Projects STRLCPY Taipan Commits 25c30a96
  • ■ ■ ■ ■ ■
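--- a/Src/ES.Taipan.Inspector.AddOns/ES.Taipan.Inspector.AddOns.fsproj
+++ b/Src/ES.Taipan.Inspector.AddOns/ES.Taipan.Inspector.AddOns.fsproj
@@ -84,6 +84,7 @@
  <Compile Include="WebApplicationVulnerability\WebApplicationVulnerabilityAddOn.fs" />
  <Compile Include="WebFormBruteforcer\BruteforceHelper.fs" />
  <Compile Include="WebFormBruteforcer\WebFormBruteforcerAddOn.fs" />
+ <Compile Include="XMLExternalEntity\XMLExternalEntityAddOn.fs" />
  <None Include="paket.references" />
  </ItemGroup>
  <ItemGroup>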
  • ■ ■ ■ ■ ■
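--- a/Src/ES.Taipan.Inspector.AddOns/WebFormBruteforcer/WebFormBruteforcerAddOn.fs
+++ b/Src/ES.Taipan.Inspector.AddOns/WebFormBruteforcer/WebFormBruteforcerAddOn.fs
@@ -199,7 +199,8 @@
  let resultVerifier(falseResponse: WebResponse) (testResponse: WebResponse) =
  if falseResponse.HttpResponse.StatusCode = testResponse.HttpResponse.StatusCode then
  if HttpUtility.isRedirect(falseResponse.HttpResponse.StatusCode) then
- // if it is a relocation, check if the destinations are different
+ // if it is a relocation, check if the destinations are different. If they are different
+ // then a login has been successfully executed
  let templateLocation = HttpUtility.tryGetHeader("Location", falseResponse.HttpResponse.Headers)
  let testLocation = HttpUtility.tryGetHeader("Location", testResponse.HttpResponse.Headers)
 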
  • ■ ■ ■ ■ ■ ■
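--- a/Src/ES.Taipan.Inspector.AddOns/XMLExternalEntity/XMLExternalEntityAddOn.fs
+++ b/Src/ES.Taipan.Inspector.AddOns/XMLExternalEntity/XMLExternalEntityAddOn.fs
@@ -0,0 +1,45 @@
+namespace ES.Taipan.Inspector.AddOns.XMLExternalEntity
+
+open System
+open System.Collections.Generic
+open ES.Taipan.Inspector
+open ES.Taipan.Inspector.AddOns
+open ES.Taipan.Infrastructure.Service
+open ES.Taipan.Infrastructure.Messaging
+open ES.Taipan.Infrastructure.Network
+open ES.Taipan.Infrastructure.Text
+
+// Info: https://www.honoki.net/2018/12/from-blind-xxe-to-root-level-file-read-access/
+type XMLExternalEntityAddOn() as this =
+ inherit BaseStatelessAddOn("XML External Entity AddOn", string XMLExternalEntityAddOn.Id, 1)
+
+ let _analyzedPages = new HashSet<String>()
+
+ let _logger =
+ log "XMLExternalEntityAddOn"
+ |> build
+
+ let reportSecurityIssue(entryPoint: EntryPoint, webRequest: WebRequest, webResponse: WebResponse) =
+ let securityIssue =
+ new SecurityIssue(
+ HttpBruteforcerAddOn.Id,
+ Name = "XML External Entity (XXE)",
+ Uri = webRequest.HttpRequest.Uri,
+ EntryPoint = EntryPoint.Header
+ )
+
+ securityIssue.Transactions.Add(webRequest, webResponse)
+ this.Context.Value.AddSecurityIssue(securityIssue)
+
+ static member Id = Guid.Parse("77F5F5A9-EEA3-4622-BAD4-3EDBE8830E73")
+
+ default this.Initialize(context: Context, webRequestor: IWebPageRequestor, messageBroker: IMessageBroker, logProvider: ILogProvider) =
+ let initResult = base.Initialize(context, webRequestor, messageBroker, logProvider)
+ logProvider.AddLogSourceToLoggers(_logger)
+ // TODO load attack string template
+
+ initResult
+
+ default this.Scan(testRequest: TestRequest, stateController: ServiceStateController) =
+ if testRequest.RequestType = TestRequestType.CrawledPage && _analyzedPages.Add(testRequest.WebRequest.HttpRequest.Uri.AbsolutePath) then
+ ()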
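Review bot: `reportSecurityIssue` constructs the `SecurityIssue` with `HttpBruteforcerAddOn.Id`, so any finding this add-on reports would be attributed to the brute-force add-on rather than to XXE; the first constructor argument should be `XMLExternalEntityAddOn.Id,`. The same call hard-codes `EntryPoint = EntryPoint.Header` and never reads its `entryPoint` parameter, which looks like a leftover from copied code; `EntryPoint = entryPoint` would record where the XML was actually submitted. `Scan` currently only adds the path to `_analyzedPages` and returns unit, so pages are marked as analyzed without being tested; a `// TODO: XXE check not implemented yet` next to the `()` would keep the stub from being mistaken for a completed check.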
  • ■ ■ ■ ■ ■ ■
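--- a/Src/Groviera/Groviera.fsproj
+++ b/Src/Groviera/Groviera.fsproj
@@ -48,6 +48,8 @@
  <Reference Include="System.IO.Compression.FileSystem" />
  <Reference Include="System.Numerics" />
  <Reference Include="System.Transactions" />
+ <Reference Include="System.Xml" />
+ <Reference Include="System.Xml.Linq" />
  </ItemGroup>
  <ItemGroup>
  <Compile Include="AssemblyInfo.fs" />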
  • ■ ■ ■ ■ ■ ■
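--- a/Src/Groviera/InspectorPages.fs
+++ b/Src/Groviera/InspectorPages.fs
@@ -5,6 +5,10 @@
 open System.IO.Compression
 open System.Reflection
 open System.Collections.Generic
+open System.Xml
+open System.Xml.Linq
+open System.Xml.Schema
+open System.Text
 open Suave
 open Suave.Filters
 open Suave.Successful
@@ -15,14 +19,10 @@
 open Suave.Operators
 open Suave.Cookie
 open Suave.RequestErrors
-open Suave.Authentication
 open ES.Groviera.Utility
 open System.Data.SQLite
 
 module InspectorPages =
- open System.Text
- open System.Text
-
  let mutable private _test24Token = new List<String>()
  let mutable private _test25Token = new List<String>()
  let _baseDir = Path.GetDirectoryName(Assembly.GetExecutingAssembly().Location)
@@ -82,6 +82,7 @@
  <li>TEST38: <a href="/inspector/test38/">/inspector/test38/</a> RXSS on a password type parameter which implements check on password and retype password</li>
  <li>TEST39: <a href="/inspector/test39/">/inspector/test39/</a> An HTTP Basic protected page (admin:admin)</li>
  <li>TEST40: <a href="/inspector/test40/">/inspector/test40/</a> A Web Form only password protected page (admin)</li>
+ <li>TEST41: <a href="/inspector/test41/">/inspector/test41/</a> XXE Vulnerability</li>
  </ul><br/>
  </body>
 </html>""" ctx
@@ -468,6 +469,57 @@
  OK html ctx
 
  path "/inspector/test40/dashboard.php" >=> okContent "Welcome authenticated user"
+
+ path "/inspector/test41/" >=> okContent """
+ <html>
+ <head><title>Blind XXE vulnerability</title></head>
+ <body>
+ <a href="/inspector/test41/xml.php">This endpoint accept XML document if send with POST</a><br>
+ Test the endpoint:<br><br>
+ <textarea rows="10" cols="60" id="data">
+<note>
+ <user>Antonio</user>
+ <message>Hello from XML message</message>
+</note>
+ </textarea><br>
+ <button type="button" onclick="testEndpoint();">Test me</button>
+
+ <br><br>
+ <h2>Result</h2>
+ <div id="result"></div>
+
+ <script>
+ function testEndpoint()
+ {
+ var data = document.getElementById("data").value;
+
+ var xmlhttp = new XMLHttpRequest();
+ xmlhttp.open("POST","/inspector/test41/xml.php");
+ var xmlDoc;
+ xmlhttp.onreadystatechange = function() {
+ if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
+ document.getElementById("result").innerText += "\n" + xmlhttp.responseText;
+ }
+ };
+ xmlhttp.setRequestHeader('Content-Type', 'text/xml');
+ xmlhttp.send(data);
+ return true;
+ }
+ </script>
+ </body>
+ </html>
+ """
+
+ path "/inspector/test41/xml.php" >=> fun (ctx: HttpContext) ->
+ let xmlError = """
+ <result>
+ <errors>
+ <error>The request is invalid: The requested resource could not be found.</error>
+ </errors>
+ </result>
+ """
+ (NOT_FOUND xmlError >=> setHeader "Content-Type" "text/xml") ctx
+
  ]
 
  // *************************
@@ -592,6 +644,28 @@
  Redirection.redirect "/inspector/test40/dashboard.php" ctx
  else
  OK "Sorry but the password that you inserted are not equals" ctx
+
+ path "/inspector/test41/xml.php" >=> fun (ctx: HttpContext) ->
+ try
+ let xmlRequest = Encoding.Default.GetString(ctx.request.rawForm)
+ let settings =
+ new XmlReaderSettings(
+ DtdProcessing = DtdProcessing.Parse,
+ IgnoreProcessingInstructions = false,
+ ValidationType = ValidationType.DTD,
+ ValidationFlags = (XmlSchemaValidationFlags.ProcessInlineSchema ||| XmlSchemaValidationFlags.ReportValidationWarnings)
+
+ )
+ settings.XmlResolver <- new XmlUrlResolver()
+
+ use reader = XmlReader.Create(new StringReader(xmlRequest), settings)
+ let root = XDocument.Load(reader).Root
+ let from = root.Element(XName.Get("user")).Value
+ let body = root.Element(XName.Get("message")).Value
+ let xmlResponse = String.Format("<response>{0} said: {1}</response>", from, body)
+ (OK xmlResponse >=> setHeader "Content-Type" "text/xml") ctx
+ with e ->
+ INTERNAL_ERROR (e.ToString()) ctx
  ]
  ]
 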
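Review bot: The POST handler for `/inspector/test41/xml.php` is deliberately configured insecurely (`DtdProcessing.Parse` plus `XmlUrlResolver`), but nothing in the code says so, and the fixture page is titled "Blind XXE vulnerability" while the handler echoes the parsed `user`/`message` values and returns `e.ToString()` on failure. As written, resolved entity content and parser errors appear to come back in the response, so the test would be in-band rather than blind, and a scanner check validated only against it would not exercise the out-of-band case. If blind behaviour is intended, return a fixed body such as `(OK "<response>Message received</response>" >=> setHeader "Content-Type" "text/xml") ctx` and a generic message in the `with` branch instead of `INTERNAL_ERROR (e.ToString()) ctx`. I would also add a comment above `settings` such as `// Intentionally vulnerable test fixture: DTDs and external entities are resolved; never expose Groviera outside an isolated test host`. The enclosing route list starts and ends outside this hunk.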