def get_script_body(urls, requests, request_headers, response_data):
js_body_rows = []
js_body_path = []
js_comment_rows = []
js_comment_path = []
hash_group = []
for i in xrange(0, requests):
protocol = urls[i]["protocol"]
domain = urls[i]["url"]
path = urls[i]["path"]
params = urls[i]["params"]
query = urls[i]["query"]
full_path = protocol + "://" + domain + path
body_js = re.findall(r'(?s)<script.+?</script>', response_data[i])
comment_js = re.findall(r'(?s)/\*.+?\*/', str(body_js))
for script in body_js:
if utils.md5_object(full_path + script) not in hash_group:
if full_path not in js_body_path:
content = jsbeautifier.js_beautify(script, "")
content = utils.syntaxhighlighter(
"js", rpt.href(full_path), utils.html_escape(content))
js_body_rows.append("<td>" + rpt.href(full_path) +
"</td><td>" +
rpt.href(str(i) + "body") + "</td>")
hash_group.append(utils.md5_object(full_path + script))
js_body_path.append(full_path)
else:
content = jsbeautifier.js_beautify(script, "")
content = utils.syntaxhighlighter(
"js", rpt.href(full_path), utils.html_escape(content))
rpt.make_module_report_file(content, str(i) + "body")
for comment in comment_js:
if utils.md5_object(full_path + comment) not in hash_group:
if full_path not in js_comment_path:
content = utils.syntaxhighlighter(
"js", rpt.href(full_path), utils.html_escape(comment))
js_comment_rows.append("<td>" + rpt.href(full_path) +
"</td><td>" +
rpt.href(str(i) + "comment") +
"</td>")
hash_group.append(utils.md5_object(full_path + comment))
js_comment_path.append(full_path)
else:
content = utils.syntaxhighlighter(
"js", rpt.href(full_path), utils.html_escape(comment))
rpt.make_module_report_file(content, str(i) + "comment")
js_body = [js_body_rows, js_comment_rows]
return js_body
def xml_analys(urls, requests, response_body, response_headers):
url = urls
xml_full_path = []
xml_rows = []
for i in xrange(0, requests):
protocol = url[i]["protocol"]
domain = url[i]["url"]
path = url[i]["path"]
params = url[i]["params"]
query = url[i]["query"]
full_path = protocol + "://" + domain + path
if response_headers[i].has_key("Content-Type"):
if "xml" in str(response_headers[i]["Content-Type"]
) and full_path not in xml_full_path:
xml_full_path.append(full_path)
content = utils.syntaxhighlighter("xml", rpt.href(full_path),
response_body[i])
xml_rows.append("<td>" + rpt.href(full_path) + "</td><td>" +
rpt.href(str(i) + "file") + "</td>")
rpt.make_module_report_file(content, str(i) + "file")
collums = {"XML": ["Path", "XML Analyzed"]}
rows = {"XML": xml_rows}
tip = ""
rpt.make_table("xml", tip, collums, rows)
def xml_analys(urls, requests, response_body, response_headers):
url = urls
xml_full_path = []
xml_rows = []
for i in xrange(0, requests):
protocol = url[i]["protocol"]
domain = url[i]["url"]
path = url[i]["path"]
params = url[i]["params"]
query = url[i]["query"]
full_path = protocol + "://" + domain + path
if response_headers[i].has_key("Content-Type"):
if "xml" in str(response_headers[i]["Content-Type"]) and full_path not in xml_full_path:
xml_full_path.append(full_path)
content = utils.syntaxhighlighter("xml", rpt.href(full_path), response_body[i])
xml_rows.append("<td>" + rpt.href(full_path) + "</td><td>" + rpt.href(str(i) + "file") + "</td>")
rpt.make_module_report_file(content, str(i) + "file")
collums = {"XML":["Path", "XML Analyzed"]}
rows = {"XML":xml_rows}
tip = ""
rpt.make_table("xml", tip, collums, rows)
def js_analys(urls, requests, response_data, request_headers, response_headers):
