National University of Uzbekistan. Manuscript copy. UDC



APPENDIX

Source listings: cors_scan.py, common/corscheck.py and common/logger.py (CORScanner).

# File: cors_scan.py (CORScanner command-line entry point and library API)
import json
import sys
import os
import argparse
import threading

# banner(), parse_headers() and read_urls() are defined in common/common.py,
# which is not reproduced in this appendix.
from common.common import *
from common.logger import Log
from common.corscheck import CORSCheck

import gevent
from gevent import monkey
monkey.patch_all()
from gevent.pool import Pool
from gevent.queue import Queue
from colorama import init

# Globals
results = []


def parser_error(errmsg):
    banner()
    print("Usage: python " + sys.argv[0] + " [Options] use -h for help")
    print("Error: " + errmsg)
    sys.exit()


def parse_args():
    # parse the arguments
    parser = argparse.ArgumentParser(
        epilog='\tExample: \r\npython ' + sys.argv[0] + " -u google.com")
    parser.error = parser_error
    parser._optionals.title = "OPTIONS"
    parser.add_argument(
        '-u', '--url', help="URL/domain to check its CORS policy")
    parser.add_argument(
        '-i', '--input',
        help='URL/domain list file to check their CORS policy')
    parser.add_argument(
        '-t', '--threads',
        help='Number of threads to use for CORS scan',
        type=int, default=50)
    parser.add_argument('-o', '--output', help='Save the results to json file')
    parser.add_argument(
        '-v', '--verbose',
        help='Enable Verbosity and display results in realtime',
        action='store_true', default=False)
    parser.add_argument('-d', '--headers', help='Add headers to the request.', default=None, nargs='*')
    parser.add_argument(
        '-T', '--timeout',
        help='Set requests timeout (default 10 sec)',
        type=int, default=10)
    parser.add_argument('-p', '--proxy', help='Enable proxy (http or socks5)')
    args = parser.parse_args()

    if not (args.url or args.input):
        parser.error("No url inputed, please add -u or -i option")
    if args.input and not os.path.isfile(args.input):
        parser.error("Input file " + args.input + " not exist.")
    return args


# Synchronize results (used as a plain lock around the shared results list)
c = threading.Condition()


def scan(cfg):
    """Worker: pull URLs off the shared queue until it is empty."""
    log = cfg["logger"]
    global results

    while not cfg["queue"].empty():
        try:
            item = cfg["queue"].get(timeout=1.0)
            cors_check = CORSCheck(item, cfg)
            msg = cors_check.check_one_by_one()

            # Keeping results to be written to file only if needed
            if log.filename and msg:
                with c:
                    results.append(msg)
        except Exception as e:
            # A queue timeout (gevent.queue.Empty) also lands here and ends the worker.
            print(e)
            break


"""
CORScanner library API interface for other projects to use. This will check
the CORS policy for a given URL. Example Usage:

>>> from CORScanner.cors_scan import cors_check
>>> ret = cors_check("https://www.instagram.com", None)
>>> ret
{'url': 'https://www.instagram.com', 'type': 'reflect_origin',...}
"""
def cors_check(url, headers=None):
    # 0: 'DEBUG', 1: 'INFO', 2: 'WARNING', 3: 'ALERT', 4: 'disable log'
    log = Log(None, print_level=4)
    cfg = {"logger": log, "headers": headers, "timeout": 5}

    checker = CORSCheck(url, cfg)
    #msg = checker.check_all_in_parallel()
    msg = checker.check_one_by_one()
    return msg


def main():
    init()
    args = parse_args()
    #banner()

    queue = Queue()
    log_level = 1 if args.verbose else 2  # 1: INFO, 2: WARNING

    log = Log(args.output, log_level)
    cfg = {"logger": log, "queue": queue, "headers": parse_headers(args.headers),
           "timeout": args.timeout, "proxy": args.proxy}

    read_urls(args.url, args.input, queue)

    sys.stderr.write("Starting CORS scan...(Tips: this may take a while, add -v option to enable debug info)\n")
    sys.stderr.flush()
    threads = [gevent.spawn(scan, cfg) for i in range(args.threads)]

    try:
        gevent.joinall(threads)
    except KeyboardInterrupt as e:
        pass

    # Writing results file if output file has been set
    if log.filename:
        with open(log.filename, 'w') as output_file:
            output_file.write(json.dumps(results, indent=4))
    sys.stderr.write("Finished CORS scanning...\n")
    sys.stderr.flush()


if __name__ == '__main__':
    main()


# File: common/corscheck.py (the CORS misconfiguration probes)
import gevent.monkey
gevent.monkey.patch_all()

import requests, json, os, inspect, tldextract
from urllib.parse import urlparse

import urllib3
# The scanner deliberately accepts self-signed or otherwise invalid
# certificates (verify=False in send_req), so silence the per-request warning.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

from threading import Thread


class CORSCheck:
    """Run the CORS origin-validation probes below against one URL."""

    # Probe order; check_one_by_one() stops at the first hit.
    CHECKS = [
        'test_reflect_origin',
        'test_prefix_match',
        'test_suffix_match',
        'test_trust_null',
        'test_include_match',
        'test_not_escape_dot',
        'test_custom_third_parties',
        'test_special_characters_bypass',
        'test_trust_any_subdomain',
        'test_https_trust_http',
    ]

    def __init__(self, url, cfg):
        self.url = url
        self.cfg = cfg
        self.timeout = cfg["timeout"]
        self.headers = cfg.get("headers")
        self.result = {}            # first misconfiguration found
        self.all_results = []       # every misconfiguration found (parallel mode)
        self.proxies = {}
        if cfg.get("proxy") != None:
            self.proxies = {
                "http": cfg["proxy"],
                "https": cfg["proxy"],
            }

    def send_req(self, url, origin):
        """GET the target with a forged Origin header; None on error or when
        the server redirected to another registered domain."""
        try:
            headers = {
                'Origin': origin,
                'Cache-Control': 'no-cache',
                'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36'
            }
            if self.headers != None:
                headers.update(self.headers)

            # self-signed cert OK, follow redirections
            resp = requests.get(url, timeout=self.timeout, headers=headers,
                                verify=False, allow_redirects=True, proxies=self.proxies)

            # remove cross-domain redirections, which may cause false results
            first_domain = tldextract.extract(url).registered_domain
            last_domain = tldextract.extract(resp.url).registered_domain
            if first_domain.lower() != last_domain.lower():
                resp = None
        except Exception as e:
            resp = None
        return resp

    def get_resp_headers(self, resp):
        if resp == None:
            return None
        return dict((k.lower(), v) for k, v in resp.headers.items())

    def check_cors_policy(self, test_module_name, test_origin, test_url):
        resp = self.send_req(self.url, test_origin)
        resp_headers = self.get_resp_headers(resp)
        status_code = resp.status_code if resp is not None else None

        if resp_headers == None:
            return None

        # A probe hits only when Access-Control-Allow-Origin echoes the probe
        # origin itself (scheme://host, compared case-insensitively). A wildcard
        # "*" never matches here; browsers refuse to attach credentials to "*".
        acao = str(resp_headers.get("access-control-allow-origin"))
        if test_origin != "null":
            parsed = urlparse(acao)
            resp_origin = parsed.scheme + "://" + parsed.netloc.split(':')[0]
        else:
            resp_origin = acao

        msg = None
        # test_origin does not have to be case sensitive
        if test_origin.lower() == resp_origin.lower():
            credentials = "false"
            # With credentials allowed, a page on the trusted origin can read
            # the victim's authenticated responses; this is the serious case.
            if resp_headers.get("access-control-allow-credentials") == "true":
                credentials = "true"

            # Set the msg
            msg = {
                "url": test_url,
                "type": test_module_name,
                "credentials": credentials,
                "origin": test_origin,
                "status_code": status_code
            }
        return msg

    def is_cors_permissive(self, test_module_name, test_origin, test_url):
        msg = self.check_cors_policy(test_module_name, test_origin, test_url)
        if msg != None:
            self.cfg["logger"].warning(msg)
            self.result = msg
            self.all_results.append(msg)
            return True
        self.cfg["logger"].info("nothing found for {url: %s, origin: %s, type: %s}" % (test_url, test_origin, test_module_name))
        return False

    def test_reflect_origin(self):
        # Server echoes any Origin back: probe with https://evil.com
        module_name = inspect.stack()[0][3].replace('test_', '')
        test_url = self.url
        parsed = urlparse(test_url)
        test_origin = parsed.scheme + "://" + "evil.com"
        self.cfg["logger"].info("Start checking %s for %s" % (module_name, test_url))
        return self.is_cors_permissive(module_name, test_origin, test_url)

    def test_prefix_match(self):
        # Server does origin.startswith(allowed): https://www.example.com.evil.com
        module_name = inspect.stack()[0][3].replace('test_', '')
        test_url = self.url
        parsed = urlparse(test_url)
        test_origin = parsed.scheme + "://" + parsed.netloc.split(':')[0] + ".evil.com"
        self.cfg["logger"].info("Start checking %s for %s" % (module_name, test_url))
        return self.is_cors_permissive(module_name, test_origin, test_url)

    def test_suffix_match(self):
        # Server does origin.endswith("example.com"): https://evilexample.com
        module_name = inspect.stack()[0][3].replace('test_', '')
        test_url = self.url
        parsed = urlparse(test_url)
        sld = tldextract.extract(test_url.strip()).registered_domain
        test_origin = parsed.scheme + "://" + "evil" + sld
        self.cfg["logger"].info("Start checking %s for %s" % (module_name, test_url))
        return self.is_cors_permissive(module_name, test_origin, test_url)

    def test_trust_null(self):
        # "null" is the Origin sent by sandboxed iframes, file:// pages and
        # data: URLs; a server trusting it trusts any attacker-controlled page.
        module_name = inspect.stack()[0][3].replace('test_', '')
        test_url = self.url
        test_origin = "null"
        self.cfg["logger"].info("Start checking %s for %s" % (module_name, test_url))
        return self.is_cors_permissive(module_name, test_origin, test_url)

    def test_include_match(self):
        # Server tests whether the Origin is contained in the allowed domain
        # (the substring check written backwards): https://xample.com
        module_name = inspect.stack()[0][3].replace('test_', '')
        test_url = self.url
        parsed = urlparse(test_url)
        sld = tldextract.extract(test_url.strip()).registered_domain
        test_origin = parsed.scheme + "://" + sld[1:]
        self.cfg["logger"].info("Start checking %s for %s" % (module_name, test_url))
        return self.is_cors_permissive(module_name, test_origin, test_url)

    def test_not_escape_dot(self):
        # Regex whose '.' is not escaped: replace the last dot with 'a',
        # e.g. https://www.example.com -> https://www.exampleacom
        module_name = inspect.stack()[0][3].replace('test_', '')
        test_url = self.url
        parsed = urlparse(test_url)
        domain = parsed.netloc.split(':')[0]
        test_origin = parsed.scheme + "://" + domain[::-1].replace('.', 'a', 1)[::-1]
        self.cfg["logger"].info("Start checking %s for %s" % (module_name, test_url))
        return self.is_cors_permissive(module_name, test_origin, test_url)

    def test_trust_any_subdomain(self):
        # Every subdomain trusted: https://evil.www.example.com. Exploitable
        # through a takeover of, or an XSS on, any one subdomain.
        module_name = inspect.stack()[0][3].replace('test_', '')
        test_url = self.url
        parsed = urlparse(test_url)
        test_origin = parsed.scheme + "://" + "evil." + parsed.netloc.split(':')[0]
        self.cfg["logger"].info("Start checking %s for %s" % (module_name, test_url))
        return self.is_cors_permissive(module_name, test_origin, test_url)

    def test_https_trust_http(self):
        # An https site trusting its own http origin hands the API to an
        # on-path attacker who can inject into the plaintext page.
        module_name = inspect.stack()[0][3].replace('test_', '')
        test_url = self.url
        parsed = urlparse(test_url)
        if parsed.scheme != "https":
            return False
        test_origin = "http://" + parsed.netloc.split(':')[0]
        self.cfg["logger"].info("Start checking %s for %s" % (module_name, test_url))
        return self.is_cors_permissive(module_name, test_origin, test_url)

    def test_custom_third_parties(self):
        # Third-party origins listed in origins.json, shipped one directory
        # above this module (the file itself is not reproduced in this appendix).
        module_name = inspect.stack()[0][3].replace('test_', '')
        test_url = self.url
        self.cfg["logger"].info("Start checking %s for %s" % (module_name, test_url))

        is_cors_perm = False
        # Opening origins file
        with open(os.path.join(os.path.dirname(os.path.realpath(__file__)), '..%sorigins.json' % os.sep)) as origins_file:
            origins = json.load(origins_file)['origins']

        for test_origin in origins:
            is_cors_perm = self.is_cors_permissive(module_name, test_origin, test_url)
            if is_cors_perm: break
        return is_cors_perm

    def test_special_characters_bypass(self):
        # Characters some browsers tolerate inside a host name, so that
        # https://www.example.com_.evil.com can slip past a loosely anchored check.
        module_name = inspect.stack()[0][3].replace('test_', '')
        test_url = self.url
        parsed = urlparse(test_url)
        special_characters = ['_', '-', '"', '{', '}', '+', '^', '%60', '!', '~', '`', ';', '|', '&', "'", '(', ')', '*', ',', '$', '=', '+', "%0b"]

        origins = []
        for char in special_characters:
            attempt = parsed.scheme + "://" + parsed.netloc.split(':')[0] + char + ".evil.com"
            origins.append(attempt)

        is_cors_perm = False
        self.cfg["logger"].info("Start checking %s for %s" % (module_name, test_url))
        for test_origin in origins:
            is_cors_perm = self.is_cors_permissive(module_name, test_origin, test_url)
            if is_cors_perm: break
        return is_cors_perm

    def check_one_by_one(self):
        for fname in self.CHECKS:
            func = getattr(self, fname)
            # Stop if we found an exploit case.
            if func(): break
        return self.result

    def check_all_in_parallel(self):
        # Runs every probe concurrently; self.result then holds whichever probe
        # hit last, so callers use the returned all_results list instead.
        threads = []
        for fname in self.CHECKS:
            func = getattr(self, fname)
            t = Thread(target=func)
            t.start()
            threads.append(t)

        for t in threads:
            t.join()
        return self.all_results
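The probes above can be exercised without touching a network. The following Python is an added example written for this page, not code from CORScanner or from the appendix listings. It rebuilds the probe origins that corscheck.py derives from a target URL (taking the last two host labels as the registered domain instead of calling tldextract, an assumption of this example) and runs them, in check_one_by_one() order, against constructed in-memory stand-ins for broken server-side Origin checks (echo, startswith, endswith, substring, an unescaped-dot regex, a trusted "null" origin, a host-only comparison) and against an exact allowlist. The target URL, the allowlist and every policy function are constructed for illustration.

```python
# Added example (not CORScanner code): offline re-creation of the probe logic
# in corscheck.py against simulated server-side Origin checks.
import re
from urllib.parse import urlparse

TARGET = "https://api.example.com"                                  # constructed
ALLOWLIST = {"https://api.example.com", "https://www.example.com"}  # constructed


def probe_origins(url):
    """Probe origins in the order check_one_by_one() tries them.
    Assumption: the registered domain is the last two host labels
    (corscheck.py uses tldextract for this)."""
    p = urlparse(url)
    host = p.netloc.split(":")[0]
    sld = ".".join(host.split(".")[-2:])
    probes = [
        ("reflect_origin", f"{p.scheme}://evil.com"),              # Origin echoed back
        ("prefix_match", f"{p.scheme}://{host}.evil.com"),         # startswith() check
        ("suffix_match", f"{p.scheme}://evil{sld}"),               # endswith() check
        ("trust_null", "null"),                                    # sandboxed iframe / file://
        ("include_match", f"{p.scheme}://{sld[1:]}"),              # Origin as substring of allowlist
        ("not_escape_dot", f"{p.scheme}://{host[::-1].replace('.', 'a', 1)[::-1]}"),
        ("special_characters_bypass", f"{p.scheme}://{host}_.evil.com"),
        ("trust_any_subdomain", f"{p.scheme}://evil.{host}"),
    ]
    if p.scheme == "https":
        probes.append(("https_trust_http", f"http://{host}"))
    return probes


def origin_allowed(test_origin, resp_headers):
    """Mirror of check_cors_policy(): the probe hits when the echoed
    Access-Control-Allow-Origin is the probe origin (scheme://host,
    case-insensitively) or, for the null probe, literally 'null'.
    A wildcard '*' therefore never counts as a hit."""
    acao = str(resp_headers.get("access-control-allow-origin"))
    if test_origin == "null":
        return acao == "null"
    parsed = urlparse(acao)
    return test_origin.lower() == f"{parsed.scheme}://{parsed.netloc.split(':')[0]}".lower()


def detect(policy, url=TARGET):
    """Name of the first misconfiguration found, like check_one_by_one(),
    or None when every probe is rejected. `policy` stands in for the
    server: it maps an Origin value to the CORS response headers."""
    for name, origin in probe_origins(url):
        if origin_allowed(origin, policy(origin)):
            return name
    return None


# ---- constructed stand-ins for server-side Origin validation ---------------
def _allow(origin):
    return {"access-control-allow-origin": origin,
            "access-control-allow-credentials": "true"}


def policy_reflect(origin):            # echoes whatever Origin arrives
    return _allow(origin)


def policy_startswith(origin):         # origin.startswith(allowed origin)
    return _allow(origin) if origin.startswith(TARGET) else {}


def policy_endswith(origin):           # origin.endswith("example.com")
    return _allow(origin) if origin.endswith("example.com") else {}


def policy_null_trusted(origin):       # allowlist plus the "null" origin
    return _allow(origin) if origin in ALLOWLIST or origin == "null" else {}


def policy_substring(origin):          # host tested as a substring of the allowed host
    host = urlparse(origin).netloc
    return _allow(origin) if host and host in "api.example.com" else {}


def policy_unescaped_dot(origin):      # regex written without escaping the dots
    return _allow(origin) if re.fullmatch(r"https://api.example.com", origin) else {}


def policy_host_only(origin):          # compares the host but ignores the scheme
    return _allow(origin) if urlparse(origin).netloc in {"api.example.com", "www.example.com"} else {}


def policy_strict(origin):             # exact match against a fixed allowlist
    return _allow(origin) if origin in ALLOWLIST else {}


if __name__ == "__main__":
    for pol in (policy_reflect, policy_startswith, policy_endswith, policy_null_trusted,
                policy_substring, policy_unescaped_dot, policy_host_only, policy_strict):
        print(f"{pol.__name__:22s} -> {detect(pol)}")
```

Each broken policy is caught by exactly the probe built for it, and policy_strict, which compares the full origin string against a fixed set and never derives the response header from the request, returns None. That exact comparison (scheme, host and port, all fixed) is the fix for every case shown.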

# File: common/logger.py (console logger for scan progress and findings)
import time
import json
import sys


class Log:
    """Class Log for logging CORS misconfiguration message"""
    print_level = 0
    msg_level = {0: 'DEBUG', 1: 'INFO', 2: 'WARNING', 3: 'ALERT'}
    auto_timestamp = 1

    def __init__(self, filename, print_level, auto_timestamp=1):
        # filename is only remembered here; cors_scan.py writes the JSON
        # results file itself once the scan has finished.
        self.filename = filename
        self.print_level = print_level
        self.auto_timestamp = auto_timestamp

    def write(self, msg, level=0):
        try:
            if level >= self.print_level:
                if self.auto_timestamp == 1:
                    timestamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime())
                    record = "%s %s %s" % (timestamp, self.msg_level[level], msg)
                    sys.stdout.write(record + "\r\n")
                else:
                    sys.stdout.write(msg + "\r\n")
                sys.stdout.flush()
        except KeyboardInterrupt:
            self.close()

    def debug(self, msg):
        self.write(msg, 0)

    def info(self, msg):
        self.write(msg, 1)

    def warning(self, msg):
        # Findings are printed in red so they stand out among INFO lines.
        record = "Found misconfiguration! " + json.dumps(msg)
        self.write("""%s%s%s""" % ('\033[91m', record, '\033[0m'), 2)

    def alert(self, msg):
        self.write(msg, 3)

    def close(self):
        # Nothing is held open: records go to stdout and the results file is
        # written by cors_scan.py, so only flush what has been printed so far.
        sys.stdout.flush()


