hackmanit / web-cache-vulnerability-scanner

Web Cache Vulnerability Scanner is a Go-based CLI tool for testing for web cache poisoning. It is developed by Hackmanit GmbH (http://hackmanit.de/).

License: Other

Go 98.62% Shell 1.20% Dockerfile 0.17%
vulnerability-scanners web-cache security-tools security-scanner security security-audit pentesting penetration-testing-tools penetration-testing bugbounty

web-cache-vulnerability-scanner's Issues

runtime error: invalid memory address or nil pointer dereference

Thank you for your contribution, it is an awesome tool !!!
The program throws an exception when I try to run the following command.

Bash:

./wcvs -gp ./log -gr -gc -uac -r 2 -rl 3 -red templates/recdomains_list -st parameter -u https://6o4xu.vk.com

Error Message:

GetWebsite: Get "https://6o4xu.vk.com": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x559fa0]

goroutine 1272 [running]:
net/url.(*URL).String(0x0)
        /usr/local/go/src/net/url/url.go:813 +0x40
github.com/Hackmanit/Web-Cache-Vulnerability-Scanner/pkg.getStatusCode()
        /home/max/Documents/git/Web-Cache-Vulnerability-Scanner/pkg/recon.go:1284 +0x35
github.com/Hackmanit/Web-Cache-Vulnerability-Scanner/pkg.checkPoisoningIndicators(0xc000242050, {{0xc000016300, 0x14}, {0x0, 0x0}, {0xc0000ece00, 0xd7}, {0xc000c2e340, 0x192}}, {0xc000328a00, ...}, ...)
        /home/max/Documents/git/Web-Cache-Vulnerability-Scanner/pkg/requests.go:96 +0xb49
github.com/Hackmanit/Web-Cache-Vulnerability-Scanner/pkg.checkPoisoningIndicators(0xc000242050, {{0xc000016300, 0x14}, {0x0, 0x0}, {0xc0000ece00, 0xd7}, {0xc000c2e340, 0x192}}, {0xc000328a00, ...}, ...)
        /home/max/Documents/git/Web-Cache-Vulnerability-Scanner/pkg/requests.go:88 +0x4a9
github.com/Hackmanit/Web-Cache-Vulnerability-Scanner/pkg.issueRequest({0xc000242050, {0xc000630110, 0x1, 0x1}, {0xc000630120, 0x1, 0x1}, {0x0, 0x0, 0x0}, ...})
        /home/max/Documents/git/Web-Cache-Vulnerability-Scanner/pkg/requests.go:367 +0x658
github.com/Hackmanit/Web-Cache-Vulnerability-Scanner/pkg.ScanHeaders.func1(0x14, {0xc00037c0d0, 0x9})
        /home/max/Documents/git/Web-Cache-Vulnerability-Scanner/pkg/techniques.go:254 +0x438
created by github.com/Hackmanit/Web-Cache-Vulnerability-Scanner/pkg.ScanHeaders

[Feature] Use custom user agent

I see that --uac exists as an option, but I think it's very important that we're able to select a custom user-agent.
Great tool btw!

false positives occur, if the scanned website changes

There is insufficient verification of findings, so false positives occur if a website or resource changes during a scan.
Potential changes which trigger these false positives are, e.g., a change of the content or of the status code.
One other identified reason for false positives is that one test uses the short number "12345" as the port number in an HTTP request and checks whether this number exists in the HTTP response. Because the number is that short, there is a not so unlikely possibility that this number was already present beforehand, for example in the URL of an image.

Solutions for these two problems were already found and will be implemented in the near future.
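
One way to guard against both causes described in this issue, shown as an added example that is not the project's code or its announced fix: bracket each test with unmodified control requests and discard the result when the marker or a status change also shows up without any injection. The `Resp` type, the `Verify` function and the sample responses are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Resp is a minimal stand-in for a fetched response (hypothetical type).
type Resp struct {
	Status int
	Body   string
}

// Verdicts returned by Verify.
const (
	NoFinding    = "no finding"
	Finding      = "finding"
	Inconclusive = "inconclusive"
)

// Verify classifies one test. before and after are unmodified control
// requests sent around the test with fresh cache busters; victim is the
// unmodified follow-up that shares the cache key of the marked request.
func Verify(before, victim, after Resp, marker string) string {
	switch {
	case strings.Contains(before.Body, marker), strings.Contains(after.Body, marker):
		return Inconclusive // marker occurs without any injection
	case before.Status != after.Status:
		return Inconclusive // the site itself changed during the test
	case strings.Contains(victim.Body, marker), victim.Status != before.Status:
		return Finding
	}
	return NoFinding
}

func main() {
	// Constructed responses: the page already embeds "12345" in an image URL.
	page := Resp{200, `<img src="/img/12345.png">`}
	fmt.Println(Verify(page, page, page, "12345")) // inconclusive
	// A long marker (constructed value) reflected only in the follow-up.
	m := "wcvs9f3a1c7e20b4"
	hit := Resp{200, `<a href="/?x=` + m + `">`}
	fmt.Println(Verify(page, hit, page, m)) // finding
	// Rate limiting starts mid-scan: the control itself now returns 429.
	fmt.Println(Verify(page, Resp{429, ""}, Resp{429, ""}, m)) // inconclusive
}
```

The last case also covers the 403/429 noise that appears when a site starts throttling during a scan: the control request changes too, so the difference is not attributed to the test.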

-bash: wcvs: command not found.

Hi,
go install -v github.com/Hackmanit/Web-Cache-Vulnerability-Scanner@latest -> installs all packages but does not work.

Prevent reporting 401/429 responses

Hey there,

Is there any way to configure it so that it doesn't report these kinds of examples as valid cases:

Reason: Status Code 403 differed from 200

or

Reason: Status Code 200 differed from 429

A lot of sites start giving code 429 or 403 when you make a lot of requests, and it makes a looot of noise of "valid" alerts of the scanner. Would be absolutely awesome to prevent reporting these cases.

Cannot Specify "Host" Header while scanning

Hello,
I was trying to run tests against my CDN. The caching works in such a way that it looks for the "Host" header, which should be the origin of the files; for example, to fetch the file a.js from the cache, it will ask for the Host header with the origin name.
So if I run the following:
curl -H 'Host: origin-server.com' http://my-cache-cdn-url.com/a.js
I'll get the content from the server. However, if the same command is run without the Host header, the CDN will respond with 404 Not Found.
I've tried to run wcvs by running ./wcvs -url http://my-cache-cdn-url.com/a.js -sh "Host: origin-server.com"; however, it seems that wcvs is ignoring specifically the "host" header, since I intercepted the traffic and saw that the header is not present in the request.
I was also checking whether I might be doing it wrong, but once I changed "host" to "host1" it worked.
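
Background for the report above, as an added example that is not the project's code: Go's net/http client does not send a `Host` entry placed in `Request.Header`; the Host line comes from `Request.Host` or the URL. Whether this is the cause in wcvs is an assumption, and `setHeader` and `wireHost` are hypothetical helpers.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"net/http"
	"strings"
)

// setHeader (hypothetical) routes "Host" to req.Host, because net/http
// skips a Host entry in req.Header when writing a client request.
func setHeader(req *http.Request, name, value string) {
	if strings.EqualFold(name, "Host") {
		req.Host = value
		return
	}
	req.Header.Set(name, value)
}

// wireHost serializes the request in wire format and returns the Host
// line that would actually be sent.
func wireHost(req *http.Request) (string, error) {
	var buf bytes.Buffer
	if err := req.Write(&buf); err != nil {
		return "", err
	}
	sc := bufio.NewScanner(&buf)
	for sc.Scan() && sc.Text() != "" {
		if k, v, ok := strings.Cut(sc.Text(), ":"); ok && strings.EqualFold(k, "Host") {
			return strings.TrimSpace(v), nil
		}
	}
	return "", fmt.Errorf("no Host line written")
}

// sentHost builds the request from the issue and reports the Host sent.
func sentHost(viaHelper bool) (string, error) {
	req, err := http.NewRequest("GET", "http://my-cache-cdn-url.com/a.js", nil)
	if err != nil {
		return "", err
	}
	if viaHelper {
		setHeader(req, "Host", "origin-server.com")
	} else {
		req.Header.Set("Host", "origin-server.com") // silently dropped
	}
	return wireHost(req)
}

func main() {
	fmt.Println(sentHost(false)) // my-cache-cdn-url.com <nil>
	fmt.Println(sentHost(true))  // origin-server.com <nil>
}
```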

Installation failed

Hi,

$ go get -u "https://github.com/Hackmanit/Web-Cache-Vulnerability-Scanner"
go get: malformed module path "https:/github.com/Hackmanit/Web-Cache-Vulnerability-Scanner": invalid char ':'

This seems a little bit unusual.

go version
go version go1.17.2 linux/amd64 (Linux Mint)

Thank you in advance for your help.

Add Cache Hit Headers Manually

Would it be possible to implement a feature that would allow detection of a non-standard cache hit header? I'm testing on a website that uses X-Cache-Status: HIT as the header, but this header isn't included in the code.

Malware detection. Binary and compiled hashes do not match

Hello,

When running the binary contained in web-cache-vulnerability-scanner_1.2.0_windows_amd64.zip, it is detected as malware by Windows Defender as well as other engines on Virus Total. Also, when compiling directly from source, the hash value does not match the hash value of the binary. The source was compiled on a Windows 10 machine. The compiled executable does not raise any detections. Please provide some insight on this.

Binary hash SHA256 value: e2978db859ebcc0d8634deeb92a376a40d0d07c5ac386e678e9aed11fd906663
Compiled hash SHA256 value: fed1d256cbc2645bddbe17d8771f2c304ca270ee5c219b4312775e32aa94cd91

Malware Detection of Binary:
https://www.virustotal.com/gui/file/e2978db859ebcc0d8634deeb92a376a40d0d07c5ac386e678e9aed11fd906663

Clean (Compiled from source)
https://www.virustotal.com/gui/file/fed1d256cbc2645bddbe17d8771f2c304ca270ee5c219b4312775e32aa94cd91

Thanks,

Dave

Can't run binary in MacOS

Hello

I downloaded the latest version of binary for Mac but I can't run it.

go: no packages loaded from wcvs
zsh: exec format error: ./wcvs

MacOS Monterey
12.6
go version go1.19.2 darwin/amd64

Can anyone tell me what and how to do it? Thanks

question about alerts

This is just a small doubt I have, and then I will close the issue.

All valid cases will contain [+] in the output, right? Because I found out that it is present in most cases of vulns found. Because maybe in fatget or dos tests it would be in a different output but didn't find a test environment to check it.
