Refactoring WAF scripts

2024-11-22 17:46:37 +03:00 · 2013-02-26 15:54:50 +01:00 · 2013-02-26 15:54:50 +01:00 · be50192d8d
commit be50192d8d
parent e5835dc74f
13 changed files with 115 additions and 45 deletions
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@ -384,6 +384,7 @@ IDS_WAF_CHECK_PAYLOAD = "AND 1=1 UNION ALL SELECT 1,2,3,table_name FROM informat

 # Vectors used for provoking specific WAF/IDS/IPS behavior(s)
 WAF_ATTACK_VECTORS = (
+                        "",  # NIL
                        "search=<script>alert(1)</script>",
                        "file=../../../../etc/passwd",
                        "q=<invalid>foobar",
--- a/waf/airlock.py
+++ b/waf/airlock.py
@ -8,9 +8,17 @@ See the file 'doc/COPYING' for copying permission
 import re

 from lib.core.enums import HTTPHEADER
+from lib.core.settings import WAF_ATTACK_VECTORS

 __product__ = "Airlock (Phion/Ergon)"

 def detect(get_page):
-    page, headers, code = get_page()
-    return re.search(r"\AAL[_-]?(SESS|LB)=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
+    retval = False
+
+    for vector in WAF_ATTACK_VECTORS:
+        page, headers, code = get_page(get=vector)
+        retval = re.search(r"\AAL[_-]?(SESS|LB)=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
+        if retval:
+            break
+
+    return retval
--- a/waf/barracuda.py
+++ b/waf/barracuda.py
@ -8,9 +8,17 @@ See the file 'doc/COPYING' for copying permission
 import re

 from lib.core.enums import HTTPHEADER
+from lib.core.settings import WAF_ATTACK_VECTORS

 __product__ = "Barracuda Web Application Firewall (Barracuda Networks)"

 def detect(get_page):
-    page, headers, code = get_page()
-    return re.search(r"\Abarra_counter_session=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
+    retval = False
+
+    for vector in WAF_ATTACK_VECTORS:
+        page, headers, code = get_page(get=vector)
+        retval = re.search(r"\Abarra_counter_session=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
+        if retval:
+            break
+
+    return retval
--- a/waf/bigip.py
+++ b/waf/bigip.py
@ -13,13 +13,13 @@ from lib.core.settings import WAF_ATTACK_VECTORS
 __product__ = "BIG-IP Application Security Manager (F5 Networks)"

 def detect(get_page):
-    page, headers, code = get_page()
-    retval = re.search(r"\ATS[a-zA-Z0-9]{3,6}=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
+    retval = False

-    if not retval:
    for vector in WAF_ATTACK_VECTORS:
        page, headers, code = get_page(get=vector)
        retval = headers.get("X-Cnection", "").lower() == "close"
+        retval |= re.search(r"\ATS[a-zA-Z0-9]{3,6}=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
+        retval |= re.search(r"BigIP|BIGipServer", headers.get(HTTPHEADER.SERVER, ""), re.I) is not None
        if retval:
            break

--- a/waf/binarysec.py
+++ b/waf/binarysec.py
@ -8,12 +8,18 @@ See the file 'doc/COPYING' for copying permission
 import re

 from lib.core.enums import HTTPHEADER
+from lib.core.settings import WAF_ATTACK_VECTORS

 __product__ = "BinarySEC Web Application Firewall (BinarySEC)"

 def detect(get_page):
-    page, headers, code = get_page()
-    retval = re.search(r"BinarySec", headers.get(HTTPHEADER.SERVER, ""), re.I) is not None
-    if not retval:
+    retval = False
+
+    for vector in WAF_ATTACK_VECTORS:
+        page, headers, code = get_page(get=vector)
        retval = any(headers.get(_) for _ in ("x-binarysec-via", "x-binarysec-nocache"))
+        retval |= re.search(r"BinarySec", headers.get(HTTPHEADER.SERVER, ""), re.I) is not None
+        if retval:
+            break
+
    return retval
--- a/waf/datapower.py
+++ b/waf/datapower.py
@ -7,8 +7,18 @@ See the file 'doc/COPYING' for copying permission

 import re

+from lib.core.enums import HTTPHEADER
+from lib.core.settings import WAF_ATTACK_VECTORS
+
 __product__ = "IBM WebSphere DataPower (IBM)"

 def detect(get_page):
-    page, headers, code = get_page()
-    return re.search(r"\A(OK|FAIL)", headers.get("X-Backside-Transport", ""), re.I) is not None
+    retval = False
+
+    for vector in WAF_ATTACK_VECTORS:
+        page, headers, code = get_page(get=vector)
+        retval = re.search(r"\A(OK|FAIL)", headers.get("X-Backside-Transport", ""), re.I) is not None
+        if retval:
+            break
+
+    return retval
--- a/waf/denyall.py
+++ b/waf/denyall.py
@ -13,13 +13,12 @@ from lib.core.settings import WAF_ATTACK_VECTORS
 __product__ = "Deny All Web Application Firewall (DenyAll)"

 def detect(get_page):
-    page, headers, code = get_page()
-    retval = re.search(r"\Asessioncookie=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
+    retval = False

