improved responsesplitting feedback

Author: m10x

pkg/requests.go

@@ -49,16 +49,7 @@ func getRespSplit() string {
 	return "\\r\\n" + respSplitHeader + ": " + respSplitValue
 }
 
-func checkPoisoningIndicators(repResult *reportResult, request reportRequest, success string, body string, poison string, statusCode1 int, statusCode2 int, sameBodyLength bool, header http.Header, recursive bool) bool {
-	testForResponseSplitting := false
-	// forwardheader benutzen keinen mutex. deswegen macht das if hier keinen Sinn
-	/*if m == nil {
-		result.HasError = true
-		msg := fmt.Sprintf("%s: checkPoisoningIndicators: mutex is nil", request.URL)
-		Print(msg, Red)
-		result.ErrorMessages = append(result.ErrorMessages, msg)
-		return testForResponseSplitting
-	}*/
+func checkPoisoningIndicators(repResult *reportResult, request reportRequest, success string, body string, poison string, statusCode1 int, statusCode2 int, sameBodyLength bool, header http.Header, recursive bool) string {
 	headerWithPoison := ""
 	if header != nil && poison != "" {
 		for x := range header {
@@ -76,7 +67,6 @@ func checkPoisoningIndicators(repResult *reportResult, request reportRequest, su
 			request.Reason = "Response Body contained " + poison
 		} else if headerWithPoison != "" {
 			request.Reason = fmt.Sprintf("%s header contains poison value %s", headerWithPoison, poison)
-			testForResponseSplitting = true
 		} else if statusCode1 >= 0 && statusCode1 != Config.Website.StatusCode && statusCode1 == statusCode2 {
 			// check if status code should be ignored
 			if len(Config.IgnoreStatus) > 0 {
@@ -87,7 +77,7 @@ func checkPoisoningIndicators(repResult *reportResult, request reportRequest, su
 						if err != nil {
 							Print(fmt.Sprintln("Error while checking whether the default status code changed: ", err.Error()), Yellow)
 						}
-						return testForResponseSplitting
+						return headerWithPoison
 					}
 				}
 			}
@@ -141,7 +131,7 @@ func checkPoisoningIndicators(repResult *reportResult, request reportRequest, su
 				request.Reason = fmt.Sprintf("Length %d differed more than %d bytes from normal length %d", len(body), Config.CLDiff, len(Config.Website.Body))
 			}
 		} else {
-			return testForResponseSplitting
+			return headerWithPoison
 		}
 	}
 
@@ -155,7 +145,7 @@ func checkPoisoningIndicators(repResult *reportResult, request reportRequest, su
 	Print(msg, Green)
 	repResult.Vulnerable = true
 	repResult.Requests = append(repResult.Requests, request)
-	return testForResponseSplitting
+	return headerWithPoison
 }
 
 func compareLengths(len1 int, len2 int, limit int) bool {
@@ -377,7 +367,7 @@ func secondRequest(rUrl string, identifier string, cb string) ([]byte, int, http
 
 // TODO: ResponseSplitting Methode
 /* return value:first bool is needed for responsesplitting, second bool is only needed for ScanParameters */
-func issueRequest(rp requestParams) (bool, bool) {
+func issueRequest(rp requestParams) (string, bool) {
 	body1, statusCode1, request, header1, err := firstRequest(rp)
 	if err != nil {
 		if err.Error() != "stop" {
@@ -389,7 +379,7 @@ func issueRequest(rp requestParams) (bool, bool) {
 			rp.repResult.ErrorMessages = append(rp.repResult.ErrorMessages, err.Error())
 		}
 
-		return false, false
+		return "", false
 	}
 
 	firstRequestPoisoningIndicator(rp.identifier, body1, rp.poison, header1)
@@ -404,7 +394,7 @@ func issueRequest(rp requestParams) (bool, bool) {
 			rp.repResult.HasError = true
 			rp.repResult.ErrorMessages = append(rp.repResult.ErrorMessages, err.Error())
 		}
-		return false, true
+		return "", true
 	}
 	sameBodyLength := len(body1) == len(body2)
 
@@ -414,9 +404,9 @@ func issueRequest(rp requestParams) (bool, bool) {
 		rp.m.Lock()
 		defer rp.m.Unlock()
 	}
-	responseSplitting := checkPoisoningIndicators(rp.repResult, request, rp.success, string(body2), rp.poison, statusCode1, statusCode2, sameBodyLength, respHeader, false)
+	responseSplittingHeader := checkPoisoningIndicators(rp.repResult, request, rp.success, string(body2), rp.poison, statusCode1, statusCode2, sameBodyLength, respHeader, false)
 
-	return responseSplitting, true
+	return responseSplittingHeader, true
 }
 
 func firstRequestPoisoningIndicator(identifier string, body []byte, poison string, header http.Header) {

pkg/techniques.go

@@ -52,17 +52,17 @@ func ScanCookies() reportResult {
 			m:                nil,
 			newCookie:        newCookie,
 		}
-		responseSplitting, _ := issueRequest(rp)
+		responseSplittingHeader, _ := issueRequest(rp)
 
