Class: Watobo::Modules::Passive::Ajax

Inherits:

PassiveCheck

• Object
• PassiveCheck
• Watobo::Modules::Passive::Ajax

Defined in:

modules/passive/ajax.rb

Constant Summary

Constants included from Constants

Constants::AC_GROUP_APACHE, Constants::AC_GROUP_DOMINO, Constants::AC_GROUP_ENUMERATION, Constants::AC_GROUP_FILE_INCLUSION, Constants::AC_GROUP_FLASH, Constants::AC_GROUP_GENERIC, Constants::AC_GROUP_JBOSS, Constants::AC_GROUP_JOOMLA, Constants::AC_GROUP_SAP, Constants::AC_GROUP_SQL, Constants::AC_GROUP_TYPO3, Constants::AC_GROUP_XSS, Constants::AUTH_TYPE_BASIC, Constants::AUTH_TYPE_DIGEST, Constants::AUTH_TYPE_NONE, Constants::AUTH_TYPE_NTLM, Constants::CHAT_SOURCE_AUTO_SCAN, Constants::CHAT_SOURCE_FUZZER, Constants::CHAT_SOURCE_INTERCEPT, Constants::CHAT_SOURCE_MANUAL, Constants::CHAT_SOURCE_MANUAL_SCAN, Constants::CHAT_SOURCE_PROXY, Constants::CHAT_SOURCE_UNDEF, Constants::DEFAULT_PORT_HTTP, Constants::DEFAULT_PORT_HTTPS, Constants::FINDING_TYPE_HINT, Constants::FINDING_TYPE_INFO, Constants::FINDING_TYPE_UNDEFINED, Constants::FINDING_TYPE_VULN, Constants::FIRST_TIME_FILE, Constants::GUI_REGULAR_FONT_SIZE, Constants::GUI_SMALL_FONT_SIZE, Constants::ICON_PATH, Constants::LOG_DEBUG, Constants::LOG_INFO, Constants::SCAN_CANCELED, Constants::SCAN_FINISHED, Constants::SCAN_PAUSED, Constants::SCAN_STARTED, Constants::TE_CHUNKED, Constants::TE_COMPRESS, Constants::TE_DEFLATE, Constants::TE_GZIP, Constants::TE_IDENTITY, Constants::TE_NONE, Constants::VULN_RATING_CRITICAL, Constants::VULN_RATING_HIGH, Constants::VULN_RATING_INFO, Constants::VULN_RATING_LOW, Constants::VULN_RATING_MEDIUM, Constants::VULN_RATING_UNDEFINED

Instance Method Summary

• #do_test(chat) ⇒ Object
• #initialize(project) ⇒ Ajax constructor

  A new instance of Ajax.

• #showError(chatid, message) ⇒ Object

Constructor Details

#initialize(project) ⇒ Ajax

# File 'modules/passive/ajax.rb', line 32

def initialize(project)
  @project = project
  super(project)
  
  @info.update(
               :check_name => 'Ajax',    # name of check which briefly describes functionality, will be used for tree and progress views
  :description => "Spots Ajax Frameworks like jQuery.",   # description of checkfunction
  :author => "Andreas Schmidt", # author of check
  :version => "1.0"   # check version
  )
  
  @finding.update(
                  :threat => 'Framework may contain vulnerabilities.',        # thread of vulnerability, e.g. loss of information
  :class => "Ajax Framework",    # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
  :type => FINDING_TYPE_INFO         # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN 
  )
  
    @fw_patterns = []
    @fw_patterns << { :name => 'jQuery', :pattern => 'jQuery v([0-9\.]*) jquery.com'}
end

Instance Method Details

#do_test(chat) ⇒ Object

# File 'modules/passive/ajax.rb', line 59

def do_test(chat)
  begin

    return true unless chat.response.content_type =~ /(text|script)/ 
    
    @fw_patterns.each do |pattern|
      if chat.response.body =~ /#{pattern[:pattern]}/i then
       version = $1.strip
       addFinding(
                   :check_pattern => "#{pattern[:pattern]}", 
        :proof_pattern => "#{pattern}",
        :chat=>chat,
        :title =>"[ #{pattern[:name]} #{version} ] - #{chat.request.path}",            
        )
        
      end
    end
  rescue => bang
    # raise
    showError(chat.id, bang)
  end
end

#showError(chatid, message) ⇒ Object

# File 'modules/passive/ajax.rb', line 53

def showError(chatid, message)
  puts "!!! Error"  
  puts "Chat: [#{chatid}]"
  puts message
end