""" | |
looks for parameter values that are reflected in the response. | |
Author: maradrianbelen.com | |
The scan function will be called for request/response made via ZAP, excluding some of the automated tools | |
Passive scan rules should not make any requests | |
Note that new passive scripts will initially be disabled | |
Right click the script in the Scripts tree and select "enable" | |
""" | |
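def compare(paramvalue_pair, msg):
    """Return the parameter name if its value appears in the response body.

    paramvalue_pair is one "name=value" item from the query string (scan()
    produces these by splitting the query on '&'). msg is the ZAP HttpMessage
    whose response body is searched with a plain substring match.

    Returns the parameter name when its value is found in the body, else ''.
    Pairs without an '=' and pairs with an empty value are never reported:
    the original indexed value[1] (IndexError on a bare name) and searched
    for '' (which matches every body, flagging every valueless parameter).
    """
    # Split on the first '=' only, so a value that itself contains '=' stays whole.
    name, sep, value = paramvalue_pair.partition('=')
    if not sep or not value:
        return ''
    # NOTE(review): the value is compared exactly as the query string carries it;
    # whether it is already percent-decoded depends on what URI.getQuery() returns
    # in ZAP -- confirm before relying on matches for encoded values.
    # Substring search only: very short or common values match by coincidence, and
    # a match shows reflection, not an exploitable injection context.
    body = msg.getResponseBody().toString()
    if value in body:
        return name
    return ''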
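def scan(ps, msg, src):
    """ZAP passive scan entry point: flag query parameters whose values are reflected.

    ps  -- the passive-script helper; used only to raise the alert.
    msg -- the HttpMessage (request + response) being scanned.
    src -- the scan source supplied by ZAP; not used by this rule.

    Splits the request's query string on '&', checks each name=value pair with
    compare(), and raises one alert listing every reflected parameter name.
    Makes no requests of its own, as a passive rule must not.
    """
    header = msg.getRequestHeader()
    uri_str = header.getURI().toString()
    query = header.getURI().getQuery()
    print('params of ' + uri_str)
    if not query:
        print(uri_str + ' has no parameter')
        return
    # One compare() call per pair (the original called it twice per hit) and a
    # list join instead of string concatenation, which produced a leading ','.
    reflected = []
    for pair in query.split('&'):
        name = compare(pair, msg)
        if name:
            reflected.append(name)
    if not reflected:
        return
    # raiseAlert(risk, reliability, name, description, uri, param, attack,
    #            otherInfo, solution, evidence, cweId, wascId, msg)
    # risk 0 = info, reliability 2 = warning: reflection alone is only an XSS
    # indicator; exploitability depends on the output context and encoding.
    # cweId/wascId are left at 0 as in the original; CWE-79 / WASC-8 would be the
    # XSS classification if the alert is meant to be triaged as such.
    ps.raiseAlert(0, 2, 'Find reflected parameter values',
                  'Reflected parameter value has been found. A reflected parameter values may introduce XSS vulnerability.',
                  uri_str,
                  'Reflected Parameters: ' + ','.join(reflected),
                  'blank', 'blank', '', '', 0, 0, msg)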