8.6. Complete Source Code
The rest of this chapter contains the complete source code for the
two scripts developed and outlined in this chapter.
8.6.1. simpleScanner.pl
Example 8-8 shows the full source code for the
simpleScanner.pl script.
Example 8-8. Code for simpleScanner.pl
#!/usr/bin/perl
use LWP::UserAgent;
use strict;
use Getopt::Std;
my %args;
getopts('c:o:v', \%args);
printReport("\n** Simple Web Application Scanner **\n");
if ($#ARGV < 1) {
die "\n$0 [-o <file>] [-c <cookie data>] [-v] inputfile
http://hostname\n\n-c: Use HTTP Cookie\n-o: Output File\n-v: Be Verbose\n";
}
# Open input file
open(IN, "< $ARGV[0]") or die"ERROR => Can't open file $ARGV[0].\n";
my @requestArray = <IN>;
my ($oRequest,$oResponse, $oStatus, %dirLog, %paramLog);
printReport("\n** Beginning Scan **\n\n");
# Loop through each of the input file requests
foreach $oRequest (@requestArray) {
# Remove line breaks and carriage returns
$oRequest =~ s/(\n|\r)//g;
# Only process GETs and POSTs
if ($oRequest =~ /^(GET|POST)/) {
# Check for request data
if ($oRequest =~ /\?/) {
# Issue the original request for reference purposes
($oStatus, $oResponse) = makeRequest($oRequest);
#Populate methodAndFile and reqData variables
my ($methodAndFile, $reqData) = split(/\?/, $oRequest, 2);
my @reqParams = split(/\&/, $reqData);
my $pLogEntry = $methodAndFile;
# Build parameter log entry
my $parameter;
foreach $parameter (@reqParams) {
my ($pName) = split("=", $parameter);
$pLogEntry .= "+".$pName;
}
$paramLog{$pLogEntry}++;
if ($paramLog{$pLogEntry} eq 1) {
# Loop to perform test on each parameter
for (my $i = 0; $i <= $#reqParams; $i++) {
my $testData;
# Loop to reassemble the request parameters
for (my $j = 0; $j <= $#reqParams; $j++) {
if ($j == $i) {
my ($varName, $varValue) = split("=",$reqParams[$j],2);
$testData .= $varName."="."---PLACEHOLDER---"."&";
} else {
$testData .= $reqParams[$j]."&";
}
}
chop($testData);
my $paramRequest = $methodAndFile."?".$testData;
## Perform input validation tests
my $sqlVuln = sqlTest($paramRequest);
my $xssVuln = xssTest($paramRequest);
} # End of loop for each request parameter
} # End if statement for unique parameter combos
} # Close if statement checking for request data
my $trash;
($trash, $oRequest, $trash) = split(/\ |\?/, $oRequest);
my @directories = split(/\//, $oRequest);
my @checkSlash = split(//, $oRequest);
my $totalDirs = $#directories;
# Start looping through each directory level
for (my $d = 0; $d <= $totalDirs; $d++) {
if ((($checkSlash[(-1)] ne "/") && ($d == 0)) || ($d != 0)) {
pop(@directories);
}
my $dirRequest = "GET ".join("/", @directories)."\/";
# Add directory log entry
$dirLog{$dirRequest}++;
if ($dirLog{$dirRequest} eq 1) {
my $dListVuln = dirList($dirRequest);
my $dPutVuln = dirPut($dirRequest);
} # End check for unique directory
} # End loop for each directory level
} # End check for GET or POST request
} # End loop on each input file entry
printReport("\n\n** Scan Complete **\n\n");
sub dirPut {
my ($putRequest, $putStatus, $putResults, $putVulnerable);
($putRequest) = @_;
# Format the test request to upload the file
$putRequest =~ s/^GET/PUT/;
$putRequest .= "uploadTest.txt?ThisIsATest";
# Make the request and get the response data
($putStatus, $putResults) = makeRequest($putRequest);
# Format the request to check for the new file
$putRequest =~ s/^PUT/GET/;
$putRequest =~ s/\?ThisIsATest//;
# Check for the uploaded file
($putStatus, $putResults) = makeRequest($putRequest);
if ($putResults =~ /ThisIsATest/) {
$putVulnerable = 1;
# If vulnerable, print something to the user
printReport("\n\nALERT: Writeable Directory Detected:\n=> $putRequest\n\n");
} else {
$putVulnerable = 0;
}
# Return the test results.
return $putVulnerable;
}
sub dirList {
my ($dirRequest, $dirStatus, $dirResults, $dirVulnerable);
($dirRequest) = @_;
# Make the request and get the response data
($dirStatus, $dirResults) = makeRequest($dirRequest);
# Check to see if it looks like a listing
if ($dirResults =~ /(<TITLE>Index of \/|(<h1>|<title>)Directory Listing For|<title>Directory of|\"\?N=D\"|\"\?S=A\"|\"\?M=A\"|\"\?D=A\"| - \/<\/title>|<dir>| - \/<\/H1><hr>|\[To Parent Directory\])/i) {
$dirVulnerable = 1;
# If vulnerable, print something to the user
printReport("\n\nALERT: Directory Listing Detected:\n=> $dirRequest\n\n");
} else {
$dirVulnerable = 0;
