Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add module http_post #130

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

OussamaBeng
Copy link
Contributor

Check if credentials are transported over an encrypted channel

@OussamaBeng OussamaBeng force-pushed the add-mod-check-http-post branch from ceed948 to efe6c93 Compare June 25, 2021 09:38
wapitiCore/attack/mod_http_post.py Outdated Show resolved Hide resolved
wapitiCore/attack/mod_http_post.py Outdated Show resolved Hide resolved
wapitiCore/attack/mod_http_post.py Outdated Show resolved Hide resolved
@OussamaBeng OussamaBeng force-pushed the add-mod-check-http-post branch 3 times, most recently from 493bcd5 to 791cdea Compare July 26, 2021 10:06
@codecov-commenter
Copy link

Codecov Report

Merging #130 (791cdea) into master (debd1b1) will decrease coverage by 0.02%.
The diff coverage is 72.97%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master     #130      +/-   ##
==========================================
- Coverage   70.92%   70.89%   -0.03%     
==========================================
  Files          76       78       +2     
  Lines        7563     7621      +58     
==========================================
+ Hits         5364     5403      +39     
- Misses       2199     2218      +19     
Impacted Files Coverage Δ
wapitiCore/attack/attack.py 82.21% <ø> (-0.26%) ⬇️
wapitiCore/net/page.py 81.29% <28.57%> (-0.72%) ⬇️
wapitiCore/main/wapiti.py 33.28% <50.00%> (-0.15%) ⬇️
wapitiCore/attack/mod_http_post.py 81.25% <81.25%> (ø)
wapitiCore/definitions/http_post.py 100.00% <100.00%> (ø)
wapitiCore/net/crawler.py 73.20% <100.00%> (-0.22%) ⬇️
wapitiCore/attack/mod_drupal_enum.py 68.68% <0.00%> (-21.15%) ⬇️
wapitiCore/attack/mod_brute_login_form.py 20.00% <0.00%> (-3.08%) ⬇️
... and 28 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 26d16d0...791cdea. Read the comment docs.

Check if credentials are transported over an encrypted channel
@OussamaBeng OussamaBeng force-pushed the add-mod-check-http-post branch from 791cdea to 6118d1a Compare July 26, 2021 10:38

if "Letm3in_" not in request.encoded_data + request.encoded_params:
return
self.finished = True
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you can remove this line

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also as an improvement we can keep track of files we marked as vulnerable (using request.path) to prevent duplicates (you can try on http://www.tvsoop.com/ for example which will generate lot of duplicates)

return
self.finished = True

self.log_red(NAME)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please use the output format used by other modules (take example here https://github.com/wapiti-scanner/wapiti/blob/master/wapitiCore/attack/mod_ssrf.py#L253 )

from wapitiCore.language.language import _

TYPE = "vulnerability"
NAME = _("POST HTTP")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing translations in en / fr .po files

@bretfourbe
Copy link
Collaborator

I think this one can be closed now, replaced by module https_redirect : #411 ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants