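def scan(ps, msg, src):
    """Passive scan entry point: run the cached regex matcher over the response body.

    ps  -- ZAP passive-scan helper used for raiseAlert().
    msg -- HttpMessage whose response body is scanned.
    src -- script source (unused here; ZAP passes it to every passive script).

    The matcher is expensive to build, so it is pickled into the ZAP global
    variable "<NAME>_matcher" and reused while hash_source_code() still equals
    the hash stored in "<NAME>_hash". Every distinct matched string becomes one
    informational alert (risk 0, confidence 1) whose description is the regex.
    """
    if DEV_MODE:
        print("\n--------------------")
        print("[*] %s script started" % NAME)
    # Docs on alert raising function:
    # raiseAlert(int risk, int confidence, str name, str description, str uri,
    #            str param, str attack, str otherInfo, str solution,
    #            str evidence, int cweId, int wascId, HttpMessage msg)
    # risk: 0: info, 1: low, 2: medium, 3: high
    # confidence: 0: falsePositive, 1: low, 2: medium, 3: high, 4: confirmed

    # "or ''" replaces the original max(None, "") idiom: same result for None
    # and for strings, without relying on Python 2's None < str ordering.
    old_script_hash = ScriptVars.getGlobalVar(NAME + "_hash") or ""
    script_hash = hash_source_code()
    cached = None
    if script_hash == old_script_hash:
        cached = ScriptVars.getGlobalVar(NAME + "_matcher")
    if cached is not None:
        # SECURITY NOTE: pickle.loads() on a blob read back from the ZAP
        # global-variable store, which every script in the process can write.
        # The source hash only proves this script is unchanged; it does not
        # authenticate the blob. Acceptable only while that store is trusted.
        matcher = pickle.loads(cached)
    else:
        # Cache miss, or the hash matched but the blob was missing. The original
        # wrote the hash *before* building the matcher, so a failure inside
        # build_matcher()/pickle.dumps() left a matching hash with no blob and
        # every later run died in pickle.loads(None). Build, store blob, then hash.
        matcher = build_matcher()
        ScriptVars.setGlobalVar(NAME + "_matcher", pickle.dumps(matcher))
        ScriptVars.setGlobalVar(NAME + "_hash", script_hash)
    if DEV_MODE:
        print("[+] Got matcher, now scanning body")

    body = msg.getResponseBody()
    hdr = msg.getResponseHeader()
    uri = msg.getRequestHeader().getURI().toString()
    if DEV_MODE:
        print("[*] URI = %s" % uri)

    # Media type only: drop ";charset=..." and surrounding whitespace.
    content_type = (hdr.getHeader(hdr.CONTENT_TYPE) or "").split(";", 1)[0].strip()
    blacklist = ("audio/", "video/")
    if any(s in content_type for s in blacklist):
        if DEV_MODE:
            print("[-] Blacklisted content-type %r: aborting" % content_type)
        return

    # Bound the work per response; anything past MAX_BODY_SIZE is never scanned.
    data = body.toString()[:MAX_BODY_SIZE]
    data_type = get_data_type(content_type)
    if DEV_MODE:
        print("[*] data_type = %s" % data_type)
    matches = scan_body(data, data_type, matcher)

    found_evidences = set()  # one alert per distinct matched string
    for start_pos in sorted(matches):
        match = matches[start_pos]
        evidence = match["str"]
        if evidence in found_evidences:
            continue
        found_evidences.add(evidence)
        title = "%s: %s (script)" % (NAME, match["issue"])
        desc = "Regular Expression:\n %s" % match["regex"]
        if DEV_MODE:
            print(" -> GOT MATCH: %s" % title)
        ps.raiseAlert(0, 1, title, desc, uri, None, None, None, None, evidence, 0, 0, msg)
    if DEV_MODE:
        print("[+] Body correctly scanned")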
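def scan(ps, msg, src):
    """HUNT passive check: flag parameter names that commonly feed SSRF / open-redirect sinks.

    ps  -- ZAP passive-scan helper used to raise the alert.
    msg -- HttpMessage under inspection.
    src -- script source (unused; ZAP passes it to every passive script).

    Only messages whose history type is <= 2 are examined (proxied/spidered
    traffic per ZAP's HistoryReference constants -- confirm against the ZAP
    version in use). The match is purely on parameter *names*, as a substring,
    so every alert is a lead for manual testing, not a confirmed finding.
    Each base URL + parameter-name set is reported once per ZAP session via
    the "hunt_pssrf" global variable.
    """
    # Make sure the dedup store exists before it is read below.
    if ScriptVars.getGlobalVar("hunt_pssrf") is None:
        ScriptVars.setGlobalVar("hunt_pssrf", "init")
    if not (msg and msg.getHistoryRef().getHistoryType() <= 2):
        return
    # raiseAlert(risk, int reliability, String name, String description, String uri,
    #            String param, String attack, String otherInfo, String solution, String evidence,
    #            int cweId, int wascId, HttpMessage msg)
    # risk: 0: info, 1: low, 2: medium, 3: high
    # reliability: 0: falsePositive, 1: suspicious, 2: warning
    words = [
        'dest', 'redirect', 'uri', 'path', 'continue', 'url', 'window', 'next',
        'data', 'reference', 'site', 'html', 'val', 'validate', 'domain',
        'callback', 'return', 'page', 'feed', 'host', 'port', 'to', 'out',
        'view', 'dir', 'show', 'navigation', 'open',
    ]
    uri = msg.getRequestHeader().getURI().toString()
    params = [element.lower() for element in msg.getParamNames()]

    # Dedup key: scheme://host/path (query stripped) plus the parameter names.
    # The original concatenated None when the regex did not match (TypeError);
    # fall back to the full URI instead.
    base_match = re.search(r'https?:\/\/([^/]+)(\/[^?#=]*)', uri)
    seen_key = (str(base_match.group()) if base_match else uri) + str(params)
    seen = ScriptVars.getGlobalVar("hunt_pssrf")
    if seen_key in seen.split(' , '):
        # Already reported for this URL + parameter set. The original recorded
        # the key but never consulted it, so the bookkeeping had no effect.
        return
    ScriptVars.setGlobalVar("hunt_pssrf", seen + ' , ' + seen_key)

    # Original used re.match(".*" + word): i.e. "word occurs anywhere in the
    # name". Plain substring test is the same check (names have no newlines).
    result = [x for x in words if any(x in p for p in params)]
    if not result:
        return
    found = ','.join(result)
    description = (
        'HUNT located the ' + found + ' parameter inside of your application traffic. The '
        + found + ' parameter is most often susceptible to Server Side Request Forgery '
        '(and sometimes URL redirects). HUNT recommends further manual analysis of the '
        'parameter in question.\n\nFor Server Side Request Forgery HUNT recommends the '
        'following resources to aid in manual testing:\n\n'
        '- Server-side browsing considered harmful - Nicolas Gregoire: '
        'http://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf \n'
        '- How To: Server-Side Request Forgery (SSRF) - Jobert Abma: '
        'https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF \n'
        '- SSRF Examples from ngalongc/bug-bounty-reference: '
        'https://github.com/ngalongc/bug-bounty-reference#server-side-request-forgery-ssrf \n'
        '- Safebuff SSRF Tips: http://blog.safebuff.com/2016/07/03/SSRF-Tips/ \n'
        '- The SSRF Bible: '
        'https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/edit'
    )
    # NOTE(review): otherInfo carries the full raw request, including any
    # Cookie / Authorization headers, and ends up in exported reports.
    other_info = msg.getRequestHeader().toString() + '\n' + msg.getRequestBody().toString()
    ps.raiseAlert(0, 1, 'Possible SSRF', description, uri, found, '', other_info, '', '', 0, 0, msg)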
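def scan(ps, msg, src):
    """HUNT passive check: flag parameter names that commonly reach OS command execution.

    ps  -- ZAP passive-scan helper used to raise the alert.
    msg -- HttpMessage under inspection.
    src -- script source (unused; ZAP passes it to every passive script).

    Only messages whose history type is <= 2 are examined (proxied/spidered
    traffic per ZAP's HistoryReference constants -- confirm against the ZAP
    version in use). The match is purely on parameter *names*, as a substring,
    so every alert is a lead for manual testing, not a confirmed finding.
    Each base URL + parameter-name set is reported once per ZAP session via
    the "hunt_prce" global variable.
    """
    # Make sure the dedup store exists before it is read below.
    if ScriptVars.getGlobalVar("hunt_prce") is None:
        ScriptVars.setGlobalVar("hunt_prce", "init")
    if not (msg and msg.getHistoryRef().getHistoryType() <= 2):
        return
    # raiseAlert(risk, int reliability, String name, String description, String uri,
    #            String param, String attack, String otherInfo, String solution, String evidence,
    #            int cweId, int wascId, HttpMessage msg)
    # risk: 0: info, 1: low, 2: medium, 3: high
    # reliability: 0: falsePositive, 1: suspicious, 2: warning
    words = [
        'daemon', 'host', 'upload', 'dir', 'execute', 'download', 'log', 'ip',
        'cli', 'cmd',
    ]
    uri = msg.getRequestHeader().getURI().toString()
    params = [element.lower() for element in msg.getParamNames()]

    # Dedup key: scheme://host/path (query stripped) plus the parameter names.
    # The original concatenated None when the regex did not match (TypeError);
    # fall back to the full URI instead.
    base_match = re.search(r'https?:\/\/([^/]+)(\/[^?#=]*)', uri)
    seen_key = (str(base_match.group()) if base_match else uri) + str(params)
    seen = ScriptVars.getGlobalVar("hunt_prce")
    if seen_key in seen.split(' , '):
        # Already reported for this URL + parameter set. The original recorded
        # the key but never consulted it, so the bookkeeping had no effect.
        return
    ScriptVars.setGlobalVar("hunt_prce", seen + ' , ' + seen_key)

    # Original used re.match(".*" + word): i.e. "word occurs anywhere in the
    # name". Plain substring test is the same check (names have no newlines);
    # note 'ip' and 'log' hit names like "zip" or "login".
    result = [x for x in words if any(x in p for p in params)]
    if not result:
        return
    found = ','.join(result)
    description = (
        'HUNT located the ' + found + ' parameter inside of your application traffic. The '
        + found + ' parameter is most often susceptible to OS Command Injection. HUNT '
        'recommends further manual analysis of the parameter in question.\n\nFor OS Command '
        'Injection HUNT recommends the following resources to aid in manual testing:\n\n'
        '- (OWASP) Testing for OS Command Injection: '
        'https://www.owasp.org/index.php/Testing_for_Command_Injection_(OTG-INPVAL-013)\n'
        '- Joberts How To Command Injection: https://www.hackerone.com/blog/how-to-command-injections \n'
        '- Commix Command Injection Tool: https://github.com/commixproject/commix\n'
        '-The FuzzDB OS CMD Exec section: '
        'https://github.com/fuzzdb-project/fuzzdb/tree/master/attack/os-cmd-execution \n'
        '- Ferruh Mavitunas CMDi Cheat Sheet: '
        'https://ferruh.mavituna.com/unix-command-injection-cheat-sheet-oku/ \n'
        'The Web Application Hackers Handbook: Chapter 10'
    )
    # NOTE(review): otherInfo carries the full raw request, including any
    # Cookie / Authorization headers, and ends up in exported reports.
    other_info = msg.getRequestHeader().toString() + '\n' + msg.getRequestBody().toString()
    ps.raiseAlert(1, 1, 'Possible RCE', description, uri, found, '', other_info, '', '', 0, 0, msg)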
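def scan(ps, msg, src):
    """HUNT passive check: flag parameter names that look like direct object identifiers (IDOR leads).

    ps  -- ZAP passive-scan helper used to raise the alert.
    msg -- HttpMessage under inspection.
    src -- script source (unused; ZAP passes it to every passive script).

    Only messages whose history type is <= 2 are examined (proxied/spidered
    traffic per ZAP's HistoryReference constants -- confirm against the ZAP
    version in use). The match is purely on parameter *names*, as a substring,
    so every alert is a lead for manual testing, not a confirmed finding.
    Each base URL + parameter-name set is reported once per ZAP session via
    the "hunt_pidor" global variable.
    """
    # Make sure the dedup store exists before it is read below.
    if ScriptVars.getGlobalVar("hunt_pidor") is None:
        ScriptVars.setGlobalVar("hunt_pidor", "init")
    if not (msg and msg.getHistoryRef().getHistoryType() <= 2):
        return
    # raiseAlert(risk, int reliability, String name, String description, String uri,
    #            String param, String attack, String otherInfo, String solution, String evidence,
    #            int cweId, int wascId, HttpMessage msg)
    # risk: 0: info, 1: low, 2: medium, 3: high
    # reliability: 0: falsePositive, 1: suspicious, 2: warning
    words = [
        'id', 'user', 'account', 'number', 'order', 'no', 'doc', 'key', 'email',
        'group', 'profile', 'edit', 'report',
    ]
    uri = msg.getRequestHeader().getURI().toString()
    params = [element.lower() for element in msg.getParamNames()]

    # Dedup key: scheme://host/path (query stripped) plus the parameter names.
    # The original concatenated None when the regex did not match (TypeError);
    # fall back to the full URI instead.
    base_match = re.search(r'https?:\/\/([^/]+)(\/[^?#=]*)', uri)
    seen_key = (str(base_match.group()) if base_match else uri) + str(params)
    seen = ScriptVars.getGlobalVar("hunt_pidor")
    if seen_key in seen.split(' , '):
        # Already reported for this URL + parameter set. The original recorded
        # the key but never consulted it, so the bookkeeping had no effect.
        return
    ScriptVars.setGlobalVar("hunt_pidor", seen + ' , ' + seen_key)

    # Original used re.match(".*" + word): i.e. "word occurs anywhere in the
    # name". Plain substring test is the same check (names have no newlines);
    # 'id' and 'no' are very short and match e.g. "width" or "snow" -- noisy.
    result = [x for x in words if any(x in p for p in params)]
    if not result:
        return
    found = ','.join(result)
    description = (
        'HUNT located the ' + found + ' parameter inside of your application traffic. The '
        + found + ' parameter is most often susceptible to Insecure Direct Object Reference '
        'Vulnerabilities. \n\nDirect object reference vulnerabilities occur when there are '
        'insufficient authorization checks performed against object identifiers used in '
        'requests. This could occur when database keys, filenames, or other identifiers are '
        'used to directly access resources within an application. \nThese identifiers would '
        'likely be predictable (an incrementing counter, the name of a file, etc), making it '
        'easy for an attacker to detect this vulnerability class. If further authorization '
        'checks are not performed, this could lead to unauthorized access to the underlying '
        'data.\nHUNT recommends further manual analysis of the parameter in question.\n\n'
        'For Insecure Direct Object Reference Vulnerabilities HUNT recommends the following '
        'resources to aid in manual testing:\n\n'
        '- The Web Application Hackers Handbook: Chapter 8\n'
        '- Testing for Insecure Direct Object References (OTG-AUTHZ-004): '
        'https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004) \n'
        '- Using Burp to Test for Insecure Direct Object References: '
        'https://support.portswigger.net/customer/portal/articles/1965691-using-burp-to-test-for-insecure-direct-object-references\n'
        '- IDOR Examples from ngalongc/bug-bounty-reference: '
        'https://github.com/ngalongc/bug-bounty-reference#insecure-direct-object-reference-idor'
    )
    # NOTE(review): otherInfo carries the full raw request, including any
    # Cookie / Authorization headers, and ends up in exported reports.
    other_info = msg.getRequestHeader().toString() + '\n' + msg.getRequestBody().toString()
    ps.raiseAlert(0, 1, 'Possible IDOR', description, uri, found, '', other_info, '', '', 0, 0, msg)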
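def authenticate(msg, initiator, helper, loginTestcase, errorScreens):
    """Run the Selenese login test case through ZAP, then replay ``msg`` with the new session.

    msg           -- HttpMessage that triggered (re-)authentication.
    initiator     -- ZAP initiator id of the component that sent ``msg`` (logged only).
    helper        -- ZAP sender helper handed to resendMessageWithSession().
    loginTestcase -- path of the Selenese test case that performs the login.
    errorScreens  -- directory for screenshots when a Selenese step fails.

    The "auth_running" ZAP global variable acts as a cross-thread flag: if a
    login is already in flight this call waits up to 30 s for it and then
    replays ``msg`` with the shared session; otherwise it runs the login itself
    (selenese-runner in Firefox, proxied through ZAP) and replays on success.
    """
    print("AUTHENTICATION REQUIRED! Your initiator is: " + str(initiator)
          + " URL: " + msg.getRequestHeader().getURI().toString())
    sessionSite = getZAPsessionSite(msg)
    seleniumSession = "Auth-Selenium"
    # Alias renamed from ``vars``, which shadowed the Python builtin.
    import org.zaproxy.zap.extension.script.ScriptVars as script_vars

    if script_vars.getGlobalVar("auth_running") == "True":
        print("Another authentication is running... waiting...")
        import time
        mustend = time.time() + 30
        while time.time() < mustend:
            try:
                time.sleep(1)
            except:  # noqa: E722 -- the waiting thread was interrupted (script stop); keep original behaviour
                print("Script was interruped, stop processing current message")
                return
            if script_vars.getGlobalVar("auth_running") != "True":
                # NOTE(review): replays with the fixed "Auth-Selenium" session,
                # while the authenticating thread may have created a
                # "Re-Auth-Selenium <n>" session instead -- confirm the waiter
                # ends up with the right session.
                resendMessageWithSession(msg, helper, sessionSite.getHttpSession(seleniumSession))
                return
        print("Authentication timeout exceeded, discard message")
        return

    # NOTE(review): the read above and this write are not atomic, so two
    # threads can still both start a login; a real lock needs module state.
    script_vars.setGlobalVar("auth_running", "True")
    try:
        if sessionSite.getHttpSession(seleniumSession) is not None:
            seleniumSession = "Re-Auth-Selenium " + str(sessionSite.getNextSessionId())
        sessionSite.createEmptySession(seleniumSession)
        firefoxBinary = 'FirefoxPortableDeveloper/linux/firefox'
        import platform
        if 'Windows' in platform.platform():
            firefoxBinary = r'FirefoxPortable\FirefoxPortable.exe'
        import subprocess as sub
        # Argument list, no shell: loginTestcase / errorScreens / proxy address
        # are never shell-interpreted. stderr is inherited, so selenese
        # diagnostics go to ZAP's console.
        selenese = sub.Popen(
            ["java", "-jar", "selenese-runner-2.5.0.jar", "--strict-exit-code",
             "--proxy", str(getZAPproxy()), "--no-proxy", "*.mozilla.com",
             "--screenshot-on-fail", errorScreens, "--set-speed", "100",
             "--cli-args", "-private-window", "--cli-args", "about:blank",
             loginTestcase, "--firefox", firefoxBinary],
            stdout=sub.PIPE)
        output = selenese.communicate()[0]
        returns = selenese.returncode
    finally:
        # Always clear the flag. Before, any exception here (java missing, bad
        # path, Popen failure) left "auth_running" == "True" forever, so every
        # later caller waited 30 s and then dropped its message.
        script_vars.setGlobalVar("auth_running", "False")
    if returns != 0:
        print("AUTHENTICATION FAILURE!")
        print(output)
    else:
        print("Auth-SUCCESS")
        resendMessageWithSession(msg, helper, sessionSite.getHttpSession(seleniumSession))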
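def scan(ps, msg, src):
    """HUNT passive check: flag parameter names that commonly carry file paths (LFI / traversal leads).

    ps  -- ZAP passive-scan helper used to raise the alert.
    msg -- HttpMessage under inspection.
    src -- script source (unused; ZAP passes it to every passive script).

    Only messages whose history type is <= 2 are examined (proxied/spidered
    traffic per ZAP's HistoryReference constants -- confirm against the ZAP
    version in use). The match is purely on parameter *names*, as a substring,
    so every alert is a lead for manual testing, not a confirmed finding.
    Each base URL + parameter-name set is reported once per ZAP session via
    the "hunt_pfi" global variable.
    """
    # Make sure the dedup store exists before it is read below.
    if ScriptVars.getGlobalVar("hunt_pfi") is None:
        ScriptVars.setGlobalVar("hunt_pfi", "init")
    if not (msg and msg.getHistoryRef().getHistoryType() <= 2):
        return
    # raiseAlert(risk, int reliability, String name, String description, String uri,
    #            String param, String attack, String otherInfo, String solution, String evidence,
    #            int cweId, int wascId, HttpMessage msg)
    # risk: 0: info, 1: low, 2: medium, 3: high
    # reliability: 0: falsePositive, 1: suspicious, 2: warning
    words = [
        'file', 'document', 'folder', 'root', 'path', 'pg', 'style', 'pdf',
        'template', 'php_path', 'doc',
    ]
    uri = msg.getRequestHeader().getURI().toString()
    params = [element.lower() for element in msg.getParamNames()]

    # Dedup key: scheme://host/path (query stripped) plus the parameter names.
    # The original concatenated None when the regex did not match (TypeError);
    # fall back to the full URI instead.
    base_match = re.search(r'https?:\/\/([^/]+)(\/[^?#=]*)', uri)
    seen_key = (str(base_match.group()) if base_match else uri) + str(params)
    seen = ScriptVars.getGlobalVar("hunt_pfi")
    if seen_key in seen.split(' , '):
        # Already reported for this URL + parameter set. The original recorded
        # the key but never consulted it, so the bookkeeping had no effect.
        return
    ScriptVars.setGlobalVar("hunt_pfi", seen + ' , ' + seen_key)

    # Original used re.match(".*" + word): i.e. "word occurs anywhere in the
    # name". Plain substring test is the same check (names have no newlines).
    result = [x for x in words if any(x in p for p in params)]
    if not result:
        return
    found = ','.join(result)
    description = (
        'HUNT located the ' + found + ' parameter inside of your application traffic. The '
        + found + ' parameter is most often susceptible to File Inclusion or Path Traversal. '
        'HUNT recommends further manual analysis of the parameter in question. Also note that '
        'several parameters from this section and SSRF might overlap or need testing for both '
        'vulnerability categories.\n\nFor File Inclusion or Path Traversal HUNT recommends the '
        'following resources to aid in manual testing:\n\n'
        '- The Web Application Hackers Handbook: Chapter 10\n'
        '- LFI Cheat Sheet: https://highon.coffee/blog/lfi-cheat-sheet/ \n'
        '- Gracefuls Path Traversal Cheat Sheet: Windows: '
        'https://www.gracefulsecurity.com/path-traversal-cheat-sheet-windows/ \n'
        '- Gracefuls Path Traversal Cheat Sheet: Linux: '
        'https://www.gracefulsecurity.com/path-traversal-cheat-sheet-linux/'
    )
    # NOTE(review): otherInfo carries the full raw request, including any
    # Cookie / Authorization headers, and ends up in exported reports.
    other_info = msg.getRequestHeader().toString() + '\n' + msg.getRequestBody().toString()
    ps.raiseAlert(0, 1, 'Possible File Inclusion or Path Traversal', description, uri, found,
                  '', other_info, '', '', 0, 0, msg)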
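def scan(ps, msg, src):
    """HUNT passive check: flag parameter names that commonly end up in SQL (SQLi leads).

    ps  -- ZAP passive-scan helper used to raise the alert.
    msg -- HttpMessage under inspection.
    src -- script source (unused; ZAP passes it to every passive script).

    Only messages whose history type is <= 2 are examined (proxied/spidered
    traffic per ZAP's HistoryReference constants -- confirm against the ZAP
    version in use). The match is purely on parameter *names*, as a substring,
    so every alert is a lead for manual testing, not a confirmed finding.
    Each base URL + parameter-name set is reported once per ZAP session via
    the "hunt_psql" global variable.
    """
    # Make sure the dedup store exists before it is read below.
    if ScriptVars.getGlobalVar("hunt_psql") is None:
        ScriptVars.setGlobalVar("hunt_psql", "init")
    if not (msg and msg.getHistoryRef().getHistoryType() <= 2):
        return
    # raiseAlert(risk, int reliability, String name, String description, String uri,
    #            String param, String attack, String otherInfo, String solution, String evidence,
    #            int cweId, int wascId, HttpMessage msg)
    # risk: 0: info, 1: low, 2: medium, 3: high
    # reliability: 0: falsePositive, 1: suspicious, 2: warning
    words = [
        'id', 'select', 'report', 'role', 'update', 'query', 'user', 'name',
        'sort', 'where', 'search', 'params', 'process', 'row', 'view', 'table',
        'from', 'sel', 'results', 'sleep', 'fetch', 'order', 'keyword',
        'column', 'field', 'delete', 'string', 'number', 'filter',
    ]
    uri = msg.getRequestHeader().getURI().toString()
    params = [element.lower() for element in msg.getParamNames()]

    # Dedup key: scheme://host/path (query stripped) plus the parameter names.
    # The original concatenated None when the regex did not match (TypeError);
    # fall back to the full URI instead.
    base_match = re.search(r'https?:\/\/([^/]+)(\/[^?#=]*)', uri)
    seen_key = (str(base_match.group()) if base_match else uri) + str(params)
    seen = ScriptVars.getGlobalVar("hunt_psql")
    if seen_key in seen.split(' , '):
        # Already reported for this URL + parameter set. The original recorded
        # the key but never consulted it, so the bookkeeping had no effect.
        return
    ScriptVars.setGlobalVar("hunt_psql", seen + ' , ' + seen_key)

    # Original used re.match(".*" + word): i.e. "word occurs anywhere in the
    # name". Plain substring test is the same check (names have no newlines).
    # 'id', 'sel', 'row', 'from' are short and hit many unrelated names -- this
    # list is deliberately noisy; treat the alert as a lead only.
    result = [x for x in words if any(x in p for p in params)]
    if not result:
        return
    found = ','.join(result)
    description = (
        'HUNT located the parameter inside of your application traffic. The parameter is most '
        'often susceptible to SQL Injection. HUNT recommends further manual analysis of the '
        'parameter in question.\n\nFor SQL Injection HUNT references The Bug Hunters '
        'Methodology SQL Injection references table:\n\n'
        '- PentestMonkeys MySQL Injection Cheat Sheet: '
        'http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet \n\n'
        '- Reiners MySQL Injection Filter Evasion: '
        'https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/ \n'
        '- EvilSQLs Error/Union/Blind MSSQL Cheat Sheet: http://evilsql.com/main/page2.php \n'
        '- PentestMonkeys MSSQL SQL Injection Cheat Sheet: '
        'http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet \n'
        '- PentestMonkeys Oracle SQL Cheat Sheet: '
        'http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet \n'
        '- PentestMonkeys PostgreSQL Cheat Sheet: '
        'http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet \n'
        '- Access SQL Injection Cheat Sheet: http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html \n'
        '- PentestMonkeys Ingres SQL Injection Cheat Sheet: '
        'http://pentestmonkey.net/cheat-sheet/sql-injection/ingres-sql-injection-cheat-sheet \n'
        '- PentestMonkeys DB2 SQL Injection Cheat Sheet: '
        'http://pentestmonkey.net/cheat-sheet/sql-injection/db2-sql-injection-cheat-sheet \n'
        '- PentestMonkeys Informix SQL Injection Cheat Sheet: '
        'http://pentestmonkey.net/cheat-sheet/sql-injection/informix-sql-injection-cheat-sheet \n'
        '- SQLite3 Injection Cheat Sheet: https://sites.google.com/site/0x7674/home/sqlite3injectioncheatsheet \n'
        '- Ruby on Rails (ActiveRecord) SQL Injection Guide: '
        'https://sites.google.com/site/0x7674/home/sqlite3injectioncheatsheet'
    )
    # NOTE(review): otherInfo carries the full raw request, including any
    # Cookie / Authorization headers, and ends up in exported reports.
    other_info = msg.getRequestHeader().toString() + '\n' + msg.getRequestBody().toString()
    ps.raiseAlert(1, 1, 'Possible SQLi', description, uri, found, '', other_info, '', '', 0, 0, msg)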
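def scan(ps, msg, src):
    """HUNT passive check: flag parameter names that commonly reach a server-side template engine.

    ps  -- ZAP passive-scan helper used to raise the alert.
    msg -- HttpMessage under inspection.
    src -- script source (unused; ZAP passes it to every passive script).

    Only messages whose history type is <= 2 are examined (proxied/spidered
    traffic per ZAP's HistoryReference constants -- confirm against the ZAP
    version in use). The match is purely on parameter *names*, as a substring,
    so every alert is a lead for manual testing, not a confirmed finding.
    Each base URL + parameter-name set is reported once per ZAP session via
    the "hunt_pssti" global variable.
    """
    # Make sure the dedup store exists before it is read below.
    if ScriptVars.getGlobalVar("hunt_pssti") is None:
        ScriptVars.setGlobalVar("hunt_pssti", "init")
    if not (msg and msg.getHistoryRef().getHistoryType() <= 2):
        return
    # raiseAlert(risk, int reliability, String name, String description, String uri,
    #            String param, String attack, String otherInfo, String solution, String evidence,
    #            int cweId, int wascId, HttpMessage msg)
    # risk: 0: info, 1: low, 2: medium, 3: high
    # reliability: 0: falsePositive, 1: suspicious, 2: warning
    words = [
        'template', 'preview', 'id', 'view', 'activity', 'name', 'content',
        'redirect',
    ]
    uri = msg.getRequestHeader().getURI().toString()
    params = [element.lower() for element in msg.getParamNames()]

    # Dedup key: scheme://host/path (query stripped) plus the parameter names.
    # The original concatenated None when the regex did not match (TypeError);
    # fall back to the full URI instead.
    base_match = re.search(r'https?:\/\/([^/]+)(\/[^?#=]*)', uri)
    seen_key = (str(base_match.group()) if base_match else uri) + str(params)
    seen = ScriptVars.getGlobalVar("hunt_pssti")
    if seen_key in seen.split(' , '):
        # Already reported for this URL + parameter set. The original recorded
        # the key but never consulted it, so the bookkeeping had no effect.
        return
    ScriptVars.setGlobalVar("hunt_pssti", seen + ' , ' + seen_key)

    # Original used re.match(".*" + word): i.e. "word occurs anywhere in the
    # name". Plain substring test is the same check (names have no newlines).
    result = [x for x in words if any(x in p for p in params)]
    if not result:
        return
    found = ','.join(result)
    description = (
        'HUNT located the ' + found + ' parameter inside of your application traffic. The '
        + found + ' parameter is most often susceptible to Server Side Template Injection. '
        'HUNT recommends further manual analysis of the parameter in question.'
    )
    # NOTE(review): otherInfo carries the full raw request, including any
    # Cookie / Authorization headers, and ends up in exported reports.
    other_info = msg.getRequestHeader().toString() + '\n' + msg.getRequestBody().toString()
    ps.raiseAlert(0, 1, 'Possible SSTI', description, uri, found, '', other_info, '', '', 0, 0, msg)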
def getValues(event):
    """Swing button handler: copy the four text fields into ZAP global variables.

    event -- the Swing ActionEvent (unused).

    Each field is stored under "Input1".."Input4" and read straight back and
    printed. NOTE(review): the values are echoed to ZAP's console; if any of
    these fields holds a secret, that ends up in the log.
    """
    print("clicked")
    fields = (("Input1", txt1), ("Input2", txt2), ("Input3", txt3), ("Input4", txt4))
    for key, widget in fields:
        ScriptVars.setGlobalVar(key, str(widget.getText()))
        print(ScriptVars.getGlobalVar(key))
def getValues(event):
    """Swing button handler: copy the four text fields into ZAP global variables.

    event -- the Swing ActionEvent (unused).

    Each field is stored under "Input1".."Input4" and read straight back and
    printed. NOTE(review): the values are echoed to ZAP's console; if any of
    these fields holds a secret, that ends up in the log.
    """
    print("clicked")
    widgets = {"Input1": txt1, "Input2": txt2, "Input3": txt3, "Input4": txt4}
    for index in range(1, 5):
        key = "Input%d" % index
        ScriptVars.setGlobalVar(key, str(widgets[key].getText()))
        print(ScriptVars.getGlobalVar(key))
def scan(ps, msg, src): # Test the request and/or response here if ScriptVars.getGlobalVar("hunt_prce") is None: ScriptVars.setGlobalVar("hunt_prce","init") if (msg and msg.getHistoryRef().getHistoryType()<=2): # Change to a test which detects the vulnerability # raiseAlert(risk, int reliability, String name, String description, String uri, # String param, String attack, String otherInfo, String solution, String evidence, # int cweId, int wascId, HttpMessage msg) # risk: 0: info, 1: low, 2: medium, 3: high # reliability: 0: falsePositive, 1: suspicious, 2: warning words = ['daemon','host' ,'upload','dir','execute','download','log','ip','cli','cmd'] result = [] uri = msg.getRequestHeader().getURI().toString() params = msg.getParamNames() params = [element.lower() for element in params] base_uri = re.search('https?:\/\/([^/]+)(\/[^?#=]*)',uri)
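def authenticate(helper, paramsValues, credentials):
    """ZAP script-based authentication: GET Auth_URL with HTTP Basic credentials and cache the token.

    helper       -- ZAP authentication helper (prepareMessage / sendAndReceive).
    paramsValues -- script parameters; reads "Auth_URL" and "Extra_POST_data".
    credentials  -- ZAP credentials object; reads "Username" and "Password".

    Returns the HttpMessage of the authentication exchange. As a side effect
    the token extracted by return_token() is published in the "hackazon_token"
    global variable for the companion HTTP-sender script.
    """
    requestUri = URI(paramsValues["Auth_URL"], False)
    requestMethod = HttpRequestHeader.GET
    extraPostData = paramsValues["Extra_POST_data"]

    # NOTE(review): the credentials are percent-encoded (quote) before being
    # base64'd. RFC 7617 Basic auth takes the raw user:pass, so a password
    # containing ':' '@' '/' etc. is sent encoded -- confirm the target really
    # expects that before changing it.
    username = quote(credentials.getParam("Username")).encode('utf-8')
    password = quote(credentials.getParam("Password")).encode('utf-8')
    encoded_data = (username + ":" + password).encode('utf-8')
    basic = "Basic " + base64.b64encode(encoded_data)
    # The original printed the Authorization header here, which wrote the
    # base64 (i.e. trivially reversible) credentials to ZAP's console/log.

    # `requestBody` was never initialised before, so any non-empty
    # Extra_POST_data raised UnboundLocalError.
    requestBody = ""
    if len(extraPostData.strip()) > 0:
        requestBody = requestBody + "&" + extraPostData.strip()
    # NOTE(review): requestBody is assembled but never attached to the message
    # (the request is a GET), so Extra_POST_data currently has no effect.

    msg = helper.prepareMessage()
    requestHeader = HttpRequestHeader(requestMethod, requestUri, HttpHeader.HTTP10)
    requestHeader.setHeader(HttpRequestHeader.AUTHORIZATION, basic)
    msg.setRequestHeader(requestHeader)
    helper.sendAndReceive(msg)

    # Example body seen during development, which return_token() parses:
    # {"message":"Your token is established.","code":200,"trace":"","token":"..."}
    token = return_token(msg)
    # NOTE(review): ZAP global variables are shared by every script in the
    # process; any other script can read this token.
    GlobalVariables.setGlobalVar("hackazon_token", token)
    return msg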
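def scan(ps, msg, src):
    """HUNT passive check: flag parameter names that look like debug / admin / logic switches.

    ps  -- ZAP passive-scan helper used to raise the alert.
    msg -- HttpMessage under inspection.
    src -- script source (unused; ZAP passes it to every passive script).

    Only messages whose history type is <= 2 are examined (proxied/spidered
    traffic per ZAP's HistoryReference constants -- confirm against the ZAP
    version in use). The match is purely on parameter *names*, as a substring,
    so every alert is a lead for manual testing, not a confirmed finding.
    Each base URL + parameter-name set is reported once per ZAP session via
    the "hunt_dlp" global variable.
    """
    # Make sure the dedup store exists before it is read below.
    if ScriptVars.getGlobalVar("hunt_dlp") is None:
        ScriptVars.setGlobalVar("hunt_dlp", "init")
    if not (msg and msg.getHistoryRef().getHistoryType() <= 2):
        return
    # raiseAlert(risk, int reliability, String name, String description, String uri,
    #            String param, String attack, String otherInfo, String solution, String evidence,
    #            int cweId, int wascId, HttpMessage msg)
    # risk: 0: info, 1: low, 2: medium, 3: high
    # reliability: 0: falsePositive, 1: suspicious, 2: warning
    words = [
        'access', 'admin', 'dbg', 'debug', 'edit', 'grant', 'test', 'alter',
        'clone', 'create', 'delete', 'disable', 'enable', 'exec', 'execute',
        'load', 'make', 'modify', 'rename', 'reset', 'shell', 'toggle', 'adm',
        'root', 'cfg', 'config',
    ]
    uri = msg.getRequestHeader().getURI().toString()
    params = [element.lower() for element in msg.getParamNames()]

    # Dedup key: scheme://host/path (query stripped) plus the parameter names.
    # The original concatenated None when the regex did not match (TypeError);
    # fall back to the full URI instead.
    base_match = re.search(r'https?:\/\/([^/]+)(\/[^?#=]*)', uri)
    seen_key = (str(base_match.group()) if base_match else uri) + str(params)
    seen = ScriptVars.getGlobalVar("hunt_dlp")
    if seen_key in seen.split(' , '):
        # Already reported for this URL + parameter set. The original recorded
        # the key but never consulted it, so the bookkeeping had no effect.
        return
    ScriptVars.setGlobalVar("hunt_dlp", seen + ' , ' + seen_key)

    # Original used re.match(".*" + word): i.e. "word occurs anywhere in the
    # name". Plain substring test is the same check (names have no newlines).
    result = [x for x in words if any(x in p for p in params)]
    if not result:
        return
    found = ','.join(result)
    # Message fix: the original read "HUNT located theadmin parameter".
    description = (
        'HUNT located the ' + found + ' parameter inside of your application traffic. The '
        + found + ' parameter is most often associated to debug, access, or critical '
        'functionality in applications. \nHUNT recommends further manual analysis of the '
        'parameter in question.'
    )
    # NOTE(review): otherInfo carries the full raw request, including any
    # Cookie / Authorization headers, and ends up in exported reports.
    other_info = msg.getRequestHeader().toString() + '\n' + msg.getRequestBody().toString()
    ps.raiseAlert(0, 1, 'Possible Debug & Logic Parameters', description, uri, found, '',
                  other_info, '', '', 0, 0, msg)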
# String param, String attack, String otherInfo, String solution, String evidence, # int cweId, int wascId, HttpMessage msg) # risk: 0: info, 1: low, 2: medium, 3: high # reliability: 0: falsePositive, 1: suspicious, 2: warning words = ['daemon','host' ,'upload','dir','execute','download','log','ip','cli','cmd'] result = [] uri = msg.getRequestHeader().getURI().toString() params = msg.getParamNames() params = [element.lower() for element in params] base_uri = re.search('https?:\/\/([^/]+)(\/[^?#=]*)',uri) if base_uri: base_uri = str( base_uri.group() ) regex = base_uri + str(params) globalvar = ScriptVars.getGlobalVar("hunt_prce") if regex not in globalvar: ScriptVars.setGlobalVar("hunt_prce","" + globalvar + ' , ' + regex) for x in words: y = re.compile(".*"+x) if len(filter(y.match, params))>0: result.append(x) if result: ps.raiseAlert(1, 1, 'Possible RCE', 'HUNT located the ' + ','.join(result) + ' parameter inside of your application traffic. The ' + ','.join(result) + ' parameter is most often susceptible to OS Command Injection. HUNT recommends further manual analysis of the parameter in question.\n\nFor OS Command Injection HUNT recommends the following resources to aid in manual testing:\n\n- (OWASP) Testing for OS Command Injection: https://www.owasp.org/index.php/Testing_for_Command_Injection_(OTG-INPVAL-013)\n- Joberts How To Command Injection: https://www.hackerone.com/blog/how-to-command-injections \n- Commix Command Injection Tool: https://github.com/commixproject/commix\n-The FuzzDB OS CMD Exec section: https://github.com/fuzzdb-project/fuzzdb/tree/master/attack/os-cmd-execution \n- Ferruh Mavitunas CMDi Cheat Sheet: https://ferruh.mavituna.com/unix-command-injection-cheat-sheet-oku/ \nThe Web Application Hackers Handbook: Chapter 10', msg.getRequestHeader().getURI().toString(), ','.join(result), '', msg.getRequestHeader().toString()+'\n'+msg.getRequestBody().toString(), '', '', 0, 0, msg);
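# Standalone helper: reset the cross-script "auth_running" flag that the
# Selenium authentication script uses as a mutex (e.g. after it was left stuck
# on "True" by a failed run). The alias no longer shadows the builtin ``vars``.
import org.zaproxy.zap.extension.script.ScriptVars as script_vars

script_vars.setGlobalVar("auth_running", "init")
print("reset: " + str(script_vars.getGlobalVar("auth_running")))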
def clearAccessTokenFromGlobalVar():
    """Forget the cached access token and its creation/expiry bookkeeping.

    Writes None to the three ZAP global variables that
    setAccessTokenInGlobalVar() populates, so the next lookup sees "no token".
    """
    # The token value lives in a plain (string) global var; the two timestamps
    # are "custom" vars because they are not strings.
    GlobalVariables.setGlobalVar(ACCESS_TOKEN_KEY_NAME, None)
    for custom_key in (ACCESS_TOKEN_CREATION_TIMESTAMP_KEY_NAME,
                       ACCESS_TOKEN_EXPIRY_IN_SECONDS_KEY_NAME):
        GlobalVariables.setGlobalCustomVar(custom_key, None)
def setAccessTokenInGlobalVar(accessToken, expiryInSeconds):
    """Cache *accessToken* in ZAP global variables together with when it was stored.

    accessToken     -- token value; stored as str.
    expiryInSeconds -- lifetime as reported by the issuer; stored unchanged.

    The creation timestamp is time.time() at the moment of the call.
    NOTE(review): all three values are process-wide ZAP globals, readable by
    every other script loaded in ZAP.
    """
    issued_at = time.time()
    GlobalVariables.setGlobalVar(ACCESS_TOKEN_KEY_NAME, str(accessToken))
    GlobalVariables.setGlobalCustomVar(ACCESS_TOKEN_CREATION_TIMESTAMP_KEY_NAME, issued_at)
    GlobalVariables.setGlobalCustomVar(ACCESS_TOKEN_EXPIRY_IN_SECONDS_KEY_NAME, expiryInSeconds)
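# scheme://host/path, stopping before any query string, fragment or "=".
_BASE_URI_RE = re.compile('^https?://[^/]+/[^?#=]*')

# Ordered HUNT parameter-name checks: (alert title, keyword list, alert text).
# The order is the one the original per-category calls used, so alerts are
# still raised in the same sequence.  Keywords are compared against the
# lower-cased request parameter names by find_words_in_params (defined
# elsewhere in this file); the "{result}" placeholder in each text is
# presumably filled in by hunt_alert -- confirm against that helper.
# NOTE(review): the alert texts were recovered from a source whose line
# breaks had been collapsed; paragraph breaks inside them are a best-effort
# reconstruction.
_HUNT_CHECKS = [
    # Debug & logic parameters
    ("Possible Debug & Logic Parameters",
     ['access', 'admin', 'dbg', 'debug', 'edit', 'grant', 'test', 'alter',
      'clone', 'create', 'delete', 'disable', 'enable', 'exec', 'execute',
      'load', 'make', 'modify', 'rename', 'reset', 'shell', 'toggle', 'adm',
      'root', 'cfg', 'config'],
     """
HUNT located the {result} parameter inside of your application traffic. \
The {result} parameter is most often associated to debug, access, or \
critical functionality in applications.

HUNT recommends further manual analysis of the parameter in question.
"""),
    # File inclusion / path traversal
    ("Possible File Inclusion or Path Traversal",
     ['file', 'document', 'folder', 'root', 'path', 'pg', 'style', 'pdf',
      'template', 'php_path', 'doc'],
     """
HUNT located the {result} parameter inside of your application traffic. \
The {result} parameter is most often susceptible to \
File Inclusion or Path Traversal.

HUNT recommends further manual analysis of the parameter in question.
Also note that several parameters from this section and SSRF might overlap or \
need testing for both vulnerability categories.

For File Inclusion or Path Traversal HUNT recommends the following resources \
to aid in manual testing:

- The Web Application Hackers Handbook: \
Chapter 10
- LFI Cheat Sheet: https://highon.coffee/blog/lfi-cheat-sheet/
- Gracefuls Path Traversal Cheat Sheet: Windows: \
https://www.gracefulsecurity.com/path-traversal-cheat-sheet-windows/
- Gracefuls Path Traversal Cheat Sheet: Linux: \
https://www.gracefulsecurity.com/path-traversal-cheat-sheet-linux/
"""),
    # IDOR
    ("Possible IDOR",
     ['id', 'user', 'account', 'number', 'order', 'no', 'doc', 'key',
      'email', 'group', 'profile', 'edit', 'report'],
     """
HUNT located the {result} parameter inside of your application traffic. \
The {result} parameter is most often susceptible to \
Insecure Direct Object Reference Vulnerabilities.

Direct object reference vulnerabilities occur when there are insufficient \
authorization checks performed against object identifiers used in requests. \
This could occur when database keys, filenames, or other identifiers are used \
to directly access resources within an application.
These identifiers would likely be predictable (an incrementing counter, \
the name of a file, etc), making it easy for an attacker to detect this \
vulnerability class.
If further authorization checks are not performed, this \
could lead to unauthorized access to the underlying data.

HUNT recommends further manual analysis of the parameter in question.

For Insecure Direct Object Reference Vulnerabilities HUNT recommends the \
following resources to aid in manual testing:

- The Web Application Hackers Handbook: \
Chapter 8
- Testing for Insecure Direct Object References (OTG-AUTHZ-004): \
https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)
- Using Burp to Test for Insecure Direct Object References: \
https://support.portswigger.net/customer/portal/articles/1965691-using-burp-to-test-for-insecure-direct-object-references
- IDOR Examples from ngalongc/bug-bounty-reference: \
https://github.com/ngalongc/bug-bounty-reference#insecure-direct-object-reference-idor
"""),
    # OS command injection
    ("Possible RCE",
     ['daemon', 'host', 'upload', 'dir', 'execute', 'download', 'log', 'ip',
      'cli', 'cmd'],
     """
HUNT located the {result} parameter inside of your application traffic. \
The {result} parameter is most often susceptible to OS Command Injection.

HUNT recommends further manual analysis of the parameter in question.

For OS Command Injection HUNT recommends the following resources to aid \
in manual testing:

- (OWASP) Testing for OS Command Injection: \
https://www.owasp.org/index.php/Testing_for_Command_Injection_(OTG-INPVAL-013)
- Joberts How To Command Injection: \
https://www.hackerone.com/blog/how-to-command-injections
- Commix Command Injection Tool: \
https://github.com/commixproject/commix
-The FuzzDB OS CMD Exec section: \
https://github.com/fuzzdb-project/fuzzdb/tree/master/attack/os-cmd-execution
- Ferruh Mavitunas CMDi Cheat Sheet: \
https://ferruh.mavituna.com/unix-command-injection-cheat-sheet-oku/
- The Web Application Hackers Handbook: Chapter 10
"""),
    # SQL injection
    # NOTE(review): the "Ruby on Rails (ActiveRecord)" entry below repeats
    # the SQLite3 URL; it looks like a copy/paste slip in the original text
    # and the intended link is not known here, so it is left as-is.
    ("Possible SQLi",
     ['id', 'select', 'report', 'role', 'update', 'query', 'user', 'name',
      'sort', 'where', 'search', 'params', 'process', 'row', 'view', 'table',
      'from', 'sel', 'results', 'sleep', 'fetch', 'order', 'keyword',
      'column', 'field', 'delete', 'string', 'number', 'filter'],
     """
HUNT located the {result} parameter inside of your application traffic. \
The {result} parameter is most often susceptible to SQL Injection.

HUNT recommends further manual analysis of the parameter in question.

For SQL Injection HUNT references The Bug Hunters Methodology \
SQL Injection references table:

- PentestMonkeys MySQL Injection Cheat Sheet: \
http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
- Reiners MySQL Injection Filter Evasion: \
https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/
- EvilSQLs Error/Union/Blind MSSQL Cheat Sheet: \
http://evilsql.com/main/page2.php
- PentestMonkeys MSSQL SQL Injection Cheat Sheet: \
http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet
- PentestMonkeys Oracle SQL Cheat Sheet: \
http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet
- PentestMonkeys PostgreSQL Cheat Sheet: \
http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet
- Access SQL Injection Cheat Sheet: \
http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html
- PentestMonkeys Ingres SQL Injection Cheat Sheet: \
http://pentestmonkey.net/cheat-sheet/sql-injection/ingres-sql-injection-cheat-sheet
- PentestMonkeys DB2 SQL Injection Cheat Sheet: \
http://pentestmonkey.net/cheat-sheet/sql-injection/db2-sql-injection-cheat-sheet
- PentestMonkeys Informix SQL Injection Cheat Sheet: \
http://pentestmonkey.net/cheat-sheet/sql-injection/informix-sql-injection-cheat-sheet
- SQLite3 Injection Cheat Sheet: \
https://sites.google.com/site/0x7674/home/sqlite3injectioncheatsheet
- Ruby on Rails (ActiveRecord) SQL Injection Guide: \
https://sites.google.com/site/0x7674/home/sqlite3injectioncheatsheet
"""),
    # SSRF
    ("Possible SSRF",
     ['dest', 'redirect', 'uri', 'path', 'continue', 'url', 'window', 'next',
      'data', 'reference', 'site', 'html', 'val', 'validate', 'domain',
      'callback', 'return', 'page', 'feed', 'host', 'port', 'to', 'out',
      'view', 'dir', 'show', 'navigation', 'open'],
     """
HUNT located the {result} parameter inside of your application traffic. \
The {result} parameter is most often susceptible to \
Server Side Request Forgery (and sometimes URL redirects).

HUNT recommends further manual analysis of the parameter in question.

For Server Side Request Forgery HUNT recommends the following resources to \
aid in manual testing:

- Server-side browsing considered harmful - Nicolas Gregoire: \
http://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf
- How To: Server-Side Request Forgery (SSRF) - Jobert Abma: \
https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF
- SSRF Examples from ngalongc/bug-bounty-reference: \
https://github.com/ngalongc/bug-bounty-reference#server-side-request-forgery-ssrf
- Safebuff SSRF Tips: \
http://blog.safebuff.com/2016/07/03/SSRF-Tips/
- The SSRF Bible: \
https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/edit
"""),
    # SSTI
    ("Possible SSTI",
     ['template', 'preview', 'id', 'view', 'activity', 'name', 'content',
      'redirect'],
     """
HUNT located the {result} parameter inside of your application traffic. \
The {result} parameter is most often susceptible to \
Server Side Template Injection.

HUNT recommends further manual analysis of the parameter in question.
"""),
]


def scan(ps, msg, src):
    """Passive HUNT check: flag request parameter names that hint at risky functionality.

    Args:
        ps:  the ZAP passive-scan helper; alerts are raised through it by hunt_alert.
        msg: the HttpMessage under scan; only its request URI and parameter
             names are read.
        src: unused here (ZAP passes the response source to passive scripts).

    Each base-URI + parameter-name combination is examined at most once:
    a comma-joined record of combinations already seen is kept in the
    "hunt" global script variable.  That record only grows during a ZAP
    session, and the membership test is a substring scan over it.
    """
    uri = msg.getRequestHeader().getURI().toString()
    params = [p.lower() for p in msg.getParamNames()]
    base_uri = _BASE_URI_RE.search(uri)
    # Nothing to match on, or not an http(s) URL with a path: skip quietly.
    if not params or not base_uri:
        return

    url_param_repr = base_uri.group() + str(params)
    # The global var is None until first use.  `or ""` replaces the original
    # max(value, "") trick, which coalesces None only on Python 2 (where None
    # sorts below strings) and raises TypeError on Python 3.
    seen = ScriptVars.getGlobalVar("hunt") or ""
    if url_param_repr in seen:
        return
    ScriptVars.setGlobalVar("hunt", seen + ' , ' + url_param_repr)

    # One pass per category; hunt_alert is called even when `result` is
    # empty, exactly as the original per-category calls did -- it is assumed
    # to ignore an empty match list.
    for title, words, text in _HUNT_CHECKS:
        result = find_words_in_params(params, words)
        hunt_alert(ps, msg, uri, result, title, text)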