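def get_script_body(urls, requests, request_headers, response_data):
    """Collect inline ``<script>`` blocks and their ``/* */`` comments for the report.

    For each of the ``requests`` captured responses, every inline
    ``<script>...</script>`` block found in ``response_data[i]`` is
    beautified, HTML-escaped and syntax-highlighted, and all unique blocks of
    that response are written together to the module report file
    ``"<i>body"``.  The ``/* ... */`` comments found inside those blocks are
    handled the same way and written to ``"<i>comment"``.  One table row per
    distinct page URL is produced for each of the two categories.

    Args:
        urls: list of dicts with ``protocol``, ``url`` (host) and ``path``
            keys, one per captured request.
        requests: number of entries to process.
        request_headers: unused here; kept for signature compatibility with
            the sibling analysis helpers.
        response_data: list of response bodies (str), indexed like ``urls``.

    Returns:
        ``[js_body_rows, js_comment_rows]``: two lists of ``<td>...</td>``
        strings, one entry per distinct page URL that yielded content.

    Notes:
        ``rpt``, ``utils`` and ``jsbeautifier`` are module-level names.
        Response bodies are attacker-controlled page content that ends up
        inside an HTML report, so every snippet goes through
        ``utils.html_escape`` before it is embedded.

        Fixes relative to the previous version: comments were extracted
        from ``str(body_js)`` (the list's repr, which mangles newlines and
        quotes and can match across script boundaries) instead of from the
        script text; and every script of a response was written to the same
        file ``"<i>body"`` in turn, so only the last one survived on disk.
    """
    js_body_rows = []
    js_body_path = []
    js_comment_rows = []
    js_comment_path = []
    # md5 of (page URL + snippet) for every snippet already reported, so an
    # identical script/comment on the same page is not written twice.
    seen_hashes = set()

    script_re = re.compile(r'(?s)<script.+?</script>')
    comment_re = re.compile(r'(?s)/\*.+?\*/')

    for i in range(0, requests):
        protocol = urls[i]["protocol"]
        domain = urls[i]["url"]
        path = urls[i]["path"]
        full_path = protocol + "://" + domain + path
        page_href = rpt.href(full_path)

        body_js = script_re.findall(response_data[i])
        # Search the script text itself, not the repr of the list.
        comment_js = comment_re.findall("\n".join(body_js))

        body_parts = []
        for script in body_js:
            digest = utils.md5_object(full_path + script)
            if digest in seen_hashes:
                continue
            seen_hashes.add(digest)
            pretty = jsbeautifier.js_beautify(script, "")
            body_parts.append(utils.syntaxhighlighter(
                "js", page_href, utils.html_escape(pretty)))
        if body_parts:
            # One row per page URL; the row links to the file "<i>body".
            if full_path not in js_body_path:
                js_body_rows.append("<td>" + page_href + "</td><td>" +
                                    rpt.href(str(i) + "body") + "</td>")
                js_body_path.append(full_path)
            rpt.make_module_report_file("".join(body_parts), str(i) + "body")

        comment_parts = []
        for comment in comment_js:
            digest = utils.md5_object(full_path + comment)
            if digest in seen_hashes:
                continue
            seen_hashes.add(digest)
            comment_parts.append(utils.syntaxhighlighter(
                "js", page_href, utils.html_escape(comment)))
        if comment_parts:
            if full_path not in js_comment_path:
                js_comment_rows.append("<td>" + page_href + "</td><td>" +
                                       rpt.href(str(i) + "comment") +
                                       "</td>")
                js_comment_path.append(full_path)
            rpt.make_module_report_file("".join(comment_parts),
                                        str(i) + "comment")

    return [js_body_rows, js_comment_rows]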
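def xml_analys(urls, requests, response_body, response_headers):
    """Write every XML response to a report file and build the "xml" table.

    A response counts as XML when its ``Content-Type`` header contains the
    substring ``"xml"`` (note this also matches e.g. ``application/xhtml+xml``
    and ``image/svg+xml``).  Each distinct page URL is reported once, with a
    link to the report file ``"<i>file"`` holding the highlighted body.

    Args:
        urls: list of dicts with ``protocol``, ``url`` (host) and ``path``
            keys, one per captured request.
        requests: number of entries to process.
        response_body: list of response bodies (str), indexed like ``urls``.
        response_headers: list of header dicts, indexed like ``urls``.  The
            lookup uses the exact key ``"Content-Type"``; a differently cased
            header name would be missed -- verify against the capture layer.

    Returns:
        None.  Side effects: one report file per XML response via
        ``rpt.make_module_report_file`` and the summary table via
        ``rpt.make_table``.  ``rpt`` and ``utils`` are module-level names.

    Security:
        The response body is attacker-controlled content that is embedded in
        an HTML report; it is passed through ``utils.html_escape`` first, as
        ``get_script_body`` already does for inline scripts.
    """
    xml_full_path = []
    xml_rows = []

    for i in range(0, requests):
        protocol = urls[i]["protocol"]
        domain = urls[i]["url"]
        path = urls[i]["path"]
        full_path = protocol + "://" + domain + path

        headers = response_headers[i]
        if "Content-Type" not in headers:
            continue
        if "xml" not in str(headers["Content-Type"]):
            continue
        if full_path in xml_full_path:
            continue

        xml_full_path.append(full_path)
        page_href = rpt.href(full_path)
        content = utils.syntaxhighlighter(
            "xml", page_href, utils.html_escape(response_body[i]))
        xml_rows.append("<td>" + page_href + "</td><td>" +
                        rpt.href(str(i) + "file") + "</td>")
        rpt.make_module_report_file(content, str(i) + "file")

    collums = {"XML": ["Path", "XML Analyzed"]}
    rows = {"XML": xml_rows}

    tip = ""

    rpt.make_table("xml", tip, collums, rows)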
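def xml_analys(urls, requests, response_body, response_headers):
    """Write every XML response to a report file and build the "xml" table.

    A response counts as XML when its ``Content-Type`` header contains the
    substring ``"xml"`` (this also matches e.g. ``application/xhtml+xml`` and
    ``image/svg+xml``).  Each distinct page URL is reported once, with a link
    to the report file ``"<i>file"`` holding the highlighted body.

    Args:
        urls: list of dicts with ``protocol``, ``url`` (host) and ``path``
            keys, one per captured request.
        requests: number of entries to process.
        response_body: list of response bodies (str), indexed like ``urls``.
        response_headers: list of header dicts, indexed like ``urls``.  Only
            the exact key ``"Content-Type"`` is looked up; other casings of
            the header name are missed -- verify against the capture layer.

    Returns:
        None.  Side effects: one report file per XML response and the
        summary table, both through the module-level ``rpt``.

    Security:
        The response body is attacker-controlled content embedded in an HTML
        report, so it is HTML-escaped before highlighting, matching what
        ``get_script_body`` does for inline scripts.
    """
    seen_paths = []
    xml_rows = []

    for i in range(0, requests):
        entry = urls[i]
        full_path = entry["protocol"] + "://" + entry["url"] + entry["path"]

        headers = response_headers[i]
        is_xml = ("Content-Type" in headers and
                  "xml" in str(headers["Content-Type"]))
        if not is_xml or full_path in seen_paths:
            continue

        seen_paths.append(full_path)
        link = rpt.href(full_path)
        highlighted = utils.syntaxhighlighter(
            "xml", link, utils.html_escape(response_body[i]))
        xml_rows.append("<td>" + link + "</td><td>" +
                        rpt.href(str(i) + "file") + "</td>")
        rpt.make_module_report_file(highlighted, str(i) + "file")

    collums = {"XML": ["Path", "XML Analyzed"]}
    rows = {"XML": xml_rows}

    tip = ""

    rpt.make_table("xml", tip, collums, rows)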
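def js_analys(urls, requests, response_data, request_headers, response_headers):
    """Report every JavaScript response together with source/sink pattern hits.

    A response counts as JavaScript when its ``Content-Type`` header contains
    ``"javascript"``.  Each distinct script URL is reported once: the body is
    grepped with the ``javascript_patterns`` "source" and "sink" rule groups,
    beautified, HTML-escaped, highlighted and written to the report file
    ``"<i>file"``.

    Args:
        urls: list of dicts with ``protocol``, ``url`` (host) and ``path``
            keys, one per captured request.
        requests: number of entries to process.
        response_data: list of response bodies (str), indexed like ``urls``.
        request_headers: list of request header dicts; ``Referer`` is shown
            as the script's origin when present.
        response_headers: list of response header dicts; only the exact key
            ``"Content-Type"`` is looked up.

    Returns:
        list of ``<td>...</td>`` row strings with five cells: path, origin
        (Referer link or ``"No Referer Header"``), report link, source
        warnings, sink warnings.

    Security:
        The script body is attacker-controlled and is embedded in an HTML
        report, so it is passed through ``utils.html_escape`` before
        highlighting, as ``get_script_body`` already does.  The Referer value
        is also attacker-influenced; whether ``rpt.href`` escapes it is not
        visible here -- NOTE(review): confirm before trusting that cell.
    """
    js_rows = []
    js_full_path = []

    for i in range(0, requests):
        protocol = urls[i]["protocol"]
        domain = urls[i]["url"]
        path = urls[i]["path"]
        full_path = protocol + "://" + domain + path

        headers = response_headers[i]
        if "Content-Type" not in headers:
            continue
        if "javascript" not in str(headers["Content-Type"]):
            continue
        if full_path in js_full_path:
            continue

        body = response_data[i]
        source_warnings = utils.grep_statement("javascript_patterns", body, "source")
        sink_warnings = utils.grep_statement("javascript_patterns", body, "sink")
        page_href = rpt.href(full_path)
        content = jsbeautifier.js_beautify(body, "")
        content = utils.syntaxhighlighter("js", page_href, utils.html_escape(content))

        if "Referer" in request_headers[i]:
            origin = rpt.href(request_headers[i]["Referer"])
        else:
            origin = "No Referer Header"

        cells = [page_href, origin, rpt.href(str(i) + "file"),
                 source_warnings, sink_warnings]
        js_rows.append("".join("<td>" + cell + "</td>" for cell in cells))
        rpt.make_module_report_file(content, str(i) + "file")
        js_full_path.append(full_path)

    return js_rows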
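def get_script_body(urls, requests, request_headers, response_data):
    """Collect inline ``<script>`` blocks and their ``/* */`` comments for the report.

    For each captured response, every inline ``<script>...</script>`` block
    is beautified, HTML-escaped and highlighted; all unique blocks of one
    response are written together to the report file ``"<i>body"``.  The
    ``/* ... */`` comments found inside those blocks get the same treatment
    and go to ``"<i>comment"``.  One table row per distinct page URL is
    produced for each category.

    Args:
        urls: list of dicts with ``protocol``, ``url`` (host) and ``path``
            keys, one per captured request.
        requests: number of entries to process.
        request_headers: unused; kept for signature compatibility with the
            sibling helpers.
        response_data: list of response bodies (str), indexed like ``urls``.

    Returns:
        ``[js_body_rows, js_comment_rows]``: two lists of ``<td>...</td>``
        strings, one per distinct page URL that yielded content.

    Notes:
        ``rpt``, ``utils`` and ``jsbeautifier`` are module-level names.  All
        snippets are attacker-controlled page content headed for an HTML
        report, hence ``utils.html_escape`` on every one of them.

        Two defects of the earlier version are fixed here: comments were
        searched in ``str(body_js)`` (the list repr, which mangles newlines
        and quotes and can match across script boundaries) rather than in
        the script text, and each script of a response overwrote the same
        report file so only the last one was kept.
    """
    body_rows = []
    body_paths = []
    comment_rows = []
    comment_paths = []
    # md5(page URL + snippet) of everything already reported; identical
    # snippets on the same page are emitted only once.
    seen = set()

    find_scripts = re.compile(r'(?s)<script.+?</script>').findall
    find_comments = re.compile(r'(?s)/\*.+?\*/').findall

    def _unique(snippets, page):
        """Yield snippets not yet seen for this page, recording their hash."""
        for snippet in snippets:
            digest = utils.md5_object(page + snippet)
            if digest not in seen:
                seen.add(digest)
                yield snippet

    for i in range(0, requests):
        entry = urls[i]
        full_path = entry["protocol"] + "://" + entry["url"] + entry["path"]
        link = rpt.href(full_path)

        scripts = find_scripts(response_data[i])
        # Search the script text itself rather than the repr of the list.
        comments = find_comments("\n".join(scripts))

        script_html = [
            utils.syntaxhighlighter(
                "js", link, utils.html_escape(jsbeautifier.js_beautify(s, "")))
            for s in _unique(scripts, full_path)
        ]
        if script_html:
            if full_path not in body_paths:
                body_rows.append("<td>" + link + "</td><td>" +
                                 rpt.href(str(i) + "body") + "</td>")
                body_paths.append(full_path)
            rpt.make_module_report_file("".join(script_html), str(i) + "body")

        comment_html = [
            utils.syntaxhighlighter("js", link, utils.html_escape(c))
            for c in _unique(comments, full_path)
        ]
        if comment_html:
            if full_path not in comment_paths:
                comment_rows.append("<td>" + link + "</td><td>" +
                                    rpt.href(str(i) + "comment") + "</td>")
                comment_paths.append(full_path)
            rpt.make_module_report_file("".join(comment_html),
                                        str(i) + "comment")

    return [body_rows, comment_rows]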
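def js_analys(urls, requests, response_data, request_headers,
              response_headers):
    """Report every JavaScript response together with source/sink pattern hits.

    A response counts as JavaScript when its ``Content-Type`` header contains
    ``"javascript"``.  Each distinct script URL is reported once: the body is
    grepped with the ``javascript_patterns`` "source" and "sink" groups,
    beautified, HTML-escaped, highlighted and written to ``"<i>file"``.

    Args:
        urls: list of dicts with ``protocol``, ``url`` (host) and ``path``
            keys, one per captured request.
        requests: number of entries to process.
        response_data: list of response bodies (str), indexed like ``urls``.
        request_headers: list of request header dicts; ``Referer`` becomes
            the origin cell when present.
        response_headers: list of response header dicts; only the exact key
            ``"Content-Type"`` is consulted.

    Returns:
        list of ``<td>...</td>`` row strings: path, origin (Referer link or
        ``"No Referer Header"``), report link, source warnings, sink warnings.

    Security:
        The script body is attacker-controlled and lands in an HTML report,
        so it is HTML-escaped before highlighting, matching
        ``get_script_body``.  The Referer is attacker-influenced as well;
        NOTE(review): it is only visible that ``rpt.href`` wraps it, not
        whether it escapes it -- confirm.
    """
    rows = []
    reported = []

    for i in range(0, requests):
        entry = urls[i]
        full_path = entry["protocol"] + "://" + entry["url"] + entry["path"]

        headers = response_headers[i]
        is_js = ("Content-Type" in headers and
                 "javascript" in str(headers["Content-Type"]))
        if not is_js or full_path in reported:
            continue

        body = response_data[i]
        warnings = [
            utils.grep_statement("javascript_patterns", body, kind)
            for kind in ("source", "sink")
        ]
        link = rpt.href(full_path)
        pretty = jsbeautifier.js_beautify(body, "")
        highlighted = utils.syntaxhighlighter(
            "js", link, utils.html_escape(pretty))

        req_headers = request_headers[i]
        origin = ("No Referer Header" if "Referer" not in req_headers
                  else rpt.href(req_headers["Referer"]))

        cells = [link, origin, rpt.href(str(i) + "file")] + warnings
        rows.append("".join("<td>" + c + "</td>" for c in cells))
        rpt.make_module_report_file(highlighted, str(i) + "file")
        reported.append(full_path)

    return rows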
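def analysis(http_objs):
    """Decompile every requested ``.swf`` with flasm and build the "flash" table.

    For each captured request whose path ends in ``.swf``, the file is
    fetched with curl into the workspace directory, disassembled with
    ``flasm -d`` into ``<name>.swf.html``, and that disassembly is grepped
    with the ``flash_patterns`` rule groups.  One row per SWF goes into the
    ``flash`` table, linking to the report file ``"<name>.swf.htmlActionScript"``.

    Args:
        http_objs: dict with ``total_requests``, ``request_headers`` and
            ``request_URL`` (a list of dicts with ``protocol``, ``url`` and
            ``path`` keys).

    Returns:
        None.  Side effects: downloaded SWFs and flasm output under
        ``utils.__workspace_path__``, plus the report via ``rpt.make_table``.

    Security:
        ``full_path`` and the SWF file name come straight from captured
        traffic and are attacker-controlled.  The previous version spliced
        them into a single shell command string (``cd ...; curl ...;
        flasm ... > ...``), so a crafted URL could run arbitrary commands on
        the analyst's machine.  They are now passed as separate argv entries
        to ``subprocess`` with no shell.  ``utils.curl_conn()`` is assumed to
        return a plain command prefix (e.g. ``"curl -s -O"``) that
        ``shlex.split`` can tokenize; it must not rely on shell pipes or
        redirects -- confirm against utils.

    Fixes:
        Every row used to carry the URL and Referer of the *last* request of
        the first loop (``full_path``/``origin`` leaked out of that loop), the
        row had a stray extra ``</td>`` cell against 13 headers, and the
        flasm output file was never closed.
    """
    import shlex
    import subprocess

    requests = http_objs["total_requests"]
    request_headers = http_objs["request_headers"]
    request_URLs = http_objs["request_URL"]

    path_flasm = utils.parser_xml("conf/config.xml", "path", "flasm")
    path_report = utils.__workspace_path__
    flasm_bin = path_flasm[0] + '/flasm'
    curl_argv = shlex.split(utils.curl_conn())

    rpt = report.htmltags()

    # (flasm output file name, page link, origin link) per downloaded SWF.
    swf_entries = []

    for i in range(0, requests):
        protocol = request_URLs[i]["protocol"]
        url = request_URLs[i]["url"]
        path = request_URLs[i]["path"]
        full_path = protocol + "://" + url + path

        if not path.endswith(".swf"):
            continue

        swf_name = full_path.split('/')[-1]
        html_name = swf_name + '.html'

        # No shell: nothing in the URL or file name is interpreted.  curl is
        # expected to drop the file under its remote name in path_report
        # (the original relied on the same behaviour).  Return codes are not
        # checked, as before; a failed fetch yields an empty disassembly.
        subprocess.call(curl_argv + [full_path], cwd=path_report)
        with open(path_report + html_name, "w") as out:
            # "./" prefix so a name starting with "-" cannot become a flasm
            # option.
            subprocess.call([flasm_bin, "-d", "./" + swf_name],
                            cwd=path_report, stdout=out)

        if "Referer" in request_headers[i]:
            origin = rpt.href(request_headers[i]["Referer"])
        else:
            origin = "No Referer Header"
        swf_entries.append((html_name, rpt.href(full_path), origin))

    warning_groups = ["text", "load", "net", "url", "crossdomain", "xml",
                      "lso", "header", "externalinterface", "globalvariables"]
    flash_rows = []

    for html_name, page_href, origin in swf_entries:
        with open(path_report + html_name, "r") as readfile:
            swf_content = readfile.read()

        warnings = [utils.grep_statement("flash_patterns", swf_content, group)
                    for group in warning_groups]

        # The disassembly echoes attacker-chosen strings into an HTML report;
        # escape it as get_script_body does for inline scripts.
        content = utils.syntaxhighlighter(
            "as3", page_href, utils.html_escape(swf_content))
        report_name = html_name + "ActionScript"
        rpt.make_module_report_file(content, report_name)

        cells = [page_href, origin, rpt.href(report_name)] + warnings
        flash_rows.append("".join("<td>" + c + "</td>" for c in cells))

    collums = {"flash":["Path", "Origin", "Flash Analyzed", "Text Write", "Load", "Net Connections",
    "Url Parameter", "Cross Domain", "XML Send", "lSO", "Add Header", "External Interface", "Global Variables"]}
    rows = {"flash":flash_rows}

    tip = "Tip: <a href='https://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project' target='_blank'>OWASP Flash Security Project</a> and <a href='https://www.owasp.org/index.php/Flash_Testing' target='_blank'>OWASP Testing Guide - Flash</a>"

    rpt.make_table("flash", tip, collums, rows)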
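def analysis(http_objs):
    """Decompile every requested ``.swf`` with flasm and build the "flash" table.

    For each captured request whose path ends in ``.swf``, the file is
    fetched with curl into the workspace directory, disassembled with
    ``flasm -d`` into ``<name>.swf.html``, and the disassembly is grepped
    with the ``flash_patterns`` rule groups.  One row per SWF is added to
    the ``flash`` table, linking to ``"<name>.swf.htmlActionScript"``.

    Args:
        http_objs: dict with ``total_requests``, ``request_headers`` and
            ``request_URL`` (a list of dicts with ``protocol``, ``url`` and
            ``path`` keys).

    Returns:
        None.  Side effects: downloaded SWFs and flasm output under
        ``utils.__workspace_path__``, plus the report via ``rpt.make_table``.

    Security:
        The URL and the SWF file name are taken from captured traffic and
        are therefore attacker-controlled.  Previously they were concatenated
        into one shell command (``cd ...; curl ...; flasm ... > ...``), which
        let a crafted URL execute arbitrary commands on the analyst's host.
        They are now argv entries handed to ``subprocess`` without a shell.
        ``utils.curl_conn()`` is assumed to return a plain command prefix
        (e.g. ``"curl -s -O"``) suitable for ``shlex.split``; it must not
        depend on shell pipes or redirects -- confirm against utils.

    Fixes:
        ``full_path`` and ``origin`` leaked out of the download loop, so every
        row showed the last request's URL and Referer; the row emitted one
        ``</td>`` cell more than the 13 headers; the flasm output file was
        left open.
    """
    import shlex
    import subprocess

    requests = http_objs["total_requests"]
    request_headers = http_objs["request_headers"]
    request_URLs = http_objs["request_URL"]

    path_flasm = utils.parser_xml("conf/config.xml", "path", "flasm")
    path_report = utils.__workspace_path__
    flasm_bin = path_flasm[0] + '/flasm'
    curl_argv = shlex.split(utils.curl_conn())

    rpt = report.htmltags()

    def _fetch_and_disassemble(full_path):
        """Download ``full_path`` and run flasm on it; return the output file name."""
        swf_name = full_path.split('/')[-1]
        html_name = swf_name + '.html'
        # No shell involved; curl is expected to store the file under its
        # remote name inside path_report, as the original command assumed.
        # Exit codes are ignored as before (a failed fetch gives an empty
        # disassembly).
        subprocess.call(curl_argv + [full_path], cwd=path_report)
        with open(path_report + html_name, "w") as out:
            # "./" keeps a name beginning with "-" from being parsed as an
            # option by flasm.
            subprocess.call([flasm_bin, "-d", "./" + swf_name],
                            cwd=path_report, stdout=out)
        return html_name

    swf_entries = []  # (flasm output file name, page link, origin link)

    for i in range(0, requests):
        entry = request_URLs[i]
        if not entry["path"].endswith(".swf"):
            continue
        full_path = entry["protocol"] + "://" + entry["url"] + entry["path"]
        html_name = _fetch_and_disassemble(full_path)

        req_headers = request_headers[i]
        origin = ("No Referer Header" if "Referer" not in req_headers
                  else rpt.href(req_headers["Referer"]))
        swf_entries.append((html_name, rpt.href(full_path), origin))

    warning_groups = ("text", "load", "net", "url", "crossdomain", "xml",
                      "lso", "header", "externalinterface", "globalvariables")
    flash_rows = []

    for html_name, page_href, origin in swf_entries:
        with open(path_report + html_name, "r") as readfile:
            swf_content = readfile.read()

        warnings = [utils.grep_statement("flash_patterns", swf_content, group)
                    for group in warning_groups]

        # Attacker-chosen strings from the SWF end up in an HTML report;
        # escape them, as get_script_body does for inline scripts.
        highlighted = utils.syntaxhighlighter(
            "as3", page_href, utils.html_escape(swf_content))
        report_name = html_name + "ActionScript"
        rpt.make_module_report_file(highlighted, report_name)

        cells = [page_href, origin, rpt.href(report_name)] + warnings
        flash_rows.append("".join("<td>" + c + "</td>" for c in cells))

    collums = {
        "flash": [
            "Path", "Origin", "Flash Analyzed", "Text Write", "Load",
            "Net Connections", "Url Parameter", "Cross Domain", "XML Send",
            "lSO", "Add Header", "External Interface", "Global Variables"
        ]
    }
    rows = {"flash": flash_rows}

    tip = "Tip: <a href='https://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project' target='_blank'>OWASP Flash Security Project</a> and <a href='https://www.owasp.org/index.php/Flash_Testing' target='_blank'>OWASP Testing Guide - Flash</a>"

    rpt.make_table("flash", tip, collums, rows)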