Merge pull request #72 from anthonykasza/master

owasp beginning, file extraction bug fix
SuperCowPowers · Jun 15, 2014 · eb5dcca · eb5dcca
2 parents 80deb2c + 03123a1
commit eb5dcca
Show file tree

Hide file tree

Showing 5 changed files with 351 additions and 1 deletion.
diff --git a/server/workers/bro/file_extensions/extract_files.bro b/server/workers/bro/file_extensions/extract_files.bro
@@ -17,10 +17,11 @@ global ext_map: table[string] of string = {
 
 event file_new(f: fa_file)
     {
+    if (!f?$mime_type) return;
     local ext = ext_map[f$mime_type];
     if (ext != "txt" && ext != "html" && ext != "ms_font" && ext != "jpg" && ext != "gif" && ext != "png")
         {
         local fname = fmt("%s-%s.%s", f$source, f$id, ext);
         Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
         }
-    }
+    }
diff --git a/server/workers/bro/owasp/__load__.bro b/server/workers/bro/owasp/__load__.bro
@@ -0,0 +1,4 @@
+@load ./http_ext
+@load ./url_decoder
+@load ./detect-response-splitting.bro
+
diff --git a/server/workers/bro/owasp/detect-response-splitting.bro b/server/workers/bro/owasp/detect-response-splitting.bro
@@ -0,0 +1,38 @@
+@load base/frameworks/notice
+
+module HTTP;
+
+export {
+	redef enum Notice::Type += {
+		Response_Splitting_Body,
+		Response_Splitting_Parameter,
+	};
+
+	global http_response_line: pattern = /.*?[[:digit:]]{3}[[:space:]]([[:alpha:]]+[[:space:]])+HTTP\/[0-9]/;
+	global url_decode_tries: count = 3;
+}
+
+event connection_state_remove(c: connection)
+{
+	if (!c?$http) return;
+	if (c$http$body_length > 6)
+	{
+		if (HTTP::http_response_line in HTTP::url_decode(c$http$body_data, HTTP::url_decode_tries))
+		{
+			NOTICE([$note=Response_Splitting_Body, $msg="Possible HTTP response splitting"]);			
+		}
+	}
+}
+
+event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
+{
+	if (! is_orig) return;
+
+	for (p in c$http$params_data)
+	{
+		if (HTTP::http_response_line in HTTP::url_decode(p, HTTP::url_decode_tries))
+		{
+			NOTICE([$note=Response_Splitting_Parameter, $msg="Possible HTTP response splitting"]);
+		}
+	}
+}
diff --git a/server/workers/bro/owasp/http_ext.bro b/server/workers/bro/owasp/http_ext.bro
@@ -0,0 +1,53 @@
+module HTTP;
+
+export {
+	redef record Info += {
+		body_length: count &log &default=0;
+		body_data: string &log &default="";
+		params_data: set[string] &log &optional;
+	};
+	global body_length_max: count = 1024;
+}
+
+function extract_params_data(uri: string): set[string]
+{
+	local p: set[string] = set();
+	if (strstr(uri, "?")==0) return p;
+
+	local query: string = split1(uri, /\?/)[2];
