Package org.zaproxy.zap.extension.pscanrules

Source Code of org.zaproxy.zap.extension.pscanrules.TestInfoPrivateAddressDisclosure

/*
*
* Paros and its related class files.
*
* Paros is an HTTP/HTTPS proxy for assessing web application security.
* Copyright (C) 2003-2004 Chinotec Technologies Company
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the Clarified Artistic License
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
* Clarified Artistic License for more details.
*
* You should have received a copy of the Clarified Artistic License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
*/
// ZAP: 2012/01/02 Separate param and attack
// ZAP: 2012/03/15 Changed the method scan to use the class StringBuilder
// instead of String.
// ZAP: 2012/04/25 Added @Override annotation to all appropriate methods.
// ZAP: 2012/12/28 Issue 447: Include the evidence in the attack field, and made into a passive scan rule
package org.zaproxy.zap.extension.pscanrules;

import java.util.regex.Matcher;
import java.util.regex.Pattern;

import net.htmlparser.jericho.Source;

import org.parosproxy.paros.core.scanner.Alert;
import org.parosproxy.paros.network.HttpMessage;
import org.zaproxy.zap.extension.pscan.PassiveScanThread;
import org.zaproxy.zap.extension.pscan.PluginPassiveScanner;

public class TestInfoPrivateAddressDisclosure extends PluginPassiveScanner {

    private static final String REGULAR_IP_OCTET = "\\b(25[0-5]|2[0-4][0-9]|1?[0-9]{1,2})";
    private static final String REGULAR_PORTS = "\\b(6553[0-5]|65[0-5][0-2][0-9]|6[0-4][0-9]{4}|[0-5]?[0-9]{0,4})";
   
    // Private IP's including localhost
    public static final Pattern patternPrivateIP = Pattern.compile(
            "(10\\.(" + REGULAR_IP_OCTET + "\\.){2}" + REGULAR_IP_OCTET + "|"
            + "172\\." + "\\b(3[01]|2[0-9]|1[6-9])\\." + REGULAR_IP_OCTET + "\\." + REGULAR_IP_OCTET + "|"
            + "192\\.168\\." + REGULAR_IP_OCTET + "\\." + REGULAR_IP_OCTET + ")"
            + "(\\:" + REGULAR_PORTS + ")?",
            Pattern.CASE_INSENSITIVE | Pattern.MULTILINE);
   
    /*"(10\\." +
     "\\b((([0-1]?[0-9]?|2[0-4])[0-9])|25[0-5])\\." +
     "\\b((([0-1]?[0-9]?|2[0-4])[0-9])|25[0-5])\\." +
     "\\b((([0-1]?[0-9]?|2[0-4])[0-9])|25[0-5])" +
     "|" +
     "172\\." +
     "\\b(1[6-9]|2[0-9]|3[01])\\." +
     "\\b((([0-1]?[0-9]?|2[0-4])[0-9])|25[0-5])\\." +
     "\\b((([0-1]?[0-9]?|2[0-4])[0-9])|25[0-5])" +
     "|" +
     "192\\.168\\." +
     "\\b((([0-1]?[0-9]?|2[0-4])[0-9])|25[0-5])\\." +
     "\\b((([0-1]?[0-9]?|2[0-4])[0-9])|25[0-5]))"
     , PATTERN_PARAM);
     */
    //"(10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|172\\.\\d{2,2}\\.\\d{1,3}\\.\\d{1,3}|192\\.168\\.\\d{1,3}\\.\\d{1,3})", PATTERN_PARAM);
   
    private PassiveScanThread parent = null;

    @Override
    public int getPluginId() {
        return 00002;
    }

    @Override
    public String getName() {
        return "Private IP disclosure";
    }

    private String getDescription() {
        return "A private IP such as 10.x.x.x, 172.x.x.x, 192.168.x.x has been found in the HTTP response body.  "
                + "This information might be helpful for further attacks targeting internal systems.";
    }

    private String getSolution() {
        return "Remove the private IP address from the HTTP response body.  For comments, use JSP/ASP comment instead "
                + "of HTML/JavaScript comment which can be seen by client browsers.";
    }

    private String getReference() {
        return null;
    }

    @Override
    public void scanHttpRequestSend(HttpMessage msg, int id) {
        // Ignore
    }

    @Override
    public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) {

        String txtBody = msg.getResponseBody().toString();
        Matcher matcher = patternPrivateIP.matcher(txtBody);
        StringBuilder sbTxtFound = new StringBuilder();
        String firstOne = null;
       
        while (matcher.find()) {
            if (firstOne == null) {
                firstOne = matcher.group();
            }
            sbTxtFound.append(matcher.group()).append("\n");
        }

        if (sbTxtFound.length() != 0) {
            Alert alert = new Alert(getPluginId(), this.getRisk(), Alert.WARNING, this.getName());

            alert.setDetail(
                    this.getDescription(),
                    msg.getRequestHeader().getURI().toString(),
                    "",
                    firstOne,
                    sbTxtFound.toString(),
                    this.getSolution(),
                    this.getReference(),
                    firstOne, // evidence
                    200, // CWE Id
                    13, // WASC Id - Info leakage
                    msg);

            parent.raiseAlert(id, alert);
        }

    }

    private int getRisk() {
        return Alert.RISK_LOW;
    }

    @Override
    public void setParent(PassiveScanThread parent) {
        this.parent = parent;

    }
}
TOP

Related Classes of org.zaproxy.zap.extension.pscanrules.TestInfoPrivateAddressDisclosure

TOP
Copyright © 2018 www.massapi.com. All rights reserved.
All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.