1 /* 2 3 ratproxy - hardcoded configuration 4 ---------------------------------- 5 6 Author: Michal Zalewski <lcamtuf@google.com> 7 8 Copyright 2007, 2008 by Google Inc. All Rights Reserved. 9 10 Licensed under the Apache License, Version 2.0 (the "License"); 11 you may not use this file except in compliance with the License. 12 You may obtain a copy of the License at 13 14 http://www.apache.org/licenses/LICENSE-2.0 15 16 Unless required by applicable law or agreed to in writing, software 17 distributed under the License is distributed on an "AS IS" BASIS, 18 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 19 See the License for the specific language governing permissions and 20 limitations under the License. 21 22 */ 23 24 #ifndef _HAVE_CONFIG_H 25 #define _HAVE_CONFIG_H 26 27 #include "types.h" 28 29 #define VERSION "1.58-beta" 30 31 /* Maximum request / response header line length (HTTP traffic 32 that exceeds this limit will be rejected). */ 33 34 #define MAXLINE 8192 35 36 /* Maximum request payload size (to avoid DoS / malloc overflows). */ 37 38 #define MAXPAYLOAD (30 * 1024 * 1024) 39 40 /* Maximum saved trace file payload size (to conserve disk space). */ 41 42 #define MAXTRACEITEM (1 * 1024 * 1024) 43 44 /* Default proxy listen port. */ 45 46 #define DEFAULT_PORT 8080 47 48 /* Uncomment to forcibly disable client-side page caching. Will slow 49 things down - but may be useful if there is no way to purge browser 50 cache manually prior to testing, or if you are forgetful. */ 51 52 // #define FORCE_NOCACHE 1 53 54 /* Maximum token length for log entries produced (making this higher 55 will include more query / response data in reports). */ 56 57 #define MAXTOKEN 1024 58 59 /* MIME sniffing buffer size. */ 60 61 #define SNIFFBUF 1024 62 63 /* Character set sniffing buffer size (when looking for META directives). */ 64 65 #define CHARSNIFF 1024 66 67 /* Minimum parameter value length to be tested as an XSS candidate. */ 68 69 #define MIN_XSS_LEN 4 70 71 /* The same, but for HTTP header injection checks. */ 72 73 #define MIN_XSS_HEAD 6 74 75 /* Maximum parameter length to be considered a file path, as opposed to 76 being just a random base64 blob with slashes in it. */ 77 78 #define MAX_FPATH 64 79 80 /* Uncomment to XSS anti-XSRF tokens in -X mode. When defined, may prompt 81 the proxy to miss some self-XSS vectors (because clobbered security 82 tokens may inhibit page rendering), but will improve coverage in poorly 83 written apps with no real XSRF protection to begin with. */ 84 85 // #define XSS_XSRF_TOKENS 1 86 87 /* Uncomment to look for query path, not only parameters, being echoed back 88 in response body, to derive risk flags. This may trigger false positives 89 with some applciations, and hence is disabled by default. */ 90 91 // #define CHECK_ECHO_PATH 1 92 93 /* NULL-terminated list of query field names that imply authentication. 94 These override standard request repost based checks. This is a substring 95 match - prefix with '=' to do full field matching. You might want to 96 customize this list to include any other common values you encounter. */ 97 98 static _u8* __attribute__((used)) auth_fields[] = { 99 "login", 100 "user", 101 "sess", 102 "account", 103 "pass", 104 0 105 }; 106 107 /* NULL-terminated list of known fields that implement XSRF protection 108 features, even if they fail our tests. You might want to customize 109 this list to troubleshoot any false positives you encounter. */ 110 111 static _u8* __attribute__((used)) xsrf_fields[] = { 112 "token", 113 "once", 114 "secret", 115 "secid", 116 "auth", 117 "=tok", 118 "=sig", 119 120 /* The values below are chiefly Google-specific. */ 