def _with_time_delay(self, freq): """ Tests an URL for OS Commanding vulnerabilities using time delays. @param freq: A fuzzableRequest """ # Send the fuzzableRequest without any fuzzing, so we can measure the response # time of this script in order to compare it later res = self._sendMutant(freq, analyze=False, grepResult=False) self._original_wait_time = res.getWaitTime() # Prepare the strings to create the mutants command_list = self._get_wait_commands() only_command_strings = [v.getCommand() for v in command_list] mutants = createMutants(freq, only_command_strings) for mutant in mutants: # Only spawn a thread if the mutant has a modified variable # that has no reported bugs in the kb if self._hasNoBug("osCommanding", "osCommanding", mutant.getURL(), mutant.getVar()): targs = (mutant,) kwds = {"analyze_callback": self._analyze_wait} self._tm.startFunction(target=self._sendMutant, args=targs, kwds=kwds, ownerObj=self) self._tm.join(self)
def audit(self, freq ): ''' Searches for file upload vulns. @param freq: A fuzzableRequest ''' # Start if freq.getMethod().upper() == 'POST' and len ( freq.getFileVariables() ) != 0: om.out.debug( 'fileUpload plugin is testing: ' + freq.getURL() ) # I do all this to be able to perform the enumerate() below for file_parameter in freq.getFileVariables(): self._file_list = self._get_files() # Only file handlers are passed to the createMutants functions file_handlers = [ i[0] for i in self._file_list ] mutants = createMutants( freq, file_handlers, fuzzableParamList=[file_parameter, ] ) for mutant in mutants: _, filename = os.path.split( mutant.getModValue().name ) mutant.uploaded_file_name = filename for mutant in mutants: args = (mutant,) kwds = {'callback': self._analyze_result } self._run_async(meth=self._uri_opener.send_mutant, args=args, kwds=kwds) self._join()
def _with_time_delay(self, freq): ''' Tests an URL for OS Commanding vulnerabilities using time delays. @param freq: A fuzzableRequest ''' fake_mutants = createMutants(freq, ['',]) for mutant in fake_mutants: if self._has_bug(mutant): continue for delay_obj in self._get_wait_commands(): ed = exact_delay(mutant, delay_obj, self._uri_opener) success, responses = ed.delay_is_controlled() if success: v = vuln.vuln( mutant ) v.setPluginName(self.getName()) v.setName( 'OS commanding vulnerability' ) v.setSeverity(severity.HIGH) v['os'] = delay_obj.get_OS() v['separator'] = delay_obj.get_separator() v.setDesc( 'OS Commanding was found at: ' + mutant.foundAt() ) v.setDc( mutant.getDc() ) v.setId( [r.id for r in responses] ) v.setURI( r.getURI() ) kb.kb.append( self, 'osCommanding', v ) break
def audit(self, freq ): ''' Tests an URL for server side inclusion vulnerabilities. @param freq: A fuzzableRequest ''' om.out.debug( 'ssi plugin is testing: ' + freq.getURL() ) oResponse = self._uri_opener.send_mutant(freq) # Used in end() to detect "persistent SSI" self._add_persistent_SSI( freq, oResponse ) # Create the mutants to send right now, ssi_strings = self._get_ssi_strings() mutants = createMutants( freq , ssi_strings, oResponse=oResponse ) for mutant in mutants: # Only spawn a thread if the mutant has a modified variable # that has no reported bugs in the kb if self._has_no_bug(mutant): args = (mutant,) kwds = {'callback': self._analyze_result } self._run_async(meth=self._uri_opener.send_mutant, args=args, kwds=kwds) self._join()
