OWTF 0.40 'Summer Storm III': Added HTTP AUTH support in proxy. Fixed #9

owtf · Oct 23, 2013 · d03461a · d03461a
1 parent 5c3e719
commit d03461a
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 4 deletions.
diff --git a/framework/http/proxy/proxy.py b/framework/http/proxy/proxy.py
@@ -154,6 +154,30 @@ def process_request(self):
         if self.cached_response:
             self.write_cached_response(self.cached_response)
         else:
+            # HTTP AUTH settings
+            http_auth_username = None
+            http_auth_password = None
+            http_auth_mode = None
+            host = self.request.host
+            if self.application.http_auth: #If http auth exists
+                # If default ports are not provided, they are added
+                try:
+                    test = self.request.host.index(':')
+                except ValueError:
+                    default_ports = {'http':'80', 'https':'443'}
+                    try:
+                        host = self.request.host + ':' + default_ports[self.request.protocol]
+                    except KeyError:
+                        pass
+                # Check if auth is provided for that host
+                try:
+                    index = self.application.http_auth_hosts.index(host)
+                    http_auth_username = self.application.http_auth_usernames[index]
+                    http_auth_password = self.application.http_auth_passwords[index]
+                    http_auth_mode = self.application.http_auth_modes[index]
+                except ValueError:
+                    pass
+
             # pycurl is needed for curl client
             async_client = tornado.curl_httpclient.CurlAsyncHTTPClient()
             # httprequest object is created and then passed to async client with a callback
@@ -162,6 +186,9 @@ def process_request(self):
                     method=self.request.method,
                     body=self.request.body,
                     headers=self.request.headers,
+                    auth_username=http_auth_username,
+                    auth_password=http_auth_password,
+                    auth_mode=http_auth_mode,
                     follow_redirects=False,
                     use_gzip=True,
                     streaming_callback=self.handle_data_chunk,
@@ -541,7 +568,7 @@ def __init__(self, core, outbound_options=[], outbound_auth=""):
 
         # Blacklist (or) Whitelist Cookies
         # Building cookie regex to be used for cookie filtering for caching
-        if self.application.Core.Config.Get('WHITELIST_COOKIES') == 'none':
+        if self.application.Core.Config.Get('WHITELIST_COOKIES') == 'None':
             cookies_list = self.application.Core.Config.Get('BLACKLIST_COOKIES').split(',')
             self.application.cookie_blacklist = True
         else:
@@ -582,14 +609,25 @@ def __init__(self, core, outbound_options=[], outbound_auth=""):
 
         # Request throttling
         # Throttling settings picked up from profiles/general/default.cfg
-        if self.application.Core.Config.Get("PROXY_THROTTLING") == 'false':
+        if self.application.Core.Config.Get("PROXY_THROTTLING") == 'False':
             self.application.throttle_variables = None
         else:
             self.application.throttle_variables = {
                                                     "hosts": {},
                                                     "threshold": self.application.Core.Config.Get("PROXY_THROTTLING_THRESHOLD"),
                                                   }
 
+        # HTTP Auth options
+        if self.application.Core.Config.Get("HTTP_AUTH_HOST") != "None":
+            self.application.http_auth = True
+            # All the variables are lists
+            self.application.http_auth_hosts = self.application.Core.Config.Get("HTTP_AUTH_HOST").strip().split(',')
+            self.application.http_auth_usernames = self.application.Core.Config.Get("HTTP_AUTH_USERNAME").strip().split(',')
+            self.application.http_auth_passwords = self.application.Core.Config.Get("HTTP_AUTH_PASSWORD").strip().split(',')
+            self.application.http_auth_modes = self.application.Core.Config.Get("HTTP_AUTH_MODE").strip().split(',')
+        else:
+            self.application.http_auth = False
+
     # "0" equals the number of cores present in a machine
     def run(self):
         try:

diff --git a/profiles/general/default.cfg b/profiles/general/default.cfg
@@ -308,11 +308,20 @@ CA_KEY: ~/.owtf/proxy/ca.key
 CERTS_FOLDER: ~/.owtf/proxy/certs
 BLACKLIST_COOKIES: _ga,__utma,__utmb,__utmc,__utmz,__utmv
 # If you have multiple values make sure you enter them seperated by commas & none stands for 'None'
-WHITELIST_COOKIES: none
-PROXY_THROTTLING: false
+WHITELIST_COOKIES: None
+PROXY_THROTTLING: False
 PROXY_THROTTLING_THRESHOLD: 0.1
 PROXY_LOG: /tmp/owtf-proxy.log
 
+# ************************* HTTP AUTH Options *****************************#
+# If multiple sites are to be provided, seperate them using comma ','
+# To enable http auth for a url like http://testsite.net:8080/something, add 'testsite.net:8080'
+HTTP_AUTH_HOST: None
+HTTP_AUTH_USERNAME: None
+HTTP_AUTH_PASSWORD: None
+# basic (or) digest
+HTTP_AUTH_MODE: basic
+
 # ************************* Resource Monitor ***************************** #
 RESOURCE_MONITOR_PROFILER: 0
 PROCESS_PER_CORE: 1