andresriancho / w3af Goto Github PK
w3af: web application attack and audit framework, the open source web vulnerability scanner.
Home Page: http://w3af.org/
Add an object that inherits from info() and represents a system fingerprint. We should have different classes of fingerprint objects: one for the OS, another for the HTTP daemon, another for the programming language, another for the programming framework, etc. These should be stored in the KB by the infrastructure plugins that do this job. In the future this could be used by the core to cross this info with an XML file that says "PHP version X.Y.Z has vulnerability CVE-12345".
Encode/Decode tool:
Export request tool:
Perform a valid scan and verify vulnerabilities appear in log and KB; exploit the vulnerability and execute a command in the shell; execute a payload in the shell
Manual request editor:
All attack plugins should use shell_identifiers to extract information.
Perform a valid scan and verify vulnerabilities appear in log and KB; clear results; perform a scan with different configuration and verify results
The simplest solution would be to set the output manager instance as an attribute of the w3afCore, but maybe there is a different design pattern I could use? Research design patterns for logging.
This task gets even more complicated because of "Move grep plugins to a multiprocessing process pool" #28, which requires me to be able to send logging messages from different processes.
More details and related information at "Remove KB and CF singleton objects" #26
Review this comment and the associated code: "This except clause will catch unexpected errors For the first N errors, return an empty response... Then a w3afMustStopException will be raised"
New crawl plugin: http://host.tld/images.jsp?id=3 #> http://host.tld/images/
Remove Rapid7 branding from threading2 branch
As a user I want to be able to detect XXE vulnerabilities
application/xml data which we got via a spider_man. The XXE is in the XML we send in the post-body. In this case test two different things:
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file://c:/boot.ini">]><foo>&xxe;</foo>
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:////etc/passwd">]><foo>&xxe;</foo>
Once detected, I could check for RCE with a payload that contains (]>) just like it is explained here: https://gist.github.com/3623896
Going to leave exploitation out of the initial implementation since it's complex to code and users can do it on their own.
OS detection needs to be in the core (near 404 fingerprinting). Add also ICMP fingerprinting and a filename case sensitivity check (index.html vs. indEX.html in URLs).
Local Proxy:
Move knowledgeBase and config to sqlite databases; and use sqlite's concurrency (https://www.sqlite.org/faq.html#q5) in our favor: each process should open a connection to the sqlite file, when creating a new process we don't need to share the whole kb/cf, we just share the name of the file where the data is stored.
Glob DoS plugin: " with .../blah.php?a=/..//..//..//..//..//../* "
Show progress and status in some meaningful way in both consoleUI and gtkUI. Also, fix this error: "Current value can never be greater than max value!"
Add a one-time "show and accept" window for w3af's disclaimer (core/data/constants/disclaimer.py):
The current auto-update code looks for updates from Sourceforge's repository using pysvn. Modify the code to make it look for updates in this repo.
Attack plugins should support the case when the application returns the expected command output more than once. The problem looks like this:
http://localhost/foo?cmd=whoami
...
root
http://localhost/foo?cmd=whoami
...
root
...
root
...
root
The plugins that require a thread-safe fix are:
"Shay Chen @sectooladdict: try the premium login page of the latest puzzlemall. Watch http://www.youtube.com/watch?v=3k_eJ1bcCro&feature=plcp"
Migrate automated ticket creation to use the w3af issues for tickets.
Create a new label to report vulnerabilities there.
Some unittests in w3af use SVN repo meta-data to determine if the file needs to be updated. Migrate this to use git meta-data
Need to define how to test it without a Windows environment
Research: Maybe the w3af scan should run on a different process and the GTK UI should be running in a process where no other threads are running? This would be easy to achieve if KB and CF are in sqlite backends.
Verify if error handling works as expected and unittest all of it:
* Ctrl+C does what we expect (in both console and gui)
* Ctrl+C still stops the crawl process? Verify documentation.
Verify if I can write a plugin or core component that exploits the 8.3 filename format as explained by Bogdan in a blog post. Tomas sent iis_short_name_brute.py a while ago which could be useful; but I was thinking about something that wouldn't depend on a separate wordlist. My idea would work more like:
As a user I want w3af to find as many XSS vulnerabilities as possible.
While I was re-writing the code as specified in the Context code rewrite v2.0 section one main issue appeared: finding context based on inside_context (see below and code in xss branch) was too error/false-positive prone. With inside_context the context accuracy is rather low.
The main reason for using the previous strategy was that we're sending payloads that might break the HTML structure, thus classic parsers would be unable to determine the payload's location. A solution for this issue would be to:
Using that strategy we would be able to use almost any HTML parser to determine the context, the problems that I foresee now are:
The same problem with context appears when parsing JavaScript and CSS, so we might need to find a parser for that too.
An option that we might experiment with is to build our own parser-lexer
This method looks promising. If we use this there is a silly trick that might come in handy to determine if the payload is in single/double/backtick quotes: simply dump the tag text, get the attribute value (containing the payload) and search for "fooPAYLOADbar", then if that's not in the tag text search for the same but with single quotes and so on. The only detail would be to check for " and ' escapes.
