0xInfection / XSRFProbe

The Prime Cross Site Request Forgery (CSRF) Audit and Exploitation Toolkit.
GNU General Public License v3.0

[Bug] => Execution Breaking due to Unhandled Exception. #20

Closed 0xInfection closed 5 years ago

0xInfection commented 5 years ago

Describe the bug

Connection Aborted/ Connection Refused.

Command You Used

It can be reproduced by any command when the site is unresponsive.

Full Stack Trace Error

 [!] Testing site example.com status...
 [+] Site seems to be up!
 [!] Testing  endpoint status...
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/dist-packages/urllib3/connection.py", line 171, in _new_conn
    (self._dns_host, self.port), self.timeout, **extra_kw)
  File "/usr/local/lib/python3.6/dist-packages/urllib3/util/connection.py", line 79, in create_connection
    raise err
  File "/usr/local/lib/python3.6/dist-packages/urllib3/util/connection.py", line 69, in create_connection
    sock.connect(sa)
ConnectionRefusedError: [Errno 111] Connection refused

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/dist-packages/urllib3/connectionpool.py", line 600, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python3.6/dist-packages/urllib3/connectionpool.py", line 354, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python3.6/http/client.py", line 1239, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib/python3.6/http/client.py", line 1285, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib/python3.6/http/client.py", line 1234, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib/python3.6/http/client.py", line 1026, in _send_output
    self.send(msg)
  File "/usr/lib/python3.6/http/client.py", line 964, in send
    self.connect()
  File "/usr/local/lib/python3.6/dist-packages/urllib3/connection.py", line 196, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python3.6/dist-packages/urllib3/connection.py", line 180, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
urllib3.exceptions.NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f6ed533f6d8>: Failed to establish a new connection: [Errno 111] Connection refused

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/dist-packages/requests/adapters.py", line 449, in send
    timeout=timeout
  File "/usr/local/lib/python3.6/dist-packages/urllib3/connectionpool.py", line 638, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python3.6/dist-packages/urllib3/util/retry.py", line 398, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPConnectionPool(host='', port=80): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f6ed533f6d8>: Failed to establish a new connection: [Errno 111] Connection refused',))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/root/PenTest/Audit/XSRFProbe/core/inputin.py", line 40, in inputin
    requests.get(web)
  File "/usr/local/lib/python3.6/dist-packages/requests/api.py", line 75, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python3.6/dist-packages/requests/api.py", line 60, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python3.6/dist-packages/requests/sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python3.6/dist-packages/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python3.6/dist-packages/requests/adapters.py", line 516, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPConnectionPool(host='example.com', port=80): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f6ed533f6d8>: Failed to establish a new connection: [Errno 111] Connection refused',))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "xsrfprobe.py", line 13, in <module>
    main.Engine()  # start the Scanner Engine ;)
  File "/root/PenTest/Audit/XSRFProbe/core/main.py", line 70, in Engine
    web, fld = inputin()  # Take the input
  File "/root/PenTest/Audit/XSRFProbe/core/inputin.py", line 52, in inputin
    verbout(R, 'Connection Aborted : '+main_url)
NameError: name 'main_url' is not defined

Potential cause or fix

PR #21 fixes it.

Environment:

Some Questions

Other stuff

The site is unresponsive; however, the bug should be handled properly, which it isn't. So this is a bug, as pointed out by @sumgr0 in #17.
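The last frame of the trace above shows an exception handler that raises `NameError` itself, which hides the real connection failure. The sketch below is an added example, not XSRFProbe's code and not the change made in PR #21: it reproduces that failure mode next to a handler that only uses names bound before the `try`. The function names and the `refuse` stand-in are assumptions made for illustration.

```python
import socket

def site_status_buggy(host, port=80, connect=socket.create_connection):
    # Mirrors the failure mode in the trace: the handler builds its message
    # from a name that was never assigned, so the handler raises NameError.
    try:
        connect((host, port), timeout=5).close()
        return "Site seems to be up!"
    except OSError:
        return "Connection Aborted : " + main_url  # noqa: F821, undefined on purpose

def site_status(host, port=80, connect=socket.create_connection):
    # The handlers use only names bound before the try block and report the cause.
    target = "%s:%d" % (host, port)
    try:
        connect((host, port), timeout=5).close()
    except socket.timeout:
        return False, "Connection Timed Out : " + target
    except ConnectionRefusedError as exc:
        return False, "Connection Refused : %s (%s)" % (target, exc.strerror)
    except OSError as exc:  # DNS failure, unreachable network, reset, ...
        return False, "Connection Aborted : %s (%s)" % (target, exc)
    return True, "Site seems to be up!"

def refuse(address, timeout=None):
    # Constructed stand-in for an unresponsive target; sends no network traffic.
    raise ConnectionRefusedError(111, "Connection refused")

if __name__ == "__main__":
    print(site_status("example.com", connect=refuse))
    try:
        site_status_buggy("example.com", connect=refuse)
    except NameError as err:
        # The original error survives only as the chained __context__.
        print("handler crashed:", err, "| hidden cause:", repr(err.__context__))
```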

sumgr0 commented 5 years ago

Post the latest update, the scan runs further now, but when doing the Cookie Persistence Validation it throws this error. Tested this for 2/3 websites to scan:

Traceback (most recent call last):
  File "xsrfprobe.py", line 13, in <module>
    main.Engine()  # start the Scanner Engine ;)
  File "/root/PenTest/Audit/XSRFProbe/core/main.py", line 143, in Engine
    Cookie(url, r1)
  File "/root/PenTest/Audit/XSRFProbe/modules/Cookie.py", line 33, in Cookie
    Persistence(url, request)
  File "/root/PenTest/Audit/XSRFProbe/modules/Persistence.py", line 122, in Persistence
    VulnLogger(url, 'Persistent Session Cookies Found.', '[i] Cookie: '+req.headers.get('Set-Cookie'))
TypeError: must be str, not NoneType

Not sure if this is a separate issue or related.

0xInfection commented 5 years ago

Hi there, can you give me the sites you used? Cause I am really not able to reproduce the error. If it's sensitive, email me via the email address on my profile. :)

Oh and btw, please open another issue for this, since it is some website specific issue, some users might find it helpful as another issue.

sumgr0 commented 5 years ago

> Hi there, can you give me the sites you used? Cause I am really not able to reproduce the error. If it's sensitive, email me via the email address on my profile. :)

Won't be able to share the sites as they are my clients and it'll not be ethical.

0xInfection commented 5 years ago

Alright. If you are unable to give the site, it's fine. However, then I'd have to pass this as not-applicable and non-reproducible, since I am unable to reproduce the error.

However, from the looks of the error, I can pretty much say your target isn't responding well. The function Persistence() calls the Get() function which makes a GET request to the site. It returns with a valid set of headers if the target responds or with NoneType if the target response is blank. That's all I can tell you about this.

Let me know if you have any other queries.
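The `TypeError` in the second traceback comes from concatenating a string with `req.headers.get('Set-Cookie')`, which is `None` whenever the response carries no such header. The sketch below is an added example, not code from XSRFProbe: it checks for persistent cookies (those with `Expires` or `Max-Age`) without assuming the header exists. The function names and sample header values are constructed for illustration, and `email.message.Message` stands in for the response headers.

```python
from email.message import Message
from http.cookies import SimpleCookie, CookieError

def persistent_cookies(headers):
    """Names of cookies that set Expires or Max-Age; [] when none are set."""
    found = []
    # get_all() returns None when the header is absent, so default to [].
    for line in headers.get_all("Set-Cookie") or []:
        jar = SimpleCookie()
        try:
            jar.load(line)
        except CookieError:
            continue  # skip a malformed cookie instead of aborting the scan
        for name, morsel in jar.items():
            if morsel["expires"] or morsel["max-age"]:
                found.append(name)
    return found

def persistence_report(headers):
    # Build the log line only from values known to be strings.
    if headers.get("Set-Cookie") is None:
        return "No Set-Cookie header in response."
    names = persistent_cookies(headers)
    if names:
        return "Persistent Session Cookies Found. [i] Cookie: " + ", ".join(names)
    return "No persistent cookies found."

def sample_headers(*set_cookie_lines):
    # Constructed response headers; a real response may repeat Set-Cookie.
    msg = Message()
    for line in set_cookie_lines:
        msg["Set-Cookie"] = line
    return msg

if __name__ == "__main__":
    print(persistence_report(sample_headers()))
    print(persistence_report(sample_headers(
        "sid=abc123; Max-Age=3600; HttpOnly",
        "tmp=1; Path=/",
        "pref=dark; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/")))
```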

iDuronto commented 5 years ago

> Won't be able to share the sites as they are my clients and it'll not be ethical.

@sumgr0 do you think open-source developers like @0xInfection would unethically abuse your client site? You're running a toolkit entirely developed by him and only himself. Look at his contributions! He is contributing tools that help in identifying bugs and securing websites and here you're afraid that he'll unethically abuse your site! Your concept is entirely lame and pathetic, isn't it?

Plus he is so considerate that he even asked you to share your testing site privately via his email. Afaik, other devs won't even care to lend you an ear.

sumgr0 commented 5 years ago

@iDuronto the reason for not sharing the client's website is not about me trusting @0xInfection, it's more about my client's trust in me to share his details without his approval. I would not want to give out details since they are not part of the agreement with the client.

I really appreciate @0xInfection for his contributions and dedication without any doubts.

Hope you'd understand my point...