From 1fd3f281e79523bbbbef7a8461b6d548b217d4d2 Mon Sep 17 00:00:00 2001
From: ekultek
Date: Tue, 14 Nov 2017 16:07:26 -0600
Subject: [PATCH] updates to cloudflare, sucuri WAF scripts, added AWS waf script (issue #142)
---
 etc/checksum/md5sum.md5 | 7 ++++---
 lib/core/settings.py | 2 +-
 lib/firewall/aws.py | 25 +++++++++++++++++++++++++
 lib/firewall/cloudflare.py | 2 ++
 lib/firewall/sucuri.py | 5 +++++
 5 files changed, 37 insertions(+), 4 deletions(-)
 create mode 100644 lib/firewall/aws.py
diff --git a/etc/checksum/md5sum.md5 b/etc/checksum/md5sum.md5
index da43516..9fe7d61 100644
--- a/etc/checksum/md5sum.md5
+++ b/etc/checksum/md5sum.md5
@@ -22,16 +22,17 @@ ca6935a72fd0527d15a78a17a35e56e8 ./bin/drivers/geckodriver-v0.19.0-linux64.tar.
 4ccb56fb3700005c9f9188f84152f21a ./bin/drivers/geckodriver-v0.18.0-linux64.tar.gz
 07cd383c8aef8ea5ef194a506141afd6 ./bin/drivers/geckodriver-v0.19.0-linux32.tar.gz
 6ea65a0160c21e144e92334acc2e3667 ./lib/firewall/anquanbao.py
-34b946ab1f9aaac397ba77d5f8c132b1 ./lib/firewall/cloudflare.py
+1ebfc01f84201fb723ff727957d18b26 ./lib/firewall/cloudflare.py
 54815706261c32b57fbbdc99244b5cdd ./lib/firewall/modsecurity.py
 6b370050b40d8c1d2221424f756c7842 ./lib/firewall/paloalto.py
-60973a0c2e34108dfb32c89ad46477b6 ./lib/firewall/sucuri.py
+24342e7de0c51595d593cef74d80d3a0 ./lib/firewall/sucuri.py
 1f303641d59686d544f2986ff74c6b31 ./lib/firewall/webseal.py
 783973a4c6af58907f6dbfe1b274c59c ./lib/firewall/generic.py
 6ccf3a1df5aa6429cd3365b7b8ded8f4 ./lib/firewall/powerful.py
 c3f01fc8ff7dfe7759f63bf16b00f127 ./lib/firewall/wordfence.py
 2bfc3884ae96cc2443ebf94359b380c0 ./lib/firewall/cloudfront.py
 fde5445df5d77d245656adea96673cfa ./lib/firewall/squid.py
+9c3ec0cce44c4246b97b431e37e3dcc2 ./lib/firewall/aws.py
 785c28da8b681a7e23964f99118b5aab ./lib/tamper_scripts/obfuscateordinal_encode.py
 10bf1bc4ef0287d31633148fab557e8a ./lib/tamper_scripts/uppercase_encode.py
 5b68de0ce3a783b870921b09b5222146 ./lib/tamper_scripts/hex_encode.py
@@ -60,7 +61,7 @@ ceb1b278b0861c976dfecc91cb64e53d ./lib/attacks/xss_scan/__init__.py
 21faf4679cdeaa731029a48f8963d6e7 ./lib/attacks/nmap_scan/nmap_opts.py
 1faa2b5dfad6eb538bbfe42942d2a9da ./lib/core/errors.py
 d41d8cd98f00b204e9800998ecf8427e ./lib/core/__init__.py
-dc27f3a46931a5264b60e28601d1bc63 ./lib/core/settings.py
+80c1415065b90c6af32e554fe83cfb5c ./lib/core/settings.py
 376c0d9ebb943f539bb655fabc1bb8ba ./lib/header_check/__init__.py
 d41d8cd98f00b204e9800998ecf8427e ./var/google_search/__init__.py
 5974e78ce4035d14005fd1a00a3655d2 ./var/google_search/search.py
diff --git a/lib/core/settings.py b/lib/core/settings.py
index 7b69710..207af0f 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -55,7 +55,7 @@ CLONE = "https://github.com/ekultek/zeus-scanner.git"
 ISSUE_LINK = "https://github.com/ekultek/zeus-scanner/issues"
 # current version
-VERSION = "1.2.13".format(PATCH_ID)
+VERSION = "1.2.14".format(PATCH_ID)
 # colors to output depending on the version
 VERSION_TYPE_COLORS = {"dev": 33, "stable": 92, "other": 30}
diff --git a/lib/firewall/aws.py b/lib/firewall/aws.py
new file mode 100644
index 0000000..18dc1e5
--- /dev/null
+++ b/lib/firewall/aws.py
@@ -0,0 +1,25 @@
+import re
+
+
+__item__ = "Amazon Web Services Web Application Firewall (Amazon)"
+
+
+def detect(content, **kwargs):
+ headers = kwargs.get("headers", None)
+ content = str(content)
+ detection_schema = (
+ re.compile(r"[0-9a-zA-Z]{16,25}<.RequestId>", re.I),
+ re.compile(r"AccessDenied<.Code>", re.I)
+ )
+ for detection in detection_schema:
+ if detection.search(content) is not None:
+ return True
+ if headers is not None:
+ headers = str(headers)
+ detection_schema = (
+ re.compile(r"x.amz.id.\d+", re.I),
+ re.compile(r"x.amz.request.id", re.I)
+ )
+ for detection in detection_schema:
+ if detection.search(headers) is not None:
+ return True
diff --git a/lib/firewall/cloudflare.py b/lib/firewall/cloudflare.py
index d8ebdf9..e853fa2 100644
--- a/lib/firewall/cloudflare.py
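Review bot: None of the four signatures in the new `detect` appears specific to AWS WAF: `AccessDenied<.Code>` and `…<.RequestId>` look like the XML error body S3 returns for an unauthorised object, and `x.amz.id.\d+` / `x.amz.request.id` match the `x-amz-id-2` / `x-amz-request-id` headers that S3-backed responses carry whether or not anything was blocked — so, as far as I can tell, any S3-hosted site would be reported as sitting behind the `__item__` WAF, and the scanner's later evasion choices would rest on a wrong premise. The closing-tag patterns also use an unescaped `.` where the tag's `/` is meant; `</RequestId>` and `</Code>` are exact and need no escaping in a raw string. At minimum the first `detection_schema` deserves a scope comment, e.g. `# NOTE: these match S3-style error XML / x-amz-* headers, i.e. "fronted by AWS", not necessarily AWS WAF — confirm against a real WAF block response`. `detect` also falls off the end and returns None rather than False when nothing matched; a trailing `return False` would make the result a proper bool.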
+++ b/lib/firewall/cloudflare.py
@@ -16,5 +16,7 @@ def detect(content, **kwargs):
 return True
 if re.compile(r"\A__cfduid=", re.I).search(headers.get("Cookie")) is not None:
 return True
+ if re.compile(r"CF_RAY", re.I).search(str(headers)) is not None:
+ return True
 except Exception:
 pass
diff --git a/lib/firewall/sucuri.py b/lib/firewall/sucuri.py
index 4bea066..9d27ecf 100644
--- a/lib/firewall/sucuri.py
+++ b/lib/firewall/sucuri.py
@@ -6,6 +6,7 @@ __item__ = "Sucuri Firewall (Sucuri Cloudproxy)"
 def detect(content, **kwargs):
 content = str(content)
+ headers = kwargs.get("headers", None)
 detection_schema = (
 re.compile(r"Access Denied - Sucuri Website Firewall"),
 re.compile(r"Sucuri WebSite Firewall - CloudProxy - Access Denied"),
@@ -14,3 +15,7 @@ def detect(content, **kwargs):
 for detection in detection_schema:
 if detection.search(content) is not None:
 return True
+ if headers is not None:
+ headers = str(headers)
+ if re.compile(r"X-Sucuri-ID", re.I).search(headers) is not None:
+ return True
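Review bot: The new `CF_RAY` pattern on the added line is unlikely ever to fire: Cloudflare's response header is spelled with a hyphen (`CF-RAY`), and the underscore form is only how CGI/WSGI environments rename headers, so `re.compile(r"CF_RAY", re.I).search(str(headers))` will miss the header as a client library actually receives it. Use the separator-agnostic style the new aws.py signatures use, `if re.compile(r"CF.RAY", re.I).search(str(headers)) is not None:`, or the literal `r"CF-RAY"`. Note also that `str(headers)` matches the string anywhere in the stringified mapping, values included, whereas the line above already targets a specific header via `headers.get(...)`. `detect` and the `try` enclosing these lines start before the hunk.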
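Review bot: The `X-Sucuri-ID` check in the last four lines of the second hunk runs the pattern over `str(headers)`, so it fires when that string appears anywhere in the stringified mapping — header values and cookie contents included — rather than when a header of that name is present. If `headers` is a mapping (the cloudflare script calls `headers.get(...)` on it, so it appears to be), matching keys is tighter: `if any(re.search(r"X-Sucuri-ID", k, re.I) for k in headers): return True`, keeping the `headers is not None` guard and the present substring check as the fallback for non-mapping inputs. `detect` also falls off the end and returns None rather than False when nothing matched; a trailing `return False` and a docstring saying that `detect` returns True when a Sucuri block page or the `X-Sucuri-ID` header is seen would make the contract explicit. `detect` starts before the hunk, and the hunk appears to end at the end of the file.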