From bc4ed01d70e9d302adee7f03183542341cda3f13 Mon Sep 17 00:00:00 2001 From: Tomer Ben-Rachel Date: Fri, 20 Oct 2023 02:54:19 +0300 Subject: [PATCH] Feature: Disable stoping of addon after finding vulnerability (#20) --- .../attacks/FileUploadAttackExecutor.java | 9 ++++-- .../FileUploadConfiguration.java | 20 ++++++++++++- .../fileupload/i18n/FileUploadI18n.java | 2 +- .../fileupload/ui/FileUploadOptionsPanel.java | 28 +++++++++++++++++-- .../fileupload/i18n/Messages.properties | 4 ++- 5 files changed, 56 insertions(+), 7 deletions(-) diff --git a/src/main/java/org/sasanlabs/fileupload/attacks/FileUploadAttackExecutor.java b/src/main/java/org/sasanlabs/fileupload/attacks/FileUploadAttackExecutor.java index c8816d8..6a5bc2c 100644 --- a/src/main/java/org/sasanlabs/fileupload/attacks/FileUploadAttackExecutor.java +++ b/src/main/java/org/sasanlabs/fileupload/attacks/FileUploadAttackExecutor.java @@ -1,5 +1,5 @@ /** - * Copyright 2021 SasanLabs + * Copyright 2023 SasanLabs * *

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file * except in compliance with the License. You may obtain a copy of the License at @@ -29,6 +29,7 @@ import org.sasanlabs.fileupload.attacks.rce.php.SimplePHPFileUpload; import org.sasanlabs.fileupload.attacks.xss.HtmlFileUpload; import org.sasanlabs.fileupload.attacks.xss.SVGFileUpload; +import org.sasanlabs.fileupload.configuration.FileUploadConfiguration; import org.sasanlabs.fileupload.exception.FileUploadException; /** @@ -70,11 +71,15 @@ public FileUploadAttackExecutor( } public boolean executeAttack() throws FileUploadException { + + Boolean shouldSendRequestsAfterFindingVulnerability = + FileUploadConfiguration.getInstance().getSendRequestsAfterFindingVulnerability(); + for (AttackVector attackVector : attackVectors) { if (this.fileUploadScanRule.isStop()) { return false; } else { - if (attackVector.execute(this)) { + if (attackVector.execute(this) && !shouldSendRequestsAfterFindingVulnerability) { return true; } } diff --git a/src/main/java/org/sasanlabs/fileupload/configuration/FileUploadConfiguration.java b/src/main/java/org/sasanlabs/fileupload/configuration/FileUploadConfiguration.java index e62b3e6..bbb1e7a 100644 --- a/src/main/java/org/sasanlabs/fileupload/configuration/FileUploadConfiguration.java +++ b/src/main/java/org/sasanlabs/fileupload/configuration/FileUploadConfiguration.java @@ -1,5 +1,5 @@ /** - * Copyright 2021 SasanLabs + * Copyright 2023 SasanLabs * *

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file * except in compliance with the License. You may obtain a copy of the License at @@ -39,12 +39,16 @@ public class FileUploadConfiguration extends VersionedAbstractParam { PARAM_BASE_KEY + ".parseresponse.startidentifier"; private static final String PARAM_PARSE_RESPONSE_CONFIGURATION_END_IDENTIFIER = PARAM_BASE_KEY + ".parseresponse.endidentifier"; + private static final String PARAM_SEND_REQUESTS_AFTER_FINDING_VULNERABILITY_IDENTIFIER = + PARAM_BASE_KEY + ".sendrequests"; private String staticLocationURIRegex; private String dynamicLocationURIRegex; private String parseResponseStartIdentifier; private String parseResponseEndIdentifier; + private Boolean sendRequestsAfterFindingVulnerability; + private static volatile FileUploadConfiguration fileUploadConfiguration; private FileUploadConfiguration() {} @@ -105,6 +109,18 @@ public void setParseResponseEndIdentifier(String parseResponseEndIdentifier) { parseResponseEndIdentifier); } + public Boolean getSendRequestsAfterFindingVulnerability() { + return sendRequestsAfterFindingVulnerability; + } + + public void setSendRequestsAfterFindingVulnerability(boolean shouldSendRequestsAfterFindingVulnerability) { + sendRequestsAfterFindingVulnerability = shouldSendRequestsAfterFindingVulnerability; + this.getConfig() + .setProperty( + PARAM_SEND_REQUESTS_AFTER_FINDING_VULNERABILITY_IDENTIFIER, + shouldSendRequestsAfterFindingVulnerability); + } + @Override protected String getConfigVersionKey() { return CONFIG_VERSION_KEY; @@ -125,6 +141,8 @@ protected void parseImpl() { getConfig().getString(PARAM_PARSE_RESPONSE_CONFIGURATION_START_IDENTIFIER)); this.setParseResponseEndIdentifier( getConfig().getString(PARAM_PARSE_RESPONSE_CONFIGURATION_END_IDENTIFIER)); + this.setSendRequestsAfterFindingVulnerability( + getConfig().getBoolean(PARAM_SEND_REQUESTS_AFTER_FINDING_VULNERABILITY_IDENTIFIER)); } @Override diff --git a/src/main/java/org/sasanlabs/fileupload/i18n/FileUploadI18n.java b/src/main/java/org/sasanlabs/fileupload/i18n/FileUploadI18n.java index 118a423..db817f3 100644 --- a/src/main/java/org/sasanlabs/fileupload/i18n/FileUploadI18n.java +++ b/src/main/java/org/sasanlabs/fileupload/i18n/FileUploadI18n.java @@ -1,5 +1,5 @@ /** - * Copyright 2021 SasanLabs + * Copyright 2023 SasanLabs * *

