Attack Module API Reference
The Attack Module API is a COM-based API. The type library for the API is located in AttackerCOM.dll. To access the type library, the C# client should include in the project a reference to COM component 'AttackerCOMLib'.
Return Values
This documentation is from a simplified COM point of view; that is, the methods and properties are all functions that all have an HRESULT return value. When imported into C# this is transformed, such that the COM properties will become C# properties with the relevant type, and methods will either return void, or will have a return value of the [out, retval] parameter.
Input Ranges
The input ranges of the various writable properties and method input parameters are not documented in detail. Common sense should apply based on the property or parameter in question, and the implementor is presumed to have relevant knowledge of the HTTP protocol to make such judgments.
enum AttackPointType
This enumerator described the type Attack Point. The following are the values of the enumerator:
Value | Description |
---|---|
ATTACKPOINT_HOST | The attack point represents a host. |
ATTACKPOINT_DIR | The attack point represents a directory. |
ATTACKPOINT_FILE | The attack point represents a file. |
ATTACKPOINT_CRAWLRESULT | The attack point represents a unique request. |
ATTACKPOINT_PARAMETER | The attack point represents a parameter in a request. |
ATTACKPOINT_RESPONSE | The attack point represents a response for one of the requests sent by the crawler. |
enum ParameterLocation
This enumerator describes the parameter location. The following are the values of the enumerator:
Value | Description |
---|---|
PARAMETERLOCATION_DIR | The parameter is located in the directory part of URI. |
PARAMETERLOCATION_FILE | The parameter is located in the file name part of the URI. |
PARAMETERLOCATION_PATH | The parameter is located in the path part of the URI. |
PARAMETERLOCATION_QUERY | The parameter is a query parameter. |
PARAMETERLOCATION_FRAGMENT | The parameter is located in the fragment (after # character) part of the URL. |
PARAMETERLOCATION_POST | The parameter is located in the body of the request. |
PARAMETERLOCATION_HEADER | The parameter is one of the headers of the HTTP request. |
PARAMETERLOCATION_COOKIE | The parameter is a cookie. |
PARAMETERLOCATION_REFERRER | The parameter is the referrer HTTP header. |
enum ParameterType
This enumerator described the type of the parameter as it was determined by AppSpider.
Value | Description |
---|---|
PARAMETERTYPE_UNCATEGORIZED | AppSpider was not able to categorize parameter. |
PARAMETERTYPE_OPERATOR | The parameter value indicates an operation, e.g. ‘deleteuser’. |
PARAMETERTYPE_SESSION | The parameter contains session information. |
PARAMETERTYPE_DATAQUERY | The parameter is used to retrieve data. |
PARAMETERTYPE_ONETIMETOKEN | The parameter is a one-time token (usually a hidden parameter in forms to prevent submission of the same form). |
enum DataStorageScope
This enumerator describes the scope in which module data should be stored.
Value | Description |
---|---|
DATASTORAGESCOPE_ATTACKPOINT | The module data should be stored for Attack Point. |
DATASTORAGESCOPE_CRAWLRESULT | The module data should be stored for CrawlResult. |
DATASTORAGESCOPE_PATH | The module data should be stored for a specific path. |
DATASTORAGESCOPE_HOST | The module data should be stored for a host. |
DATASTORAGESCOPE_GLOBAL | The module data should be stored in global area and can be accessed from everywhere. |
interface ISignature
Interface ISignature allows operations on response signatures.
Method/Property | Description |
---|---|
IsEqual |
This method compares signatures of two responses. Parameters:
|
interface IResponse
Interface IResponse provides access to the HTTP response data received from the server.
