From 7b3608df4d45e3cc2d25595967d2cd4c0214a12e Mon Sep 17 00:00:00 2001
From: Maximilian Hildebrand
Date: Fri, 13 Aug 2021 19:03:33 +0200
Subject: [PATCH] 0.4.36: erased logical flaw

---
 pkg/config.go | 7 +-
 pkg/recon.go | 158 +++--------------------------
 web-cache-vulnerability-scanner.go | 2 +-
 3 files changed, 16 insertions(+), 151 deletions(-)

diff --git a/pkg/config.go b/pkg/config.go
index d04ee47..96ca404 100644
--- a/pkg/config.go
+++ b/pkg/config.go
@@ -78,10 +78,9 @@ type (
 //HitMissVerbose bool
 //HitMissTime bool
- NoCache bool
- Indicator string
- TimeIndicator bool
- ReflectionIndicator bool
+ NoCache bool
+ Indicator string
+ TimeIndicator bool
 }
 )
diff --git a/pkg/recon.go b/pkg/recon.go
index 8217dcd..8a1407f 100644
--- a/pkg/recon.go
+++ b/pkg/recon.go
@@ -222,7 +222,7 @@ func CheckCache(stat string) (CacheStruct, []error) {
 }
 }
- if cache.Indicator == "" && !cache.TimeIndicator && !cache.ReflectionIndicator {
+ if cache.Indicator == "" && !cache.TimeIndicator {
 msg := "No cache indicator could be found"
 Print(msg+"\n", Yellow)
 errSlice = append(errSlice, errors.New(strings.ToLower(msg)))
@@ -243,7 +243,7 @@ func CheckCache(stat string) (CacheStruct, []error) {
 }
 }
- if (!cache.CBwasFound || (cache.Indicator == "" && !cache.TimeIndicator && !cache.ReflectionIndicator)) && !Config.Force {
+ if (!cache.CBwasFound || (cache.Indicator == "" && !cache.TimeIndicator)) && !Config.Force {
 msg := "Use -f/-force to force the test\n"
 Print(msg, Yellow)
 }
@@ -340,11 +340,9 @@ func cachebusterCookie(cache *CacheStruct) []error {
 var times []int64
 if cache.Indicator == "" {
- // No Cache Indicator was found. So time and reflection will be used as Indicator
+ // No Cache Indicator was found. So time will be used as Indicator
 var newCookie http.Cookie
- // random number, so it doesnt fullfill reflected check if first request fails
- cb := randInt()
- boolContinue := false
+ var cb string
 for ii := 0; ii < 5*2; ii++ {
 weburl := Config.Website.Url.String()
 if Config.DoPost {
@@ -379,33 +377,6 @@ func cachebusterCookie(cache *CacheStruct) []error {
 }
 defer resp.Body.Close()
- if ii%2 == 1 && !boolContinue {
- //check if cachebuster is reflected in second response
- body, err := ioutil.ReadAll(resp.Body)
- if err != nil {
- msg := errorString + err.Error()
- Print(msg+"\n", Red)
- errSlice = append(errSlice, errors.New(msg))
- }
- if searchBodyHeadersForString(cb, string(body), resp.Header) {
- cache.ReflectionIndicator = true
- cache.TimeIndicator = false
- cache.CBwasFound = true
- cache.CBisCookie = true
- cache.CBisHTTPMethod = false
- cache.CBisHeader = false
- cache.CBisParameter = false
- cache.CBName = Config.Website.Cookies[i].Name
- addHitMissIndicatorMap("reflection")
- addCachebusterMap("c:" + Config.Website.Cookies[i].Name)
- msg := fmt.Sprintf("%s was successful (Cookie, reflection was used as indicator)\n", identifier)
- Print(msg, Blue)
- boolContinue = true
- }
- }
-
 if resp.StatusCode != Config.Website.StatusCode {
 msg := errorString + fmt.Sprintf("Unexpected Status Code %d\n", resp.StatusCode)
 Print(msg, Yellow)
@@ -413,10 +384,7 @@ func cachebusterCookie(cache *CacheStruct) []error {
 }
 msg := fmt.Sprintf("measured times: %d\n", times)
 Print(msg, NoColor)
- if boolContinue {
- cbFoundDifference(times, identifier)
- continue
- }
+ skip := false
 for ii := range times {
 // Cache miss has to take 30ms (misshitdif) longer than cache hit
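Review bot: The rewritten comment on the `if cache.Indicator == ""` branch says that time is now the only fallback indicator, but neither it nor the commit message ("erased logical flaw") records why the reflection indicator was dropped, so the next reader has nothing to stop them re-adding it. Presumably the flaw is that a cachebuster value echoed by the origin appears in the second response whether or not that response was served from cache (the old check searched for the same `cb` that the first request of the pair had sent), so a hit cannot be separated from a miss this way; if that is the reason, say so: `// No cache indicator was found, so response time is used instead. A reflected cachebuster value is not used as an indicator: the origin echoes it on a hit as well as on a miss.` The same comment is changed the same way in the cachebusterHeader (@@ -592), cachebusterParameter (@@ -846) and cachebusterHTTPMethod (@@ -1073) hunks. `var cb string` now starts empty where `cb := randInt()` seeded it, so it must be assigned inside the loop before its first use; that code is outside this hunk, as is the rest of cachebusterCookie.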
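Review bot: Nothing reads `resp.Body` any more before the deferred `resp.Body.Close()` at the top of the @@ -379 hunk, and Go's HTTP transport only returns a connection to the keep-alive pool once the body has been read to EOF, so each of the ten requests in the timing loop is likely to pay for a fresh TCP (and TLS) connection. Whatever `times` captures around the request (the timing code is outside the hunk), that setup cost and its jitter now feed the only remaining hit/miss signal, the 30 ms `misshitdif` comparison, so the decision gets noisier exactly where the reflection check was removed. Draining with `io.Copy(ioutil.Discard, resp.Body)` after the status-code check (or `io.CopyN` with a cap if large bodies are a concern) keeps the connection reusable without buffering the whole body as the old `ioutil.ReadAll` did; `io` needs importing if it is not already. Because the `defer` sits inside the loop, none of the bodies is closed until cachebusterCookie returns, which compounds this, though that part is pre-existing. The same body read is removed in @@ -557 below and in the header and parameter variants (@@ -633, @@ -818, @@ -880, @@ -1042), where the same drain applies.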
@@ -430,7 +398,6 @@ func cachebusterCookie(cache *CacheStruct) []error {
 if skip {
 continue
 }
- cache.ReflectionIndicator = false
 cache.TimeIndicator = true
 cache.CBwasFound = true
 cache.CBisCookie = true
@@ -557,17 +524,6 @@ func cachebusterCookie(cache *CacheStruct) []error {
 Print(msg, Blue)
 cbFoundDifference(times, identifier)
-
- body, err := ioutil.ReadAll(resp.Body)
- if err != nil {
- msg = errorString + err.Error()
- Print(msg+"\n", Red)
- errSlice = append(errSlice, errors.New(msg))
- }
- if searchBodyHeadersForString(cb, string(body), resp.Header) {
- addHitMissIndicatorMap("reflection")
- }
-
 continue
 }
 }
@@ -592,10 +548,8 @@ func cachebusterHeader(cache *CacheStruct) []error {
 var times []int64
 if cache.Indicator == "" {
- // No Cache Indicator was found. So time and reflection will be used as Indicator
- // random number, so it doesnt fullfill reflected check if first request fails
- cb := randInt()
- boolContinue := false
+ // No Cache Indicator was found. So time will be used as Indicator
+ var cb string
 for ii := 0; ii < 5*2; ii++ {
 weburl := Config.Website.Url.String()
 if Config.DoPost {
@@ -633,33 +587,6 @@ func cachebusterHeader(cache *CacheStruct) []error {
 }
 defer resp.Body.Close()
- if ii%2 == 1 && !boolContinue {
- //check if cachebuster is reflected in second response
- body, err := ioutil.ReadAll(resp.Body)
- if err != nil {
- msg := errorString + err.Error()
- Print(msg+"\n", Red)
- errSlice = append(errSlice, errors.New(msg))
- }
- if searchBodyHeadersForString(cb, string(body), resp.Header) {
- cache.ReflectionIndicator = true
- cache.TimeIndicator = false
- cache.CBwasFound = true
- cache.CBisHeader = true
- cache.CBisCookie = false
- cache.CBisHTTPMethod = false
- cache.CBisParameter = false
- cache.CBName = header
- addHitMissIndicatorMap("reflection")
- addCachebusterMap(header)
- msg := fmt.Sprintf("%s was successful (Header, reflection was used as indicator)\n", identifier)
- Print(msg, Blue)
- boolContinue = true
- }
- }
-
 if resp.StatusCode != Config.Website.StatusCode {
 msg := errorString + fmt.Sprintf("Unexpected Status Code %d\n", resp.StatusCode)
 Print(msg, Yellow)
@@ -667,10 +594,7 @@ func cachebusterHeader(cache *CacheStruct) []error {
 }
 msg := fmt.Sprintf("measured times: %d\n", times)
 Print(msg, NoColor)
- if boolContinue {
- cbFoundDifference(times, identifier)
- continue
- }
+ skip := false
 for ii := range times {
 // Cache miss has to take 30ms (misshitdif) longer than cache hit
@@ -685,7 +609,6 @@ func cachebusterHeader(cache *CacheStruct) []error {
 continue
 }
- cache.ReflectionIndicator = false
 cache.TimeIndicator = true
 cache.CBwasFound = true
 cache.CBisHeader = true
@@ -818,17 +741,6 @@ func cachebusterHeader(cache *CacheStruct) []error {
 Print(msg, Blue)
 cbFoundDifference(times, identifier)
-
- body, err := ioutil.ReadAll(resp.Body)
- if err != nil {
- msg = errorString + err.Error()
- Print(msg+"\n", Red)
- errSlice = append(errSlice, errors.New(msg))
- }
- if searchBodyHeadersForString(cb, string(body), resp.Header) {
- addHitMissIndicatorMap("reflection")
- }
-
 continue
 }
 }
@@ -846,14 +758,11 @@ func cachebusterParameter(cache *CacheStruct) error {
 var times []int64
 if cache.Indicator == "" {
- // No Cache Indicator was found. So time and reflection will be used as Indicator
+ // No Cache Indicator was found. So time will be used as Indicator
 var urlCb string
- // random number, so it doesnt fullfill reflected check if first request fails
- cb := randInt()
- boolReturn := false
 for i := 0; i < 5*2; i++ {
 if i%2 == 0 {
- urlCb, cb = addCachebusterParameter(Config.Website.Url.String(), "")
+ urlCb, _ = addCachebusterParameter(Config.Website.Url.String(), "")
 }
 if Config.DoPost {
 req, err = http.NewRequest("POST", urlCb, bytes.NewBufferString(Config.Body))
@@ -880,33 +789,6 @@ func cachebusterParameter(cache *CacheStruct) error {
 }
 defer resp.Body.Close()
- if i%2 == 1 && !boolReturn {
- //check if cachebuster is reflected in second response
- body, err := ioutil.ReadAll(resp.Body)
- if err != nil {
- msg := errorString + err.Error()
- Print(msg+"\n", Red)
- return errors.New(msg)
- }
- if searchBodyHeadersForString(cb, string(body), resp.Header) {
- cache.ReflectionIndicator = true
- cache.TimeIndicator = false
- cache.CBwasFound = true
- cache.CBisParameter = true
- cache.CBisHeader = false
- cache.CBisCookie = false
- cache.CBisHTTPMethod = false
- cache.CBName = Config.CacheBuster
- addHitMissIndicatorMap("reflection")
- addCachebusterMap(Config.CacheBuster)
- msg := fmt.Sprintf("%s was successful (Parameter, reflection was used as indicator)\n", identifier)
- Print(msg, Blue)
- boolReturn = true
- }
- }
-
 if resp.StatusCode != Config.Website.StatusCode {
 msg := errorString + fmt.Sprintf("Unexpected Status Code %d\n", resp.StatusCode)
 Print(msg, Yellow)
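Review bot: `urlCb, _ = addCachebusterParameter(Config.Website.Url.String(), "")` now discards the second return value, and the other call site in this function (@@ -982, `urlCb, _ :=`) does the same, so within cachebusterParameter nothing consumes the generated cachebuster value any more. If no caller outside this diff reads it either, the second result should be dropped from addCachebusterParameter rather than blanked at every call; if it must stay, a short comment such as `// second result is the cachebuster value itself; only the rewritten URL is needed here` tells the next reader the blank identifier is deliberate. The request loop and the rest of cachebusterParameter continue past the end of this hunk.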
@@ -915,11 +797,6 @@ func cachebusterParameter(cache *CacheStruct) error {
 msg := fmt.Sprintf("measured times: %d\n", times)
 Print(msg, NoColor)
- if boolReturn {
- cbFoundDifference(times, identifier)
- return nil
- }
-
 for i := range times {
 // Cache miss has to take 30ms (misshitdif) longer than cache hit
 if i%2 == 1 && times[i-1]-times[i] < misshitdif {
@@ -928,7 +805,6 @@ func cachebusterParameter(cache *CacheStruct) error {
 return nil
 }
 }
- cache.ReflectionIndicator = false
 cache.TimeIndicator = true
 cache.CBwasFound = true
 cache.CBisParameter = true
@@ -982,7 +858,7 @@ func cachebusterParameter(cache *CacheStruct) error {
 msg := fmt.Sprintf("%s was not successful (Parameter)\n", identifier)
 Print(msg, NoColor)
 } else {
- urlCb, cb := addCachebusterParameter(Config.Website.Url.String(), "")
+ urlCb, _ := addCachebusterParameter(Config.Website.Url.String(), "")
 if Config.DoPost {
 req, err = http.NewRequest("POST", urlCb, bytes.NewBufferString(Config.Body))
@@ -1042,16 +918,6 @@ func cachebusterParameter(cache *CacheStruct) error {
 Print(msg, Blue)
 cbFoundDifference(times, identifier)
-
- body, err := ioutil.ReadAll(resp.Body)
- if err != nil {
- msg = errorString + err.Error()
- Print(msg+"\n", Red)
- return errors.New(msg)
- }
- if searchBodyHeadersForString(cb, string(body), resp.Header) {
- addHitMissIndicatorMap("reflection")
- }
 }
 }
 }
@@ -1073,7 +939,7 @@ func cachebusterHTTPMethod(cache *CacheStruct) []error {
 var times []int64
 if cache.Indicator == "" {
- // No Cache Indicator was found. So time and reflection will be used as Indicator
+ // No Cache Indicator was found. So time will be used as Indicator
 skip := false
 for ii := 0; ii < 5*2; ii++ {
 weburl := Config.Website.Url.String()
diff --git a/web-cache-vulnerability-scanner.go b/web-cache-vulnerability-scanner.go
index 4a40f37..f73ff15 100644
--- a/web-cache-vulnerability-scanner.go
+++ b/web-cache-vulnerability-scanner.go
@@ -37,7 +37,7 @@ $Env:GOOS = "linux"; $Env:GOARCH = "amd64"; go build
 $Env:GOOS = ""; $Env:GOARCH = ""; go build
 */
-const version = "0.4.35"
+const version = "0.4.36"
 var (
 currentDate string