if (test['valid'] == 2) { // no browser should fail on this!
overblocked++;
add_warning("Failed to load harmless and perfectly valid response",test);
results = results + "X | " + status + " | " + test['page'] + " | " + test['desc'] + " | failed harmless but must succeed\n";
results = results + "T | " + test['page'] + " | " + result64 + "\n";
if (!have_warn['blocked_harmless']) {
have_warn['blocked_harmless'] = 1;
var div_urlblock = document.getElementById('urlblock');
div_urlblock.innerHTML += "<div>"
+ "The firewall blocked a harmless and perfectly valid response from the server, which did not contain any kind of evasion attempts.<br>"
+ "It might be that the firewall blocked the access based on URL filtering and not based on the response at all. "
+ "This means any results you get during this tests should be considered with great caution because they might not actually reflect "
+ "the abilities of the firewall to detect malware."
+ "</div>";
div_urlblock.style.display = 'block';
}
} else if (test['valid']>0) {
if (test['valid'] == 3) {
// firewall might have modified request
maybe_overblocked++;
add_warning("Failed to load harmless and valid response, maybe the firewall blocked too much",test);
results = results + "X | " + status + " | " + test['page'] + " | " + test['desc'] + " | failed harmless but should succeed\n";
} else if (test['valid'] == 99) {
maybe_overblocked++;
add_notice("Antivirus cheats by accepting substring for test virus signature",test);
results = results + "X | " + status + " | " + test['page'] + " | " + test['desc'] + " | failed harmless but must succeed\n";
results = results + "T | " + test['page'] + " | " + result64 + "\n";
if (0 && !have_warn['av_substr']) {
have_warn['av_substr'] = 1;
var div_urlblock = document.getElementById('urlblock');
div_urlblock.innerHTML += "<div>"
+ "The firewall blocked the content because a substring of the content contained the test virus signature. "
+ "This is contrary to the rules in which the EICAR test virus should be used, which allow at most some white space after the signature. "
+ "This means any results you get during this tests should be considered with caution because they might not actually reflect "
+ "the abilities of the firewall to detect malware."
+ "</div>";
div_urlblock.style.display = 'block';
}
} else {
add_notice("Failed to load harmless and valid response, might be browser bug",test);
results = results + "X | " + status + " | " + test['page'] + " | " + test['desc'] + " | failed harmless\n";
}
results = results + "T | " + test['page'] + " | " + result64 + "\n";
} else if (test['valid'] == -3) {
results = results + "B | " + status + " | " + test['page'] + " | " + test['desc'] + " | common invalid failed harmless\n";
add_warning("Blocked response which is invalid but still commonly seen in real life",test);
} else {
results = results + "B | " + status + " | " + test['page'] + " | " + test['desc'] + " | failed harmless\n";
}
}
return status;
}
if (test['isbad']) {
// check for evasion
if (status == 'match') {
if (test['expect_bad']) {
// assume no or stupid content filter
var msg = "<div>" +
"It looks like no malware filtering is done by the firewall since " + bad_name +
" could not be detected when transferred using a valid and typical HTTP response.</div><div>" +
"The tests will continue but it is assumed that there is no malware filter available. " +
"This means no firewall bypasses can be detected (there is nothing to bypass) but instead " +
"it will only check the behavior of the browser regarding atypical or malformed responses." +
"</div>";
if (bad_name == 'EICAR') {
msg += "<div>If you feel that your firewall should be able to detect the malware please check your " +
"firewall configuration and make sure that antivirus is enabled. This test uses only " + bad_name +
" which any antivirus product should be able to detect." +
"</div>";
}
files_bad = null;
div_nobad.innerHTML = div_nobad.innerHTML + msg;
div_nobad.style.display = 'block';
results = results + "I | " + status + " | " + test['page'] + " | " + test['desc'] + " | no content filter\n";
div_title.innerHTML = '<h1>Browser behavior test with XMLHTTPRequest</h1>';
} else {
// possible evasion of content filter
add_warning("Evasion possible",test);
results = results + "E | " + status + " | " + test['page'] + " | " + test['desc'] + " | evasion\n";
evasions++;
}
} else {
// response blocked
if (test['expect_bad']) {
// add answer to results, maybe we can get the type of firewall from the error message
results = results + "T | " + test['page'] + " | " + result64 + "\n";
} else {
// recheck with innocent
test['retry'] = 'harmless';
}
}
} else {
// innocent data - check for standard conformance
check_status_noevil(test,status);
}
return status;
}
function check_status_noevil(test,status) {
if (!status) {
status = test['status'];
}
if (status == 'success' || status == 'match') {
if (test['valid'] == 0) {
add_warning("success for bad response",test);
results = results + "W | " + status + " | " + test['page'] + " | " + test['desc'] + " | success for bad response\n";
} else if (test['valid'] == -1) {
add_notice("success for valid uncommon response",test);
results = results + "N | " + status + " | " + test['page'] + " | " + test['desc'] + " | success for valid uncommon response\n";
} else if (test['valid']<0) {
add_notice("success for invalid uncommon response",test);
results = results + "N | " + status + " | " + test['page'] + " | " + test['desc'] + " | success for invalid uncommon response\n";
} else {
results = results + "I | " + status + " | " + test['page'] + " | " + test['desc'] + " | ok\n";
}
} else {
if (test['valid']>0) {
add_warning("failure for valid response",test);
current_test['file'] = files_bad[i]
}
} else {
add_debug("no more bad in current_test");
continue;
}
} else {
if (page = current_test['harmless']) {
current_test['page'] = page;
current_test['_expect'] = expect64_harmless;
current_test['isbad'] = 0;
if (!current_test['file']) {
current_test['file'] = file_harmless;
}
} else {
add_debug("no harmless page");
continue;
}
}
_log({ num: current_test['num'], page: current_test['page']});
xhr('GET',current_test['page'] + '?rand=' + rand,null,function(req,status) {
current_test['retry'] = null;
status = check_xhr_result(req,current_test,status);
var retry = current_test['retry'];
if (retry) {
current_test['retry4status'] = status;
current_test['retry4page'] = current_test['page'];
checks.unshift(current_test);
}
if (fast_feedback && results.length > fast_feedback) {
submit_part();
}
done++;
runtests();
});
}
return;
}
div_process.style.display = 'none';
add_debug("*DONE*");
var submit_url;
if (files_bad) {
var div;
if (evasions == 0 && overblocked == 0) {
results = results + "NO EVASIONS\n";
div = document.getElementById('noevade');
div.innerHTML = "<h1>Congratulations!<br>No evasions detected.</h1>"
+ evasions_blocked + " evasions attempts were blocked by the firewall and "
+ browser_invalid + " attempts failed because the browser considered the response invalid or because the firewall blocks (invalid) responses even if there is no malware payload."