def _fuzz_with_time_delay(self, freq): """ Tests an URL for eval() usage vulnerabilities using time delays. @param freq: A fuzzableRequest """ fake_mutants = createMutants(freq, [""]) for mutant in fake_mutants: if self._has_bug(mutant): continue for delay_obj in self.WAIT_OBJ: ed = exact_delay(mutant, delay_obj, self._uri_opener) success, responses = ed.delay_is_controlled() if success: v = vuln.vuln(mutant) v.setPluginName(self.getName()) v.setId([r.id for r in responses]) v.setSeverity(severity.HIGH) v.setName("eval() input injection vulnerability") v.setDesc("eval() input injection was found at: " + mutant.foundAt()) kb.kb.append(self, "eval", v) break
def audit(self, freq): """ Tests an URL for XSS vulnerabilities. @param freq: A fuzzableRequest """ om.out.debug("XSS plugin is testing: " + freq.getURL()) # Save it here, so I can search for permanent XSS self._fuzzableRequests.append(freq) # This list is just to test if the parameter is echoed back fake_mutants = createMutants(freq, [""]) for mutant in fake_mutants: # verify if the variable we are fuzzing is actually being # echoed back if self._is_echoed(mutant): # Search for reflected XSS self._search_reflected_xss(mutant) # And also check stored self._search_stored_xss(mutant) elif self._check_stored_xss: # Search for permanent XSS self._search_stored_xss(mutant)
def audit(self, freq ): ''' Tests an URL for local file inclusion vulnerabilities. @param freq: A fuzzableRequest ''' om.out.debug( 'localFileInclude plugin is testing: ' + freq.getURL() ) oResponse = self._sendMutant( freq , analyze=False ).getBody() # What payloads do I want to send to the remote end? local_files = [] local_files.append( urlParser.getFileName( freq.getURL() ) ) if not self._open_basedir: local_files.extend( self._get_local_file_list(freq.getURL()) ) mutants = createMutants( freq , local_files, oResponse=oResponse ) for mutant in mutants: # Only spawn a thread if the mutant has a modified variable # that has no reported bugs in the kb if self._hasNoBug( 'localFileInclude' , 'localFileInclude', mutant.getURL() , mutant.getVar() ): targs = (mutant,) # I don't grep the result, because if I really find a local file inclusion, # I will be requesting /etc/passwd and that would generate A LOT of false # positives in the grep.pathDisclosure plugin kwds = {'grepResult':False} self._tm.startFunction( target=self._sendMutant, args=targs , \ kwds=kwds, ownerObj=self ) self._tm.join( self )
def _search_stored_xss(self, mutant): ''' Analyze the mutant for stored XSS. We get here because we already verified and the parameter is NOT being echoed back. @parameter mutant: A mutant that was used to test if the parameter was echoed back or not @return: None ''' xss_tests = self._get_xss_tests() xss_tests = xss_tests[:self._number_of_stored_xss_checks] # Get the strings only xss_strings = [ i[0] for i in xss_tests ] # And now replace the alert by fake_alert; I don't want to break web applications xss_strings = [ xss_test.replace('alert', 'fake_alert') for xss_test in xss_strings ] mutant_list = createMutants( mutant.getFuzzableReq() , xss_strings , \ fuzzableParamList=[mutant.getVar(), ]) # In the mutant, we have to save which browsers are vulnerable to that specific string for mutant in mutant_list: for xss_string, affected_browsers in xss_tests: if xss_string.replace('alert', 'fake_alert') in mutant.getModValue(): mutant.affected_browsers = affected_browsers for mutant in mutant_list: targs = (mutant,) self._tm.startFunction( target=self._sendMutant, args=targs, ownerObj=self ) self._tm.join( self )