js_rows = []
js_full_path = []
for i in xrange(0, requests):
protocol = urls[i]["protocol"]
domain = urls[i]["url"]
path = urls[i]["path"]
params = urls[i]["params"]
query = urls[i]["query"]
full_path = protocol + "://" + domain + path
if response_headers[i].has_key("Content-Type"):
if "javascript" in str(response_headers[i]["Content-Type"]) and full_path not in js_full_path:
source_warnings = utils.grep_statement("javascript_patterns", response_data[i], "source")
sink_warnings = utils.grep_statement("javascript_patterns", response_data[i], "sink")
content = jsbeautifier.js_beautify(response_data[i], "")
content = utils.syntaxhighlighter("js", rpt.href(full_path), content)
if request_headers[i].has_key("Referer") is True:
origin = rpt.href(request_headers[i]["Referer"])
else:
origin = "No Referer Header"
js_rows.append("<td>" + rpt.href(full_path) + "</td><td>" + origin + "</td><td>" + rpt.href(str(i) + "file") + "</td><td>" + source_warnings + "</td><td>" + sink_warnings + "</td>")
rpt.make_module_report_file(content, str(i) + "file")
js_full_path.append(full_path)
return js_rows
def get_script_body(urls, requests, request_headers, response_data):
js_body_rows = []
js_body_path = []
js_comment_rows = []
js_comment_path = []
hash_group = []
for i in xrange(0, requests):
protocol = urls[i]["protocol"]
domain = urls[i]["url"]
path = urls[i]["path"]
params = urls[i]["params"]
query = urls[i]["query"]
full_path = protocol + "://" + domain + path
body_js = re.findall(r'(?s)<script.+?</script>', response_data[i])
comment_js = re.findall(r'(?s)/\*.+?\*/', str(body_js))
for script in body_js:
if utils.md5_object(full_path + script) not in hash_group:
if full_path not in js_body_path:
content = jsbeautifier.js_beautify(script, "")
content = utils.syntaxhighlighter("js", rpt.href(full_path), utils.html_escape(content))
js_body_rows.append("<td>" + rpt.href(full_path) + "</td><td>" + rpt.href(str(i) + "body") + "</td>")
hash_group.append(utils.md5_object(full_path + script))
js_body_path.append(full_path)
else:
content = jsbeautifier.js_beautify(script, "")
content = utils.syntaxhighlighter("js", rpt.href(full_path), utils.html_escape(content))
rpt.make_module_report_file(content, str(i) + "body")
for comment in comment_js:
if utils.md5_object(full_path + comment) not in hash_group:
if full_path not in js_comment_path:
content = utils.syntaxhighlighter("js", rpt.href(full_path), utils.html_escape(comment))
js_comment_rows.append("<td>" + rpt.href(full_path) + "</td><td>" + rpt.href(str(i) + "comment") + "</td>")
hash_group.append(utils.md5_object(full_path + comment))
js_comment_path.append(full_path)
else:
content = utils.syntaxhighlighter("js", rpt.href(full_path), utils.html_escape(comment))
rpt.make_module_report_file(content, str(i) + "comment")
js_body = [js_body_rows, js_comment_rows]
return js_body
def js_analys(urls, requests, response_data, request_headers,
response_headers):
js_rows = []
js_full_path = []
for i in xrange(0, requests):
protocol = urls[i]["protocol"]
domain = urls[i]["url"]
path = urls[i]["path"]
params = urls[i]["params"]
query = urls[i]["query"]
full_path = protocol + "://" + domain + path
if response_headers[i].has_key("Content-Type"):
if "javascript" in str(response_headers[i]["Content-Type"]
) and full_path not in js_full_path:
source_warnings = utils.grep_statement("javascript_patterns",
response_data[i],
"source")
sink_warnings = utils.grep_statement("javascript_patterns",