121 122 "=gb", 123 "=usg", 124 "=at", 125 "=bb", 126 "=cid", 127 "=ids", 128 "=et", 129 0 130 }; 131 132 /* NULL-terminated list of known fields that look like XSRF tokens, 133 but have a different meaning and should be ignored. This is 134 chiefly Google-specific - customize as needed, based on -X 135 mode findings or manual testing. */ 136 137 static _u8* __attribute__((used)) no_xsrf_fields[] = { 138 "=ver", 139 "=id", 140 "=zx", 141 "=_", 142 0 143 }; 144 145 /* NULL-terminated list of common values that if visible in request 146 parameters and inline on a page, do not really imply an XSS 147 vector. */ 148 149 static _u8* __attribute__((used)) no_xss_text[] = { 150 "utf", 151 "html", 152 0 153 }; 154 155 /* NULL-terminated list of JSON-like response prefixes we consider to 156 be sufficiently safe against cross-site script inclusion. You 157 might want to extend the list as needed. */ 158 159 static _u8* __attribute__((used)) json_safe[] = { 160 "while(1);", /* Parser looping - common */ 161 "while (1);", /* ... */ 162 "while(true);", /* ... */ 163 "while (true);", /* ... */ 164 "&&&", /* Parser breaking - OpenSocial */ 165 "//OK[", /* Line commenting - GWT */ 166 "{\"", /* Serialized object - common */ 167 "{{\"", /* Serialized object - common */ 168 "throw 1;", /* Parser bailout - common */ 169 ")]}", /* A robust alternative */ 170 0 171 }; 172 173 /* NULL-terminated list of known valid charsets. Charsets not on 174 the list are considered invalid, as they may trigger strange 175 encoded XSS attack vectors, etc. You might want to extend 176 this list as needed when testing foreign-language applications. 177 178 WARNING: Please note that "harmless" misspellings such as 179 'utf8' or 'utf_8' are *not* harmless, and may trigger utf-7 180 XSSes. Do not add these to the list unless thoroughly 181 validated. */ 182 183 static _u8* __attribute__((used)) valid_charsets[] = { 184 "utf-8", /* Valid Unicode */ 185 "iso8859-1", /* Valid Western */ 186 "iso-8859-1", /* Invalid but recognized */ 187 "iso8859-2", /* Valid European */ 188 "iso-8859-2", /* Invalid but recognized */ 189 "iso8859-15", /* ISO-8859-1, new and improved */ 190 "iso-8859-15", /* ISO-8859-1, new and improved */ 191 "windows-1252", /* Microsoft's Western */ 192 "windows-1250", /* Microsoft's European */ 193 "us-ascii", /* Old school but generally safe */ 194 0 195 }; 196 197 198 /* NULL-terminated list of active content MIME types, as produced 199 by our sniffer. Any content that may execute in the browser 200 in the security context of its serving domain belongs here. */ 201 202 static _u8* __attribute__((used)) active_mime[] = { 203 "text/html", /* HTML */ 204 "application/xhtml+xml", /* XHTML */ 205 "application/java-vm", /* Java class */ 206 "application/java-archive", /* Java JAR */ 207 "application/x-shockwave-flash", /* Flash */ 208 "video/flv", /* Flash */ 209 "video/x-flv", /* Flash */ 210 0 211 }; 212 213 /* XSRF detector parameters; these might need to be tweaked if 214 seeing false positives, but are otherwise OK for most intents 215 and purposes. */ 216 217 #define XSRF_B16_MIN 10 /* Minimum base16 token length */ 218 #define XSRF_B16_MAX 45 /* Maximum base16 token length */ 219 #define XSRF_B16_NUM 2 /* Require at least this many digit chars */ 220 221 #define XSRF_B64_MIN 9 /* Minimum base32/64 token length */ 222 #define XSRF_B64_MAX 32 /* Maximum base32/64 token length */ 223 #define XSRF_B64_NUM 1 /* Require at least this many digit chars */ 224 #define XSRF_B64_CASE 2 /* Require at least this many uppercase chars */ 225 #define XSRF_B64_NUM2 3 /* Digit char count threshold to waive uppercase check */ 226 227 #endif /* ! _HAVE_CONFIG_H */ 228