def audit(self, freq ): ''' Searches for file upload vulns. @param freq: A fuzzableRequest ''' # Start if freq.getMethod().upper() == 'POST' and len ( freq.getFileVariables() ) != 0: om.out.debug( 'fileUpload plugin is testing: ' + freq.getURL() ) # I do all this to be able to perform the enumerate() below for file_parameter in freq.getFileVariables(): self._file_list = self._get_files() # Only file handlers are passed to the createMutants functions file_handlers = [ i[0] for i in self._file_list ] mutants = createMutants( freq, file_handlers, fuzzableParamList=[file_parameter, ] ) for mutant in mutants: _, filename = os.path.split( mutant.getModValue().name ) mutant.uploaded_file_name = filename for mutant in mutants: targs = (mutant,) self._tm.startFunction(target=self._sendMutant, args=targs, ownerObj=self) self._tm.join( self )
def audit(self, freq ): ''' Tests an URL for local file inclusion vulnerabilities. @param freq: A fuzzableRequest ''' om.out.debug( 'localFileInclude plugin is testing: ' + freq.getURL() ) oResponse = self._uri_opener.send_mutant(freq) # What payloads do I want to send to the remote end? local_files = [] local_files.append( freq.getURL().getFileName() ) if not self._open_basedir: local_files.extend( self._get_local_file_list(freq.getURL()) ) mutants = createMutants( freq , local_files, oResponse=oResponse ) for mutant in mutants: # Only spawn a thread if the mutant has a modified variable # that has no reported bugs in the kb if self._has_no_bug(mutant): # I don't grep the result, because if I really find a local # file inclusion I will be requesting /etc/passwd and that # would generate A LOT of false positives in the # grep.pathDisclosure plugin args = (mutant,) kwds = {'callback': self._analyze_result, 'grep': False } self._run_async(meth=self._uri_opener.send_mutant, args=args, kwds=kwds) self._join()
def _search_stored_xss(self, mutant): """ Analyze the mutant for stored XSS. We get here because we already verified and the parameter is NOT being echoed back. @parameter mutant: A mutant that was used to test if the parameter was echoed back or not """ xss_tests = self._get_xss_tests() xss_tests = xss_tests[: self._number_of_stored_xss_checks] # Get the strings only xss_strings = [i[0] for i in xss_tests] # And now replace the alert by fake_alert; I don't want to # break web applications xss_strings = [xss_test.replace("alert", "fake_alert") for xss_test in xss_strings] mutant_list = createMutants(mutant.getFuzzableReq(), xss_strings, fuzzableParamList=[mutant.getVar()]) # In the mutant, we have to save which browsers are vulnerable # to that specific string for mutant in mutant_list: for xss_string, affected_browsers in xss_tests: if xss_string.replace("alert", "fake_alert") in mutant.getModValue(): mutant.affected_browsers = affected_browsers if self._has_no_bug(mutant): args = (mutant,) kwds = {"callback": self._analyze_result} self._run_async(meth=self._uri_opener.send_mutant, args=args, kwds=kwds) self._join()
def audit(self, freq ): ''' Tests an URL for server side inclusion vulnerabilities. @param freq: A fuzzableRequest ''' om.out.debug( 'ssi plugin is testing: ' + freq.getURL() ) oResponse = self._sendMutant( freq , analyze=False ).getBody() # Used in end() to detect "persistent SSI" self._add_persistent_SSI( freq, oResponse ) # Create the mutants to send right now, ssi_strings = self._get_ssi_strings() mutants = createMutants( freq , ssi_strings, oResponse=oResponse ) for mutant in mutants: # Only spawn a thread if the mutant has a modified variable # that has no reported bugs in the kb if self._hasNoBug( 'ssi' , 'ssi', mutant.getURL() , mutant.getVar() ): targs = (mutant,) self._tm.startFunction( target=self._sendMutant, args=targs, ownerObj=self ) self._tm.join( self )