+	local opv: table[count] of string = split(query, /&/);
+
+	for (each in opv)
+	{
+		add p[split1(opv[each], /=/)[2]];
+	}
+
+	return p;
+}
+
+event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
+{
+	if (is_orig) 
+	{
+		if (c$http$body_length < HTTP::body_length_max)
+		{
+			c$http$body_data = string_cat(c$http$body_data, data);
+			c$http$body_length += length;
+		}
+	}
+ }
+
+event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)
+{
+        local ss: set[string] = extract_params_data(original_URI);
+
+        if (! c$http?$params_data)
+        {
+                local tmp: set[string] = set();
+                c$http$params_data = tmp;
+        }
+        for (each in ss)
+        {
+                add c$http$params_data[each];
+        }
+}
diff --git a/server/workers/bro/owasp/url_decoder.bro b/server/workers/bro/owasp/url_decoder.bro
@@ -0,0 +1,254 @@
+module HTTP;
+
+export {
+        global url_decode: function(s: string, iterations: count): string;
+	global url2char: table[string] of string = {
+		["%0A"]="\n",
+		["%0D"]="\r",
+		["%20"]=" ",
+		["%21"]="!",
+		["%22"]="\"",
+		["%23"]="#",
+		["%24"]="$",
+		["%25"]="%",
+		["%26"]="&",
+		["%27"]="'",
+		["%28"]="(",
+		["%29"]=")",
+		["%2A"]="*",
+		["%2B"]="+",
+		["%2C"]=",",
+		["%2D"]="-",
+		["%2E"]=".",
+		["%2F"]="/",
+		["%30"]="0",
+		["%31"]="1",
+		["%32"]="2",
+		["%33"]="3",
+		["%34"]="4",
+		["%35"]="5",
+		["%36"]="6",
+		["%37"]="7",
+		["%38"]="8",
+		["%39"]="9",
+		["%3A"]=":",
+		["%3B"]=";",
+		["%3C"]="<",
+		["%3D"]="=",
+		["%3E"]=">",
+		["%3F"]="?",
+		["%40"]="@",
+		["%41"]="A",
+		["%42"]="B",
+		["%43"]="C",
+		["%44"]="D",
+		["%45"]="E",
+		["%46"]="F",
+		["%47"]="G",
+		["%48"]="H",
+		["%49"]="I",
+		["%4A"]="J",
+		["%4B"]="K",
+		["%4C"]="L",
+		["%4D"]="M",
+		["%4E"]="N",	
+		["%4F"]="O",
+		["%50"]="P",
+		["%51"]="Q",
+		["%52"]="R",
+		["%53"]="S",
+		["%54"]="T",
+		["%55"]="U",
+		["%56"]="V",
+		["%57"]="W",
+		["%58"]="X",
+		["%59"]="Y",
+		["%5A"]="Z",
+		["%5B"]="[",
+		["%5C"]="\\",
+		["%5D"]="]",
+		["%5E"]="^",
+		["%5F"]="_",
+		["%60"]="`",
+		["%61"]="a",
+		["%62"]="b",
+		["%63"]="c",
+		["%64"]="d",
+		["%65"]="e",
+		["%66"]="f",
+		["%67"]="g",
+		["%68"]="h",
+		["%69"]="i",
+		["%6A"]="j",
+		["%6B"]="k",
+		["%6C"]="l",
+		["%6D"]="m",
+		["%6E"]="n",
+		["%6F"]="o",
+		["%70"]="p",
+		["%71"]="q",
+		["%72"]="r",
+		["%73"]="s",
+		["%74"]="t",
+		["%75"]="u",
+		["%76"]="v",
+		["%77"]="w",
+		["%78"]="x",
+		["%79"]="y",
+		["%7A"]="z",
+		["%7B"]="{",
+		["%7C"]="|",
+		["%7D"]="}",
