> > How can I ask if a cookie is set?
>
> Not sure if there is a "clean" way of asking xUrllib
> if in the next request it will send a cookie or not
> (also, it depends on the request you make, since cookies
> might be restricted to a path).
> What you could do, is to have two parts of the plugin,
> one to analyse all responses until you see a set-cookie
> and set an attribute like self._cookie_sent to True;
> and the second part (which will run only when
> _cookie_sent is True?!) that analyses forms.
ok, in august I'll spend some time. I've attached a new version with cosmetic
changes.
> >> Where can I test this plugin?
These two sites are taken "from the manual", they both use a cookie with
symfony=.... The first one has csrf activated, the other one no.
http slash slash bkdjombang dot com
http slash slash www dot katrinjuntke dot ch slash kontakt
There are a lot of other sites that changed the cookie, like
http slash slash level 7 systems dot co dot uk slash en slash contact-us
https slash slash ssl7 dot net slash websitechat dot net slash login
that have the csrf form protection disabled, but perhaps has moved it to a
cookie. Anyway, they are undetectable as symfony. That narrows the utility of
the plugin, thumbs up for symfony! (and the developers that change the
defaults, but, we are not sure that they really run symfony...)
I took the sites from http://www.appliedstacks.com/NewestFirst/Symfony
> > Charli
'''
symfony.py
Copyright 2011 Andres Riancho and Carlos Pantelides
This file is part of w3af, w3af.sourceforge.net .
w3af is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation version 2 of the License.
w3af is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with w3af; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
'''
# options
from core.data.options.option import option
from core.data.options.optionList import optionList
from core.controllers.basePlugin.baseGrepPlugin import baseGrepPlugin
import core.data.kb.knowledgeBase as kb
import core.data.kb.info as info
from core.data.bloomfilter.bloomfilter import scalable_bloomfilter
import re
class symfony(baseGrepPlugin):
'''
Grep every page for traces of the Symfony framework.
@author: Carlos Pantelides ([email protected] ) based upon work by Andres Riancho ( [email protected] )
'''
def __init__(self):
baseGrepPlugin.__init__(self)
# Internal variables
self._already_inspected = scalable_bloomfilter()
csrf_protection_regex_string = '.*csrf_token'
self._csrf_protection_regex_re = re.compile( csrf_protection_regex_string, re.IGNORECASE )
def grep(self, request, response):
'''
Plugin entry point.
@parameter request: The HTTP request object.
@parameter response: The HTTP response object
@return: None, all results are saved in the kb.
test cases:
symfony not found
symfony found
csrf found
csrf not found
mock:
response.getURL():string
response.is_text_or_html():true
response.getDom():xml
response.getHeaders():map
response.id:id
'''
url = response.getURL()
if response.is_text_or_html() and url not in self._already_inspected:
# Don't repeat URLs
self._already_inspected.add(url)
symfony_found = False
for header_name in response.getHeaders().keys():
if header_name.lower() == 'set-cookie':
protected_by = response.getHeaders()[header_name]
if re.match('^symfony=', protected_by):
symfony_found = True
break
if not symfony_found:
return
dom = response.getDOM()
if dom is not None:
forms = dom.xpath('//form')
if forms:
for form in forms:
csrf_protection = False
inputs = form.xpath('//input[@id]')
if inputs:
for input in inputs:
res = self._csrf_protection_regex_re.search(input.attrib["id"])
if res:
csrf_protection = True
break
if not csrf_protection:
i = info.info()
i.setPluginName(self.getName())
i.setName('Symfony Framework')
i.setURL(url)
i.setDesc('The URL: "%s" seems to be generated by the Symfony framework and contains a form that perhaps has csrf protection disabled.' % url)
i.setId(response.id)
kb.kb.append(self, 'symfony', i)
def setOptions( self, OptionList ):
pass
def getOptions( self ):
'''
@return: A list of option objects for this plugin.
'''
ol = optionList()
return ol
def end(self):
'''
This method is called when the plugin wont be used anymore.
'''
self.printUniq( kb.kb.getData( 'symfony', 'symfony' ), 'URL' )
def getPluginDeps( self ):
'''
@return: A list with the names of the plugins that should be runned before the
current one.
'''
return []
def getLongDesc( self ):
'''
@return: A DETAILED description of the plugin functions and features.
'''
return '''
This plugin greps every page for traces of the Symfony framework and the lack of csrf protection.
'''
------------------------------------------------------------------------------
Magic Quadrant for Content-Aware Data Loss Prevention
Research study explores the data loss prevention market. Includes in-depth
analysis on the changes within the DLP market, and the criteria used to
evaluate the strengths and weaknesses of these DLP solutions.
http://www.accelacomm.com/jaw/sfnl/114/51385063/
_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users