def audit(self, freq): ''' Tester les vulnerabilites d'injection SQL d'une URL @param freq: Une URL a tester ''' # New audit, everything following will have global_id for identifying global global_id global_id = global_id + 1 # Recupere la page : OK oResponse = self._sendMutant( freq , analyze=False ).getBody() # Recupere un tableau de string a tester drame_str_reject = self.getDrameStrings("reject") drame_str_error = self.getDrameStrings("error") drame_str_injection = self.getDrameStrings("injection") # REJECT URL mutantsReject = createMutants( freq , drame_str_reject, oResponse=oResponse ) for mutant in mutantsReject: # Only spawn a thread if the mutant has a modified variable # that has no reported bugs in the kb if self._hasNoBug( 'drame' , 'drame', mutant.getURL() , mutant.getVar() ): # resultReject function will be the callback of this _sendMutant targs = (mutant,True,True,self._resultReject) self._tm.startFunction( target=self._sendMutant, args=targs, ownerObj=self ) # ERROR URL mutantsError = createMutants( freq , drame_str_error, oResponse=oResponse ) for mutant in mutantsError: if self._hasNoBug( 'drame' , 'drame', mutant.getURL() , mutant.getVar() ): # resultError function will be the callback of this _sendMutant targs = ( mutant, True, True, self._resultError ) self._tm.startFunction( target=self._sendMutant, args=targs, ownerObj=self ) # INJECTION URL mutantsInjection = createMutants( freq , drame_str_injection, oResponse=oResponse ) for mutant in mutantsInjection: if self._hasNoBug( 'drame' , 'drame', mutant.getURL() , mutant.getVar() ): # resultInjection function will be the callback of this _sendMutant targs = (mutant,True,True,self._resultInjection) self._tm.startFunction( target=self._sendMutant, args=targs, ownerObj=self ) self._tm.join( self )
def audit(self, freq): """ Find those phishing vectors! @param freq: A fuzzableRequest """ om.out.debug("phishingVector plugin is testing: " + freq.getURL()) mutants = createMutants(freq, self._test_urls) for mutant in mutants: args = (mutant,) kwds = {"callback": self._analyze_result} self._run_async(meth=self._uri_opener.send_mutant, args=args, kwds=kwds) self._join()
def audit(self, freq ): ''' Find those phishing vectors! @param freq: A fuzzableRequest ''' om.out.debug( 'phishingVector plugin is testing: ' + freq.getURL() ) mutants = createMutants( freq , self._test_urls ) for mutant in mutants: targs = (mutant,) self._tm.startFunction( target=self._sendMutant, args=targs, ownerObj=self ) self._tm.join( self )
def _search_reflected_xss(self, mutant): ''' Analyze the mutant for reflected XSS. We get here because we already verified and the parameter is being echoed back. @parameter mutant: A mutant that was used to test if the parameter was echoed back or not @return: None ''' # Verify what characters are allowed try: allowed_chars = self._get_allowed_chars(mutant) except w3afException: # If something fails, every char is allowed allowed_chars = self._special_characters[:] # Filter the tests based on the knowledge we got from the previous test orig_xss_tests = self._get_xss_tests() filtered_xss_tests = [] for xss_string, affected_browsers in orig_xss_tests: for char in self._special_characters: all_allowed = True if char in xss_string and not char in allowed_chars: all_allowed = False break # Decide wether to send the test or not if all_allowed: filtered_xss_tests.append((xss_string, affected_browsers)) # Get the strings only xss_strings = [ i[0] for i in filtered_xss_tests ] mutant_list = createMutants( mutant.getFuzzableReq() , xss_strings , \ fuzzableParamList=[mutant.getVar(), ]) # In the mutant, we have to save which browsers are vulnerable to that specific string for mutant in mutant_list: for xss_string, affected_browsers in filtered_xss_tests: if xss_string in mutant.getModValue(): mutant.affected_browsers = affected_browsers for mutant in mutant_list: # Only spawn a thread if the mutant has a modified variable # that has no reported bugs in the kb if self._hasNoBug( 'xss' , 'xss', mutant.getURL() , mutant.getVar() ): targs = (mutant,) self._tm.startFunction( target=self._sendMutant, args=targs, ownerObj=self ) self._tm.join( self )
