1 /*
2 
3    ratproxy - hardcoded configuration
4    ----------------------------------
5 
6    Author: Michal Zalewski <lcamtuf@google.com>
7 
8    Copyright 2007, 2008 by Google Inc. All Rights Reserved.
9 
10    Licensed under the Apache License, Version 2.0 (the "License");
11    you may not use this file except in compliance with the License.
12    You may obtain a copy of the License at
13 
14      http://www.apache.org/licenses/LICENSE-2.0
15 
16    Unless required by applicable law or agreed to in writing, software
17    distributed under the License is distributed on an "AS IS" BASIS,
18    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19    See the License for the specific language governing permissions and
20    limitations under the License.
21 
22 */
23 
24 #ifndef _HAVE_CONFIG_H
25 #define _HAVE_CONFIG_H
26 
27 #include "types.h"
28 
29 #define VERSION		"1.58-beta"
30 
31 /* Maximum request / response header line length (HTTP traffic
32    that exceeds this limit will be rejected). */
33 
34 #define MAXLINE 	8192
35 
36 /* Maximum request payload size (to avoid DoS / malloc overflows). */
37 
38 #define MAXPAYLOAD      (30 * 1024 * 1024)
39 
40 /* Maximum saved trace file payload size (to conserve disk space). */
41 
42 #define MAXTRACEITEM    (1 * 1024 * 1024)
43 
44 /* Default proxy listen port. */
45 
46 #define DEFAULT_PORT    8080
47 
48 /* Uncomment to forcibly disable client-side page caching. Will slow
49    things down - but may be useful if there is no way to purge browser
50    cache manually prior to testing, or if you are forgetful. */
51 
52 // #define FORCE_NOCACHE 1
53 
54 /* Maximum token length for log entries produced (making this higher
55    will include more query / response data in reports). */
56 
57 #define MAXTOKEN	1024
58 
59 /* MIME sniffing buffer size. */
60 
61 #define SNIFFBUF	1024
62 
63 /* Character set sniffing buffer size (when looking for META directives). */
64 
65 #define CHARSNIFF       1024
66 
67 /* Minimum parameter value length to be tested as an XSS candidate. */
68 
69 #define MIN_XSS_LEN     4
70 
71 /* The same, but for HTTP header injection checks. */
72 
73 #define MIN_XSS_HEAD    6
74 
75 /* Maximum parameter length to be considered a file path, as opposed to
76    being just a random base64 blob with slashes in it. */
77 
78 #define MAX_FPATH       64
79 
/* Uncomment to also test anti-XSRF tokens for XSS in -X mode. When defined,
   the proxy may miss some self-XSS vectors (because clobbered security
   tokens may inhibit page rendering), but coverage will improve in poorly
   written apps with no real XSRF protection to begin with. */
84 
85 // #define XSS_XSRF_TOKENS 1
86 
/* Uncomment to look for the query path, and not only parameters, being echoed
   back in the response body when deriving risk flags. This may trigger false
   positives with some applications, and hence is disabled by default. */
90 
91 // #define CHECK_ECHO_PATH 1
92 
/* NULL-terminated list of query field names that imply authentication.
   These override the standard request-repost-based checks. Matching is by
   substring - prefix an entry with '=' to require a full field-name match.
   You might want to customize this list to include any other common values
   you encounter. */
97 
static _u8* __attribute__((used)) auth_fields[] = {
  (_u8*)"login",      /* substring match on the field name */
  (_u8*)"user",       /* ...                               */
  (_u8*)"sess",       /* ...                               */
  (_u8*)"account",    /* ...                               */
  (_u8*)"pass",       /* ...                               */
  0                   /* end of list                       */
};
106 
107 /* NULL-terminated list of known fields that implement XSRF protection
108    features, even if they fail our tests. You might want to customize
109    this list to troubleshoot any false positives you encounter. */
110 
static _u8* __attribute__((used)) xsrf_fields[] = {
  (_u8*)"token",      /* substring match on the field name          */
  (_u8*)"once",       /* ... (nonce, once)                          */
  (_u8*)"secret",     /* ...                                        */
  (_u8*)"secid",      /* ...                                        */
  (_u8*)"auth",       /* ...                                        */
  (_u8*)"=tok",       /* '=' prefix: full field-name match only     */
  (_u8*)"=sig",       /* ...                                        */

