Add module http_post

Check if credentials are transported over an encrypted channel

Author: OussamaBeng

make_exe.py

@@ -110,6 +110,7 @@ def build_file_list(results, dest, root, src=""):
                 "wapitiCore.attack.mod_methods",
                 "wapitiCore.attack.mod_nikto",
                 "wapitiCore.attack.mod_permanentxss",
+                "wapitiCore.attack.mod_http_post",
                 "wapitiCore.attack.mod_redirect",
                 "wapitiCore.attack.mod_shellshock",
                 "wapitiCore.attack.mod_sql",

wapitiCore/attack/attack.py

@@ -58,7 +58,8 @@
     "mod_redirect",
     "mod_xxe",
     "mod_wapp",
-    "mod_wp_enum"
+    "mod_wp_enum",
+    "mod_http_post"
 ]
 
 # Modules that will be used if option -m isn't used

wapitiCore/attack/mod_http_post.py

@@ -0,0 +1,50 @@
+from httpx import RequestError
+
+from wapitiCore.attack.attack import Attack
+from wapitiCore.net.web import Request
+from wapitiCore.language.vulnerability import MEDIUM_LEVEL, _
+from wapitiCore.definitions.post_http import NAME
+
+
+MSG_NO_CSP = _("CSP is not set")
+MSG_CSP_MISSING = _("CSP attribute \"{0}\" is missing")
+MSG_CSP_UNSAFE = _("CSP \"{0}\" value is not safe")
+
+# This module check the basics recommendations of CSP
+class mod_http_post(Attack):
+    """Evaluate the security level of Content Security Policies of the web server."""
+    name = "http_post"
+
+    async def must_attack(self, request: Request):
+        # We leverage the fact that the crawler will fill password entries with a known placeholder
+        if "Letm3in_" not in request.encoded_data + request.encoded_params:
+            return False
+
+        # We may want to remove this but if not available fallback to target URL
+        if not request.referer:
+            return False
+
+        return True
+
+    async def attack(self, request: Request):
+        try:
+            page = await self.crawler.async_send(request, follow_redirects=True)
+        except RequestError:
+            self.network_errors += 1
+            return
+
+        login_form, username_field, password_field = page.find_login_form()
+        if not login_form:
+            return
+
+        self.finished = True
+
+        if "http://" in login_form.url:
+            self.log_red(_("Credentials transported over an Unencrypted Channel on : {0}"), login_form.url)
+
+            await self.add_vuln_medium(
+                request_id=request.path_id,
+                category=NAME,
+                request=request,
+                info=_("Credentials transported over an Unencrypted Channel on :  {0}").format(login_form.url)
+            )

wapitiCore/definitions/post_http.py

@@ -0,0 +1,47 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+# This file is part of the Wapiti project (https://wapiti.sourceforge.io)
+# Copyright (C) 2021 Nicolas Surribas
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+from wapitiCore.language.language import _
+
+TYPE = "vulnerability"
+NAME = _("POST HTTP")
+SHORT_NAME = NAME
+
+DESCRIPTION = _(
+    "The application configuration should ensure that SSL is used for all access controlled pages.\\n)."
+) + " " + _(
+    "If an application uses SSL to guarantee confidential communication with client browsers, "
+) + " " + _(
+    "the application configuration should make it impossible to view any access controlled page without SSL."
+)
+
+SOLUTION = _(
+    "Force the use of HTTPS for all authentication requests"
+)
+
+REFERENCES = [
+{
+        "title": "OWASP: Insecure Transport",
+        "url": "https://owasp.org/www-community/vulnerabilities/Insecure_Transport"
+    },
+    {
+        "title": "Acunetix: Insecure Authentication",
+        "url": "https://owasp.org/www-project-mobile-top-10/2016-risks/m4-insecure-authentication"
+    }
+]

wapitiCore/language_sources/en.po

@@ -175,6 +175,9 @@ msgstr ""
 "Permanent XSS vulnerability found in {0} by injecting the parameter {1} of "
 "{2}"
 
+msgid "Credentials transported over an Unencrypted Channel on : {0}"
+msgstr "Credentials transported over an Unencrypted Channel on : {0}"
+
 msgid "Warning: Content-Security-Policy is present!"
 msgstr "Warning: Content-Security-Policy is present!"
 

wapitiCore/language_sources/fr.po

@@ -177,6 +177,9 @@ msgstr ""
 "Vulnérabilité de XSS permanent trouvée dans {0} via une injection dans la "
 "paramètre {1} de {2}"
 
+msgid "Credentials transported over an Unencrypted Channel on : {0}"
+msgstr "Identifiants transportés sur un canal non chiffré sur : {0}"
+
 msgid "Warning: Content-Security-Policy is present!"
 msgstr "Avertissement: L'entête Content-Security-Policy est présent!"
 

wapitiCore/net/page.py

@@ -908,8 +908,10 @@ def find_login_form(self):
                     username_field_idx.append(i)
 
                 elif input_type == "text" and (
-                        any(field_name in input_name for field_name in ["mail", "user", "login", "name"]) or
-                        any(field_id in input_id for field_id in ["mail", "user", "login", "name"])
+                        any(field_name in input_name for field_name in \
+                            ["mail", "user", "login", "name", "id", "client", "nom"])
+                        or any(field_id in input_id for field_id in \
+                               ["mail", "user", "login", "name", "id", "client", "nom"])
                 ):
                     username_field_idx.append(i)