List of usage examples for org.apache.commons.httpclient URI URI
public URI(URI base, URI relative) throws URIException
From source file:org.zaproxy.zap.extension.ascanrules.SourceCodeDisclosureWEBINF.java
@Override public void scan() { try {/*from ww w . j av a2s . c o m*/ URI originalURI = getBaseMsg().getRequestHeader().getURI(); List<String> javaClassesFound = new LinkedList<String>(); List<String> javaClassesHandled = new LinkedList<String>(); // Pass 1: thru each of the WEB-INF files, looking for class names for (String filename : WEBINF_FILES) { HttpMessage webinffilemsg = new HttpMessage(new URI( originalURI.getScheme() + "://" + originalURI.getAuthority() + "/WEB-INF/" + filename, true)); sendAndReceive(webinffilemsg, false); // do not follow redirects String body = new String(webinffilemsg.getResponseBody().getBytes()); Matcher matcher = JAVA_CLASSNAME_PATTERN.matcher(body); while (matcher.find()) { // we have a possible class *name*. // Next: See if the class file lives in the expected location in the WEB-INF // folder // skip Java built-in classes String classname = matcher.group(); if (!classname.startsWith("java.") && !classname.startsWith("javax.") && !javaClassesFound.contains(classname)) { javaClassesFound.add(classname); } } } // for each class name found, try download the actual class file.. // for ( String classname: javaClassesFound) { while (javaClassesFound.size() > 0) { String classname = javaClassesFound.get(0); URI classURI = getClassURI(originalURI, classname); if (log.isDebugEnabled()) log.debug("Looking for Class file: " + classURI.getURI()); HttpMessage classfilemsg = new HttpMessage(classURI); sendAndReceive(classfilemsg, false); // do not follow redirects if (classfilemsg.getResponseHeader().getStatusCode() == HttpStatus.SC_OK) { // to decompile the class file, we need to write it to disk.. // under the current version of the library, at least File classFile = null; try { classFile = File.createTempFile("zap", ".class"); classFile.deleteOnExit(); OutputStream fos = new FileOutputStream(classFile); fos.write(classfilemsg.getResponseBody().getBytes()); fos.close(); // now decompile it DecompilerSettings decompilerSettings = new DecompilerSettings(); // set some options so that we can better parse the output, to get the names // of more classes.. decompilerSettings.setForceExplicitImports(true); decompilerSettings.setForceExplicitTypeArguments(true); PlainTextOutput decompiledText = new PlainTextOutput(); Decompiler.decompile(classFile.getAbsolutePath(), decompiledText, decompilerSettings); String javaSourceCode = decompiledText.toString(); if (javaSourceCode.startsWith("!!! ERROR: Failed to load class")) { // Not a Java class file... javaClassesFound.remove(classname); javaClassesHandled.add(classname); continue; } if (log.isDebugEnabled()) { log.debug("Source Code Disclosure alert for: " + classname); } // bingo. bingo(Alert.RISK_HIGH, Alert.CONFIDENCE_MEDIUM, Constant.messages.getString("ascanrules.sourcecodedisclosurewebinf.name"), Constant.messages.getString("ascanrules.sourcecodedisclosurewebinf.desc"), null, // originalMessage.getRequestHeader().getURI().getURI(), null, // parameter being attacked: none. "", // attack javaSourceCode, // extrainfo Constant.messages.getString("ascanrules.sourcecodedisclosurewebinf.soln"), "", // evidence, highlighted in the message classfilemsg // raise the alert on the classfile, rather than on the // web.xml (or other file where the class reference was // found). ); // and add the referenced classes to the list of classes to look for! // so that we catch as much source code as possible. Matcher importMatcher = JAVA_IMPORT_CLASSNAME_PATTERN.matcher(javaSourceCode); while (importMatcher.find()) { // we have another possible class name. // Next: See if the class file lives in the expected location in the // WEB-INF folder String importClassname = importMatcher.group(1); if ((!javaClassesFound.contains(importClassname)) && (!javaClassesHandled.contains(importClassname))) { javaClassesFound.add(importClassname); } } // attempt to find properties files within the Java source, and try get them Matcher propsFileMatcher = PROPERTIES_FILE_PATTERN.matcher(javaSourceCode); while (propsFileMatcher.find()) { String propsFilename = propsFileMatcher.group(1); if (log.isDebugEnabled()) log.debug("Found props file: " + propsFilename); URI propsFileURI = getPropsFileURI(originalURI, propsFilename); HttpMessage propsfilemsg = new HttpMessage(propsFileURI); sendAndReceive(propsfilemsg, false); // do not follow redirects if (propsfilemsg.getResponseHeader().getStatusCode() == HttpStatus.SC_OK) { // Holy sheet.. we found a properties file bingo(Alert.RISK_HIGH, Alert.CONFIDENCE_MEDIUM, Constant.messages.getString( "ascanrules.sourcecodedisclosurewebinf.propertiesfile.name"), Constant.messages.getString( "ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc"), null, // originalMessage.getRequestHeader().getURI().getURI(), null, // parameter being attacked: none. "", // attack Constant.messages.getString( "ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo", classURI), // extrainfo Constant.messages.getString( "ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln"), "", // evidence, highlighted in the message propsfilemsg); } } // do not return at this point.. there may be multiple classes referenced. // We want to see as many of them as possible. } finally { // delete the temp file. // this will be deleted when the VM is shut down anyway, but just in case! if (classFile != null) classFile.delete(); } } // remove the class from the set to handle, and add it to the list of classes // handled javaClassesFound.remove(classname); javaClassesHandled.add(classname); } } catch (Exception e) { log.error("Error scanning a Host for Source Code Disclosure via the WEB-INF folder: " + e.getMessage(), e); } }
From source file:org.zaproxy.zap.extension.ascanrules.SourceCodeDisclosureWEBINF.java
/** * gets a candidate URI for a given class path. * * @param classname//from w w w . ja v a 2s . c om * @return * @throws URIException */ private URI getClassURI(URI hostURI, String classname) throws URIException { return new URI(hostURI.getScheme() + "://" + hostURI.getAuthority() + "/WEB-INF/classes/" + classname.replaceAll("\\.", "/") + ".class", false); }
From source file:org.zaproxy.zap.extension.ascanrules.SourceCodeDisclosureWEBINF.java
private URI getPropsFileURI(URI hostURI, String propsfilename) throws URIException { return new URI(hostURI.getScheme() + "://" + hostURI.getAuthority() + "/WEB-INF/classes/" + propsfilename, false);/*from w w w . j a v a 2 s.com*/ }
From source file:org.zaproxy.zap.extension.ascanrules.TestDirectoryBrowsing.java
private void checkIfDirectory(HttpMessage msg) throws URIException { URI uri = msg.getRequestHeader().getURI(); uri.setQuery(null);//from ww w . j a va 2s. c o m String sUri = uri.toString(); if (!sUri.endsWith("/")) { sUri = sUri + "/"; } msg.getRequestHeader().setURI(new URI(sUri, true)); }
From source file:org.zaproxy.zap.extension.ascanrulesAlpha.ProxyDisclosureScanner.java
/** * scans for Proxy Disclosure issues, using the TRACE and OPTIONS method with 'Max-Forwards', * and the TRACK method. The code attempts to enumerate and identify all proxies identified * between the Zap instance and the origin web server. */// w w w.j av a2s . co m @Override public void scan() { try { // where's what we're going to do (roughly): // 1: If TRACE is enabled on the origin web server, we're going to use it, and the // "Max-Forwards" header to verify // if *no* proxy exists between Zap and the origin web server. // 2: If we can't do that, because TRACE is not supported, or because there appears to // be a proxy between Zap // and the origin web server, we use the "Max-Forwards" compatible methods (TRACE and // OPTIONS) to // iterate through each of the proxies between Zap and the origin web server. // We will attempt to fingerprint each proxy / web server along the way, using various // techniques. // 3: At this point, depending on the proxies and their configurations, there is a // possibility that we have not // identified *all* of the nodes (proxies / web servers) that the request/response // traverses. We will use // other HTTP methods, such as "TRACK" to obtain an error-type response. In all of the // cases we have tested so far, // such an error response comes from the origin web server, rather than an // intermediate proxy. We then fingerprint // the origin web server. If the origin web server's signature is not the same as the // final node that we have // already identified, we consider the origin web server to be an additional node in // the path. // 4: Report the results. // Step 1: Using TRACE, identify if *no* proxies are used between the Zap instance and // the origin web server // int maxForwardsMaximum = 7; //Anonymous only use 7 proxies, so that's good enough // for us too.. :) int step1numberOfProxies = 0; // this variable is to track proxies that set cookies, but are otherwise complete // invisible, and do not // respond per spec (RFC2616, RFC2965) to OPTIONS/TRACE with Max-Forwards. // They do not set headers that can be identified. // They are also inherently un-ordered, because we do not, and cannot be sure at what // point they fit into the topology // that we can otherwise document using OPTIONS/TRACE + Max-Forwards. Set<String> silentProxySet = new HashSet<String>(); boolean endToEndTraceEnabled = false; boolean proxyTraceEnabled = false; URI traceURI = getBaseMsg().getRequestHeader().getURI(); HttpRequestHeader traceRequestHeader = new HttpRequestHeader(); traceRequestHeader.setMethod(HttpRequestHeader.TRACE); // go to the URL requested, in case the proxy is configured on a per-URL basis.. // traceRequestHeader.setURI(new URI(traceURI.getScheme() + "://" + // traceURI.getAuthority()+ "/",true)); traceRequestHeader.setURI(traceURI); traceRequestHeader.setVersion(HttpRequestHeader.HTTP11); // or 1.1? traceRequestHeader.setSecure(traceRequestHeader.isSecure()); traceRequestHeader.setHeader("Max-Forwards", String.valueOf(MAX_FORWARDS_MAXIMUM)); traceRequestHeader.setHeader("Cache-Control", "no-cache"); // we do not want cached content. we want content from the origin // server traceRequestHeader.setHeader("Pragma", "no-cache"); // similarly, for HTTP/1.0 HttpMessage tracemsg = getNewMsg(); tracemsg.setRequestHeader(traceRequestHeader); // create a random cookie, and set it up, so we can detect if the TRACE is enabled (in // which case, it should echo it back in the response) String randomcookiename = RandomStringUtils.random(15, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"); String randomcookievalue = RandomStringUtils.random(40, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"); TreeSet<HtmlParameter> cookies = tracemsg.getCookieParams(); cookies.add(new HtmlParameter(HtmlParameter.Type.cookie, randomcookiename, randomcookievalue)); tracemsg.setCookieParams(cookies); sendAndReceive(tracemsg, false); // do not follow redirects. // is TRACE enabled? String traceResponseBody = tracemsg.getResponseBody().toString(); if (traceResponseBody.contains(randomcookievalue)) { // TRACE is enabled. Look at the Max-Forwards in the response, to see if it was // decremented // if it was decremented, there is definitely a proxy.. // if not, it *suggests* there is no proxy (or any proxies present are not compliant // --> all bets are off) boolean proxyActuallyFound = false; // found a TRACE from Zap all the way through to the Origin server.. not good!! endToEndTraceEnabled = true; // this will raise the risk from Medium to High if a Proxy Disclosure // was found! // TODO: raise a "TRACE" type alert (if no proxy disclosure is found, but TRACE // enabled?) Matcher matcher = MAX_FORWARDS_RESPONSE_PATTERN.matcher(traceResponseBody); if (matcher.find()) { String maxForwardsResponseValue = matcher.group(1); if (log.isDebugEnabled()) log.debug("TRACE with \"Max-Forwards: " + MAX_FORWARDS_MAXIMUM + "\" causes response body Max-Forwards value '" + maxForwardsResponseValue + "'"); if (maxForwardsResponseValue.equals(String.valueOf(MAX_FORWARDS_MAXIMUM))) { // (probably) no proxy! if (log.isDebugEnabled()) log.debug("TRACE with \"Max-Forwards: " + MAX_FORWARDS_MAXIMUM + "\" indicates that there is *NO* proxy in place. Note: the TRACE method is supported.. that's an issue in itself! :)"); // To be absolutely certain, check that the cookie info in the response // header, // and proxy request headers in the response body (via TRACE) do not leak // the presence of a proxy // This would indicate a non-RFC2606 compliant proxy, since these are // supposed to decrement the Max-Forwards. // it does happen in the wild.. String traceResponseHeader = tracemsg.getResponseHeader().toString(); // look for cookies set by the proxy, which will be in the response header Iterator<Pattern> cookiePatternIterator = PROXY_COOKIES.keySet().iterator(); while (cookiePatternIterator.hasNext() && !proxyActuallyFound) { Pattern cookiePattern = cookiePatternIterator.next(); String proxyServer = PROXY_COOKIES.get(cookiePattern); Matcher cookieMatcher = cookiePattern.matcher(traceResponseHeader); if (cookieMatcher.find()) { String cookieDetails = cookieMatcher.group(1); if (log.isDebugEnabled()) { proxyActuallyFound = true; if (!proxyServer.equals("") && !silentProxySet.contains(proxyServer)) silentProxySet.add(proxyServer); if (log.isDebugEnabled()) log.debug("TRACE with \"Max-Forwards: " + MAX_FORWARDS_MAXIMUM + "\" indicates that there is *NO* proxy in place, but a known proxy cookie (" + cookieDetails + ", which indicates proxy server '" + proxyServer + "') in the response header contradicts this.."); } } } // look for request headers set by the proxy, which will end up in the // response body if the TRACE succeeded Iterator<Pattern> requestHeaderPatternIterator = PROXY_REQUEST_HEADERS.keySet().iterator(); while (requestHeaderPatternIterator.hasNext() && !proxyActuallyFound) { Pattern proxyHeaderPattern = requestHeaderPatternIterator.next(); String proxyServer = PROXY_REQUEST_HEADERS.get(proxyHeaderPattern); Matcher proxyHeaderMatcher = proxyHeaderPattern.matcher(traceResponseBody); if (proxyHeaderMatcher.find()) { String proxyHeaderName = proxyHeaderMatcher.group(1); if (log.isDebugEnabled()) { proxyActuallyFound = true; if (log.isDebugEnabled()) log.debug("TRACE with \"Max-Forwards: " + MAX_FORWARDS_MAXIMUM + "\" indicates that there is *NO* proxy in place, but a known proxy request header (" + proxyHeaderName + ", which indicates proxy server '" + proxyServer + "') in the response body contradicts this.."); } } } } else { // Trace indicates there is a proxy in place.. (or multiple proxies) // Note: this number cannot really be trusted :( we don't use it, other than // for informational purposes step1numberOfProxies = MAX_FORWARDS_MAXIMUM - Integer.parseInt(maxForwardsResponseValue); if (log.isDebugEnabled()) log.debug("TRACE with \"Max-Forwards: " + MAX_FORWARDS_MAXIMUM + "\" indicates that there *IS* at least one proxy in place (Likely number: " + step1numberOfProxies + "). Note: the TRACE method is also supported!"); proxyActuallyFound = true; } } else { // The Max-Forwards does not appear in the response body, even though the cookie // value appeared in the response body, using TRACE.. Why? if (log.isDebugEnabled()) log.debug( "TRACE support is indicated via an echoed cookie, but the Max-Forwards value from the request is not echoed in the response. Why? Load balancer? WAF?"); proxyActuallyFound = true; } // no conflicting evidence (ie, no proxy indicated) ==> return if (!proxyActuallyFound) return; } else { // TRACE is NOT enabled, so we can't use this technique to tell if there is *no* // proxy between Zap and the origin server if (log.isDebugEnabled()) log.debug( "TRACE is not supported, so we cannot quickly check for *no* proxies. Falling back to the hard way"); } // bale out if we were asked nicely. it's nice to be nice. if (isStop()) { if (log.isDebugEnabled()) log.debug("Stopping the scan due to a user request (after step 1)"); return; } // Step 2: Use Max-Forwards with OPTIONS and TRACE to iterate through each of the // proxies HttpRequestHeader baseRequestHeader = getBaseMsg().getRequestHeader(); URI baseRequestURI = baseRequestHeader.getURI(); int step2numberOfNodes = 0; String[] nodeServers = new String[MAX_FORWARDS_MAXIMUM + 2]; // up to n proxies, and an origin server. // for each of the methods for (String httpMethod : MAX_FORWARD_METHODS) { // for each method, increment the Max-Forwards, and look closely at the response // TODO: loop from 0 to numberOfProxies -1???? int step2numberOfNodesForMethod = 0; String[] nodeServersForMethod = new String[MAX_FORWARDS_MAXIMUM + 2]; String previousServerDetails = RandomStringUtils.random(15, "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"); int previousResponseStatusCode = 0; int responseStatusCode = 0; boolean httpHandled = false; // a flag to handle an extra HTTP request for this method, if the URL // is HTTPS // if the TRACE worked in step 1, and we know how many proxies there are, do that // number + 1, else just do the maximum defined on the attack strength for (int maxForwards = 0; maxForwards < (step1numberOfProxies > 0 ? step1numberOfProxies + 1 : MAX_FORWARDS_MAXIMUM); maxForwards++) { HttpMessage testMsg = getNewMsg(); // get a new message, with the request attributes cloned // from the base message HttpRequestHeader origRequestHeader = testMsg.getRequestHeader(); if (log.isDebugEnabled()) log.debug("Trying method " + httpMethod + " with MAX-FORWARDS: " + Integer.toString(maxForwards)); // if we're on the right iteration (Max-Forwards=0, ie first proxy, and a HTTPS // request, then // then prepare to try an additional HTTP request.. boolean tryHttp = (!httpHandled && maxForwards == 0 && baseRequestHeader.isSecure()); HttpRequestHeader requestHeader = new HttpRequestHeader(); requestHeader.setMethod(httpMethod); // requestHeader.setURI(new URI(origURI.getScheme() + "://" + // origURI.getAuthority()+ "/",true)); requestHeader.setURI(baseRequestURI); requestHeader.setVersion(HttpRequestHeader.HTTP11); // OPTIONS and TRACE are supported under 1.0, but for // multi-homing, we need to use 1.1 if (tryHttp) { if (log.isDebugEnabled()) log.debug( "Blind-spot testing, using a HTTP connection, to try detect an initial proxy, which we might not see via HTTPS"); requestHeader.setSecure(false); requestHeader.setHeader("Max-Forwards", "0"); } else { requestHeader.setSecure(origRequestHeader.isSecure()); requestHeader.setHeader("Max-Forwards", Integer.toString(maxForwards)); } requestHeader.setHeader("Cache-Control", "no-cache"); // we do not want cached content. we want content from the // origin server requestHeader.setHeader("Pragma", "no-cache"); // similarly, for HTTP/1.0 HttpMessage mfMethodMsg = getNewMsg(); mfMethodMsg.setRequestHeader(requestHeader); // create a random cookie, and set it up, so we can detect if the TRACE is // enabled (in which case, it should echo it back in the response) String randomcookiename2 = RandomStringUtils.random(15, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"); String randomcookievalue2 = RandomStringUtils.random(40, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"); TreeSet<HtmlParameter> cookies2 = mfMethodMsg.getCookieParams(); cookies2.add( new HtmlParameter(HtmlParameter.Type.cookie, randomcookiename2, randomcookievalue2)); mfMethodMsg.setCookieParams(cookies2); try { sendAndReceive(mfMethodMsg, false); // do not follow redirects. } catch (Exception e) { log.error( "Failed to send a request in step 2 with method " + httpMethod + ", Max-Forwards: " + requestHeader.getHeader("Max-Forwards") + ": " + e.getMessage()); break; // to the next method } // if the response from the proxy/origin server echoes back the cookie (TRACE, // or other method), that's serious, so we need to check. String methodResponseBody = mfMethodMsg.getResponseBody().toString(); if (methodResponseBody.contains(randomcookievalue2)) { proxyTraceEnabled = true; // this will raise the risk from Medium to High if a Proxy // Disclosure was found! // TODO: raise a "TRACE" type alert (if no proxy disclosure is found, but // TRACE enabled?) } // check if the Server response header differs // the server header + powered by list is what we will record if a key attribute // changes between requests. HttpResponseHeader responseHeader = mfMethodMsg.getResponseHeader(); String serverHeader = responseHeader.getHeader("Server"); if (serverHeader == null) serverHeader = ""; String poweredBy; Vector<String> poweredByList = responseHeader.getHeaders("X-Powered-By"); if (poweredByList != null) poweredBy = poweredByList.toString(); // uses format: "[a,b,c]" else poweredBy = ""; String serverDetails = serverHeader + (poweredBy.equals("") || poweredBy.equals("[]") ? "" : poweredBy); responseStatusCode = responseHeader.getStatusCode(); if (!serverDetails.equals(previousServerDetails)) { // it's a new node that we don't appear to have previously seen (for this // HTTP method). nodeServersForMethod[step2numberOfNodesForMethod] = serverDetails; step2numberOfNodesForMethod++; if (log.isDebugEnabled()) log.debug("Identified a new node for method " + httpMethod + ", by server details: " + serverDetails + ". That makes " + step2numberOfNodesForMethod + " nodes so far"); } else { // else check if the HTTP status code differs if (responseStatusCode != previousResponseStatusCode) { // if the status code is different, this likely indicates a different // node nodeServersForMethod[step2numberOfNodesForMethod] = serverDetails; step2numberOfNodesForMethod++; if (log.isDebugEnabled()) log.debug("Identified a new node for method " + httpMethod + ", by response status : " + responseStatusCode + ". That makes " + step2numberOfNodesForMethod + " nodes so far"); } } previousServerDetails = serverDetails; previousResponseStatusCode = responseStatusCode; // if the base URL is HTTPS, and we just did an extra "blind spot" check for // HTTP, go into the next iteration with the same // "Max-Forwards" value that we just handled, but set the flag to false so that // we don't attempt to do the HTTP "blind spot" request again. if (tryHttp) { maxForwards--; httpHandled = true; } // bale out if we were asked nicely. it's nice to be nice. if (isStop()) { if (log.isDebugEnabled()) log.debug("Stopping the scan due to a user request"); return; } } // if the number of nodes (proxies+origin web server) detected using this HTTP // method is greater than the number detected thus far, use the data // gained using this HTTP method.. if (log.isDebugEnabled()) log.debug("The number of nodes detected using method " + httpMethod + " is " + step2numberOfNodesForMethod); if (step2numberOfNodesForMethod > step2numberOfNodes) { step2numberOfNodes = step2numberOfNodesForMethod; nodeServers = nodeServersForMethod; } } if (log.isDebugEnabled()) log.debug("The maximum number of nodes detected using any Max-Forwards method is " + step2numberOfNodes); // Step 3: For the TRACK, use a random URL, to force an error, and to bypass any cached // file. URI trackURI = getBaseMsg().getRequestHeader().getURI(); HttpRequestHeader trackRequestHeader = new HttpRequestHeader(); trackRequestHeader.setMethod("TRACK"); // There is no suitable constant on HttpRequestHeader // go to a similar (but random) URL requested // - in case a proxy is configured on a per-URL basis.. (this is the case on some of my // real world test servers) // - to try to ensure we get an error message that we can fingerprint // - to bypass caching (if it's a random filename, if won't have been seen before, and // won't be cached) // yes, I know TRACK requests should *not* be cached, but not all servers are // compliant. String randompiece = RandomStringUtils.random(5, "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"); trackRequestHeader.setURI(new URI( trackURI.getScheme() + "://" + trackURI.getAuthority() + getPath(trackURI) + randompiece, true)); trackRequestHeader.setVersion(HttpRequestHeader.HTTP11); // trackRequestHeader.setSecure(trackRequestHeader.isSecure()); trackRequestHeader.setHeader("Max-Forwards", String.valueOf(MAX_FORWARDS_MAXIMUM)); trackRequestHeader.setHeader("Cache-Control", "no-cache"); // we do not want cached content. we want content from the origin // server trackRequestHeader.setHeader("Pragma", "no-cache"); // similarly, for HTTP/1.0 HttpMessage trackmsg = getNewMsg(); trackmsg.setRequestHeader(trackRequestHeader); sendAndReceive(trackmsg, false); // do not follow redirects. // TODO: fingerprint more origin web servers response to a TRACK request for a file that // does not exist. String trackResponseBody = trackmsg.getResponseBody().toString(); Matcher unsupportedApacheMatcher = NOT_SUPPORTED_APACHE_PATTERN.matcher(trackResponseBody); if (unsupportedApacheMatcher.find()) { String originServerName = unsupportedApacheMatcher.group(1); if (log.isDebugEnabled()) log.debug("Identified the origin node using TRACK, with server header: " + originServerName); // check if this is the same as the last node we've identified, and if so, discard // it. If not, add it to to the end (as the origin server). if (!nodeServers[step2numberOfNodes - 1].equals(originServerName)) { // it's different to the last one seen.. add it. if (log.isDebugEnabled()) log.debug( "The origin node was not already recorded using the Max-Forwards method, so adding it in."); nodeServers[step2numberOfNodes] = originServerName; step2numberOfNodes++; } } // TODO: compare step2numberOfProxies and step1numberOfProxies? // log the nodes we have noted so far if (log.isDebugEnabled()) { for (int nodei = 0; nodei < step2numberOfNodes; nodei++) { log.debug("Node " + nodei + " is " + (!nodeServers[nodei].equals("") ? nodeServers[nodei] : "Unknown")); } // log the "silent" proxies that we saw. for (String silentServer : silentProxySet) { log.debug("Silent Proxy: " + (!silentServer.equals("") ? silentServer : "Unknown")); } } // Note: there will always be an origin web server, so check for >1, not <0 number of // nodes. if (step2numberOfNodes > 1 || silentProxySet.size() > 0) { // bingo with the list of nodes (proxies+origin web server) that we detected. String unknown = Constant.messages.getString(MESSAGE_PREFIX + "extrainfo.unknown"); String proxyServerHeader = Constant.messages .getString(MESSAGE_PREFIX + "extrainfo.proxyserver.header"); String webServerHeader = Constant.messages.getString(MESSAGE_PREFIX + "extrainfo.webserver.header"); String silentProxyServerHeader = Constant.messages .getString(MESSAGE_PREFIX + "extrainfo.silentproxyserver.header"); // get the proxy server information (ie, all but the last node) String proxyServerInfo = ""; if (step2numberOfNodes > 0) { StringBuilder sb = new StringBuilder(); sb.append(proxyServerHeader); sb.append("\n"); for (int nodei = 0; nodei < step2numberOfNodes - 1; nodei++) { String proxyServerNode = Constant.messages.getString( MESSAGE_PREFIX + "extrainfo.proxyserver", (!nodeServers[nodei].equals("") ? nodeServers[nodei] : unknown)); sb.append(proxyServerNode); sb.append("\n"); } proxyServerInfo = sb.toString(); } // get the origin web server information (ie, the last node) String webServerInfo = ""; if (step2numberOfNodes > 0) { StringBuilder sb = new StringBuilder(); sb.append(webServerHeader); sb.append("\n"); String webServerNode = Constant.messages.getString(MESSAGE_PREFIX + "extrainfo.webserver", (!nodeServers[step2numberOfNodes - 1].equals("") ? nodeServers[step2numberOfNodes - 1] : unknown)); sb.append(webServerNode); sb.append("\n"); webServerInfo = sb.toString(); } // get the silent proxy information String silentProxyServerInfo = ""; if (silentProxySet.size() > 0) { StringBuilder sb = new StringBuilder(); sb.append(silentProxyServerHeader); sb.append("\n"); for (String silentServer : silentProxySet) { // log.debug("Silent Proxy: // "+(!silentServer.equals("")?silentServer:"Unknown")); String silentProxyServerNode = Constant.messages.getString( MESSAGE_PREFIX + "extrainfo.silentproxyserver", (!silentServer.equals("") ? silentServer : unknown)); sb.append(silentProxyServerNode); sb.append("\n"); } silentProxyServerInfo = sb.toString(); } String traceInfo = ""; if (endToEndTraceEnabled || proxyTraceEnabled) { traceInfo = Constant.messages.getString(MESSAGE_PREFIX + "extrainfo.traceenabled"); } // all the info is collated nicely. raise the alert. String extraInfo = ""; if (!proxyServerInfo.equals("")) { extraInfo += proxyServerInfo; } if (!webServerInfo.equals("")) { extraInfo += webServerInfo; } if (!silentProxyServerInfo.equals("")) { extraInfo += silentProxyServerInfo; } if (!traceInfo.equals("")) { extraInfo += traceInfo; } // raise the alert on the original message // there are multiple messages on which the issue could have been raised, but each // individual atatck message // tells only a small part of the story. Explain it in the "extra info" instead. bingo(endToEndTraceEnabled || proxyTraceEnabled ? Alert.RISK_HIGH : getRisk(), Alert.CONFIDENCE_MEDIUM, getName(), Constant.messages.getString(MESSAGE_PREFIX + "desc", step2numberOfNodes - 1 + silentProxySet.size()), getBaseMsg().getRequestHeader().getURI().getURI(), // url "", // there is no parameter of interest getAttack(), // the attack. who'd have thunk it? extraInfo, // extra info.. all the detail of the proxy, etc. getSolution(), "", // evidence this.getCweId(), this.getWascId(), getBaseMsg() // the message on which we place the alert ); } } catch (Exception e) { // Do not try to internationalise this.. we need an error message in any event.. // if it's in English, it's still better than not having it at all. log.error("An error occurred checking for proxy disclosure", e); } }
From source file:org.zaproxy.zap.extension.ascanrulesAlpha.RemoteCodeExecutionCVE20121823.java
@Override public void scan() { try {/* www .j a v a 2 s. com*/ String attackParam = "?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input"; String payloadBoilerPlate = "<?php exec('<<<<COMMAND>>>>',$colm);echo join(\"\n\",$colm);die();?>"; String[] payloads = { payloadBoilerPlate.replace("<<<<COMMAND>>>>", "cmd.exe /C echo " + randomString), payloadBoilerPlate.replace("<<<<COMMAND>>>>", "echo " + randomString) }; //tries payloads for Linux/Unix, and Windows until we find something that works for (String payload : payloads) { URI originalURI = getBaseMsg().getRequestHeader().getURI(); byte[] originalResponseBody = getBaseMsg().getResponseBody().getBytes(); //construct a new URL based on the original URL, but without any of the original parameters //important: the URL is already escaped, and must not be escaped again URI attackURI = new URI( originalURI.getScheme() + "://" + originalURI.getAuthority() + (originalURI.getPath() != null ? originalURI.getPath() : "/") + attackParam, true); //and send it as a POST request, unauthorised, with the payload as the POST body. HttpRequestHeader requestHeader = new HttpRequestHeader(HttpRequestHeader.POST, attackURI, HttpRequestHeader.HTTP11); HttpMessage attackmsg = new HttpMessage(requestHeader); attackmsg.setRequestBody(payload); sendAndReceive(attackmsg, false); //do not follow redirects byte[] attackResponseBody = attackmsg.getResponseBody().getBytes(); String responseBody = new String(attackResponseBody); //if the command was not recognised (by the host OS), we get a response size of 0 on PHP, but not on Tomcat //to be sure it's not a false positive, we look for a string to be echoed if (attackmsg.getResponseHeader().getStatusCode() == HttpStatus.SC_OK && attackResponseBody.length >= randomString.length() && responseBody.startsWith(randomString)) { if (log.isDebugEnabled()) { log.debug("Remote Code Execution alert for: " + originalURI.getURI()); } //bingo. bingo(Alert.RISK_HIGH, Alert.WARNING, Constant.messages.getString("ascanalpha.remotecodeexecution.cve-2012-1823.name"), Constant.messages.getString("ascanalpha.remotecodeexecution.cve-2012-1823.desc"), null, // originalMessage.getRequestHeader().getURI().getURI(), null, // parameter being attacked: none. payload, // attack: none (it's not a parameter being attacked) responseBody, //extrainfo Constant.messages.getString("ascanalpha.remotecodeexecution.cve-2012-1823.soln"), responseBody, //evidence, highlighted in the message attackmsg //raise the alert on the attack message ); } } } catch (Exception e) { log.error("Error scanning a URL for Remote Code Execution via CVE-2012-1823: " + e.getMessage(), e); } }
