class API_Fuzzer::PrivilegeEscalationCheck
Public Class Methods
fuzz_identity(url, params, value)
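# File lib/API_Fuzzer/privilege_escalation_check.rb, line 60
# Replays the request with a mutated URL / parameter set over every
# configured HTTP method and records a HIGH finding for each method the
# server answers with 200: an incremented identifier that still resolves
# points at missing object-level authorization on that endpoint.
#
# Fix relative to the original: the request now sends the `params`
# argument. The original sent @params instead, so the bumped parameter
# values built by fuzz_privileges were silently never transmitted.
#
# @param url [String] request URL, already mutated by the caller
# @param params [Hash] request parameters to send with the mutated request
# @param value [String] human-readable label of the mutated identifier;
#   only used in the finding text
# @return [Array] @methods (the return value of Array#each); callers ignore it
def fuzz_identity(url, params, value)
  @methods.each do |method|
    response = API_Fuzzer::Request.send_api_request(
      url: url,
      method: method,
      params: params,
      cookies: @cookies,
      headers: @headers
    )
    # NOTE(review): assumes Request exposes an Integer status code — confirm;
    # a String "200" would never satisfy this comparison.
    next unless response.code == 200

    @vulnerabilities << API_Fuzzer::Vulnerability.new(
      type: 'HIGH',
      value: "ID in #{value} parameter is vulnerable to Privilege Escalation vulnerability.",
      description: "Privilege Escalation vulnerability in #{method} #{url}"
    )
  end
end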
fuzz_privileges()
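# File lib/API_Fuzzer/privilege_escalation_check.rb, line 22
# Finds purely numeric identifiers in the configured URL (path segments and
# query values) and in @params, increments each one in turn and hands the
# mutated request to fuzz_identity, which records a finding when the server
# still answers 200.
#
# Fixes relative to the original:
# - each mutation is applied to exactly one fragment of a fresh copy of the
#   URL; the original gsub'd the whole URL string, so an id of "1" also
#   rewrote matching digits in the host/port, and mutations accumulated
#   across iterations because `url` was reused;
# - key=value fragments no longer call fuzz_identity with two arguments
#   (ArgumentError on every such fragment);
# - params are merged with a Hash rather than `merge(key, value)` (TypeError);
# - non-String parameter values no longer raise on `match`;
# - the separator class `[\/,?,&]` also split on commas, which looked
#   unintended and is dropped here.
#
# @return [nil]
def fuzz_privileges
  numeric_id = /\A\d+\z/
  uri = URI(@url)

  # Returns [replacement, label] for a fragment that carries a numeric id —
  # either "key=42" or a bare "42" — or nil when there is nothing to bump.
  # A nil label tells the caller to label the finding with the mutated URL.
  bump_id = lambda do |fragment|
    if fragment.match?(/\A\w+=\w*\z/)
      key, value = fragment.split('=', 2)
      return nil unless value.match?(numeric_id)

      bumped = value.to_i + 1
      ["#{key}=#{bumped}", "#{key} #{bumped}"]
    elsif fragment.match?(numeric_id)
      [(fragment.to_i + 1).to_s, nil]
    end
  end

  # Path segments: rebuild the path with only segment `index` replaced.
  path_parts = uri.path.split('/')
  path_parts.each_with_index do |fragment, index|
    replacement, label = bump_id.call(fragment)
    next unless replacement

    mutated = uri.dup
    mutated.path = path_parts.dup.tap { |parts| parts[index] = replacement }.join('/')
    fuzz_identity(mutated.to_s, @params, label || mutated.to_s)
  end

  # Query pairs: same approach on the `&`-separated pairs.
  query_parts = uri.query.to_s.split('&')
  query_parts.each_with_index do |fragment, index|
    replacement, label = bump_id.call(fragment)
    next unless replacement

    mutated = uri.dup
    mutated.query = query_parts.dup.tap { |parts| parts[index] = replacement }.join('&')
    fuzz_identity(mutated.to_s, @params, label || mutated.to_s)
  end

  # Body/form parameters: merge a single bumped value into a copy of @params.
  @params.each do |parameter, value|
    next unless value.to_s.match?(numeric_id)

    bumped = value.to_i + 1
    fuzz_identity(@url, @params.merge(parameter => bumped), "#{parameter} #{bumped}")
  end
  nil
end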
scan(options = {})
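# File lib/API_Fuzzer/privilege_escalation_check.rb, line 8
# Entry point: stores the scan configuration on the instance, runs the
# privilege-escalation checks and returns the findings de-duplicated by
# description.
#
# Fixes relative to the original: `rescue Exception` also swallowed
# SystemExit, Interrupt and NoMemoryError and made the method return the
# logger's return value instead of an Array; a single :method value that is
# not already an Array is now accepted.
#
# @param options [Hash]
# @option options [String] :url target URL (required)
# @option options [Hash] :params request parameters (default {})
# @option options [Hash] :headers request headers (default {})
# @option options [Array, String, Symbol] :method HTTP method(s) to try;
#   a scalar is wrapped with Array() (default [])
# @option options [Hash] :cookies request cookies (default {})
# @return [Array<API_Fuzzer::Vulnerability>] findings unique by description;
#   on a recoverable error, whatever was collected before it
def scan(options = {})
  @url = options[:url]
  @params = options[:params] || {}
  @headers = options[:headers] || {}
  @methods = Array(options[:method])
  @cookies = options[:cookies] || {}
  @vulnerabilities = []
  fuzz_privileges
  @vulnerabilities.uniq(&:description)
rescue StandardError => e
  # Log the class as well as the message so a swallowed ArgumentError or
  # TypeError from the fuzzing code is diagnosable from the log alone.
  Rails.logger.info "#{e.class}: #{e.message}"
  (@vulnerabilities || []).uniq(&:description)
end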