  /* The entries below are chiefly Google-specific field names. */

  (_u8*)"=gb",
  (_u8*)"=usg",
  (_u8*)"=at",
  (_u8*)"=bb",
  (_u8*)"=cid",
  (_u8*)"=ids",
  (_u8*)"=et",
  0                   /* end of list                                */
};
131 
132 /* NULL-terminated list of known fields that look like XSRF tokens,
133    but have a different meaning and should be ignored. This is
134    chiefly Google-specific - customize as needed, based on -X
135    mode findings or manual testing. */
136 
static _u8* __attribute__((used)) no_xsrf_fields[] = {
  (_u8*)"=ver",       /* full field-name match: version, not a token */
  (_u8*)"=id",        /* full field-name match: identifier           */
  (_u8*)"=zx",        /* full field-name match: Google cache-buster  */
  (_u8*)"=_",         /* full field-name match: cache-buster         */
  0                   /* end of list                                 */
};
144 
145 /* NULL-terminated list of common values that if visible in request
146    parameters and inline on a page, do not really imply an XSS
147    vector. */
148 
static _u8* __attribute__((used)) no_xss_text[] = {
  (_u8*)"utf",        /* charset names show up inline legitimately  */
  (_u8*)"html",       /* markup keywords show up inline legitimately */
  0                   /* end of list                                 */
};
154 
155 /* NULL-terminated list of JSON-like response prefixes we consider to
156    be sufficiently safe against cross-site script inclusion. You
157    might want to extend the list as needed. */
158 
static _u8* __attribute__((used)) json_safe[] = {
  (_u8*)"while(1);",      /* infinite-loop parser guard - common      */
  (_u8*)"while (1);",     /* ... (spaced variant)                     */
  (_u8*)"while(true);",   /* ...                                      */
  (_u8*)"while (true);",  /* ... (spaced variant)                     */
  (_u8*)"&&&",            /* deliberate syntax error - OpenSocial     */
  (_u8*)"//OK[",          /* comments out the payload line - GWT      */
  (_u8*)"{\"",            /* bare serialized object - common          */
  (_u8*)"{{\"",           /* bare serialized object - common          */
  (_u8*)"throw 1;",       /* exception before payload - common        */
  (_u8*)")]}",            /* unbalanced-close guard - robust          */
  0                       /* end of list                              */
};
172 
173 /* NULL-terminated list of known valid charsets. Charsets not on
174    the list are considered invalid, as they may trigger strange
175    encoded XSS attack vectors, etc. You might want to extend
176    this list as needed when testing foreign-language applications.
177 
178    WARNING: Please note that "harmless" misspellings such as
179    'utf8' or 'utf_8' are *not* harmless, and may trigger utf-7
180    XSSes. Do not add these to the list unless thoroughly
181    validated. */
182 
static _u8* __attribute__((used)) valid_charsets[] = {
  (_u8*)"utf-8",          /* Unicode; IANA-registered name                    */
  (_u8*)"iso8859-1",      /* Western; not an IANA alias, but widely accepted  */
  (_u8*)"iso-8859-1",     /* Western; IANA-registered name                    */
  (_u8*)"iso8859-2",      /* Central European; not an IANA alias, but accepted */
  (_u8*)"iso-8859-2",     /* Central European; IANA-registered name           */
  (_u8*)"iso8859-15",     /* Latin-9 (8859-1 plus euro); unregistered spelling */
  (_u8*)"iso-8859-15",    /* Latin-9 (8859-1 plus euro); IANA-registered name  */
  (_u8*)"windows-1252",   /* Microsoft Western                                */
  (_u8*)"windows-1250",   /* Microsoft Central European                       */
  (_u8*)"us-ascii",       /* 7-bit ASCII; old school but generally safe       */
  0                       /* end of list                                      */
};
196 
197 
198 /* NULL-terminated list of active content MIME types, as produced
199    by our sniffer. Any content that may execute in the browser
200    in the security context of its serving domain belongs here. */
201 
static _u8* __attribute__((used)) active_mime[] = {
  (_u8*)"text/html",                    /* HTML documents          */
  (_u8*)"application/xhtml+xml",        /* XHTML documents         */
  (_u8*)"application/java-vm",          /* Java class files        */
  (_u8*)"application/java-archive",     /* Java JAR archives       */
  (_u8*)"application/x-shockwave-flash",/* Flash (SWF)             */
  (_u8*)"video/flv",                    /* Flash video             */
  (_u8*)"video/x-flv",                  /* Flash video (x- variant) */
  0                                     /* end of list             */
};
212 
213 /* XSRF detector parameters; these might need to be tweaked if
214    seeing false positives, but are otherwise OK for most intents
215    and purposes. */
216 
/* Length windows and character-count thresholds for the XSRF token
   heuristic. The B16 values apply to hex-looking tokens, the B64 values
   to base32/base64-looking ones; a candidate has to fall inside the
   length window and meet the digit / uppercase counts. */
#define XSRF_B16_MIN 	10	/* Minimum base16 token length */
#define XSRF_B16_MAX 	45	/* Maximum base16 token length */
#define XSRF_B16_NUM    2       /* Require at least this many digit chars */

#define XSRF_B64_MIN	9	/* Minimum base32/64 token length */
#define XSRF_B64_MAX	32	/* Maximum base32/64 token length */
#define XSRF_B64_NUM	1	/* Require at least this many digit chars */
#define XSRF_B64_CASE 	2	/* Require at least this many uppercase chars */
#define XSRF_B64_NUM2 	3	/* Digit char count at or above which the uppercase check is waived */
226 
227 #endif /* ! _HAVE_CONFIG_H */
228