 		// check for response splitting, if poison was reflected in a header
-		if responseSplitting {
-			msg := fmt.Sprintf("Checking cookie %s for Response Splitting, because it was reflected in the response' header\n", c.Name)
+		if responseSplittingHeader != "" {
+			msg := fmt.Sprintf("Checking cookie %s for Response Splitting, because it was reflected in the header %s\n", c.Name, responseSplittingHeader)
 			PrintVerbose(msg, Cyan, 1)
 
 			rp.poison += getRespSplit()
 			rp.url = rUrl
 			rp.cb = randInt()
-			rp.success = fmt.Sprintf("Cookie %s was successfully poisoned with Response Splitting! cb: %s poison: %s\n", c.Name, rp.cb, rp.poison)
+			rp.success = fmt.Sprintf("Cookie %s successfully poisoned the header %s with Response Splitting! cb: %s poison: %s\n", c.Name, responseSplittingHeader, rp.cb, rp.poison)
 			rp.identifier += " response splitting"
 
 			msg = fmt.Sprintf("Overwriting %s=%s with %s=%s\n", c.Name, c.Value, c.Name, rp.poison)
@@ -142,18 +142,18 @@ func ForwardHeadersTemplate(repResult *reportResult, headers []string, values []
 		m:                nil,
 		newCookie:        http.Cookie{},
 	}
-	responseSplitting, _ := issueRequest(rp)
+	responseSplittingHeader, _ := issueRequest(rp)
 
 	// check for response splitting, if poison was reflected in a header
-	if responseSplitting {
+	if responseSplittingHeader != "" {
 		rp.values[0] += getRespSplit()
-		msg := fmt.Sprintf("Checking header(s) %s with value(s) %s for Response Splitting, because it was reflected in the response' header\n", rp.headers, rp.values)
+		msg := fmt.Sprintf("Checking header(s) %s with value(s) %s for Response Splitting, because it was reflected in the header %s\n", rp.headers, rp.values, responseSplittingHeader)
 		PrintVerbose(msg, Cyan, 1)
 
 		rp.poison += getRespSplit()
 		rp.url = rUrl
 		rp.cb = randInt()
-		rp.success = fmt.Sprintf("%s was successfully poisoned with Response Splitting! cb: %s poison: %s\n", headers, rp.cb, rp.values)
+		rp.success = fmt.Sprintf("%s successfully poisoned the header %s with Response Splitting! cb: %s poison: %s\n", headers, responseSplittingHeader, rp.cb, rp.values)
 		rp.identifier += " response splitting"
 
 		issueRequest(rp)
@@ -252,17 +252,17 @@ func ScanHeaders(headerList []string) reportResult {
 				m:                &m,
 				newCookie:        http.Cookie{},
 			}
-			responseSplitting, _ := issueRequest(rp)
+			responseSplittingHeader, _ := issueRequest(rp)
 
 			// check for response splitting, if poison was reflected in a header
-			if responseSplitting {
-				msg := fmt.Sprintf("Testing now (%d/%d) %s for Response Splitting, because it was reflected in the response' header\n", i+1, len(headerList), header)
+			if responseSplittingHeader != "" {
+				msg := fmt.Sprintf("Testing now (%d/%d) %s for Response Splitting, because it was reflected in the header %s\n", i+1, len(headerList), header, responseSplittingHeader)
 				PrintVerbose(msg, Cyan, 1)
 
 				rp.url = rUrl
 				rp.cb = randInt()
 				rp.poison += getRespSplit()
-				rp.success = fmt.Sprintf("Header %s was successfully poisoned with Response Splitting! cb: %s poison: %s\n", header, rp.cb, rp.poison)
+				rp.success = fmt.Sprintf("Header %s successfully poisoned the header %s with Response Splitting! cb: %s poison: %s\n", header, responseSplittingHeader, rp.cb, rp.poison)
 				rp.identifier += " response splitting"
 
 				issueRequest(rp)
@@ -468,21 +468,21 @@ func ScanParameters(parameterList []string) reportResult {
 				newCookie:        http.Cookie{},
 				m:                &m,
 			}
-			responseSplitting, appendParameter := issueRequest(rp)
+			responseSplittingHeader, appendParameter := issueRequest(rp)
 
 			if appendParameter {
 				impactfulQueries = append(impactfulQueries, parameter)
 			}
 			// check for response splitting, if poison was reflected in a header
-			if responseSplitting {
-				msg := fmt.Sprintf("Testing now Parameter (%d/%d) %s for Response Splitting, because it was reflected in the response' header\n", i+1, len(parameterList), parameter)
+			if responseSplittingHeader != "" {
+				msg := fmt.Sprintf("Testing now Parameter (%d/%d) %s for Response Splitting, because it was reflected in the header %s\n", i+1, len(parameterList), parameter, responseSplittingHeader)
 				PrintVerbose(msg, Cyan, 1)
 
 				rp.poison += getRespSplit()
 				rp.parameters = []string{parameter + "=" + rp.poison}
 				rp.url = rUrl
 				rp.cb = randInt()
-				rp.success = fmt.Sprintf("Query Parameter %s was successfully poisoned with Response Splitting! cb: %s poison: %s\n", parameter, rp.cb, rp.poison)
+				rp.success = fmt.Sprintf("Query Parameter %s successfully poisoned the header %s with Response Splitting! cb: %s poison: %s\n", parameter, responseSplittingHeader, rp.cb, rp.poison)
 				rp.identifier += " response splitting"
 				issueRequest(rp)
 			}
@@ -570,19 +570,19 @@ func ScanFatGET() reportResult {
 					m:                &m,
 					newCookie:        http.Cookie{},
 				}
-				responseSplitting, _ := issueRequest(rp)
+				responseSplittingHeader, _ := issueRequest(rp)
 
