Merge pull request #11 from lalithr95/implement-privilege-escalation

Implement privilege escalation

Author: lalithr95

lib/API_Fuzzer.rb

@@ -10,6 +10,8 @@
 require 'API_Fuzzer/redirect_check'
 require 'API_Fuzzer/idor_check'
 require 'API_Fuzzer/rate_limit_check'
+require 'API_Fuzzer/csrf_check'
+require 'API_Fuzzer/privilege_escalation_check'
 
 module API_Fuzzer
   # Scans all the checks
@@ -24,6 +26,8 @@ def self.scan(options = {})
     vulnerabilities << API_Fuzzer::RedirectCheck.scan(options)
     vulnerabilities << API_Fuzzer::IdorCheck.scan(options)
     vulnerabilities << API_Fuzzer::RateLimitCheck.scan(options)
+    vulnerabilities << API_Fuzzer::CsrfCheck.scan(options)
+    vulnerabilities << API_Fuzzer::PrivilegeEscalationCheck.scan(options)
     API_Fuzzer::XxeCheck.scan(options)
     vulnerabilities.uniq.flatten
   end

lib/API_Fuzzer/csrf_check.rb

@@ -11,19 +11,30 @@ def scan(options = {})
         @url = options[:url] || nil
         @params = options[:params] || {}
         @cookies = options[:cookies] || {}
+        @methods = options[:method] || [:get]
+        @headers = options[:headers] || {}
         @json = options[:json] || false
         @vulnerabilities = []
 
-        validate_csrf
+        fuzz_csrf
+        @vulnerabilities.uniq { |vuln| vuln.description }
+      rescue Exception => e
+        Rails.logger.info e.message
+      end
+
+      def fuzz_csrf
+        @vulnerabilities << API_Fuzzer::Vulnerability.new(
+          type: 'MEDIUM',
+          value: 'No Cross-site request forgery protection found in API',
+          description: "Cross-site request forgery vulnerability in GET #{@url}"
+        ) if @methods.map(&:downcase).include?(:get)
       end
 
       def validate_csrf
         params = @params
         headers = request.headers
         matched_headers = headers.keys.select { |header| VALID_CSRF_HEADERS.any? { |exp| header.match(exp) } }
         matched_param = params.keys.select { |param| VALID_CSRF_PARAMS.any? { |exp| param.match(exp) } }
-
-        
       end
     end
   end

lib/API_Fuzzer/idor_check.rb

@@ -33,6 +33,7 @@ def fuzz_without_session
             method: method
           )
 
+          fuzz_sensitive_files(response, method)
           fuzz_match(response, response_without_session, method)
         end
       end
@@ -44,6 +45,18 @@ def fuzz_match(resp, resp_without_session, method)
           description: "Possible IDOR in #{method} #{@url}"
         ) if resp.body.to_s == resp_without_session.body.to_s
       end
+
+      def fuzz_sensitive_files(response, method)
+        file_url = /^((https?:\/\/)?(www\.)?([\da-z\.-]+)\.([a-z\.]{2,6})\/[\w \.-]+?\.(pdf|doc|docs|rtf)([a-zA-Z0-9=?]*?))$/
+        flagged_url = response.body.to_s.scan(file_url) || []
+        flagged_url.each do |url|
+          @vulnerabilities << API_Fuzzer::Vulnerability.new(
+            type: 'MEDIUM',
+            value: "File #{url} can be accessed without proper permissions",
+            description: "Access control violation in #{method} #{url}"
+          )
+        end
+      end
     end
   end
 end

lib/API_Fuzzer/privilege_escalation_check.rb

@@ -0,0 +1,78 @@
+require 'API_Fuzzer/vulnerability'
+require 'API_Fuzzer/error'
+require 'API_Fuzzer/request'
+
+module API_Fuzzer
+  class PrivilegeEscalationCheck
+    class << self
+      def scan(options = {})
+        @url = options[:url]
+        @params = options[:params] || {}
+        @headers = options[:headers] || {}
+        @methods = options[:method] || []
+        @cookies = options[:cookies] || {}
+
+        @vulnerabilities = []
+        fuzz_privileges
+        @vulnerabilities.uniq  { |vuln| vuln.description }
+      rescue Exception => e
+        Rails.logger.info e.message
+      end
+
+      def fuzz_privileges
+        id = /\A\d+\z/
+        uri = URI(@url)
+        path = uri.path
+        query = uri.query
+        url = @url
+        base_uri = query.nil? ? path : [path, query].join("?")
+        fragments = base_uri.split(/[\/,?,&]/) - ['']
+        fragments.each do |fragment|
+          if fragment.match(/\A(\w)+=(\w)*\z/)
+            key, value = fragment.split("=")
+            if value.match(id)
+              value = value.to_i
+              value += 1
+              url = url.gsub(fragment, [key, value].join("=")).chomp
+              fuzz_identity(url, @params)
+            end
+          elsif fragment.match(id)
+            value = fragment.to_i
+            value += 1
+            url = url.gsub(fragment, value.to_s).chomp if url
+            fuzz_identity(url, @params, url)
+          end
+        end
+        return if @params.empty?
+
+        parameters = @params
+        parameters.keys.each do |parameter|
+          value = parameters[parameter]
+          if value.match(id)
+            value = value.to_i
+            value += 1
+            info = [parameter, value].join(" ")
+            fuzz_identity(@url, parameters.merge(parameter, value), info)
+          end
+        end
+      end
+
+      def fuzz_identity(url, params, value)
+        @methods.each do |method|
+          response = API_Fuzzer::Request.send_api_request(
+            url: url,
+            method: method,
+            params: @params,
+            cookies: @cookies,
+            headers: @headers
+          )
+          @vulnerabilities << API_Fuzzer::Vulnerability.new(
+            type: 'HIGH',
+            value: "ID in #{value} parameter is vulnerable to Privilege Escalation vulnerability.",
+            description: "Privilege Escalation vulnerability in #{method} #{url}"
+          ) if response.code == 200
+        end
+      end
+    end
+  end
+end

rules/info.yml

@@ -1,20 +1,20 @@
 ---
 rules:
-  
-  - 
+
+  -
     #Server
     description: Information Disclosure of Server version
     match: server
   -
     # Powered-by Header
     description: Information Disclosure through x-powered-by
     match: x-powered-by
-  
+
   -
     # ASP.NET MVC version
     description: Information Disclosure of APS.NET MVC version
     match: x-aspnetmvc-version
-  
+
   -
     # ASP.NET version
     description: Information Disclosure of ASP.NET version