def audit(self, freq): """ Tests an URL for global redirect vulnerabilities. @param freq: A fuzzableRequest """ om.out.debug("golbalRedirect plugin is testing: " + freq.getURL()) mutants = createMutants(freq, [self._test_site]) for mutant in mutants: if self._hasNoBug("globalRedirect", "globalRedirect", mutant.getURL(), mutant.getVar()): targs = (mutant,) self._tm.startFunction(target=self._sendMutant, args=targs, ownerObj=self) self._tm.join(self)
def _search_reflected_xss(self, mutant): """ Analyze the mutant for reflected XSS. We get here because we already verified and the parameter is being echoed back. @parameter mutant: A mutant that was used to test if the parameter was echoed back or not """ # Verify what characters are allowed try: allowed_chars = self._get_allowed_chars(mutant) except w3afException: # If something fails, every char is allowed allowed_chars = self._special_characters[:] # Filter the tests based on the knowledge we got from the # previous test orig_xss_tests = self._get_xss_tests() filtered_xss_tests = [] for xss_string, affected_browsers in orig_xss_tests: for char in self._special_characters: all_allowed = True if char in xss_string and not char in allowed_chars: all_allowed = False break # Decide wether to send the test or not if all_allowed: filtered_xss_tests.append((xss_string, affected_browsers)) # Get the strings only xss_strings = [i[0] for i in filtered_xss_tests] mutant_list = createMutants(mutant.getFuzzableReq(), xss_strings, fuzzableParamList=[mutant.getVar()]) # In the mutant, we have to save which browsers are vulnerable # to that specific string for mutant in mutant_list: for xss_string, affected_browsers in filtered_xss_tests: if xss_string in mutant.getModValue(): mutant.affected_browsers = affected_browsers # Only spawn a thread if the mutant has a modified variable # that has no reported bugs in the kb if self._has_no_bug(mutant): args = (mutant,) kwds = {"callback": self._analyze_result} self._run_async(meth=self._uri_opener.send_mutant, args=args, kwds=kwds) self._join()
def audit(self, freq ): ''' Tests an URL for global redirect vulnerabilities. @param freq: A fuzzableRequest ''' om.out.debug( 'globalRedirect plugin is testing: ' + freq.getURL() ) mutants = createMutants( freq , [self._test_site, ] ) for mutant in mutants: if self._has_no_bug(mutant): args = (mutant,) kwds = {'callback': self._analyze_result, 'follow_redir': False } self._run_async(meth=self._uri_opener.send_mutant, args=args, kwds=kwds) self._join()
def _fuzz_with_echo( self, freq ): ''' Tests an URL for eval() usage vulnerabilities using echo strings. @param freq: A fuzzableRequest ''' oResponse = self._sendMutant( freq , analyze=False ).getBody() print_strings = self._get_print_strings() mutants = createMutants( freq , print_strings, oResponse=oResponse ) for mutant in mutants: # Only spawn a thread if the mutant has a modified variable # that has no reported bugs in the kb if self._hasNoBug( 'eval' , 'eval', mutant.getURL() , mutant.getVar() ): targs = (mutant,) kwds = {'analyze_callback':self._analyze_echo} self._tm.startFunction( target=self._sendMutant, args=targs, kwds=kwds, ownerObj=self )