From source file:org.zaproxy.zap.extension.ascanrulesAlpha.SourceCodeDisclosureCVE20121823.java
@Override public void scan() { try {//from w w w . ja va 2 s. co m //at Low or Medium strength, do not attack URLs which returned "Not Found" AttackStrength attackStrength = getAttackStrength(); if ((attackStrength == AttackStrength.LOW || attackStrength == AttackStrength.MEDIUM) && (getBaseMsg().getResponseHeader().getStatusCode() == HttpStatus.SC_NOT_FOUND)) return; URI originalURI = getBaseMsg().getRequestHeader().getURI(); //construct a new URL based on the original URL, but without any of the original parameters String attackParam = "?-s"; URI attackURI = new URI(originalURI.getScheme() + "://" + originalURI.getAuthority() + (originalURI.getPath() != null ? originalURI.getPath() : "/") + attackParam, true); //and send it as a GET, unauthorised. HttpMessage attackmsg = new HttpMessage(attackURI); sendAndReceive(attackmsg, false); //do not follow redirects if (attackmsg.getResponseHeader().getStatusCode() == HttpStatus.SC_OK) { //double-check: does the response contain HTML encoded PHP? //Ignore the case where it contains encoded HTML for now, since thats not a source code disclosure anyway //(HTML is always sent back to the web browser) String responseBody = new String(attackmsg.getResponseBody().getBytes()); String responseBodyDecoded = new Source(responseBody).getRenderer().toString(); Matcher matcher1 = PHP_PATTERN1.matcher(responseBodyDecoded); Matcher matcher2 = PHP_PATTERN2.matcher(responseBodyDecoded); boolean match1 = matcher1.matches(); boolean match2 = matcher2.matches(); if ((!responseBody.equals(responseBodyDecoded)) && (match1 || match2)) { if (log.isDebugEnabled()) { log.debug("Source Code Disclosure alert for: " + originalURI.getURI()); } String sourceCode = null; if (match1) { sourceCode = matcher1.group(1); } else { sourceCode = matcher2.group(1); } //bingo. bingo(Alert.RISK_HIGH, Alert.WARNING, Constant.messages.getString("ascanalpha.sourcecodedisclosurecve-2012-1823.name"), Constant.messages.getString("ascanalpha.sourcecodedisclosurecve-2012-1823.desc"), null, // originalMessage.getRequestHeader().getURI().getURI(), null, // parameter being attacked: none. "", // attack: none (it's not a parameter being attacked) sourceCode, //extrainfo Constant.messages.getString("ascanalpha.sourcecodedisclosurecve-2012-1823.soln"), "", //evidence, highlighted in the message (cannot use the source code here, since it is encoded in the message response, and so will not match up) attackmsg //raise the alert on the attack message ); } } } catch (Exception e) { log.error("Error scanning a Host for Source Code Disclosure via CVE-2012-1823: " + e.getMessage(), e); } }
From source file:org.zaproxy.zap.extension.ascanrulesAlpha.SourceCodeDisclosureWEBINF.java
@Override public void scan() { try {/*from ww w.ja va 2 s.c om*/ URI originalURI = getBaseMsg().getRequestHeader().getURI(); List<String> javaClassesFound = new LinkedList<String>(); List<String> javaClassesHandled = new LinkedList<String>(); //Pass 1: thru each of the WEB-INF files, looking for class names for (String filename : WEBINF_FILES) { HttpMessage webinffilemsg = new HttpMessage(new URI( originalURI.getScheme() + "://" + originalURI.getAuthority() + "/WEB-INF/" + filename, true)); sendAndReceive(webinffilemsg, false); //do not follow redirects String body = new String(webinffilemsg.getResponseBody().getBytes()); Matcher matcher = JAVA_CLASSNAME_PATTERN.matcher(body); while (matcher.find()) { //we have a possible class *name*. //Next: See if the class file lives in the expected location in the WEB-INF folder //skip Java built-in classes String classname = matcher.group(); if (!classname.startsWith("java.") && !classname.startsWith("javax.") && !javaClassesFound.contains(classname)) { javaClassesFound.add(classname); } } } //for each class name found, try download the actual class file.. //for ( String classname: javaClassesFound) { while (javaClassesFound.size() > 0) { String classname = javaClassesFound.get(0); URI classURI = getClassURI(originalURI, classname); if (log.isDebugEnabled()) log.debug("Looking for Class file: " + classURI.getURI()); HttpMessage classfilemsg = new HttpMessage(classURI); sendAndReceive(classfilemsg, false); //do not follow redirects if (classfilemsg.getResponseHeader().getStatusCode() == HttpStatus.SC_OK) { //to decompile the class file, we need to write it to disk.. //under the current version of the library, at least File classFile = null; try { classFile = File.createTempFile("zap", ".class"); classFile.deleteOnExit(); OutputStream fos = new FileOutputStream(classFile); fos.write(classfilemsg.getResponseBody().getBytes()); fos.close(); //now decompile it DecompilerSettings decompilerSettings = new DecompilerSettings(); //set some options so that we can better parse the output, to get the names of more classes.. decompilerSettings.setForceExplicitImports(true); decompilerSettings.setForceExplicitTypeArguments(true); PlainTextOutput decompiledText = new PlainTextOutput(); Decompiler.decompile(classFile.getAbsolutePath(), decompiledText, decompilerSettings); String javaSourceCode = decompiledText.toString(); if (log.isDebugEnabled()) { log.debug("Source Code Disclosure alert for: " + classname); } //bingo. bingo(Alert.RISK_HIGH, Alert.WARNING, Constant.messages.getString("ascanalpha.sourcecodedisclosurewebinf.name"), Constant.messages.getString("ascanalpha.sourcecodedisclosurewebinf.desc"), null, // originalMessage.getRequestHeader().getURI().getURI(), null, // parameter being attacked: none. "", // attack javaSourceCode, //extrainfo Constant.messages.getString("ascanalpha.sourcecodedisclosurewebinf.soln"), "", //evidence, highlighted in the message classfilemsg //raise the alert on the classfile, rather than on the web.xml (or other file where the class reference was found). ); //and add the referenced classes to the list of classes to look for! //so that we catch as much source code as possible. Matcher importMatcher = JAVA_IMPORT_CLASSNAME_PATTERN.matcher(javaSourceCode); while (importMatcher.find()) { //we have another possible class name. //Next: See if the class file lives in the expected location in the WEB-INF folder String importClassname = importMatcher.group(1); if ((!javaClassesFound.contains(importClassname)) && (!javaClassesHandled.contains(importClassname))) { javaClassesFound.add(importClassname); } } //attempt to find properties files within the Java source, and try get them Matcher propsFileMatcher = PROPERTIES_FILE_PATTERN.matcher(javaSourceCode); while (propsFileMatcher.find()) { String propsFilename = propsFileMatcher.group(1); if (log.isDebugEnabled()) log.debug("Found props file: " + propsFilename); URI propsFileURI = getPropsFileURI(originalURI, propsFilename); HttpMessage propsfilemsg = new HttpMessage(propsFileURI); sendAndReceive(propsfilemsg, false); //do not follow redirects if (propsfilemsg.getResponseHeader().getStatusCode() == HttpStatus.SC_OK) { //Holy sheet.. we found a properties file bingo(Alert.RISK_HIGH, Alert.WARNING, Constant.messages.getString( "ascanalpha.sourcecodedisclosurewebinf.propertiesfile.name"), Constant.messages.getString( "ascanalpha.sourcecodedisclosurewebinf.propertiesfile.desc"), null, // originalMessage.getRequestHeader().getURI().getURI(), null, // parameter being attacked: none. "", // attack Constant.messages.getString( "ascanalpha.sourcecodedisclosurewebinf.propertiesfile.extrainfo", classURI), //extrainfo Constant.messages.getString( "ascanalpha.sourcecodedisclosurewebinf.propertiesfile.soln"), "", //evidence, highlighted in the message propsfilemsg); } } //do not return at this point.. there may be multiple classes referenced. We want to see as many of them as possible. } finally { //delete the temp file. //this will be deleted when the VM is shut down anyway, but just in case! if (classFile != null) classFile.delete(); } } //remove the class from the set to handle, and add it to the list of classes handled javaClassesFound.remove(classname); javaClassesHandled.add(classname); } } catch (Exception e) { log.error("Error scanning a Host for Source Code Disclosure via the WEB-INF folder: " + e.getMessage(), e); } }
From source file:org.zaproxy.zap.extension.ascanrulesBeta.RemoteCodeExecutionCVE20121823.java
private static URI createAttackUri(URI originalURI, String attackParam) { StringBuilder strBuilder = new StringBuilder(); strBuilder.append(originalURI.getScheme()).append("://").append(originalURI.getEscapedAuthority()); strBuilder.append(originalURI.getRawPath() != null ? originalURI.getEscapedPath() : "/") .append(attackParam);/*from w ww. j ava 2 s . c om*/ String uri = strBuilder.toString(); try { return new URI(uri, true); } catch (URIException e) { log.warn("Failed to create attack URI [" + uri + "], cause: " + e.getMessage()); } return null; }
From source file:org.zaproxy.zap.extension.ascanrulesBeta.SessionFixation.java
/** * scans all GET, Cookie params for Session fields, and looks for SessionFixation * vulnerabilities/*from w w w . j a v a2 s. co m*/ */ @Override public void scan() { // TODO: scan the POST (form) params for session id fields. try { boolean loginUrl = false; // Are we dealing with a login url in any of the contexts of which this uri is part URI requestUri = getBaseMsg().getRequestHeader().getURI(); ExtensionAuthentication extAuth = (ExtensionAuthentication) Control.getSingleton().getExtensionLoader() .getExtension(ExtensionAuthentication.NAME); // using the session, get the list of contexts for the url List<Context> contextList = extAuth.getModel().getSession().getContextsForUrl(requestUri.getURI()); // now loop, and see if the url is a login url in each of the contexts in turn... for (Context context : contextList) { URI loginUri = extAuth.getLoginRequestURIForContext(context); if (loginUri != null && requestUri.getPath() != null) { if (requestUri.getScheme().equals(loginUri.getScheme()) && requestUri.getHost().equals(loginUri.getHost()) && requestUri.getPort() == loginUri.getPort() && requestUri.getPath().equals(loginUri.getPath())) { // we got this far.. only the method (GET/POST), user details, query params, // fragment, and POST params // are possibly different from the login page. loginUrl = true; break; } } } // For now (from Zap 2.0), the Session Fixation scanner will only run for login pages if (loginUrl == false) { log.debug("For the Session Fixation scanner to actually do anything, a Login Page *must* be set!"); return; } // find all params set in the request (GET/POST/Cookie) // Note: this will be the full set, before we delete anything. TreeSet<HtmlParameter> htmlParams = new TreeSet<>(); htmlParams.addAll(getBaseMsg().getRequestHeader().getCookieParams()); // request cookies only. no