Merge pull request #16 from Hackmanit/dev

Added curl command to output/report + various bug fixes / improvements + updated deps

Author: m10x

README.md

@@ -115,6 +115,7 @@ wcvs -u https://example.com -hw "file:/home/user/Documents/wordlist-header.txt"
 - `--setbody/-sb` specifies the body which shall be added to the request
 - `--contenttype/-ct` specifies the value of the Content-Type header
 - `--useragentchrome/-uac` changes the User-Agent from `WebCacheVulnerabilityScanner v{Version-Number}` to `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36`. While the same can be achieved with e.g. `-sh "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) ...`, this flag provides a quicker way.
+- `--cacheheader/-ch` specify a custom cache header (case-insensitive)
 
 #### If you want to specify more than 1 cookie, parameter or header you need to specify a file which contains them. Take a look at the [available templates](https://github.com/Hackmanit/Web-Cache-Vulnerability-Scanner/tree/master/templates).
 
@@ -137,6 +138,8 @@ wcvs -u https://example.com -post -sb "file:/home/user/Documents/body.txt"
 wcvs -u https://example.com -post -sb "{}" -ct "application/json"
 
 wcvs -u https://example.com -uac
+
+wcvs -u https://example.com -ch "X-Custom-Cache-Header"
 ```
 
 ## Generate a JSON Report

go.mod

@@ -3,7 +3,8 @@ module github.com/Hackmanit/Web-Cache-Vulnerability-Scanner
 go 1.16
 
 require (
-	github.com/fatih/color v1.15.0 // indirect
-	golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4
-	golang.org/x/time v0.0.0-20220411224347-583f2d630306
+	github.com/fatih/color v1.16.0
+	golang.org/x/net v0.19.0
+	golang.org/x/time v0.5.0
+	moul.io/http2curl v1.0.0 // indirect
 )

go.sum

@@ -1,20 +1,56 @@
-github.com/fatih/color v1.15.0 h1:kOqh6YHBtK8aywxGerMG2Eq3H6Qgoqeo13Bk2Mv/nBs=
-github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBDUSsw=
+github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
+github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
-github.com/mattn/go-isatty v0.0.17 h1:BTarxUcIeDqL27Mc+vyvdWYSL28zpIhv3RoTdsLMPng=
-github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
-golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4 h1:HVyaeDAYux4pnY+D/SiwmLOR36ewZ4iGQIIrtnuCjFA=
-golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
+golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/time v0.0.0-20220411224347-583f2d630306 h1:+gHMid33q6pen7kv9xvT+JRinntgeXO2AeZVd0AWD3w=
-golang.org/x/time v0.0.0-20220411224347-583f2d630306/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
+golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+moul.io/http2curl v1.0.0 h1:6XwpyZOYsgZJrU8exnG87ncVkU1FVCcTRpwzOkTDUi8=
+moul.io/http2curl v1.0.0/go.mod h1:f6cULg+e4Md/oW1cYmwW4IWQOVl2lGbmCNGOHvzX2kE=

pkg/recon.go

@@ -5,7 +5,6 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"net/http"
 	"net/url"
 	"strings"
@@ -145,8 +144,8 @@ func CheckCache(stat string) (CacheStruct, []error) {
 			msg := fmt.Sprintf("%s header was found: %s \n", key, val)
 			PrintVerbose(msg, NoColor, 1)
 		case "x-cache", "cf-cache-status", "x-drupal-cache", "x-varnish-cache", "akamai-cache-status", "server-timing", "x-iinfo", "x-nc", "x-hs-cf-cache-status", "x-proxy-cache", "x-cache-hits", "x-cache-status", customCacheHeader:
-			// CacheHeader flag might not be set. Continue in this case
-			if customCacheHeader == "" {
+			// CacheHeader flag might not be set (=> ""). Continue in this case
+			if key == "" {
 				continue
 			}
 			cache.Indicator = key
@@ -1220,7 +1219,7 @@ func GetWebsite(requrl string, setStatusCode bool, cacheBuster bool) (WebsiteStr
 
 	defer resp.Body.Close()
 
-	body, err := ioutil.ReadAll(resp.Body)
+	body, err := io.ReadAll(resp.Body)
 	if err != nil {
 		msg := fmt.Sprintf("%s: ioutil.ReadAll: %s", errorString, err.Error())
 		Print(msg+"\n", Red)

