Refactoring WAF scripts

stamparm · stamparm · commit be50192d8d9d · 2013-02-26T15:54:50.000+01:00
diff --git a/lib/core/settings.py b/lib/core/settings.py
@@ -384,6 +384,7 @@
 
 # Vectors used for provoking specific WAF/IDS/IPS behavior(s)
 WAF_ATTACK_VECTORS = (
+                        "",  # NIL
                         "search=<script>alert(1)</script>",
                         "file=../../../../etc/passwd",
                         "q=<invalid>foobar",
diff --git a/waf/airlock.py b/waf/airlock.py
@@ -8,9 +8,17 @@
 import re
 
 from lib.core.enums import HTTPHEADER
+from lib.core.settings import WAF_ATTACK_VECTORS
 
 __product__ = "Airlock (Phion/Ergon)"
 
 def detect(get_page):
-    page, headers, code = get_page()
-    return re.search(r"\AAL[_-]?(SESS|LB)=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
+    retval = False
+
+    for vector in WAF_ATTACK_VECTORS:
+        page, headers, code = get_page(get=vector)
+        retval = re.search(r"\AAL[_-]?(SESS|LB)=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
+        if retval:
+            break
+
+    return retval
diff --git a/waf/barracuda.py b/waf/barracuda.py
@@ -8,9 +8,17 @@
 import re
 
 from lib.core.enums import HTTPHEADER
+from lib.core.settings import WAF_ATTACK_VECTORS
 
 __product__ = "Barracuda Web Application Firewall (Barracuda Networks)"
 
 def detect(get_page):
-    page, headers, code = get_page()
-    return re.search(r"\Abarra_counter_session=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
+    retval = False
+
+    for vector in WAF_ATTACK_VECTORS:
+        page, headers, code = get_page(get=vector)
+        retval = re.search(r"\Abarra_counter_session=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
+        if retval:
+            break
+
+    return retval
diff --git a/waf/bigip.py b/waf/bigip.py
@@ -13,14 +13,14 @@
 __product__ = "BIG-IP Application Security Manager (F5 Networks)"
 
 def detect(get_page):
-    page, headers, code = get_page()
-    retval = re.search(r"\ATS[a-zA-Z0-9]{3,6}=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
+    retval = False
 
-    if not retval:
-        for vector in WAF_ATTACK_VECTORS:
-            page, headers, code = get_page(get=vector)
-            retval = headers.get("X-Cnection", "").lower() == "close"
-            if retval:
-                break
+    for vector in WAF_ATTACK_VECTORS:
+        page, headers, code = get_page(get=vector)
+        retval = headers.get("X-Cnection", "").lower() == "close"
+        retval |= re.search(r"\ATS[a-zA-Z0-9]{3,6}=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
+        retval |= re.search(r"BigIP|BIGipServer", headers.get(HTTPHEADER.SERVER, ""), re.I) is not None
+        if retval:
+            break
 
     return retval
diff --git a/waf/binarysec.py b/waf/binarysec.py
@@ -8,12 +8,18 @@
 import re
 
 from lib.core.enums import HTTPHEADER
+from lib.core.settings import WAF_ATTACK_VECTORS
 
 __product__ = "BinarySEC Web Application Firewall (BinarySEC)"
 
 def detect(get_page):
-    page, headers, code = get_page()
-    retval = re.search(r"BinarySec", headers.get(HTTPHEADER.SERVER, ""), re.I) is not None
-    if not retval:
+    retval = False
+
+    for vector in WAF_ATTACK_VECTORS:
+        page, headers, code = get_page(get=vector)
         retval = any(headers.get(_) for _ in ("x-binarysec-via", "x-binarysec-nocache"))
+        retval |= re.search(r"BinarySec", headers.get(HTTPHEADER.SERVER, ""), re.I) is not None
+        if retval:
+            break
+
     return retval
diff --git a/waf/datapower.py b/waf/datapower.py
@@ -7,8 +7,18 @@
 
 import re
 
+from lib.core.enums import HTTPHEADER
+from lib.core.settings import WAF_ATTACK_VECTORS
+
 __product__ = "IBM WebSphere DataPower (IBM)"
 
 def detect(get_page):
-    page, headers, code = get_page()
-    return re.search(r"\A(OK|FAIL)", headers.get("X-Backside-Transport", ""), re.I) is not None
+    retval = False
+
+    for vector in WAF_ATTACK_VECTORS:
+        page, headers, code = get_page(get=vector)
+        retval = re.search(r"\A(OK|FAIL)", headers.get("X-Backside-Transport", ""), re.I) is not None
+        if retval:
+            break
+
+    return retval
diff --git a/waf/denyall.py b/waf/denyall.py
@@ -13,14 +13,13 @@
 __product__ = "Deny All Web Application Firewall (DenyAll)"
 
 def detect(get_page):
-    page, headers, code = get_page()
-    retval = re.search(r"\Asessioncookie=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
+    retval = False
 
-    if not retval:
-        for vector in WAF_ATTACK_VECTORS:
-            page, headers, code = get_page(get=vector)
-            retval = code == 200 and re.search(r"\ACondition Intercepted", page, re.I) is not None
-            if retval:
-                break
+    for vector in WAF_ATTACK_VECTORS:
+        page, headers, code = get_page(get=vector)
+        retval = re.search(r"\Asessioncookie=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
+        retval |= code == 200 and re.search(r"\ACondition Intercepted", page, re.I) is not None
+        if retval:
+            break
 
     return retval
diff --git a/waf/hyperguard.py b/waf/hyperguard.py
@@ -8,9 +8,17 @@
 import re
 
 from lib.core.enums import HTTPHEADER
+from lib.core.settings import WAF_ATTACK_VECTORS
 
