scanner

package
v1.0.7 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 6, 2025 License: MIT Imports: 15 Imported by: 0

Documentation

Overview

Description: This file contains the core logic for the cache poisoning scanner.

Description: This file contains functions used to detect response changes between the original and modified responses.

Description: This file contains the implementation of the logger for ScannerOutput.

Description: This file contains the implementation of the main scanner which is responsible for scanning the target URL for cache poisoning vulnerabilities.

Description: This file defines the types and structures used for cache poisoning scanning. It includes the ScannerArgs struct for input parameters, ScannerOutput struct for output results, ScanMode enum for different scanning modes, and ResponseChangeType enum for different response modification types.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ExportJSONToFile 

func ExportJSONToFile(jsonData []byte, outputFile string) error

ExportJSONToFile appends the JSON data to a file

func MarshalScannerOutput 

func MarshalScannerOutput(scanResult ScannerOutput, outputFile string) ([]byte, error)

MarshalScannerOutput converts the ScannerOutput struct to JSON

func MergeMaps 

func MergeMaps(map1, map2 map[string]string) map[string]string

MergeMaps merges two maps and returns a new map with the contents of both maps If the same key is present in both maps, the value from map2 is used

Types

type LogMode 

type LogMode int

LogMode defines the mode of logging 

const (
	PrettyLog LogMode = iota
	JsonLog
)

type LogTarget 

type LogTarget int
const (
	StdoutLog LogTarget = 1 << iota
	FileLog
	BothLog = StdoutLog | FileLog
)

type LoggerArgs 

type LoggerArgs struct {
	LogError     bool      // Flag to log errors to stderr
	LogMode      LogMode   // Mode of logging (pretty or JSON)
	LogTarget    LogTarget // Log target (stdout, file, both)
	OutputFile   string    // File to write the output to (optional)
	SkipTenative bool      // Skip logging tentative vulnerabilities
}

type PersistenceCheckResult 

type PersistenceCheckResult struct {
	IsPersistent  bool             `json:"IsPersistent"`  // Whether the modified response persists across requests
	PoCLink       string           `json:"PoCLink"`       // Link to the URL demonstrating response persistence
	FinalResponse *client.Response `json:"FinalResponse"` // Final response without payload headers after checking persistence
	Err           error            `json:"Err,omitempty"` // Error occurred during persistence check
}

PersistenceCheckResult represents the result of checking response manipulation persistence.

type PersistenceCheckerArgs 

type PersistenceCheckerArgs struct {
	*ScannerArgs           // Embedding ScannerArgs to reuse its fields
	DoCheck           bool // Whether to check response persistence
	NumRequestsToSend int  // Number of requests to send for poisoning
	NumThreads        int  // Number of threads to use for poisoning
}

PersistenceCheckerArgs contains parameters for checking response persistence.

func (*PersistenceCheckerArgs) CheckPersistence 

func (p *PersistenceCheckerArgs) CheckPersistence(
	modifiedResponse *client.Response,
	changeTypeToCheck ResponseChangeType) *PersistenceCheckResult

CheckPersistence determines whether the modified response persists across requests.

type PoisoningError 

type PoisoningError struct {
	Errors []error
}

PoisoningError aggregates multiple poisoning errors

func (*PoisoningError) Error 

func (pe *PoisoningError) Error() string

Error implements the error interface for PoisoningError

type ResponseChangeType 

type ResponseChangeType int

ResponseChangeType represents different types of response modifications. 

const (
	ChangedLocationHeader ResponseChangeType = iota // Location header changed
	ChangedStatusCode                               // Status code changed
	ChangedBody                                     // Response body changed
	NoChange                                        // No change detected btwn the responses
)

Response modification types

func DetectResponseChanges 

func DetectResponseChanges(
	originalResponse client.Response,
	modifiedResponse client.Response) (ResponseChangeType, error)

DetectResponseChanges analyzes the differences between the original and modified responses.

