Class: Watobo::Modules::Active::Xml::Xml_xxe

Inherits:
ActiveCheck
  • Object
show all
Defined in:
modules/active/xml/xml_xxe.rb

Constant Summary

Constants included from Constants

Constants::AC_GROUP_APACHE, Constants::AC_GROUP_DOMINO, Constants::AC_GROUP_ENUMERATION, Constants::AC_GROUP_FILE_INCLUSION, Constants::AC_GROUP_FLASH, Constants::AC_GROUP_GENERIC, Constants::AC_GROUP_JBOSS, Constants::AC_GROUP_JOOMLA, Constants::AC_GROUP_SAP, Constants::AC_GROUP_SQL, Constants::AC_GROUP_TYPO3, Constants::AC_GROUP_XSS, Constants::AUTH_TYPE_BASIC, Constants::AUTH_TYPE_DIGEST, Constants::AUTH_TYPE_NONE, Constants::AUTH_TYPE_NTLM, Constants::CHAT_SOURCE_AUTO_SCAN, Constants::CHAT_SOURCE_FUZZER, Constants::CHAT_SOURCE_INTERCEPT, Constants::CHAT_SOURCE_MANUAL, Constants::CHAT_SOURCE_MANUAL_SCAN, Constants::CHAT_SOURCE_PROXY, Constants::CHAT_SOURCE_UNDEF, Constants::DEFAULT_PORT_HTTP, Constants::DEFAULT_PORT_HTTPS, Constants::FINDING_TYPE_HINT, Constants::FINDING_TYPE_INFO, Constants::FINDING_TYPE_UNDEFINED, Constants::FINDING_TYPE_VULN, Constants::FIRST_TIME_FILE, Constants::GUI_REGULAR_FONT_SIZE, Constants::GUI_SMALL_FONT_SIZE, Constants::ICON_PATH, Constants::LOG_DEBUG, Constants::LOG_INFO, Constants::SCAN_CANCELED, Constants::SCAN_FINISHED, Constants::SCAN_PAUSED, Constants::SCAN_STARTED, Constants::TE_CHUNKED, Constants::TE_COMPRESS, Constants::TE_DEFLATE, Constants::TE_GZIP, Constants::TE_IDENTITY, Constants::TE_NONE, Constants::VULN_RATING_CRITICAL, Constants::VULN_RATING_HIGH, Constants::VULN_RATING_INFO, Constants::VULN_RATING_LOW, Constants::VULN_RATING_MEDIUM, Constants::VULN_RATING_UNDEFINED

Instance Method Summary collapse

Methods included from CheckInfoMixin::InfoMethods

#check_group, #check_name

Constructor Details

#initialize(project, prefs = {}) ⇒ Xml_xxe

Returns a new instance of Xml_xxe.


52
53
54
55
# File 'modules/active/xml/xml_xxe.rb', line 52

def initialize(project, prefs={})
  super(project, prefs)
  
end

Instance Method Details

#generateChecks(chat) ⇒ Object


57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
# File 'modules/active/xml/xml_xxe.rb', line 57

def generateChecks(chat)
  begin              
    if ( chat.request.content_type =~ /xml/ ) and chat.request.has_body?
      # first we do a request with an
      base = chat.copyRequest
      base_request, base_response = doRequest(base)
      return unless base_response.has_body?
      create_entity_packets(chat.request.body).each do |packet|
        checker = proc {
          begin                      
            test_request = nil
          test_response = nil
          test = chat.copyRequest
          test.setData packet.to_s
          test_request, test_response = doRequest(test)
          #puts test_response.status
          
          if test_response.has_body? and test_response.body == base_response.body
           
            addFinding(test_request,test_response,
            :test_item => "ENTITY",
            :check_pattern => "ENTITY",
            :chat => chat,
            :title => "[#{chat.request.path}] - ENTITY",
            :debug => true
            )
          end
          rescue => bang
            puts bang
            puts bang.backtrace if $DEBUG                      
          end
          [ test_request, test_response ]
        }
        yield checker
        
         end
    end
  rescue => bang
    puts bang
  end
end