fluidasserts.proto.http module

This module allows to check HTTP-specific vulnerabilities.

fluidasserts.proto.http.can_brute_force(url, ok_regex, user_field, pass_field, user_list=None, pass_list=None, *args, **kwargs)

Check if URL allows brute forcing.

Parameters

  • url (str) – URL to test.

  • ok_regex (str) – Regex to search in response text.

  • user_field (str) – Name of the field for username.

  • pass_field (str) – Name of the field for password.

  • user_list (typing.Optional[typing.List[str]]) – List of users to create dataset.

  • pass_list (typing.Optional[typing.List[str]]) – List of passwords.

  • *args – Optional arguments for _request_dataset().

  • **kwargs – Optional arguments for _request_dataset().

Return type

fluidasserts.Result

Either params or data must be present in kwargs, if the request is GET or POST, respectively. They must be strings as they would appear in the request.

fluidasserts.proto.http.has_clear_viewstate(url, *args, **kwargs)

Check if URL has encrypted ViewState by checking response.

Parameters
Return type

fluidasserts.Result

fluidasserts.proto.http.has_command_injection(url, expect, *args, **kwargs)

Check command injection vulnerability by checking a expected string.

Parameters

  • url (str) – URL to test.

  • expect (str) – Text to search in potential vulnerability .

  • *args – Optional arguments for HTTPSession.

  • **kwargs – Optional arguments for HTTPSession.

Return type

fluidasserts.Result

fluidasserts.proto.http.has_csrf(url, expect, *args, **kwargs)

Check Cross-Site Request Forgery vulnerability.

Parameters

  • url (str) – URL to test.

  • expect (str) – Text to search in potential vulnerability .

  • *args – Optional arguments for HTTPSession.

  • **kwargs – Optional arguments for HTTPSession.

Return type

fluidasserts.Result

fluidasserts.proto.http.has_delete_method(url, *args, **kwargs)

Check if HTTP DELETE method is enabled.

Parameters
Return type

fluidasserts.Result

fluidasserts.proto.http.has_dirlisting(url, *args, **kwargs)

Check if the given URL has directory listing enabled.

Looks for the text “Index of” to test if directories can be listed.

Parameters
Return type

fluidasserts.Result

fluidasserts.proto.http.has_dirtraversal(url, expect, *args, **kwargs)

Check directory traversal vulnerability by checking a expected string.

Parameters

  • url (str) – URL to test.

  • expect (str) – Text to search in potential vulnerability .

  • *args – Optional arguments for HTTPSession.

  • **kwargs – Optional arguments for HTTPSession.

Return type

fluidasserts.Result

fluidasserts.proto.http.has_host_header_injection(url, *args, **kwargs)

Check if server is vulnerable to ‘Host’ header injection.

Parameters
Return type

fluidasserts.Result

fluidasserts.proto.http.has_hpp(url, expect, *args, **kwargs)

Check HTTP Parameter Pollution vulnerability.

Parameters

  • url (str) – URL to test.

  • expect (str) – Text to search in potential vulnerability .

  • *args – Optional arguments for HTTPSession.

  • **kwargs – Optional arguments for HTTPSession.

Return type

fluidasserts.Result

fluidasserts.proto.http.has_insecure_dor(url, expect, *args, **kwargs)

Check insecure direct object reference vulnerability.

Parameters

  • url (str) – URL to test.

  • expect (str) – Text to search in potential vulnerability .

  • *args – Optional arguments for HTTPSession.

  • **kwargs – Optional arguments for HTTPSession.

Return type

fluidasserts.Result

fluidasserts.proto.http.has_insecure_upload(url, expect, file_param, file_path, *args, **kwargs)

Check insecure upload vulnerability.

Parameters

  • url (str) – URL to test.

  • file_param (str) – Name of a file to try to upload.

  • file_path (str) – Path to the actual file.

  • *args – Optional arguments for HTTPSession.

  • **kwargs – Optional arguments for HTTPSession.

Return type

fluidasserts.Result

fluidasserts.proto.http.has_lfi(url, expect, *args, **kwargs)

Check local file inclusion vulnerability by checking a expected string.

