attack_page_getter.py
"""
Author: Avinash Sudhodanan
Contact: [email protected]
Project: ElasTest, COSI
Description: This code can be included as a library
to identify the ways to differentiate between
two different HTTP responses
"""
from pprint import pprint
import xlrd # Reading an excel file using Python
import os
import re
# --------------------------------------------------------------------- #
# Constants
# --------------------------------------------------------------------- #
# Absolute directory holding this module; the "reports" workbooks are looked up beneath it.
BASE_DIR = os.path.split(os.path.abspath(__file__))[0]
# --------------------------------------------------------------------- #
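class COSIAttackFinder(object):
    """Look up inclusions whose observable behaviour differs between two HTTP responses.

    Each response ("state") is described by its status code, X-Content-Type-Options,
    content type, X-Frame-Options and Content-Disposition values. For Firefox the
    answer comes from per-tag workbooks of recorded events under BASE_DIR/reports;
    for Chrome and Opera a fixed prefetch-based entry is produced from the status
    codes alone. An empty result means the recorded data shows no difference for
    the two responses that were described.
    """

    # Workbook columns as read by the events_fired lookup.
    _COL_INCLUSION = 2
    _COL_RES_CODE = 3
    _COL_CTO = 4
    _COL_CTYPE = 5
    _COL_XFO = 6
    _COL_CD = 7
    _COL_EVENTS = 8
    _COL_BROWSER = 9
    _COL_BROWSER_VERSION = 10

    def __init__(self, *args, **kwargs):
        """Create a finder.

        Args:
            debug: optional keyword; when true, intermediate matches are printed.
        """
        # "debug" has to be removed before delegating: object.__init__() rejects
        # unknown keyword arguments, so forwarding it made debug=True raise TypeError.
        self._debug = kwargs.pop("debug", False)
        super(COSIAttackFinder, self).__init__(*args, **kwargs)

    @staticmethod
    def strlist_to_list(strlist):
        """Converts a string representation of list to a list

        The cell text is parsed by plain string splitting; it is never evaluated,
        so spreadsheet content cannot run as code here.

        Args:
            strlist: string representation of the list, e.g. "['load', 'error']"
        Returns:
            The list of items with surrounding whitespace and single quotes removed.
            Note that "[]" yields [''] (one empty string), not an empty list.
        """
        inner = strlist.lstrip('[').rstrip(']')
        return [item.strip().strip('\'') for item in inner.split(',')]

    @staticmethod
    def open_workbook(location):
        """Returns the 0th sheet of a .xlsx workbook

        NOTE(review): xlrd 2.0 and later read only .xls files, so opening the
        .xlsx reports this module expects needs an older xlrd release or a
        different reader. Pin the dependency explicitly rather than relying on
        whatever version happens to be installed.

        Args:
            location: the location of the .xlsx workbook
        Returns:
            The first sheet of the workbook, as returned by xlrd
        """
        workbook = xlrd.open_workbook(location)
        return workbook.sheet_by_index(0)

    def _clean_event_props(self, inclusion_str):
        """Strip inline event-handler attributes (on...="...") from an inclusion string.

        NOTE(review): ".*" is greedy and does not cross newlines, so everything from
        the first handler up to the last double quote on that line is removed,
        including any attributes that follow the handler. Confirm this is intended.
        """
        pattern = r"on[A-Za-z]+=\".*\""
        return re.sub(pattern, "", inclusion_str)

    def _row_matches(self, sheet, row, state, browser, browser_version):
        """Tell whether a workbook row was recorded for the given state and browser.

        `state` is the tuple (res_code, cto, ctype, xfo, cd). All fields are compared
        for equality with the cell value, except Content-Disposition, where the cell
        value only has to occur inside the state's value.
        """
        res_code, cto, ctype, xfo, cd = state
        # presumably the sheet stores these fields as text; a numeric cell would
        # come back from xlrd as a float and never equal "200" - verify against the data
        return (res_code == sheet.cell_value(row, self._COL_RES_CODE) and
                cto == sheet.cell_value(row, self._COL_CTO) and
                ctype == sheet.cell_value(row, self._COL_CTYPE) and
                xfo == sheet.cell_value(row, self._COL_XFO) and
                sheet.cell_value(row, self._COL_CD) in cd and
                browser == sheet.cell_value(row, self._COL_BROWSER) and
                browser_version == sheet.cell_value(row, self._COL_BROWSER_VERSION))

    def _events_fired_entry(self, inclusion, events_a, events_b):
        """Build one result dictionary for the events_fired method."""
        return {"inclusion" : self._clean_event_props(inclusion),
                "method" : "events_fired",
                "state_a_events" : events_a,
                "state_b_events" : events_b}

    def _events_fired_attacks(self, state_a, state_b, browser, browser_version):
        """Scan the per-tag workbooks for inclusions whose recorded events differ."""
        found = []
        reports_dir = os.path.join(BASE_DIR, "reports")
        for efc_tag in ["script", "img", "iframe", "object", "link"]:
            # `browser` reaches this file name only after the caller has checked it
            # against a fixed list, so it cannot steer the path outside reports/.
            workbook_name = efc_tag + "_tag_test_log_" + browser + ".xlsx"
            sheet = self.open_workbook(os.path.join(reports_dir, workbook_name))
            if sheet.nrows < 2:
                # Row 0 is skipped below (presumably a header); nothing to scan.
                continue
            # Inclusion of the first scanned row (row 1, inclusion column).
            previous_inclusion = sheet.cell_value(1, self._COL_INCLUSION)
            events_a = None
            events_b = None
            # Rows are grouped by consecutive equal inclusion values; this assumes
            # the workbook keeps all rows of one inclusion together.
            for row in range(1, sheet.nrows):
                inclusion = sheet.cell_value(row, self._COL_INCLUSION)
                if inclusion != previous_inclusion:
                    if self._debug:
                        print("")
                    if events_a is not None and events_b is not None and events_a != events_b:
                        found.append(self._events_fired_entry(previous_inclusion, events_a, events_b))
                    # Start the next inclusion with no recorded events. The earlier code
                    # cleared two unused variables instead, so events of one inclusion
                    # could be reported again under a later one.
                    events_a = None
                    events_b = None
                    previous_inclusion = inclusion
                if self._row_matches(sheet, row, state_a, browser, browser_version):
                    events_a = self.strlist_to_list(sheet.cell_value(row, self._COL_EVENTS))
                    events_a.sort()
                    if self._debug:
                        print(events_a)
                if self._row_matches(sheet, row, state_b, browser, browser_version):
                    events_b = self.strlist_to_list(sheet.cell_value(row, self._COL_EVENTS))
                    events_b.sort()
                    if self._debug:
                        print(events_b)
            # The last inclusion of the sheet has no following row to trigger the check.
            if events_a is not None and events_b is not None and events_a != events_b:
                if self._debug:
                    print (events_a is not events_b)
                    print(type(events_a),type(events_b))
                found.append(self._events_fired_entry(previous_inclusion, events_a, events_b))
        return found

    @staticmethod
    def _appcache_attacks(state_a_res_code, state_b_res_code):
        """Return the fixed prefetch entry when exactly one state answers 2xx and the other 3xx/4xx/5xx."""
        failing = ("3", "4", "5")
        inclusion = "<link rel=\"prefetch\" href=\"SD_URL\">"
        if state_a_res_code.startswith("2") and state_b_res_code.startswith(failing):
            return [{"inclusion" : inclusion,
                     "method" : "appcache",
                     "state_a_events" : [],
                     "state_b_events" : ["error"]}]
        if state_b_res_code.startswith("2") and state_a_res_code.startswith(failing):
            return [{"inclusion" : inclusion,
                     "method" : "appcache",
                     "state_a_events" : ["error"],
                     "state_b_events" : []}]
        return []

    def get_attack_inclusion(self,
                             state_a_res_code, state_a_cto, state_a_ctype, state_a_xfo, state_a_cd,
                             state_b_res_code, state_b_cto, state_b_ctype, state_b_xfo, state_b_cd,
                             browser, browser_version):
        """Returns the inclusions that can be performed for
        differentiating between the two input states

        Args:
            state_a_res_code: the HTTP response code of State A
            state_a_cto: the HTTP response's X-Content-Type-Options settings of State A
            state_a_ctype: the HTTP response content type of State A
            state_a_xfo: the HTTP response's X-Frame-Options settings of State A
            state_a_cd: the HTTP response's Content-Disposition header's value for State A
            state_b_res_code: the HTTP response code of State B
            state_b_cto: the HTTP response's X-Content-Type-Options settings of State B
            state_b_ctype: the HTTP response content type of State B
            state_b_xfo: the HTTP response's X-Frame-Options settings of State B
            state_b_cd: the HTTP response's Content-Disposition header's value for State B
            browser: the browser the lookup is for; "firefox" uses the recorded
                workbooks, "chrome" and "opera" use the status-code rule, any
                other value yields an empty list
            browser_version: the browser version, compared with the workbook rows
        Returns:
            A list of dictionaries where each item represents an inclusion strategy.
            Each dictionary item has the following keys
                inclusion: the markup of the inclusion. Workbook entries are returned
                    with inline event handlers stripped and are expected to carry the
                    placeholder INCLUDED_URL; the appcache entry carries SD_URL
                method: "events_fired" or "appcache"
                state_a_events: events recorded for State A (sorted for events_fired)
                state_b_events: events recorded for State B (sorted for events_fired)
        """
        state_a = (state_a_res_code, state_a_cto, state_a_ctype, state_a_xfo, state_a_cd)
        state_b = (state_b_res_code, state_b_cto, state_b_ctype, state_b_xfo, state_b_cd)
        cosi_attacks = []
        if browser in ["firefox"]:
            cosi_attacks.extend(
                self._events_fired_attacks(state_a, state_b, browser, browser_version))
        if browser in ["chrome", "opera"]:
            cosi_attacks.extend(self._appcache_attacks(state_a_res_code, state_b_res_code))
        if self._debug:
            print("\nThe following are the matches:")
            pprint(cosi_attacks)
        return cosi_attacks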
if __name__ == "__main__":
    # Sample lookup: State A is a 200 PDF response served inline, State B a 302
    # HTML response, both for Chrome 60.0. The returned list is discarded.
    STATE_A = ("200", "enabled", "application/pdf", "disabled", "inline")
    STATE_B = ("302", "enabled", "text/html", "disabled", "disabled")
    OBJECT_CAF = COSIAttackFinder()
    OBJECT_CAF.get_attack_inclusion(*(STATE_A + STATE_B + ("chrome", "60.0")))