response cookies htmlParams.addAll(getBaseMsg().getFormParams()); // add in the POST params htmlParams.addAll(getBaseMsg().getUrlParams()); // add in the GET params // Now add in the pseudo parameters set in the URL itself, such as in the following: // http://www.example.com/someurl;JSESSIONID=abcdefg?x=123&y=456 // as opposed to the url parameters in the following example, which are already picked // up by getUrlParams() // http://www.example.com/someurl?JSESSIONID=abcdefg&x=123&y=456 // convert from org.apache.commons.httpclient.URI to a String String requestUrl = "Unknown URL"; try { requestUrl = new URL(requestUri.getScheme(), requestUri.getHost(), requestUri.getPort(), requestUri.getPath()).toString(); } catch (Exception e) { // no point in continuing. The URL is invalid. This is a peculiarity in the Zap // core, // and can happen when // - the user browsed to http://www.example.com/bodgeit and // - the user did not browse to http://www.example.com or to http://www.example.com/ // so the Zap GUI displays "http://www.example.com" as a node under "Sites", // and under that, it displays the actual urls to which the user browsed // (http://www.example.com/bodgeit, for instance) // When the user selects the node "http://www.example.com", and tries to scan it // with // the session fixation scanner, the URI that is passed is "http://www.example.com", // which is *not* a valid url. // If the user actually browses to "http://www.example.com" (even without the // trailing slash) // the web browser appends the trailing slash, and so Zap records the URI as // "http://www.example.com/", which IS a valid url, and which can (and should) be // scanned. // // In short.. if this happens, we do not want to scan the URL anyway // (because the user never browsed to it), so just do nothing instead. log.error("Cannot convert URI [" + requestUri + "] to a URL: " + e.getMessage()); return; } // suck out any pseudo url parameters from the url Set<HtmlParameter> pseudoUrlParams = getPseudoUrlParameters(requestUrl); htmlParams.addAll(pseudoUrlParams); if (this.debugEnabled) log.debug("Pseudo url params of URL [" + requestUrl + "] : [" + pseudoUrlParams + "]"); //// for each parameter in turn, // int counter = 0; for (Iterator<HtmlParameter> iter = htmlParams.iterator(); iter.hasNext();) { HttpMessage msg1Final; HttpMessage msg1Initial = getNewMsg(); //// debug logic only.. to do first field only // counter ++; // if ( counter > 1 ) // return; HtmlParameter currentHtmlParameter = iter.next(); // Useful for debugging, but I can't find a way to view this data in the GUI, so // leave it out for now. // msg1Initial.setNote("Message 1 for parameter "+ currentHtmlParameter); if (this.debugEnabled) log.debug("Scanning URL [" + msg1Initial.getRequestHeader().getMethod() + "] [" + msg1Initial.getRequestHeader().getURI() + "], [" + currentHtmlParameter.getType() + "] field [" + currentHtmlParameter.getName() + "] with value [" + currentHtmlParameter.getValue() + "] for Session Fixation"); if (currentHtmlParameter.getType().equals(HtmlParameter.Type.cookie)) { // careful to pick up the cookies from the Request, and not to include cookies // set in any earlier response TreeSet<HtmlParameter> cookieRequestParams = msg1Initial.getRequestHeader().getCookieParams(); // delete the original cookie from the parameters cookieRequestParams.remove(currentHtmlParameter); msg1Initial.setCookieParams(cookieRequestParams); // send the message, minus the cookie parameter, and see how it comes back. // Note: do NOT automatically follow redirects.. handle those here instead. sendAndReceive(msg1Initial, false, false); ///////////////////////////// // create a copy of msg1Initial to play with to handle redirects (if any). // we use a copy because if we change msg1Initial itself, it messes the URL and // params displayed on the GUI. msg1Final = msg1Initial; HtmlParameter cookieBack1 = getResponseCookie(msg1Initial, currentHtmlParameter.getName()); long cookieBack1TimeReceived = System.currentTimeMillis(); // in ms. when was the cookie received? // Important if it has a Max-Age directive Date cookieBack1ExpiryDate = null; HttpMessage temp = msg1Initial; int redirectsFollowed1 = 0; while (HttpStatusCode.isRedirection(temp.getResponseHeader().getStatusCode())) { // Note that we need to clone the Request and the Response.. // we seem to need to track the secure flag now to make sure its set later boolean secure1 = temp.getRequestHeader().isSecure(); temp = temp.cloneAll(); // clone the previous message redirectsFollowed1++; if (redirectsFollowed1 > 10) { throw new Exception("Too many redirects were specified in the first message"); } // create a new URI from the absolute location returned, and interpret it as // escaped // note that the standard says that the Location returned should be // absolute, but it ain't always so... URI newLocation = new URI(temp.getResponseHeader().getHeader(HttpHeader.LOCATION), true); // and follow the forward url // need to clear the params (which would come from the initial POST, // otherwise) temp.getRequestHeader().setGetParams(new TreeSet<HtmlParameter>()); temp.setRequestBody(""); temp.setResponseBody(""); // make sure no values accidentally carry from one iteration to // the next try { temp.getRequestHeader().setURI(newLocation); } catch (Exception e) { // the Location field contents may not be standards compliant. Lets // generate a uri to use as a workaround where a relative path was // given instead of an absolute one URI newLocationWorkaround = new URI(temp.getRequestHeader().getURI(), temp.getResponseHeader().getHeader(HttpHeader.LOCATION), true); // try again, except this time, if it fails, don't try to handle it if (this.debugEnabled) log.debug("The Location [" + newLocation + "] specified in a redirect was not valid. Trying workaround url [" + newLocationWorkaround + "]"); temp.getRequestHeader().setURI(newLocationWorkaround); } temp.getRequestHeader().setSecure(secure1); temp.getRequestHeader().setMethod(HttpRequestHeader.GET); temp.getRequestHeader().setContentLength(0); // since we send a GET, the body will be 0 long if (cookieBack1 != null) { // if the previous request sent back a cookie, we need to set that // cookie when following redirects, as a browser would if (this.debugEnabled) log.debug("Adding in cookie [" + cookieBack1 + "] for a redirect"); TreeSet<HtmlParameter> forwardCookieParams = temp.getRequestHeader().getCookieParams(); forwardCookieParams.add(cookieBack1); temp.getRequestHeader().setCookieParams(forwardCookieParams); } if (this.debugEnabled) log.debug("DEBUG: Cookie Message 1 causes us to follow redirect to [" + newLocation + "]"); sendAndReceive(temp, false, false); // do NOT redirect.. handle it here // handle any cookies set from following redirects that override the cookie // set in the redirect itself (if any) // note that this will handle the case where a latter cookie unsets one set // earlier. HtmlParameter cookieBack1Temp = getResponseCookie(temp, currentHtmlParameter.getName()); if (cookieBack1Temp != null) { cookieBack1 = cookieBack1Temp; cookieBack1TimeReceived = System.currentTimeMillis(); // in ms. record when we got the // cookie.. in case it has a // Max-Age directive } // reset the "final" version of message1 to use the final response in the // chain msg1Final = temp; } /////////////////////////// // if non-200 on the final response for message 1, no point in continuing. Bale // out. if (msg1Final.getResponseHeader().getStatusCode() != HttpStatusCode.OK) { if (this.debugEnabled) log.debug( "Got a non-200 response code [" + msg1Final.getResponseHeader().getStatusCode() + "] when sending [" + msg1Initial.getRequestHeader().getURI() + "] with param [" + currentHtmlParameter.getName() + "] = NULL (possibly somewhere in the redirects)"); continue; } // now check that the response set a cookie. if it didn't, then either.. // 1) we are messing with the wrong field // 2) the app doesn't do sessions // either way, there is not much point in continuing to look at this field.. if (cookieBack1 == null || cookieBack1.getValue() == null) { // no cookie was set, or the cookie param was set to a null value if (this.debugEnabled) log.debug("The Cookie parameter was NOT set in the response, when cookie param [" + currentHtmlParameter.getName() + "] was set to NULL: " + cookieBack1); continue; } ////////////////////////////////////////////////////////////////////// // at this point, before continuing to check for Session Fixation, do some other // checks on the session cookie we got back // that might cause us to raise additional alerts (in addition to doing the main // check for Session Fixation) ////////////////////////////////////////////////////////////////////// // Check 1: was the session cookie sent and received securely by the server? // If not, alert this fact if ((!msg1Final.getRequestHeader().isSecure()) || (!cookieBack1.getFlags().contains("secure"))) { // pass the original param value here, not the new value, since we're // displaying the session id exposed in the original message String extraInfo = Constant.messages.getString( "ascanbeta.sessionidsentinsecurely.alert.extrainfo", currentHtmlParameter.getType(), currentHtmlParameter.getName(), currentHtmlParameter.getValue()); if (!cookieBack1.getFlags().contains("secure")) { extraInfo += ("\n" + Constant.messages.getString( "ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset")); } // and figure out the risk, depending on whether it is a login page int risk = Alert.RISK_LOW; if (loginUrl) { extraInfo += ("\n" + Constant.messages .getString("ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage")); // login page, so higher risk risk = Alert.RISK_MEDIUM; } else { // not a login page.. lower risk risk = Alert.RISK_LOW; } String attack = Constant.messages.getString( "ascanbeta.sessionidsentinsecurely.alert.attack", currentHtmlParameter.getType(), currentHtmlParameter.getName()); String vulnname = Constant.messages.getString("ascanbeta.sessionidsentinsecurely.name"); String vulndesc = Constant.messages.getString("ascanbeta.sessionidsentinsecurely.desc"); String vulnsoln = Constant.messages.getString("ascanbeta.sessionidsentinsecurely.soln"); // call bingo with some extra info, indicating that the alert is // not specific to Session Fixation, but has its own title and description // (etc) // the alert here is "Session id sent insecurely", or words to that effect. bingo(risk, Alert.CONFIDENCE_MEDIUM, vulnname, vulndesc, getBaseMsg().getRequestHeader().getURI().getURI(), currentHtmlParameter.getName(), attack, extraInfo, vulnsoln, getBaseMsg()); if (log.isDebugEnabled()) { String logMessage = MessageFormat.format( "A session identifier in {2} field: [{3}] may be sent " + "via an insecure mechanism at [{0}] URL [{1}]", getBaseMsg().getRequestHeader().getMethod(), getBaseMsg().getRequestHeader().getURI().getURI(), currentHtmlParameter.getType(), currentHtmlParameter.getName()); log.debug(logMessage); } // Note: do NOT continue to the next field at this point.. // since we still need to check for Session Fixation. } ////////////////////////////////////////////////////////////////////// // Check 2: is the session cookie that was set accessible to Javascript? // If so, alert this fact too if (!cookieBack1.getFlags().contains("httponly") && loginUrl) { // pass the original param value here, not the new value, since we're // displaying the session id exposed in the original message String extraInfo = Constant.messages.getString( "ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo", currentHtmlParameter.getType(), currentHtmlParameter.getName(), currentHtmlParameter.getValue()); String attack = Constant.messages.getString( "ascanbeta.sessionidaccessiblebyjavascript.alert.attack", currentHtmlParameter.getType(), currentHtmlParameter.getName()); String vulnname = Constant.messages .getString("ascanbeta.sessionidaccessiblebyjavascript.name"); String vulndesc = Constant.messages .getString("ascanbeta.sessionidaccessiblebyjavascript.desc"); String vulnsoln = Constant.messages .getString("ascanbeta.sessionidaccessiblebyjavascript.soln"); extraInfo += ("\n" + Constant.messages .getString("ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage")); // call bingo with some extra info, indicating that the alert is // not specific to Session Fixation, but has its own title and description // (etc) // the alert here is "Session id accessible in Javascript", or words to that // effect. bingo(Alert.RISK_LOW, Alert.CONFIDENCE_MEDIUM, vulnname, vulndesc, getBaseMsg().getRequestHeader().getURI().getURI(), currentHtmlParameter.getName(), attack, extraInfo, vulnsoln, getBaseMsg()); if (log.isDebugEnabled()) { String logMessage = MessageFormat.format( "A session identifier in [{0}] URL [{1}] {2} field: " + "[{3}] may be accessible to JavaScript", getBaseMsg().getRequestHeader().getMethod(), getBaseMsg().getRequestHeader().getURI().getURI(), currentHtmlParameter.getType(), currentHtmlParameter.getName()); log.debug(logMessage); } // Note: do NOT continue to the next field at this point.. // since we still need to check for Session Fixation. } ////////////////////////////////////////////////////////////////////// // Check 3: is the session cookie set to expire soon? when the browser session // closes? never? // the longer the session cookie is valid, the greater the risk. alert it // accordingly String cookieBack1Expiry = null; int sessionExpiryRiskLevel; String sessionExpiryDescription = null; // check for the Expires header for (Iterator<String> i = cookieBack1.getFlags().iterator(); i.hasNext();) { String cookieBack1Flag = i.next(); // if ( this.debugEnabled ) log.debug("Cookie back 1 flag (checking for // Expires): "+ cookieBack1Flag); // match in a case insensitive manner. never know what case various web // servers are going to send back. // if (cookieBack1Flag.matches("(?i)expires=.*")) { if (cookieBack1Flag.toLowerCase(Locale.ENGLISH).startsWith("expires=")) { String[] cookieBack1FlagValues = cookieBack1Flag.split("="); if (cookieBack1FlagValues.length > 1) { if (this.debugEnabled) log.debug("Cookie Expiry: " + cookieBack1FlagValues[1]); cookieBack1Expiry = cookieBack1FlagValues[1]; // the Date String sessionExpiryDescription = cookieBack1FlagValues[1]; // the Date String cookieBack1ExpiryDate = DateUtil.parseDate(cookieBack1Expiry); // the actual Date } } } // also check for the Max-Age header, which overrides the Expires header. // WARNING: this Directive is reported to be ignored by IE, so if both Expires // and Max-Age are present // and we report based on the Max-Age value, but the user is using IE, then the // results reported // by us here may be different from those actually experienced by the user! (we // use Max-Age, IE uses Expires) for (Iterator<String> i = cookieBack1.getFlags().iterator(); i.hasNext();) { String cookieBack1Flag = i.next(); // if ( this.debugEnabled ) log.debug("Cookie back 1 flag (checking for // Max-Age): "+ cookieBack1Flag); // match in a case insensitive manner. never know what case various web // servers are going to send back. if (cookieBack1Flag.toLowerCase(Locale.ENGLISH).startsWith("max-age=")) { String[] cookieBack1FlagValues = cookieBack1Flag.split("="); if (cookieBack1FlagValues.length > 1) { // now the Max-Age value is the number of seconds relative to the // time the browser received the cookie // (as stored in cookieBack1TimeReceived) if (this.debugEnabled) log.debug("Cookie Max Age: " + cookieBack1FlagValues[1]); long cookie1DropDeadMS = cookieBack1TimeReceived + (Long.parseLong(cookieBack1FlagValues[1]) * 1000); cookieBack1ExpiryDate = new Date(cookie1DropDeadMS); // the actual Date the cookie // expires (by Max-Age) cookieBack1Expiry = DateUtil.formatDate(cookieBack1ExpiryDate, DateUtil.PATTERN_RFC1123); sessionExpiryDescription = cookieBack1Expiry; // needs to the Date String } } } String sessionExpiryRiskDescription = null; // check the Expiry/Max-Age details garnered (if any) // and figure out the risk, depending on whether it is a login page // and how long the session will live before expiring if (cookieBack1ExpiryDate == null) { // session expires when the browser closes.. rate this as medium risk? sessionExpiryRiskLevel = Alert.RISK_MEDIUM; sessionExpiryRiskDescription = "ascanbeta.sessionidexpiry.browserclose"; sessionExpiryDescription = Constant.messages.getString(sessionExpiryRiskDescription); } else { long datediffSeconds = (cookieBack1ExpiryDate.getTime() - cookieBack1TimeReceived) / 1000; long anHourSeconds = 3600; long aDaySeconds = anHourSeconds * 24; long aWeekSeconds = aDaySeconds * 7; if (datediffSeconds < 0) { if (this.debugEnabled) log.debug("The session cookie has expired already"); sessionExpiryRiskDescription = "ascanbeta.sessionidexpiry.timeexpired"; sessionExpiryRiskLevel = Alert.RISK_INFO; // no risk.. the cookie has expired already } else if (datediffSeconds > aWeekSeconds) { if (this.debugEnabled) log.debug("The session cookie is set to last for more than a week!"); sessionExpiryRiskDescription = "ascanbeta.sessionidexpiry.timemorethanoneweek"; sessionExpiryRiskLevel = Alert.RISK_HIGH; } else if (datediffSeconds > aDaySeconds) { if (this.debugEnabled) log.debug("The session cookie is set to last for more than a day"); sessionExpiryRiskDescription = "ascanbeta.sessionidexpiry.timemorethanoneday"; sessionExpiryRiskLevel = Alert.RISK_MEDIUM; } else if (datediffSeconds > anHourSeconds) { if (this.debugEnabled) log.debug("The session cookie is set to last for more than an hour"); sessionExpiryRiskDescription = "ascanbeta.sessionidexpiry.timemorethanonehour"; sessionExpiryRiskLevel = Alert.RISK_LOW; } else { if (this.debugEnabled) log.debug("The session cookie is set to last for less than an hour!"); sessionExpiryRiskDescription = "ascanbeta.sessionidexpiry.timelessthanonehour"; sessionExpiryRiskLevel = Alert.RISK_INFO; } } if (!loginUrl) { // decrement the risk if it's not a login page sessionExpiryRiskLevel--; } // alert it if the default session expiry risk level is more than informational if (sessionExpiryRiskLevel > Alert.RISK_INFO) { // pass the original param value here, not the new value String cookieReceivedTime = cookieBack1Expiry = DateUtil .formatDate(new Date(cookieBack1TimeReceived), DateUtil.PATTERN_RFC1123); String extraInfo = Constant.messages.getString("ascanbeta.sessionidexpiry.alert.extrainfo", currentHtmlParameter.getType(), currentHtmlParameter.getName(), currentHtmlParameter.getValue(), sessionExpiryDescription, cookieReceivedTime); String attack = Constant.messages.getString("ascanbeta.sessionidexpiry.alert.attack", currentHtmlParameter.getType(), currentHtmlParameter.getName()); String vulnname = Constant.messages.getString("ascanbeta.sessionidexpiry.name"); String vulndesc = Constant.messages.getString("ascanbeta.sessionidexpiry.desc"); String vulnsoln = Constant.messages.getString("ascanbeta.sessionidexpiry.soln"); if (loginUrl) { extraInfo += ("\n" + Constant.messages .getString("ascanbeta.sessionidexpiry.alert.extrainfo.loginpage")); } // call bingo with some extra info, indicating that the alert is // not specific to Session Fixation, but has its own title and description // (etc) // the alert here is "Session Id Expiry Time is excessive", or words to that // effect. bingo(sessionExpiryRiskLevel, Alert.CONFIDENCE_MEDIUM, vulnname, vulndesc, getBaseMsg().getRequestHeader().getURI().getURI(), currentHtmlParameter.getName(), attack, extraInfo, vulnsoln, getBaseMsg()); if (log.isDebugEnabled()) { String logMessage = MessageFormat.format( "A session identifier in [{0}] URL [{1}] {2} field: " + "[{3}] may be accessed until [{4}], unless the session is destroyed.", getBaseMsg().getRequestHeader().getMethod(), getBaseMsg().getRequestHeader().getURI().getURI(), currentHtmlParameter.getType(), currentHtmlParameter.getName(), sessionExpiryDescription); log.debug(logMessage); } // Note: do NOT continue to the next field at this point.. // since we still need to check for Session Fixation. } if (!loginUrl) { // not a login page.. skip continue; } //////////////////////////////////////////////////////////////////////////////////////////// /// Message 2 - processing starts here //////////////////////////////////////////////////////////////////////////////////////////// // so now that we know the URL responds with 200 (OK), and that it sets a // cookie, lets re-issue the original request, // but lets add in the new (valid) session cookie that was just issued. // we will re-send it. the aim is then to see if it accepts the cookie (BAD, in // some circumstances), // or if it issues a new session cookie (GOOD, in most circumstances) if (this.debugEnabled) log.debug("A Cookie was set by the URL for the correct param, when param [" + currentHtmlParameter.getName() + "] was set to NULL: " + cookieBack1); // use a copy of msg2Initial, since it has already had the correct cookie // removed in the request.. // do NOT use msg2Initial itself, as this will cause both requests in the GUI to // show the modified data.. // finally send the second message, and see how it comes back. HttpMessage msg2Initial = msg1Initial.cloneRequest(); TreeSet<HtmlParameter> cookieParams2Set = msg2Initial.getRequestHeader().getCookieParams(); cookieParams2Set.add(cookieBack1); msg2Initial.setCookieParams(cookieParams2Set); // resend the copy of the initial message, but with the valid session cookie // added in, to see if it is accepted // do not automatically follow redirects, as we need to check these for cookies // being set. sendAndReceive(msg2Initial, false, false); // create a copy of msg2Initial to play with to handle