Merge pull request #8 from lalithr95/idor-check

lalithr95 · web-flow · commit a0b4080ef12b · 2016-09-26T00:42:07.000+05:30
idor check
diff --git a/lib/API_Fuzzer.rb b/lib/API_Fuzzer.rb
@@ -7,6 +7,8 @@
 require 'API_Fuzzer/request'
 require 'API_Fuzzer/engine'
 require 'API_Fuzzer/xxe_check'
+require 'API_Fuzzer/redirect_check'
+require 'API_Fuzzer/idor_check'
 
 module API_Fuzzer
   # Scans all the checks
@@ -18,6 +20,8 @@ def self.scan(options = {})
     vulnerabilities << API_Fuzzer::XssCheck.scan(options)
     vulnerabilities << API_Fuzzer::SqlCheck.scan(options)
     vulnerabilities << API_Fuzzer::SqlBlindCheck.scan(options)
+    vulnerabilities << API_Fuzzer::RedirectCheck.scan(options)
+    vulnerabilities << API_Fuzzer::IdorCheck.scan(options)
     API_Fuzzer::XxeCheck.scan(options)
     vulnerabilities.uniq.flatten
   end
diff --git a/lib/API_Fuzzer/idor_check.rb b/lib/API_Fuzzer/idor_check.rb
@@ -0,0 +1,47 @@
+require 'API_Fuzzer/vulnerability'
+require 'API_Fuzzer/error'
+require 'API_Fuzzer/request'
+
+module API_Fuzzer
+  class IdorCheck
+    class << self
+      def scan(options = {})
+        @url = options[:url]
+        @params = options[:params]
+        @methods = options[:method]
+        @cookies = options[:cookies]
+        @vulnerabilities = []
+
+        fuzz_without_session
+        @vulnerabilities.uniq { |vuln| vuln.description }
+      end
+
+      def fuzz_without_session
+        @methods.each do |method|
+          response = API_Fuzzer::Request.send_api_request(
+            url: @url,
+            params: @params,
+            method: method,
+            cookies: @cookies
+          )
+
+          response_without_session = API_Fuzzer::Request.send_api_request(
+            url: @url,
+            params: @params,
+            method: method
+          )
+
+          fuzz_match(response, response_without_session, method)
+        end
+      end
+
+      def fuzz_match(resp, resp_without_session, method)
+        @vulnerabilities << API_Fuzzer::Vulnerability.new(
+          type: 'HIGH',
+          value: "API doesn't have session protection",
+          description: "Possible IDOR in #{method} #{@url}"
+        ) if resp.body.to_s == resp_without_session.body.to_s
+      end
+    end
+  end
+end
