From beaa69f7aff0dd396eaab71ed04f82f4ad7e9041 Mon Sep 17 00:00:00 2001 From: ekultek Date: Tue, 14 Nov 2017 13:54:52 -0600 Subject: [PATCH] added a few new WAF scripts (issue #142) squid proxy IDS, cloudfront, minor updates to modsecurity --- etc/checksum/md5sum.md5 | 6 ++++-- lib/firewall/cloudfront.py | 17 +++++++++++++++++ lib/firewall/modsecurity.py | 2 ++ lib/firewall/squid.py | 25 +++++++++++++++++++++++++ lib/header_check/__init__.py | 3 +++ 5 files changed, 51 insertions(+), 2 deletions(-) create mode 100644 lib/firewall/cloudfront.py create mode 100644 lib/firewall/squid.py diff --git a/etc/checksum/md5sum.md5 b/etc/checksum/md5sum.md5 index c1f39ae..da43516 100644 --- a/etc/checksum/md5sum.md5 +++ b/etc/checksum/md5sum.md5 @@ -23,13 +23,15 @@ ca6935a72fd0527d15a78a17a35e56e8 ./bin/drivers/geckodriver-v0.19.0-linux64.tar. 07cd383c8aef8ea5ef194a506141afd6 ./bin/drivers/geckodriver-v0.19.0-linux32.tar.gz 6ea65a0160c21e144e92334acc2e3667 ./lib/firewall/anquanbao.py 34b946ab1f9aaac397ba77d5f8c132b1 ./lib/firewall/cloudflare.py -1d65a5d7708a3b365f3a518ae7064304 ./lib/firewall/modsecurity.py +54815706261c32b57fbbdc99244b5cdd ./lib/firewall/modsecurity.py 6b370050b40d8c1d2221424f756c7842 ./lib/firewall/paloalto.py 60973a0c2e34108dfb32c89ad46477b6 ./lib/firewall/sucuri.py 1f303641d59686d544f2986ff74c6b31 ./lib/firewall/webseal.py 783973a4c6af58907f6dbfe1b274c59c ./lib/firewall/generic.py 6ccf3a1df5aa6429cd3365b7b8ded8f4 ./lib/firewall/powerful.py c3f01fc8ff7dfe7759f63bf16b00f127 ./lib/firewall/wordfence.py +2bfc3884ae96cc2443ebf94359b380c0 ./lib/firewall/cloudfront.py +fde5445df5d77d245656adea96673cfa ./lib/firewall/squid.py 785c28da8b681a7e23964f99118b5aab ./lib/tamper_scripts/obfuscateordinal_encode.py 10bf1bc4ef0287d31633148fab557e8a ./lib/tamper_scripts/uppercase_encode.py 5b68de0ce3a783b870921b09b5222146 ./lib/tamper_scripts/hex_encode.py @@ -59,7 +61,7 @@ ceb1b278b0861c976dfecc91cb64e53d ./lib/attacks/xss_scan/__init__.py 1faa2b5dfad6eb538bbfe42942d2a9da ./lib/core/errors.py d41d8cd98f00b204e9800998ecf8427e ./lib/core/__init__.py dc27f3a46931a5264b60e28601d1bc63 ./lib/core/settings.py -a32f8f2a054ab687361bda8557ff63d4 ./lib/header_check/__init__.py +376c0d9ebb943f539bb655fabc1bb8ba ./lib/header_check/__init__.py d41d8cd98f00b204e9800998ecf8427e ./var/google_search/__init__.py 5974e78ce4035d14005fd1a00a3655d2 ./var/google_search/search.py d41d8cd98f00b204e9800998ecf8427e ./var/__init__.py diff --git a/lib/firewall/cloudfront.py b/lib/firewall/cloudfront.py new file mode 100644 index 0000000..fda4a8b --- /dev/null +++ b/lib/firewall/cloudfront.py @@ -0,0 +1,17 @@ +import re + + +__item__ = "CloudFront Firewall (Amazon)" + + +def detect(content, **kwargs): + headers = kwargs.get("headers", None) + detection_schema = ( + re.compile(r"\d.\d.[a-zA-Z0-9]{32,60}.cloudfront.net", re.I), + re.compile(r"cloudfront", re.I), + re.compile(r"X-Amz-Cf-Id", re.I) + ) + if headers is not None: + for detection in detection_schema: + if detection.search(str(headers)) is not None: + return True diff --git a/lib/firewall/modsecurity.py b/lib/firewall/modsecurity.py index 4126988..12bfa33 100644 --- a/lib/firewall/modsecurity.py +++ b/lib/firewall/modsecurity.py @@ -8,6 +8,8 @@ def detect(content, **kwargs): content = str(content) detection_schema = ( re.compile(r"ModSecurity|NYOB", re.I), + re.compile(r"Mod Security", re.I), + re.compile(r"mod_security", re.I), re.compile(r"This error was generated by Mod_Security", re.I), re.compile(r"Web Server at", re.I), re.compile(r"page you are (accessing|trying)? (to|is)? (access)? (is|to)? (restricted)?", re.I) diff --git a/lib/firewall/squid.py b/lib/firewall/squid.py new file mode 100644 index 0000000..e2dd10d --- /dev/null +++ b/lib/firewall/squid.py @@ -0,0 +1,25 @@ +import re + + +__item__ = "Squid Proxy (IDS)" + + +def detect(content, **kwargs): + content = str(content) + headers = kwargs.get("headers", None) + detection_schema = ( + re.compile(r"squid", re.I), + re.compile(r"Access control configuration prevents", re.I) + ) + for detection in detection_schema: + if detection.search(content) is not None: + return True + if headers is not None: + headers = str(headers) + detection_schema = ( + re.compile(r"X.Squid.Error", re.I), + re.compile(r"squid", re.I) + ) + for detection in detection_schema: + if detection.search(headers) is not None: + return True diff --git a/lib/header_check/__init__.py b/lib/header_check/__init__.py index 3522538..3bb3253 100644 --- a/lib/header_check/__init__.py +++ b/lib/header_check/__init__.py @@ -247,6 +247,9 @@ def main_header_check(url, **kwargs): )) for key in found_headers.iterkeys(): protection[key] = found_headers[key] + logger.info(set_color( + "writing found headers to log file...", level=25 + )) return write_to_log_file(protection, HEADER_RESULT_PATH, "{}-headers.json".format(replace_http(url))) else: logger.error(set_color(