Ignore Google analytics cookies

2025-01-23 15:54:24 +03:00 · 2013-12-04 09:56:37 +01:00 · 2013-12-04 09:56:37 +01:00 · bf3fbb0ae0
commit bf3fbb0ae0
parent dd2ddec79a
3 changed files with 9 additions and 3 deletions
--- a/lib/controller/controller.py
+++ b/lib/controller/controller.py
@ -54,6 +54,7 @@ from lib.core.settings import DEFAULT_GET_POST_DELIMITER
 from lib.core.settings import EMPTY_FORM_FIELDS_REGEX
 from lib.core.settings import IGNORE_PARAMETERS
 from lib.core.settings import LOW_TEXT_PERCENT
+from lib.core.settings import GOOGLE_ANALYTICS_COOKIE_PREFIX
 from lib.core.settings import HOST_ALIASES
 from lib.core.settings import REFERER_ALIASES
 from lib.core.settings import USER_AGENT_ALIASES
@ -452,7 +453,7 @@ def start():
                            logger.info(infoMsg)

                        # Ignore session-like parameters for --level < 4
-                        elif conf.level < 4 and parameter.upper() in IGNORE_PARAMETERS:
+                        elif conf.level < 4 and (parameter.upper() in IGNORE_PARAMETERS or parameter.upper().startswith(GOOGLE_ANALYTICS_COOKIE_PREFIX)):
                            testSqlInj = False

                            infoMsg = "ignoring %s parameter '%s'" % (place, parameter)
--- a/lib/core/common.py
+++ b/lib/core/common.py
@ -97,6 +97,7 @@ from lib.core.settings import ERROR_PARSING_REGEXES
 from lib.core.settings import FORCE_COOKIE_EXPIRATION_TIME
 from lib.core.settings import FORM_SEARCH_REGEX
 from lib.core.settings import GENERIC_DOC_ROOT_DIRECTORY_NAMES
+from lib.core.settings import GOOGLE_ANALYTICS_COOKIE_PREFIX
 from lib.core.settings import HASHDB_MILESTONE_VALUE
 from lib.core.settings import HOST_ALIASES
 from lib.core.settings import INFERENCE_UNKNOWN_CHAR
@ -556,8 +557,9 @@ def paramToDict(place, parameters=None):
                testableParameters[parameter] = "=".join(parts[1:])
                if not conf.multipleTargets:
                    _ = urldecode(testableParameters[parameter], convall=True)
-                    if _.strip(DUMMY_SQL_INJECTION_CHARS) != _\
-                        or re.search(r'\A9{3,}', _) or re.search(DUMMY_USER_INJECTION, _):
+                    if (_.strip(DUMMY_SQL_INJECTION_CHARS) != _\
+                      or re.search(r'\A9{3,}', _) or re.search(DUMMY_USER_INJECTION, _))\
+                      and not parameter.upper().startswith(GOOGLE_ANALYTICS_COOKIE_PREFIX):
                        warnMsg = "it appears that you have provided tainted parameter values "
                        warnMsg += "('%s') with most probably leftover " % element
                        warnMsg += "chars/statements from manual SQL injection test(s). "
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@ -340,6 +340,9 @@ IGNORE_PARAMETERS = ("__VIEWSTATE", "__VIEWSTATEENCRYPTED", "__EVENTARGUMENT", "
 # Regular expression used for recognition of ASP.NET control parameters
 ASP_NET_CONTROL_REGEX = r"(?i)\Actl\d+\$"

+# Prefix for Google analytics cookie names
+GOOGLE_ANALYTICS_COOKIE_PREFIX = "__UTM"
+
 # Turn off resume console info to avoid potential slowdowns
 TURN_OFF_RESUME_INFO_LIMIT = 20