}
# Return the test results.
return $dirVulnerable;
}
sub xssTest {
my ($xssRequest, $xssStatus, $xssResults, $xssVulnerable);
($xssRequest) = @_;
# Replace the "---PLACEHOLDER---" string with our test string
$xssRequest =~ s/---PLACEHOLDER---/"><script>alert('Vulnerable');<\/script>/;
# Make the request and get the response data
($xssStatus, $xssResults) = makeRequest($xssRequest);
# Check to see if the output matches our vulnerability signature.
if ($xssResults =~ /"><script>alert\('Vulnerable'\);<\/script>/i) {
$xssVulnerable = 1;
# If vulnerable, print something to the user
printReport("\n\nALERT: Cross-Site Scripting Vulnerability Detected:\n=> $xssRequest\n\n");
} else {
$xssVulnerable = 0;
}
# Return the test results
return $xssVulnerable;
}
sub sqlTest {
my ($sqlRequest, $sqlStatus, $sqlResults, $sqlVulnerable);
($sqlRequest) = @_;
# Replace the "---PLACEHOLDER---" string with our test string
$sqlRequest =~ s/---PLACEHOLDER---/te'st/;
# Make the request and get the response data
($sqlStatus, $sqlResults) = makeRequest($sqlRequest);
# Check to see if the output matches our vulnerability signature.
my $sqlRegEx = qr /(OLE DB|SQL Server|Incorrect Syntax|ODBC Driver|ORA-|SQL command
not|Oracle Error Code|CFQUERY|MySQL|Sybase| DB2 |Pervasive|Microsoft Access|MySQL|
CLI Driver|The string constant beginning with|does not have an ending string
delimiter|JET Database Engine error)/i;
if (($sqlResults =~ $sqlRegEx) && ($oResponse !~ $sqlRegEx)) {
$sqlVulnerable = 1;
printReport("\n\nALERT: Database Error Message Detected:\n=>
$sqlRequest\n\n");
} else {
$sqlVulnerable = 0;
}
# Return the test result indicator
return $sqlVulnerable;
}
sub makeRequest {
my ($request, $lwp, $method, $uri, $data, $req, $status, $content);
($request)=@_;
if ($args{v}) {
printReport("Making Request: $request\n");
} else {
print ".";
}
# Setup LWP UserAgent
$lwp = LWP::UserAgent->new(env_proxy => 1,
keep_alive => 1,
timeout => 30,
);
# Method should always precede the request with a space
($method, $uri) = split(/ /, $request);
# PUTS and POSTS should have data appended to the request
if (($method eq "POST") || ($method eq "PUT")) {
($uri, $data) = split(/\?/, $uri);
}
# Append the URI to the hostname and setup the request
$req = new HTTP::Request $method => $ARGV[1].$uri;
# Add request content for POST and PUTS
if ($data) {
$req->content_type('application/x-www-form-urlencoded');
$req->content($data);
}
# If cookies are defined, add a COOKIE header
if ($args{c}) {
$req->header(Cookie => $args{c});
}
my $response = $lwp->request($req);
# Extract the HTTP status code and HTML content from the response
$status = $response->status_line;
$content = $response->content;
if ($status =~ /^400/) {
die "Error: Invalid URL or HostName\n\n";
}
return ($status, $content);
}
sub printReport {
my ($printData) = @_;
if ($args{o}) {
open(REPORT, ">>$args{o}") or die "ERROR => Can't write to file $args{o}\n";
print REPORT $printData;
close(REPORT);
}
print $printData;
}
8.6.2. parseLog.pl
Example 8-9 contains the full source for the
parseLog.pl script.
Example 8-9. Code for parseLog.pl
#!/usr/bin/perl
use strict;
if ($#ARGV < 0) {
die "Usage: $0 LogFile\n";
}
open(IN, "< $ARGV[0]") or die"ERROR: Can't open file $ARGV[0].\n";
# Change the input record separator to select entire log entries
$/ = "=" x 54;
my @logData = <IN>;
# Loop through each request and parse it
my ($request,$logEntry, @requests);
foreach $logEntry (@logData) {
# Create an array containing each line of the raw request
my @logEntryLines = split(/\n/, $logEntry);
# Create an array containing each element of the first request line
my @requestElements = split(/ /, $logEntryLines[1]);
# Only parse GET and POST requests
if ($requestElements[0] eq "GET" || $requestElements[0] eq "POST" ) {
if ($requestElements[0] eq "GET" ) {
print $requestElements[0]." ".$requestElements[1]."\n";
}
# POST request data is appended after the question mark
if ($requestElements[0] eq "POST" ) {
print $requestElements[0]." ".$requestElements[1]."?".$logEntryLines[-2]."\n";
}
} # End check for GET or POST
} # End loop for input file entries
 |
