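@Override
public List<IScanIssue> doScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) {
    /*
     * Scanner check: reports a response whose Set-Cookie value has the form
     * "<data>--<signature>" and whose signature verifies via isSignatureValid (i.e. the
     * application signs its session cookie with a known default secret). Each URL is
     * examined once; repeat calls for the same URL return null. Returns null when no
     * issue is found, as Burp's scanner API expects.
     */
    byte[] responseBytes = baseRequestResponse.getResponse();
    if (responseBytes == null) {
        return null; // no response to analyze (e.g. the request never completed)
    }
    IResponseInfo resp = helpers.analyzeResponse(responseBytes);
    if (resp == null) {
        return null;
    }

    // De-duplicate per URL so the same endpoint is not reported on every scan pass.
    URL url = helpers.analyzeRequest(baseRequestResponse).getUrl();
    String urlKey = url.toString();
    if (flags.contains(urlKey)) {
        return null;
    }
    flags.add(urlKey);

    List<IScanIssue> issues = new ArrayList<>();
    for (ICookie c : resp.getCookies()) {
        String value = c.getValue();
        if (value == null || !value.contains("--")) {
            continue;
        }
        // Only exactly "<data>--<signature>" is the format this check understands.
        String[] cookieVal = value.split("--");
        if (cookieVal.length != 2) {
            continue;
        }
        if (!isSignatureValid(cookieVal[0], cookieVal[1])) {
            continue;
        }

        // Issue details are rendered as HTML by Burp, so the target-supplied URL is escaped
        // rather than concatenated raw into the markup.
        String issueDetails = "Vulnerability detected at <b> " + escapeIssueHtml(urlKey) + "</b>\n"
                + "Default Ruby Session secret used - can lead to RCE during unmarshalling";

        // Highlight the first Set-Cookie header (not necessarily the flagged cookie's own
        // header). The search runs on the raw bytes so the marker offsets are byte offsets,
        // which is what applyMarkers expects, and the case-insensitive match does not depend
        // on the JVM's default locale. With no match, no marker is applied (null is allowed).
        byte[] headerPattern = helpers.stringToBytes("Set-Cookie:");
        int hdrStart = helpers.indexOf(responseBytes, headerPattern, false, 0, responseBytes.length);
        List<int[]> responseMarkers = null;
        if (hdrStart >= 0) {
            responseMarkers = new ArrayList<>(1);
            responseMarkers.add(new int[]{hdrStart, hdrStart + headerPattern.length});
        }

        issues.add(new CustomScanIssue(
                baseRequestResponse.getHttpService(),
                url,
                new IHttpRequestResponse[]{this.callbacks.applyMarkers(baseRequestResponse, null, responseMarkers)},
                issueDetails, ISSUE_TYPE, ISSUE_NAME, SEVERITY, CONFIDENCE, "", "", ""));
    }
    return issues.isEmpty() ? null : issues;
}

/**
 * Minimal HTML escaping for text embedded in a scan issue's detail string.
 *
 * @param s text to embed; only {@code &}, {@code <} and {@code >} are replaced
 * @return the escaped text
 */
private static String escapeIssueHtml(String s) {
    return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
}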
@Override
protected IHttpRequestResponse doInBackground() throws Exception {
    /*
     * Walks Burp's proxy history looking for a response that set a cookie whose name and
     * value both equal those of {@code param}. Progress (0..100) and a status line are
     * reported via publish(). Returns the first matching message, or null if none.
     */
    publish(0);
    final String wantedName = param.getName();
    final String wantedValue = param.getValue();
    publish("Looking for " + wantedName + "...");

    final IHttpRequestResponse[] history = callbacks.getProxyHistory();
    int position = 0;
    for (IHttpRequestResponse message : history) {
        // Progress is reported for every entry, before deciding whether it has a response.
        publish(100 * position / history.length);
        position++;

        byte[] response = message.getResponse();
        if (response == null || response.length == 0) {
            continue;
        }
        List<ICookie> cookies = callbacks.getHelpers().analyzeResponse(response).getCookies();
        for (ICookie cookie : cookies) {
            boolean nameMatches = cookie.getName().equals(wantedName);
            if (nameMatches && cookie.getValue().equals(wantedValue)) {
                return message;
            }
        }
    }
    publish(100);
    return null;
}