#30 Attacker which scans for Session ID in URL

test/test_sessions_url.py

@@ -0,0 +1,57 @@
+
+import unittest
+import sys
+
+import tutil
+import webvulnscan.attacks.session_url
+
+#session id's in URL can appear in various forms
+#this test creates forms of sid, sessionid, phpsessid
+
+
+def make_client(headers):
+    headers['Content-Type'] = 'text/html; charset=utf-8'
+    return tutil.TestClient({
+        '/': b'''(200, b'<html></html>', headers)''',
+    })
+
+
+class SessionUrl(unittest.TestCase):
+    #creating site without any session
+    def test_static_site(self):
+        client = make_client({})
+        client.run_attack(webvulnscan.attacks.session_url)
+        client.log.assert_count(0)
+
+    #sid in link
+    def test_site_with_post(self):
+        client = tutil.TestClient({
+            '/': u'''<html>
+            <a href="www.sample.org/index.html?
+            sid=edb0e8665db4e9042fe0176a89aade16">link1</a>
+            </html>'''
+        })
+        client.run_attack(webvulnscan.attacks.session_url)
+        client.log.assert_count(1)
+
+    #sessionid in link
+    def test_site_with_get(self):
+        client = tutil.TestClient({
+            '/': u'''<html>
+                <a href="www.sample.org/index.html?
+                sessionid=edb0e8665db4e9042fe0176a89aade16">link2</a>
+                </html>'''
+        })
+        client.run_attack(webvulnscan.attacks.session_url)
+        client.log.assert_count(1)
+
+    #phpsessid in link
+    def test_site_with_get(self):
+        client = tutil.TestClient({
+            '/': u'''<html>
+               <a href="www.sample.org/index.html?
+               phpsessid=edb0e8665db4e9042fe0176a89aade16">link3</a>
+               </html>'''
+        })
+        client.run_attack(webvulnscan.attacks.session_url)
+        client.log.assert_count(1)

webvulnscan/attacks/__init__.py

@@ -6,7 +6,8 @@
 from .clickjack import clickjack
 from .cookiescan import cookiescan
 from .exotic_characters import exotic_characters
+from .session_url import session_url
 
 
 def all_attacks():
-    return [xss, csrf, crlf, breach, clickjack, cookiescan, exotic_characters]
+    return [xss, csrf, crlf, breach, clickjack, cookiescan, exotic_characters, session_url]

webvulnscan/attacks/session_url.py

@@ -0,0 +1,19 @@
+from ..utils import attack
+
+
+def check_id(page):
+    if "sid" in page.url:
+        return true
+    if "sessionid" in page.url:
+        return true
+    if "phpsessid" in page.url:
+        return true
+    return false
+
+
+@attack()
+def session_url(client, log, page):
+    #session id in url found
+    if check_id(page):
+        log('vuln', page.url, u"Session ID in URL")
+    return