func (ResponseChangeType) MarshalJSON 

func (r ResponseChangeType) MarshalJSON() ([]byte, error)

MarshalJSON ensures that ResponseChangeType is serialized as a string.

type ScanMode 

type ScanMode int

Scan Mode 

const (
	SingleHeaderScanMode ScanMode = iota // Scan with each payload header separately
	MultiHeaderScanMode                  // Scan with all payload headers together
)

Scan modes for cache poisoning

type ScannerArgs 

type ScannerArgs struct {
	URL string // Target URL to scan

	ScanMode               ScanMode                // Mode of scanning (single or multi-header)
	RequestHeaders         map[string]string       // Headers to be sent with the request
	PayloadHeaders         map[string]string       // Headers to be used for cache poisoning
	PersistenceCheckerArgs *PersistenceCheckerArgs // Arguments for checking cache persistence
	OriginalResponse       *client.Response        // Original response without payload headers
	Client                 *http.Client            // HTTP client to be used for sending requests
	LoggerArgs
	// contains filtered or unexported fields
}

ScannerArgs defines the parameters required for scanning a target URL for cache poisoning vulnerabilities.

func (*ScannerArgs) Run 

func (s *ScannerArgs) Run() ([]ScannerOutput, error)

Run is the main function that performs the cache poisoning scan. It first fetches the original response without payload headers and tests each payload header separately or all together based on the scan mode. The original response is then passed to `RunPoisoningTest` with payload headers to detect changes which is the core function. It returns a slice of ScannerOutput structs containing the results of the scan.

func (*ScannerArgs) RunBatchScan 

func (s *ScannerArgs) RunBatchScan(URLs []string, Threads int) ([]ScannerOutput, []error)

RunBatchScan runs the cache poisoning scan on a batch of URLs concurrently and returns results + all encountered errors.

func (*ScannerArgs) RunPoisoningTest 

func (s *ScannerArgs) RunPoisoningTest() (*ScannerOutput, error)

RunPoisoningTest tests the target URL for cache poisoning by: 1. Taking the original response without payload headers & custom payload headers to inject. 2. Sending a modified request with the provided payload headers to potentially poison the cache. 3. Comparing the modified response with the original response to detect changes, indicating response manipulation vulnerability. 4. Optionally checking if the changes persist across multiple requests. If both response manipulation and persistence are detected, cache poisoning is confirmed. It returns a ScannerOutput struct containing the results of the scan.

func (*ScannerArgs) SetCacheBusterURL 

func (s *ScannerArgs) SetCacheBusterURL()

SetCacheBusterURL appends a cache-busting query parameter to the URL with a randomly generated value of the specified length.

type ScannerOutput 

type ScannerOutput struct {
	URL                    string                  `json:"URL"`                    // Target URL that was scanned
	IsVulnerable           bool                    `json:"IsVulnerable"`           // If vulnerable to cache poisoning
	IsResponseManipulable  bool                    `json:"IsResponseManipulable"`  // If response is manipulable
	ManipulationType       ResponseChangeType      `json:"ManipulationType"`       // Type of vulnerability detected
	RequestHeaders         map[string]string       `json:"RequestHeaders"`         // Headers sent with the request
	PayloadHeaders         map[string]string       `json:"PayloadHeaders"`         // Headers used for cache poisoning
	OriginalResponse       *client.Response        `json:"OriginalResponse"`       // Original response without payload headers
	ModifiedResponse       *client.Response        `json:"ModifiedResponse"`       // Modified response with payload headers
	PersistenceCheckResult *PersistenceCheckResult `json:"PersistenceCheckResult"` // Result of persistence check
}

ScannerOutput holds the results of a cache poisoning scan.

func (*ScannerOutput) Log 

func (so *ScannerOutput) Log(outputFilePath string, mode LogMode, logTarget LogTarget, skipTentative bool) error

Log prints the scan result based on the log mode and optionally writes it to a file.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.