Merge pull request #1 from zaproxy/master

pulling in changes

Author: kurobeats

.gitattributes

@@ -0,0 +1,19 @@
+* text=auto
+
+*.conf text
+*.gradle text
+*.gradle.kts text
+*.java text
+*.js text
+*.md text
+*.properties text
+*.py text
+*.txt text
+*.zest text
+*.zst text
+
+*.bat text eol=crlf
+*.sh text eol=lf
+gradlew text eol=lf
+
+*.jar binary

.gitignore

@@ -0,0 +1,44 @@
+# Gradle
+#-------
+.gradle
+/build
+/buildSrc/build
+
+# IDEA
+# ----
+.idea
+.shelf
+/*.iml
+/*.ipr
+/*.iws
+/buildSrc/*.iml
+/buildSrc/*.ipr
+/buildSrc/*.iws
+/buildSrc/out
+/out
+
+# Eclipse
+# -------
+*.pydevproject
+.metadata
+tmp/
+*.tmp
+*.bak
+*.swp
+*~.nib
+local.properties
+.loadpath
+*.classpath
+*.project
+*.settings
+/bin
+RemoteSystemsTempFiles/
+.externalToolBuilders/
+*.launch
+.cproject
+.buildpath
+
+# NetBeans
+# --------
+.nb-gradle
+.nb-gradle-properties

.project

@@ -0,0 +1,14 @@
+language: java
+sudo: false
+
+jdk:
+  - openjdk8
+  - openjdk11
+
+before_cache:
+  - rm -f  $HOME/.gradle/caches/modules-2/modules-2.lock
+  - rm -fr $HOME/.gradle/caches/*/plugin-resolution/
+cache:
+  directories:
+    - $HOME/.gradle/caches/
+    - $HOME/.gradle/wrapper/

.travis.yml

@@ -0,0 +1,76 @@
+"""
+Note that new active scripts will initially be disabled
+Right click the script in the Scripts tree and select "enable"  
+"""
+
+"""
+Active Scan Python script to test if the webserver has potentially insecure http methods enabled
+Author: http://renouncedthoughts.wordpress.com
+
+
+Tested to work with some of the online vulnerable applications like:
+http://zero.webappsecurity.com
+http://testaspnet.vulnweb.com
+http://testfire.net/
+http://crackme.cenzic.com
+
+and other apps from https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project#tab=On-Line_apps
+
+For some reasons, the order of the array insecureverbs could throw a java.net.SocketTimeoutException, for example with some proxies when TRACE is called just after DELETE
+If you encounter such issues, try to change the order on the following line
+"""
+
+insecureverbs=["HEAD", "TRACE", "OPTIONS", "PUT", "DELETE", "CONNECT", "DEBUG", "MOVE", "SEARCH", "PATCH", "MKCOL", "COPY", "LOCK", "UNLOCK", "ARBIT", "XXXX", "12AB"]
+acceptedhttpstatuscodesforinsecureverbs=[301, 302, 404, 405, 403, 400, 501] # if we get a response code that is not a part of this array, then flag as potentially vulnerable
+activevulnerabilitytitle='Potentially Insecure HTTP Verb allowed'
+activevulnerabilityfulldescription='Some of the HTTP methods can potentially pose a security risk for a web application, as they allow an attacker to modify the files stored on the web server and, in some scenarios, steal the credentials of legitimate users.' + 'Insecure configuration can possibly lead to web server compromise and website defacement. ' + 'If an application needs one or more of the potentially insecure HTTP methods, such as for REST Web Services (which may require PUT or DELETE), it is important to check that their usage is properly limited to trusted users and safe conditions. ' + 'http://security.stackexchange.com/questions/21413/how-to-exploit-http-methods.'
+activevulnerabilitysolution = 'Configure the web server to allow insecure methods like DELETE and PUT only for the relevant resources. ' + 'If your application does not need HTTP methods other than GET and POST, consider disabling the unused HTTP methods.'
+printdebugmessages = True
+#printdebugmessages= False
+
+def PrintAlerts(sas, msg, uri, insecureverb, responsestatuscode, responsestatusmessage):
+	attackevidence = 'VERB: \t' + insecureverb + '\t-- HTTP STATUS CODE: '+ str(responsestatuscode) +' -- \tMESSAGE: ' + responsestatusmessage  + '\t\t-- POTENTIALLY VULNERABLE: YES\n'
+	if printdebugmessages:
+		print (attackevidence)
+	sas.raiseAlert(1, 2, activevulnerabilitytitle, activevulnerabilityfulldescription, uri, 'HTTP VERB', 'ZAP sent an HTTP request with method - ' + insecureverb, '', activevulnerabilitysolution, attackevidence, 0, 0, msg);
+
+	
+def ProcessAndPrintAlert(sas, msg, uri, insecureverb):
+	if not msg.getResponseHeader().getStatusCode() in acceptedhttpstatuscodesforinsecureverbs:
+		PrintAlerts(sas, msg, uri, insecureverb, msg.getResponseHeader().getStatusCode(), msg.getResponseHeader().getReasonPhrase())
+
+
+def PrepareHttpRequest(msg, insecureverb):
+	msg.mutateHttpMethod(insecureverb)
+	if insecureverb == "POST" or insecureverb == "PUT":
+		msg.setRequestBody("bodytext")
+		msg.getRequestHeader().setContentLength(msg.getRequestBody().length());
+	if printdebugmessages:
+		print('After mutating resulting HTTP VERB: -- \t' + msg.getRequestHeader().getMethod() + '\n')
+
+	
+def TestTheURIForInsecureVerbs(sas, msg, uri, insecureverbs):
+	for insecureverb in insecureverbs:
+		try:
+			if printdebugmessages:
+				print ('Testing Initiated for the HTTP VERB: -- \t' + insecureverb + '\n')
+			msg = msg.cloneRequest();
+			PrepareHttpRequest(msg, insecureverb)
+			sas.sendAndReceive(msg, False)
+			if printdebugmessages:
+				print('VERB: \t' + insecureverb + '\t-- STATUS: '+ str(msg.getResponseHeader().getStatusCode()) +' -- \tMESSAGE: ' + msg.getResponseHeader().getReasonPhrase() + '\n')
+			ProcessAndPrintAlert(sas, msg, uri, insecureverb)
+		except Exception, e:
+			print('ERROR For: ' + insecureverb + 'Detail: ' + e.message + '\n')
+
+
+def scanNode(sas, msg):
+	url = msg.getRequestHeader().getURI().toString()
+	if printdebugmessages:
+    		print('Active scan script called for url = ' + url + '\n')
+		print('Testing for insecure verbs against a list of accepted http response status codes for the url = ' + url + '\n')
+    	TestTheURIForInsecureVerbs(sas, msg, url, insecureverbs)
+
+
+def scan(sas, msg, param, value):
+    pass

