Commit 417094e2 authored by Russ Fish's avatar Russ Fish

Checkpoint.

parent c3ac79df
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2006 University of Utah and the Flux Group.
# All rights reserved.
#
all: src_forms spider forms_coverage input_coverage probes
SRCDIR = @srcdir@
TESTBED_SRCDIR = @top_srcdir@
OBJDIR = ../..
SUBDIR = www/sec-check
SRCWWW = $(TESTBED_SRCDIR)/www
OURDOMAIN = @OURDOMAIN@
EinE_proj = testbed
EinE_exp = vulnElab
EinE_boss = myboss
#================================================================
# Grep the sources for <form and make up a list of php form files.
src_forms: src_list src_count src_msg
# All of the forms lines.
SRC_FORMS = $(SRCSC)/src_forms.list
# Just the files list.
SRC_FILES = $(SRCSC)/src_files.list
src_list: $(SRC_FILES)
# Ignore any Emacs backup files with tilde's in the filenames.
$(SRC_FORMS) $(SRC_FILES):
(cd $(SRCWWW); \
find . -maxdepth 1 -name '*.php*' -print0 | \
xargs -0 grep -n '<form' | fgrep -v /save/ | \
sed '/^[^:]*~/d' | sort) > $(SRC_FORMS)
sed -e 's|^[^:]*/||' -e 's|:.*||' $(SRC_FORMS) > $(SRC_FILES)
SRC_COUNT = $(SRCSC)/src_files.count
src_count: $(SRC_COUNT)
$(SRC_COUNT): $(SRC_FILES)
sed 's|^\./\([^:]*\):.*|\1|' $(SRC_FILES) | \
sort -u | wc -l > $(SRC_COUNT)
src_msg: src_count
@echo "** `wc -l < $(SRC_FORMS)` separate forms" \
"are on `cat $(SRC_COUNT)` code pages. **"
#================================================================
# Spider a copy of the EinE site with wget and extract its forms list.
spider: clear_wget_dir login admin do_spider site_list site_count site_msg
WGETDIR = admin.wget
# Login info for the inner Emulab.
uid = $(USER)
### It's better to log in a browser and change your password in Edit Profile
### in the inner Elab to this string, than to put your real password here.
pswd = EinE_tmp
dom = $(EinE_proj).$(OURDOMAIN)
svr = $(EinE_boss).$(EinE_exp).$(dom)
root = http://$(svr)
sroot = https://$(svr)
# These are used only in the $(WGETDIR).
COOKIES = cookies.txt
sv_cookies = --save-cookies $(COOKIES)
ld_cookies = --load-cookies $(COOKIES)
wget_args = --keep-session-cookies --no-check-certificate
# Reject these links, which don't have any input fields,
# and don't ask for confirmation before taking action.
top_links = logout.php3,toggle.php
showexp_links = showlogfile.php3
shownode_links = nodetipacl.php3,showconlog.php3,nodessh.php3
rej_links = .txt,$(top_links),$(showexp_links),$(shownode_links)
# Clear out the wget directory.
clear_wget_dir: $(WGETDIR)
$(WGETDIR):
- rm -rf $(WGETDIR).prev
- mv -f $(WGETDIR) $(WGETDIR).prev
mkdir $(WGETDIR)
# Log in and create a current cookies.txt file.
login: $(WGETDIR) $(WGETDIR)/login.php3
$(WGETDIR)/login.php3:
cd $(WGETDIR); \
wget -S -dv $(wget_args) $(sv_cookies) -o login.log -O login.html \
--post-data "uid=$(uid)&password=$(pswd)&login=Login" \
$(sroot)/login.php3
# Log in above, then use this to toggle the admin bit on.
admin: login admin.html
admin.html:
cd $(WGETDIR); \
wget -S -dv $(wget_args) $(ld_cookies) -o admin.log -O admin.html \
"$(sroot)/toggle.php?target_uid=$uid&type=adminon&value=1"
# Finally ready to grab the whole site.
do_spider: $(WGETDIR)/wget.log
$(WGETDIR)/wget.log:
@echo "** Be patient, it's 25 megabytes, at maybe a meg a minute. **"
cd $(WGETDIR); \
wget -r -S $(wget_args) $(ld_cookies) -o wget.log \
-k -D $(dom) -R $(rej_links) -X /downloads,/gallery $(sroot)
du -s $(WGETDIR)
# Extract a list of the active forms in the site.
SITE_FORMS = $(SRCSC)/site_forms.list
SITE_FILES = $(SRCSC)/site_files.list
site_list: $(SITE_FILES)
# Ignore flyspray and Twiki for now.
# Ignore the search box form on every page, we'll treat it separately.
# Remove "get" arg lists following a question-mark from wget filenames.
$(SITE_FORMS) $(SITE_FILES): $(WGETDIR)/wget.log
(cd $(WGETDIR); \
find . \( -name distributions -prune \) \
-o \( -name flyspray -prune \) \
-o \( -name twiki -prune \) \
-o -type f -print0 | xargs -0 grep -n '<form ' | \
fgrep -v /search.php3 ) | sort -u > $(SITE_FORMS)
sed -e 's|^[^:]*/||' -e 's|[:?].*||' $(SITE_FORMS) | \
uniq > $(SITE_FILES)
SITE_COUNT = $(SRCSC)/site_forms.count
site_count: $(SITE_COUNT)
$(SITE_COUNT): $(SITE_FILES)
sed 's|^\./\([^:]*\):.*|\1|' $(SITE_FILES) | \
sort -u | wc -l > $(SITE_COUNT)
site_msg: site_count
@echo "** `wc -l < $(SITE_FORMS)` forms instances" \
"are in `cat $(SITE_COUNT)` web pages. **"
#================================================================
# Compare the two lists to find uncovered (unlinked) forms.
forms_coverage: files_missing forms_msg
FILES_MISSING = $(SRCSC)/files_missing.list
files_missing: $(FILES_MISSING)
$(FILES_MISSING): src_count site_count
diff $(SRC_FILES) $(SITE_FILES) | grep '^[<>]' > $(FILES_MISSING)
forms_msg: src_msg site_msg
@echo "** `wc -l < $(FILES_MISSING)` forms files are not covered. **"
# Look at files_missing.list and see README-howto.txt for the
# procedure to activate coverage of more forms.
#================================================================
# Grep spidered forms for <input definitions and devise acceptable values.
input_coverage: input_list input_msg gen_normal run_normal
SITE_INPUTS = $(SRCSC)/site_inputs.list
INPUT_NAMES = $(SRCSC)/input_names.list
INPUT_VALUES = $(SRCSC)/input_values.list
input_list: $(INPUT_NAMES)
# Extract input fields from the files from wget.
# Canonicalize and reorder: <input type=.* name=.* value=.* .*>
$(SITE_INPUTS):
@(cd $(WGETDIR); \
gawk -f ../$(SRCSC)/form-input.awk \
$(shell sed -e "s/:.*//" -e "s/.*/'&'/" $(SITE_FORMS) ) \
) > $(SITE_INPUTS)
# Get unique field names. We only care about type="text" for now.
$(INPUT_NAMES): $(SITE_INPUTS)
awk '/type="text"/{print $$3}' $(SITE_INPUTS) | \
sort -u > $(INPUT_NAMES)
input_msg: input_list
@echo "** `wc -l < $(INPUT_NAMES)` unique input field names. **"
# Copy input_names.list to input_values.list .
# Edit value= clauses onto the lines.
# Convert the list to WebInject XML test cases submitting input field values.
NORMAL_URLS = $(SRCSC)/site_normal.urls
NORMAL_CASES = $(SRCSC)/normal_cases.xml
gen_normal: $(NORMAL_CASES)
$(NORMAL_URLS): $(SITE_INPUTS) $(SITE_VALUES)
gawk -f $(SRCSC)/forms-to-urls -v VALUES=$(SITE_VALUES) \
$(SITE_INPUTS) > $(NORMAL_URLS)
$(NORMAL_CASES): $(NORMAL_URLS)
gawk -f $(SRCSC)/urls-to-webinject $(NORMAL_URLS) > $(NORMAL_CASES)
# Test using WebInject until "normal" input tests work properly in all forms.
NORMAL_OUTPUT = $(SRCSC)/normal_output.xml
run_normal: $(NORMAL_OUTPUT)
$(NORMAL_OUTPUT): $(NORMAL_CASES)
(cd $(SRCSC)/webinject;
webinject.pl ../$(NORMAL_CASES);
mv results.xml ../$(NORMAL_OUTPUT)
#================================================================
# Probe the checking code of all input fields for SQL injection holes.
probes: gen_probes run_probes
# Generate WebInject cases with SQL injection probes in individual fields.
# Probe strings include form and field names that caused the hole.
PROBE_URLS = $(SRCSC)/site_probe.urls
PROBE_CASES = $(SRCSC)/probe_cases.xml
gen_probes: $(PROBE_CASES)
$(PROBE_URLS): $(SITE_INPUTS) $(SITE_VALUES)
gawk -f $(SRCSC)/forms-to-urls -v PROBE=1 -v VALUES=$(SITE_VALUES) \
$(SITE_INPUTS) > $(PROBE_URLS)
$(PROBE_CASES): $(PROBE_URLS)
gawk -f $(SRCSC)/urls-to-webinject $(PROBE_URLS) > $(PROBE_CASES)
# Run the probes through webinject.
# Successfully caught cases should produce "invalid input" warnings.
# Potential penetrations will log SQL errors with the form/field name.
PROBE_OUTPUT = $(SRCSC)/probe_output.xml
run_probes: $(PROBE_OUTPUT)
$(PROBE_OUTPUT): $(PROBE_CASES)
(cd $(SRCSC)/webinject;
webinject.pl ../$(PROBE_CASES);
mv results.xml ../$(PROBE_OUTPUT)
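Review bot: The admin toggle URL in the `admin.html` recipe uses `$uid`, which Make reads as `$(u)` followed by the literal `id` and so sends an empty `target_uid`; it should be `$(uid)` as in the login recipe. The two webinject recipes (`$(NORMAL_OUTPUT)` and `$(PROBE_OUTPUT)`) put `(cd $(SRCSC)/webinject;` on a line of its own with no trailing backslash, so each line runs in a separate shell, the unbalanced parenthesis is a shell syntax error, and the `webinject.pl` and `mv` lines never run in that directory; joining them as `cd $(SRCSC)/webinject && webinject.pl ../$(NORMAL_CASES) && mv results.xml ../$(NORMAL_OUTPUT)` (and likewise for the probe rule) fixes both. `$(SRCSC)` and `$(SITE_VALUES)` are referenced but not assigned anywhere in this file as shown (`INPUT_VALUES` is the name that is defined), which, unless something outside this file sets them, makes every list file land at the filesystem root. Separately, `wget -dv` with `--post-data` records the full request, including the `pswd` value and the session cookie, in `login.log`, so that file and `cookies.txt` should be kept out of version control and not left readable to other users; `wget_args` also passes `--no-check-certificate`, which is acceptable for the inner test instance but should not be reused against a production site.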
sec-check/README-howto.txt - Documentation outline.
- Overview
. Purpose: Locate and plug all SQL injection holes in the Emulab web pages.
- Guide plugging them and find any new ones we introduce.
. Method: Combine white-box and black-box testing, with automation.
- Background
. Ref "The OWASP Top Ten Project"
http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
- "The OWASP Top Ten represents a broad consensus about what the most
critical web application security flaws are."
- The first flaw on the list (many others are consequences of this one.)
"A1 Unvalidated Input -
Information from web requests is not validated before being used by a
web application. Attackers can use these flaws to attack backend
components through a web application."
http://www.owasp.org/index.php/Unvalidated_Input
- One of the consequences:
"A6 Injection Flaws -
Web applications pass parameters when they access external systems
or the local operating system. If an attacker can embed malicious
commands in these parameters, the external system may execute those
commands on behalf of the web application."
http://www.owasp.org/index.php/Injection_Flaws
- More details:
. The OWASP Guide Project
http://www.owasp.org/index.php/Category:OWASP_Guide_Project
. Guide Table of Contents
http://www.owasp.org/index.php/Guide_Table_of_Contents
- Data Validation
http://www.owasp.org/index.php/Data_Validation
. Data Validation Strategies
http://www.owasp.org/index.php/Data_Validation#Data_Validation_Strategies
. Prevent parameter tampering
http://www.owasp.org/index.php/Data_Validation#Prevent_parameter_tampering
. Hidden fields
http://www.owasp.org/index.php/Data_Validation#Hidden_fields
- Interpreter Injection
http://www.owasp.org/index.php/Interpreter_Injection
. SQL Injection
http://www.owasp.org/index.php/Interpreter_Injection#SQL_Injection
- Forms coverage
. Grep the sources for <form and make up a list of php form files.
gmake src_forms
- 105 separate forms are on 95 php code pages (plus 7 "extras" on Boss.)
. Spider a copy of the EinE site with wget and extract its forms list.
gmake spider
gmake site_forms
- 40 "base" forms are visible once logged in as user, 47 with admin on.
. Compare the two lists to find uncovered (unlinked) forms.
gmake forms_coverage
. Create a script to activate the EinE site to turn on all forms.
- Look in the sources to find where the missing links should be.
- Connect to the EinE site from a browser through Spike Proxy.
- Interactively create DB state that will elicit the uncovered forms.
. Projects/users awaiting approval,
. Experiments swapped in with active nodes, and so on.
- Capture a list of URL's along with Get or Post inputs for automation.
- Convert the list into an wget script and/or WebInject test cases.
. Re-spider and compare until everything is covered (no more missing forms.)
gmake spider
gmake forms_msg
- Input fields coverage
. Grep spidered forms for <input definitions and devise acceptable values.
gmake input_coverage
- 1631 <input lines in admin-base, 511 unique, with 156 unique field names.
- But only 78 of the unique field names are text fields.
. Convert the list to WebInject XML test cases submitting input field values.
. Test using WebInject until "normal" input tests work properly in all forms.
- Probe the checking code of all input fields for SQL injection holes
. Generate WebInject cases with SQL injection probes in individual fields.
Probe strings include form and field names that caused the hole.
. Successfully caught cases should produce "invalid input" warnings.
. Potential penetrations will log SQL errors with the form/field name.
- Plug all of the holes by adding or fixing input validation logic.
. Re-run probes to check.
. Re-do it periodically, as the system evolves.
#! /usr/bin/awk -f
FNR == 1 {
form=0;
# Exempt forms in twik and flyspray files.
exempt = FILENAME ~ "/(twiki|flyspray)/";
if ( exempt ) next;
if (NR != 1) printf "\n";
print FILENAME;
}
/<form/ && ! exempt && !/action=[^ ]*\/search.php3/ {
form=1;
sub(".*<form", "<form"); # Put <form at beginning of line.
sub("[ \t]on[a-zA-Z]+=.*['\"]", "", $0 ); # Skip Javascript.
while ( !match($0, ">") ) { # Multi-line <form statements.
sub("[ \t]*$", " "); # Single space at end of line.
getline ln;
sub("[ \t]on[a-zA-Z]+=.*['\"]", "", ln ); # Skip Javascript.
sub("^[ \t]*", "", ln); # No space on start of new line.
$0 = $0 ln;
}
sub(">.*", ">"); # Leave only <form ... > on the line.
print;
}
form && /<input/ {
sub(".*<input", "<input"); # Put <input at beginning of line.
sub("[ \t]on[a-zA-Z]+=.*['\"]", "", $0 ); # Skip Javascript.
while ( !match($0, ">") ) { # Multi-line <input statements.
sub("[ \t]*$", " "); # Single space at end of line.
getline ln;
sub("[ \t]on[a-zA-Z]+=.*['\"]", "", ln ); # Skip Javascript.
sub("^[ \t]*", "", ln); # No space on start of new line.
$0 = $0 ln;
}
sub(">.*", ">"); # Leave only <input ... > on the line.
# Canonicalize.
sub("type=readonly", "type=text"); # There is no readonly type, text is default.
# Convert single-quoted type and name values to double quotes.
$0 = gensub("(name|type)='([^']+)'", "\\1=\"\\2\"", "g");
# Quote unquoted values.
$0 = gensub("(name|type|value)=([^'\"][^ >]+)", "\\1=\"\\2\"", "g");
# Reorder: <input type=.* name=.* value=.* .*>
$0 = gensub("<input (.*)value=('[^']+'|\"[^\"]+\")", "<input value=\\2 \\1", 1);
$0 = gensub("<input (.*)name=('[^']+'|\"[^\"]+\")", "<input name=\\2 \\1", 1);
$0 = gensub("<input (.*)type=('[^']+'|\"[^\"]+\")", "<input type=\\2 \\1", 1);
gsub(" *", " "); # Collapse extra spaces.
print;
}
/<\/form/ { form=0 }
{next}
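Review bot: The final `gsub(" *", " ")` in the `<input` block can match the empty string, so gawk also substitutes a space between every pair of characters and the canonicalized line comes out as `" < i n p u t ..."`; the Makefile's later `awk '/type="text"/{print $3}'` step would then match nothing, and `gsub("  +", " ")` (two spaces then `+`) or `gsub(" +", " ")` is what was intended. The Javascript-stripping `sub("[ \t]on[a-zA-Z]+=.*['\"]", "", $0)` calls are greedy and remove everything from the first `on...=` attribute through the last quote on the line, so a `name=` or `value=` attribute that follows an `onclick` handler is lost before the reorder step; matching only the quoted handler value, e.g. `"[ \t]on[a-zA-Z]+=('[^']*'|\"[^\"]*\")"`, keeps them. The `gensub` calls also mean the script needs gawk rather than the `/usr/bin/awk` named in the shebang, which is worth a one-line comment at the top since the Makefile does invoke it via `gawk -f`.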
source tb_compat.tcl
set ns [new Simulator]
tb-elab-in-elab 1
namespace eval TBCOMPAT {
set elabinelab_hardware("boss") pc3000
set elabinelab_hardware("ops") pc3000
set elabinelab_maxpcs 1
set elabinelab_nodeos("boss") FBSD61-STD
set elabinelab_nodeos("ops") FBSD61-STD
}
$ns run
WebInject
Copyright 2004, 2005, 2006 Corey Goldberg (corey@goldb.org)
For information and documentation, visit the website at http://www.webinject.org
---------------------------------
Release History:
Version 1.41 - Jan 4, 2006
- Added ability to add multiple HTTP Headers within an 'addheader' testcase parameter
- Added 'addheader' testcase parameter to GET requests (previously only supported POST)
- Fixed GUI layout for high dpi displays
- Bugfixes for 'verifyresponsecode' and 'errormessage' parameters
Version 1.40 - Dec 6, 2005
- Support for Web Services (SOAP/XML)
- Added XML parser for parsing and verification of XML responses (web services)
- Support for 'text/xml' and 'application/soap+xml' Content-Type (web services)
- Added new 'addheader' testcase parameter so you can specify an additional HTTP Header field for requests
- Support for setting variables/constants within test case files
- Added ability to call generic external Perl plugins for easier integration and post-processing
- More detail added to XML output
- Code refactoring
Version 1.35 - April 4, 2005
- New command line option (-o) to specify location for writing output files (http.log, results.html, and results.xml)
- Nagios plugin performance data support
- Allows multiple 'httpauth' elements in config files to support multiple sets of HTTP Authentication credentials
- New 'verifyresponsecode' test case parameter for HTTP Response Code verification
- Additional 'baseurl' elements supported in the config file
- Additional verification parameters supported in test cases
- Added -V command line option (same as -v) to print version info (necessary for it to run with Moodss)
- Code refactoring
Version 1.34 - Feb 10, 2005
- MRTG External Monitoring Script (Plugin) compatibility
- Bugfix for using comment tags in config files
- Suppress logging when running in plugin mode
- Changed default standalone plot mode to OFF
Version 1.33 - Jan 26, 2005
- Nagios Plugin compatibility
- Support for multipart/form-data encoded POSTs (file uploads)
- Updated results.html output so it is valid XHTML
Version 1.32 - Jan 14, 2005
- Bugfix for erroneous dummy test case printing in GUI status
- Bugfix for warning that appeared when running GUI with Perl in -w mode
Version 1.31 - Jan 11, 2005
- Bugfix for errors and broken status bar in GUI
Version 1.30 - Jan 07, 2005
- HTTP Basic Authentication support
- No longer forced to have test cases in strict incremental numbered order
- Source code compiles with the "use strict" pragma
- Ability to run engine from a different directory using alternate test case and config files
- Comments allowed in config file using <commment></comment> tags
- Other config.xml options are still used when you pass a test case filename as a command line argument
- New config option to change response delay timeout <timeout></timeout>
- New test case parameter to add a custom error message
- Added separators to http.log for readability
- Enhanced command line options/switches
- Nagios Plugin compatibility (beta)
- More verbose error handling when running from command line
- Ability to handle reserved XML character "<" within test cases by escaping it with a backslash "<"
- Changed output when using XPath notation from command line
- Bugfix for proxy support
- Bugfix for sending a parsed value in a POST body
- Bugfix for erroneous errors when running from command line
- Bugfix for warnings that appeared when running with Perl in -w mode
- Code refactoring
Version 1.20 - Sept 27, 2004
- Real-time response time monitoring (stats display and integration with gnuplot for plot/graph)
- Added tabbed layout to GUI with 'Status' and 'Monitor' windows
- Added 'Stop' button to GUI to halt execution
- New testcase parameter 'sleep', to throttle execution
- Added timer summary to HTML report
- Removed HTML tags from STDOUT display and cleaned up formatting
- GUI enhancements
- Code refactoring
Version 1.12 - July 28, 2004
- New test case file parameter 'repeat', to run a test case file multiple times
- Added GUI options for Minimal Output and Response Timer Output
- New config.xml parameter to define a custom User-Agent string to be sent in HTTP headers
- Added XPath Node selection to optional command line parameters
- Bugfix for GUI Restart button
Version 1.10 - June 23, 2004
- Added XML formatted output (results.xml is created each run)
- New config.xml parameter for HTTP logging
- More detailed pass/fail status to HTML report
- Redefined criteria for test case pass/pail
- Results summary and additional formatting to STDOUT (for standalone mode)
- Minor code refactoring
Version 0.95 - May 17, 2004
- Added Restart button to GUI
- Added 5 additional parsing parameters/variables to use in test cases
- Fixes to GUI positioning
Version 0.94 - April 29, 2004
- Bugfix for malformed HTTP Post
- Added colors to status window text
Version 0.93 - March 22, 2004
- Dynamic response parsing support cookieless session handling
- Added version number to GUI window title bar
Version 0.92 - March 05, 2004
- Minor bug fixes
- Added status light to GUI
- New config.xml parameter for HTTP proxy support
- New config.xml parameter for Baseurl constant
Version 0.91 - Feb 23, 2004
- Decoupled GUI (webinjectgui) from Test Engine (webinject) so engine can run standalone
- Testcase name can be passed on command line as well as via config.xml
- Code cleanup
- Output sent to STDOUT as well as reports (for standalone mode)
Version 0.90 - Feb 19, 2004
- Initial public beta release
- Contains SSL/TLS support
- Perl/Tk GUI
- Automatic cookie handling
---------------------------------
<testcasefile>testcases.xml</testcasefile>
<globalhttplog>onfail</globalhttplog>
<gnuplot>/usr/local/bin/gnuplot</gnuplot>
<testcases repeat="1">
<case
id="1"
description1="SAMPLE TEST CASE - load WebInject dev page"
description2="verify string 'Corey Goldberg' exists in response"
method="get"
url="http://www.webinject.org/dev.html"
verifypositive="Corey Goldberg"
/>
<case
id="2"
description1="SAMPLE [NEGATIVE] TEST CASE - load WebInject dev page"
description2="verify string 'bogus string' does not exist in response"
method="get"
url="http://www.webinject.org/dev.html"
verifynegative="bogus string"
/>
<case
id="3"
description1="SAMPLE TEST CASE THAT FAILS - load bogus page"
description2="case should fail with an HTTP 404 (not found) error"
method="get"
url="http://www.webinject.org/bogus.html"
/>
<case
id="4"
description1="SAMPLE TEST CASE THAT FAILS - valid page with bogus verification"
description2="case should fail"
method="get"
url="http://www.webinject.org/dev.html"
verifypositive="I am a bogus string"
/>
</testcases>
\ No newline at end of file