From bf3fbb0ae0b1d990ea1f799080c77b8b15065cd1 Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Wed, 4 Dec 2013 09:56:37 +0100
Subject: [PATCH] Ignore Google analytics cookies
---
 lib/controller/controller.py | 3 ++-
 lib/core/common.py | 6 ++++--
 lib/core/settings.py | 3 +++
 3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/lib/controller/controller.py b/lib/controller/controller.py
index 7cd6abb04..b0c1e833b 100644
--- a/lib/controller/controller.py
+++ b/lib/controller/controller.py
@@ -54,6 +54,7 @@ from lib.core.settings import DEFAULT_GET_POST_DELIMITER
 from lib.core.settings import EMPTY_FORM_FIELDS_REGEX
 from lib.core.settings import IGNORE_PARAMETERS
 from lib.core.settings import LOW_TEXT_PERCENT
+from lib.core.settings import GOOGLE_ANALYTICS_COOKIE_PREFIX
 from lib.core.settings import HOST_ALIASES
 from lib.core.settings import REFERER_ALIASES
 from lib.core.settings import USER_AGENT_ALIASES
@@ -452,7 +453,7 @@ def start():
 logger.info(infoMsg)
 
 # Ignore session-like parameters for --level < 4
- elif conf.level < 4 and parameter.upper() in IGNORE_PARAMETERS:
+ elif conf.level < 4 and (parameter.upper() in IGNORE_PARAMETERS or parameter.upper().startswith(GOOGLE_ANALYTICS_COOKIE_PREFIX)):
 testSqlInj = False
 
 infoMsg = "ignoring %s parameter '%s'" % (place, parameter)
diff --git a/lib/core/common.py b/lib/core/common.py
index de8c155b0..20a7a1a94 100755
--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -97,6 +97,7 @@ from lib.core.settings import ERROR_PARSING_REGEXES
 from lib.core.settings import FORCE_COOKIE_EXPIRATION_TIME
 from lib.core.settings import FORM_SEARCH_REGEX
 from lib.core.settings import GENERIC_DOC_ROOT_DIRECTORY_NAMES
+from lib.core.settings import GOOGLE_ANALYTICS_COOKIE_PREFIX
 from lib.core.settings import HASHDB_MILESTONE_VALUE
 from lib.core.settings import HOST_ALIASES
 from lib.core.settings import INFERENCE_UNKNOWN_CHAR
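Review bot: The new `startswith(GOOGLE_ANALYTICS_COOKIE_PREFIX)` test in the `elif` of start() never looks at `place`, so at --level < 4 any GET/POST/URI parameter whose name begins with `__utm` is skipped too, not only the cookie the constant is named for; the same place-agnostic check is added to paramToDict in lib/core/common.py. If only cookies are intended, narrow it to `(place == PLACE.COOKIE and parameter.upper().startswith(GOOGLE_ANALYTICS_COOKIE_PREFIX))` (assuming PLACE is imported in this module, which the hunk does not show); if the broader match is deliberate, the comment above the branch should say so, e.g. `# Ignore session-like and Google Analytics (__utm*) parameters for --level < 4`. `parameter.upper()` is now evaluated twice on the same line and could be bound to a local once before the `elif` chain. The enclosing start() body begins and ends outside this hunk.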
@@ -556,8 +557,9 @@ def paramToDict(place, parameters=None):
 testableParameters[parameter] = "=".join(parts[1:])
 if not conf.multipleTargets:
 _ = urldecode(testableParameters[parameter], convall=True)
- if _.strip(DUMMY_SQL_INJECTION_CHARS) != _\
- or re.search(r'\A9{3,}', _) or re.search(DUMMY_USER_INJECTION, _):
+ if (_.strip(DUMMY_SQL_INJECTION_CHARS) != _\
+ or re.search(r'\A9{3,}', _) or re.search(DUMMY_USER_INJECTION, _))\
+ and not parameter.upper().startswith(GOOGLE_ANALYTICS_COOKIE_PREFIX):
 warnMsg = "it appears that you have provided tainted parameter values "
 warnMsg += "('%s') with most probably leftover " % element
 warnMsg += "chars/statements from manual SQL injection test(s). "
diff --git a/lib/core/settings.py b/lib/core/settings.py
index 0c347a77e..1fce8a85f 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -340,6 +340,9 @@ IGNORE_PARAMETERS = ("__VIEWSTATE", "__VIEWSTATEENCRYPTED", "__EVENTARGUMENT", "
 
 # Regular expression used for recognition of ASP.NET control parameters
 ASP_NET_CONTROL_REGEX = r"(?i)\Actl\d+\$"
 
+# Prefix for Google analytics cookie names
+GOOGLE_ANALYTICS_COOKIE_PREFIX = "__UTM"
+
 # Turn off resume console info to avoid potential slowdowns
 TURN_OFF_RESUME_INFO_LIMIT = 20
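Review bot: The rewritten condition in paramToDict mixes a parenthesized group with backslash continuations (the `\` after `!= _` is redundant once the `or` chain is inside parentheses), which makes the trailing `and not ...` easy to misread as one more `or` operand. Binding the tainted-value test first reads more plainly: `isTainted = _.strip(DUMMY_SQL_INJECTION_CHARS) != _ or re.search(r'\A9{3,}', _) or re.search(DUMMY_USER_INJECTION, _)` followed by `if isTainted and not parameter.upper().startswith(GOOGLE_ANALYTICS_COOKIE_PREFIX):`. Note that the suppression is by name only and does not consult `place`, so a non-cookie parameter named `__utm...` with a tainted-looking value appears to get no warning either; the rest of paramToDict, including what follows the warning, lies outside this hunk.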
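Review bot: The comment on the new GOOGLE_ANALYTICS_COOKIE_PREFIX constant should record that its value is upper-case on purpose: both call sites in this commit (start() in lib/controller/controller.py and paramToDict in lib/core/common.py) compare it against `parameter.upper()`, as they do with the upper-case entries of IGNORE_PARAMETERS shown in the hunk header, so a mixed-case value here would silently never match. Suggested comment: `# Upper-case prefix of Google Analytics cookie names (__utma, __utmb, ...); call sites compare it against parameter.upper()`.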