+		["%7E"]="~",
+#		["%7F"]="]",
+		["%80"]="`",
+#		["%81"]="",
+		["%82"]="‚",
+		["%83"]="ƒ",
+		["%84"]="„",
+		["%85"]="…",
+		["%86"]="†",
+		["%87"]="‡",
+		["%88"]="ˆ",
+		["%89"]="‰",
+		["%8A"]="Š",
+		["%8B"]="‹",
+		["%8C"]="Œ",
+#		["%8D"]="",
+		["%8E"]="Ž",
+#		["%8F"]="",
+#		["%90"]="",
+		["%91"]="‘",
+		["%92"]="’",
+		["%93"]="“",
+		["%94"]="”",
+		["%95"]="•",
+		["%96"]="–",
+		["%97"]="—",
+		["%98"]="˜",
+		["%99"]="™",
+		["%9A"]="š",
+		["%9B"]="›",
+		["%9C"]="œ",
+#		["%9D"]="",
+		["%9E"]="ž",
+		["%9F"]="Ÿ",
+#		["%A0"]="]",
+		["%A1"]="¡",
+		["%A2"]="¢",
+		["%A3"]="£",
+		["%A4"]="¤",
+		["%A5"]="¥",
+		["%A6"]="¦",
+		["%A7"]="§",
+		["%A8"]="¨",
+		["%A9"]="©",
+		["%AA"]="ª",
+		["%AB"]="«",
+		["%AC"]="¬",
+#		["%AD"]="]",
+		["%AE"]="®",
+		["%AF"]="¯",
+		["%B0"]="°",
+		["%B1"]="±",
+		["%B2"]="²",
+		["%B3"]="³",
+		["%B4"]="´",
+		["%B5"]="µ",
+		["%B6"]="¶",
+		["%B7"]="·",
+		["%B8"]="¸",
+		["%B9"]="¹",
+		["%BA"]="º",
+		["%BB"]="»",
+		["%BC"]="¼",
+		["%BD"]="½",
+		["%BE"]="¾",
+		["%BF"]="¿",
+		["%C0"]="À",
+		["%C1"]="Á",
+		["%C2"]="Â",
+		["%C3"]="Ã",
+		["%C4"]="Ä",
+		["%C5"]="Å",
+		["%C6"]="Æ",
+		["%C7"]="Ç",
+		["%C8"]="È",
+		["%C9"]="É",
+		["%CA"]="Ê",
+		["%CB"]="Ë",
+		["%CC"]="Ì",
+		["%CD"]="Í",
+		["%CE"]="Î",
+		["%CF"]="Ï",
+		["%D0"]="Ð",
+		["%D1"]="Ñ",
+		["%D2"]="Ò",
+		["%D3"]="Ó",
+		["%D4"]="Ô",
+		["%D5"]="Õ",
+		["%D6"]="Ö",
+		["%D7"]="×",
+		["%D8"]="Ø",
+		["%D9"]="Ù",
+		["%DA"]="Ú",
+		["%DB"]="Û",
+		["%DC"]="Ü",
+		["%DD"]="Ý",
+		["%DE"]="Þ",
+		["%DF"]="ß",
+		["%E0"]="à",
+		["%E1"]="á",
+		["%E2"]="â",
+		["%E3"]="ã",
+		["%E4"]="ä",
+		["%E5"]="å",
+		["%E6"]="æ",
+		["%E7"]="ç",
+		["%E8"]="è",
+		["%E9"]="é",
+		["%EA"]="ê",
+		["%EB"]="ë",
+		["%EC"]="ì",
+		["%ED"]="í",
+		["%EE"]="î",
+		["%EF"]="ï",
+		["%F0"]="ð",
+		["%F1"]="ñ",
+		["%F2"]="ò",
+		["%F3"]="ó",
+		["%F4"]="ô",
+		["%F5"]="õ",
+		["%F6"]="ö",
+		["%F7"]="÷",
+		["%F8"]="ø",
+		["%F9"]="ù",
+		["%FA"]="ú",
+		["%FB"]="û",
+		["%FC"]="ü",
+		["%FD"]="ý",
+		["%FE"]="þ",
+		["%FF"]="ÿ",
+	};
+}
+
+function url_decode(s: string, iterations: count &default=5): string
+{
+        if ( (|find_all(s, /%/)| == 0) || (iterations <= 0) )
+        {
+                return s;
+        }
+
+        local s2: string = s;
+
+        for (each in find_all(s, /\%../))
+        {
+                if (to_upper(each) in url2char)
+                {
+                        s2 = subst_string(s2, each, url2char[to_upper(each)]);
+                }
+        }
+
+	return url_decode(s2, iterations-1);
+}
+