Feature: Disable stoping of addon after finding vulnerability (#20)

SasanLabs · Oct 19, 2023 · bc4ed01 · bc4ed01
1 parent c8f01d5
commit bc4ed01
Show file tree

Hide file tree

Showing 5 changed files with 56 additions and 7 deletions.
diff --git a/src/main/java/org/sasanlabs/fileupload/attacks/FileUploadAttackExecutor.java b/src/main/java/org/sasanlabs/fileupload/attacks/FileUploadAttackExecutor.java
@@ -1,5 +1,5 @@
 /**
- * Copyright 2021 SasanLabs
+ * Copyright 2023 SasanLabs
  *
  * <p>Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file
  * except in compliance with the License. You may obtain a copy of the License at
@@ -29,6 +29,7 @@
 import org.sasanlabs.fileupload.attacks.rce.php.SimplePHPFileUpload;
 import org.sasanlabs.fileupload.attacks.xss.HtmlFileUpload;
 import org.sasanlabs.fileupload.attacks.xss.SVGFileUpload;
+import org.sasanlabs.fileupload.configuration.FileUploadConfiguration;
 import org.sasanlabs.fileupload.exception.FileUploadException;
 
 /**
@@ -70,11 +71,15 @@ public FileUploadAttackExecutor(
     }
 
     public boolean executeAttack() throws FileUploadException {
+
+        Boolean shouldSendRequestsAfterFindingVulnerability =
+                FileUploadConfiguration.getInstance().getSendRequestsAfterFindingVulnerability();
+
         for (AttackVector attackVector : attackVectors) {
             if (this.fileUploadScanRule.isStop()) {
                 return false;
             } else {
-                if (attackVector.execute(this)) {
+                if (attackVector.execute(this) && !shouldSendRequestsAfterFindingVulnerability) {
                     return true;
                 }
             }

diff --git a/src/main/java/org/sasanlabs/fileupload/configuration/FileUploadConfiguration.java b/src/main/java/org/sasanlabs/fileupload/configuration/FileUploadConfiguration.java
@@ -1,5 +1,5 @@
 /**
- * Copyright 2021 SasanLabs
+ * Copyright 2023 SasanLabs
  *
  * <p>Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file
  * except in compliance with the License. You may obtain a copy of the License at
@@ -39,12 +39,16 @@ public class FileUploadConfiguration extends VersionedAbstractParam {
             PARAM_BASE_KEY + ".parseresponse.startidentifier";
     private static final String PARAM_PARSE_RESPONSE_CONFIGURATION_END_IDENTIFIER =
             PARAM_BASE_KEY + ".parseresponse.endidentifier";
+    private static final String PARAM_SEND_REQUESTS_AFTER_FINDING_VULNERABILITY_IDENTIFIER =
+            PARAM_BASE_KEY + ".sendrequests";
 
     private String staticLocationURIRegex;
     private String dynamicLocationURIRegex;
     private String parseResponseStartIdentifier;
     private String parseResponseEndIdentifier;
 
+    private Boolean sendRequestsAfterFindingVulnerability;
+
     private static volatile FileUploadConfiguration fileUploadConfiguration;
 
     private FileUploadConfiguration() {}
@@ -105,6 +109,18 @@ public void setParseResponseEndIdentifier(String parseResponseEndIdentifier) {
                         parseResponseEndIdentifier);
     }
 
+    public Boolean getSendRequestsAfterFindingVulnerability() {
+        return sendRequestsAfterFindingVulnerability;
+    }
+
+    public void setSendRequestsAfterFindingVulnerability(boolean shouldSendRequestsAfterFindingVulnerability) {
+        sendRequestsAfterFindingVulnerability = shouldSendRequestsAfterFindingVulnerability;
+        this.getConfig()
+                .setProperty(
+                        PARAM_SEND_REQUESTS_AFTER_FINDING_VULNERABILITY_IDENTIFIER,
+                        shouldSendRequestsAfterFindingVulnerability);
+    }
+
     @Override
     protected String getConfigVersionKey() {
         return CONFIG_VERSION_KEY;
@@ -125,6 +141,8 @@ protected void parseImpl() {
                 getConfig().getString(PARAM_PARSE_RESPONSE_CONFIGURATION_START_IDENTIFIER));
         this.setParseResponseEndIdentifier(
                 getConfig().getString(PARAM_PARSE_RESPONSE_CONFIGURATION_END_IDENTIFIER));
+        this.setSendRequestsAfterFindingVulnerability(
+                getConfig().getBoolean(PARAM_SEND_REQUESTS_AFTER_FINDING_VULNERABILITY_IDENTIFIER));
     }
 
