# Copyright (C) 2021 DigeeX
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
"""Attacks to be run on Flows.
"""
import logging
import sys
from copy import deepcopy
from typing import Callable, List, Optional
from raider.authentication import Authentication
from raider.config import Config
from raider.flow import Flow
from raider.plugins import Plugin
from raider.user import User
# pylint: disable=too-few-public-methods
[docs]class Fuzz:
"""Fuzz an input."""
# Fuzzing flags
# Fuzzing is done on a Flow that affects the authentication process.
# Setting this will make raider consider NextStage operations and move
# between stages until reaching this Flow again.
IS_AUTHENTICATION = 0x01
def __init__(
self,
flow: Flow,
fuzzing_point: str,
fuzzing_function: Callable[[Optional[str]], List[str]],
flags: int = 0,
) -> None:
"""Initialize the Fuzz object.
Given a :class:`Flow <raider.flow.Flow>`, a fuzzing point (in
case of Raider this should be a :class:`Plugin
<raider.plugins.Plugin>`), and a function, run the attack. The
function is used to generate the strings to be used for
fuzzing. The ``fuzzing_point`` attribute should contain the name
of the plugin.
Args:
flow:
A :class:`Flow <raider.flow.Flow>` object which needs to be
fuzzed.
fuzzing_point:
The name given to the :class:`Plugin
<raider.plugins.Plugin>` which should be fuzzed.
fuzzing_function:
A callable function, which will generate the strings that
will be used for fuzzing. The function should accept one
argument. This will be the value of the plugin before
fuzzing. It can be considered when building the fuzzing
list.
flags:
An integer with the flags that affect the fuzzing behaviour.
For now only IS_AUTHENTICATION is supported. Setting this
flag will make Raider check for NextStage operations after
each fuzzing request, and redo the authentication process
until reaching this Flow again.
"""
self.flow = flow
self.fuzzing_point = fuzzing_point
self.fuzzing_function = fuzzing_function
self.flags = flags
[docs] def attack_function(self, user: User, config: Config) -> None:
"""Attacks a flow defined in ``_functions``.
Fuzz blindly the Flow object. It doesn't take into account the
authentication process, so this function is useful for fuzzing
stuff as an already authenticated user.
Args:
user:
A :class:`User <raider.user.User>` object with the user
specific information.
config:
A :class:`Config <raider.config.Config>` object with global
**Raider** configuration.
"""
flow = deepcopy(self.flow)
fuzzing_plugin = self.get_fuzzing_input(flow)
# Reset plugin flags because it doesn't need userdata nor
# the HTTP response anymore when fuzzing
fuzzing_plugin.flags = 0
elements = self.fuzzing_function(fuzzing_plugin.value)
for item in elements:
fuzzing_plugin.function = lambda item=item: item
flow.execute(user, config)
flow.run_operations()
[docs] def attack_authentication(
self, authentication: Authentication, user: User, config: Config
) -> None:
"""Attacks a Flow defined in ``_authentication``.
Unlike ``attack_function``, this will take into account the
finite state machine defined in the hyfiles. This should be used
when the authentication process can be altered by the fuzzing,
for example if some token needs to be extracted again from a
previous authentication step for fuzzing to work.
It will first follow the authentication process until reaching
the desired state, then it will try fuzzing it, and if a
:class:`NextStage <raider.operations.NextStage>` operation is
encountered, it will follow the instruction and move to this
stage, then continue fuzzing.
Args:
authentication:
An :class:`Authentication
<raider.authentication.Authentication>` object with the
finite state machine definitions.
user:
A :class:`User <raider.user.User>` object with the user
specific information.
config:
A :class:`Config <raider.config.Config>` object with global
**Raider** configuration.
"""
while authentication.current_stage_name != self.flow.name:
authentication.run_current_stage(user, config)
flow = deepcopy(self.flow)
fuzzing_plugin = self.get_fuzzing_input(flow)
# Reset plugin flags because it doesn't need userdata nor
# the HTTP response anymore when fuzzing
fuzzing_plugin.flags = 0
elements = self.fuzzing_function(fuzzing_plugin.value)
for item in elements:
fuzzing_plugin.function = lambda item=item: item
flow.execute(user, config)
next_stage = flow.run_operations()
if next_stage:
while next_stage != flow.name:
if next_stage:
next_stage = authentication.run_stage(
next_stage, user, config
)
else:
logging.critical(
(
"Cannot reach the %s stage. ",
"Make sure you defined NextStage correctly.",
),
flow.name,
)
@property
def is_authentication(self) -> bool:
"""Returns True if the IS_AUTHENTICATION flag is set."""
return bool(self.flags & Fuzz.IS_AUTHENTICATION)