Parameters

  • url (str) – URL to test.

  • expect (str) – Text to search in potential vulnerability .

  • *args – Optional arguments for HTTPSession.

  • **kwargs – Optional arguments for HTTPSession.

Return type

fluidasserts.Result

fluidasserts.proto.http.has_mixed_content(url, *args, **kwargs)

Check if resource has mixed (HTTP and HTTPS) links.

Parameters
Return type

fluidasserts.Result

fluidasserts.proto.http.has_multiple_text(url, regex_list, *args, **kwargs)

Check if one of a list of bad texts is present in URL response.

Parameters
Return type

fluidasserts.Result

fluidasserts.proto.http.has_not_subresource_integrity(url, *request_args, trusted_hosts=None, **request_kwargs)

Check if elements fetched by the provided url have SRI.

See: Documentation.

Parameters

  • url (str) – URL to test.

  • *request_args – Optional arguments for HTTPSession.

  • **request_kwargs – Optional arguments for HTTPSession.

Return type

fluidasserts.Result

fluidasserts.proto.http.has_not_text(url, expected_text, *args, **kwargs)

Check if a required text is not present in URL response.

Parameters

  • url (str) – URL to test.

  • expected_text (str) – Text to search. Can be regex.

  • *args – Optional arguments for HTTPSession.

  • **kwargs – Optional arguments for HTTPSession.

Return type

fluidasserts.Result

fluidasserts.proto.http.has_php_command_injection(url, expect, *args, **kwargs)

Check PHP command injection vulnerability by checking a expected string.

Parameters

  • url (str) – URL to test.

  • expect (str) – Text to search in potential vulnerability .

  • *args – Optional arguments for HTTPSession.

  • **kwargs – Optional arguments for HTTPSession.

Return type

fluidasserts.Result

fluidasserts.proto.http.has_put_method(url, *args, **kwargs)

Check is HTTP PUT method is enabled.

Parameters
Return type

fluidasserts.Result

fluidasserts.proto.http.has_reverse_tabnabbing(url, *args, **kwargs)

Check if resource has links vulnerable to a reverse tabnabbing.

Parameters
Return type

fluidasserts.Result

fluidasserts.proto.http.has_session_fixation(url, expect, *args, **kwargs)

Check session fixation by not passing cookies and having authenticated.

Parameters

  • url (str) – URL to test.

  • expect (str) – Text to search in potential vulnerability .

  • *args – Optional arguments for HTTPSession.

  • **kwargs – Optional arguments for HTTPSession.

Return type

fluidasserts.Result

fluidasserts.proto.http.has_sqli(url, *args, **kwargs)

Check SQLi vulnerability by checking common SQL strings in response.

Parameters
Return type

fluidasserts.Result

fluidasserts.proto.http.has_sqli_time(url_safe, url_break, time, args_safe=None, kwargs_safe=None, args_break=None, kwargs_break=None, allow_con_errors=False)

Check SQLi vulnerability by checking the delay of response.

Take an undamaged URL along with the optional parameters of the HTTPSession. and calculate the average response time. Take an exploited URL with optional parameters from HTTPSession. and calculate the response time and then compare the result with the average response time of the undamaged URL.

  • Use a sleep method in your attack.

  • Use this method with stable connection network, a slow connection can generate a False Positive.

  • Use a perceptible time delay to prevent a False Positive.

Parameters
Return type

fluidasserts.Result

fluidasserts.proto.http.has_ssrf(url, expect, *args, **kwargs)

Check server-side request forgery by checking a expected string.

Parameters

  • url (str) – URL to test.

  • expect (str) – Text to search in potential vulnerability .

  • *args – Optional arguments for HTTPSession.

  • **kwargs – Optional arguments for HTTPSession.

Return type

fluidasserts.Result

fluidasserts.proto.http.has_text(url, expected_text, *args, **kwargs)

Check if a bad text is present in URL response.

Parameters

  • url (str) – URL to test.

  • expected_text (str) – Text to search. Can be regex.