response_data[i], "sink")
content = jsbeautifier.js_beautify(response_data[i], "")
content = utils.syntaxhighlighter("js", rpt.href(full_path),
content)
if request_headers[i].has_key("Referer") is True:
origin = rpt.href(request_headers[i]["Referer"])
else:
origin = "No Referer Header"
js_rows.append("<td>" + rpt.href(full_path) + "</td><td>" +
origin + "</td><td>" +
rpt.href(str(i) + "file") + "</td><td>" +
source_warnings + "</td><td>" + sink_warnings +
"</td>")
rpt.make_module_report_file(content, str(i) + "file")
js_full_path.append(full_path)
return js_rows
def analysis(http_objs):
requests = http_objs["total_requests"]
response_body = http_objs["response_body"]
request_headers = http_objs["request_headers"]
response_headers = http_objs["response_headers"]
request_URLs = http_objs["request_URL"]
path_flasm = utils.parser_xml("conf/config.xml", "path", "flasm")
path_report = utils.__workspace_path__
swf_files = []
flash_rows = []
swf_paths = []
rpt = report.htmltags()
for i in xrange(0, requests):
protocol = request_URLs[i]["protocol"]
url = request_URLs[i]["url"]
path = request_URLs[i]["path"]
params = request_URLs[i]["params"]
query = request_URLs[i]["query"]
full_path = protocol + "://" + url + path
if path.endswith(".swf"):
split_url = full_path.split('/')
file = len(split_url)
getoutput('cd ' + path_report + ';' + utils.curl_conn() +
' ' + full_path + ';' + path_flasm[0] + '/./flasm -d ' +
split_url[file - 1] + ' > ' + split_url[file - 1] + '.html')
swf_files.append(split_url[file - 1] + '.html')
swf_paths.append(rpt.href(full_path))
if request_headers[i].has_key("Referer") is True:
origin = rpt.href(request_headers[i]["Referer"])
else:
origin = "No Referer Header"
for i in swf_files:
readfile = open(path_report + i, "r")
swf_content = readfile.read()
content = ""
text_warning = utils.grep_statement("flash_patterns", swf_content, "text")
load_warning = utils.grep_statement("flash_patterns", swf_content, "load")
net_warning = utils.grep_statement("flash_patterns", swf_content, "net")
url_warning = utils.grep_statement("flash_patterns", swf_content, "url")
crossdomain_warning = utils.grep_statement("flash_patterns", swf_content, "crossdomain")
xml_warning = utils.grep_statement("flash_patterns", swf_content, "xml")
lso_warning = utils.grep_statement("flash_patterns", swf_content, "lso")
header_warning = utils.grep_statement("flash_patterns", swf_content, "header")
externalinterface_warning = utils.grep_statement("flash_patterns", swf_content, "externalinterface")
globalvariables_warning = utils.grep_statement("flash_patterns", swf_content, "globalvariables")
content = content + utils.syntaxhighlighter("as3", rpt.href(full_path), swf_content)
rpt.make_module_report_file(content, str(i) + "ActionScript")
flash_rows.append("<td>" + rpt.href(full_path) + "</td><td>" + origin + "</td><td>" + rpt.href(str(i) + "ActionScript") + "</td><td>" + text_warning + "</td><td>" + load_warning + "</td><td>" + net_warning + "</td>" + "</td><td>" + url_warning + "</td><td>" + crossdomain_warning + "</td><td>" + xml_warning + "</td><td>" + lso_warning + "</td><td>" + header_warning + "</td><td>" + externalinterface_warning + "</td><td>" + globalvariables_warning +"</td>")
collums = {"flash":["Path", "Origin", "Flash Analyzed", "Text Write", "Load", "Net Connections",
"Url Parameter", "Cross Domain", "XML Send", "lSO", "Add Header", "External Interface", "Global Variables"]}
rows = {"flash":flash_rows}
