Merge pull request #59 from flipkart-incubator/dev

Added module for CRLF injection.
flipkart-incubator · Aug 1, 2018 · be52b90 · be52b90
2 parents d2f0a29 + cf99055
commit be52b90
Show file tree

Hide file tree

Showing 5 changed files with 120 additions and 5 deletions.
diff --git a/Payloads/crlf.txt b/Payloads/crlf.txt
@@ -0,0 +1,16 @@
+%0aCRLF-Test: crlf=injection
+%0d%0aCRLF-Test: crlf=injection
+%0dCRLF-Test: crlf=injection
+%23%0aCRLF-Test: crlf=injection
+%23%0d%0aCRLF-Test: crlf=injection
+%23%0dCRLF-Test: crlf=injection
+%25%30%61CRLF-Test: crlf=injection
+%25%30aCRLF-Test: crlf=injection
+%250aCRLF-Test: crlf=injection
+%25250aCRLF-Test: crlf=injection
+%2e%2e%2f%0d%0aCRLF-Test: crlf=injection
+%2f%2e%2e%0d%0aCRLF-Test: crlf=injection
+%2F..%0d%0aCRLF-Test: crlf=injection
+%3f%0d%0aCRLF-Test: crlf=injection
+%3f%0dCRLF-Test: crlf=injection
+%u000aCRLF-Test: crlf=injection
diff --git a/astra.py b/astra.py
@@ -25,6 +25,7 @@
 from modules.xss import xss_check
 from modules.redirect import open_redirect_check
 from modules.xxe import xxe_scan
+from modules.crlf import crlf_check
 from core.zap_config import zap_start
 from multiprocessing import Process
 from utils.db import Database_update
@@ -33,7 +34,6 @@
 if os.getcwd().split('/')[-1] != 'API':
     from API.api import main
 
-xxe = xxe_scan()
 dbupdate = Database_update()
 
 def parse_collection(collection_name,collection_type):
@@ -148,9 +148,12 @@ def modules_scan(url,method,headers,body,scanid=None):
         open_redirect_check(url,method,headers,body,scanid)
         update_scan_status(scanid, "open-redirection")
     if attack['xxe'] == 'Y' or attack['xxe'] == 'y':
+        xxe = xxe_scan()
         xxe.xxe_test(url,method,headers,body,scanid)
-        update_scan_status(scanid, "xxe") 
-
+        update_scan_status(scanid, "xxe")
+    if attack['crlf'] == 'Y' or attack['crlf'] == 'y':
+        crlf_check(url,method,headers,body,scanid)
+        update_scan_status(scanid, "crlf") 
 