Method/Property | Description |
---|---|
Code |
This read-only property provides access to the HTTP response code. Type: unsigned long |
Headers |
This read-only property provides access to the HTTP headers of the response. Type: string |
Body |
This read-only property provides access to the body of the response. Type: string |
CreateSignature |
This method creates a signature of the response. The signature can be used to compare this response with other responses. Parameters:
|
Is404 |
Tests whether response is a 'page not found' response. It can be a standard 404 response or a custom 200 response. AppSpider uses various algorithms to detect whether the page exists on the server, or it is a 'page not found' response. Parameters:
|
Duration |
This read-only property returns duration of the response in milliseconds. Type: unsigned long |
interface IRequest
Interface IRequest provides read-write access to the HTTP request data.
Method/Property | Description |
---|---|
ProtocolHostAndPort |
This read-write property provides access to a string that represents the protocol, host, and port of the request, e.g. http://www.webscantest.com:80. Type: string |
Method |
This read-write property provides access the method of the request: GET, POST, etc. Type: string |
RequestURI |
This read-write property provides access to the URI portion of the request string. Normally it will be relative URI to host (e.g. '/' or '/dir/file.html'), but it can include the host if desired (as with proxy). Type: string |
Headers |
This read-write property provides access the HTTP headers of the request. Type: string |
GetHeaderValue |
This method returns the value of an individual HTTP header. Parameters:
|
SetHeader |
This method sets the value of an individual HTTP header. Parameters:
|
SetBody |
This method sets the body of the request. Parameters:
|
GetBody |
This method returns the body of the request. Parameters:
|
interface IResult
Interface IResult represents a vulnerability found by the attack module. Note that some of the properties of the result object will be set by the framework using the Attack Point object, as noted below. Interface IResult has the following members:
Method/Property | Description |
---|---|
URL |
This write-only property sets the URL of the vulnerability. It only needs to be set by the attack module if it is different than URL of attack point, as the framework automatically pre-fills the value using the attack point. Type: string |
AttackValue |
This write-only property sets attack value of the attack. For parameter attacks, the framework automatically pre-fills this value, but for all other attacks it must be set by the attack module (as appropriate). Type: string |
OriginalValue |
This write-only property sets the original value being replaced by the attack value. For parameter attacks, the framework automatically pre-fills this value, but for all other attacks it must be set by the attack module (as appropriate). Type: string |
ErrorString |
This write-only property sets the error string, the string that made the module believe that this is a vulnerability. In the <scanname>.xml file, this is the VulnString field. In VulnerabilitiesSummary.xml this is the AttackMatchedString field. Type: string |
Description |
This write-only property allows the module to specify a description of the vulnerability. N.B. This description does not appear in HTML reports. It is a field in the AttackVariance structure in the <scanname>.xml file. In VulnerabilitiesSummary.xml this is the AttackDescription field. Type: string |
PlaybackData |
This method is reserved for future revisions and is not currently used. |
interface IBaseAttack
Interface IBaseAttack is the base interface for several attack interfaces. Its methods allow construction of a simple attack that can send requests to the server. It has the following members:
Method/Property | Description |
---|---|
CreateRequest |
Creates a new request for the attack. Parameters:
|
SendRequest |
Sends the attack request returned by the method CreateRequest. Parameters:
|
CreateResult |
Creates a new result object for a vulnerability. Parameters:
|
PreProcessResponse |
Returns whether or not the response passes framework checks. Several entries in the AttackConfig are verified: Discard404, ResponseCode, ForbiddenResponseCode, ResponseContentCharset, and ResponseContentType. Also, in a sequence context (see below), the response for a given step is checked against various attacking criteria to determine if the step should be eligible for a finding. Parameters:
|
FollowRedirect |
If the response to the last sent attack request indicates a redirect that can be followed, this function will return a request representing the redirect. If a request is returned, the next send function invocation will use this request. Normally, this function would not be used in sequence capable attacks (see below) because the sequence will include the redirect request. Parameters:
