def grep(self, request, response):
    '''
    Plugin entry point.

    Scans text/HTML responses for SVN versioning signatures and stores one
    low-severity Vuln per matched username in the kb. The ``request``
    argument is not used here; it is part of the plugin interface.

    :param request: The HTTP request object.
    :param response: The HTTP response object
    :return: None, all results are saved in the kb.
    '''
    uri = response.get_uri()

    # Only text/HTML bodies are inspected, and every URI only once
    if not response.is_text_or_html():
        return
    if uri in self._already_inspected:
        return
    self._already_inspected.add(uri)

    for pattern in self._regex_list:
        for match in pattern.findall(response.get_body()):
            # NOTE(review): match[0] assumes every regex in _regex_list has
            # at least one capture group (findall then yields tuples);
            # with a group-less pattern this would be the first character
            # of the match — confirm against the pattern definitions.
            username = match[0]

            desc = ('The URL: "%s" contains a SVN versioning signature'
                    ' with the username "%s".')
            desc = desc % (uri, username)

            v = Vuln('SVN user disclosure vulnerability', desc, severity.LOW,
                     response.id, self.get_name())
            v.set_uri(uri)
            v['user'] = username
            v.add_to_highlight(username)

            self.kb_append_uniq(self, 'users', v, 'URL')
def end(self):
    '''
    Called when the plugin won't be used anymore.

    The real work of this plugin happens here: every HTTP 500 response
    recorded during the scan in ``self._error_500_responses`` is compared
    against the vulnerabilities already stored in the kb, and each one that
    no audit plugin accounted for is reported as an unhandled application
    error (keyed on the request's URI and data container).
    '''
    # (uri, dc) pairs of everything the audit plugins already reported.
    # Kept as a list: the data container returned by get_dc() is not known
    # to be hashable, so a set is not used here.
    known = [(vuln.get_uri(), vuln.get_dc())
             for vuln in kb.kb.get_all_vulns()]

    for request, response_id in self._error_500_responses:
        key = (request.get_uri(), request.get_dc())
        if key in known:
            continue

        # Found a 500 that no audit plugin identified
        desc = ('An unidentified web application error (HTTP response'
                ' code 500) was found at: "%s". Enable all plugins and'
                ' try again, if the vulnerability still is not identified'
                ', please verify manually and report it to the w3af'
                ' developers.')
        desc = desc % request.get_url()

        v = Vuln('Unhandled error in web application', desc,
                 severity.MEDIUM, response_id, self.get_name())
        v.set_uri(request.get_uri())

        self.kb_append_uniq(self, 'error_500', v, 'VAR')

    self._error_500_responses.cleanup()
def write_vuln_to_kb(vulnty, url, funcs):
    """
    Store one Vuln in the knowledge base for every function in *funcs*.

    :param vulnty: Key into php_sca.KB_DATA selecting the name, severity
                   and kb_key used for this vulnerability type.
    :param url: URL the vulnerabilities are reported against.
    :param funcs: Iterable of PHP SCA function objects; the first element
                  of each one's ``vulnsources`` becomes the vulnerable
                  variable name.
    """
    vulndata = php_sca.KB_DATA[vulnty]

    for func in funcs:
        # The vulnerability name doubles as its description
        name = vulndata['name']
        vuln_sev = vulndata['severity']

        # Response id is hard-coded to 1: static analysis has no HTTP
        # response to attach the finding to (presumably a placeholder).
        v = Vuln(name, name, vuln_sev, 1, 'PHP Static Code Analyzer')
        v.set_uri(url)
        # NOTE(review): assumes func.vulnsources is non-empty — confirm
        # with the SCA output
        v.set_var(func.vulnsources[0])

        # TODO: Extract the method from the PHP code
        #   $_GET == GET
        #   $_POST == POST
        #   $_REQUEST == GET
        v.set_method('GET')

        # TODO: Extract all the other variables that are present in the
        # PHP file using the SCA
        v.set_dc(DataContainer())

        # TODO: This needs to be checked! OS Commanding specific
        # attributes, set unconditionally for every vulnerability type.
        v['os'] = 'unix'
        v['separator'] = ''

        # kb_key holds the leading positional arguments for kb.append
        kb_args = list(vulndata['kb_key'])
        kb_args.append(v)
        kb.kb.append(*kb_args)
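def grep(self, request, response):
    """
    Plugin entry point, find the SSN numbers.

    Inspects the clear-text body of successful text/HTML responses once
    per URI and stores a low-severity Vuln when ``_find_SSN`` validates a
    candidate. The clear-text body is fetched once and reused (the
    original called ``get_clear_text_body()`` twice per response).
    ``request`` is unused; it is part of the plugin interface.

    :param request: The HTTP request object.
    :param response: The HTTP response object
    :return: None.
    """
    uri = response.get_uri()

    if not response.is_text_or_html() or response.get_code() != 200:
        return
    # Don't repeat URLs (checked before the body extraction so already
    # inspected URIs cost nothing)
    if uri in self._already_inspected:
        return

    clear_text = response.get_clear_text_body()
    if clear_text is None:
        return

    self._already_inspected.add(uri)

    found_ssn, validated_ssn = self._find_SSN(clear_text)
    if not validated_ssn:
        return

    desc = ('The URL: "%s" possibly discloses a US Social Security'
            ' Number: "%s".')
    desc = desc % (uri, validated_ssn)

    v = Vuln("US Social Security Number disclosure", desc, severity.LOW,
             response.id, self.get_name())
    v.set_uri(uri)
    # Highlight the raw match as it appeared in the body, not the
    # validated/normalised form
    v.add_to_highlight(found_ssn)

    self.kb_append_uniq(self, "ssn", v, "URL")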
def grep(self, request, response):
    '''
    Plugin entry point, find the SSN numbers.

    Looks at the clear-text body of successful text/HTML responses, once
    per URI, and stores a low-severity Vuln when ``_find_SSN`` validates a
    candidate number. ``request`` is unused; it is part of the plugin
    interface.

    :param request: The HTTP request object.
    :param response: The HTTP response object
    :return: None.
    '''
    uri = response.get_uri()

    # Same conjunction, same order, as a single guard clause
    is_candidate = (response.is_text_or_html()
                    and response.get_code() == 200
                    and response.get_clear_text_body() is not None
                    and uri not in self._already_inspected)
    if not is_candidate:
        return

    # Don't repeat URLs
    self._already_inspected.add(uri)

    found_ssn, validated_ssn = self._find_SSN(
        response.get_clear_text_body())
    if not validated_ssn:
        return

    desc = ('The URL: "%s" possibly discloses a US Social Security'
            ' Number: "%s".')
    desc = desc % (uri, validated_ssn)

    v = Vuln('US Social Security Number disclosure', desc, severity.LOW,
             response.id, self.get_name())
    v.set_uri(uri)
    # The raw match is highlighted, the validated form goes in the text
    v.add_to_highlight(found_ssn)

    self.kb_append_uniq(self, 'ssn', v, 'URL')
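def _from_csv_get_vulns(self):
    """
    Rebuild Vuln objects from the CSV file at ``self.OUTPUT_FILE``.

    Each row is read as (name, method, uri, var, dc, id, desc); the order
    is assumed to match what the plugin's CSV writer emits, which is not
    visible here. The ``id`` column is JSON-decoded.

    The file handle is now closed deterministically via ``with``; the
    original passed an anonymous ``open()`` to ``csv.reader`` and left it
    to the garbage collector.

    :return: list of Vuln, one per CSV row.
    """
    file_vulns = []

    # 'rb' is kept: the surrounding code base targets Python 2 (see the
    # xrange usage elsewhere in this file) where csv expects binary mode.
    with open(self.OUTPUT_FILE, 'rb') as csv_file:
        vuln_reader = csv.reader(csv_file, delimiter=',', quotechar='|',
                                 quoting=csv.QUOTE_MINIMAL)

        for name, method, uri, var, dc, _id, desc in vuln_reader:
            v = Vuln(name, desc, 'High', json.loads(_id), 'TestCase')
            v.set_method(method)
            v.set_uri(URL(uri))
            v.set_var(var)
            # dc is stored as the raw CSV string, not parsed back into a
            # data container
            v.set_dc(dc)
            file_vulns.append(v)

    return file_vulns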
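def grep(self, request, response):
    '''
    Plugin entry point.

    Walks the query string of every reference the document parser found
    in ``response`` and reports, via the kb:

    - an Info for each (url, parameter name) whose value ``_is_strange``
      considers uncommon;
    - a low-severity Vuln for each reference with a parameter value that
      ``_is_SQL`` identifies as a SQL query.

    Each parameter value is bound once per iteration and ``ref.uri2url()``
    is computed once per reference; the original re-indexed the query
    string and re-derived the URL several times per value.

    :param request: The HTTP request object.
    :param response: The HTTP response object
    :return: None, all results are saved in the kb.
    '''
    try:
        dp = parser_cache.dpc.get_document_parser_for(response)
    except w3afException:
        # No parser for this response type: nothing to inspect
        return

    # Note:
    # - With parsed_references I'm 100% that it's really something in the
    #   HTML that the developer intended to add.
    #
    # - The re_references are the result of regular expressions, which in
    #   some cases are just false positives.
    #
    parsed_references, _ = dp.get_references()

    for ref in parsed_references:
        qs = ref.querystring
        # Loop-invariant for this reference; used as the dedup key below
        ref_url = ref.uri2url()

        for param_name in qs:
            # qs[param_name] is a list: a parameter name may be repeated
            # in the query string, and every occurrence is inspected
            for param_value in qs[param_name]:

                if self._is_strange(request, param_name, param_value) \
                and (ref_url, param_name) not in self._already_reported:
                    # Don't repeat findings
                    self._already_reported.add((ref_url, param_name))

                    # NOTE(review): "uncommon. and requires" reads like a
                    # typo; the text is left byte-identical in case it is
                    # matched downstream.
                    desc = ('The URI: "%s" has a parameter named: "%s"'
                            ' with value: "%s", which is very uncommon.'
                            ' and requires manual verification.')
                    desc = desc % (response.get_uri(), param_name,
                                   param_value)

                    i = Info('Uncommon query string parameter', desc,
                             response.id, self.get_name())
                    i.set_uri(ref)
                    i.set_var(param_name)
                    i['parameter_value'] = param_value
                    i.add_to_highlight(param_value)

                    self.kb_append(self, 'strange_parameters', i)

                # To find this kind of vulns
                # http://thedailywtf.com/Articles/Oklahoma-
                # Leaks-Tens-of-Thousands-of-Social-Security-Numbers,-Other-
                # Sensitive-Data.aspx
                if self._is_SQL(request, param_name, param_value) \
                and ref not in self._already_reported:
                    # Don't repeat findings.
                    # NOTE(review): this branch keys _already_reported on
                    # the whole reference, while the branch above keys on
                    # (url, param_name) — confirm the asymmetry is intended.
                    self._already_reported.add(ref)

                    desc = ('The URI: "%s" has a parameter named: "%s"'
                            ' with value: "%s", which is a SQL query.')
                    desc = desc % (response.get_uri(), param_name,
                                   param_value)

                    v = Vuln('Parameter has SQL sentence', desc,
                             severity.LOW, response.id, self.get_name())
                    v.set_uri(ref)
                    v.set_var(param_name)
                    v['parameter_value'] = param_value
                    v.add_to_highlight(param_value)

                    self.kb_append(self, 'strange_parameters', v)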