

Auto Login detection improvement
sagarpo committed Jul 25, 2018
1 parent b223d44 commit 03fe1d4
Showing 3 changed files with 62 additions and 39 deletions.
22 changes: 17 additions & 5 deletions astra.py
Expand Up @@ -38,11 +38,22 @@ def parse_collection(collection_name,collection_type):

def add_headers(headers):
# This function deals with adding custom header and auth value .
cookie = get_value('config.property','login','auth')
cookie_dict = ast.literal_eval(cookie)
cookie_header = {'Cookie': cookie_dict['cookie']}
headers.update(cookie_header)

auth_type = get_value('config.property','login','auth_type')
if auth_type == 'cookie':
cookie = get_value('config.property','login','cookie')
if cookie:
cookie_dict = ast.literal_eval(cookie)
cookie_header = {'Cookie': cookie_dict['cookie']}
headers.update(cookie_header)
else:
auth_success = get_value('config.property','login','auth_success')
if auth_success == 'Y':
auth_success_token = get_value('config.property','login','auth_success_token')
#auth_request_header = get_value('config.property','login','auth_request_token')
auth_success_param = get_value('config.property','login','auth_success_param')
auth_header = {auth_success_param : auth_success_token }
headers.update(auth_header)

try:
custom_header = get_value('config.property','login','headers')
custom_header = ast.literal_eval(custom_header)
Expand Down Expand Up @@ -101,6 +112,7 @@ def modules_scan(url,method,headers,body,scanid=None):
status = zap_start()
if status is True:
api_scan.start_scan(url,method,headers,body,scanid)

# Custom modules scan
if attack['cors'] == 'Y' or attack['cors'] == 'y':
cors_main(url,method,headers,body,scanid)
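Review bot: In the token branch of add_headers, `auth_header = {auth_success_param : auth_success_token }` uses `auth_success_param` as the HTTP header name, but core/login.py in this same commit stores there the key under which the token was found in the login JSON response, so the request would carry a header named after that JSON field rather than the header the API actually reads (commonly `Authorization`). The commented-out `auth_request_token` lookup directly above it looks like the intended source of the header name; either wire that value in or add a comment stating that the response field name is assumed to equal the request header name. The cookie branch also never consults `auth_success`, so a `cookie` value left in config.property by an earlier run is sent even when the current login failed; guard it with the same `if auth_success == 'Y':` check the else branch uses. The rest of add_headers (the custom `headers` handling) continues outside the hunk.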
56 changes: 41 additions & 15 deletions core/login.py
Expand Up @@ -9,7 +9,7 @@
import time
import utils.logs as logs

from utils.config import update_value
from utils.config import update_value,get_value


class APILogin:
Expand All @@ -22,31 +22,59 @@ def fetch_logintoken(self,url,method,headers,body=None,relogin=None):
if method.upper() == "GET":
login_request = requests.get(url,headers=headers)
elif method.upper() == "POST":
#print headers,body
login_request = requests.post(url,headers=headers,json=body)
#debugging
logs.logging.info("HTTP response of login API : %s %s %s",login_request.status_code,headers,body)
else:
print "[-]Invalid request"
sys.exit(1)


try:
cookie = {'cookie' : login_request.headers['Set-Cookie']}
print "Login successful"
update_value('login','auth',cookie)
update_value('login','auth_type','cookie')
return True
login_response = json.loads(login_request.text)
except:
if relogin is not None:
pass

if relogin is not None:
print "Session fixation attack won't be tested since it failed to re-login."
return
login_response = raw_input("Failed to fetch cookie. Do you want to continue scanning without cookie(y/n),"+self.api_logger.G+url+': '+self.api_logger.W)

auth_names = get_value('config.property','login','auth_names')
auth_type = get_value('config.property','login','auth_type')
auth_names = auth_names.split(',')
#auth_header = get_value('config.property','login','auth_header')

# Auth types:
# 1. Cookie
# 2. Basic
# 3. Oauth
auth_status = False
if auth_type == 'cookie':
if login_request.headers['Set-Cookie']:
auth_cookie = {'cookie' : login_request.headers['Set-Cookie']}
print "[+]Login successful"
update_value('login','auth_success','Y')
update_value('login','cookie',auth_cookie)
auth_status = True

# Basic and oauth auth type code will come here(yet to develop).
else:
for auth_name in auth_names:
if auth_name in login_response:
auth_success_token = login_response[auth_name]
print "[+]Login successful"
update_value('login','auth_success','Y')
update_value('login','auth_success_param',auth_name)
update_value('login','auth_success_token',auth_success_token)
auth_status = True
break

if not auth_status:
login_response = raw_input("Failed to login. Do you want to continue scanning without cookie(y/n),"+self.api_logger.G+url+': '+self.api_logger.W)
if login_response == 'Y' or login_response == 'y':
return
elif login_response == 'n' or login_response == 'N':
sys.exit(1)


def create_urllist(self,collection_data):
url_list = []
for data in collection_data:
Expand Down Expand Up @@ -82,7 +110,7 @@ def auth_verify(self,collection_data,api):
api_types = logout_names

url_list = self.create_urllist(collection_data)

for url in url_list:
for name in api_types:
if name in url:
Expand All @@ -108,7 +136,6 @@ def verify_login(self,collection_data):
else:
sys.exit(1)


for data in collection_data:
if data['url'] == api_url:
url,method,headers,body = data['url'],data['method'],data['headers'],data['body']
Expand All @@ -129,11 +156,10 @@ def verify_login(self,collection_data):
update_value("login",key,value)
return


def parse_logindata(self,loginurl):
for data in self.parse_data.api_lst:
if loginurl == data['url']:
headers,method,body = data['headers'],data['method'],''
if data['body'] != '':
body = json.loads(base64.b64decode(data['body']))
return loginurl,headers,method,body
return loginurl,headers,method,body
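Review bot: `if login_request.headers['Set-Cookie']:` in fetch_logintoken raises KeyError when the login response sets no cookie, so a failed cookie login crashes instead of reaching the "Failed to login" prompt; use `auth_cookie_value = login_request.headers.get('Set-Cookie')` and test that instead. On the same path `login_response` is unbound when `json.loads(login_request.text)` fails, because the bare `except:` only passes, so the token branch hits a NameError at `if auth_name in login_response`; initialise `login_response = {}` before the `try` and narrow the handler to `except ValueError:`. Success is recorded from the mere presence of a `Set-Cookie` header or of a matching key in the response body without consulting `login_request.status_code`, so a 401 that still sets a cookie, or an error body that happens to contain a key listed in `auth_names`, is stored as `auth_success = 'Y'` and used for the whole scan. The `if relogin is not None: pass` drops the early return the old code had, so a failed re-login from session_fixation now falls through to the interactive `raw_input` prompt in the middle of a scan, which looks unintended. The function also no longer returns True on success as the removed code did, which matters if any caller checks the return value.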
23 changes: 4 additions & 19 deletions modules/auth.py
Expand Up @@ -36,26 +36,9 @@ def fetch_auth_config(name):
auth_config_value = get_value('scan.property','modules',name)
return auth_config_value.split(',')

def add_authheader(auth_headers):
# This function reads auth value from config file and add auth header in HTTP request.
auth_type = get_value('config.property','login','auth_type')
auth = get_value('config.property','login','auth')
if auth_type == "cookie":
auth_headers = ast.literal_eval(auth_headers)
if auth_headers['Cookie']:
del auth_headers['Cookie']
auth_headers.update({'Cookie' : auth})
logs.logging.info("Updated header for session fixation %s",auth_headers)
return auth_headers,auth
else:
logs.logging.info("Updated header for session fixation %s",auth_headers)

elif auth_type == "token":
# If API is using access token as an auth
return headers

def session_fixation(url,method,headers,body,scanid):
# This function deals with checking session fixation issue.
attack_result = {}
login_result = get_value('config.property','login','loginresult')
logout_result = get_value('config.property','logout','logoutresult')
if login_result == 'Y' and logout_result == 'Y':
Expand Down Expand Up @@ -98,6 +81,7 @@ def auth_check(url,method,headers,body,scanid=None):
# This function removes auth header and check if server is accepting request without it
temp_headers = {}
temp_headers.update(headers)
print "headers form auth", headers
try:
attack_result = {}
auth_headers = fetch_auth_config("auth_headers")
Expand Down Expand Up @@ -131,6 +115,7 @@ def auth_check(url,method,headers,body,scanid=None):
})

dbupdate.insert_record(attack_result)
print "%s[+]{0} is vulnerable to broken Authentication and session management %s ".format(url)% (api_logger.R, api_logger.W)
return

session_fixation(url,method,temp_headers,body,scanid)
Expand All @@ -152,7 +137,7 @@ def auth_check(url,method,headers,body,scanid=None):
"res_body" : brokenauth_request.text
})
dbupdate.insert_record(attack_result)

print "%s[+]{0} is vulnerable to broken Authentication and session management %s ".format(url)% (api_logger.R, api_logger.W)
# Test for session fixation
session_fixation(url,method,updated_headers,body,scanid)
return
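Review bot: `print "headers form auth", headers` in auth_check writes the full request header set, including the cookie or token that add_headers just injected, to stdout on every scanned endpoint; the typo and its placement suggest a leftover debug statement, so drop it or move it to `logs.logging.debug("headers from auth: %s", headers)` so it is off by default. The two added `print "%s[+]{0} is vulnerable ... %s ".format(url)% (api_logger.R, api_logger.W)` lines run `.format(url)` before the `%` substitution, so any URL containing a `%` (URL-encoded query strings are common) corrupts or breaks the `%` formatting; use a single mechanism, e.g. `print "%s[+]%s is vulnerable to broken Authentication and session management %s" % (api_logger.R, url, api_logger.W)`. Whether `api_logger` is in scope in this module cannot be seen from the hunk; confirm it is imported. auth_check starts and ends outside the shown hunks.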
