File: error500.py

package info (click to toggle)
w3af 1.0-rc3svn3489-1
  • links: PTS
  • area: main
  • in suites: jessie, jessie-kfreebsd, squeeze, wheezy
  • size: 59,908 kB
  • ctags: 16,916
  • sloc: python: 136,990; xml: 63,472; sh: 153; ruby: 94; makefile: 40; asm: 35; jsp: 32; perl: 18; php: 5
file content (134 lines) | stat: -rw-r--r-- 4,991 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
 
'''
error500.py

Copyright 2006 Andres Riancho

This file is part of w3af, w3af.sourceforge.net .

w3af is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation version 2 of the License.

w3af is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with w3af; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA

'''

import core.controllers.outputManager as om
# options
from core.data.options.option import option
from core.data.options.optionList import optionList

from core.controllers.basePlugin.baseGrepPlugin import baseGrepPlugin

import core.data.kb.knowledgeBase as kb
import core.data.kb.vuln as vuln
import core.data.constants.severity as severity


class error500(baseGrepPlugin):
    '''
    Grep every page for error 500 pages that haven't been identified as bugs by other plugins.
      
    @author: Andres Riancho ( andres.riancho@gmail.com )
    '''

    def __init__(self):
        baseGrepPlugin.__init__(self)
        
        self._error_500_responses = []
        
    def grep(self, request, response):
        '''
        Plugin entry point, identify which requests generated a 500 error.
        
        @parameter request: The HTTP request object.
        @parameter response: The HTTP response object
        @return: None
        '''
        if response.is_text_or_html() and response.getCode() in range(400, 600)\
        and response.getCode() not in (404 , 403, 401, 405, 400, 501)\
        and not self._falsePositive( response ):
            self._error_500_responses.append( (request, response) )
    
    def _falsePositive( self, response ):
        '''
        Filters out some false positives like this one:

        This false positive is generated by IIS when I send an URL that's "odd"
        Some examples of URLs that trigger this false positive:
            - http://127.0.0.2/ext.ini.%00.txt
            - http://127.0.0.2/%00/
            - http://127.0.0.2/%0a%0a<script>alert(\Vulnerable\)</script>.jsp
        
        @return: True if the response is a false positive.
        '''
        falsePositiveStrings = []
        falsePositiveStrings.append( '<h1>Bad Request (Invalid URL)</h1>' )
        for fps in falsePositiveStrings:
            if response.getBody() == fps:
                return True
        return False
    
    def getOptions( self ):
        '''
        @return: A list of option objects for this plugin.
        '''    
        ol = optionList()
        return ol
        
    def setOptions( self , o ):
        '''
        Do nothing, I don't have options.
        '''  
        pass
        
    def end(self):
        '''
        This method is called when the plugin wont be used anymore.
        
        The real job of this plugin is done here, where I will try to see if one
        of the error500 responses were not identified as a vuln by some of my audit plugins
        '''
        all_vulns = kb.kb.getAllVulns()
        all_vulns_tuples = [ (v.getURI(), v.getDc()) for v in all_vulns ]

        for request, error_500_response in self._error_500_responses:
            if ( error_500_response.getURI() , request.getDc() ) not in all_vulns_tuples:
                # Found a err 500 that wasnt identified !!!
                v = vuln.vuln()
                v.setURI( error_500_response.getURI() )
                v.setURL( error_500_response.getURL() )
                v.setId( error_500_response.id )
                v.setSeverity(severity.MEDIUM)
                v.setName( 'Unhandled error in web application' )
                msg = 'An unidentified web application error (HTTP response code 500)'
                msg += ' was found at: "' + v.getURL()+'".'
                msg += ' Enable all plugins and try again, if the vulnerability still is not'
                msg += ' identified, please verify mannually and report it to the w3af developers.'
                v.setDesc( msg )
                kb.kb.append( self, 'error500', v )
                
        self.printUniq( kb.kb.getData( 'error500', 'error500' ), 'VAR' )

    def getPluginDeps( self ):
        '''
        @return: A list with the names of the plugins that should be runned before the
        current one.
        '''
        return []
    
    def getLongDesc( self ):
        '''
        @return: A DETAILED description of the plugin functions and features.
        '''
        return '''
        This plugin greps every page for error 500 pages that havent been catched by other plugins. By enabling this,
        you are enabling a "safety net" that will catch all bugs that havent been catched by other plugins.
        '''