 				// check for response splitting, if poison was reflected in a header
-				if responseSplitting {
-					msg := fmt.Sprintf("Testing now (%d/%d) %s for Response Splitting, because it was reflected in the response' header\n", i+1, len(impactfulQueries), s)
+				if responseSplittingHeader != "" {
+					msg := fmt.Sprintf("Testing now (%d/%d) %s for Response Splitting, because it was reflected in the header %s\n", i+1, len(impactfulQueries), s, responseSplittingHeader)
 					PrintVerbose(msg, Cyan, 1)
 
 					rp.url = rUrl
 					rp.cb = randInt()
 					rp.poison += getRespSplit()
 					rp.bodyString += getRespSplit()
 					rp.identifier += " response splitting"
-					rp.success = fmt.Sprintf("Query Parameter %s was successfully poisoned via %s with Response Splitting! cb: %s poison:%s\n", s, identifier, rp.cb, rp.poison)
+					rp.success = fmt.Sprintf("Query Parameter %s successfully poisoned the header %s via %s with Response Splitting! cb: %s poison:%s\n", s, responseSplittingHeader, identifier, rp.cb, rp.poison)
 
 					issueRequest(rp)
 				}
@@ -742,18 +742,18 @@ func ScanParameterCloaking() reportResult {
 					m:                &m,
 					newCookie:        http.Cookie{},
 				}
-				responseSplitting, _ := issueRequest(rp)
+				responseSplittingHeader, _ := issueRequest(rp)
 
 				// check for response splitting, if poison was reflected in a header
-				if responseSplitting {
-					msg := fmt.Sprintf("Testing now Parameter Cloaking (%d/%d) %s%s%s for Response Splitting, because it was reflected in the response' header\n", iu+is+1, len(impactfulQueries)*len(unkeyed_parameter), u, cloak, s)
+				if responseSplittingHeader != "" {
+					msg := fmt.Sprintf("Testing now Parameter Cloaking (%d/%d) %s%s%s for Response Splitting, because it was reflected in the header %s\n", iu+is+1, len(impactfulQueries)*len(unkeyed_parameter), u, cloak, s, responseSplittingHeader)
 					PrintVerbose(msg, Cyan, 1)
 
 					rp.url = rUrl
 					rp.cb = randInt()
 					rp.poison += getRespSplit()
 					rp.parameters = []string{u + "=foobar" + cloak + s + "=" + rp.poison}
-					rp.success = fmt.Sprintf("Query Parameter %s was successfully poisoned via Response Splitting using %s with Parameter Cloaking! cb:%s poison:%s\n", s, u, rp.cb, rp.poison)
+					rp.success = fmt.Sprintf("Query Parameter %s successfully poisoned the header %s with Response Splitting using %s with Parameter Cloaking! cb:%s poison:%s\n", s, responseSplittingHeader, u, rp.cb, rp.poison)
 					rp.identifier += " response splitting"
 
 					issueRequest(rp)
@@ -950,17 +950,17 @@ func headerDOSTemplate(repResult *reportResult, values []string, header string,
 				m:                &m,
 				newCookie:        http.Cookie{},
 			}
-			responseSplitting, _ := issueRequest(rp)
+			responseSplittingHeader, _ := issueRequest(rp)
 
 			// check for response splitting, if poison was reflected in a header
-			if responseSplitting {
-				msg := fmt.Sprintf("Testing now %s Header DOS with %s\n for Response Splitting, because it was reflected in the response' header", header, value)
+			if responseSplittingHeader != "" {
+				msg := fmt.Sprintf("Testing now %s Header DOS with %s\n for Response Splitting, because it was reflected in the header %s", header, value, responseSplittingHeader)
 				PrintVerbose(msg, Cyan, 1)
 
 				rp.values[0] += getRespSplit()
 				rp.url = rUrl
 				rp.cb = randInt()
-				rp.success = fmt.Sprintf("%sDOS with header %s was successfully poisoned with Response Splitting! cb: %s poison: %s\n", msgextra, header, rp.cb, rp.values[0])
+				rp.success = fmt.Sprintf("%sDOS with header %s successfully poisoned the header %s with Response Splitting! cb: %s poison: %s\n", msgextra, header, responseSplittingHeader, rp.cb, rp.values[0])
 				rp.identifier += getRespSplit() + " with response splitting"
 
 				issueRequest(rp)