active/TestInsecureHTTPVerbs.py

@@ -0,0 +1,195 @@
+// An example active scan rule script which uses a set of attack payloads and a set of regexes
+// in order to find potential issues.
+// Replace or extend the attacks and evidence regexes with you own values.
+
+// Note that new active scripts will initially be disabled
+// Right click the script in the Scripts tree and select "enable"  
+
+// Replace or extend these with your own attacks
+// put the attacks you most want to run higher, unless you disable the attack strength check
+var attacks = [
+	'<>"\'%;)(&+', 
+	'\'', 
+	'\' --',  
+	'|', 
+	'!', 
+	'?', 
+	'/', 
+	'//', 
+	'//*', 
+	'(', 
+	')', 
+	'*|', 
+	'*/*', 
+	'{', 
+	'}', 
+]
+
+// Replace or extend these with your own evidence - regexes that indicate potential issues
+// The default ones are a subset of https://github.com/fuzzdb-project/fuzzdb/blob/master/regex/errors.txt
+var evidence = [
+	"A syntax error has occurred",
+	"Active Server Pages error",
+	"ADODB.Field error",
+	"An illegal character has been found in the statement",
+	"An unexpected token .* was found",
+	"ASP\.NET is configured to show verbose error messages",
+	"ASP\.NET_SessionId",
+	"Custom Error Message",
+	"database error",
+	"DB2 Driver",
+	"DB2 Error",
+	"DB2 ODBC",
+	"detected an internal error",
+	"Error converting data type varchar to numeric",
+	"Error Diagnostic Information",
+	"Error Report",
+	"Fatal error",
+	"Incorrect syntax near",
+	"Index of",
+	"Internal Server Error",
+	"Invalid Path Character",
+	"Invalid procedure call or argument",
+	"invalid query",
+	"Invision Power Board Database Error",
+	"is not allowed to access",
+	"JDBC Driver",
+	"JDBC Error",
+	"JDBC MySQL",
+	"JDBC Oracle",
+	"JDBC SQL",
+	"Microsoft OLE DB Provider for ODBC Drivers",
+	"Microsoft VBScript compilation error",
+	"Microsoft VBScript error",
+	"MySQL Driver",
+	"mysql error",
+	"MySQL Error",
+	"mySQL error with query",
+	"MySQL ODBC",
+	"ODBC DB2",
+	"ODBC Driver",
+	"ODBC Error",
+	"ODBC Microsoft Access",
+	"ODBC Oracle",
+	"ODBC SQL",
+	"OLE/DB provider returned message",
+	"on line",
+	"on MySQL result index",
+	"Oracle DB2",
+	"Oracle Driver",
+	"Oracle Error",
+	"Oracle ODBC",
+	"Parent Directory",
+	"PHP Error",
+	"PHP Parse error",
+	"PHP Warning",
+	"PostgreSQL query failed",
+	"server object error",
+	"SQL command not properly ended",
+	"SQL Server Driver",
+	"SQLException",
+	"supplied argument is not a valid",
+	"Syntax error in query expression",
+	"The error occurred in",
+	"The script whose uid is",
+	"Type mismatch",
+	"Unable to jump to row",
+	"Unclosed quotation mark before the character string",
+	"unexpected end of SQL command",
+	"unexpected error",
+	"Unterminated string constant",
+	"Warning: mysql_query",
+	"Warning: pg_connect",
+	"You have an error in your SQL syntax near",
+]
+
+/**
+ * Scans a "node", i.e. an individual entry in the Sites Tree.
+ * The scanNode function will typically be called once for every page. 
+ * 
+ * @param as - the ActiveScan parent object that will do all the core interface tasks 
+ *     (i.e.: sending and receiving messages, providing access to Strength and Threshold settings,
