■ ■ ■ ■ ■ ■ ■
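--- a/Src/Groviera/InspectorPages.fs
+++ b/Src/Groviera/InspectorPages.fs
@@ -5,6 +5,10 @@
 open System.IO.Compression
 open System.Reflection
 open System.Collections.Generic
+open System.Xml
+open System.Xml.Linq
+open System.Xml.Schema
+open System.Text
 open Suave
 open Suave.Filters
 open Suave.Successful
@@ -15,14 +19,10 @@
 open Suave.Operators
 open Suave.Cookie
 open Suave.RequestErrors
-open Suave.Authentication
 open ES.Groviera.Utility
 open System.Data.SQLite
 
 module InspectorPages =
-open System.Text
-open System.Text
-
 let mutable private _test24Token = new List<String>()
 let mutable private _test25Token = new List<String>()
 let _baseDir = Path.GetDirectoryName(Assembly.GetExecutingAssembly().Location)
@@ -82,6 +82,7 @@
 <li>TEST38: <a href="/inspector/test38/">/inspector/test38/</a> RXSS on a password type parameter which implements check on password and retype password</li>
 <li>TEST39: <a href="/inspector/test39/">/inspector/test39/</a> An HTTP Basic protected page (admin:admin)</li>
 <li>TEST40: <a href="/inspector/test40/">/inspector/test40/</a> A Web Form only password protected page (admin)</li>
+<li>TEST41: <a href="/inspector/test41/">/inspector/test41/</a> XXE Vulnerability</li>
 </ul><br/>
 </body>
 </html>""" ctx
@@ -468,6 +469,57 @@
 OK html ctx
 
 path "/inspector/test40/dashboard.php" >=> okContent "Welcome authenticated user"
+
+path "/inspector/test41/" >=> okContent """
+<html>
+<head><title>Blind XXE vulnerability</title></head>
+<body>
+<a href="/inspector/test41/xml.php">This endpoint accept XML document if send with POST</a><br>
+Test the endpoint:<br><br>
+<textarea rows="10" cols="60" id="data">
+<note>
+<user>Antonio</user>
+<message>Hello from XML message</message>
+</note>
+</textarea><br>
+<button type="button" onclick="testEndpoint();">Test me</button>
+
+<br><br>
+<h2>Result</h2>
+<div id="result"></div>
+
+<script>
+function testEndpoint()
+{
+var data = document.getElementById("data").value;
+
+var xmlhttp = new XMLHttpRequest();
+xmlhttp.open("POST","/inspector/test41/xml.php");
+var xmlDoc;
+xmlhttp.onreadystatechange = function() {
+if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
+document.getElementById("result").innerText += "\n" + xmlhttp.responseText;
+}
+};
+xmlhttp.setRequestHeader('Content-Type', 'text/xml');
+xmlhttp.send(data);
+return true;
+}
+</script>
+</body>
+</html>
+"""
+
+path "/inspector/test41/xml.php" >=> fun (ctx: HttpContext) ->
+let xmlError = """
+<result>
+<errors>
+<error>The request is invalid: The requested resource could not be found.</error>
+</errors>
+</result>
+"""
+(NOT_FOUND xmlError >=> setHeader "Content-Type" "text/xml") ctx
+
 ]
 
 // *************************
@@ -592,6 +644,28 @@
 Redirection.redirect "/inspector/test40/dashboard.php" ctx
 else
 OK "Sorry but the password that you inserted are not equals" ctx
+
+path "/inspector/test41/xml.php" >=> fun (ctx: HttpContext) ->
+try
+let xmlRequest = Encoding.Default.GetString(ctx.request.rawForm)
+let settings =
+new XmlReaderSettings(
+DtdProcessing = DtdProcessing.Parse,
+IgnoreProcessingInstructions = false,
+ValidationType = ValidationType.DTD,
+ValidationFlags = (XmlSchemaValidationFlags.ProcessInlineSchema ||| XmlSchemaValidationFlags.ReportValidationWarnings)
+
+)
+settings.XmlResolver <- new XmlUrlResolver()
+
+use reader = XmlReader.Create(new StringReader(xmlRequest), settings)
+let root = XDocument.Load(reader).Root
+let from = root.Element(XName.Get("user")).Value
+let body = root.Element(XName.Get("message")).Value
+let xmlResponse = String.Format("<response>{0} said: {1}</response>", from, body)
+(OK xmlResponse >=> setHeader "Content-Type" "text/xml") ctx
+with e ->
+INTERNAL_ERROR (e.ToString()) ctx
 ]
 ]
 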
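Review bot: In the POST handler for `/inspector/test41/xml.php` (new lines 648–668) the unsafe parser settings carry no marker that they are deliberate, and the landing page calls the case "Blind XXE" although the handler returns the parsed `user`/`message` values and `e.ToString()` in the response, so resolved entity content and parser errors come back in-band. A comment above `settings`, e.g. `// TEST41: intentionally unsafe - DTD processing and XmlUrlResolver are enabled so scanners can detect XXE; do not reuse`, plus one title ("XXE" or "Blind XXE") used consistently in the index and on the page, would make the test's intent and coverage unambiguous. `Encoding.Default.GetString(ctx.request.rawForm)` decodes with the host's default encoding regardless of the encoding named in the XML declaration; handing the bytes to the reader as a stream, `XmlReader.Create(new MemoryStream(ctx.request.rawForm), settings)`, would let the parser honour the declared encoding. Because the resolver fetches local files and remote URLs from whatever host runs the app, the test description should also say that it belongs on an isolated lab machine. The handler sits inside a route list that opens outside the visible hunk.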