 def validate_data(url,method):
     ''' Validate HTTP request data and return boolean value'''
@@ -322,4 +325,4 @@ def main():
     parse_data = PostmanParser()
     api_logger = logger()
     api_logger.banner()
-    main()
+    main()
diff --git a/modules/crlf.py b/modules/crlf.py
@@ -0,0 +1,89 @@
+import requests
+import os
+from urlparse import urlparse
+import urlparse
+from utils.db import Database_update
+import sendrequest as req
+
+dbupdate = Database_update()
+
+
+def fetch_crlf_payload():   
+    # This function fetch the payloads from text file.               
+    payload_list = []
+    if os.getcwd().split('/')[-1] == 'API':
+        path = '../Payloads/crlf.txt'
+    else:
+        path = 'Payloads/crlf.txt'
+
+    with open(path) as f:
+        for line in f:
+            if line:
+                payload_list.append(line.rstrip())
+
+    return payload_list
+
+
+
+def crlf_post_method(uri,method,headers,body,scanid=None):            
+    # This function checks CRLF through POST method.
+    temp_body = {}
+    for key,value in body.items():
+        crlf_payloads = fetch_crlf_payload()
+        for payload in crlf_payloads:
+            temp_body.update(body)
+            temp_body[key] = payload
+            crlf_post_request = req.api_request(uri, "POST", headers, temp_body)
+            for name in crlf_post_request.headers:
+                if "CRLF-Test" in name:
+                    attack_result = { "id" : 13, "scanid" : scanid, "url" : uri, "alert": "CRLF injection", "impact": "High", "req_headers": headers, "req_body": temp_body, "res_headers": crlf_post_request.headers ,"res_body": crlf_post_request.text}
+                    dbupdate.insert_record(attack_result)
+                    print "[+]{0} is vulnerable to CRLF injection".format(uri)
+                    return
+
+
+
+def crlf_get_uri_method(uri,method,headers,scanid=None):
+    # This function checks CRLF through GET URI method.
+    par_key = {}
+    url_query = urlparse.urlparse(uri)
+    parsed_query = urlparse.parse_qs(url_query.query)
+    for key,value in parsed_query.items():
+        crlf_payloads = fetch_crlf_payload()
+        for payload in crlf_payloads:
+            par_key.update(parsed_query)
+            par_key[key] = payload
+            parsed_uri = urlparse.urlparse(uri).scheme+"://"+urlparse.urlparse(uri).netloc+urlparse.urlparse(uri).path+"?"+urlparse.urlparse(uri).query.replace(value[0], payload)
+            crlf_get_method = req.api_request(parsed_uri, "GET", headers)
+            for name in crlf_get_method.headers:
+                if "CRLF-Test" in name:
+                    attack_result = { "id" : 13, "scanid" : scanid, "url" : parsed_uri, "alert": "CRLF injection", "impact": "High", "req_headers": headers, "req_body":"NA", "res_headers": crlf_get_method.headers ,"res_body": crlf_get_method.text}
+                    dbupdate.insert_record(attack_result)
+                    print "[+]{0} is vulnerable to CRLF injection".format(parsed_uri)
+                    return
+
+
+
+def crlf_get_url_method(uri,headers,scanid=None):
+    # This function checks CRLF through GET URL method.
+    crlf_payloads = fetch_crlf_payload()
+    for payload in crlf_payloads:
+        parsed_uri = urlparse.urlparse(uri).scheme+"://"+urlparse.urlparse(uri).netloc+urlparse.urlparse(uri).path+"/"+payload
+        crlf_get_method = req.api_request(parsed_uri, "GET", headers)
+        for name in crlf_get_method.headers:
+            if "CRLF-Test" in name:
+                attack_result = { "id" : 13, "scanid" : scanid, "url" : parsed_uri, "alert": "CRLF injection", "impact": "High", "req_headers": headers, "req_body":"NA", "res_headers": crlf_get_method.headers ,"res_body": crlf_get_method.text}
+                dbupdate.insert_record(attack_result)
+                print "[+]{0} is vulnerable to CRLF injection".format(parsed_uri)
+                return
+
+
+def crlf_check(uri,method,headers,body,scanid):
+     # Main function for CRLF attack
+    if method == 'GET' or method == 'DEL':
+        crlf_get_uri_method(uri,method,headers,scanid)
+        crlf_get_url_method(uri,headers,scanid)
+
+    if method == 'POST' or method == 'PUT':
+        crlf_post_method(uri,method,headers,body,scanid)
+
diff --git a/utils/scan.property b/utils/scan.property
@@ -9,7 +9,8 @@ attack = {
           "sqli" : 'y',
           "xss" : 'y',
           "open-redirection" : "y",
-          "xxe" : "y"
+          "xxe" : "y",
+	  "crlf" : "y"
          }
 
 

diff --git a/utils/vulnerabilities.py b/utils/vulnerabilities.py
@@ -76,6 +76,12 @@
       'remediation': 'Sanitize input by creating a list of trusted URL\'s (lists of hosts or a regex).'
       },
       {
+      'id': 13,
+      'name': 'CRLF',
+      'Description':  'The term CRLF refers to Carriage Return (ASCII 13) Line Feed (ASCII 10). They are used to note the termination of a line, however, dealt with differently in today’s popular Operating Systems. For example: in Windows both a CR and LF are required to note the end of a line, whereas in Linux/UNIX a LF is only required. In the HTTP protocol, the CR-LF sequence is always used to terminate a line.',
+      'remediation': 'Sanitise the CRLF characters before passing into the header or to encode the data which will prevent the CRLF sequences entering the header.'
+      },
+      {
       'id': 14,
       'name': 'XML External Entity Attack',
       'Description':  'An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.',