pkg/report.go

@@ -17,10 +17,11 @@ type (
 	}
 
 	reportRequest struct {
-		URL      string `json:"-"`
-		Reason   string `json:"reason"`
-		Request  string `json:"request"`
-		Response string `json:"response"`
+		URL         string `json:"-"`
+		Reason      string `json:"reason"`
+		CurlCommand string `json:"curlCommand"`
+		Request     string `json:"request"`
+		Response    string `json:"response"`
 	}
 
 	reportSettings struct {

pkg/requests.go

@@ -4,11 +4,13 @@ import (
 	"bytes"
 	"errors"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"net/http/httputil"
 	"strings"
 	"sync"
+
+	"moul.io/http2curl"
 )
 
 const (
@@ -130,7 +132,9 @@ func checkPoisoningIndicators(repResult *reportResult, request reportRequest, su
 	Print(success, Green)
 	msg := "URL: " + request.URL + "\n"
 	Print(msg, Green)
-	msg = "Reason: " + request.Reason + "\n\n"
+	msg = "Reason: " + request.Reason + "\n"
+	Print(msg, Green)
+	msg = "Curl: " + request.CurlCommand + "\n\n"
 	Print(msg, Green)
 	repResult.Vulnerable = true
 	repResult.Requests = append(repResult.Requests, request)
@@ -273,18 +277,38 @@ func firstRequest(rp requestParams) ([]byte, int, reportRequest, http.Header, er
 	}
 
 	waitLimiter(rp.identifier)
-	resp, err = newClient.Do(req)
+	var dumpReqBytes []byte
+	var bodyBackup []byte
+	if req.Body != nil {
+		// Backup the request body, because it can only be read once
+		bodyBackup, err = io.ReadAll(req.Body)
+		if err != nil {
+			msg = fmt.Sprintf("%s: io.ReadAll: %s\n", rp.identifier, err.Error())
+			Print(msg, Red)
+			return body, -1, repRequest, nil, errors.New(msg)
+		}
+		// Restore the request body for the first use
+		req.Body = io.NopCloser(bytes.NewReader(bodyBackup))
+		// Dump the request including the body
+		dumpReqBytes, _ = httputil.DumpRequest(req, true)
+	} else {
+		// Dump the request without the body
+		dumpReqBytes, _ = httputil.DumpRequest(req, false)
+	}
+	repRequest.Request = string(dumpReqBytes)
 
+	// Do request
+	resp, err = newClient.Do(req)
 	if err != nil {
 		msg = fmt.Sprintf("%s: newClient.Do: %s\n", rp.identifier, err.Error())
 		Print(msg, Red)
 		return body, -1, repRequest, nil, errors.New(msg)
 	} else {
 		defer resp.Body.Close()
 
-		body, err = ioutil.ReadAll(resp.Body)
+		body, err = io.ReadAll(resp.Body)
 		if err != nil {
-			msg = fmt.Sprintf("%s: ioutil.ReadAll: %s\n", rp.identifier, err.Error())
+			msg = fmt.Sprintf("%s: io.ReadAll: %s\n", rp.identifier, err.Error())
 			Print(msg, Red)
 			return body, -1, repRequest, nil, errors.New(msg)
 		}
@@ -299,8 +323,14 @@ func firstRequest(rp requestParams) ([]byte, int, reportRequest, http.Header, er
 		return body, -1, repRequest, nil, errors.New(msg)
 	}
 
-	requestBytes, _ := httputil.DumpRequestOut(req, true)
-	repRequest.Request = string(requestBytes)
+	// Add the request as curl command to the report
+	command, err := http2curl.GetCurlCommand(req)
+	if err != nil {
+		PrintVerbose("Error: firstRequest: "+err.Error()+"\n", Yellow, 1)
+	}
+	commandFixed := strings.Replace(command.String(), "-d ''", "-d '"+string(bodyBackup)+"'", 1)
+	repRequest.CurlCommand = commandFixed
+	PrintVerbose("Curl command: "+repRequest.CurlCommand+"\n", NoColor, 2)
 
 	responseBytes, _ := httputil.DumpResponse(resp, true)
 	repRequest.Response = string(responseBytes)

pkg/utils.go

@@ -3,7 +3,6 @@ package pkg
 import (
 	"context"
 	"fmt"
-	"io/ioutil"
 	"log"
 	"math/rand"
 	"net/http"
@@ -65,7 +64,7 @@ func ReadLocalFile(path string, name string) []string {
 		PrintFatal("Please make sure that path: is lowercase")
 	}
 
-	w, err := ioutil.ReadFile(path)
+	w, err := os.ReadFile(path)
 	if err != nil {
 		additional := ""
 		if name == "header" {

web-cache-vulnerability-scanner.go

@@ -17,7 +17,7 @@ import (
 	"golang.org/x/net/http2"
 )
 
-const version = "1.1.0"
+const version = "1.1.1"
 
 var (
 	currentDate      string