Permalink
Browse files

[enh] more intelligent session checking in http module

  • Loading branch information...
1 parent c3fdad5 commit 260974e68ef00b021e678ee43d3ac55b3bba129b @asciimoo committed Aug 29, 2010
Showing with 35 additions and 2 deletions.
  1. +35 −2 modules/mod_http.py
View
@@ -42,6 +42,35 @@
verif_trigg = re.compile(u'\W*(?:logout|sign out|kijelentkezés)\W*', re.I | re.U | re.M)
+# Thx to w3af (collectCookies plugin) for the list of session cookies
+SESSION_DB = (
+ ('st8id','Teros web application firewall'), # Web application firewalls
+ ('ASINFO','F5 TrafficShield'), # Web application firewalls
+ ('NCI__SessionId','Netcontinuum'), # Web application firewalls
+ ('$OC4J_','Oracle container for java'), # Oracle
+ ('JSESSIONID','Jakarta Tomcat / Apache'), # Java
+ ('JServSessionIdroot','Apache JServ'), # Java
+ ('ASPSESSIONID','ASP'), # ASP
+ ('ASP.NET_SessionId','ASP.NET'), # ASP
+ ('PHPSESSID','PHP'), # PHP
+ ('sap-usercontext=sap-language','SAP'), # SAP
+ ('WebLogicSession','BEA Logic'), # Others..
+ ('SaneID','Sane NetTracker'),
+ ('ssuid','Vignette'),
+ ('vgnvisitor','Vignette'),
+ ('SESSION_ID','IBM Net.Commerce'),
+ ('NSES40Session','Netscape Enterprise Server'),
+ ('iPlanetUserId','iPlanet'),
+ ('RMID','RealMedia OpenADStream'),
+ ('cftoken','Coldfusion'),
+ ('PORTAL-PSJSESSIONID','PeopleSoft'),
+ ('WEBTRENDS_ID','WebTrends'),
+ ('sesessionid','IBM WebSphere'),
+ ('CGISESSID','Perl CGI::Session'),
+ ('GX_SESSION_ID','GeneXus'),
+ ('WC_SESSION_ESTABLISHED','WSStore'),
+ )
+
def parse(protos):
if protos[0].firstChild.attributes['name'].value == 'data':
# print "[!] DATA?!"
@@ -88,9 +117,12 @@ def parse(protos):
continue
for k, v in cookie.iteritems():
- if v.key.find('SESSID') >= 0:
- ret.append(ModuleStorage(value={'session cookie': v.value}, complete=True, notes='"%s %s" @ %s' % (method, uri, host), relevance=3))
+ if len(ret):
break
+ for s,d in SESSION_DB:
+ if s == k:
+ ret.append(ModuleStorage(value={('%s session' % d): v.value}, complete=True, notes='"%s %s" @ %s' % (method, uri, host), relevance=3))
+ break
continue
if field.attributes['name'].value == 'http.host':
host = hexStringDecode(field.attributes['value'].value)[6:].replace('\r\n', '')
@@ -111,3 +143,4 @@ def parse(protos):
return ret
+

0 comments on commit 260974e

Please sign in to comment.