Hello:
I've been working on a symfony !csrf protection plugin. I owe you the testing,
next month I'll have some spare time to make it. Meanwhile, I want to share it
with you.
Symfony has csrf protection activated by default in the forms, but sometimes
the devs disable it either by need or ignorance. The plugin first detects that
its symfony by means of a cookie. Then it scans every form and if it does not
find an input named *csrf*, reports it as a possible target.
I'll appreciate any feedback.
Carlos Pantelides
-----------------
http://seguridad-agile.blogspot.com/
'''
symfony.py
Copyright 2011 Andres Riancho and Carlos Pantelides
This file is part of w3af, w3af.sourceforge.net .
w3af is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation version 2 of the License.
w3af is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with w3af; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
'''
# options
from core.data.options.option import option
from core.data.options.optionList import optionList
from core.controllers.basePlugin.baseGrepPlugin import baseGrepPlugin
import core.data.kb.knowledgeBase as kb
import core.data.kb.info as info
from core.data.bloomfilter.bloomfilter import scalable_bloomfilter
import re
class symfony(baseGrepPlugin):
'''
Grep every page for traces of the Symfony framework.
@author: Carlos Pantelides ([email protected] ) based upon work by Andres Riancho ( [email protected] )
'''
def __init__(self):
baseGrepPlugin.__init__(self)
# Internal variables
self._already_inspected = scalable_bloomfilter()
csrf_protection_regex_string = '.*csrf_token'
self._csrf_protection_regex_re = re.compile( csrf_protection_regex_string, re.IGNORECASE )
def log(self, response, url, key,msg):
i = info.info()
i.setPluginName(self.getName())
i.setName('Symfony Framework')
i.setURL(url)
i.setDesc(msg)
i.setId(response.id)
kb.kb.append(self, 'symfony', i)
def grep(self, request, response):
'''
Plugin entry point.
@parameter request: The HTTP request object.
@parameter response: The HTTP response object
@return: None, all results are saved in the kb.
test cases:
symfony not found
symfony found
csrf found
csrf not found
mock:
response.getURL():string
response.is_text_or_html():true
response.getDom():xml
response.getHeaders():map
response.id:id
'''
url = response.getURL()
if response.is_text_or_html() and url not in self._already_inspected:
# Don't repeat URLs
self._already_inspected.add(url)
symfony_found = False
for header_name in response.getHeaders().keys():
if header_name.lower() == 'set-cookie':
protected_by = response.getHeaders()[header_name]
if re.match('^symfony=', protected_by):
symfony_found = True
break
if not symfony_found:
return
dom = response.getDOM()
if dom is not None:
forms = dom.xpath('//form')
if forms:
for form in forms:
csrf_protection = False
actions = form.xpath('//input[@id]')
if actions:
for action in actions:
res = self._csrf_protection_regex_re.search(action.attrib["id"])
if res:
csrf_protection = True
break
if not csrf_protection:
i = info.info()
i.setPluginName(self.getName())
i.setName('Symfony Framework')
i.setURL(url)
i.setDesc('The URL: "%s" seems to be generated by the Symfony framework and contains a form that perhaps has csrf protection disabled.' % url)
i.setId(response.id)
kb.kb.append(self, 'symfony', i)
def setOptions( self, OptionList ):
pass
def getOptions( self ):
'''
@return: A list of option objects for this plugin.
'''
ol = optionList()
return ol
def end(self):
'''
This method is called when the plugin wont be used anymore.
'''
self.printUniq( kb.kb.getData( 'symfony', 'symfony' ), 'URL' )
def getPluginDeps( self ):
'''
@return: A list with the names of the plugins that should be runned before the
current one.
'''
return []
def getLongDesc( self ):
'''
@return: A DETAILED description of the plugin functions and features.
'''
return '''
This plugin greps every page for traces of the Symfony framework and the lack of csrf protection.
'''
------------------------------------------------------------------------------
Magic Quadrant for Content-Aware Data Loss Prevention
Research study explores the data loss prevention market. Includes in-depth
analysis on the changes within the DLP market, and the criteria used to
evaluate the strengths and weaknesses of these DLP solutions.
http://www.accelacomm.com/jaw/sfnl/114/51385063/
_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users
