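/**
 * Classifies how the body of an HTTP response begins.
 *
 * <p>The body offset is taken from {@code getBodyStart(response)}. The result is:
 * <ul>
 *   <li>{@code "[blank]"} when there is no body byte at that offset;</li>
 *   <li>the leading markup token (from {@code '<'} up to, but not including, the first
 *       space, CR, LF or {@code '>'}) when the body starts with {@code '<'};</li>
 *   <li>{@code "text"} for any other first byte.</li>
 * </ul>
 *
 * @param response raw response bytes (status line, headers and body)
 * @return the classification string described above
 */
static String getStartType(byte[] response) {
    int i = getBodyStart(response);

    // The response is remote-controlled data. Use >= rather than == so an offset at or
    // past the end of the array is reported as blank instead of indexing out of bounds.
    if (i >= response.length) {
        return "[blank]";
    }
    if (response[i] != '<') {
        return "text";
    }

    // StringBuilder avoids re-allocating a String for every byte of a long token.
    StringBuilder start = new StringBuilder();
    while (i < response.length) {
        byte b = response[i];
        if (b == ' ' || b == '\n' || b == '\r' || b == '>') {
            break;
        }
        // Mask to 0..255 so bytes >= 0x80 map to one char each instead of sign-extending.
        start.append((char) (b & 0xFF));
        i++;
    }
    return start.toString();
}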
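/**
 * Classifies how the body of an HTTP response begins.
 *
 * <p>The body offset is taken from {@code getBodyStart(response)}. The result is:
 * <ul>
 *   <li>{@code "[blank]"} when there is no body byte at that offset;</li>
 *   <li>the leading markup token (from {@code '<'} up to, but not including, the first
 *       space, CR, LF or {@code '>'}) when the body starts with {@code '<'};</li>
 *   <li>{@code "text"} for any other first byte.</li>
 * </ul>
 *
 * @param response raw response bytes (status line, headers and body)
 * @return the classification string described above
 */
static String getStartType(byte[] response) {
    int i = getBodyStart(response);

    // The response is remote-controlled data. Use >= rather than == so an offset at or
    // past the end of the array is reported as blank instead of indexing out of bounds.
    if (i >= response.length) {
        return "[blank]";
    }
    if (response[i] != '<') {
        return "text";
    }

    // StringBuilder avoids re-allocating a String for every byte of a long token.
    StringBuilder start = new StringBuilder();
    while (i < response.length) {
        byte b = response[i];
        if (b == ' ' || b == '\n' || b == '\r' || b == '>') {
            break;
        }
        // Mask to 0..255 so bytes >= 0x80 map to one char each instead of sign-extending.
        start.append((char) (b & 0xFF));
        i++;
    }
    return start.toString();
}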
/**
 * Extracts the body of a raw HTTP message as a string.
 *
 * @param response raw message bytes, or {@code null}
 * @return the bytes from {@code Utilities.getBodyStart(response)} to the end of the array,
 *         converted with {@code Utilities.helpers.bytesToString}; the empty string when
 *         {@code response} is {@code null}
 */
static String getBody(byte[] response) {
    if (response != null) {
        // Everything from the body offset to the end of the message is treated as body.
        byte[] bodyBytes = Arrays.copyOfRange(response, Utilities.getBodyStart(response), response.length);
        return Utilities.helpers.bytesToString(bodyBytes);
    }
    return "";
}
/**
 * Builds an insertion point over a request whose body is parsed as JSON.
 *
 * <p>The request is split at {@code Utilities.getBodyStart(request)} into {@code headers}
 * and {@code body}; the body is converted to a string ({@code baseInput}) and parsed into
 * {@code root}.
 *
 * @param request  raw request bytes
 * @param name     passed to the superclass constructor
 * @param value    passed to the superclass constructor as given
 * @param type     passed to the superclass constructor
 * @param attackID stored on this instance
 */
public JsonParamNameInsertionPoint(byte[] request, String name, String value, byte type, String attackID) {
    super(request, name, value, type); // Utilities.encodeJSON(value)
    this.attackID = attackID;

    // Split the raw request at the header/body boundary.
    final int bodyOffset = Utilities.getBodyStart(request);
    headers = Arrays.copyOfRange(request, 0, bodyOffset);
    body = Arrays.copyOfRange(request, bodyOffset, request.length);

    // NOTE(review): no guard for an empty or non-JSON body is visible here; presumably
    // the parser throws on malformed input, so callers must only use this on JSON requests
    // - confirm against the JsonParser in use.
    baseInput = Utilities.helpers.bytesToString(body);
    root = new JsonParser().parse(baseInput);
}
/**
 * Rewrites the {@code Content-Length} header so it matches the actual body size.
 *
 * <p>Requests in which the literal {@code "Content-Length: "} does not occur are returned
 * unchanged. Otherwise the header is set to {@code request.length} minus the body offset
 * reported by {@code Utilities.getBodyStart}.
 *
 * <p>NOTE(review): as far as this call shows, the whole request (body included) is searched
 * for the exact-case literal, so a differently-cased header name would be left stale and a
 * body containing the literal would trigger a rewrite - confirm against {@code countMatches}
 * and {@code setHeader}.
 *
 * @param request raw request bytes
 * @return the request with a corrected {@code Content-Length}, or the same array when the
 *         literal is absent
 */
public static byte[] fixContentLength(byte[] request) {
    boolean mentionsContentLength = countMatches(request, helpers.stringToBytes("Content-Length: ")) > 0;
    if (!mentionsContentLength) {
        return request;
    }

    // Body size is everything after the header/body boundary.
    int bodyLength = request.length - Utilities.getBodyStart(request);
    return setHeader(request, "Content-Length", Integer.toString(bodyLength));
}
/**
 * Rewrites the {@code Content-Length} header so it matches the actual body size.
 *
 * <p>Requests in which the literal {@code "Content-Length: "} does not occur are returned
 * unchanged. Otherwise the header is set to {@code request.length} minus the body offset
 * reported by {@code Utilities.getBodyStart}.
 *
 * <p>NOTE(review): as far as this call shows, the whole request (body included) is searched
 * for the exact-case literal, so a differently-cased header name would be left stale and a
 * body containing the literal would trigger a rewrite - confirm against {@code countMatches}
 * and {@code setHeader}.
 *
 * @param request raw request bytes
 * @return the request with a corrected {@code Content-Length}, or the same array when the
 *         literal is absent
 */
public static byte[] fixContentLength(byte[] request) {
    boolean mentionsContentLength = countMatches(request, helpers.stringToBytes("Content-Length: ")) > 0;
    if (!mentionsContentLength) {
        return request;
    }

    // Body size is everything after the header/body boundary.
    int bodyLength = request.length - Utilities.getBodyStart(request);
    return setHeader(request, "Content-Length", Integer.toString(bodyLength));
}
static List<IParameter> getExtraInsertionPoints(byte[] request) { // List<IParameter> params = new ArrayList<>(); int end = getBodyStart(request); int i = 0; while(i < end && request[i++] != ' ') {} // walk to the url start
static List<IParameter> getExtraInsertionPoints(byte[] request) { // List<IParameter> params = new ArrayList<>(); int end = getBodyStart(request); int i = 0; while(i < end && request[i++] != ' ') {} // walk to the url start
public static List<IParameter> getExtraInsertionPoints(byte[] request) { // List<IParameter> params = new ArrayList<>(); int end = getBodyStart(request); int i = 0; while(i < end && request[i++] != ' ') {} // walk to the url start
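/**
 * Scanner check: tests whether a value injected through {@code param} is later served
 * back on the unmodified base request, and raises a scan issue if it is.
 *
 * <p>Flow, as written:
 * <ol>
 *   <li>Build the injected request and add a fresh canary-named URL parameter to it.
 *       Presumably this keys the probe to a unique URL so that other clients of the target
 *       are not served the test response - confirm against the cache-key assumptions of
 *       the caller.</li>
 *   <li>Send the injected request {@code i} times.</li>
 *   <li>Fetch the base request (same extra parameter and path suffix) up to
 *       {@code ceil(i / 3)} times and look for the marker {@code wrtqv} in the response.</li>
 *   <li>On a hit, send one follow-up request with a bare CR in the injected value under a
 *       new canary parameter; if the raw sequence appears in the response header block
 *       the issue title is upgraded to "Severe cache poisoning".</li>
 * </ol>
 *
 * @param injector         supplies the target service and the insertion point
 * @param param            value placed at the insertion point
 * @param base             baseline request/response whose request is re-fetched
 * @param attackDedication upper bound of both loop counters
 * @param i                number of injected requests to send; also appended to the title
 * @param pathSuffix       suffix appended to the path of every request sent here
 * @return {@code true} if an issue was reported, {@code false} otherwise
 */
private boolean tryReflectCache(PayloadInjector injector, String param, IHttpRequestResponse base, int attackDedication, int i, String pathSuffix) {
    IHttpService service = injector.getService();
    byte[] setPoisonReq = Utilities.appendToPath(injector.getInsertionPoint().buildRequest(Utilities.helpers.stringToBytes(param)), pathSuffix);

    IParameter cacheBuster = Utilities.helpers.buildParameter(Utilities.generateCanary(), "1", IParameter.PARAM_URL);
    setPoisonReq = Utilities.helpers.addParameter(setPoisonReq, cacheBuster);

    // Send the injected request i times; the responses are not inspected.
    for (int j = attackDedication - i; j < attackDedication; j++) {
        Utilities.attemptRequest(service, setPoisonReq);
    }

    // Re-fetch the clean request, one fetch for every three injected requests (rounded up).
    for (int j = attackDedication - i; j < attackDedication; j += 3) {
        IHttpRequestResponse getPoison = Utilities.attemptRequest(service, Utilities.appendToPath(Utilities.helpers.addParameter(base.getRequest(), cacheBuster), pathSuffix));
        // NOTE(review): no null check on getResponse() is visible; confirm that
        // attemptRequest/containsBytes tolerate a failed request.
        if (!Utilities.containsBytes(getPoison.getResponse(), "wrtqv".getBytes())) {
            continue;
        }

        Utilities.log("Successful cache poisoning check");
        String title = "Cache poisoning";

        // Follow-up probe under a fresh canary parameter so it does not collide with the
        // entry created above.
        byte[] headerSplitReq = Utilities.appendToPath(injector.getInsertionPoint().buildRequest(Utilities.helpers.stringToBytes(param + "~zxcv\rvcz")), pathSuffix);
        cacheBuster = Utilities.helpers.buildParameter(Utilities.generateCanary(), "1", IParameter.PARAM_URL);
        byte[] headerSplitResp = Utilities.attemptRequest(service, Utilities.helpers.addParameter(headerSplitReq, cacheBuster)).getResponse();

        // Fix: bound the header slice by the RESPONSE's own body offset. The original used
        // the request's offset, which can cut the response headers short (missed finding)
        // or pull body bytes into the slice (false "Severe" rating).
        byte[] headerSplitRespHeaders = Arrays.copyOfRange(headerSplitResp, 0, Utilities.getBodyStart(headerSplitResp));
        if (Utilities.containsBytes(headerSplitRespHeaders, "zxcv\rvcz".getBytes())) {
            title = "Severe cache poisoning";
        }

        title = title + " " + i;
        Utilities.callbacks.addScanIssue(new CustomScanIssue(getPoison.getHttpService(), Utilities.getURL(getPoison), getPoison, title, "Cache poisoning: '" + param + "'. Disregard the request and look for wrtqv in the response", "High", "Firm", "Investigate"));
        return true;
    }
    return false;
}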