/usr/share/w3af/plugins/grep/clickJacking.py is in w3af-console 1.1svn5547-1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 | '''
clickJacking.py
Copyright 2006 Andres Riancho
This file is part of w3af, w3af.sourceforge.net .
w3af is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation version 2 of the License.
w3af is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with w3af; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
'''
import core.controllers.outputManager as om
from core.data.options.option import option
from core.data.options.optionList import optionList
import core.data.kb.knowledgeBase as kb
import core.data.kb.vuln as vuln
import core.data.constants.severity as severity
from core.data.db.disk_list import disk_list
from core.controllers.basePlugin.baseGrepPlugin import baseGrepPlugin
class clickJacking(baseGrepPlugin):
'''
Grep every page for X-Frame-Options header.
@author: Taras (oxdef@oxdef.info)
'''
def __init__(self):
baseGrepPlugin.__init__(self)
self._total_count = 0
self._vuln_count = 0
self._vulns = disk_list()
def grep(self, request, response):
if not response.is_text_or_html():
return
self._total_count += 1
# TODO need to check here for auth cookie?!
headers = response.getLowerCaseHeaders()
x_frame_options = headers.get('x-frame-options', None)
if x_frame_options\
and x_frame_options.lower() in ('deny', 'sameorigin'):
return
self._vuln_count += 1
if response.getURL() not in self._vulns:
self._vulns.append(response.getURL())
def getOptions(self):
ol = optionList()
return ol
def setOptions(self, o):
pass
def end(self):
# If all URLs implement protection, don't report anything.
if not self._vuln_count:
return
v = vuln.vuln()
v.setPluginName(self.getName())
v.setName('Possible ClickJacking attack' )
v.setSeverity(severity.MEDIUM)
# If none of the URLs implement protection, simply report
# ONE vulnerability that says that.
if self._total_count == self._vuln_count:
msg = 'The whole target '
msg += 'has no protection (X-Frame-Options header) against ClickJacking attack'
v.setDesc(msg)
kb.kb.append(self, 'clickJacking', v)
# If most of the URLs implement the protection but some
# don't, report ONE vulnerability saying: "Most are protected, but x, y are not.
if self._total_count > self._vuln_count:
msg = 'Some URLs has no protection (X-Frame-Options header) '
msg += 'against ClickJacking attack. Among them:\n '
msg += ' '.join([str(url) + '\n' for url in self._vulns])
v.setDesc(msg)
kb.kb.append(self, 'clickJacking', v)
self.printUniq(kb.kb.getData( 'clickJacking', 'clickJacking' ), 'URL')
def getPluginDeps(self):
return []
def getLongDesc(self):
return '''
This plugin greps every page for X-Frame-Options header and so
for possible ClickJacking attack against URL.
Additional information: https://www.owasp.org/index.php/Clickjacking
'''
|