From 3180dcca64b9f454b40cb5bd8487623a03f52739 Mon Sep 17 00:00:00 2001
From: freakyclown
Date: Fri, 2 Jan 2015 14:18:25 +0000
Subject: [PATCH 1/4] Create Find Internal IPs

---
 passive/Find Internal IPs | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 passive/Find Internal IPs

diff --git a/passive/Find Internal IPs b/passive/Find Internal IPs
new file mode 100644
index 00000000..c1a0aff4
--- /dev/null
+++ b/passive/Find Internal IPs
@@ -0,0 +1,34 @@
+// RFC1918 internal IP Finder by freakyclown@gmail.com
+
+function scan(ps, msg, src) {
+ url = msg.getRequestHeader().getURI().toString();
+ alertRisk = 2
+ alertReliability = 2
+ alertTitle = "Private IP address in Body(script)"
+ alertDesc = "A private IP such as 10.x.x.x, 172.x.x.x, 192.168.x.x or IPV6 fe00:: has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems. "
+ alertSolution = "Remove the private IP address from the HTTP response body. For comments, use JSP/ASP comment instead of HTML/JavaScript comment which can be seen by client browsers."
+
+ cweId = 0
+ wascId = 0
+ // regex must appear within /( and )/g
+ re = /((172\.\d{1,3}\.\d{1,3}\.\d{1,3})|(192\.168\.\d{1,3}\.\d{1,3})|(10\.\d{1,3}\.\d{1,3}\.\d{1,3})|([fF][eE][89aAbBcCdDeEfF]::))/g
+
+
+ // you can tell the user in the console we are doing stuff by uncommenting the line below
+ //println('Finding IPs Under: ' + url);
+
+ if (msg) {
+ body = msg.getResponseBody().toString()
+
+ if (re.test(body)) {
+ re.lastIndex = 0 // After testing reset index
+ // Look for IP addresses
+ var foundIP = []
+ while (comm = re.exec(body)) {
+ foundIP.push(comm[0]);
+ }
+ ps.raiseAlert(alertRisk, alertReliability, alertTitle, alertDesc, url, '', '', foundIP.toString(), alertSolution, '', cweId, wascId, msg);
+ }
+
+ }
+}

From 78d60771771dcf60e7da51d507845cedf69438de Mon Sep 17 00:00:00 2001
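Review bot: The `172\.\d{1,3}\.\d{1,3}\.\d{1,3}` alternative in `re` is far wider than RFC 1918, which only reserves 172.16.0.0/12, so every public 172.x.x.x address in a response is reported as a private IP. Tighten it to `172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}` and wrap the whole group in `\b…\b` so that `10.1.2.3` is not lifted out of `210.1.2.3` or out of a version string. The IPv6 alternative `[fF][eE][89aAbBcCdDeEfF]::` only matches the compressed `fe80::`-style prefix and covers fe80–feff (link-local and the deprecated site-local range), whereas the description speaks of `fe00::` and the RFC 4193 unique-local range fc00::/7 is not checked at all; the comment and the pattern should agree on which ranges are intended. `url`, `body`, `re` and `comm` are assigned without `var` and so become implicit globals in the script engine; declaring them keeps one scan from clobbering another.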
From: freakyclown
Date: Fri, 2 Jan 2015 14:31:04 +0000
Subject: [PATCH 2/4] Create Mutliple Security Header Check

---
 passive/Mutliple Security Header Check | 66 ++++++++++++++++++++++++++
 1 file changed, 66 insertions(+)
 create mode 100644 passive/Mutliple Security Header Check

diff --git a/passive/Mutliple Security Header Check b/passive/Mutliple Security Header Check
new file mode 100644
index 00000000..e3ecc36f
--- /dev/null
+++ b/passive/Mutliple Security Header Check
@@ -0,0 +1,66 @@
+// Multiple Security Header checker by freakyclown@gmail.com
+
+
+function scan(ps, msg, src) {
+ url = msg.getRequestHeader().getURI().toString();
+ body = msg.getResponseHeader().toString()
+ alertRisk = [0, 1, 2, 3] //1=informational, 2=low, 3=medium, 4=high
+ alertReliability = [0, 1, 2, 3, 4] //0=fp,1=low,2=medium,3=high,4=confirmed
+ alertTitle = ["Strict Transport Security(STS) Header Not Set (script)",
+ "Content-Security-Policy (script)",
+ "Web Browser XSS Protection Not Enabled (script)",
+ "X-Content-Type-Options Header Missing (script)",
+ "X-Frame-Options Header Not Set (script)",
+ ""
+ ]
+ alertDesc = ["HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). HSTS is an IETF standards track protocol and is specified in RFC 6797.",
+ "Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a standard HTTP header that allows website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.",
+ "Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server",
+ "The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.",
+ "X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.",
+ ""
+ ]
+ alertSolution = ["Ensure that your web server, application server, load balancer, etc. is configured to set Strict Transport Security headers.",
+ "Ensure that your web server, application server, load balancer, etc. is configured to set Content Security Policy headers.",
+ "Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.",
+ "Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages. If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.",
+ "Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).",
+ ""
+ ]
+ cweId = [0, 1]
+ wascId = [0, 1]
+
+ // test sts
+ if (msg.getRequestHeader().isSecure()) {
+ if (msg.getResponseHeader().getHeaders("Strict-Transport-Security") == null)
+ ps.raiseAlert(alertRisk[1], alertReliability[3], alertTitle[0], alertDesc[0], url, '', '', '', alertSolution[0], '', cweId[0], wascId[0], msg);
+ }
+ // test csp
+ if (msg.getResponseHeader().getHeaders(("Content-Security-Policy" && "X-Content-Security-Policy" && "X-WebKit-CSP")) == null)
+ ps.raiseAlert(alertRisk[1], alertReliability[3], alertTitle[1], alertDesc[1], url, '', '', '', alertSolution[1], '', cweId[0], wascId[0], msg);
+
+
+ // test xxs protection
+ re_xss = /(X\-XSS\-Protection\:.+1)/g
+ if (!(re_xss.test(body))) //if its false
+ {
+ ps.raiseAlert(alertRisk[1], alertReliability[3], alertTitle[2], alertDesc[2], url, '', '', '', alertSolution[2], '', cweId[0], wascId[0], msg);
+ }
+
+ // test xcontent no sniff protection
+ re_nosniff = /(X\-Content\-Type\-Options\:.*nosniff.*)/g
+ if (!(re_nosniff.test(body))) //if its false
+ {
+ ps.raiseAlert(alertRisk[1], alertReliability[3], alertTitle[3], alertDesc[3], url, '', '', '', alertSolution[3], '', cweId[0], wascId[0], msg);
+ }
+
+ // test xcontent no sniff protection
+ re_clickjack = /(X\-Frame\-Options\:.+[Dd][Ee][Nn][Yy])/g
+ if (!(re_clickjack.test(body))) //if its false
+ {
+ ps.raiseAlert(alertRisk[1], alertReliability[3], alertTitle[4], alertDesc[4], url, '', '', '', alertSolution[4], '', cweId[0], wascId[0], msg);
+ }
+
+
+
+}

From 95d660bcc06fe4eaaccbc6081525d501b91eefa0 Mon Sep 17 00:00:00 2001
From: freakyclown
Date: Fri, 2 Jan 2015 14:33:38 +0000
Subject: [PATCH 3/4] Create Find Emails.js

---
 passive/Find Emails.js | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 passive/Find Emails.js
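Review bot: The CSP test on the `getHeaders(("Content-Security-Policy" && "X-Content-Security-Policy" && "X-WebKit-CSP"))` line only ever looks up `X-WebKit-CSP`, because `&&` between non-empty strings evaluates to its last operand, so a response that carries a real `Content-Security-Policy` header is still reported as missing it. Look the three names up separately: `var hdr = msg.getResponseHeader();` / `if (hdr.getHeaders("Content-Security-Policy") == null && hdr.getHeaders("X-Content-Security-Policy") == null && hdr.getHeaders("X-WebKit-CSP") == null)`. `re_clickjack` accepts only DENY, so a correct `X-Frame-Options: SAMEORIGIN` is also flagged, and all three header regexes are case-sensitive although header names are not; `/X-Frame-Options:\s*(DENY|SAMEORIGIN)/i` and an `i` flag on the other two would fix both. The comment beside `alertRisk` does not match the zero-based array it annotates, which matters because every alert here is raised at `alertRisk[1]` — presumably low, not informational, in ZAP's numbering.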
diff --git a/passive/Find Emails.js b/passive/Find Emails.js
new file mode 100644
index 00000000..79fbef30
--- /dev/null
+++ b/passive/Find Emails.js
@@ -0,0 +1,34 @@
+// Email finder by freakyclown@gmail.com
+
+
+
+function scan(ps, msg, src) {
+ alertRisk = 0
+ alertReliability = 3
+ alertTitle = 'Email addresses (script)'
+ alertDesc = 'Email addresses were found'
+ alertSolution = 'Remove emails that are not public'
+
+ cweId = 0
+ wascId = 0
+ // regex must appear within /( and )/g
+ re = /([a-zA-Z0-9.#?$*_-]+@[a-zA-Z0-9.#?$*_-]+.[a-zA-Z0-9.-]+)/g
+
+ url = msg.getRequestHeader().getURI().toString();
+
+ // tell the user in the console we are doing stuff
+ //println('Finding email addresses under ' + url);
+
+ if (msg) {
+ body = msg.getResponseBody().toString()
+ if (re.test(body)) {
+ re.lastIndex = 0 // After testing reset index
+ // Look for email addresses
+ var foundEmail = []
+ while (comm = re.exec(body)) {
+ foundEmail.push(comm[0]);
+ }
+ ps.raiseAlert(alertRisk, alertReliability, alertTitle, alertDesc, url, '', '', foundEmail.toString(), alertSolution, '', cweId, wascId, msg);
+ }
+ }
+}

From 0fe6c3a5f4b440e339fc71f6169423dbadff7bf4 Mon Sep 17 00:00:00 2001
From: freakyclown
Date: Fri, 2 Jan 2015 14:34:28 +0000
Subject: [PATCH 4/4] Create Find Credit Cards

---
 passive/Find Credit Cards | 82 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 82 insertions(+)
 create mode 100644 passive/Find Credit Cards

diff --git a/passive/Find Credit Cards b/passive/Find Credit Cards
new file mode 100644
index 00000000..cb124cfa
--- /dev/null
+++ b/passive/Find Credit Cards
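Review bot: The unescaped `.` between the domain and TLD groups in `re` matches any character, and the class `[a-zA-Z0-9.#?$*_-]` on both sides of the `@` admits `#?$*`, so the pattern fires on strings such as `a#b@c$d` and on fragments of URLs or minified JavaScript that merely contain an `@`. `re = /\b([a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,})\b/g` keeps the intent (a local part, a dot-separated domain, a TLD) with far fewer false positives. Raising with `alertReliability = 3` (presumably ZAP's "high") is generous for an unverified regex hit; medium would better reflect the confidence. As in the sibling scripts, `url`, `body`, `re` and `comm` are implicit globals and should be declared with `var`.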
@@ -0,0 +1,82 @@
+// CreditCard Finder by freakyclown@gmail.com
+
+function scan(ps, msg, src) {
+ url = msg.getRequestHeader().getURI().toString();
+ body = msg.getResponseBody().toString()
+ alertRisk = [0, 1, 2, 3] //1=informational, 2=low, 3=medium, 4=high
+ alertReliability = [0, 1, 2, 3, 4] //0=fp,1=low,2=medium,3=high,4=confirmed
+ alertTitle = ["Credit Card Number Disclosed (script)",
+ ""
+ ]
+ alertDesc = ["A Credit Card number was discovered.",
+ ""
+ ]
+ alertSolution = ["why are you showing Credit and debit card numbers?",
+ ""
+ ]
+ cweId = [0, 1]
+ wascId = [0, 1]
+
+
+
+ // regex must appear within /( and )/g
+
+
+ re_visa = /([3-5][0-9]{3}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4})/g //visa or mastercard
+ re_amex = /(3[47][0-9]{2}[ -]?[0-9]{6}[ -]?[0-9]{5})/g //amex
+ re_disc = /(6011[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4})/g //discovery
+ re_diner = /(3(?:0[0-5]|[68][0-9])[0-9]{11})/g //dinersclub
+ re_jcb = /((?:2131|1800|35d{3})d{11})/g //jcb
+
+
+
+ if (msg) {
+ if (re_visa.test(body)) {
+ re_visa.lastIndex = 0
+ var foundVisa = []
+ while (comm = re_visa.exec(body)) {
+ foundVisa.push(comm[0]);
+ }
+ ps.raiseAlert(alertRisk[3], alertReliability[2], alertTitle[0], alertDesc[0], url, '', '', foundVisa.toString(), alertSolution[0], '', cweId[0], wascId[0], msg);
+ }
+
+ if (re_amex.test(body)) {
+ re_amex.lastIndex = 0
+ var foundAmex = []
+ while (comm = re_amex.exec(body)) {
+ foundAmex.push(comm[0]);
+ }
+ ps.raiseAlert(alertRisk[3], alertReliability[2], alertTitle[0], alertDesc[0], url, '', '', foundAmex.toString(), alertSolution[0], '', cweId[0], wascId[0], msg);
+ }
+ if (re_disc.test(body)) {
+ re_disc.lastIndex = 0
+ var foundDisc = []
+ while (comm = re_disc.exec(body)) {
+ foundDisc.push(comm[0]);
+ }
+ ps.raiseAlert(alertRisk[3], alertReliability[2], alertTitle[0], alertDesc[0], url, '', '', foundDisc.toString(), alertSolution[0], '', cweId[0], wascId[0], msg);
+ }
+
+ if (re_diner.test(body)) {
+ re_diner.lastIndex = 0
+ var foundDiner = []
+ while (comm = re_diner.exec(body)) {
+ foundDiner.push(comm[0]);
+ }
+ ps.raiseAlert(alertRisk[3], alertReliability[2], alertTitle[0], alertDesc[0], url, '', '', foundDiner.toString(), alertSolution[0], '', cweId[0], wascId[0], msg);
+ }
+
+ if (re_jcb.test(body)) {
+ re_jcb.lastIndex = 0
+ var foundJCB = []
+ while (comm = re_jcb.exec(body)) {
+ foundJCB.push(comm[0]);
+ }
+ ps.raiseAlert(alertRisk[3], alertReliability[2], alertTitle[0], alertDesc[0], url, '', '', foundJCB.toString(), alertSolution[0], '', cweId[0], wascId[0], msg);
+ }
+
+ }
+
+
+
+}
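Review bot: The JCB pattern on the `re_jcb` line can never match a card number: the backslashes are missing, so `35d{3}` and `d{11}` look for the literal letter `d` rather than digits, and it should read `re_jcb = /((?:2131|1800|35\d{3})\d{11})/g`. The other four patterns accept any digit run of the right shape with no Luhn check, so build numbers, timestamps and order IDs are reported as card numbers at `alertRisk[3]`; a mod-10 check before each `push` removes most of that noise. Each alert also copies the full matched PAN into the evidence string (`foundVisa.toString()` and friends), so the scan session and any exported report become their own cardholder-data exposure; keeping only the last four digits is safer. `re_diner` is also the only pattern that does not allow the `[ -]?` separators the others accept, presumably an oversight. A sketch of the helper and the changed push follows; the same push change applies to the amex, disc, diner and jcb loops.

```javascript
// Luhn mod-10 check: rejects most digit runs that merely look like a PAN
function luhnOk(candidate) {
  var digits = candidate.replace(/[ -]/g, '');
  var sum = 0;
  var dbl = false;
  for (var i = digits.length - 1; i >= 0; i--) {
    var d = parseInt(digits.charAt(i), 10);
    if (dbl) { d = d * 2; if (d > 9) d = d - 9; }
    sum = sum + d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

// … unchanged: alert text, url/body setup, re_visa … re_diner …
 re_jcb = /((?:2131|1800|35\d{3})\d{11})/g //jcb

// … unchanged: if (msg) { if (re_visa.test(body)) { … while (comm = re_visa.exec(body)) { …
 if (luhnOk(comm[0])) {
 // keep only the last four digits so the alert itself does not store the PAN
 foundVisa.push('****' + comm[0].replace(/[ -]/g, '').slice(-4));
 }
// … unchanged: raiseAlert call and the amex, disc, diner and jcb blocks …
```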