Class: Watobo::Modules::Passive::Filename_as_parameter
- Inherits:
-
PassiveCheck
- Object
- PassiveCheck
- Watobo::Modules::Passive::Filename_as_parameter
- Defined in:
- modules/passive/filename_as_parameter.rb
Constant Summary
Constants included from Constants
Constants::AC_GROUP_APACHE, Constants::AC_GROUP_DOMINO, Constants::AC_GROUP_ENUMERATION, Constants::AC_GROUP_FILE_INCLUSION, Constants::AC_GROUP_FLASH, Constants::AC_GROUP_GENERIC, Constants::AC_GROUP_JBOSS, Constants::AC_GROUP_JOOMLA, Constants::AC_GROUP_SAP, Constants::AC_GROUP_SQL, Constants::AC_GROUP_TYPO3, Constants::AC_GROUP_XSS, Constants::AUTH_TYPE_BASIC, Constants::AUTH_TYPE_DIGEST, Constants::AUTH_TYPE_NONE, Constants::AUTH_TYPE_NTLM, Constants::CHAT_SOURCE_AUTO_SCAN, Constants::CHAT_SOURCE_FUZZER, Constants::CHAT_SOURCE_INTERCEPT, Constants::CHAT_SOURCE_MANUAL, Constants::CHAT_SOURCE_MANUAL_SCAN, Constants::CHAT_SOURCE_PROXY, Constants::CHAT_SOURCE_UNDEF, Constants::DEFAULT_PORT_HTTP, Constants::DEFAULT_PORT_HTTPS, Constants::FINDING_TYPE_HINT, Constants::FINDING_TYPE_INFO, Constants::FINDING_TYPE_UNDEFINED, Constants::FINDING_TYPE_VULN, Constants::FIRST_TIME_FILE, Constants::GUI_REGULAR_FONT_SIZE, Constants::GUI_SMALL_FONT_SIZE, Constants::ICON_PATH, Constants::LOG_DEBUG, Constants::LOG_INFO, Constants::SCAN_CANCELED, Constants::SCAN_FINISHED, Constants::SCAN_PAUSED, Constants::SCAN_STARTED, Constants::TE_CHUNKED, Constants::TE_COMPRESS, Constants::TE_DEFLATE, Constants::TE_GZIP, Constants::TE_IDENTITY, Constants::TE_NONE, Constants::VULN_RATING_CRITICAL, Constants::VULN_RATING_HIGH, Constants::VULN_RATING_INFO, Constants::VULN_RATING_LOW, Constants::VULN_RATING_MEDIUM, Constants::VULN_RATING_UNDEFINED
Instance Method Summary collapse
- #do_test(chat) ⇒ Object
-
#initialize(project) ⇒ Filename_as_parameter
constructor
A new instance of Filename_as_parameter.
Constructor Details
#initialize(project) ⇒ Filename_as_parameter
Returns a new instance of Filename_as_parameter.
30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 |
# File 'modules/passive/filename_as_parameter.rb', line 30 def initialize(project) @project = project super(project) @info.update( :check_name => 'Detect Filename Parameters', # name of check which briefly describes functionality, will be used for tree and progress views :description => "Detects parameters which sounds like 'filename', e.g. filename, fname.", # description of checkfunction :author => "Andreas Schmidt", # author of check :version => "0.9" # check version ) @finding.update( :threat => 'If filename parameters are not proper handled by the application an attacker may excecute malicious files or reveal sensitive information.', # thread of vulnerability, e.g. loss of information :class => "Filename Parameter", # vulnerability class, e.g. Stored XSS, SQL-Injection, ... :type => FINDING_TYPE_HINT # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN ) @possible_parm_names=%w[ (.*fname.*) (.*file.*) ] @findings = [] end |
Instance Method Details
#do_test(chat) ⇒ Object
52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 |
# File 'modules/passive/filename_as_parameter.rb', line 52 def do_test(chat) begin # puts "running module: #{Module.nesting[0].name}" all_parms = chat.request.parm_names if all_parms # puts all_parms all_parms.each do |parm| @possible_parm_names.each do |pattern| if parm =~ /#{pattern}/i match = $1 if not @findings.include?(parm) @findings.push parm addFinding( :check_pattern => match, :chat=>chat ) end end end end end rescue => bang puts "ERROR!! #{Module.nesting[0].name}" puts bang end end |