+ "Please note that these might be considered valid by other browsers and might lead to possible evasions, so better try with other browsers too."
+ "For this reason I would recommend to check with at least Firefox, Chrome, Safari, Internet Explorer, Edge and Opera because they all behave differently."
+ "<br><br>To get an overview which products behave that nicely "
+ "it would be helpful if you provide us with information about the firewall product you use. "
+ "Please add as much details as you know and like to offer, i.e. model, patch level, specific configurations. ";
} else if (evasions == 0) {
results = results + "NO EVASIONS BUT OVERBLOCKING\n";
div = document.getElementById('overblock');
div.innerHTML = "<h1>Suspicious!<br>No evasions detected but it looks like overblocking.</h1>"
+ evasions_blocked + " evasions attempts were blocked by the firewall but in at least "
+ overblocked + " cases the firewall blocked perfectly valid and innocent responses."
+ browser_invalid + " attempts failed because the browser considered the response invalid or because the firewall blocks (invalid) responses even if there is no malware payload."
+ "Please note that these might be considered valid by other browsers and might lead to possible evasions, so better try with other browsers too."
+ "For this reason I would recommend to check with at least Firefox, Chrome, Safari, Internet Explorer, Edge and Opera because they all behave differently."
+ "<br><br>To get an overview which products behave that nicely "
+ "it would be helpful if you provide us with information about the firewall product you use. "
+ "Please add as much details as you know and like to offer, i.e. model, patch level, specific configurations. ";
} else {
div = document.getElementById('evadable');
var msg = "<h1>Danger!<br>Possible evasions detected!</h1>"
+ "The test detected that " + evasions + " evasion attempts were not blocked by the firewall.<br>"
+ ((overblocked>0) ? "Additionally in " + overblocked + " cases the firewall blocked perfectly valid and innocent responses.<br>" : '' )
+ evasions_blocked + " evasions attempts were blocked by the firewall and "
+ browser_invalid + " attempts failed because the browser considered the response invalid or because the firewall blocks (invalid) responses even if there is no malware payload."
+ "Please note that these might be considered valid by other browsers and might lead to possible evasions, so better try with other browsers too."
+ "For this reason I would recommend to check with at least Firefox, Chrome, Safari, Internet Explorer, Edge and Opera because they all behave differently.<br>"
+ "Since the test differs slightly from a manually triggered download it might be that some of the detected evasions are "
+ "not usable in reality, so please make sure the evasion works by clicking the [TRY] link "
+ "and comparing the downloaded file wth your expectation";
if (bad_name == 'EICAR') {
msg += "In case of the EICAR test virus the file should be 68 byte and contain the string "
+ "<p><span id=eicar>X5O!P%@AP" + "[4\PZX54(P^)" + "7CC)7}$EICAR-STAND" + "ARD-ANTIVI" + "RUS-TEST-FILE!$H+H*</span></p>";
}
msg += "To get an overview which products are affected by which evasions and to inform the maker of the product about the problems "
+ "it would be helpful if you provide us with information about the firewall product you use. "
+ "Please add as much details as you know and like to offer, i.e. model, patch level, specific configurations. ";
div.innerHTML = msg;
}
div.innerHTML += '<br><br><form enctype="multipart/form-data" method=POST action="/submit_details/' + reference + '/evasions=' + evasions + "/evasions_blocked=" + evasions_blocked + '">'
+ '<textarea name=product cols=80 rows=4 placeholder="... please add product description here ..."></textarea>'
+ '<br><input type=submit name=Send></form>';
div.style.display = 'block';
submit_url = '/submit_results/' + reference + '/evasions=' + evasions + "/evasions_blocked=" + evasions_blocked;
} else {
submit_url = '/submit_results/' + reference;
}
if (submit_url) {
submit_result(submit_url,results);
results = null;
}
}
function submit_result(url,data) {
xhr('POST', url, data, function(req) {
var blocked = 1;
try {
if (req.status != 200) {
_log("bad status from submit: " + req.status);
} else if (req.getResponseHeader("X-ID") != url) {
_log("bad response x-id:'" + req.getResponseHeader("X-ID") + "' expect:'" + url +"'");
} else {
_log("submission ok");
blocked = 0
}
}
catch(e) { _log(e); }
// disable - to much false reports. Better use --fast-feedback