def audit(self, freq): ''' Tests an URL for blind SQL injection vulnerabilities. @param freq: A fuzzableRequest ''' om.out.debug('blindSqli plugin is testing: ' + freq.getURL()) # # Setup blind SQL injection detector objects # self._bsqli_response_diff = blind_sqli_response_diff(self._uri_opener) bsqli_resp_diff = self._bsqli_response_diff bsqli_resp_diff.set_eq_limit(self._eq_limit) self._blind_sqli_time_delay = blind_sqli_time_delay(self._uri_opener) bsqli_time_delay = self._blind_sqli_time_delay method_list = [bsqli_resp_diff, bsqli_time_delay] # # Use the objects to identify the vulnerabilities # fake_mutants = createMutants(freq, ['',]) for mutant in fake_mutants: if self._has_sql_injection( mutant ): # # If sqli.py was enabled and already detected a vulnerability # in this parameter, then it makes no sense to test it again # and report a duplicate to the user # continue for method in method_list: found_vuln = method.is_injectable( mutant ) if found_vuln is not None and \ self._has_no_bug(freq, varname=found_vuln.getVar()): om.out.vulnerability(found_vuln.getDesc()) kb.kb.append(self, 'blindSqli', found_vuln) break
def _fuzz_with_echo(self, freq): """ Tests an URL for eval() usage vulnerabilities using echo strings. @param freq: A fuzzableRequest """ oResponse = self._uri_opener.send_mutant(freq) print_strings = [pstr % (self._rnd,) for pstr in self.PRINT_STRINGS] mutants = createMutants(freq, print_strings, oResponse=oResponse) for mutant in mutants: # Only spawn a thread if the mutant has a modified variable # that has no reported bugs in the kb if self._has_no_bug(mutant): args = (mutant,) kwds = {"callback": self._analyze_echo} self._run_async(meth=self._uri_opener.send_mutant, args=args, kwds=kwds) self._join()
def audit(self, freq): ''' Tests an URL for SQL injection vulnerabilities. @param freq: A fuzzableRequest ''' om.out.debug('SQLi plugin is testing: ' + freq.getURL()) oResponse = self._uri_opener.send_mutant(freq) mutants = createMutants(freq, self.SQLI_STRINGS, oResponse=oResponse) for mutant in mutants: # Only spawn a thread if the mutant has a modified variable # that has no reported bugs in the kb if self._has_no_bug(mutant): args = (mutant,) kwds = {'callback': self._analyze_result } self._run_async(meth=self._uri_opener.send_mutant, args=args, kwds=kwds) self._join()
def fastExploit( self ): ''' Exploits a web app with [blind] sql injections vulns. The options are configured using the plugin options and setOptions() method. ''' om.out.debug( 'Starting sql_webshell fastExploit.' ) if any( lambda attr: attr is None, (self._url, self._method, self._data, self._injvar) ): raise w3afException('You have to configure the plugin parameters') else: if self._method == 'POST': freq = httpPostDataRequest(self._url) elif self._method == 'GET': freq = HTTPQSRequest(self._url) else: raise w3afException('Method not supported.') freq.setDc(parse_qs(self._data)) bsql = blind_sqli_response_diff(self._uri_opener) bsql.set_eq_limit(self._eq_limit) fake_mutants = createMutants(freq, [''], fuzzableParamList=[self._injvar,]) for mutant in fake_mutants: vuln_obj = bsql.is_injectable(mutant) if vuln_obj is not None: om.out.console('SQL injection verified, trying to create the DB driver.') # Try to get a shell using all vuln msg = 'Trying to exploit using vulnerability with id: ' + str(vuln_obj.getId()) msg += '. Please wait...' om.out.console(msg) shell_obj = self._generateShell(vuln_obj) if shell_obj is not None: kb.kb.append(self, 'shell', shell_obj) return [shell_obj, ] else: raise w3afException('No exploitable vulnerabilities found.')