  • *args – Optional arguments for HTTPSession.

  • **kwargs – Optional arguments for HTTPSession.

Return type

fluidasserts.Result

fluidasserts.proto.http.has_trace_method(url, *args, **kwargs)

Check if HTTP TRACE method is enabled.

Parameters
Return type

fluidasserts.Result

fluidasserts.proto.http.has_user_enumeration(url, user_field, user_list=None, fake_users=None, *args, **kwargs)

Check if URL has user enumeration.

Parameters

  • url (str) – URL to test.

  • user_field (str) – Field corresponding to the username.

  • user_list (typing.Optional[typing.List]) – List of users.

  • fake_users (typing.Optional[typing.List]) – List of fake users.

  • *args – Optional arguments for _request_dataset().

  • **kwargs – Optional arguments for _request_dataset().

Return type

fluidasserts.Result

Either params or data must be present in kwargs, if the request is GET or POST, respectively. They must be strings as they would appear in the request.

fluidasserts.proto.http.has_xsleak_by_frames_discrepancy(url_a, url_b, need_samesite_strict_cookies, *request_args, **request_kwargs)

Check if a view is vulnerable to a XSLeak by counting the number of frames.

See: `CWE-204 <https://cwe.mitre.org/data/definitions/204.html`_. See: `Browser Side Channels research <https://github.com/xsleaks/xsleaks/

wiki/Browser-Side-Channels#frame-count>`_.

See: Real life exploitation.

If the same view of a website renders a different number of frames and is using cookie-based authentication and is not using cookies with the SameSite attribute set to Strict, then an attacker can exploit the cross-origin access to the window.frames.length object to ask binary questions about the contents displayed to the user in order to violate his/her privacy.

Parameters

  • url_a (str) – URL for a view.

  • url_b (str) – URL for another view.

  • need_samesite_strict_cookies (bool) – True if at least one of the cookies needed to load either url_a or url_b have set the SameSite attribute to Strict.

  • *args – Optional arguments for HTTPSession.

  • **kwargs – Optional arguments for HTTPSession.

Return type

fluidasserts.Result

fluidasserts.proto.http.has_xss(url, expect, *args, **kwargs)

Check XSS vulnerability by checking injected string.

Parameters

  • url (str) – URL to test.

  • expect (str) – Text to search in potential vulnerability .

  • *args – Optional arguments for HTTPSession.

  • **kwargs – Optional arguments for HTTPSession.

Return type

fluidasserts.Result

fluidasserts.proto.http.is_basic_auth_enabled(url, *args, **kwargs)

Check if BASIC authentication is enabled.

Parameters
Return type

fluidasserts.Result

fluidasserts.proto.http.is_content_disposition_present(url, *args, **kwargs)

Check if Contentent-Disposition header is misconfigured.

Using server-supplied information for constructing local filenames introduces many risks.

Recipients MUST NOT be able to write into any location other than one to which they are specifically entitled. To illustrate the problem, consider the consequences of being able to overwrite well-known system locations (such as “/etc/passwd”). One strategy to achieve this is to never trust folder name information in the filename parameter, for instance by stripping all but the last path segment and only considering the actual filename (where ‘path segments’ are the components of the field value delimited by the path separator characters “” and “/”).

These are summarized in https://tools.ietf.org/html/rfc6266#section-4.3.

Parameters

  • url (str) – URL to test.

  • *args – Optional arguments for HTTPSession.-m

  • **kwargs – Optional arguments for HTTPSession.

Return type

fluidasserts.Result

fluidasserts.proto.http.is_date_unsyncd(url, *args, **kwargs)

Check if server’s date is not synchronized with NTP servers.

Parameters
Return type

fluidasserts.Result

fluidasserts.proto.http.is_header_access_control_allow_origin_missing(url, *args, **kwargs)

Check if Access-Control-Allow-Origin HTTP header is properly set.

Parameters
Return type

fluidasserts.Result

fluidasserts.proto.http.is_header_cache_control_missing(url, *args, **kwargs)

Check if Cache-Control HTTP header is properly set.