redirects (if any). // we use a copy because if we change msg2Initial itself, it messes the URL and // params displayed on the GUI. HttpMessage temp2 = msg2Initial; HttpMessage msg2Final = msg2Initial; HtmlParameter cookieBack2Previous = cookieBack1; HtmlParameter cookieBack2 = getResponseCookie(msg2Initial, currentHtmlParameter.getName()); int redirectsFollowed2 = 0; while (HttpStatusCode.isRedirection(temp2.getResponseHeader().getStatusCode())) { // clone the previous message boolean secure2 = temp2.getRequestHeader().isSecure(); temp2 = temp2.cloneAll(); redirectsFollowed2++; if (redirectsFollowed2 > 10) { throw new Exception("Too many redirects were specified in the second message"); } // create a new URI from the absolute location returned, and interpret it as // escaped // note that the standard says that the Location returned should be // absolute, but it ain't always so... URI newLocation = new URI(temp2.getResponseHeader().getHeader(HttpHeader.LOCATION), true); // and follow the forward url // need to clear the params (which would come from the initial POST, // otherwise) temp2.getRequestHeader().setGetParams(new TreeSet<HtmlParameter>()); temp2.setRequestBody(""); temp2.setResponseBody(""); // make sure no values accidentally carry from one iteration to // the next try { temp2.getRequestHeader().setURI(newLocation); } catch (Exception e) { // the Location field contents may not be standards compliant. Lets // generate a uri to use as a workaround where a relative path was // given instead of an absolute one URI newLocationWorkaround = new URI(temp2.getRequestHeader().getURI(), temp2.getResponseHeader().getHeader(HttpHeader.LOCATION), true); // try again, except this time, if it fails, don't try to handle it if (this.debugEnabled) log.debug("The Location [" + newLocation + "] specified in a redirect was not valid. Trying workaround url [" + newLocationWorkaround + "]"); temp2.getRequestHeader().setURI(newLocationWorkaround); } temp2.getRequestHeader().setSecure(secure2); temp2.getRequestHeader().setMethod(HttpRequestHeader.GET); temp2.getRequestHeader().setContentLength(0); // since we send a GET, the body will be 0 long if (cookieBack2 != null) { // if the previous request sent back a cookie, we need to set that // cookie when following redirects, as a browser would // also make sure to delete the previous value set for the cookie value if (this.debugEnabled) { log.debug("Deleting old cookie [" + cookieBack2Previous + "], and adding in cookie [" + cookieBack2 + "] for a redirect"); } TreeSet<HtmlParameter> forwardCookieParams = temp2.getRequestHeader().getCookieParams(); forwardCookieParams.remove(cookieBack2Previous); forwardCookieParams.add(cookieBack2); temp2.getRequestHeader().setCookieParams(forwardCookieParams); } sendAndReceive(temp2, false, false); // do NOT automatically redirect.. handle redirects here // handle any cookies set from following redirects that override the cookie // set in the redirect itself (if any) // note that this will handle the case where a latter cookie unsets one set // earlier. HtmlParameter cookieBack2Temp = getResponseCookie(temp2, currentHtmlParameter.getName()); if (cookieBack2Temp != null) { cookieBack2Previous = cookieBack2; cookieBack2 = cookieBack2Temp; } // reset the "final" version of message2 to use the final response in the // chain msg2Final = temp2; } if (this.debugEnabled) log.debug("Done following redirects"); // final result was non-200, no point in continuing. Bale out. if (msg2Final.getResponseHeader().getStatusCode() != HttpStatusCode.OK) { if (this.debugEnabled) log.debug( "Got a non-200 response code [" + msg2Final.getResponseHeader().getStatusCode() + "] when sending [" + msg2Initial.getRequestHeader().getURI() + "] with a borrowed cookie (or by following a redirect) for param [" + currentHtmlParameter.getName() + "]"); continue; // to next parameter } // and what we've been waiting for.. do we get a *different* cookie being set in // the response of message 2?? // or do we get a new cookie back at all? // No cookie back => the borrowed cookie was accepted. Not ideal // Cookie back, but same as the one we sent in => the borrowed cookie was // accepted. Not ideal if ((cookieBack2 == null) || cookieBack2.getValue().equals(cookieBack1.getValue())) { // no cookie back, when a borrowed cookie is in use.. suspicious! // use the cookie extrainfo message, which is specific to the case of // cookies // pretty much everything else is generic to all types of Session Fixation // vulnerabilities String extraInfo = Constant.messages.getString( "ascanbeta.sessionfixation.alert.cookie.extrainfo", currentHtmlParameter.getName(), cookieBack1.getValue(), (cookieBack2 == null ? "NULL" : cookieBack2.getValue())); String attack = Constant.messages.getString("ascanbeta.sessionfixation.alert.attack", currentHtmlParameter.getType(), currentHtmlParameter.getName()); if (loginUrl) { extraInfo += ("\n" + Constant.messages .getString("ascanbeta.sessionfixation.alert.cookie.extrainfo.loginpage")); } bingo(Alert.RISK_INFO, Alert.CONFIDENCE_MEDIUM, msg2Initial.getRequestHeader().getURI().getURI(), currentHtmlParameter.getName(), attack, extraInfo, msg2Initial); logSessionFixation(msg2Initial, currentHtmlParameter.getType().toString(), currentHtmlParameter.getName()); } continue; // jump to the next iteration of the loop (ie, the next parameter) } // end of the cookie code. // start of the url parameter code // note that this actually caters for // - actual URL parameters // - pseudo URL parameters, where the sessionid was in the path portion of the URL, // in conjunction with URL re-writing if (currentHtmlParameter.getType().equals(HtmlParameter.Type.url)) { boolean isPseudoUrlParameter = false; // is this "url parameter" actually a url parameter, or was it // path of the path (+url re-writing)? String possibleSessionIdIssuedForUrlParam = null; // remove the named url parameter from the request.. TreeSet<HtmlParameter> urlRequestParams = msg1Initial.getUrlParams(); // get parameters? if (!urlRequestParams.remove(currentHtmlParameter)) { isPseudoUrlParameter = true; // was not removed because it was a pseudo Url parameter, not a real url // parameter.. (so it would not be in the url params) // in this case, we will need to "rewrite" (ie hack) the URL path to remove // the pseudo url parameter portion // ie, we need to remove the ";jsessionid=<sessionid>" bit from the path // (assuming the current field is named 'jsessionid') // and replace it with ";jsessionid=" (ie, we nullify the possible "session" // parameter in the hope that a new session will be issued) // then we continue as usual to see if the URL is vulnerable to a Session // Fixation issue // Side note: quote the string to search for, and the replacement, so that // regex special characters are treated as literals String hackedUrl = requestUrl.replaceAll( Pattern.quote(";" + currentHtmlParameter.getName() + "=" + currentHtmlParameter.getValue()), Matcher.quoteReplacement(";" + currentHtmlParameter.getName() + "=")); if (this.debugEnabled) log.debug("Removing the pseudo URL parameter from [" + requestUrl + "]: [" + hackedUrl + "]"); // Note: the URL is not escaped. Handle it. msg1Initial.getRequestHeader().setURI(new URI(hackedUrl, false)); } msg1Initial.setGetParams(urlRequestParams); // url parameters // send the message, minus the value for the current parameter, and see how it // comes back. // Note: automatically follow redirects.. no need to look at any intermediate // responses. // this was only necessary for cookie-based session implementations sendAndReceive(msg1Initial); // if non-200 on the response for message 1, no point in continuing. Bale out. if (msg1Initial.getResponseHeader().getStatusCode() != HttpStatusCode.OK) { if (this.debugEnabled) log.debug("Got a non-200 response code [" + msg1Initial.getResponseHeader().getStatusCode() + "] when sending [" + msg1Initial.getRequestHeader().getURI() + "] with param [" + currentHtmlParameter.getName() + "] = NULL (possibly somewhere in the redirects)"); continue; } // now parse the HTML response for urls that contain the same parameter name, // and look at the values for that parameter // if no values are found for the parameter, then // 1) we are messing with the wrong field, or // 2) the app doesn't do sessions // either way, there is not much point in continuing to look at this field.. // parse out links in HTML (assume for a moment that all the URLs are in links) // this gives us a map of parameter value for the current parameter, to the // number of times it was encountered in links in the HTML SortedMap<String, Integer> parametersInHTMLURls = getParameterValueCountInHtml( msg1Initial.getResponseBody().toString(), currentHtmlParameter.getName(), isPseudoUrlParameter); if (this.debugEnabled) log.debug("The count of the various values of the [" + currentHtmlParameter.getName() + "] parameters in urls in the result of retrieving the url with a null value for parameter [" + currentHtmlParameter.getName() + "]: " + parametersInHTMLURls); if (parametersInHTMLURls.isEmpty()) { // setting the param to NULL did not cause any new values to be generated // for it in the output.. // so either.. // it is not a session field, or // it is a session field, but a session is only issued on authentication, // and this is not an authentication url // the app doesn't do sessions (etc) // either way, the parameter/url combo is not vulnerable, so continue with // the next parameter if (this.debugEnabled) log.debug("The URL parameter [" + currentHtmlParameter.getName() + "] was NOT set in any links in the response, when " + (isPseudoUrlParameter ? "pseudo/URL rewritten" : "") + " URL param [" + currentHtmlParameter.getName() + "] was set to NULL in the request, so it is likely not a session id field"); continue; // to the next parameter } else if (parametersInHTMLURls.size() == 1) { // the parameter was set to just one value in the output // so it's quite possible it is the session id field that we have been // looking for // caveat 1: check it is longer than 3 chars long, to remove false // positives.. // we assume here that a real session id will always be greater than 3 // characters long // caveat 2: the value we got back for the param must be different from the // value we // over-wrote with NULL (empty) in the first place, otherwise it is very // unlikely to // be a session id field possibleSessionIdIssuedForUrlParam = parametersInHTMLURls.firstKey(); // did we get back the same value we just nulled out in the original // request? // if so, use this to eliminate false positives, and to optimise. if (possibleSessionIdIssuedForUrlParam.equals(currentHtmlParameter.getValue())) { if (this.debugEnabled) log.debug((isPseudoUrlParameter ? "pseudo/URL rewritten" : "") + " URL param [" + currentHtmlParameter.getName() + "], when set to NULL, causes 1 distinct values to be set for it in URLs in the output, but the possible session id value [" + possibleSessionIdIssuedForUrlParam + "] is the same as the value we over-wrote with NULL. 