diff --git a/lib/attack-patterns.sh b/lib/attack-patterns.sh
index 7109084..bd26b83 100644
--- a/lib/attack-patterns.sh
+++ b/lib/attack-patterns.sh
@@ -125,6 +125,86 @@ detect_admin_probe() {
     return 1
 }
 
+# XXE (XML External Entity) Detection
+detect_xxe() {
+    local url="$1"
+    local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')
+
+    # XML entity patterns and external entity references
+    if [[ "$url_lower" =~ () ]] ||
+       [[ "$url_lower" =~ (%7b%7b|%7b%25|%24%7b) ]] ||
+       [[ "$url_lower" =~ (7\*7|config\.|self\.|request\.|env\.) ]]; then
+        return 0
+    fi
+
+    return 1
+}
+
+# Encoding Bypass Detection (Multiple layers of encoding)
+detect_encoding_bypass() {
+    local url="$1"
+
+    # Double/triple URL encoding (bypass WAF)
+    if [[ "$url" =~ %25[0-9a-fA-F]{2} ]] ||
+       [[ "$url" =~ (%252[0-9a-fA-F]|%25%32|%2525) ]]; then
+        return 0
+    fi
+
+    # Unicode/UTF-8 bypass attempts
+    if [[ "$url" =~ (%u[0-9a-fA-F]{4}|\\u[0-9a-fA-F]{4}) ]] ||
+       [[ "$url" =~ (%c0%af|%e0%80%af) ]]; then
+        return 0
+    fi
+
+    return 1
+}
+
 # Detect all attack vectors for a URL
 # Returns: attack_type1,attack_type2,... or empty if none
 detect_all_attacks() {
@@ -139,6 +219,11 @@ detect_all_attacks() {
     detect_info_disclosure "$url" && attacks+=("INFO_DISCLOSURE")
     detect_login_bruteforce_url "$url" && attacks+=("BRUTEFORCE")
     detect_admin_probe "$url" && attacks+=("ADMIN_PROBE")
+    detect_xxe "$url" && attacks+=("XXE")
+    detect_ssrf "$url" && attacks+=("SSRF")
+    detect_nosql_injection "$url" && attacks+=("NOSQL_INJECTION")
+    detect_template_injection "$url" && attacks+=("TEMPLATE_INJECTION")
+    detect_encoding_bypass "$url" && attacks+=("ENCODING_BYPASS")
 
     if [ ${#attacks[@]} -gt 0 ]; then
         IFS=','; echo "${attacks[*]}"
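Review bot: The first test in detect_xxe, `[[ "$url_lower" =~ () ]]`, is an empty group, and an empty ERE matches any string, so as shown every URL gets tagged XXE; the hunk header promises 86 added lines but only 40 appear, so the real XML-entity alternatives (and the detect_ssrf/detect_nosql_injection/detect_template_injection bodies) may have been lost in rendering rather than in the commit — check the hunk against the repository before trusting this detector. The alternatives that did survive (`%7b%7b`, `%7b%25`, `%24%7b`, `7\*7`, `config\.`, `self\.`) are template-injection markers, not XML entity syntax, and `config\.` on its own will fire on ordinary `config.js` fetches, so they belong in detect_template_injection with the XXE patterns restored here. In detect_encoding_bypass the unquoted `\\u[0-9a-fA-F]{4}` loses one backslash to quote removal inside `[[ ]]`, and glibc's ERE then appears to treat `\u` as a bare `u`, so the check matches any `u` followed by four hex digits (`/u1234`) without requiring the backslash; holding the regex in a single-quoted variable keeps it intact. The same function matches `$url` rather than a lowercased copy like its siblings, so `%C0%AF` and `%E0%80%AF` — the form most encoders emit — slip past the overlong-UTF-8 check while `%c0%af` is caught; both fixes are sketched below.
```shell
detect_encoding_bypass() {
    local url="$1"
    local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')
    # Kept in a variable: an unquoted \\ on the right of =~ collapses to \,
    # and the regex engine then reads \u as a plain 'u'.
    local js_escape='\\u[0-9a-fA-F]{4}'

    # … unchanged: double/triple URL-encoding check …

    # Unicode/UTF-8 bypass attempts (percent-encoded hex is case-insensitive, RFC 3986)
    if [[ "$url_lower" =~ %u[0-9a-f]{4} ]] || [[ "$url" =~ $js_escape ]] ||
       [[ "$url_lower" =~ (%c0%af|%e0%80%af) ]]; then
        return 0
    fi

    return 1
}
```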
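Review bot: detect_ssrf, detect_nosql_injection and detect_template_injection are invoked here but no definition of them is visible anywhere in the patch, whose first hunk advertises 86 added lines against the 40 shown; if the functions really are missing, each call dies with "command not found" on stderr and, because of the `&&`, the attack type is silently never appended rather than the scan failing loudly. Confirm the preceding hunk is intact before merging, and consider whether a missing detector should abort (`declare -F detect_ssrf >/dev/null || return 2`) instead of degrading to "no attack found". The enclosing function detect_all_attacks begins before this hunk and its return path continues after it.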
@@ -163,6 +248,11 @@ calculate_attack_score() {
     [[ "$attacks" =~ (^|,)BRUTEFORCE(,|$) ]] && score=$((score + 10))
     [[ "$attacks" =~ (^|,)ADMIN_PROBE(,|$) ]] && score=$((score + 5))
     [[ "$attacks" =~ (^|,)DDOS(,|$) ]] && score=$((score + 25))
+    [[ "$attacks" =~ (^|,)XXE(,|$) ]] && score=$((score + 18))
+    [[ "$attacks" =~ (^|,)SSRF(,|$) ]] && score=$((score + 18))
+    [[ "$attacks" =~ (^|,)NOSQL_INJECTION(,|$) ]] && score=$((score + 15))
+    [[ "$attacks" =~ (^|,)TEMPLATE_INJECTION(,|$) ]] && score=$((score + 20))
+    [[ "$attacks" =~ (^|,)ENCODING_BYPASS(,|$) ]] && score=$((score + 12))
 
     echo "$score"
 }
@@ -180,6 +270,11 @@ get_attack_icon() {
         BRUTEFORCE) echo "🔐" ;;
         ADMIN_PROBE) echo "🔍" ;;
         DDOS) echo "💥" ;;
+        XXE) echo "📄" ;;
+        SSRF) echo "🌐" ;;
+        NOSQL_INJECTION) echo "🗄️ " ;;
+        TEMPLATE_INJECTION) echo "📝" ;;
+        ENCODING_BYPASS) echo "🔀" ;;
         BOT) echo "🤖" ;;
         SCANNER) echo "🔎" ;;
         *) echo "❓" ;;
@@ -191,9 +286,9 @@ get_attack_color() {
     local attack_type="$1"
 
     case "$attack_type" in
-        SQL_INJECTION|RCE) echo '\033[1;41;97m' ;;  # White on Red (CRITICAL)
-        XSS|PATH_TRAVERSAL|BRUTEFORCE) echo '\033[1;31m' ;;  # Bold Red (HIGH)
-        INFO_DISCLOSURE|ADMIN_PROBE) echo '\033[1;33m' ;;  # Bold Yellow (MEDIUM)
+        SQL_INJECTION|RCE|TEMPLATE_INJECTION) echo '\033[1;41;97m' ;;  # White on Red (CRITICAL)
+        XSS|PATH_TRAVERSAL|BRUTEFORCE|XXE|SSRF|NOSQL_INJECTION) echo '\033[1;31m' ;;  # Bold Red (HIGH)
+        INFO_DISCLOSURE|ADMIN_PROBE|ENCODING_BYPASS) echo '\033[1;33m' ;;  # Bold Yellow (MEDIUM)
         *) echo '\033[0;36m' ;;  # Cyan (LOW)
     esac
 }
@@ -205,6 +300,11 @@ export -f detect_rce
 export -f detect_info_disclosure
 export -f detect_login_bruteforce_url
 export -f detect_admin_probe
+export -f detect_xxe
+export -f detect_ssrf
+export -f detect_nosql_injection
+export -f detect_template_injection
+export -f detect_encoding_bypass
 export -f detect_all_attacks
 export -f calculate_attack_score
 export -f get_attack_icon
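Review bot: `NOSQL_INJECTION) echo "🗄️ " ;;` emits a trailing space that none of the sibling icons carry, so anything that compares or concatenates the icon string gets a different width for this one type. If that is deliberate padding because the U+1F5C4 U+FE0F sequence renders single-width in some terminals, say so on the line, e.g. `NOSQL_INJECTION) echo "🗄️ " ;;  # trailing space pads the VS16 glyph to two columns`; otherwise drop the space. The enclosing case and get_attack_icon begin before this hunk.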
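Review bot: The new colour tiers disagree with the weights the same commit adds to calculate_attack_score: TEMPLATE_INJECTION is painted CRITICAL at 20 points while XXE and SSRF sit one tier down at 18, and DDOS, the highest-scoring class at 25, still falls through to the cyan LOW arm. If colour is meant to express impact class rather than score, a one-line comment above the `case` — `# Tier reflects vulnerability class, not the numeric weight in calculate_attack_score` — will stop the next maintainer "fixing" one table to match the other; if the two are meant to agree, DDOS belongs in the first arm. The surrounding function is complete within this hunk.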