Parameters
Return type

fluidasserts.Result

fluidasserts.proto.http.is_header_content_security_policy_missing(url, *args, **kwargs)

Check if Content-Security-Policy HTTP header is properly set.

Parameters
Return type

fluidasserts.Result

fluidasserts.proto.http.is_header_content_type_missing(url, *args, **kwargs)

Check if Content-Type HTTP header is present.

Parameters
Return type

fluidasserts.Result

fluidasserts.proto.http.is_header_expires_missing(url, *args, **kwargs)

Check if Expires HTTP header is properly set.

Parameters
Return type

fluidasserts.Result

fluidasserts.proto.http.is_header_hsts_missing(url, *args, **kwargs)

Check if Strict-Transport-Security HTTP header is properly set.

Parameters
Return type

fluidasserts.Result

fluidasserts.proto.http.is_header_perm_cross_dom_pol_missing(url, *args, **kwargs)

Check if X-Permitted-Cross-Domain-Policies HTTP header is properly set.

Parameters
Return type

fluidasserts.Result

fluidasserts.proto.http.is_header_pragma_missing(url, *args, **kwargs)

Check if Pragma HTTP header is properly set.

Parameters
Return type

fluidasserts.Result

fluidasserts.proto.http.is_header_server_present(url, *args, **kwargs)

Check if Server HTTP header is properly set.

Parameters
Return type

fluidasserts.Result

fluidasserts.proto.http.is_header_x_asp_net_version_present(url, *args, **kwargs)

Check if X-AspNet-Version header is missing.

Parameters
Return type

fluidasserts.Result

fluidasserts.proto.http.is_header_x_content_type_options_missing(url, *args, **kwargs)

Check if X-Content-Type-Options HTTP header is properly set.

Parameters
Return type

fluidasserts.Result

fluidasserts.proto.http.is_header_x_frame_options_missing(url, *args, **kwargs)

Check if X-Frame-Options HTTP header is properly set.

Parameters
Return type

fluidasserts.Result

fluidasserts.proto.http.is_header_x_powered_by_present(url, *args, **kwargs)

Check if X-Powered-By header is missing.

Parameters
Return type

fluidasserts.Result

fluidasserts.proto.http.is_header_x_xxs_protection_missing(url, *args, **kwargs)

Check if X-XSS-Protection HTTP header is properly set.

Parameters
Return type

fluidasserts.Result

fluidasserts.proto.http.is_not_https_required(url, *args, **kwargs)

Check if HTTPS is always forced on a given URL.

Parameters

url (str) – URL to test.

Return type

fluidasserts.Result

fluidasserts.proto.http.is_resource_accessible(url, *args, **kwargs)

Check if URL is available by checking response code.

Parameters
Return type

fluidasserts.Result

fluidasserts.proto.http.is_response_delayed(url, *args, **kwargs)

Check if the response time is acceptable.

Values taken from: https://www.nngroup.com/articles/response-times-3-important-limits/

Parameters
Return type

fluidasserts.Result

fluidasserts.proto.http.is_sessionid_exposed(url, argument='sessionid', *args, **kwargs)

Check if resulting URL has an exposed session ID.

Parameters
Argument

Name of argument to search. Defaults to sessionid.

Return type

fluidasserts.Result

fluidasserts.proto.http.is_version_visible(url, *args, **kwargs)

Check if product version is visible on HTTP response headers.

Parameters

  • url – IP address to test.

  • *args – Optional arguments for HTTPSession.

  • **kwargs – Optional arguments for HTTPSession.

Return type

fluidasserts.Result

fluidasserts.proto.http.leaks_cross_origin_credentials(url, *args, **kwargs)

Check if header Access-Control-Allow-Credentials is misconfigured.

When responding to a credentialed request, the server must specify an origin in the value of the Access-Control-Allow-Origin header, instead of specifying the “*” wildcard. Since the competent credential content is returned to the invoking web content.

Parameters
Return type

fluidasserts.Result

fluidasserts.proto.http.parse_header_content_to_dict(header_conten)

Parse the content of a header to an Dict object.