/*
*
* Paros and its related class files.
*
* Paros is an HTTP/HTTPS proxy for assessing web application security.
* Copyright (C) 2003-2004 Chinotec Technologies Company
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the Clarified Artistic License
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* Clarified Artistic License for more details.
*
* You should have received a copy of the Clarified Artistic License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/
// ZAP: 2012/01/02 Separate param and attack
// ZAP: 2012/03/15 Changed the method checkResult to use the class StringBuilder
// instead of StringBuffer.
// ZAP: 2012/04/25 Added @Override annotation to all appropriate methods.
// ZAP: 2012/12/28 Issue 447: Include the evidence in the attack field
// ZAP: 2013/01/25 Removed the "(non-Javadoc)" comments.
// ZAP: 2013/03/03 Issue 546: Remove all template Javadoc comments
package org.zaproxy.zap.extension.ascanrules;
import java.util.regex.Pattern;
import org.apache.log4j.Logger;
import org.parosproxy.paros.core.scanner.AbstractAppParamPlugin;
import org.parosproxy.paros.core.scanner.AbstractPlugin;
import org.parosproxy.paros.core.scanner.Alert;
import org.parosproxy.paros.core.scanner.Category;
import org.parosproxy.paros.network.HttpMessage;
import org.parosproxy.paros.network.HttpStatusCode;
public class TestParameterTamper extends AbstractAppParamPlugin {
//private static final String[] PARAM_LIST = {"", "@", "+", "%A", "%1Z", "%", "%00", "|"};
// problem sending "%A", "%1Z" to server - assume server can handle properly on this.
// %0A not included as this is in CRLFInjection already.
private static String[] PARAM_LIST = {"", "", "@", "+", AbstractPlugin.getURLDecode("%00"), "|"};
private static Pattern patternErrorJava1 = Pattern.compile("javax\\.servlet\\.\\S+", PATTERN_PARAM);
private static Pattern patternErrorJava2 = Pattern.compile("invoke.+exception|exception.+invoke", PATTERN_PARAM);
private static Pattern patternErrorVBScript = Pattern.compile("Microsoft(\\s+| )*VBScript(\\s+| )+error", PATTERN_PARAM);
private static Pattern patternErrorODBC1 = Pattern.compile("Microsoft OLE DB Provider for ODBC Drivers.*error", PATTERN_PARAM);
private static Pattern patternErrorODBC2 = Pattern.compile("ODBC.*Drivers.*error", PATTERN_PARAM);
private static Pattern patternErrorJet = Pattern.compile("Microsoft JET Database Engine.*error", PATTERN_PARAM);
private static Pattern patternErrorPHP = Pattern.compile(" on line <b>", PATTERN_PARAM);
private static Pattern patternErrorTomcat = Pattern.compile("(Apache Tomcat).*(^Caused by:|HTTP Status 500 - Internal Server Error)", PATTERN_PARAM);
// ZAP: Added logger
private static Logger log = Logger.getLogger(TestParameterTamper.class);
@Override
public int getId() {
return 40008;
}
@Override
public String getName() {
return "Parameter tampering";
}
@Override
public String[] getDependency() {
return null;
}
@Override
public String getDescription() {
String msg = "Certain parameter caused error page or Java stacktrace to be displayed. This indicated lack of exception handling and potential areas for further exploit.";
return msg;
}
@Override
public int getCategory() {
return Category.INJECTION;
}
@Override
public String getSolution() {
return "Identify the cause of the error and fix it. Do not trust client side input and enforece tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error.";
}
@Override
public String getReference() {
return "";
}
@Override
public void init() {
}
@Override
public void scan(HttpMessage msg, String param, String value) {
String attack = null;
// always try normal query first
HttpMessage normalMsg = getNewMsg();
try {
sendAndReceive(normalMsg);
} catch (Exception e) {
// ZAP: Log exceptions
log.warn(e.getMessage(), e);
return;
}
if (normalMsg.getResponseHeader().getStatusCode() != HttpStatusCode.OK) {
return;
}
for (int i = 0; i < PARAM_LIST.length; i++) {
msg = getNewMsg();
if (i == 0) {
// remove entire parameter when i=0;
setParameter(msg, null, null);
attack = null;
} else {
setParameter(msg, param, PARAM_LIST[i]);
attack = PARAM_LIST[i];
}
try {
sendAndReceive(msg);
if (checkResult(msg, param, attack, normalMsg.getResponseBody().toString())) {
return;
}
} catch (Exception e) {
// ZAP: Log exceptions
log.warn(e.getMessage(), e);
}
}
}
private boolean checkResult(HttpMessage msg, String param, String attack, String normalHTTPResponse) {
if (msg.getResponseHeader().getStatusCode() != HttpStatusCode.OK
&& !HttpStatusCode.isServerError(msg.getResponseHeader().getStatusCode())) {
return false;
}
// remove false positive if parameter have no effect on output
if (msg.getResponseBody().toString().equals(normalHTTPResponse)) {
return false;
}
StringBuilder sb = new StringBuilder();
if (matchBodyPattern(msg, patternErrorJava1, sb) && matchBodyPattern(msg, patternErrorJava2, null)) {
bingo(Alert.RISK_MEDIUM, Alert.WARNING, null, param, attack, sb.toString(), msg);
return true;
} else if (matchBodyPattern(msg, patternErrorVBScript, sb)
|| matchBodyPattern(msg, patternErrorODBC1, sb)
|| matchBodyPattern(msg, patternErrorODBC2, sb)
|| matchBodyPattern(msg, patternErrorJet, sb)
|| matchBodyPattern(msg, patternErrorTomcat, sb)
|| matchBodyPattern(msg, patternErrorPHP, sb)) {
bingo(Alert.RISK_MEDIUM, Alert.SUSPICIOUS, "", param, sb.toString(), attack, msg);
return true;
}
return false;
}
@Override
public int getRisk() {
return Alert.RISK_MEDIUM;
}
@Override
public int getCweId() {
return 472;
}
@Override
public int getWascId() {
return 20;
}
}