Exemplo n.º 1
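    def audit(self, freq ):
        '''
        Check if the protocol specified in freq is https and fetch the same URL
        using http.
        ie:
            - input: https://a/
            - check: http://a/

        A finding is stored in the knowledge base when both responses have the
        same status code and their bodies pass relative_distance_boolean with
        a 0.97 threshold.

        @param freq: A fuzzableRequest
        '''
        if self._ignore_next_calls:
            return

        # Define some variables
        secure = freq.getURL()
        insecure = secure.setProtocol('http')

        if self._first_run:
            try:
                self._uri_opener.GET( insecure )
            except Exception:
                # The request failed because the HTTP port is closed or
                # something like that; we shouldn't test any other fuzzable
                # requests. Exception is caught instead of a bare except so
                # that KeyboardInterrupt / SystemExit still stop the scan.
                self._ignore_next_calls = True
                msg = 'HTTP port seems to be closed. Not testing any other URLs in unSSL.'
                om.out.debug( msg )
                return
            else:
                # Only perform the initial check once.
                self._first_run = False

        # It seems that we can request the insecure HTTP URL
        # (checked with the GET request)
        if 'HTTPS' != freq.getURL().getProtocol().upper():
            return

        # We are going to perform requests that (in normal cases)
        # are going to fail, so we set the ignore errors flag to True
        self._uri_opener.ignore_errors( True )
        try:
            https_response = self._uri_opener.send_mutant(freq)
            # NOTE(review): this rewrites the caller's request in place and it
            # is never switched back to the https URL.
            freq.setURL( insecure )
            http_response = self._uri_opener.send_mutant(freq)

            # NOTE(review): nothing here checks for an HTTP -> HTTPS redirect;
            # if the opener follows redirects, matching bodies may not mean
            # the content was really served over HTTP -- confirm.
            if http_response.getCode() == https_response.getCode():

                if relative_distance_boolean( http_response.getBody(),
                                              https_response.getBody(),
                                              0.97 ):
                    v = vuln.vuln( freq )
                    v.setPluginName(self.getName())
                    v.setName( 'Secure content over insecure channel' )
                    v.setSeverity(severity.MEDIUM)
                    msg = 'Secure content can be accesed using the insecure protocol HTTP.'
                    msg += ' The vulnerable URLs are: "' + secure + '" - "' + insecure + '" .'
                    v.setDesc( msg )
                    v.setId( [http_response.id, https_response.id] )
                    kb.kb.append( self, 'unSSL', v )
                    om.out.vulnerability( v.getDesc(), severity=v.getSeverity() )
        finally:
            # Disable error ignoring even when one of the requests raised, so
            # the shared opener does not keep ignoring errors for the plugins
            # that run afterwards.
            self._uri_opener.ignore_errors( False )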
Exemplo n.º 2
    def equal_with_limit(self, body1, body2, compare_diff=False):
        '''
        Decide whether two page bodies count as equal, using the similarity
        limit stored in self._eq_limit.

        When compare_diff is set, both bodies are first passed through diff()
        and the comparison runs on what diff() returns.
        '''
        left, right = diff(body1, body2) if compare_diff else (body1, body2)

        is_equal = relative_distance_boolean(left, right, self._eq_limit)
        self.debug('Result: %s' % is_equal)
        return is_equal
Exemplo n.º 3
    def equal_with_limit(self, body1, body2, compare_diff=False):
        '''
        Ratio-based equality check for two pages.

        The threshold comes from self._eq_limit. With compare_diff=True the
        inputs are replaced by the pair that diff(body1, body2) returns before
        they are compared.
        '''
        pages = (body1, body2)
        if compare_diff:
            pages = diff(body1, body2)
        first_page, second_page = pages

        outcome = relative_distance_boolean(first_page, second_page,
                                            self._eq_limit)
        self.debug('Result: %s' % outcome)

        return outcome
Exemplo n.º 4
Arquivo: csrf.py Projeto: weisst/w3af
    def _is_resp_equal(self, res1, res2):
        '''
        Tell whether two responses are equal: same status code and bodies
        that pass relative_distance_boolean with self._equal_limit.

        The bodies are only compared when the status codes match.

        @see: unittest for this method in test_csrf.py
        '''
        if res1.get_code() == res2.get_code():
            bodies_match = relative_distance_boolean(res1.body, res2.body,
                                                     self._equal_limit)
            return True if bodies_match else False

        return False
Exemplo n.º 5
    def _is_resp_equal(self, res1, res2):
        '''
        Compare two responses by status code first and, when the codes are
        the same, by body similarity against self._equal_limit.

        @see: unittest for this method in test_csrf.py
        '''
        codes_differ = res1.get_code() != res2.get_code()
        if codes_differ:
            return False

        similar = relative_distance_boolean(res1.body, res2.body,
                                            self._equal_limit)
        return bool(similar)
Exemplo n.º 6
    def test_all(self):
        # Each entry is (first string, second string, threshold). For every
        # entry relative_distance_boolean(a, b, t) has to give the same answer
        # as relative_distance(a, b) >= t.
        acceptance_tests = [
            ('a', 'a', 1.0),
            ('a', 'a', 0.1),
            ('a', 'a', 0.0),

            ('a', 'b', 1.0),
            ('a', 'b', 0.1),
            ('a', 'b', 0.0),

            ('a', 'ab', 1.0),
            ('a', 'ab', 0.1),

            ('a', 'b', 0.0000000000000000001),
            ('a', 'b' * 100, 1.0),

            ('a', 'ab', 0.66666666666),
            ('a', 'aab', 0.5),
            ('a', 'aaab', 0.4),
            ('a', 'aaaab',
             0.33333333333333333333333333333333333333333333333333333333),

            ('a' * 25, 'a', 1.0),
            ('aaa', 'aa', 1.0),
            ('a', 'a', 1.0),

            ('a' * 25, 'a', 0.076923076923076927),
            ('aaa', 'aa', 0.8),

            ('a', 'a', 0.0),
        ]

        msg = ('relative_distance_boolean and relative_distance returned'
               ' different results for the same parameters:\n'
               '    - %s\n'
               '    - %s\n'
               '    - Threshold: %s\n')

        for first, second, threshold in acceptance_tests:
            boolean_result = relative_distance_boolean(first, second,
                                                       threshold)
            ratio_result = relative_distance(first, second) >= threshold

            self.assertEqual(boolean_result, ratio_result,
                             msg % (first, second, threshold))
Exemplo n.º 7
    def test_all(self):
        # Table of (string, other string, threshold) cases, grouped the same
        # way as before: identical strings, different strings, one extra
        # character, extreme thresholds, growing suffixes, repeated characters.
        identical = [('a', 'a', 1.0), ('a', 'a', 0.1), ('a', 'a', 0.0)]
        different = [('a', 'b', 1.0), ('a', 'b', 0.1), ('a', 'b', 0.0)]
        one_extra = [('a', 'ab', 1.0), ('a', 'ab', 0.1)]
        extremes = [('a', 'b', 0.0000000000000000001),
                    ('a', 'b' * 100, 1.0)]
        suffixes = [
            ('a', 'ab', 0.66666666666),
            ('a', 'aab', 0.5),
            ('a', 'aaab', 0.4),
            ('a', 'aaaab', 0.33333333333333333333333333333333333333333333333333333333),
        ]
        repeated = [
            ('a' * 25, 'a', 1.0),
            ('aaa', 'aa', 1.0),
            ('a', 'a', 1.0),
            ('a' * 25, 'a', 0.076923076923076927),
            ('aaa', 'aa', 0.8),
            ('a', 'a', 0.0),
        ]
        acceptance_tests = (identical + different + one_extra + extremes +
                            suffixes + repeated)

        template = ''.join([
            'relative_distance_boolean and relative_distance returned',
            ' different results for the same parameters:\n',
            '    - %s\n',
            '    - %s\n',
            '    - Threshold: %s\n',
        ])

        for case in acceptance_tests:
            text_a, text_b, limit = case
            res1 = relative_distance_boolean(text_a, text_b, limit)
            res2 = relative_distance(text_a, text_b) >= limit

            # Both code paths have to agree for every threshold
            self.assertEqual(res1, res2, template % case)
Exemplo n.º 8
    def audit(self, freq, orig_response):
        '''
        Request the resource described by freq over both http and https and
        report a finding when the two answers look the same. ie:
            - input: https://w3af.org/
            - check: http://w3af.org/

        The check is skipped when the plain-HTTP answer redirects to the
        secure one (see self._redirects_to_secure), and self._run is cleared
        after the first error or the first finding.

        :param freq: A FuzzableRequest
        :param orig_response: Not used by this method
        '''
        if not self._run:
            return

        # Work on copies, the request and URI received from the caller are
        # not modified
        base_uri = freq.get_uri()
        insecure_uri = base_uri.copy()
        secure_uri = base_uri.copy()

        insecure_uri.set_protocol('http')
        insecure_fr = freq.copy()
        insecure_fr.set_url(insecure_uri)

        secure_uri.set_protocol('https')
        secure_fr = freq.copy()
        secure_fr.set_url(secure_uri)

        send = self._uri_opener.send_mutant

        try:
            insecure_response = send(insecure_fr, grep=False)
            secure_response = send(secure_fr, grep=False)
        except w3afException:
            # No vulnerability to report since one of these threw an error
            # (because there is nothing listening on that port). It makes
            # no sense to keep running since we already got an error
            self._run = False
            return

        if self._redirects_to_secure(insecure_response, secure_response):
            return

        if insecure_response.get_code() != secure_response.get_code():
            return

        if not relative_distance_boolean(insecure_response.get_body(),
                                         secure_response.get_body(),
                                         0.95):
            return

        description = ('Secure content can be accessed using the insecure'
                       ' protocol HTTP. The vulnerable URLs are:'
                       ' "%s" - "%s" .') % (secure_uri, insecure_uri)

        ids = [insecure_response.id, secure_response.id]

        finding = Vuln.from_fr('Secure content over insecure channel',
                               description, severity.MEDIUM, ids,
                               self.get_name(), freq)

        self.kb_append(self, 'un_ssl', finding)

        om.out.vulnerability(finding.get_desc(),
                             severity=finding.get_severity())

        # In most cases, when one resource is available, all are
        # so we just stop searching for this vulnerability
        self._run = False
Exemplo n.º 9
    def audit(self, freq, orig_response):
        '''
        Fetch the URL in freq once with http and once with https and flag the
        resource when the plain-HTTP answer is the same content. ie:
            - input: https://w3af.org/
            - check: http://w3af.org/

        Nothing is reported when self._redirects_to_secure() accepts the pair
        of responses. self._run is set to False after a w3afException or
        after a finding, which turns later calls into no-ops.

        :param freq: A FuzzableRequest
        :param orig_response: Not used by this method
        '''
        if not self._run:
            return

        original_uri = freq.get_uri()
        insecure_uri = original_uri.copy()
        secure_uri = original_uri.copy()

        # Plain HTTP variant of the request
        insecure_uri.set_protocol('http')
        insecure_fr = freq.copy()
        insecure_fr.set_url(insecure_uri)

        # HTTPS variant of the request
        secure_uri.set_protocol('https')
        secure_fr = freq.copy()
        secure_fr.set_url(secure_uri)

        opener = self._uri_opener

        try:
            insecure_response = opener.send_mutant(insecure_fr, grep=False)
            secure_response = opener.send_mutant(secure_fr, grep=False)
        except w3afException:
            # No vulnerability to report since one of these threw an error
            # (because there is nothing listening on that port). It makes
            # no sense to keep running since we already got an error
            self._run = False
            return

        if self._redirects_to_secure(insecure_response,
                                     secure_response):
            return

        same_content = (
            insecure_response.get_code() == secure_response.get_code()
            and relative_distance_boolean(insecure_response.get_body(),
                                          secure_response.get_body(),
                                          0.95)
        )
        if not same_content:
            return

        desc_fmt = 'Secure content can be accessed using the insecure'\
                   ' protocol HTTP. The vulnerable URLs are:'\
                   ' "%s" - "%s" .'
        desc = desc_fmt % (secure_uri, insecure_uri)

        evidence_ids = [insecure_response.id, secure_response.id]

        vulnerability = Vuln.from_fr('Secure content over insecure channel',
                                     desc, severity.MEDIUM, evidence_ids,
                                     self.get_name(), freq)

        self.kb_append(self, 'un_ssl', vulnerability)

        om.out.vulnerability(vulnerability.get_desc(),
                             severity=vulnerability.get_severity())

        # In most cases, when one resource is available, all are
        # so we just stop searching for this vulnerability
        self._run = False