def audit(self, freq ): ''' Find all kind of bugs without using a fixed database of errors. @param freq: A fuzzableRequest ''' om.out.debug( 'generic plugin is testing: ' + freq.getURL() ) # First, get the original response and create the mutants oResponse = self._uri_opener.send_mutant(freq) mutants = createMutants( freq , ['', ] , oResponse=oResponse ) for m in mutants: # First I check that the current modified parameter in the mutant doesn't have # an already reported vulnerability. I don't want to report vulnerabilities more # than once. if (m.getURL(), m.getVar()) in self._already_reported: continue # Now, we request the limit (something that doesn't exist) # If http://localhost/a.php?b=1 ; then I should request b=12938795 (random number) # If http://localhost/a.php?b=abc ; then I should request b=hnv98yks (random alnum) limit_response = self._get_limit_response( m ) # Now I request something that could generate an error # If http://localhost/a.php?b=1 ; then I should request b=d'kcz'gj'"**5*(((*) # If http://localhost/a.php?b=abc ; then I should request b=d'kcz'gj'"**5*(((*) # # I also try to trigger errors by sending empty strings # If http://localhost/a.php?b=1 ; then I should request b= # If http://localhost/a.php?b=abc ; then I should request b= for error_string in self._get_error_strings(): if self._has_no_bug(m): m.setModValue( error_string ) error_response = self._uri_opener.send_mutant(m) # Now I compare all responses self._analyze_responses( oResponse, limit_response, error_response, m )
def audit(self, freq ): ''' Tests an URL for unsafe usage of PHP's preg_replace. @param freq: A fuzzableRequest ''' om.out.debug( 'preg_replace plugin is testing: ' + freq.getURL() ) # First I check If I get the error message from php oResponse = self._uri_opener.send_mutant(freq) mutants = createMutants( freq , ['a' + ')/' * 100, ] , oResponse=oResponse ) for mutant in mutants: # Only spawn a thread if the mutant has a modified variable # that has no reported bugs in the kb if self._has_no_bug(mutant): args = (mutant,) kwds = {'callback': self._analyze_result } self._run_async(meth=self._uri_opener.send_mutant, args=args, kwds=kwds) self._join()
def _test_inclusion(self, freq): ''' Checks a fuzzableRequest for remote file inclusion bugs. @return: None ''' oResponse = self._sendMutant(freq, analyze=False).getBody() rfi_url_list = [self._rfi_url] mutants = createMutants(freq, rfi_url_list, oResponse=oResponse) for mutant in mutants: # Only spawn a thread if the mutant has a modified variable # that has no reported bugs in the kb if self._hasNoBug('remoteFileInclude', 'remoteFileInclude', mutant.getURL(), mutant.getVar()): targs = (mutant,) self._tm.startFunction(target=self._sendMutant, args=targs, ownerObj=self)
def audit(self, freq): """ Tests an URL for buffer overflow vulnerabilities. @param freq: A fuzzableRequest """ om.out.debug("bufferOverflow plugin is testing: " + freq.getURL()) str_list = self._get_string_list() try: oResponse = self._uri_opener.send_mutant(freq) except: msg = "Failed to perform the initial request during buffer" msg += " overflow testing" om.out.debug(msg) else: mutants = createMutants(freq, str_list, oResponse=oResponse) for mutant in mutants: self._run_async(meth=self._send_request, args=(mutant,)) self._join()
def _fuzz_with_time_delay( self, freq): ''' Tests an URL for eval() usage vulnerabilities using time delays. @param freq: A fuzzableRequest ''' res = self._sendMutant( freq, analyze=False, grepResult=False ) self._original_wait_time = res.getWaitTime() # Prepare the strings to create the mutants wait_strings = self._get_wait_strings() mutants = createMutants( freq, wait_strings ) for mutant in mutants: # Only spawn a thread if the mutant has a modified variable # that has no reported bugs in the kb if self._hasNoBug( 'eval' , 'eval', mutant.getURL() , mutant.getVar() ): targs = (mutant,) kwds = {'analyze_callback':self._analyze_wait} self._tm.startFunction( target=self._sendMutant, args=targs, kwds=kwds, ownerObj=self )
def audit(self, freq): """ Tests an URL for response splitting vulnerabilities. @param freq: A fuzzableRequest """ om.out.debug("responseSplitting plugin is testing: " + freq.getURL()) rsList = self._get_header_inj() mutants = createMutants(freq, rsList) for mutant in mutants: # Only spawn a thread if the mutant has a modified variable # that has no reported bugs in the kb if self._hasNoBug("responseSplitting", "responseSplitting", mutant.getURL(), mutant.getVar()): targs = (mutant,) self._tm.startFunction(target=self._sendMutant, args=targs, ownerObj=self) self._tm.join(self)