def start(self, args):
# Initializations
self.sig = args["fuzzing_signature"] or self.sig
self.pm = PlaceholderManager(self.sig)
target = args["target"]
methods = self.init_methods(args)
headers = self.init_headers(args)
data = args["data"] or ""
self.init_detection_struct(args)
self.init_request.headers = headers
self.http_helper = HTTPHelper(self.init_request)
self.fuzzer = Fuzzer(self.http_helper)
# Finding the length of a placeholder
if args["mode"] == "length":
self.require(args, ["accepted_value"])
self.is_detection_set(args)
if len(methods) > 1:
Error("Only you need to specify only one Method")
print "Scanning mode: Length Detection"
ch = args["accepted_value"][0]
length = find_length(self.http_helper, self.length_signature,
target, methods[0], self.detection_struct, ch,
headers, data)
print "Placeholder Allowed Length = " + str(length)
# Detecting Allowed Sources
elif args["mode"] == "detect_accepted_sources":
self.is_detection_set(args)
self.require(
args,
["methods", "param_name", "accepted_value", "param_source"])
if len(methods) > 1:
Error("Only you need to specify only one Method")
print "Scanning mode: Allowed Sources Detection"
accepted_method = methods[0]
param_name = args["param_name"]
accepted_value = args["accepted_value"]
param_source = args["param_source"]
requests = detect_accepted_sources(self.http_helper, target, data,
headers, param_name,
param_source, accepted_value,
accepted_method)
responses = self.fuzz(args, requests)
analyze_accepted_sources(responses, self.detection_struct)
elif args["mode"] == "content_type_tamper":
print "Tampering Content-Type mode"
cnt_types = load_payload_file("./payloads/HTTP/content_types.txt")
new_headers = self.http_helper.add_header_param(
headers, "Content-Type", self.fsig)
self.pm = PlaceholderManager(self.sig)
requests = self.pm.transformed_http_requests(
self.http_helper,
methods,
target,
cnt_types, # Payloads
new_headers,
data)
responses = self.fuzz(args, requests)
for response in responses:
print "[->]Request"
print_request(response)
print "[<-]Response"
print_response(response)
print
# HPP modes
elif args["mode"] == "asp_hpp" or args["mode"] == "param_overwriting":
self.require(args, ["param_name", "param_source", "payloads"])
param_name = args["param_name"]
param_source = args["param_source"]
self.is_detection_set(args)
payloads = []
for p_file in args["payloads"]:
payloads += load_payload_file(p_file)
if args["mode"] == "asp_hpp":
print "Scanning mode: ASP HPP Parameter Splitting"
requests = asp_hpp(self.http_helper, methods, payloads,
param_name, param_source, target, headers,
data)
responses = self.fuzz(args, requests)
elif args["mode"] == "param_overwriting":
requests = param_overwrite(self.http_helper, param_name,
param_source, payloads[0], target,
data, headers)
responses = self.fuzz(args, requests)
analyze_responses(responses, self.http_helper,
self.detection_struct)
elif args["mode"] == "detect_chars":
self.is_detection_set(args)
payloads = []
for i in range(0, 256):
payloads.append(chr(i))
requests = self.pm.transformed_http_requests(
self.http_helper, methods, target, payloads, headers, data)
responses = self.fuzz(args, requests)
sent_payloads = analyze_chars(responses, self.http_helper,
self.detection_struct)
payloads = []
# urlencode blocked chars
if sent_payloads["detected"]:
print
print "URL encoding detected characters"
for bad_char in sent_payloads["detected"]:
payloads.append(urlencode(bad_char))
requests = self.pm.transformed_http_requests(
self.http_helper, methods, target, payloads, headers, data)
responses = self.fuzz(args, requests)
analyze_encoded_chars(responses, self.http_helper,
self.detection_struct)
print
print "UnicodeURL encoding detected characters"
payloads = []
# unicode urlencode blocked chars
for bad_char in sent_payloads["detected"]:
payloads.append(unicode_urlencode(bad_char))
requests = self.pm.transformed_http_requests(
self.http_helper, methods, target, payloads, headers, data)
responses = self.fuzz(args, requests)
analyze_encoded_chars(responses, self.http_helper,
self.detection_struct)
# Finding a white-listed character
good_char = None
for char in string.letters:
good_char = char
break
if not good_char:
for char in string.digits:
good_char = char
break
if not good_char:
good_char = sent_payloads["undetected"][0]
print
print "Sending a detected char followed by an undetected"
payloads = []
# add an accepted char before a blocked char
for bad_char in sent_payloads["detected"]:
payloads.append(bad_char + good_char)
requests = self.pm.transformed_http_requests(
self.http_helper, methods, target, payloads, headers, data)
responses = self.fuzz(args, requests)
analyze_encoded_chars(responses, self.http_helper,
self.detection_struct)
print
print "Sending a detected char after an undetected"
payloads = []
for bad_char in sent_payloads["detected"]:
payloads.append(good_char + bad_char)
requests = self.pm.transformed_http_requests(
self.http_helper, methods, target, payloads, headers, data)
responses = self.fuzz(args, requests)
analyze_encoded_chars(responses, self.http_helper,
self.detection_struct)
print "Sending an undetected char after a detected"
payloads = []
for bad_char in sent_payloads["detected"]:
payloads.append(bad_char + good_char)
requests = self.pm.transformed_http_requests(
self.http_helper, methods, target, payloads, headers, data)
responses = self.fuzz(args, requests)
analyze_encoded_chars(responses, self.http_helper,
self.detection_struct)
print "Sending an detected char surrounded by undetected chars"
payloads = []
for bad_char in sent_payloads["detected"]:
payloads.append(good_char + bad_char + good_char)
requests = self.pm.transformed_http_requests(
self.http_helper, methods, target, payloads, headers, data)
responses = self.fuzz(args, requests)
analyze_encoded_chars(responses, self.http_helper,
self.detection_struct)
# Fuzzing mode
elif args["mode"] == "fuzz":
fuzzing_placeholders = PlaceholderManager.get_placeholder_number(
self.template_signature_re, str(args))
if fuzzing_placeholders > 1:
Error("Multiple fuzzing placeholder signatures found. "
"Only one fuzzing placeholder is supported.")
elif fuzzing_placeholders == 0:
Error("No fuzzing placeholder signatures found.")
self.is_detection_set(args)
payloads = []
if args["payloads"]:
for p_file in args["payloads"]:
payloads += load_payload_file(p_file)
else:
payloads.append("")
print "Scanning mode: Fuzzing Using placeholders"
requests = self.pm.transformed_http_requests(
self.http_helper, methods, target, payloads, headers, data)
responses = self.fuzz(args, requests)
analyze_responses(responses, self.http_helper,
self.detection_struct)
elif args["mode"] == "show_transform_functions":
print transformations_info()
elif args["mode"] == "overchar":
self.require(args, ["payloads", "accepted_value"])
length = int(args["length"][0])
accepted_value = args["accepted_value"][0]
payloads = []
for p_file in args["payloads"]:
payloads += load_payload_file(p_file)
payloads = [(length - len(payload)) * accepted_value + payload
for payload in payloads]
requests = self.pm.transformed_http_requests(
self.http_helper, methods, target, payloads, headers, data)
responses = self.fuzz(args, requests)
analyze_responses(responses, self.http_helper,
self.detection_struct)
else:
Error("Unknown bypassing mode.")