 __product__ = "Hyperguard Web Application Firewall (art of defence Inc.)"
 
 def detect(get_page):
-    page, headers, code = get_page()
-    return re.search(r"\AODSESSION=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
+    retval = False
+
+    for vector in WAF_ATTACK_VECTORS:
+        page, headers, code = get_page(get=vector)
+        retval = re.search(r"\AODSESSION=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
+        if retval:
+            break
+
+    return retval
diff --git a/waf/netcontinuum.py b/waf/netcontinuum.py
@@ -8,9 +8,17 @@
 import re
 
 from lib.core.enums import HTTPHEADER
+from lib.core.settings import WAF_ATTACK_VECTORS
 
 __product__ = "NetContinuum Web Application Firewall (NetContinuum/Barracuda Networks)"
 
 def detect(get_page):
-    page, headers, code = get_page()
-    return re.search(r"\ANCI__SessionId=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
+    retval = False
+
+    for vector in WAF_ATTACK_VECTORS:
+        page, headers, code = get_page(get=vector)
+        retval = re.search(r"\ANCI__SessionId=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
+        if retval:
+            break
+
+    return retval
diff --git a/waf/netscaler.py b/waf/netscaler.py
@@ -13,15 +13,14 @@
 __product__ = "NetScaler (Citrix Systems)"
 
 def detect(get_page):
-    page, headers, code = get_page()
-    retval = re.search(r"\A(ns_af=|citrix_ns_id|NSC_)", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
-    retval |= re.search(r"\ANS-CACHE", headers.get(HTTPHEADER.VIA, ""), re.I) is not None
+    retval = False
 
-    if not retval:
-        for vector in WAF_ATTACK_VECTORS:
-            page, headers, code = get_page(get=vector)
-            retval = re.search(r"\Aclose", headers.get("Cneonction", "") or headers.get("nnCoection", ""), re.I) is not None
-            if retval:
-                break
+    for vector in WAF_ATTACK_VECTORS:
+        page, headers, code = get_page(get=vector)
+        retval = re.search(r"\Aclose", headers.get("Cneonction", "") or headers.get("nnCoection", ""), re.I) is not None
+        retval = re.search(r"\A(ns_af=|citrix_ns_id|NSC_)", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
+        retval |= re.search(r"\ANS-CACHE", headers.get(HTTPHEADER.VIA, ""), re.I) is not None
+        if retval:
+            break
 
     return retval
diff --git a/waf/profense.py b/waf/profense.py
@@ -8,12 +8,18 @@
 import re
 
 from lib.core.enums import HTTPHEADER
+from lib.core.settings import WAF_ATTACK_VECTORS
 
 __product__ = "Profense Web Application Firewall (Armorlogic)"
 
 def detect(get_page):
-    page, headers, code = get_page()
-    retval = re.search(r"Profense", headers.get(HTTPHEADER.SERVER, ""), re.I) is not None
-    if not retval:
+    retval = False
+
+    for vector in WAF_ATTACK_VECTORS:
+        page, headers, code = get_page(get=vector)
         retval = re.search(r"\APLBSID=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
+        retval |= re.search(r"Profense", headers.get(HTTPHEADER.SERVER, ""), re.I) is not None
+        if retval:
+            break
+
     return retval
diff --git a/waf/teros.py b/waf/teros.py
@@ -8,9 +8,17 @@
 import re
 
 from lib.core.enums import HTTPHEADER
+from lib.core.settings import WAF_ATTACK_VECTORS
 
 __product__ = "Teros/Citrix Application Firewall Enterprise (Teros/Citrix Systems)"
 
 def detect(get_page):
-    page, headers, code = get_page()
-    return re.search(r"\Ast8(id|_wat|_wlf)", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
+    retval = False
+
+    for vector in WAF_ATTACK_VECTORS:
+        page, headers, code = get_page(get=vector)
+        retval = re.search(r"\Ast8(id|_wat|_wlf)", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
+        if retval:
+            break
+
+    return retval
diff --git a/waf/trafficshield.py b/waf/trafficshield.py
@@ -8,9 +8,18 @@
 import re
 
 from lib.core.enums import HTTPHEADER
+from lib.core.settings import WAF_ATTACK_VECTORS
 
 __product__ = "TrafficShield (F5 Networks)"
 
 def detect(get_page):
-    page, headers, code = get_page()
-    return (re.search(r"\AASINFO=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) or re.search(r"F5-TrafficShield", headers.get(HTTPHEADER.SERVER, ""), re.I)) is not None
+    retval = False
+
+    for vector in WAF_ATTACK_VECTORS:
+        page, headers, code = get_page(get=vector)
+        retval = re.search(r"F5-TrafficShield", headers.get(HTTPHEADER.SERVER, ""), re.I) is not None
+        retval |= re.search(r"\AASINFO=", headers.get(HTTPHEADER.SET_COOKIE, ""), re.I) is not None
+        if retval:
+            break
+
+    return retval