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file * except in compliance with the License. You may obtain a copy of the License at diff --git a/src/main/java/org/sasanlabs/fileupload/ui/FileUploadOptionsPanel.java b/src/main/java/org/sasanlabs/fileupload/ui/FileUploadOptionsPanel.java index 7224663..cbd3af9 100644 --- a/src/main/java/org/sasanlabs/fileupload/ui/FileUploadOptionsPanel.java +++ b/src/main/java/org/sasanlabs/fileupload/ui/FileUploadOptionsPanel.java @@ -1,5 +1,5 @@ /** - * Copyright 2021 SasanLabs + * Copyright 2023 SasanLabs * *

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file * except in compliance with the License. You may obtain a copy of the License at @@ -21,6 +21,7 @@ import java.awt.event.ActionListener; import javax.swing.BoxLayout; import javax.swing.JButton; +import javax.swing.JCheckBox; import javax.swing.JLabel; import javax.swing.JPanel; import javax.swing.JScrollPane; @@ -52,6 +53,8 @@ public class FileUploadOptionsPanel extends AbstractParamPanel { private JTextField parseResponseStartIdentifier; private JTextField parseResponseEndIdentifier; + private JCheckBox sendRequestsAfterFindingVulnerability; + public FileUploadOptionsPanel() { super(); this.setName(FileUploadI18n.getMessage("fileupload.settings.title")); @@ -72,9 +75,25 @@ public FileUploadOptionsPanel() { private void init(JPanel settingsPanel) { settingsPanel.add(uriLocatorConfiguration()); + settingsPanel.add(buildSendRequestsAfterFindingVulnerabilityCheckbox()); footerPanel.add(getResetButton()); } + private JPanel buildSendRequestsAfterFindingVulnerabilityCheckbox() { + JPanel sendRequestsAfterFindingVulnerabilityPanel = new JPanel(); + sendRequestsAfterFindingVulnerabilityPanel.setLayout(new FlowLayout(FlowLayout.LEFT)); + JLabel sendRequestsAfterFindingVulnerabilityLabel = + new JLabel( + FileUploadI18n.getMessage( + "fileupload.settings.checkbox.sendrequestsaftervulnerability")); + + sendRequestsAfterFindingVulnerability = new JCheckBox(); + sendRequestsAfterFindingVulnerabilityPanel.add(sendRequestsAfterFindingVulnerabilityLabel); + sendRequestsAfterFindingVulnerabilityPanel.add(sendRequestsAfterFindingVulnerability); + + return sendRequestsAfterFindingVulnerabilityPanel; + } + private JButton getResetButton() { JButton resetButton = new JButton(); resetButton.setText(FileUploadI18n.getMessage("fileupload.settings.button.reset")); @@ -225,6 +244,7 @@ private void resetOptionsPanel() { dynamicLocationConfigurationURIRegex.setText(""); parseResponseStartIdentifier.setText(""); parseResponseEndIdentifier.setText(""); + sendRequestsAfterFindingVulnerability.setSelected(false); } @Override @@ -239,6 +259,8 @@ public void initParam(Object optionParams) { parseResponseStartIdentifier.setText( fileUploadConfiguration.getParseResponseStartIdentifier()); parseResponseEndIdentifier.setText(fileUploadConfiguration.getParseResponseEndIdentifier()); + sendRequestsAfterFindingVulnerability.setSelected( + fileUploadConfiguration.getSendRequestsAfterFindingVulnerability()); } @Override @@ -275,7 +297,7 @@ public String getHelpIndex() { } @Override - public void saveParam(Object optionParams) throws Exception { + public void saveParam(Object optionParams) { FileUploadConfiguration fileUploadConfiguration = ((OptionsParam) optionParams).getParamSet(FileUploadConfiguration.class); fileUploadConfiguration.setStaticLocationURIRegex( @@ -286,5 +308,7 @@ public void saveParam(Object optionParams) throws Exception { this.parseResponseStartIdentifier.getText()); fileUploadConfiguration.setParseResponseEndIdentifier( this.parseResponseEndIdentifier.getText()); + fileUploadConfiguration.setSendRequestsAfterFindingVulnerability( + this.sendRequestsAfterFindingVulnerability.isSelected()); } } diff --git a/src/main/resources/org/sasanlabs/fileupload/i18n/Messages.properties b/src/main/resources/org/sasanlabs/fileupload/i18n/Messages.properties index 3a52cc5..d2f3af9 100755 --- a/src/main/resources/org/sasanlabs/fileupload/i18n/Messages.properties +++ b/src/main/resources/org/sasanlabs/fileupload/i18n/Messages.properties @@ -125,4 +125,6 @@ fileupload.scanner.vulnerability.htaccessFile.soln=Follow the suggestions mentio 1. https://portswigger.net/kb/issues/00500980_file-upload-functionality \ 2. https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload \ 3. https://www.youtube.com/watch?v=CmF9sEyKZNo \ -4. https://cwe.mitre.org/data/definitions/434.html \ No newline at end of file +4. https://cwe.mitre.org/data/definitions/434.html + +fileupload.settings.checkbox.sendrequestsaftervulnerability=Keep exploiting after discovery \ No newline at end of file