codesake-dawn 0.60 → 0.70

data/.gitignore

@@ -1,3 +1,4 @@
+*.log
 *.sw?
 *.gem
 *.rbc

data/Competitive_matrix.md

@@ -54,7 +54,7 @@ applications will be supported as well.
 
 |Feature                | Dawn          | Brakeman          | Excellent   | ror-sec-scanner   | Scanny      |
 |-----------------------|---------------|-------------------|-------------|-------------------|-------------|
-| Version               | 0.51          | 1.9.5             |             |                   |             |
+| Version               | 0.70          | 1.9.5             |             |                   |             |
 | Production ready?     | NO            | YES               |             |                   |             |
 | Sinatra support       | YES           | NO                |             |                   |             |
 | Padrino support       | NO *planned*  | NO                |             |                   |             |
@@ -68,14 +68,27 @@ applications will be supported as well.
 
 | CVE Check             | Dawn          | Brakeman          | Excellent   | ror-sec-scanner   | Scanny      |
 |-----------------------|---------------|-------------------|-------------|-------------------|-------------|
+| CVE-2011-0447         | YES           | NO                |             |                   |             |
+| CVE-2011-2197         | YES           | NO                |             |                   |             |
 | CVE-2011-2931         | YES           | YES               |             |                   |             |
+| CVE-2011-2932         | YES           | NO                |             |                   |             |
+| CVE-2011-3186         | YES           | NO                |             |                   |             |
+| CVE-2012-1099         | YES           | NO                |             |                   |             |
+| CVE-2012-1241         | YES           | NO                |             |                   |             |
+| CVE-2012-2140         | YES           | NO                |             |                   |             |
 | CVE-2012-2660         | YES           | YES               |             |                   |             |
 | CVE-2012-2661         | YES           | YES               |             |                   |             |
 | CVE-2012-2694         | YES           | YES               |             |                   |             |
 | CVE-2012-2695         | YES           | YES               |             |                   |             |
+| CVE-2012-3463         | YES           | YES               |             |                   |             |
+| CVE-2012-3464         | YES           | YES               |             |                   |             |
 | CVE-2012-3465         | YES           | YES               |             |                   |             |
-| CVE-2012-3464         | NO            | YES               |             |                   |             |
-| CVE-2012-3463         | NO            | YES               |             |                   |             |
+| CVE-2012-4464         | YES           | NO                |             |                   |             |
+| CVE-2012-4466         | YES           | NO                |             |                   |             |
+| CVE-2012-4481         | YES           | NO                |             |                   |             |
+| CVE-2012-5370         | YES           | NO                |             |                   |             |
+| CVE-2012-5371         | YES           | NO                |             |                   |             |
+| CVE-2012-6134         | YES           | NO                |             |                   |             |
 | CVE-2012-6496         | YES           | NO                |             |                   |             |
 | CVE-2012-5664         | NO            | YES               |             |                   |             |
 | CVE-2012-6497         | YES           | NO                |             |                   |             |
@@ -93,6 +106,7 @@ applications will be supported as well.
 | CVE-2013-0276         | YES           | YES               |             |                   |             |
 | CVE-2013-0277         | YES           | YES               |             |                   |             |
 | CVE-2013-0156         | YES           | YES               |             |                   |             |
+| CVE-2013-2065 [0]     | NO            | NO                |             |                   |             |
 | CVE-2013-2090 [0]     | NO            | NO                |             |                   |             |
 | CVE-2013-2615         | YES           | NO                |             |                   |             |
 | CVE-2013-1875         | YES           | NO                |             |                   |             |
@@ -127,7 +141,7 @@ applications will be supported as well.
 
 | Security check              | Dawn          | Brakeman   | Excellent   | ror-sec-scanner   | Scanny      |
 |-----------------------------|---------------|------------|-------------|-------------------|-------------|
-| Reflected XSS               | NO            | YES        |             |                   |             |
+| Reflected XSS               | YES (sinatra) | YES        |             |                   |             |
 | Stored XSS                  | NO            | YES        |             |                   |             |
 | DOM Based XSS               | NO            | NO         |             |                   |             |
 | SQL injection               | NO            | YES        |             |                   |             |

data/README.md

@@ -5,6 +5,11 @@ It supports [Sinatra](http://www.sinatrarb.com),
 [Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org)
 frameworks. 
 