tip = "Tip: <a href='https://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project' target='_blank'>OWASP Flash Security Project</a> and <a href='https://www.owasp.org/index.php/Flash_Testing' target='_blank'>OWASP Testing Guide - Flash</a>"
rpt.make_table("flash", tip, collums, rows)
def analysis(http_objs):
requests = http_objs["total_requests"]
response_body = http_objs["response_body"]
request_headers = http_objs["request_headers"]
response_headers = http_objs["response_headers"]
request_URLs = http_objs["request_URL"]
path_flasm = utils.parser_xml("conf/config.xml", "path", "flasm")
path_report = utils.__workspace_path__
swf_files = []
flash_rows = []
swf_paths = []
rpt = report.htmltags()
for i in xrange(0, requests):
protocol = request_URLs[i]["protocol"]
url = request_URLs[i]["url"]
path = request_URLs[i]["path"]
params = request_URLs[i]["params"]
query = request_URLs[i]["query"]
full_path = protocol + "://" + url + path
if path.endswith(".swf"):
split_url = full_path.split('/')
file = len(split_url)
getoutput('cd ' + path_report + ';' + utils.curl_conn() + ' ' +
full_path + ';' + path_flasm[0] + '/./flasm -d ' +
split_url[file - 1] + ' > ' + split_url[file - 1] +
'.html')
swf_files.append(split_url[file - 1] + '.html')
swf_paths.append(rpt.href(full_path))
if request_headers[i].has_key("Referer") is True:
origin = rpt.href(request_headers[i]["Referer"])
else:
origin = "No Referer Header"
for i in swf_files:
readfile = open(path_report + i, "r")
swf_content = readfile.read()
content = ""
text_warning = utils.grep_statement("flash_patterns", swf_content,
"text")
load_warning = utils.grep_statement("flash_patterns", swf_content,
"load")
net_warning = utils.grep_statement("flash_patterns", swf_content,
"net")
url_warning = utils.grep_statement("flash_patterns", swf_content,
"url")
crossdomain_warning = utils.grep_statement("flash_patterns",
swf_content, "crossdomain")
xml_warning = utils.grep_statement("flash_patterns", swf_content,
"xml")
lso_warning = utils.grep_statement("flash_patterns", swf_content,
"lso")
header_warning = utils.grep_statement("flash_patterns", swf_content,
"header")
externalinterface_warning = utils.grep_statement(
"flash_patterns", swf_content, "externalinterface")
globalvariables_warning = utils.grep_statement("flash_patterns",
swf_content,
"globalvariables")
content = content + utils.syntaxhighlighter("as3", rpt.href(full_path),
swf_content)
rpt.make_module_report_file(content, str(i) + "ActionScript")
flash_rows.append("<td>" + rpt.href(full_path) + "</td><td>" + origin +
"</td><td>" + rpt.href(str(i) + "ActionScript") +
"</td><td>" + text_warning + "</td><td>" +
load_warning + "</td><td>" + net_warning + "</td>" +
"</td><td>" + url_warning + "</td><td>" +
crossdomain_warning + "</td><td>" + xml_warning +
"</td><td>" + lso_warning + "</td><td>" +
header_warning + "</td><td>" +
externalinterface_warning + "</td><td>" +
globalvariables_warning + "</td>")
collums = {
"flash": [
"Path", "Origin", "Flash Analyzed", "Text Write", "Load",
"Net Connections", "Url Parameter", "Cross Domain", "XML Send",
"lSO", "Add Header", "External Interface", "Global Variables"
]
}
rows = {"flash": flash_rows}
tip = "Tip: <a href='https://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project' target='_blank'>OWASP Flash Security Project</a> and <a href='https://www.owasp.org/index.php/Flash_Testing' target='_blank'>OWASP Testing Guide - Flash</a>"
rpt.make_table("flash", tip, collums, rows)