The code that processes the HTML and makes it possible to identify the HTML context where the payload landed is complex, hard to debug and extend. So I propose a rewrite with the following objectives:
ByteChunk
```python
class Context(object):
    NAME = 'HTML'

    @staticmethod
    def match(normalized_html):
        return True

    def can_break(self, payload):
        raise NotImplementedError

    def executable(self):
        return False

    @staticmethod
    def inside_context(normalized_html, context_start, context_end):
        """
        :return: True if we perform a reverse find of context_start (ie '<script'), then
                 a reverse find of context_end (ie. '</script>') and the second has a
                 lower index; meaning we're still in the context of '<script>' tag
        :param context_start: Would be '<script' in the example above
        :param context_end: Would be '</script>' in the example above
        """
        start_idx = normalized_html.rfind(context_start)
        end_idx = normalized_html.rfind(context_end)
        return start_idx != -1 and end_idx < start_idx

    @staticmethod
    def current_context_content(normalized_html, context_start, context_end):
        """
        Extract the current context text, handles the following cases:
            <script type="application/json">foo();</script>
            <script>foo();</script>
        Returning 'foo();' in both.
        :param context_start: Would be '<script' in the example above
        :param context_end: Would be '</script>' in the example above
        """
        start_idx = normalized_html.rfind(context_start)
        if start_idx == -1:
            return None
        # skip the opening tag, including any attributes, up to its '>'
        body_start = normalized_html.find('>', start_idx) + 1
        body_end = normalized_html.find(context_end, body_start)
        if body_end == -1:
            body_end = len(normalized_html)
        return normalized_html[body_start:body_end]
```
This context matches if we're inside a <script> tag:
```python
class ScriptTagContext(Context):
    NAME = 'SCRIPT_TAG'

    @staticmethod
    def match(normalized_html):
        return Context.inside_context(normalized_html, '<script', '</script>')
```
This context matches when we're inside a script tag and a multi-line comment:
```python
class ScriptTagMultiLineCommentContext(ScriptTagContext):
    NAME = 'SCRIPT_MULTI_COMMENT'

    @staticmethod
    def match(normalized_html):
        if not ScriptTagContext.match(normalized_html):
            return False

        script_code = Context.current_context_content(normalized_html, '<script', '</script>')
        # get_js_context and JSMultiLineComment are the proposed JavaScript
        # sub-context helpers described below; they are not defined in this sketch
        js_context = get_js_context(script_code)
        if js_context is None:
            return False

        return isinstance(js_context, JSMultiLineComment)

    def can_break(self, payload):
        return '*/' in payload
```
Since contexts don't hold any data I believe it would be smart to make the match method a @staticmethod and only create an instance when we find a match and need to return it to the xss plugin.
With this new approach the order in which we match the contexts is very important. It MUST start with the more specific contexts and then move down to the generic cases (ScriptTagMultiLineCommentContext goes before ScriptTagContext)
It might be a good idea to write the inside_context(normalized_html, '<script', '</script>') with an lru cache, since we might call it with the same params several times (one for each context+sub-contexts inside it).
JavaScript can be found in several places:
* <script>...</script>
* <a href="javascript:...">
* <a onmouseover="...">
When found we need to analyze the JS code to understand if in this context we can run arbitrary code (or not). In order to do this we'll need JavaScript sub-contexts.
What I have in mind is to:
can_break or if it's executable (just like the other contexts)
Same as above but for CSS
The idea is to rewrite the attack plugin "fast exploit" feature, which never worked as expected, using a simple idea: "Users add vulnerabilities to the KB manually, attack plugins exploit them just as they would exploit a vulnerability added by a plugin". For doing this, I have to define vulnerability templates for allowing users to add the vulns with the required data.
This will require code at the core level, testing of all templates with the corresponding attack plugin, and modifications in the console and GUI in order to give the user the ability to add vulnerabilities to the KB.
Since running a scan and verifying the results is already done in other tests, just test if the invalid URL error can be corrected.
Remove the ugly kb and cf "singleton" objects. The main goal is to be able to have two w3afCore objects in the same python process. This is a continuation of the feature/module efforts.
A good idea would be to make the kb and cf objects w3afCore attributes.
Related with #25 (Remove output manager singleton).
Inject into parameter names, something like http://host/foo<script>...</script>=3 , details here http://blog.portswigger.net/2008/08/attacking-parameter-names.html
In order to achieve this EPIC task, many things need to be analyzed.
We already tried to do this, and failed: https://github.com/andresriancho/w3af/commits/multiprocessing
I need a good way to measure performance of this improvement, so before even starting I'll need to define how to measure performance improvements.
A good idea would be to:
Compare before and after.
Grep plugins call the output manager to print information about newly identified vulnerabilities. Calling the output manager from another process is an already solved problem, see how this was done in the multiprocessing document parser.
The same ideas could be applied to communication with cf and kb from the main thread.
We can re-use a lot of the things we learnt from the multiprocessing document parser.
Serialization is completely transparent when using pebble. If all attributes from request and response are serializable then we wouldn't have any issues. The only worry I have is the re-work of, for example, having to parse the same HTTP response in each process because I had to remove that attribute from the HTTP response instance before sending it to the wire.
The main thread would create N grep consumer processes, each with its own queue. Each process would have a subset of the enabled grep plugins. Each enabled grep plugin would have only one instance, living in one of the grep consumer processes.
When the main thread receives a request / response, it has to send it to all grep consumer processes.
Having multiple processes for the grep consumer means that the multiprocessing document parser cache will have N instances and be 1/N times effective. A lot of rework would be done to parse the same response multiple times. This is something to solve.
Grep plugins query the KnowledgeBase and cf objects, how are we going to "proxy" (?) those calls to the parent process / main thread?
Fuzzy request editor:
https://sourceforge.net/apps/trac/w3af/wiki/pydev-setup and change the documentation to use git instead of svn
Create a profile with 1 enabled plugin from each family, click on "Empty Profile" and then back on the newly created plugin. Verify that the configuration is there.