     @Override

diff --git a/src/main/java/org/sasanlabs/fileupload/i18n/FileUploadI18n.java b/src/main/java/org/sasanlabs/fileupload/i18n/FileUploadI18n.java
@@ -1,5 +1,5 @@
 /**
- * Copyright 2021 SasanLabs
+ * Copyright 2023 SasanLabs
  *
  * <p>Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file
  * except in compliance with the License. You may obtain a copy of the License at

diff --git a/src/main/java/org/sasanlabs/fileupload/ui/FileUploadOptionsPanel.java b/src/main/java/org/sasanlabs/fileupload/ui/FileUploadOptionsPanel.java
@@ -1,5 +1,5 @@
 /**
- * Copyright 2021 SasanLabs
+ * Copyright 2023 SasanLabs
  *
  * <p>Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file
  * except in compliance with the License. You may obtain a copy of the License at
@@ -21,6 +21,7 @@
 import java.awt.event.ActionListener;
 import javax.swing.BoxLayout;
 import javax.swing.JButton;
+import javax.swing.JCheckBox;
 import javax.swing.JLabel;
 import javax.swing.JPanel;
 import javax.swing.JScrollPane;
@@ -52,6 +53,8 @@ public class FileUploadOptionsPanel extends AbstractParamPanel {
     private JTextField parseResponseStartIdentifier;
     private JTextField parseResponseEndIdentifier;
 
+    private JCheckBox sendRequestsAfterFindingVulnerability;
+
     public FileUploadOptionsPanel() {
         super();
         this.setName(FileUploadI18n.getMessage("fileupload.settings.title"));
@@ -72,9 +75,25 @@ public FileUploadOptionsPanel() {
 
     private void init(JPanel settingsPanel) {
         settingsPanel.add(uriLocatorConfiguration());
+        settingsPanel.add(buildSendRequestsAfterFindingVulnerabilityCheckbox());
         footerPanel.add(getResetButton());
     }
 
+    private JPanel buildSendRequestsAfterFindingVulnerabilityCheckbox() {
+        JPanel sendRequestsAfterFindingVulnerabilityPanel = new JPanel();
+        sendRequestsAfterFindingVulnerabilityPanel.setLayout(new FlowLayout(FlowLayout.LEFT));
+        JLabel sendRequestsAfterFindingVulnerabilityLabel =
+                new JLabel(
+                        FileUploadI18n.getMessage(
+                                "fileupload.settings.checkbox.sendrequestsaftervulnerability"));
+
+        sendRequestsAfterFindingVulnerability = new JCheckBox();
+        sendRequestsAfterFindingVulnerabilityPanel.add(sendRequestsAfterFindingVulnerabilityLabel);
+        sendRequestsAfterFindingVulnerabilityPanel.add(sendRequestsAfterFindingVulnerability);
+
+        return sendRequestsAfterFindingVulnerabilityPanel;
+    }
+
     private JButton getResetButton() {
         JButton resetButton = new JButton();
         resetButton.setText(FileUploadI18n.getMessage("fileupload.settings.button.reset"));
@@ -225,6 +244,7 @@ private void resetOptionsPanel() {
         dynamicLocationConfigurationURIRegex.setText("");
         parseResponseStartIdentifier.setText("");
         parseResponseEndIdentifier.setText("");
+        sendRequestsAfterFindingVulnerability.setSelected(false);
     }
 
     @Override
@@ -239,6 +259,8 @@ public void initParam(Object optionParams) {
         parseResponseStartIdentifier.setText(
                 fileUploadConfiguration.getParseResponseStartIdentifier());
         parseResponseEndIdentifier.setText(fileUploadConfiguration.getParseResponseEndIdentifier());
+        sendRequestsAfterFindingVulnerability.setSelected(
+                fileUploadConfiguration.getSendRequestsAfterFindingVulnerability());
     }
 
     @Override
@@ -275,7 +297,7 @@ public String getHelpIndex() {
     }
 
     @Override
-    public void saveParam(Object optionParams) throws Exception {
+    public void saveParam(Object optionParams) {
         FileUploadConfiguration fileUploadConfiguration =
                 ((OptionsParam) optionParams).getParamSet(FileUploadConfiguration.class);
         fileUploadConfiguration.setStaticLocationURIRegex(
@@ -286,5 +308,7 @@ public void saveParam(Object optionParams) throws Exception {
                 this.parseResponseStartIdentifier.getText());
         fileUploadConfiguration.setParseResponseEndIdentifier(
                 this.parseResponseEndIdentifier.getText());
+        fileUploadConfiguration.setSendRequestsAfterFindingVulnerability(
+                this.sendRequestsAfterFindingVulnerability.isSelected());
     }
 }
diff --git a/src/main/resources/org/sasanlabs/fileupload/i18n/Messages.properties b/src/main/resources/org/sasanlabs/fileupload/i18n/Messages.properties
@@ -125,4 +125,6 @@ fileupload.scanner.vulnerability.htaccessFile.soln=Follow the suggestions mentio
 1. https://portswigger.net/kb/issues/00500980_file-upload-functionality \
 2. https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload \
 3. https://www.youtube.com/watch?v=CmF9sEyKZNo \
-4. https://cwe.mitre.org/data/definitions/434.html
+4. https://cwe.mitre.org/data/definitions/434.html
+
+fileupload.settings.checkbox.sendrequestsaftervulnerability=Keep exploiting after discovery