'Sorry, kid. You got the gift, but it looks like you're waiting for something'"); continue; // to the next parameter } if (possibleSessionIdIssuedForUrlParam.length() > 3) { // raise an alert here on an exposed session id, even if it is not // subject to a session fixation vulnerability // log.info("The URL parameter ["+ currentHtmlParameter.getName() + "] // was set ["+ // parametersInHTMLURls.get(possibleSessionIdIssuedForUrlParam)+ "] // times to ["+ possibleSessionIdIssuedForUrlParam + "] in links in the // response, when "+ (isPseudoUrlParameter?"pseudo/URL rewritten":"")+ " // URL param ["+ currentHtmlParameter.getName() + "] was set to NULL in // the request. This likely indicates it is a session id field."); // pass the original param value here, not the new value, since we're // displaying the session id exposed in the original message String extraInfo = Constant.messages.getString( "ascanbeta.sessionidexposedinurl.alert.extrainfo", currentHtmlParameter.getType(), currentHtmlParameter.getName(), currentHtmlParameter.getValue()); String attack = Constant.messages .getString("ascanbeta.sessionidexposedinurl.alert.attack", (isPseudoUrlParameter ? "pseudo/URL rewritten " : "") + currentHtmlParameter.getType(), currentHtmlParameter.getName()); String vulnname = Constant.messages.getString("ascanbeta.sessionidexposedinurl.name"); String vulndesc = Constant.messages.getString("ascanbeta.sessionidexposedinurl.desc"); String vulnsoln = Constant.messages.getString("ascanbeta.sessionidexposedinurl.soln"); if (loginUrl) { extraInfo += ("\n" + Constant.messages .getString("ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage")); } // call bingo with some extra info, indicating that the alert is // not specific to Session Fixation, but has its own title and // description (etc) // the alert here is "Session id exposed in url", or words to that // effect. bingo(Alert.RISK_MEDIUM, Alert.CONFIDENCE_MEDIUM, vulnname, vulndesc, getBaseMsg().getRequestHeader().getURI().getURI(), currentHtmlParameter.getName(), attack, extraInfo, vulnsoln, getBaseMsg()); if (log.isDebugEnabled()) { String logMessage = MessageFormat.format( "An exposed session identifier has been found at " + "[{0}] URL [{1}] on {2} field: [{3}]", getBaseMsg().getRequestHeader().getMethod(), getBaseMsg().getRequestHeader().getURI().getURI(), (isPseudoUrlParameter ? "pseudo " : "") + currentHtmlParameter.getType(), currentHtmlParameter.getName()); log.debug(logMessage); } // Note: do NOT continue to the next field at this point.. // since we still need to check for Session Fixation. } else { if (this.debugEnabled) log.debug((isPseudoUrlParameter ? "pseudo/URL rewritten" : "") + " URL param [" + currentHtmlParameter.getName() + "], when set to NULL, causes 1 distinct values to be set for it in URLs in the output, but the possible session id value [" + possibleSessionIdIssuedForUrlParam + "] is too short to be a real session id."); continue; // to the next parameter } } else { // strange scenario: setting the param to null causes multiple different // values to be set for it in the output // it could still be a session parameter, but we assume it is *not* a // session id field // log it, but assume it is not a session id if (this.debugEnabled) log.debug((isPseudoUrlParameter ? "pseudo/URL rewritten" : "") + " URL param [" + currentHtmlParameter.getName() + "], when set to NULL, causes [" + parametersInHTMLURls.size() + "] distinct values to be set for it in URLs in the output. Assuming it is NOT a session id as a consequence. This could be a false negative"); continue; // to the next parameter } //////////////////////////////////////////////////////////////////////////////////////////// /// Message 2 - processing starts here //////////////////////////////////////////////////////////////////////////////////////////// // we now have a plausible session id field to play with, so set it to a // borrowed value. // ie: lets re-send the request, but add in the new (valid) session value that // was just issued. // the aim is then to see if it accepts the session without re-issuing the // session id (BAD, in some circumstances), // or if it issues a new session value (GOOD, in most circumstances) // and set the (modified) session for the second message // use a copy of msg2Initial, since it has already had the correct session // removed in the request.. // do NOT use msg2Initial itself, as this will cause both requests in the GUI to // show the modified data.. // finally send the second message, and see how it comes back. HttpMessage msg2Initial = msg1Initial.cloneRequest(); // set the parameter to the new session id value (in different manners, // depending on whether it is a real url param, or a pseudo url param) if (isPseudoUrlParameter) { // we need to "rewrite" (hack) the URL path to remove the pseudo url // parameter portion // id, we need to remove the ";jsessionid=<sessionid>" bit from the path // and replace it with ";jsessionid=" (ie, we nullify the possible "session" // parameter in the hope that a new session will be issued) // then we continue as usual to see if the URL is vulnerable to a Session // Fixation issue // Side note: quote the string to search for, and the replacement, so that // regex special characters are treated as literals String hackedUrl = requestUrl.replaceAll( Pattern.quote(";" + currentHtmlParameter.getName() + "=" + currentHtmlParameter.getValue()), Matcher.quoteReplacement(";" + currentHtmlParameter.getName() + "=" + possibleSessionIdIssuedForUrlParam)); if (this.debugEnabled) log.debug("Changing the pseudo URL parameter from [" + requestUrl + "]: [" + hackedUrl + "]"); // Note: the URL is not escaped msg2Initial.getRequestHeader().setURI(new URI(hackedUrl, false)); msg2Initial.setGetParams(msg1Initial.getUrlParams()); // restore the GET params } else { // do it via the normal url parameters TreeSet<HtmlParameter> urlRequestParams2 = msg2Initial.getUrlParams(); urlRequestParams2.add(new HtmlParameter(Type.url, currentHtmlParameter.getName(), possibleSessionIdIssuedForUrlParam)); msg2Initial.setGetParams(urlRequestParams2); // restore the GET params } // resend a copy of the initial message, but with the new valid session // parameter added in, to see if it is accepted // automatically follow redirects, which are irrelevant for the purposes of // testing URL parameters sendAndReceive(msg2Initial); // final result was non-200, no point in continuing. Bale out. if (msg2Initial.getResponseHeader().getStatusCode() != HttpStatusCode.OK) { if (this.debugEnabled) log.debug("Got a non-200 response code [" + msg2Initial.getResponseHeader().getStatusCode() + "] when sending [" + msg2Initial.getRequestHeader().getURI() + "] with a borrowed session (or by following a redirect) for param [" + currentHtmlParameter.getName() + "]"); continue; // next field! } // do the analysis on the parameters in link urls in the HTML output again to // see if the session id was regenerated SortedMap<String, Integer> parametersInHTMLURls2 = getParameterValueCountInHtml( msg2Initial.getResponseBody().toString(), currentHtmlParameter.getName(), isPseudoUrlParameter); if (this.debugEnabled) log.debug("The count of the various values of the [" + currentHtmlParameter.getName() + "] parameters in urls in the result of retrieving the url with a borrowed session value for parameter [" + currentHtmlParameter.getName() + "]: " + parametersInHTMLURls2); if (parametersInHTMLURls2.size() != 1) { // either no values, or multiple values, but not 1 value. For a session // that was regenerated, we would have expected to see // just 1 new value if (this.debugEnabled) log.debug("The HTML has spoken. [" + currentHtmlParameter.getName() + "] doesn't look like a session id field, because there are " + parametersInHTMLURls2.size() + " distinct values for this parameter in urls in the HTML output"); continue; } // there is but one value for this param in links in the HTML output. But is it // vulnerable to Session Fixation? Ie, is it the same parameter? String possibleSessionIdIssuedForUrlParam2 = parametersInHTMLURls2.firstKey(); if (possibleSessionIdIssuedForUrlParam2.equals(possibleSessionIdIssuedForUrlParam)) { // same sessionid used in the output.. so it is likely that we have a // SessionFixation issue.. // use the url param extrainfo message, which is specific to the case of url // parameters and url re-writing Session Fixation issue // pretty much everything else is generic to all types of Session Fixation // vulnerabilities String extraInfo = Constant.messages.getString( "ascanbeta.sessionfixation.alert.url.extrainfo", currentHtmlParameter.getName(), possibleSessionIdIssuedForUrlParam, possibleSessionIdIssuedForUrlParam2); String attack = Constant.messages.getString("ascanbeta.sessionfixation.alert.attack", (isPseudoUrlParameter ? "pseudo/URL rewritten " : "") + currentHtmlParameter.getType(), currentHtmlParameter.getName()); int risk = Alert.RISK_LOW; if (loginUrl) { extraInfo += ("\n" + Constant.messages .getString("ascanbeta.sessionfixation.alert.url.extrainfo.loginpage")); // login page, so higher risk risk = Alert.RISK_MEDIUM; } else { // not a login page.. lower risk risk = Alert.RISK_LOW; } bingo(risk, Alert.CONFIDENCE_MEDIUM, getBaseMsg().getRequestHeader().getURI().getURI(), currentHtmlParameter.getName(), attack, extraInfo, getBaseMsg()); logSessionFixation(getBaseMsg(), (isPseudoUrlParameter ? "pseudo " : "") + currentHtmlParameter.getType(), currentHtmlParameter.getName()); continue; // jump to the next iteration of the loop (ie, the next parameter) } else { // different sessionid used in the output.. so it is unlikely that we have a // SessionFixation issue.. // more likely that the Session is being re-issued for every single request, // or we have issues a login request, which // normally causes a session to be reissued if (this.debugEnabled) log.debug("The " + (isPseudoUrlParameter ? "pseudo/URL rewritten" : "") + " parameter [" + currentHtmlParameter.getName() + "] in url [" + getBaseMsg().getRequestHeader().getMethod() + "] [" + getBaseMsg().getRequestHeader().getURI() + "] changes with requests, and so it likely not vulnerable to Session Fixation"); } continue; // onto the next parameter } // end of the url parameter code. } // end of the for loop around the parameter list } catch (Exception e) { // Do not try to internationalise this.. we need an error message in any event.. // if it's in English, it's still better than not having it at all. log.error("An error occurred checking a url for Session Fixation issues", e); } }