Andres:
A working plugin/grep/wicket attached, please give some feedback and feel free
to add it to w3af if you like it.
Carlos Pantelides
-----------------
http://seguridad-agile.blogspot.com/
--- On Thu, 6/9/11, Andres Riancho <[email protected]> wrote:
> From: Andres Riancho <[email protected]>
> Subject: Re: [W3af-users] about wicket
> To: "Carlos Pantelides" <[email protected]>
> Cc: [email protected]
> Date: Thursday, June 9, 2011, 3:44 PM
>
> Carlos,
>
> On Thu, Jun 9, 2011 at 3:31 PM, Carlos Pantelides <[email protected]> wrote:
> >> You should see this change if you update to the latest version.
> >
> > Last version works fine.
>
> Great!
>
> > I successfully added a rule to pykto:
> >
> > [plugins/discovery/pykto/scan_database.db]
> > "generic","/","wicket","GET","Wicket found."
>
> That rule is very generic, and would trigger lots of false positives in
> websites that don't USE wicket, but talk about it.
>
> > but it shows as a vulnerability and I only want to report it.
> >
> > Please give me a hint about how I can add this kind of check. A short
> > paragraph.
>
> For playing around with the framework, the best option you've got is grep
> plugins. Just copy the "ajax.py" file in the same directory (under a new
> name) and change the regular expressions and/or xpath expressions that
> match against the HTTP responses. If you find a match, you can save an
> information object (info.info) to the knowledge base, send an email, run a
> command, etc. Anything that python can do.
>
> > Keep in mind that later I could add a few more framework detection rules
> > or scripts. I do not have enough spare time, so I can not go through all
> > the w3af arq/dev intro that surely exists.
> >
> > Thank you
> >
> > Carlos Pantelides
> >
> > -----------------
> >
> > http://seguridad-agile.blogspot.com/
>
> --
> Andrés Riancho
> Director of Web Security at Rapid7 LLC
> Founder at Bonsai Information Security
> Project Leader at w3af
>
'''
wicket.py

Copyright 2011 Andres Riancho and Carlos Pantelides

This file is part of w3af, w3af.sourceforge.net .

w3af is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation version 2 of the License.

w3af is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with w3af; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
'''

# options
from core.data.options.option import option
from core.data.options.optionList import optionList

from core.controllers.basePlugin.baseGrepPlugin import baseGrepPlugin
import core.data.kb.knowledgeBase as kb
import core.data.kb.info as info
from core.data.bloomfilter.bloomfilter import scalable_bloomfilter

import re


class wicket(baseGrepPlugin):
    '''
    Grep every page for traces of the Wicket framework.

    @author: Carlos Pantelides ([email protected] ) based upon work by Andres Riancho ( [email protected] )
    '''

    def __init__(self):
        baseGrepPlugin.__init__(self)

        # Internal variables: URLs that were already inspected, so that each
        # page is reported at most once
        self._already_inspected = scalable_bloomfilter()

        # Wicket keeps its state in the query string of the links and form
        # actions it generates (e.g. "?wicket:interface=..."), so matching on
        # "?wicket" inside URL attributes avoids the false positives of a
        # plain text search for the word "wicket"
        wicket_regex_string = r'\?wicket'
        self._wicket_regex_re = re.compile(wicket_regex_string, re.IGNORECASE)

    def grep(self, request, response):
        '''
        Plugin entry point.

        @parameter request: The HTTP request object.
        @parameter response: The HTTP response object
        @return: None, all results are saved in the kb.

        Init
        >>> from core.data.url.httpResponse import httpResponse
        >>> from core.data.request.fuzzableRequest import fuzzableRequest
        >>> from core.controllers.misc.temp_dir import create_temp_dir
        >>> from core.data.parsers.urlParser import url_object
        >>> o = create_temp_dir()

        Simple test, empty string.
        >>> body = ''
        >>> url = url_object('http://www.w3af.com/')
        >>> headers = {'content-type': 'text/html'}
        >>> response = httpResponse(200, body , headers, url, url)
        >>> request = fuzzableRequest()
        >>> request.setURL( url )
        >>> request.setMethod( 'GET' )
        >>> a = wicket()
        >>> a.grep(request, response)
        >>> assert len(kb.kb.getData('wicket', 'wicket')) == 0

        Discover wicket!
        >>> body = '<html><body><a href="/app?wicket:interface=:0:link::ILinkListener::">go</a></body></html>'
        >>> url = url_object('http://www.w3af.com/')
        >>> headers = {'content-type': 'text/html'}
        >>> response = httpResponse(200, body , headers, url, url)
        >>> request = fuzzableRequest()
        >>> request.setURL( url )
        >>> request.setMethod( 'GET' )
        >>> a = wicket()
        >>> a.grep(request, response)
        >>> assert len(kb.kb.getData('wicket', 'wicket')) == 1
        '''
        url = response.getURL()
        if response.is_text_or_html() and url not in self._already_inspected:
            # Don't repeat URLs
            self._already_inspected.add(url)

            dom = response.getDOM()
            # In some strange cases, we fail to normalize the document
            if dom is not None:
                # Only the URL-bearing attributes are inspected: form actions
                # and anchor hrefs
                for xpath_expr, attr_name in (('//form[@action]', 'action'),
                                              ('//a[@href]', 'href')):
                    for element in dom.xpath(xpath_expr):
                        res = self._wicket_regex_re.search(element.attrib[attr_name])
                        if res:
                            i = info.info()
                            i.setPluginName(self.getName())
                            i.setName('Wicket Framework')
                            i.setURL(url)
                            i.setDesc('The URL: "%s" seems to be generated by the Wicket framework.' % url)
                            i.setId(response.id)
                            i.addToHighlight(res.group(0))
                            kb.kb.append(self, 'wicket', i)

    def setOptions(self, OptionList):
        pass

    def getOptions(self):
        '''
        @return: A list of option objects for this plugin.
        '''
        ol = optionList()
        return ol

    def end(self):
        '''
        This method is called when the plugin won't be used anymore.
        '''
        self.printUniq(kb.kb.getData('wicket', 'wicket'), 'URL')

    def getPluginDeps(self):
        '''
        @return: A list with the names of the plugins that should be run before the
        current one.
        '''
        return []

    def getLongDesc(self):
        '''
        @return: A DETAILED description of the plugin functions and features.
        '''
        return '''
        This plugin greps every page for traces of the Wicket framework.
        '''
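The following is an added, stand-alone Python 3 illustration of the same detection logic; it is not part of the attached plugin or of w3af. It replaces w3af's DOM and knowledge base with the standard library's html.parser and a plain list, and puts the generic pykto-style rule ("wicket" anywhere in the body) next to the targeted check (a "?wicket" marker inside form actions and hrefs) so the false-positive difference Andres points out can be seen on two constructed pages. The two sample responses and the "?wicket:interface=" / "?wicket:bookmarkablePage=" query strings are constructed examples in the Wicket 1.x URL style the plugin's regex targets.

```python
import re
from html.parser import HTMLParser

# Same pattern as the plugin: the Wicket marker sits in the query string
WICKET_URL_RE = re.compile(r'\?wicket', re.IGNORECASE)


class _LinkExtractor(HTMLParser):
    """Collect the attributes the plugin inspects: form@action and a@href."""
    WANTED = {'form': 'action', 'a': 'href'}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr_name = self.WANTED.get(tag)
        if attr_name is None:
            return
        for name, value in attrs:
            if name == attr_name and value is not None:
                self.urls.append(value)


def generic_rule(body):
    """pykto-style rule: fires whenever the word 'wicket' appears in the body."""
    return 'wicket' in body.lower()


def wicket_urls(body):
    """Targeted check: the form actions / hrefs whose query string carries '?wicket'."""
    parser = _LinkExtractor()
    parser.feed(body)
    return [u for u in parser.urls if WICKET_URL_RE.search(u)]


class WicketGrep:
    """Per-scan state mirroring the plugin: each URL is inspected once,
    only text/html responses are parsed, findings are kept as (page, url)."""

    def __init__(self):
        self._already_inspected = set()  # stands in for the bloom filter
        self.findings = []               # stands in for kb.kb.append(...)

    def grep(self, url, content_type, body):
        if not content_type.startswith('text/html'):
            return []
        if url in self._already_inspected:
            return []
        self._already_inspected.add(url)
        new = [(url, match) for match in wicket_urls(body)]
        self.findings.extend(new)
        return new


# Constructed sample responses (not real sites)
BLOG_PAGE = ('<html><body><p>We migrated our app off Apache Wicket last year.</p>'
             '<a href="/posts/wicket-migration">Read more</a></body></html>')
WICKET_PAGE = ('<html><body>'
               '<form action="/app?wicket:interface=:0:form::IFormSubmitListener::">'
               '<input name="q"></form>'
               '<a href="/app?wicket:bookmarkablePage=:com.example.Home">Home</a>'
               '</body></html>')

if __name__ == '__main__':
    for label, page in (('blog page', BLOG_PAGE), ('wicket page', WICKET_PAGE)):
        print('%-11s generic rule: %-5s targeted urls: %s'
              % (label, generic_rule(page), wicket_urls(page)))
    scan = WicketGrep()
    scan.grep('http://app.example/', 'text/html; charset=utf-8', WICKET_PAGE)
    scan.grep('http://app.example/', 'text/html', WICKET_PAGE)  # deduplicated
    print('findings:', scan.findings)
```

The blog page trips the generic rule but yields no targeted match, while the Wicket page yields one finding per generated URL; re-scanning the same page URL adds nothing, which is the role the bloom filter plays in the plugin.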
_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users