|
interface ISequenceCapableAttack : IBaseAttack
Interface ISequenceCapableAttack contains methods that are required to implement an attack on either a Parameter Attack Point or a CrawlResult Attack Point. It has the following members:
Method/Property | Description |
---|---|
SendNextRequest |
This method sends next request in the sequence, or the single request if there is no sequence. Normally, this method, and not SendRequest, should be used with Parameter Attack Points and CrawlResult Attack Points. Parameters:
|
OriginalResponse |
This read-only property provides access to the response that the crawler received during crawling the site. Type: string |
interface IParameterAttack : ISequenceCapableAttack
Interface IParameterAttack contains methods that are required to implement an attack on a Parameter Attack Point. It has the following members:
Method/Property | Description |
---|---|
ParameterValue |
This read-write property provides access to the value of the attacked parameter that will be used during attack. Note this value could be different than the original value. Type: string |
interface ICrawlResultAttack : ISequenceCapableAttack
Interface ICrawlResultAttack allows performing attacks on a CrawlResult Attack Point. It has the following members:
Method/Property | Description |
---|---|
AttackedRequest |
This read-only property provides access to the request that the crawler made during crawling the site. While the property is read-only, the request retrieved can be modified to create the attack request. Type: IRequest |
CreateNewRequest |
This is a synonym for IBaseAttack.CreateRequest, which is an artifact from older interface schema. This method is deprecated. |
SetParameterValue |
This method provides access to request parameters for attacking. Parameters:
|
interface IAttackPoint
Interface IAttackPoint is the base interface for the attack points. It has the following members:
Method/Property | Description |
---|---|
Type |
This read-only property returns type of the attack point. Type: enum AttackPointType |
interface IHostAttackPoint : IAttackPoint
Method/Property | Description |
---|---|
Host |
This read-property property contains the protocol, host and port of the site in the format protocol://host:port, e.g. http://www.webscantest.com:443. Type: string |
GetAttack |
This method returns an attack object that can be used to perform an attack against a Host Attack Point. Parameters:
|
interface IDirectoryAttackPoint : IAttackPoint
Method/Property | Description |
---|---|
Directory |
This read-property property contains the path to the directory. Type: string |
GetAttack |
This method returns an attack object that can be used to perform an attack against a Directory Attack Point. Parameters:
|
interface IFileAttackPoint : IAttackPoint
Method/Property | Description |
---|---|
File |
This read-property property contains the path to the file. Type: string |
GetAttack |
This method returns an attack object that can be used to perform an attack against a File Attack Point. Parameters:
|
interface IAttackerParameter
Method/Property | Description |
---|---|
Name |
This read-only property provides access the name of the parameter. Type: string |
Type |
This read-only property provides access the type of the parameter. Type: ParameterType |
Location |
This read-only property provides access the location of the parameter within the request. Type: ParameterLocation |
OriginalValue |
This read-only property provides access the original value of the parameter, the value that was discovered by the Crawler. Type: string |
OriginalValues |
All of the original values seen for the parameter. Type: array of strings |
IsInjectedParameter |
Returns whether or not the parameter is an injected parameter. The framework adds an additional GET parameter with an empty name to all requests. It only appears during the attacking phase, and only when it has a value set by the attack module. Type: boolean |
interface ICrawlResultAttackPoint : IAttackPoint
Method/Property | Description |
---|---|
GetCrawlResultAttack |
Returns a CrawlResultAttack object. Parameters:
|
GetAttack |
Returns a base attack object. The returned attack object can be used to perfom attacks in a non-sequence context. Parameters:
|
OriginalRequest |
This read-only property returns the original request for this attack point. Type: IRequest |
OriginalResponse |
This read-only property returns the original response for this attack point. Type: IResponse |
ParameterCount |
This read-only property returns the number of parameters of this request. Type: unsigned long |
GetParameter |
This method returns a parameter by its index. Parameters:
|
interface IParameterAttackPoint : IAttackPoint
Method/Property | Description |
---|---|
GetParameterAttack |
Returns a parameter attack object. Parameters:
|
OriginalRequest |
This read-only property provides access to the original request for this attack point. Type: IRequest |
OriginalResponse |
This read-only property returns the original response for this attack point. Type: IResponse |
AttackParameter |
This read-only property provides access to the attack parameter. Type: IAttackerParameter |
ParameterCount |
This read-only property returns number of parameters of this request. Type: unsigned long |
GetParameter |
This method returns a parameter by its index. Parameters:
|
interface IResponseAttackPoint : IAttackPoint
Method/Property | Description |
---|---|
Request |
This read-only property provides access to the request for this attack point. Type: IRequest |
Response |
This read-only property provides access to the response for this attack point. Type: IResponse |
CreateResult |
This method creates a result object for this attack point. Parameters:
|
ParameterCount |
This read-only property returns number of parameters of this request. Type: unsigned long |
GetParameter |
This method returned a parameter by its index. Parameters:
|
PreProcessResponse |
Returns whether or not the response passes framework checks. Several entries in the AttackConfig are verified: Discard404, ResponseCode, ForbiddenResponseCode, ResponseContentCharset, and ResponseContentType. Parameters:
|
interface ICustomParameters
Method/Property | Description |
---|---|
GetParameter |
This method returns the name of the custom parameter, defined in either the attack config or module config (see use below). If the parameter is not defined, an empty string is returned. Parameters:
|
interface IAttackConfiguration
Method/Property | Description |
---|---|
Id |
This read-only property contains an attack id string. Type: string |
CustomParameters |
This read-only property returns a reference to the custom parameters for the attack config. Parameters:
|
interface IDataStorage
Interface IDataStorage allows retaining data between function calls to ICSModule functions. Each attack module has its own data storage; modules cannot access the data storage of another module.
Method/Property | Description |
---|---|
DataExists |
This method allows testing whether or not data with the given name & scope exists. Parameters:
|
AddData |
This method allows adding data if the name within the specified scope is not already taken. If the name/scope key already exists, the operation fails. Parameters:
|
ReadData |
This method provides access to the data with the specified name/scope key. Parameters:
|
DeleteData |
This method deletes data for the specified name/scope key. Parameters:
|
interface IModuleRunner
Method/Property | Description |
---|---|
SetModuleInstanceID |
Binds this object to the data associated with this instance of attack module. Parameters:
|
GetAttackPoint |
Returns current attack point. Note that the returned pointer should be cast by the client to the appropriate attack point interface. Parameters:
|
GetAttackConfig |
Returns current attack config object. Parameters:
|
GetParameters |
Returns custom confuguration parameters from the Module Configuration structure. Parameters:
|
GetDataStorage |
Returns object for storing persistent data across several module invokations. Parameters:
|
GetAttackSignatureCollection |
Returns the attack signature collection. |
SaveResult |
Saves the fully initialized result object, created by IResponseAttackPoint::CreateResult or IBaseAttack::CreateResult. Parameters:
|
interface IAttackSignature
Interface IAttackSignature configures a new signature for the module’s Attack Signature Collection. Each signature can have a URL, a parameter (name/value pair), and/or an arbitrary string. A signature can have one or none of each.
Method/Property | Description |
---|---|
AddUrl |
This method adds a URL to the signature. Parameters:
|
AddParameter |
This method adds a parameter (name/value pair) to the signature. Parameters:
|
AddString |
This method adds a string to the signature. Parameters:
|
interface IAttackSignatureCollection
Interface IAttackSignatureCollection provides access to a per-module set of attack signatures. The values are retained between function calls to ICSModule functions. The primary use of these signatures is to limit repetitive attacks and/or findings.
Method/Property | Description |
---|---|
CreateSignature |
This method creates a blank IAttackSignature object. It can then be configured, and added using the Add method or checked using the Exists method. Parameters:
|
Add |
This method adds a signature to the collection. Parameters:
|
Exists |
This method tests if a given signature exists in the collection. Parameters:
|
ClearModuleSignatures |
This method clears the signature collection for the module. |
What's Next?