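def analysis(http_objs):
    """
    List every response served as ``application/json`` next to its body.

    @param http_objs: Objects parsed from the Burp log file.  This module reads
        ``total_requests``, ``response_body``, ``response_headers`` and
        ``request_URL``.

    Produces the "json" table (Path, JSON Analyzed) through ``report.htmltags``.
    """
    # The response body comes from the target site and is written into an
    # HTML report, so it is escaped to keep a hostile server from injecting
    # markup or script into the report the tester opens in a browser.
    from xml.sax.saxutils import escape

    total = http_objs["total_requests"]
    bodies = http_objs["response_body"]
    resp_headers = http_objs["response_headers"]
    urls = http_objs["request_URL"]

    rpt = report.htmltags()
    json_rows = []

    for i in range(total):
        entry = urls[i]
        full_path = entry["protocol"] + "://" + entry["url"] + entry["path"]

        headers = resp_headers[i]
        if "Content-Type" not in headers:
            continue
        # Substring match so a parameter suffix ("application/json; charset=...")
        # still qualifies.
        if "application/json" in str(headers["Content-Type"]):
            json_rows.append("<td>" + rpt.href(full_path) + "</td><td>" +
                             escape(bodies[i]) + "</td>")

    collums = {"JSON": ["Path", "JSON Analyzed"]}
    rows = {"JSON": json_rows}

    tip = "Tip: <a href='https://www.owasp.org/index.php/Testing_for_AJAX_Vulnerabilities_%28OWASP-AJ-001%29' target='_blank'>Testing for AJAX Vulnerabilities</a> and <a href='http://haacked.com/archive/2009/06/25/json-hijacking.aspx' target='_blank'>JSON Hijacking</a>"

    rpt.make_table("json", tip, collums, rows)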
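def load_modules(log_file):
    """
    Parse a Burp log file and run every configured analysis module over it.

    @param log_file: Path of the Burp log to parse.

    Modules are listed in ``conf/config.xml`` (section ``modules``, key
    ``config``).  Each entry's ``name`` is resolved as an attribute of the
    ``modules`` package (populated by ``import_modules()``) and its
    ``analysis(http_objs)`` is called; the HTML report is written at the end.

    @raise ValueError: if a configured module name is not a plain identifier.
    """
    import re

    begin = time.time()
    requests = parser.headers_pool(log_file)
    http_objs = requests.get_http_objs()
    total_spent = time.time() - begin
    utils.print_info("info", "Parser Done! | Seconds %.3f" % total_spent)

    import_modules()

    rpt = report.htmltags()

    modules_dict = utils.parser_xml("conf/config.xml", "modules", "config")

    # The original popped entries off the end of the list, so modules ran in
    # reverse configuration order; that order is kept here.
    for entry in reversed(modules_dict or []):
        name = entry["name"]
        # Resolve the module by name instead of eval()'ing a string built from
        # the config file: a name such as "x; __import__('os').system(...)"
        # must never run as code.
        if not re.match(r"^[A-Za-z_][A-Za-z0-9_]*$", name):
            raise ValueError("invalid module name in conf/config.xml: %r" % name)
        module = getattr(modules, name)

        begin = time.time()
        module.analysis(http_objs)
        spent = time.time() - begin
        total_spent += spent
        utils.print_info("info",
            "- \033[1;33m" + name + "\033[1;m Spent %.3f" % spent + "\033[1;m Seconds")

    rpt.html_report()
    utils.print_info("info", "Total Time spent: %.3f" % total_spent)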
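def analysis(http_objs):
    """
    Report what each host discloses about its platform through response headers.

    @param http_objs: Objects parsed from the Burp log file.  This module reads
        ``total_requests``, ``response_headers`` and ``request_headers``.

    One row per (Host, fingerprint header) pair, showing ``Header: value``.
    Produces the "fingerprint" table.
    """
    total = http_objs["total_requests"]
    resp_headers = http_objs["response_headers"]
    req_headers = http_objs["request_headers"]

    # Response headers that leak platform information.  The description is
    # only used to build the de-duplication key, as in the original.
    fingerprint_headers = {
        "Server": "Application Server",
        "X-Powered-By": "Platform",
        "X-Aspnet-Version": "Asp.Net Version",
        "X-Varnish": "Varnish Cache",
    }

    fingerprint_rows = []
    seen = set()  # md5(host + description) of rows already emitted
    rpt = report.htmltags()

    for i in range(total):
        response = resp_headers[i]
        # HTTP/1.0 requests may carry no Host header; the original raised
        # KeyError on them.
        host = str(req_headers[i].get("Host", ""))

        for header in response:
            if header not in fingerprint_headers:
                continue
            key = utils.md5_object(host + str(fingerprint_headers[header]))
            if key in seen:
                continue
            seen.add(key)

            # The original showed the Server value for every matched header
            # (and only the header *name* when Server was absent), so the
            # X-Powered-By / X-Aspnet-Version / X-Varnish values never
            # reached the report.  Show the matched header and its own value.
            value = str(header) + ": " + str(response[header])
            # Both strings come from the target and land in an HTML report.
            fingerprint_rows.append("<td>" + utils.html_escape(host) +
                                    "</td><td>" + utils.html_escape(value) +
                                    "</td>")

    collums = {"Fingerprint": ["Path", "-"]}
    rows = {"Fingerprint": fingerprint_rows}

    tip = "Tip: <a href='https://www.owasp.org/index.php/Testing_for_Web_Application_Fingerprint_%28OWASP-IG-004%29' target='_blank'>Testing for Web Application Fingerprint</a>"

    rpt.make_table("fingerprint", tip, collums, rows)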
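def analysis(http_objs):
    """
    List every response served as ``application/json`` next to its body.

    @param http_objs: Objects parsed from the Burp log file.  This module reads
        ``total_requests``, ``response_body``, ``response_headers`` and
        ``request_URL``.

    Produces the "json" table (Path, JSON Analyzed) through ``report.htmltags``.
    """
    # The response body comes from the target site and is written into an
    # HTML report, so it is escaped to keep a hostile server from injecting
    # markup or script into the report the tester opens in a browser.
    from xml.sax.saxutils import escape

    total = http_objs["total_requests"]
    bodies = http_objs["response_body"]
    resp_headers = http_objs["response_headers"]
    urls = http_objs["request_URL"]

    rpt = report.htmltags()
    json_rows = []

    for i in range(total):
        entry = urls[i]
        full_path = entry["protocol"] + "://" + entry["url"] + entry["path"]

        headers = resp_headers[i]
        if "Content-Type" not in headers:
            continue
        # Substring match so a parameter suffix ("application/json; charset=...")
        # still qualifies.
        if "application/json" in str(headers["Content-Type"]):
            json_rows.append("<td>" + rpt.href(full_path) + "</td><td>" +
                             escape(bodies[i]) + "</td>")

    collums = {"JSON": ["Path", "JSON Analyzed"]}
    rows = {"JSON": json_rows}

    tip = "Tip: <a href='https://www.owasp.org/index.php/Testing_for_AJAX_Vulnerabilities_%28OWASP-AJ-001%29' target='_blank'>Testing for AJAX Vulnerabilities</a> and <a href='http://haacked.com/archive/2009/06/25/json-hijacking.aspx' target='_blank'>JSON Hijacking</a>"

    rpt.make_table("json", tip, collums, rows)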
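def analysis(http_objs):
    """
    List every request that sent an ``Authorization`` header and every
    response that answered with ``WWW-Authenticate``.

    @param http_objs: Objects parsed from the Burp log file.  This module reads
        ``total_requests``, ``request_headers``, ``response_headers`` and
        ``request_URL``.

    Produces the "auth" tables (Authorization, Authenticate).  The
    Authorization column reproduces the logged credential verbatim (Basic
    base64, bearer tokens, ...), so the generated report must itself be
    handled as sensitive material.
    """
    # Header values are copied from the traffic into an HTML report, so they
    # are escaped to keep a hostile server from injecting markup.
    from xml.sax.saxutils import escape

    total = http_objs["total_requests"]
    req_headers = http_objs["request_headers"]
    resp_headers = http_objs["response_headers"]
    urls = http_objs["request_URL"]

    rpt = report.htmltags()
    auth_rows = []
    authenticate_types_rows = []

    for i in range(total):
        entry = urls[i]
        link = rpt.href(entry["protocol"] + "://" + entry["url"] + entry["path"])

        if "Authorization" in req_headers[i]:
            auth_rows.append("<td>" + link + "</td><td>" +
                             escape(str(req_headers[i]["Authorization"])) +
                             "</td>")
        if "WWW-Authenticate" in resp_headers[i]:
            authenticate_types_rows.append(
                "<td>" + link + "</td><td>" +
                escape(str(resp_headers[i]["WWW-Authenticate"])) + "</td>")

    collums = {"Authorization": ["Path", "Authorization Analyzed"],
               "Authenticate": ["Path", "Authenticate Type Analyzed"]}
    rows = {"Authorization": auth_rows,
            "Authenticate": authenticate_types_rows}

    tip = "Tip: <a href='https://www.owasp.org/index.php/Testing_for_authentication' target='_blank'>Testing for authentication</a>"

    rpt.make_table("auth", tip, collums, rows)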
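def analysis(http_objs):
    """
    Report what each host discloses about its platform through response headers.

    @param http_objs: Objects parsed from the Burp log file.  This module reads
        ``total_requests``, ``response_headers`` and ``request_headers``.

    One row per (Host, fingerprint header) pair, showing ``Header: value``.
    Produces the "fingerprint" table.
    """
    total = http_objs["total_requests"]
    resp_headers = http_objs["response_headers"]
    req_headers = http_objs["request_headers"]

    # Response headers that leak platform information.  The description is
    # only used to build the de-duplication key, as in the original.
    fingerprint_headers = {
        "Server": "Application Server",
        "X-Powered-By": "Platform",
        "X-Aspnet-Version": "Asp.Net Version",
        "X-Varnish": "Varnish Cache",
    }

    fingerprint_rows = []
    seen = set()  # md5(host + description) of rows already emitted
    rpt = report.htmltags()

    for i in range(total):
        response = resp_headers[i]
        # HTTP/1.0 requests may carry no Host header; the original raised
        # KeyError on them.
        host = str(req_headers[i].get("Host", ""))

        for header in response:
            if header not in fingerprint_headers:
                continue
            key = utils.md5_object(host + str(fingerprint_headers[header]))
            if key in seen:
                continue
            seen.add(key)

            # The original showed the Server value for every matched header
            # (and only the header *name* when Server was absent), so the
            # X-Powered-By / X-Aspnet-Version / X-Varnish values never
            # reached the report.  Show the matched header and its own value.
            value = str(header) + ": " + str(response[header])
            # Both strings come from the target and land in an HTML report.
            fingerprint_rows.append("<td>" + utils.html_escape(host) +
                                    "</td><td>" + utils.html_escape(value) +
                                    "</td>")

    collums = {"Fingerprint": ["Path", "-"]}
    rows = {"Fingerprint": fingerprint_rows}

    tip = "Tip: <a href='https://www.owasp.org/index.php/Testing_for_Web_Application_Fingerprint_%28OWASP-IG-004%29' target='_blank'>Testing for Web Application Fingerprint</a>"

    rpt.make_table("fingerprint", tip, collums, rows)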
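def analysis(http_objs):
    """
    List every request that sent an ``Authorization`` header and every
    response that answered with ``WWW-Authenticate``.

    @param http_objs: Objects parsed from the Burp log file.  This module reads
        ``total_requests``, ``request_headers``, ``response_headers`` and
        ``request_URL``.

    Produces the "auth" tables (Authorization, Authenticate).  The
    Authorization column reproduces the logged credential verbatim (Basic
    base64, bearer tokens, ...), so the generated report must itself be
    handled as sensitive material.
    """
    # Header values are copied from the traffic into an HTML report, so they
    # are escaped to keep a hostile server from injecting markup.
    from xml.sax.saxutils import escape

    total = http_objs["total_requests"]
    req_headers = http_objs["request_headers"]
    resp_headers = http_objs["response_headers"]
    urls = http_objs["request_URL"]

    rpt = report.htmltags()
    auth_rows = []
    authenticate_types_rows = []

    for i in range(total):
        entry = urls[i]
        link = rpt.href(entry["protocol"] + "://" + entry["url"] + entry["path"])

        if "Authorization" in req_headers[i]:
            auth_rows.append("<td>" + link + "</td><td>" +
                             escape(str(req_headers[i]["Authorization"])) +
                             "</td>")
        if "WWW-Authenticate" in resp_headers[i]:
            authenticate_types_rows.append(
                "<td>" + link + "</td><td>" +
                escape(str(resp_headers[i]["WWW-Authenticate"])) + "</td>")

    collums = {
        "Authorization": ["Path", "Authorization Analyzed"],
        "Authenticate": ["Path", "Authenticate Type Analyzed"]
    }
    rows = {
        "Authorization": auth_rows,
        "Authenticate": authenticate_types_rows
    }

    tip = "Tip: <a href='https://www.owasp.org/index.php/Testing_for_authentication' target='_blank'>Testing for authentication</a>"

    rpt.make_table("auth", tip, collums, rows)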
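def analysis(http_objs):
    """
    List the ``Cache-Control`` and ``Pragma`` directives returned for each path.

    @param http_objs: Objects parsed from the Burp log file.  This module reads
        ``total_requests``, ``response_headers`` and ``request_URL``.

    One row per (path, header) pair; repeats are dropped.  Produces the
    "cache" table and then writes the HTML report.
    """
    total = http_objs["total_requests"]
    resp_headers = http_objs["response_headers"]
    urls = http_objs["request_URL"]

    cache_headers = ("Cache-Control", "Pragma")

    cache_rows = []
    seen = set()  # md5(path + header name) of rows already emitted

    rpt = report.htmltags()

    for i in range(total):
        headers = resp_headers[i]
        matched = [header for header in headers if header in cache_headers]
        if not matched:
            continue

        entry = urls[i]
        full_path = entry["protocol"] + "://" + entry["url"] + entry["path"]

        for header in matched:
            key = utils.md5_object(full_path + str(header))
            if key in seen:
                continue
            seen.add(key)
            # The directive value comes from the target and lands in an HTML
            # report, so it is escaped.
            cache_rows.append("<td>" + rpt.href(full_path) + "</td><td>" +
                              utils.html_escape(str(headers[header])) + "</td>")

    collums = {"Cache": ["Path", "Cache Analyzed"]}
    rows = {"Cache": cache_rows}

    tip = "Tip: <a href='https://www.owasp.org/index.php/Testing_for_Logout_and_Browser_Cache_Management_%28OWASP-AT-007%29' target='_blank'>Testing for Logout and Browser Cache Management</a>"

    rpt.make_table("cache", tip, collums, rows)
    # NOTE(review): unlike the other modules this one also writes the whole
    # report itself; the loader writes it again after all modules ran.
    # Confirm this double write is intended.
    rpt.html_report()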
#!/usr/bin/env python
# -*- coding: utf-8 -*-

from conf import utils
from core import report

# Module-level report builder; the helpers below use it to create links
# (``rpt.href``) for the rows they produce.
rpt = report.htmltags()


def xml_analys(urls, requests, response_body, response_headers):

    url = urls
    xml_full_path = []
    xml_rows = []

    for i in xrange(0, requests):
        protocol = url[i]["protocol"]
        domain = url[i]["url"]
        path = url[i]["path"]
        params = url[i]["params"]
        query = url[i]["query"]

        full_path = protocol + "://" + domain + path

        if response_headers[i].has_key("Content-Type"):
            if "xml" in str(response_headers[i]["Content-Type"]
                            ) and full_path not in xml_full_path:
                xml_full_path.append(full_path)
                content = utils.syntaxhighlighter("xml", rpt.href(full_path),
                                                  response_body[i])
                xml_rows.append("<td>" + rpt.href(full_path) + "</td><td>" +
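def analysis(http_objs):
    """
    Fetch every ``.swf`` seen in the log, disassemble it with flasm and grep
    the ActionScript for risky patterns (text writes, loads, network calls,
    URL parameters, crossdomain, XML, LSO, headers, ExternalInterface and
    global variables).

    @param http_objs: Objects parsed from the Burp log file.  This module reads
        ``total_requests``, ``request_headers`` and ``request_URL``.

    Side effects: each SWF is downloaded into ``utils.__workspace_path__``
    with the command returned by ``utils.curl_conn()``, its flasm output is
    written next to it as ``<name>.html``, and one ``<name>.htmlActionScript``
    report file is produced per SWF.  Produces the "flash" table.
    """
    import os
    import shlex
    import subprocess

    total = http_objs["total_requests"]
    req_headers = http_objs["request_headers"]
    urls = http_objs["request_URL"]

    path_flasm = utils.parser_xml("conf/config.xml", "path", "flasm")
    path_report = utils.__workspace_path__

    rpt = report.htmltags()

    # One (disassembly file name, link to the SWF, link to its referer) per
    # SWF.  The original kept only the file names and reused whichever URL
    # and referer the *last* loop iteration left behind for every row.
    swf_files = []

    for i in range(total):
        entry = urls[i]
        path = entry["path"]
        if not path.endswith(".swf"):
            continue

        full_path = entry["protocol"] + "://" + entry["url"] + path
        swf_name = full_path.split("/")[-1]
        out_name = swf_name + ".html"

        # The URL and file name are copied from the proxy log, i.e. chosen by
        # the target.  The original joined them into one shell string
        # ("cd ...; curl ... URL; flasm -d NAME > NAME.html"), so a path such
        # as "x.swf;rm -rf ~" would have been executed.  Run each program
        # with an argument list and no shell instead.
        # NOTE(review): utils.curl_conn() is assumed to return a plain command
        # line such as "curl -s -O"; confirm it carries no shell syntax.
        curl_cmd = shlex.split(utils.curl_conn()) + [full_path]
        flasm_cmd = [os.path.join(path_flasm[0], "flasm"), "-d", swf_name]
        try:
            with open(os.devnull, "w") as devnull:
                subprocess.call(curl_cmd, cwd=path_report,
                                stdout=devnull, stderr=devnull)
            with open(os.path.join(path_report, out_name), "w") as out:
                subprocess.call(flasm_cmd, cwd=path_report, stdout=out)
        except OSError as err:
            # curl or flasm missing / not executable: report and skip this
            # file rather than abort every remaining module.
            utils.print_info("info", "flash: could not process " + full_path +
                             ": " + str(err))
            continue

        if "Referer" in req_headers[i]:
            origin = rpt.href(req_headers[i]["Referer"])
        else:
            origin = "No Referer Header"
        swf_files.append((out_name, rpt.href(full_path), origin))

    # Pattern groups looked up in "flash_patterns", in table-column order.
    patterns = ("text", "load", "net", "url", "crossdomain", "xml", "lso",
                "header", "externalinterface", "globalvariables")

    flash_rows = []
    for out_name, swf_link, origin in swf_files:
        # The original never closed this handle.
        with open(os.path.join(path_report, out_name), "r") as handle:
            swf_content = handle.read()

        warnings = [utils.grep_statement("flash_patterns", swf_content, pattern)
                    for pattern in patterns]

        content = utils.syntaxhighlighter("as3", swf_link, swf_content)
        rpt.make_module_report_file(content, out_name + "ActionScript")

        # Exactly one cell per column; the original emitted a stray "</td>"
        # after the net-connections cell.
        cells = [swf_link, origin, rpt.href(out_name + "ActionScript")] + warnings
        flash_rows.append("".join("<td>" + cell + "</td>" for cell in cells))

    collums = {"flash": ["Path", "Origin", "Flash Analyzed", "Text Write", "Load", "Net Connections",
    "Url Parameter", "Cross Domain", "XML Send", "lSO", "Add Header", "External Interface", "Global Variables"]}
    rows = {"flash": flash_rows}

    tip = "Tip: <a href='https://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project' target='_blank'>OWASP Flash Security Project</a> and <a href='https://www.owasp.org/index.php/Flash_Testing' target='_blank'>OWASP Testing Guide - Flash</a>"

    rpt.make_table("flash", tip, collums, rows)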
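_CSRF_HEADER = "<html><title>CSRF PoC</title><body>"
# The original footer started with a stray "'" and the <form ...> tag it
# closed was never terminated with ">", so the inputs were parsed as
# attributes of the form tag rather than as fields inside the form.
_CSRF_FOOTER = "</form> <script>document.forms[0].submit()</script>"


def _write_csrf_poc(rpt, index, body_poc):
    """Write the live PoC page and its escaped source for request *index*;
    return the (PoC link, Source PoC link) pair."""
    content = _CSRF_HEADER + body_poc + _CSRF_FOOTER + "</body></html>"
    content_source = _CSRF_HEADER + utils.html_escape(body_poc + _CSRF_FOOTER) + "</body></html>"
    rpt.make_module_report_file(content, str(index) + "CSRF_POC")
    rpt.make_module_report_file(content_source, str(index) + "CSRF_SOURCE_POC")
    return (rpt.href(str(index) + "CSRF_POC"),
            rpt.href(str(index) + "CSRF_SOURCE_POC"))


def analysis(http_objs):
    """
    Generate an auto-submitting HTML proof-of-concept page for every in-scope
    GET-with-query and POST-with-body request that received a status below 300.

    @param http_objs: Objects parsed from the Burp log file.  This module reads
        ``total_requests``, ``request_methods``, ``request_URL``,
        ``response_status`` and ``request_body``.

    For each request two report files are written, ``<i>CSRF_POC`` (the live
    page) and ``<i>CSRF_SOURCE_POC`` (its escaped source).  Produces the
    "csrf" table with the columns Path, Method, PoC, Source PoC in that order
    (the original filled GET and POST rows in two different column orders).
    """
    # quoteattr() returns the value wrapped in quotes with any quote character
    # inside it escaped, so a logged URL or parameter cannot break out of the
    # attribute it is placed in.
    from xml.sax.saxutils import quoteattr

    rpt = report.htmltags()

    total = http_objs["total_requests"]
    methods = http_objs["request_methods"]
    urls = http_objs["request_URL"]
    status = http_objs["response_status"]
    bodies = http_objs["request_body"]

    csrf_rows = []

    for i in range(total):
        entry = urls[i]
        if entry["out_escope"] is not False:
            continue
        if status[i] == 0 or status[i] >= 300:
            continue

        method = methods[i]
        target = entry["protocol"] + "://" + entry["url"] + entry["path"]

        if method == "GET" and entry["query"] != "":
            body_poc = ("<form method='GET' action=" +
                        quoteattr(target + "?" + entry["query"]) + ">")

        elif method == "POST" and bodies[i] != "":
            # One input per body parameter, built fresh for this request: the
            # original accumulated the inputs of every earlier POST as well,
            # and set each value to the request index instead of the logged
            # value.  partition() keeps any "=" inside the value.
            # NOTE(review): values are copied verbatim (still URL-encoded if
            # they were in the log) -- confirm that is what the PoC should send.
            inputs = []
            for pair in bodies[i].split("&"):
                name, _, value = pair.partition("=")
                inputs.append("<input type='text' name=" + quoteattr(name) +
                              " value=" + quoteattr(value) + " />")
            body_poc = ("<form method='POST' action=" + quoteattr(target) + ">" +
                        "".join(inputs))

        else:
            continue

        poc_link, source_link = _write_csrf_poc(rpt, i, body_poc)
        csrf_rows.append("<td>" + rpt.href(target) + "</td><td>" + method +
                         "</td><td>" + poc_link + "</td><td>" + source_link +
                         "</td>")

    collums = {"CSRF": ["Path", "Method", "PoC", "Source PoC"]}
    rows = {"CSRF": csrf_rows}

    tip = "Tip: <a href='https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet' target='_blank'>Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet</a> and <a href='https://www.owasp.org/index.php/Testing_for_CSRF_%28OWASP-SM-005%29' target='_blank'>Testing for CSRF</a>"

    rpt.make_table("csrf", tip, collums, rows)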
#!/usr/bin/env python
# -*- coding: utf-8 -*-

from conf import utils
from core import report
import re

# Module-level report builder; the helpers below use it to create links
# (``rpt.href``) for the rows they produce.
rpt = report.htmltags()

def grep_domobjects(http_objs, requests, response_data, dom_regex):

    request_URLs = http_objs["request_URL"]

    dom_rows = []

    hash_group = []
                    
    for i in xrange(0, requests):
        protocol = request_URLs[i]["protocol"]
        url = request_URLs[i]["url"]
        path = request_URLs[i]["path"]
        params = request_URLs[i]["params"]
        query = request_URLs[i]["query"]

        full_path = protocol + "://" + url + path
        
        content = re.findall(eval(dom_regex), response_data[i], re.I) 
        content = str(content)
        if content != "[]":
            if utils.md5_object(full_path + utils.html_escape(content)) not in hash_group:
                dom_rows.append("<td>" + rpt.href(full_path) + "</td><td>" + utils.html_escape(content) + "</td>")
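def analysis(http_objs):
    """
    Fetch every ``.swf`` seen in the log, disassemble it with flasm and grep
    the ActionScript for risky patterns (text writes, loads, network calls,
    URL parameters, crossdomain, XML, LSO, headers, ExternalInterface and
    global variables).

    @param http_objs: Objects parsed from the Burp log file.  This module reads
        ``total_requests``, ``request_headers`` and ``request_URL``.

    Side effects: each SWF is downloaded into ``utils.__workspace_path__``
    with the command returned by ``utils.curl_conn()``, its flasm output is
    written next to it as ``<name>.html``, and one ``<name>.htmlActionScript``
    report file is produced per SWF.  Produces the "flash" table.
    """
    import os
    import shlex
    import subprocess

    total = http_objs["total_requests"]
    req_headers = http_objs["request_headers"]
    urls = http_objs["request_URL"]

    path_flasm = utils.parser_xml("conf/config.xml", "path", "flasm")
    path_report = utils.__workspace_path__

    rpt = report.htmltags()

    # One (disassembly file name, link to the SWF, link to its referer) per
    # SWF.  The original kept only the file names and reused whichever URL
    # and referer the *last* loop iteration left behind for every row.
    swf_files = []

    for i in range(total):
        entry = urls[i]
        path = entry["path"]
        if not path.endswith(".swf"):
            continue

        full_path = entry["protocol"] + "://" + entry["url"] + path
        swf_name = full_path.split("/")[-1]
        out_name = swf_name + ".html"

        # The URL and file name are copied from the proxy log, i.e. chosen by
        # the target.  The original joined them into one shell string
        # ("cd ...; curl ... URL; flasm -d NAME > NAME.html"), so a path such
        # as "x.swf;rm -rf ~" would have been executed.  Run each program
        # with an argument list and no shell instead.
        # NOTE(review): utils.curl_conn() is assumed to return a plain command
        # line such as "curl -s -O"; confirm it carries no shell syntax.
        curl_cmd = shlex.split(utils.curl_conn()) + [full_path]
        flasm_cmd = [os.path.join(path_flasm[0], "flasm"), "-d", swf_name]
        try:
            with open(os.devnull, "w") as devnull:
                subprocess.call(curl_cmd, cwd=path_report,
                                stdout=devnull, stderr=devnull)
            with open(os.path.join(path_report, out_name), "w") as out:
                subprocess.call(flasm_cmd, cwd=path_report, stdout=out)
        except OSError as err:
            # curl or flasm missing / not executable: report and skip this
            # file rather than abort every remaining module.
            utils.print_info("info", "flash: could not process " + full_path +
                             ": " + str(err))
            continue

        if "Referer" in req_headers[i]:
            origin = rpt.href(req_headers[i]["Referer"])
        else:
            origin = "No Referer Header"
        swf_files.append((out_name, rpt.href(full_path), origin))

    # Pattern groups looked up in "flash_patterns", in table-column order.
    patterns = ("text", "load", "net", "url", "crossdomain", "xml", "lso",
                "header", "externalinterface", "globalvariables")

    flash_rows = []
    for out_name, swf_link, origin in swf_files:
        # The original never closed this handle.
        with open(os.path.join(path_report, out_name), "r") as handle:
            swf_content = handle.read()

        warnings = [utils.grep_statement("flash_patterns", swf_content, pattern)
                    for pattern in patterns]

        content = utils.syntaxhighlighter("as3", swf_link, swf_content)
        rpt.make_module_report_file(content, out_name + "ActionScript")

        # Exactly one cell per column; the original emitted a stray "</td>"
        # after the net-connections cell.
        cells = [swf_link, origin, rpt.href(out_name + "ActionScript")] + warnings
        flash_rows.append("".join("<td>" + cell + "</td>" for cell in cells))

    collums = {
        "flash": [
            "Path", "Origin", "Flash Analyzed", "Text Write", "Load",
            "Net Connections", "Url Parameter", "Cross Domain", "XML Send",
            "lSO", "Add Header", "External Interface", "Global Variables"
        ]
    }
    rows = {"flash": flash_rows}

    tip = "Tip: <a href='https://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project' target='_blank'>OWASP Flash Security Project</a> and <a href='https://www.owasp.org/index.php/Flash_Testing' target='_blank'>OWASP Testing Guide - Flash</a>"

    rpt.make_table("flash", tip, collums, rows)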
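def analysis(http_objs):
    """
    Build the overview tables of the report.

    @param http_objs: Objects parsed from the Burp log file.  This module reads
        ``total_requests``, ``request_methods``, ``request_URL``,
        ``response_status``, ``request_body`` and ``response_headers``.

    In-scope requests are bucketed by response status: GET/POST with a status
    below 300, redirects (3xx, with their Location), errors (4xx and 5xx) and
    entries whose recorded status is 0.  Out-of-scope requests go to the
    "Escope" table whatever their status.  Produces the "main" table set.
    """
    # Query strings, POST bodies and Location values are attacker-controlled
    # text that lands in an HTML report, so they are escaped.
    from xml.sax.saxutils import escape

    rpt = report.htmltags()

    total = http_objs["total_requests"]
    methods = http_objs["request_methods"]
    urls = http_objs["request_URL"]
    status = http_objs["response_status"]
    bodies = http_objs["request_body"]
    resp_headers = http_objs["response_headers"]

    get_rows = []
    post_rows = []
    redirect_rows = []
    error_rows = []
    files_rows = []
    escope_rows = []

    for i in range(total):
        entry = urls[i]
        link = rpt.href(entry["protocol"] + "://" + entry["url"] + entry["path"])
        code = status[i]
        code_cell = "<td>" + str(code) + "</td>"

        if entry["out_escope"] is not False:
            escope_rows.append("<td>" + link + "</td>" + code_cell)
            continue

        if code == 0:
            files_rows.append("<td>" + link + "</td>" + code_cell)
        elif code < 300:
            if methods[i] == "GET":
                get_rows.append("<td>" + link + "</td><td>" +
                                escape(entry["query"]) + "</td>" + code_cell)
            elif methods[i] == "POST":
                post_rows.append("<td>" + link + "</td><td>" +
                                 escape(bodies[i]) + "</td>" + code_cell)
        elif code < 400:
            # 3xx only.  The original treated 300..400 as redirects and
            # started the error bucket at 401, so "400 Bad Request" was
            # filed as a redirect with no Location.
            if "Location" in resp_headers[i]:
                redirect_rows.append("<td>" + link + "</td><td>" +
                                     escape(str(resp_headers[i]["Location"])) +
                                     "</td>" + code_cell)
            else:
                redirect_rows.append("<td>" + link + "</td><td>-</td>" + code_cell)
        else:
            error_rows.append("<td>" + link + "</td>" + code_cell)

    collums = {
        "GET": ["Path", "Query", "Status Code"],
        "POST": ["Path", "Param", "Status Code"],
        "Redirect": ["Path", "Location", "Status Code"],
        "Error": ["Path", "Status Code"],
        "Files": ["Path", "Status Code"],
        "Escope": ["Path", "Status Code"]
    }
    rows = {
        "GET": get_rows,
        "POST": post_rows,
        "Redirect": redirect_rows,
        "Error": error_rows,
        "Files": files_rows,
        "Escope": escope_rows
    }

    tip = ""

    rpt.make_table("main", tip, collums, rows)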
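def analysis(http_objs):
    """
    Collect the browser-side security headers each path responds with.

    @param http_objs: Objects parsed from the Burp log file.  This module reads
        ``total_requests``, ``response_headers`` and ``request_URL``.

    Produces the "headers" table set -- X-Frame-Options, HSTS, CSP, CSP
    report-only, Access-Control-Allow-Origin and X-XSS-Protection -- with one
    row per (path, header) occurrence.
    """
    # Directive values come from the target and land in an HTML report, so
    # they are escaped to keep a hostile server from injecting markup.
    from xml.sax.saxutils import escape

    total = http_objs["total_requests"]
    resp_headers = http_objs["response_headers"]
    urls = http_objs["request_URL"]

    rpt = report.htmltags()

    # Table key -> response headers that feed it.  The X-Content-Security-Policy
    # spellings are the pre-standard names the original looked for; the
    # unprefixed Content-Security-Policy names are what current servers send,
    # so both are accepted.
    # NOTE(review): matching is by exact dict key, so header-name case must
    # already be normalised by the parser -- confirm.
    checks = [
        ("HeadersSecurity", ("X-Frame-Options",)),
        ("HSTS", ("Strict-Transport-Security",)),
        ("CSP", ("Content-Security-Policy", "X-Content-Security-Policy")),
        ("CSP_Report", ("Content-Security-Policy-Report-Only",
                        "X-Content-Security-Policy-Report-Only")),
        ("AccessControl", ("Access-Control-Allow-Origin",)),
        ("XSS_Protection", ("X-XSS-Protection",)),
    ]
    rows = {key: [] for key, _ in checks}

    for i in range(total):
        entry = urls[i]
        link = rpt.href(entry["protocol"] + "://" + entry["url"] + entry["path"])
        headers = resp_headers[i]

        for key, names in checks:
            for name in names:
                if name in headers:
                    rows[key].append("<td>" + link + "</td><td>" +
                                     escape(str(headers[name])) + "</td>")

    collums = {key: ["Path", "Diretive"] for key, _ in checks}

    tip = "Tip: <a href='http://www.mcafee.com/us/resources/white-papers/foundstone/wp-recent-advances-web-app-security.pdf' target='_blank'>Recent Advances in Web Application Security</a>"

    rpt.make_table("headers", tip, collums, rows)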
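def analysis(http_objs):
    """
    Build the "main" report tables from the parsed HTTP traffic.

    Each in-scope request is filed into one table by its response status:
    GET/POST rows for successful responses (the query string, respectively
    the request body, is shown next to the link), ``Redirect`` rows for 3xx
    responses with the ``Location`` target when one was sent, ``Error`` rows
    for 4xx/5xx, and ``Files`` rows for requests recorded with status ``0``
    (presumably entries the parser captured without a response status --
    confirm against the parser). Out-of-scope requests go to ``Escope``.

    :param http_objs: dict produced by the parser, read through the keys
        ``total_requests``, ``request_methods``, ``request_URL``,
        ``response_status``, ``request_body`` and ``response_headers``.
    :returns: ``None``; the table is emitted via
        ``report.htmltags().make_table("main", ...)``.
    """
    rpt = report.htmltags()

    requests = http_objs["total_requests"]
    request_methods = http_objs["request_methods"]
    request_URLs = http_objs["request_URL"]
    status = http_objs["response_status"]
    request_body = http_objs["request_body"]
    response_headers = http_objs["response_headers"]

    get_rows = []
    post_rows = []
    redirect_rows = []
    error_rows = []
    files_rows = []
    escope_rows = []

    for i in range(requests):
        url_parts = request_URLs[i]
        full_path = url_parts["protocol"] + "://" + url_parts["url"] + url_parts["path"]
        code = status[i]

        # NOTE(review): rpt.href() is assumed to quote/escape the URL it
        # renders -- confirm in report.htmltags. This module only escapes the
        # traffic-derived values it inlines itself (query, body, Location).
        link_cell = "<td>" + rpt.href(full_path) + "</td>"
        status_cell = "<td>" + str(code) + "</td>"

        if url_parts["out_escope"] is not False:
            escope_rows.append(link_cell + status_cell)
            continue

        if code != 0 and code < 300:
            if request_methods[i] == "GET":
                get_rows.append(
                    link_cell + "<td>" + _html_text(url_parts["query"]) + "</td>" + status_cell
                )
            elif request_methods[i] == "POST":
                post_rows.append(
                    link_cell + "<td>" + _html_text(request_body[i]) + "</td>" + status_cell
                )

        elif 300 <= code < 400:
            # 400 is a client error, not a redirect; the inclusive 300..400
            # range previously filed "Bad Request" responses in this table.
            headers = response_headers[i]
            if "Location" in headers:
                target = _html_text(headers["Location"])
            else:
                target = "-"
            redirect_rows.append(link_cell + "<td>" + target + "</td>" + status_cell)

        elif code >= 400:
            error_rows.append(link_cell + status_cell)

        elif code == 0:
            files_rows.append(link_cell + status_cell)

    collums = {
        "GET": ["Path", "Query", "Status Code"],
        "POST": ["Path", "Param", "Status Code"],
        "Redirect": ["Path", "Location", "Status Code"],
        "Error": ["Path", "Status Code"],
        "Files": ["Path", "Status Code"],
        "Escope": ["Path", "Status Code"],
    }
    rows = {
        "GET": get_rows,
        "POST": post_rows,
        "Redirect": redirect_rows,
        "Error": error_rows,
        "Files": files_rows,
        "Escope": escope_rows,
    }

    tip = ""

    rpt.make_table("main", tip, collums, rows)


def _html_text(value):
    """
    Return *value* escaped so it renders literally inside an HTML text node.

    Query strings, request bodies and response headers come straight from the
    intercepted traffic; a server (or a page the tester visited) that returns
    markup would otherwise be injected verbatim into the generated report and
    execute when the report is opened.

    :param value: the raw value; non-strings are rendered with ``%s``.
    :returns: the value with ``&``, ``<`` and ``>`` replaced by entities.
    """
    text = "%s" % (value,)
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")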
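def analysis(http_objs):
    """
    Build the "headers" report: one table per security-relevant response header.

    For every request, each header listed in ``_SECURITY_HEADERS`` that is
    present in the response (exact-case name match, as before) produces a row
    with a link to the request and the header's value. The header value is
    HTML-escaped before it is placed in the table cell.

    :param http_objs: dict produced by the parser, read through the keys
        ``total_requests``, ``response_headers`` and ``request_URL``.
    :returns: ``None``; the table is emitted via
        ``report.htmltags().make_table("headers", ...)``.
    """
    requests = http_objs["total_requests"]
    response_headers = http_objs["response_headers"]
    request_URLs = http_objs["request_URL"]

    rpt = report.htmltags()

    rows = {}
    for table, _header in _SECURITY_HEADERS:
        rows.setdefault(table, [])

    for i in range(requests):
        url_parts = request_URLs[i]
        full_path = url_parts["protocol"] + "://" + url_parts["url"] + url_parts["path"]
        headers = response_headers[i]

        # NOTE(review): rpt.href() is assumed to quote/escape the URL it
        # renders -- confirm in report.htmltags.
        link_cell = "<td>" + rpt.href(full_path) + "</td>"

        for table, header in _SECURITY_HEADERS:
            if header in headers:
                rows[table].append(link_cell + "<td>" + _html_text(headers[header]) + "</td>")

    # Every table shares the same two columns.
    collums = dict((table, ["Path", "Diretive"]) for table in rows)

    tip = "Tip: <a href='http://www.mcafee.com/us/resources/white-papers/foundstone/wp-recent-advances-web-app-security.pdf' target='_blank'>Recent Advances in Web Application Security</a>"

    rpt.make_table("headers", tip, collums, rows)


# (table key, response header) pairs surfaced in the "headers" report. The
# legacy "X-Content-Security-Policy" names are kept next to the standard
# Content-Security-Policy(-Report-Only) headers so that a site which only sends
# the standard header is not reported as having no policy.
_SECURITY_HEADERS = (
    ("HeadersSecurity", "X-Frame-Options"),
    ("HSTS", "Strict-Transport-Security"),
    ("CSP", "Content-Security-Policy"),
    ("CSP", "X-Content-Security-Policy"),
    ("CSP_Report", "Content-Security-Policy-Report-Only"),
    ("CSP_Report", "X-Content-Security-Policy-Report-Only"),
    ("AccessControl", "Access-Control-Allow-Origin"),
    ("XSS_Protection", "X-XSS-Protection"),
)


def _html_text(value):
    """
    Return *value* escaped so it renders literally inside an HTML text node.

    Response header values come straight from the intercepted traffic; a
    server that returns markup in a header would otherwise be injected
    verbatim into the generated report and execute when the report is opened.

    :param value: the raw value; non-strings are rendered with ``%s``.
    :returns: the value with ``&``, ``<`` and ``>`` replaced by entities.
    """
    text = "%s" % (value,)
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")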