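def analysis(http_objs):
    """Report every response served with an application/json Content-Type.

    One row per matching response: a link to the request path and the raw
    response body, published under the "json" table of the HTML report.

    @param http_objs: parser output; uses "total_requests", "request_URL",
        "response_headers" and "response_body" (parallel lists indexed by
        request number).
    """
    requests = http_objs["total_requests"]
    response_body = http_objs["response_body"]
    response_headers = http_objs["response_headers"]
    request_URLs = http_objs["request_URL"]
    rpt = report.htmltags()

    json_rows = []
    for i in range(0, requests):
        headers = response_headers[i]
        if "Content-Type" not in headers:
            continue
        if "application/json" not in str(headers["Content-Type"]):
            continue
        url_info = request_URLs[i]
        full_path = url_info["protocol"] + "://" + url_info["url"] + url_info["path"]
        # The body is attacker/target controlled: escape it so a hostile server
        # cannot plant markup or script into the tester's HTML report.
        body_cell = utils.html_escape(str(response_body[i]))
        json_rows.append("<td>" + rpt.href(full_path) + "</td><td>" + body_cell + "</td>")

    collums = {"JSON": ["Path", "JSON Analyzed"]}
    rows = {"JSON": json_rows}
    tip = "Tip: <a href='https://www.owasp.org/index.php/Testing_for_AJAX_Vulnerabilities_%28OWASP-AJ-001%29' target='_blank'>Testing for AJAX Vulnerabilities</a> and <a href='http://haacked.com/archive/2009/06/25/json-hijacking.aspx' target='_blank'>JSON Hijacking</a>"
    rpt.make_table("json", tip, collums, rows)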
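def load_modules(log_file):
    """Parse a Burp log, run every module listed in conf/config.xml, write the report.

    Each module is resolved by name from the ``modules`` package and its
    ``analysis(http_objs)`` entry point is timed and executed. The module
    list is consumed (popped) as it is processed.

    @param log_file: path of the Burp log file to analyse.
    """
    begin = time.time()
    requests = parser.headers_pool(log_file)
    http_objs = requests.get_http_objs()
    total_spent = time.time() - begin
    utils.print_info("info", "Parser Done! | Seconds %.3f" % total_spent)

    import_modules()
    rpt = report.htmltags()
    modules_dict = utils.parser_xml("conf/config.xml", "modules", "config")
    while modules_dict:
        entry = modules_dict.pop()
        name = entry["name"]
        # Resolve the module with attribute lookups instead of eval(): the
        # name comes from an editable config file and must never be run as
        # Python source. Dotted names are walked one attribute at a time.
        module = modules
        for part in name.split("."):
            module = getattr(module, part)
        begin = time.time()
        module.analysis(http_objs)
        spent = time.time() - begin
        total_spent = total_spent + spent
        utils.print_info("info", "- \033[1;33m" + name + "\033[1;m Spent %.3f" % spent + "\033[1;m Seconds")
    rpt.html_report()
    utils.print_info("info", "Total Time spent: %.3f" % total_spent)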
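def analysis(http_objs):
    """Collect platform-fingerprint response headers per host.

    For each (Host, header) pair seen once, where header is one of the keys
    of ``headers``, emit a row "host | Header: value" in the "fingerprint"
    table. The original printed the Server value for every fingerprint
    header when Server was present and only the header *name* otherwise, so
    X-Powered-By / X-Aspnet-Version / X-Varnish values were never shown.

    @param http_objs: parser output; uses "total_requests", "request_headers"
        and "response_headers".
    """
    requests = http_objs["total_requests"]
    response_headers = http_objs["response_headers"]
    request_headers = http_objs["request_headers"]
    headers = {"Server": "Application Server", "X-Powered-By": "Platform",
               "X-Aspnet-Version": "Asp.Net Version", "X-Varnish": "Varnish Cache"}
    rpt = report.htmltags()

    fingerprint_rows = []
    seen = set()
    for i in range(0, requests):
        host = str(request_headers[i]["Host"])
        resp = response_headers[i]
        for header in resp:
            if header not in headers:
                continue
            key = (host, header)
            if key in seen:
                continue
            seen.add(key)
            # Host and header value come from the log; escape both before they
            # are embedded in the report markup.
            value = utils.html_escape(str(resp[header]))
            fingerprint_rows.append("<td>" + utils.html_escape(host) + "</td><td>"
                                    + header + ": " + value + "</td>")

    collums = {"Fingerprint": ["Path", "-"]}
    rows = {"Fingerprint": fingerprint_rows}
    tip = "Tip: <a href='https://www.owasp.org/index.php/Testing_for_Web_Application_Fingerprint_%28OWASP-IG-004%29' target='_blank'>Testing for Web Application Fingerprint</a>"
    rpt.make_table("fingerprint", tip, collums, rows)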
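def analysis(http_objs):
    """List JSON responses (Content-Type contains application/json).

    Produces the "json" report table with one row per matching response:
    link to the request path and the response body.

    @param http_objs: parser output; reads "total_requests", "request_URL",
        "response_headers", "response_body".
    """
    total = http_objs["total_requests"]
    bodies = http_objs["response_body"]
    resp_headers = http_objs["response_headers"]
    urls = http_objs["request_URL"]
    rpt = report.htmltags()

    json_rows = []
    for idx in range(0, total):
        hdrs = resp_headers[idx]
        is_json = ("Content-Type" in hdrs
                   and "application/json" in str(hdrs["Content-Type"]))
        if not is_json:
            continue
        u = urls[idx]
        full_path = u["protocol"] + "://" + u["url"] + u["path"]
        # Never embed a raw response body in the report: a malicious target
        # could otherwise inject script into the tester's browser.
        json_rows.append("<td>" + rpt.href(full_path) + "</td><td>"
                         + utils.html_escape(str(bodies[idx])) + "</td>")

    collums = {"JSON": ["Path", "JSON Analyzed"]}
    rows = {"JSON": json_rows}
    tip = "Tip: <a href='https://www.owasp.org/index.php/Testing_for_AJAX_Vulnerabilities_%28OWASP-AJ-001%29' target='_blank'>Testing for AJAX Vulnerabilities</a> and <a href='http://haacked.com/archive/2009/06/25/json-hijacking.aspx' target='_blank'>JSON Hijacking</a>"
    rpt.make_table("json", tip, collums, rows)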
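def analysis(http_objs):
    """List requests that sent Authorization and responses that challenged with WWW-Authenticate.

    Two tables are written: "Authorization" (path + raw Authorization header)
    and "Authenticate" (path + WWW-Authenticate challenge).
    NOTE: the Authorization value is reproduced verbatim, so Basic credentials
    and bearer tokens from the log end up in the HTML report; treat the
    generated report as sensitive material.

    @param http_objs: parser output; uses "total_requests", "request_URL",
        "request_headers" and "response_headers".
    """
    requests = http_objs["total_requests"]
    request_headers = http_objs["request_headers"]
    response_headers = http_objs["response_headers"]
    request_URLs = http_objs["request_URL"]
    rpt = report.htmltags()

    auth_rows = []
    authenticate_types_rows = []
    for i in range(0, requests):
        u = request_URLs[i]
        link = rpt.href(u["protocol"] + "://" + u["url"] + u["path"])
        req = request_headers[i]
        resp = response_headers[i]
        # Header values are log/target controlled: escape them before they are
        # placed inside the report markup.
        if "Authorization" in req:
            auth_rows.append("<td>" + link + "</td><td>"
                             + utils.html_escape(str(req["Authorization"])) + "</td>")
        if "WWW-Authenticate" in resp:
            authenticate_types_rows.append("<td>" + link + "</td><td>"
                                           + utils.html_escape(str(resp["WWW-Authenticate"])) + "</td>")

    collums = {"Authorization": ["Path", "Authorization Analyzed"],
               "Authenticate": ["Path", "Authenticate Type Analyzed"]}
    rows = {"Authorization": auth_rows, "Authenticate": authenticate_types_rows}
    tip = "Tip: <a href='https://www.owasp.org/index.php/Testing_for_authentication' target='_blank'>Testing for authentication</a>"
    rpt.make_table("auth", tip, collums, rows)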
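def analysis(http_objs):
    """Fingerprint the application platform from response headers.

    Emits one "fingerprint" row per distinct (Host, header) for Server,
    X-Powered-By, X-Aspnet-Version and X-Varnish, showing the header's own
    value. Previously the Server value was repeated for every matched header
    and the other headers' values were dropped in favour of their name.

    @param http_objs: parser output; reads "total_requests",
        "request_headers", "response_headers".
    """
    total = http_objs["total_requests"]
    resp_headers = http_objs["response_headers"]
    req_headers = http_objs["request_headers"]
    headers = {
        "Server": "Application Server",
        "X-Powered-By": "Platform",
        "X-Aspnet-Version": "Asp.Net Version",
        "X-Varnish": "Varnish Cache"
    }
    rpt = report.htmltags()

    fingerprint_rows = []
    reported = set()
    for idx in range(0, total):
        host = str(req_headers[idx]["Host"])
        resp = resp_headers[idx]
        matched = [h for h in resp if h in headers]
        for header in matched:
            if (host, header) in reported:
                continue
            reported.add((host, header))
            # Escape log-derived text before embedding it in the report.
            fingerprint_rows.append(
                "<td>" + utils.html_escape(host) + "</td><td>" + header + ": "
                + utils.html_escape(str(resp[header])) + "</td>")

    collums = {"Fingerprint": ["Path", "-"]}
    rows = {"Fingerprint": fingerprint_rows}
    tip = "Tip: <a href='https://www.owasp.org/index.php/Testing_for_Web_Application_Fingerprint_%28OWASP-IG-004%29' target='_blank'>Testing for Web Application Fingerprint</a>"
    rpt.make_table("fingerprint", tip, collums, rows)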
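def analysis(http_objs):
    """Report Authorization headers sent and WWW-Authenticate challenges received.

    Writes the "auth" report with an "Authorization" table (request path and
    header value) and an "Authenticate" table (path and challenge).
    NOTE: Authorization values are printed as-is, so credentials/tokens from
    the log are copied into the report; handle the report accordingly.

    @param http_objs: parser output; reads "total_requests", "request_URL",
        "request_headers", "response_headers".
    """
    total = http_objs["total_requests"]
    req_headers = http_objs["request_headers"]
    resp_headers = http_objs["response_headers"]
    urls = http_objs["request_URL"]
    rpt = report.htmltags()

    auth_rows = []
    authenticate_types_rows = []
    for idx in range(0, total):
        u = urls[idx]
        link = rpt.href(u["protocol"] + "://" + u["url"] + u["path"])
        # Escape header values: they originate from the log, not from us.
        if "Authorization" in req_headers[idx]:
            value = utils.html_escape(str(req_headers[idx]["Authorization"]))
            auth_rows.append("<td>" + link + "</td><td>" + value + "</td>")
        if "WWW-Authenticate" in resp_headers[idx]:
            value = utils.html_escape(str(resp_headers[idx]["WWW-Authenticate"]))
            authenticate_types_rows.append("<td>" + link + "</td><td>" + value + "</td>")

    collums = {
        "Authorization": ["Path", "Authorization Analyzed"],
        "Authenticate": ["Path", "Authenticate Type Analyzed"]
    }
    rows = {
        "Authorization": auth_rows,
        "Authenticate": authenticate_types_rows
    }
    tip = "Tip: <a href='https://www.owasp.org/index.php/Testing_for_authentication' target='_blank'>Testing for authentication</a>"
    rpt.make_table("auth", tip, collums, rows)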
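def analysis(http_objs):
    """Report Cache-Control and Pragma response headers, once per (path, header).

    Rows go to the "cache" table as "path | header value". Only presence and
    value are recorded; no judgement is made about whether the directives
    are adequate for the resource.

    @param http_objs: parser output; uses "total_requests", "request_URL"
        and "response_headers".
    """
    requests = http_objs["total_requests"]
    response_headers = http_objs["response_headers"]
    request_URLs = http_objs["request_URL"]
    headers = {"Cache-Control": "Cache-Control", "Pragma": "Pragma"}
    rpt = report.htmltags()

    cache_rows = []
    seen = set()
    for i in range(0, requests):
        resp = response_headers[i]
        wanted = [h for h in resp if h in headers]
        if not wanted:
            continue
        u = request_URLs[i]
        full_path = u["protocol"] + "://" + u["url"] + u["path"]
        for header in wanted:
            if (full_path, header) in seen:
                continue
            seen.add((full_path, header))
            # Escape the header value: it is target controlled and lands in HTML.
            cache_rows.append("<td>" + rpt.href(full_path) + "</td><td>"
                              + utils.html_escape(str(resp[header])) + "</td>")

    collums = {"Cache": ["Path", "Cache Analyzed"]}
    rows = {"Cache": cache_rows}
    tip = "Tip: <a href='https://www.owasp.org/index.php/Testing_for_Logout_and_Browser_Cache_Management_%28OWASP-AT-007%29' target='_blank'>Testing for Logout and Browser Cache Management</a>"
    rpt.make_table("cache", tip, collums, rows)
    # NOTE(review): the other modules leave html_report() to the loader, which
    # calls it once after all modules; this extra call looks like a leftover
    # and is kept only to preserve the current output -- confirm and drop.
    rpt.html_report()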
#!/usr/bin/env python # -*- coding: utf-8 -*- from conf import utils from core import report rpt = report.htmltags() def xml_analys(urls, requests, response_body, response_headers): url = urls xml_full_path = [] xml_rows = [] for i in xrange(0, requests): protocol = url[i]["protocol"] domain = url[i]["url"] path = url[i]["path"] params = url[i]["params"] query = url[i]["query"] full_path = protocol + "://" + domain + path if response_headers[i].has_key("Content-Type"): if "xml" in str(response_headers[i]["Content-Type"] ) and full_path not in xml_full_path: xml_full_path.append(full_path) content = utils.syntaxhighlighter("xml", rpt.href(full_path), response_body[i]) xml_rows.append("<td>" + rpt.href(full_path) + "</td><td>" +
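def analysis(http_objs):
    """Fetch every .swf the target served, decompile it with flasm and grep the ActionScript.

    For each request whose path ends in ".swf": download it into the
    workspace with the configured curl command, run ``flasm -d`` on it and
    keep the decompiled text as "<name>.swf.html". Each decompiled file is
    then searched with the "flash_patterns" rule set (text/load/net/url/
    crossdomain/xml/lso/header/externalinterface/globalvariables), a
    highlighted copy is written as "<name>.swf.htmlActionScript", and one row
    is added to the "flash" table.

    Fixes over the previous version: the download/decompile step is run as
    argv lists (the URL and file name come from the target-controlled log
    and were previously interpolated into a /bin/sh command line), every row
    links to its own SWF (the old loop reported the last URL/Referer for all
    files), the report row no longer emits a stray "</td>", and the
    decompiled file handle is closed.

    @param http_objs: parser output; uses "total_requests", "request_URL"
        and "request_headers".
    """
    import os
    import shlex
    import subprocess

    requests = http_objs["total_requests"]
    request_headers = http_objs["request_headers"]
    request_URLs = http_objs["request_URL"]
    path_flasm = utils.parser_xml("conf/config.xml", "path", "flasm")
    path_report = utils.__workspace_path__
    rpt = report.htmltags()

    # Assumes utils.curl_conn() returns a plain curl command line (no shell
    # pipes or redirections) that saves the URL to its basename in the cwd
    # -- TODO confirm against conf/utils.
    curl_argv = shlex.split(utils.curl_conn())
    flasm_bin = os.path.join(path_flasm[0], "flasm")

    swf_files = []  # (decompiled file name, full URL, origin cell) per SWF
    for i in range(0, requests):
        u = request_URLs[i]
        path = u["path"]
        if not path.endswith(".swf"):
            continue
        full_path = u["protocol"] + "://" + u["url"] + path
        swf_name = full_path.split('/')[-1]
        html_name = swf_name + '.html'
        # argv lists, not a shell string: nothing from the log is parsed by sh.
        subprocess.call(curl_argv + [full_path], cwd=path_report)
        with open(os.path.join(path_report, html_name), "w") as out:
            subprocess.call([flasm_bin, "-d", swf_name], cwd=path_report, stdout=out)
        if "Referer" in request_headers[i]:
            origin = rpt.href(request_headers[i]["Referer"])
        else:
            origin = "No Referer Header"
        swf_files.append((html_name, full_path, origin))

    pattern_keys = ("text", "load", "net", "url", "crossdomain", "xml", "lso",
                    "header", "externalinterface", "globalvariables")
    flash_rows = []
    for html_name, full_path, origin in swf_files:
        with open(os.path.join(path_report, html_name), "r") as readfile:
            swf_content = readfile.read()
        warnings = [utils.grep_statement("flash_patterns", swf_content, key)
                    for key in pattern_keys]
        content = utils.syntaxhighlighter("as3", rpt.href(full_path), swf_content)
        rpt.make_module_report_file(content, html_name + "ActionScript")
        cells = [rpt.href(full_path), origin, rpt.href(html_name + "ActionScript")] + warnings
        # 13 cells, matching the 13 column headers below.
        flash_rows.append("".join("<td>" + cell + "</td>" for cell in cells))

    collums = {"flash": ["Path", "Origin", "Flash Analyzed", "Text Write", "Load",
                         "Net Connections", "Url Parameter", "Cross Domain",
                         "XML Send", "lSO", "Add Header", "External Interface",
                         "Global Variables"]}
    rows = {"flash": flash_rows}
    tip = "Tip: <a href='https://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project' target='_blank'>OWASP Flash Security Project</a> and <a href='https://www.owasp.org/index.php/Flash_Testing' target='_blank'>OWASP Testing Guide - Flash</a>"
    rpt.make_table("flash", tip, collums, rows)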
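def analysis(http_objs):
    """Generate auto-submitting CSRF proof-of-concept pages for in-scope requests.

    For every in-scope request with a non-zero status below 300: a GET with
    a query string, or a POST with a body, gets an HTML form written to
    "<i>CSRF_POC" (runnable) and an HTML-escaped copy in
    "<i>CSRF_SOURCE_POC", plus a row in the "csrf" table. No anti-CSRF token
    detection is done; the tester must confirm a PoC actually works.

    Fixes over the previous version: the <form> tag is now closed with ">"
    and the footer no longer starts with a stray "'", so the inputs really sit
    inside the form; the POST input list is rebuilt per request instead of
    accumulating every earlier request's fields; attribute values copied
    from the log are escaped; and the row cell order matches the column
    headers (Path, Method, PoC, Source PoC) for both methods.

    @param http_objs: parser output; uses "total_requests", "request_methods",
        "request_URL", "response_status" and "request_body".
    """
    rpt = report.htmltags()
    requests = http_objs["total_requests"]
    request_methods = http_objs["request_methods"]
    request_URLs = http_objs["request_URL"]
    status = http_objs["response_status"]
    request_body = http_objs["request_body"]

    header_poc = "<html><title>CSRF PoC</title><body>"
    footer_poc = "</form> <script>document.forms[0].submit()</script></body></html>"

    def attr(value):
        # Single-quoted attribute values: escape markup characters and the
        # quote itself so the PoC contains exactly the form we intend.
        return utils.html_escape(str(value)).replace("'", "&#39;")

    def write_poc(index, body_poc, full_path, method):
        # Write the runnable PoC and its escaped source view, return the row.
        content = header_poc + body_poc + footer_poc
        content_source = header_poc + utils.html_escape(
            body_poc + "</form> <script>document.forms[0].submit()</script>") + "</body></html>"
        rpt.make_module_report_file(content, str(index) + "CSRF_POC")
        rpt.make_module_report_file(content_source, str(index) + "CSRF_SOURCE_POC")
        return ("<td>" + rpt.href(full_path) + "</td><td>" + method + "</td><td>"
                + rpt.href(str(index) + "CSRF_POC") + "</td><td>"
                + rpt.href(str(index) + "CSRF_SOURCE_POC") + "</td>")

    csrf_rows = []
    for i in range(0, requests):
        u = request_URLs[i]
        if u["out_escope"] is not False:
            continue
        if status[i] == 0 or status[i] >= 300:
            continue
        full_path = u["protocol"] + "://" + u["url"] + u["path"]
        query = u["query"]
        method = request_methods[i]
        if method == "GET" and query != "":
            body_poc = "<form method='GET' action='" + attr(full_path + "?" + query) + "'>"
            csrf_rows.append(write_poc(i, body_poc, full_path, method))
        elif method == "POST" and request_body[i] != "":
            inputs = []
            for pair in request_body[i].split("&"):
                name = pair.split("=")[0]
                # Value is the request index, as before; presumably a
                # placeholder the tester replaces -- original values are not
                # carried over.
                inputs.append("<input type='text' name='" + attr(name)
                              + "' value='" + str(i) + "' />")
            body_poc = ("<form method='POST' action='" + attr(full_path) + "'>"
                        + "".join(inputs))
            csrf_rows.append(write_poc(i, body_poc, full_path, method))

    collums = {"CSRF": ["Path", "Method", "PoC", "Source PoC"]}
    rows = {"CSRF": csrf_rows}
    tip = "Tip: <a href='https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet' target='_blank'>Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet</a> and <a href='https://www.owasp.org/index.php/Testing_for_CSRF_%28OWASP-SM-005%29' target='_blank'>Testing for CSRF</a>"
    rpt.make_table("csrf", tip, collums, rows)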
#!/usr/bin/env python # -*- coding: utf-8 -*- from conf import utils from core import report import re rpt = report.htmltags() def grep_domobjects(http_objs, requests, response_data, dom_regex): request_URLs = http_objs["request_URL"] dom_rows = [] hash_group = [] for i in xrange(0, requests): protocol = request_URLs[i]["protocol"] url = request_URLs[i]["url"] path = request_URLs[i]["path"] params = request_URLs[i]["params"] query = request_URLs[i]["query"] full_path = protocol + "://" + url + path content = re.findall(eval(dom_regex), response_data[i], re.I) content = str(content) if content != "[]": if utils.md5_object(full_path + utils.html_escape(content)) not in hash_group: dom_rows.append("<td>" + rpt.href(full_path) + "</td><td>" + utils.html_escape(content) + "</td>")
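def analysis(http_objs):
    """Download, decompile and pattern-scan every SWF seen in the log.

    Requests whose path ends in ".swf" are fetched into the workspace with the
    configured curl command and decompiled with ``flasm -d`` into
    "<name>.swf.html". Each decompiled file is grepped against the
    "flash_patterns" rules, written out highlighted as
    "<name>.swf.htmlActionScript" and summarised as one "flash" table row.

    Security/correctness changes: the external commands are invoked as argv
    lists (URL and file name are log-derived and were previously spliced
    into a shell string), each row links to its own URL and Referer (the old
    second loop reused the last request's values for every file), the
    duplicated "</td>" after the net column is gone, and files are closed.

    @param http_objs: parser output; reads "total_requests", "request_URL",
        "request_headers".
    """
    import os
    import shlex
    import subprocess

    total = http_objs["total_requests"]
    req_headers = http_objs["request_headers"]
    urls = http_objs["request_URL"]
    path_flasm = utils.parser_xml("conf/config.xml", "path", "flasm")
    path_report = utils.__workspace_path__
    rpt = report.htmltags()

    # Assumes utils.curl_conn() is a plain curl command line that saves the
    # URL under its basename in the cwd (no shell syntax) -- TODO confirm.
    curl_argv = shlex.split(utils.curl_conn())
    flasm_bin = os.path.join(path_flasm[0], "flasm")

    decompiled = []  # (html file name, full URL, origin cell)
    for idx in range(0, total):
        u = urls[idx]
        if not u["path"].endswith(".swf"):
            continue
        full_path = u["protocol"] + "://" + u["url"] + u["path"]
        swf_name = full_path.split('/')[-1]
        html_name = swf_name + '.html'
        # No shell: log-controlled strings are passed as discrete arguments.
        subprocess.call(curl_argv + [full_path], cwd=path_report)
        with open(os.path.join(path_report, html_name), "w") as out:
            subprocess.call([flasm_bin, "-d", swf_name], cwd=path_report, stdout=out)
        origin = "No Referer Header"
        if "Referer" in req_headers[idx]:
            origin = rpt.href(req_headers[idx]["Referer"])
        decompiled.append((html_name, full_path, origin))

    keys = ("text", "load", "net", "url", "crossdomain", "xml", "lso",
            "header", "externalinterface", "globalvariables")
    flash_rows = []
    for html_name, full_path, origin in decompiled:
        with open(os.path.join(path_report, html_name), "r") as fh:
            swf_content = fh.read()
        findings = [utils.grep_statement("flash_patterns", swf_content, k) for k in keys]
        content = utils.syntaxhighlighter("as3", rpt.href(full_path), swf_content)
        rpt.make_module_report_file(content, html_name + "ActionScript")
        cells = [rpt.href(full_path), origin, rpt.href(html_name + "ActionScript")] + findings
        flash_rows.append("".join("<td>" + c + "</td>" for c in cells))

    collums = {
        "flash": [
            "Path", "Origin", "Flash Analyzed", "Text Write", "Load",
            "Net Connections", "Url Parameter", "Cross Domain", "XML Send",
            "lSO", "Add Header", "External Interface", "Global Variables"
        ]
    }
    rows = {"flash": flash_rows}
    tip = "Tip: <a href='https://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project' target='_blank'>OWASP Flash Security Project</a> and <a href='https://www.owasp.org/index.php/Flash_Testing' target='_blank'>OWASP Testing Guide - Flash</a>"
    rpt.make_table("flash", tip, collums, rows)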
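def analysis(http_objs):
    """Bucket every logged request into the "main" overview tables.

    In-scope requests are split by response status: GET and POST with a
    non-zero status below 300, Redirect for 3xx (with the Location header
    when present), Error for 400 and above, Files for status 0 (presumably
    entries with no parsed response -- TODO confirm with the parser).
    Out-of-scope requests go to the Escope table.

    Fix: status 400 was previously filed under Redirect because the redirect
    range was inclusive of 400 and the error bucket started at 401.

    @param http_objs: parser output; uses "total_requests", "request_methods",
        "request_URL", "response_status", "request_body", "response_headers".
    """
    rpt = report.htmltags()
    requests = http_objs["total_requests"]
    request_methods = http_objs["request_methods"]
    request_URLs = http_objs["request_URL"]
    status = http_objs["response_status"]
    request_body = http_objs["request_body"]
    response_headers = http_objs["response_headers"]

    get_rows = []
    post_rows = []
    redirect_rows = []
    error_rows = []
    files_rows = []
    escope_rows = []
    for i in range(0, requests):
        u = request_URLs[i]
        full_path = u["protocol"] + "://" + u["url"] + u["path"]
        link = rpt.href(full_path)
        code = status[i]
        code_cell = "<td>" + str(code) + "</td>"
        if u["out_escope"] is not False:
            escope_rows.append("<td>" + link + "</td>" + code_cell)
            continue
        # Query strings, bodies and Location values are log/target controlled
        # and are escaped before being embedded in the report.
        if code != 0 and code < 300:
            if request_methods[i] == "GET":
                get_rows.append("<td>" + link + "</td><td>"
                                + utils.html_escape(str(u["query"])) + "</td>" + code_cell)
            elif request_methods[i] == "POST":
                post_rows.append("<td>" + link + "</td><td>"
                                 + utils.html_escape(str(request_body[i])) + "</td>" + code_cell)
        elif 300 <= code < 400:
            if "Location" in response_headers[i]:
                location = utils.html_escape(str(response_headers[i]["Location"]))
            else:
                location = "-"
            redirect_rows.append("<td>" + link + "</td><td>" + location + "</td>" + code_cell)
        elif code >= 400:
            error_rows.append("<td>" + link + "</td>" + code_cell)
        elif code == 0:
            files_rows.append("<td>" + link + "</td>" + code_cell)

    collums = {
        "GET": ["Path", "Query", "Status Code"],
        "POST": ["Path", "Param", "Status Code"],
        "Redirect": ["Path", "Location", "Status Code"],
        "Error": ["Path", "Status Code"],
        "Files": ["Path", "Status Code"],
        "Escope": ["Path", "Status Code"]
    }
    rows = {
        "GET": get_rows,
        "POST": post_rows,
        "Redirect": redirect_rows,
        "Error": error_rows,
        "Files": files_rows,
        "Escope": escope_rows
    }
    tip = ""
    rpt.make_table("main", tip, collums, rows)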
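def analysis(http_objs):
    """Record browser security headers present on each response.

    One table per header family; each row is the request path and the raw
    directive. Only presence is recorded -- a missing header (often the real
    finding) produces no row. The CSP tables now also match the standard
    Content-Security-Policy / Content-Security-Policy-Report-Only names, not
    just the legacy X- prefixed ones.

    @param http_objs: parser output; uses "total_requests", "request_URL"
        and "response_headers".
    """
    requests = http_objs["total_requests"]
    response_headers = http_objs["response_headers"]
    request_URLs = http_objs["request_URL"]
    rpt = report.htmltags()

    # (table name, header names that feed it); order within a row follows
    # the header list order.
    checks = [
        ("HeadersSecurity", ["X-Frame-Options"]),
        ("HSTS", ["Strict-Transport-Security"]),
        ("CSP", ["Content-Security-Policy", "X-Content-Security-Policy"]),
        ("CSP_Report", ["Content-Security-Policy-Report-Only",
                        "X-Content-Security-Policy-Report-Only"]),
        ("AccessControl", ["Access-Control-Allow-Origin"]),
        ("XSS_Protection", ["X-XSS-Protection"]),
    ]
    rows = dict((table, []) for table, _ in checks)
    for i in range(0, requests):
        u = request_URLs[i]
        link = rpt.href(u["protocol"] + "://" + u["url"] + u["path"])
        hdrs = response_headers[i]
        for table, names in checks:
            for name in names:
                if name not in hdrs:
                    continue
                # Header values are target controlled: escape before embedding.
                value = utils.html_escape(str(hdrs[name]))
                rows[table].append("<td>" + link + "</td><td>" + value + "</td>")

    collums = dict((table, ["Path", "Diretive"]) for table, _ in checks)
    tip = "Tip: <a href='http://www.mcafee.com/us/resources/white-papers/foundstone/wp-recent-advances-web-app-security.pdf' target='_blank'>Recent Advances in Web Application Security</a>"
    rpt.make_table("headers", tip, collums, rows)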
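def analysis(http_objs):
    """Build the "main" overview: GET/POST/Redirect/Error/Files/Escope tables.

    Routing per in-scope request: non-zero status < 300 goes to GET or POST
    (by method); 3xx to Redirect, with the Location header or "-"; 400 and
    above to Error; status 0 to Files (presumably unparsed responses -- TODO
    confirm). Out-of-scope requests are listed under Escope.

    Fix: the redirect range used to include 400 while Error started at 401,
    so HTTP 400 responses were reported as redirects.

    @param http_objs: parser output; reads "total_requests",
        "request_methods", "request_URL", "response_status", "request_body",
        "response_headers".
    """
    rpt = report.htmltags()
    total = http_objs["total_requests"]
    methods = http_objs["request_methods"]
    urls = http_objs["request_URL"]
    status = http_objs["response_status"]
    bodies = http_objs["request_body"]
    resp_headers = http_objs["response_headers"]

    buckets = {"GET": [], "POST": [], "Redirect": [], "Error": [], "Files": [], "Escope": []}
    for idx in range(0, total):
        u = urls[idx]
        link = rpt.href(u["protocol"] + "://" + u["url"] + u["path"])
        code = status[idx]
        tail = "<td>" + str(code) + "</td>"
        if u["out_escope"] is not False:
            buckets["Escope"].append("<td>" + link + "</td>" + tail)
            continue
        if code != 0 and code < 300:
            # Escape log-derived query/body text before it reaches the report.
            if methods[idx] == "GET":
                buckets["GET"].append("<td>" + link + "</td><td>"
                                      + utils.html_escape(str(u["query"])) + "</td>" + tail)
            elif methods[idx] == "POST":
                buckets["POST"].append("<td>" + link + "</td><td>"
                                       + utils.html_escape(str(bodies[idx])) + "</td>" + tail)
        elif 300 <= code < 400:
            location = "-"
            if "Location" in resp_headers[idx]:
                location = utils.html_escape(str(resp_headers[idx]["Location"]))
            buckets["Redirect"].append("<td>" + link + "</td><td>" + location + "</td>" + tail)
        elif code >= 400:
            buckets["Error"].append("<td>" + link + "</td>" + tail)
        elif code == 0:
            buckets["Files"].append("<td>" + link + "</td>" + tail)

    collums = {
        "GET": ["Path", "Query", "Status Code"],
        "POST": ["Path", "Param", "Status Code"],
        "Redirect": ["Path", "Location", "Status Code"],
        "Error": ["Path", "Status Code"],
        "Files": ["Path", "Status Code"],
        "Escope": ["Path", "Status Code"],
    }
    rows = {
        "GET": buckets["GET"],
        "POST": buckets["POST"],
        "Redirect": buckets["Redirect"],
        "Error": buckets["Error"],
        "Files": buckets["Files"],
        "Escope": buckets["Escope"],
    }
    tip = ""
    rpt.make_table("main", tip, collums, rows)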
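def analysis(http_objs):
    """Tabulate the security-related response headers each path returned.

    Tables: HeadersSecurity (X-Frame-Options), HSTS, CSP, CSP_Report,
    AccessControl (Access-Control-Allow-Origin) and XSS_Protection. A row is
    added only when the header is present; absence is not reported. The CSP
    tables accept both the standard Content-Security-Policy[-Report-Only]
    names and the legacy X- prefixed variants the old code looked for.

    @param http_objs: parser output; reads "total_requests", "request_URL",
        "response_headers".
    """
    total = http_objs["total_requests"]
    resp_headers = http_objs["response_headers"]
    urls = http_objs["request_URL"]
    rpt = report.htmltags()

    table_headers = (
        ("HeadersSecurity", ("X-Frame-Options",)),
        ("HSTS", ("Strict-Transport-Security",)),
        ("CSP", ("Content-Security-Policy", "X-Content-Security-Policy")),
        ("CSP_Report", ("Content-Security-Policy-Report-Only",
                        "X-Content-Security-Policy-Report-Only")),
        ("AccessControl", ("Access-Control-Allow-Origin",)),
        ("XSS_Protection", ("X-XSS-Protection",)),
    )
    rows = {}
    for table, _ in table_headers:
        rows[table] = []

    for idx in range(0, total):
        u = urls[idx]
        link = rpt.href(u["protocol"] + "://" + u["url"] + u["path"])
        present = resp_headers[idx]
        for table, names in table_headers:
            hits = [n for n in names if n in present]
            for name in hits:
                # Escape: the directive text is whatever the target sent.
                rows[table].append("<td>" + link + "</td><td>"
                                   + utils.html_escape(str(present[name])) + "</td>")

    collums = {}
    for table, _ in table_headers:
        collums[table] = ["Path", "Diretive"]
    tip = "Tip: <a href='http://www.mcafee.com/us/resources/white-papers/foundstone/wp-recent-advances-web-app-security.pdf' target='_blank'>Recent Advances in Web Application Security</a>"
    rpt.make_table("headers", tip, collums, rows)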