1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
|
/*
ratproxy - hardcoded configuration
----------------------------------
Author: Michal Zalewski <lcamtuf@google.com>
Copyright 2007, 2008 by Google Inc. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#ifndef _HAVE_CONFIG_H
#define _HAVE_CONFIG_H
#include "types.h"
#define VERSION "1.58-beta"
/* Maximum request / response header line length (HTTP traffic
that exceeds this limit will be rejected). */
#define MAXLINE 8192
/* Maximum request payload size (to avoid DoS / malloc overflows). */
#define MAXPAYLOAD (30 * 1024 * 1024)
/* Maximum saved trace file payload size (to conserve disk space). */
#define MAXTRACEITEM (1 * 1024 * 1024)
/* Default proxy listen port. */
#define DEFAULT_PORT 8080
/* Uncomment to forcibly disable client-side page caching. Will slow
things down - but may be useful if there is no way to purge browser
cache manually prior to testing, or if you are forgetful. */
// #define FORCE_NOCACHE 1
/* Maximum token length for log entries produced (making this higher
will include more query / response data in reports). */
#define MAXTOKEN 1024
/* MIME sniffing buffer size. */
#define SNIFFBUF 1024
/* Character set sniffing buffer size (when looking for META directives). */
#define CHARSNIFF 1024
/* Minimum parameter value length to be tested as an XSS candidate. */
#define MIN_XSS_LEN 4
/* The same, but for HTTP header injection checks. */
#define MIN_XSS_HEAD 6
/* Maximum parameter length to be considered a file path, as opposed to
being just a random base64 blob with slashes in it. */
#define MAX_FPATH 64
/* Uncomment to XSS anti-XSRF tokens in -X mode. When defined, may prompt
the proxy to miss some self-XSS vectors (because clobbered security
tokens may inhibit page rendering), but will improve coverage in poorly
written apps with no real XSRF protection to begin with. */
// #define XSS_XSRF_TOKENS 1
/* Uncomment to look for query path, not only parameters, being echoed back
in response body, to derive risk flags. This may trigger false positives
with some applciations, and hence is disabled by default. */
// #define CHECK_ECHO_PATH 1
/* NULL-terminated list of query field names that imply authentication.
These override standard request repost based checks. This is a substring
match - prefix with '=' to do full field matching. You might want to
customize this list to include any other common values you encounter. */
static _u8* __attribute__((used)) auth_fields[] = {
"login",
"user",
"sess",
"account",
"pass",
0
};
/* NULL-terminated list of known fields that implement XSRF protection
features, even if they fail our tests. You might want to customize
this list to troubleshoot any false positives you encounter. */
static _u8* __attribute__((used)) xsrf_fields[] = {
"token",
"once",
"secret",
"secid",
"auth",
"=tok",
"=sig",
/* The values below are chiefly Google-specific. */
"=gb",
"=usg",
"=at",
"=bb",
"=cid",
"=ids",
"=et",
0
};
/* NULL-terminated list of known fields that look like XSRF tokens,
but have a different meaning and should be ignored. This is
chiefly Google-specific - customize as needed, based on -X
mode findings or manual testing. */
static _u8* __attribute__((used)) no_xsrf_fields[] = {
"=ver",
"=id",
"=zx",
"=_",
0
};
/* NULL-terminated list of common values that if visible in request
parameters and inline on a page, do not really imply an XSS
vector. */
static _u8* __attribute__((used)) no_xss_text[] = {
"utf",
"html",
0
};
/* NULL-terminated list of JSON-like response prefixes we consider to
be sufficiently safe against cross-site script inclusion. You
might want to extend the list as needed. */
static _u8* __attribute__((used)) json_safe[] = {
"while(1);", /* Parser looping - common */
"while (1);", /* ... */
"while(true);", /* ... */
"while (true);", /* ... */
"&&&", /* Parser breaking - OpenSocial */
"//OK[", /* Line commenting - GWT */
"{\"", /* Serialized object - common */
"{{\"", /* Serialized object - common */
"throw 1;", /* Parser bailout - common */
")]}", /* A robust alternative */
0
};
/* NULL-terminated list of known valid charsets. Charsets not on
the list are considered invalid, as they may trigger strange
encoded XSS attack vectors, etc. You might want to extend
this list as needed when testing foreign-language applications.
WARNING: Please note that "harmless" misspellings such as
'utf8' or 'utf_8' are *not* harmless, and may trigger utf-7
XSSes. Do not add these to the list unless thoroughly
validated. */
static _u8* __attribute__((used)) valid_charsets[] = {
"utf-8", /* Valid Unicode */
"iso8859-1", /* Valid Western */
"iso-8859-1", /* Invalid but recognized */
"iso8859-2", /* Valid European */
"iso-8859-2", /* Invalid but recognized */
"iso8859-15", /* ISO-8859-1, new and improved */
"iso-8859-15", /* ISO-8859-1, new and improved */
"windows-1252", /* Microsoft's Western */
"windows-1250", /* Microsoft's European */
"us-ascii", /* Old school but generally safe */
0
};
/* NULL-terminated list of active content MIME types, as produced
by our sniffer. Any content that may execute in the browser
in the security context of its serving domain belongs here. */
static _u8* __attribute__((used)) active_mime[] = {
"text/html", /* HTML */
"application/xhtml+xml", /* XHTML */
"application/java-vm", /* Java class */
"application/java-archive", /* Java JAR */
"application/x-shockwave-flash", /* Flash */
"video/flv", /* Flash */
"video/x-flv", /* Flash */
0
};
/* XSRF detector parameters; these might need to be tweaked if
seeing false positives, but are otherwise OK for most intents
and purposes. */
#define XSRF_B16_MIN 10 /* Minimum base16 token length */
#define XSRF_B16_MAX 45 /* Maximum base16 token length */
#define XSRF_B16_NUM 2 /* Require at least this many digit chars */
#define XSRF_B64_MIN 9 /* Minimum base32/64 token length */
#define XSRF_B64_MAX 32 /* Maximum base32/64 token length */
#define XSRF_B64_NUM 1 /* Require at least this many digit chars */
#define XSRF_B64_CASE 2 /* Require at least this many uppercase chars */
#define XSRF_B64_NUM2 3 /* Digit char count threshold to waive uppercase check */
#endif /* ! _HAVE_CONFIG_H */
|
