static IHttpRequestResponse fetchFromSitemap(URL url) { IHttpRequestResponse[] pages = callbacks.getSiteMap(sensibleURL(url)); for (IHttpRequestResponse page : pages) { if (page.getResponse() != null) { if (url.equals(getURL(page))) { return page; } } } return null; }
public static IHttpRequestResponse fetchFromSitemap(URL url) { IHttpRequestResponse[] pages = callbacks.getSiteMap(sensibleURL(url)); for (IHttpRequestResponse page : pages) { if (page.getResponse() != null) { if (url.equals(getURL(page))) { return page; } } } return null; }
static IHttpRequestResponse fetchFromSitemap(URL url) { IHttpRequestResponse[] pages = callbacks.getSiteMap(sensibleURL(url)); for (IHttpRequestResponse page : pages) { if (page.getResponse() != null) { if (url.equals(getURL(page))) { return page; } } } return null; }
public HashMap<String, ArrayDeque<WorkTarget>> splitItemsByHost() { HashMap<String, ArrayDeque<WorkTarget>> scanItemsByHost = new HashMap<>(); int i = 0; for (IHttpRequestResponse request : requests) { i += 1; if(i % 1000 == 0) { Utilities.log(i + " of " + requests.length + " items processed"); } if (request.getResponse() != null ) { continue; } String host = request.getHttpService().getHost(); if (scanItemsByHost.containsKey(host)) { scanItemsByHost.get(host).add(new WorkTarget(Utilities.getURL(request))); } else { ArrayDeque<WorkTarget> newQueue = new ArrayDeque<>(); newQueue.add(new WorkTarget(Utilities.getURL(request))); scanItemsByHost.put(host, newQueue); } } return scanItemsByHost; }
private static boolean findPersistent(IHttpRequestResponse baseRequestResponse, Attack paramGuess, String attackID, CircularFifoQueue<String> recentParams, ArrayList<String> currentParams, HashSet<String> alreadyReported) { if (currentParams == null) { currentParams = new ArrayList<>(); } byte[] failResp = paramGuess.getFirstRequest().getResponse(); if (failResp == null) { return false; } if (!Utilities.containsBytes(failResp, "wrtqva".getBytes())) { return false; } byte[] req = paramGuess.getFirstRequest().getRequest(); for(Iterator<String> params = recentParams.iterator(); params.hasNext();) { String param = params.next(); if(currentParams.contains(param) || alreadyReported.contains(param)) { continue; } byte[] canary = Utilities.helpers.stringToBytes(Utilities.toCanary(param.split("~", 2)[0]) + attackID); if (Utilities.containsBytes(failResp, canary) && !Utilities.containsBytes(req, canary)){ Utilities.out("Identified persistent parameter on "+Utilities.getURL(baseRequestResponse) + ":" + param); params.remove(); Utilities.callbacks.addScanIssue(new CustomScanIssue(baseRequestResponse.getHttpService(), Utilities.getURL(baseRequestResponse), paramGuess.getFirstRequest(), "Secret parameter", "Found persistent parameter: '"+param+"'. Disregard the request and look for " + Utilities.helpers.bytesToString(canary) + " in the response", "High", "Firm", "Investigate")); alreadyReported.add(param); return true; } } return false; }
evidence[1] = paramGuess.getFirstRequest(); evidence[2] = paramGrab.getFirstRequest(); Utilities.callbacks.addScanIssue(new CustomScanIssue(service, Utilities.getURL(baseRequestResponse), evidence, "Secret parameter", "Parameter name: '" + candidates + "'. Review the three requests attached in chronological order.", "Medium", "Tentative", "Investigate"));
private boolean tryReflectCache(PayloadInjector injector, String param, IHttpRequestResponse base, int attackDedication, int i, String pathSuffix) { IHttpService service = injector.getService(); byte[] setPoisonReq = Utilities.appendToPath(injector.getInsertionPoint().buildRequest(Utilities.helpers.stringToBytes(param)), pathSuffix); IParameter cacheBuster = Utilities.helpers.buildParameter(Utilities.generateCanary(), "1", IParameter.PARAM_URL); setPoisonReq = Utilities.helpers.addParameter(setPoisonReq, cacheBuster); for (int j = attackDedication - i; j < attackDedication; j++) { Utilities.attemptRequest(service, setPoisonReq); } for (int j = attackDedication - i; j < attackDedication; j += 3) { IHttpRequestResponse getPoison = Utilities.attemptRequest(service, Utilities.appendToPath(Utilities.helpers.addParameter(base.getRequest(), cacheBuster), pathSuffix)); if (Utilities.containsBytes(getPoison.getResponse(), "wrtqv".getBytes())) { Utilities.log("Successful cache poisoning check"); String title = "Cache poisoning"; byte[] headerSplitReq = Utilities.appendToPath(injector.getInsertionPoint().buildRequest(Utilities.helpers.stringToBytes(param + "~zxcv\rvcz")), pathSuffix); cacheBuster = Utilities.helpers.buildParameter(Utilities.generateCanary(), "1", IParameter.PARAM_URL); byte[] headerSplitResp = Utilities.attemptRequest(service, Utilities.helpers.addParameter(headerSplitReq, cacheBuster)).getResponse(); if (Utilities.containsBytes(Arrays.copyOfRange(headerSplitResp, 0, Utilities.getBodyStart(headerSplitReq)), "zxcv\rvcz".getBytes())) { title = "Severe cache poisoning"; } title = title + " "+i; Utilities.callbacks.addScanIssue(new CustomScanIssue(getPoison.getHttpService(), Utilities.getURL(getPoison), getPoison, title, "Cache poisoning: '" + param + "'. Disregard the request and look for wrtqv in the response", "High", "Firm", "Investigate")); return true; } } return false; }
private boolean tryStatusCache(PayloadInjector injector, String param, int attackDedication, short get404Code) { String canary = Utilities.generateCanary()+".jpg"; byte[] setPoison200Req = injector.getInsertionPoint().buildRequest(Utilities.helpers.stringToBytes(addStatusPayload(param))); setPoison200Req = Utilities.appendToPath(setPoison200Req, canary); byte[] getPoison200Req = injector.getInsertionPoint().buildRequest(Utilities.helpers.stringToBytes(addStatusPayload("xyz"+param+"z"))); getPoison200Req = Utilities.appendToPath(getPoison200Req, canary); for(int j=0; j<attackDedication; j++) { Utilities.attemptRequest(injector.getService(), setPoison200Req); } for(int j=0; j<attackDedication; j+=3) { IHttpRequestResponse getPoison200 = Utilities.attemptRequest(injector.getService(), getPoison200Req); short getPoison200Code = Utilities.helpers.analyzeResponse(getPoison200.getResponse()).getStatusCode(); if (getPoison200Code != get404Code) { Utilities.callbacks.addScanIssue(new CustomScanIssue(getPoison200.getHttpService(), Utilities.getURL(getPoison200), getPoison200, "Dubious cache poisoning " + j, "Cache poisoning: '" + param + "'. Diff based cache poisoning. Good luck confirming", "High", "Tentative", "Investigate")); } return true; } return false; }