+ *     raising alerts, etc.). This is an ScriptsActiveScanner object.
+ * @param msg - the HTTP Message being scanned. This is an HttpMessage object.
+ */
+function scanNode(as, msg) {
+	// Do nothing here - this script just attacks parameters rather than nodes
+}
+
+/**
+ * Scans a specific parameter in an HTTP message.
+ * The scan function will typically be called for every parameter in every URL and Form for every page.
+ * 
+ * @param as - the ActiveScan parent object that will do all the core interface tasks 
+ *     (i.e.: sending and receiving messages, providing access to Strength and Threshold settings,
+ *     raising alerts, etc.). This is an ScriptsActiveScanner object.
+ * @param msg - the HTTP Message being scanned. This is an HttpMessage object.
+ * @param {string} param - the name of the parameter being manipulated for this test/scan.
+ * @param {string} value - the original parameter value.
+ */
+function scan(as, msg, param, value) {
+	// Debugging can be done using print like this
+	//print('scan called for url=' + msg.getRequestHeader().getURI().toString() + 
+	//	' param=' + param + ' value=' + value);
+	
+	var max_attacks = attacks.length	// No limit for the "INSANE" level ;)
+	
+	if (as.getAttackStrength() == "LOW") {
+		max_attacks = 6
+	} else if (as.getAttackStrength() == "MEDIUM") {
+		max_attacks = 12
+	} else if (as.getAttackStrength() == "HIGH") {
+		max_attacks = 24
+	}
+
+	for (var i in attacks) {
+		// Dont exceed recommended number of attacks for strength
+		// feel free to disable this locally ;)
+		if (i > max_attacks) {
+			return
+		}
+		// Copy requests before reusing them
+		msg = msg.cloneRequest();
+
+		// setParam (message, parameterName, newValue)
+		as.setParam(msg, param, attacks[i]);
+		
+		// sendAndReceive(msg, followRedirect, handleAntiCSRFtoken)
+		as.sendAndReceive(msg, false, false);
+
+		// Add any generic checks here, eg
+		var code = msg.getResponseHeader().getStatusCode()
+		if (code >= 500 && code < 600) {
+			raiseAlert(as, msg, param, attacks[i], code)
+			// Only raise one alert per param
+			return
+		}
+
+		var body = msg.getResponseBody().toString()
+		var re = new RegExp(evidence.join("|"), "i")
+		var found = body.match(re)
+		if (found) {	// Change to a test which detects the vulnerability
+			raiseAlert(as, msg, param, attacks[i], found)
+			// Only raise one alert per param
+			return
+		}
+	
+		// Check if the scan was stopped before performing lengthy tasks
+		if (as.isStop()) {
+			return
+		}
+	}
+}
+
+function raiseAlert(as, msg, param, attack, evidence) {
+	// Replace with more suitable information
+	// raiseAlert(risk, int confidence, String name, String description, String uri, 
+	//		String param, String attack, String otherInfo, String solution, String evidence, 
+	//		int cweId, int wascId, HttpMessage msg)
+	// risk: 0: info, 1: low, 2: medium, 3: high
+	// confidence: 0: falsePositive, 1: low, 2: medium, 3: high, 4: confirmed
+	as.raiseAlert(1, 1, 'Active Vulnerability Title', 'Full description', 
+		msg.getRequestHeader().getURI().toString(), 
+		param, attack, 'Any other info', 'The solution ', evidence, 0, 0, msg);
+}
+