-    if not retval:
    for vector in WAF_ATTACK_VECTORS:
        page, headers, code = get_page(get=vector)
-            retval = code == 200 and re.search(r"\ACondition Intercepted", page, re.I) is not None
+        retval = re.search(r"\Asessioncookie=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
+        retval |= code == 200 and re.search(r"\ACondition Intercepted", page, re.I) is not None
        if retval:
            break

--- a/waf/hyperguard.py
+++ b/waf/hyperguard.py
@ -8,9 +8,17 @@ See the file 'doc/COPYING' for copying permission
 import re

 from lib.core.enums import HTTPHEADER
+from lib.core.settings import WAF_ATTACK_VECTORS

 __product__ = "Hyperguard Web Application Firewall (art of defence Inc.)"

 def detect(get_page):
-    page, headers, code = get_page()
-    return re.search(r"\AODSESSION=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
+    retval = False
+
+    for vector in WAF_ATTACK_VECTORS:
+        page, headers, code = get_page(get=vector)
+        retval = re.search(r"\AODSESSION=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
+        if retval:
+            break
+
+    return retval
--- a/waf/netcontinuum.py
+++ b/waf/netcontinuum.py
@ -8,9 +8,17 @@ See the file 'doc/COPYING' for copying permission
 import re

 from lib.core.enums import HTTPHEADER
+from lib.core.settings import WAF_ATTACK_VECTORS

 __product__ = "NetContinuum Web Application Firewall (NetContinuum/Barracuda Networks)"

 def detect(get_page):
-    page, headers, code = get_page()
-    return re.search(r"\ANCI__SessionId=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
+    retval = False
+
+    for vector in WAF_ATTACK_VECTORS:
+        page, headers, code = get_page(get=vector)
+        retval = re.search(r"\ANCI__SessionId=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
+        if retval:
+            break
+
+    return retval
--- a/waf/netscaler.py
+++ b/waf/netscaler.py
@ -13,14 +13,13 @@ from lib.core.settings import WAF_ATTACK_VECTORS
 __product__ = "NetScaler (Citrix Systems)"

 def detect(get_page):
-    page, headers, code = get_page()
-    retval = re.search(r"\A(ns_af=|citrix_ns_id|NSC_)", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
-    retval |= re.search(r"\ANS-CACHE", headers.get(HTTPHEADER.VIA, ""), re.I) is not None
+    retval = False

-    if not retval:
    for vector in WAF_ATTACK_VECTORS:
        page, headers, code = get_page(get=vector)
        retval = re.search(r"\Aclose", headers.get("Cneonction", "") or headers.get("nnCoection", ""), re.I) is not None
+        retval = re.search(r"\A(ns_af=|citrix_ns_id|NSC_)", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
+        retval |= re.search(r"\ANS-CACHE", headers.get(HTTPHEADER.VIA, ""), re.I) is not None
        if retval:
            break

--- a/waf/profense.py
+++ b/waf/profense.py
@ -8,12 +8,18 @@ See the file 'doc/COPYING' for copying permission
 import re

 from lib.core.enums import HTTPHEADER
+from lib.core.settings import WAF_ATTACK_VECTORS

 __product__ = "Profense Web Application Firewall (Armorlogic)"

 def detect(get_page):
-    page, headers, code = get_page()
-    retval = re.search(r"Profense", headers.get(HTTPHEADER.SERVER, ""), re.I) is not None
-    if not retval:
+    retval = False
+
+    for vector in WAF_ATTACK_VECTORS:
+        page, headers, code = get_page(get=vector)
        retval = re.search(r"\APLBSID=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
+        retval |= re.search(r"Profense", headers.get(HTTPHEADER.SERVER, ""), re.I) is not None
+        if retval:
+            break
+
    return retval
--- a/waf/teros.py
+++ b/waf/teros.py
@ -8,9 +8,17 @@ See the file 'doc/COPYING' for copying permission
 import re

 from lib.core.enums import HTTPHEADER
+from lib.core.settings import WAF_ATTACK_VECTORS

 __product__ = "Teros/Citrix Application Firewall Enterprise (Teros/Citrix Systems)"

 def detect(get_page):
-    page, headers, code = get_page()
-    return re.search(r"\Ast8(id|_wat|_wlf)", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
+    retval = False
+
+    for vector in WAF_ATTACK_VECTORS:
+        page, headers, code = get_page(get=vector)
+        retval = re.search(r"\Ast8(id|_wat|_wlf)", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
+        if retval:
+            break
+
+    return retval
--- a/waf/trafficshield.py
+++ b/waf/trafficshield.py
@ -8,9 +8,18 @@ See the file 'doc/COPYING' for copying permission
 import re

 from lib.core.enums import HTTPHEADER
+from lib.core.settings import WAF_ATTACK_VECTORS

 __product__ = "TrafficShield (F5 Networks)"

 def detect(get_page):
-    page, headers, code = get_page()
-    return (re.search(r"\AASINFO=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) or re.search(r"F5-TrafficShield", headers.get(HTTPHEADER.SERVER, ""), re.I)) is not None
+    retval = False
+
+    for vector in WAF_ATTACK_VECTORS:
+        page, headers, code = get_page(get=vector)
+        retval = re.search(r"F5-TrafficShield", headers.get(HTTPHEADER.SERVER, ""), re.I) is not None
+        retval |= re.search(r"\AASINFO=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
+        if retval:
+            break
+
+    return retval