+[![Gem Version](https://badge.fury.io/rb/codesake-dawn.png)](http://badge.fury.io/rb/codesake-dawn)
+[![Build Status](https://travis-ci.org/codesake/codesake_dawn.png?branch=master)](https://travis-ci.org/codesake/codesake_dawn)
+[![Dependency Status](https://gemnasium.com/codesake/codesake_dawn.png)](https://gemnasium.com/codesake/codesake_dawn)
+[![Coverage Status](https://coveralls.io/repos/codesake/codesake_dawn/badge.png)](https://coveralls.io/r/codesake/codesake_dawn)
+
 ## Useful links
 
 www:      [http://codesake.com](http://codesake.com) 
@@ -43,44 +48,18 @@ that.
 ## Usage
 
 You can start your code review with dawn very easily. Simply tell the tool
-where the project root directory is and which is the framework you used to
-write the web application. 
+where the project root directory. 
 
-_Sorry for non autodetect this; at this point we prefere working hard over core
-features like adding new vulnerabilities and having valuable output._
+Starting from an unofficial 0.68 release, underlying MVC framework is
+autodetected by dawn using target Gemfile.lock file. If autodetect fails for
+some reason, the tool will complain about it and you have to specify if it's a
+rails, sinatra or padrino web application by hand.
 
 dawn command line is in this form with options and the target.
 ``` 
 $ dawn [options] target
 ```
 
-The options you can specify tell down the MVC used in your application and some
-triggers you may want to be active during the scan.
-
-### Scanning a Sinatra web application
-
-dawn will scan application stored in hello_world directory which is a Sinatra application
-
-```
-$ dawn -s hello_world 
-```
-
-### Scanning a Ruby on Rails web application
-
-dawn will scan application stored in hello_world directory which is a Ruby on Rails application
-
-```
-$ dawn -r hello_world 
-```
-
-### Scanning a Padrino web application
-
-dawn will scan application stored in hello_world directory which is a Padrino application
-
-```
-$ dawn -p hello_world 
-```
-
 ### As output you get
 
 As output, dawn will put all security checks that are failed during the scan.
@@ -90,18 +69,17 @@ application:
 ```
 $ bundle exec bin/dawn -s target
 
-[*] dawn v0.51 (C) 2013 - paolo@armoredcode.com is starting up at 08:09:11
-08:09:11: scanning target
-08:09:11: sinatra vsinatra 1.4.2 detected
-08:09:11: applying all security checks
-08:09:11 [*] all security checks applied
-08:09:11: 1 vulnerabilities found
-08:09:11 [!] CVE-2013-1800 failed
-08:09:11: Description: The crack gem 0.3.1 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.
-08:09:11: Solution: Please use crack gem version 0.3.2 or above. Correct your gemfile
-08:09:11 [!] Evidence:
-08:09:11 [!] Vulnerable crack gem version found: 0.3.1
-[*] dawn is shutting down at 08:09:11
+[*] dawn v0.67 (C) 2013 - paolo@armoredcode.com is starting up at 08:14:17
+08:14:17: scanning /Users/thesp0nge/src/hacking/railsberry2013
+08:14:17: sinatra v1.4.2 detected
+08:14:17: applying all security checks
+08:14:17: all security checks applied
+08:14:17: 1 vulnerabilities found
+08:14:17 [!] CVE-2013-1800 failed
+08:14:17: Solution: Please use crack gem version 0.3.2 or above. Correct your gemfile
+08:14:17 [!] Evidence:
+08:14:17 [!] Vulnerable crack gem version found: 0.3.1
+[*] dawn is shutting down at 08:14:17
 ```
 
 
@@ -116,7 +94,11 @@ $ dawn -k|--list-knowledge-base
 
 [saten](https://github.com/saten): first issue posted about a typo in the README
 
-[presidentbeef](https://githbu.com/presidentbeef): for his outstanding work that inspired me creating dawn and for double check comparison matrix. Issue #2 is your :)
+[presidentbeef](https://github.com/presidentbeef): for his outstanding work that inspired me creating dawn and for double check comparison matrix. Issue #2 is your :)
+
+[marinerJB](https://github.com/marinerJB): for misc bug reports and further ideas
+
+[Matteo](https://github.com/matteocollina): for ideas on API and their usage with [github.com](https://github.com) hooks
 
 ## LICENSE
 

data/Roadmap.md

@@ -49,7 +49,7 @@ _latest update: Fri 17 May 2013 15:29:55 CEST_
 * adding a '--count-only' option
 * support JSON output
 
-## Version 0.70 
+## Version 0.70 (2013-06-19)
 
 * adding test for CVE-2011-0447
 * adding test for CVE-2011-3186
@@ -65,17 +65,20 @@ _latest update: Fri 17 May 2013 15:29:55 CEST_
 * adding test for CVE-2012-4464
 * adding test for CVE-2012-4466
 * adding test for CVE-2012-4481
-* adding test for CVE-2012-5664
 * adding test for CVE-2012-6134
+* Fix issue #4. PatternMatching complains when applied to binary files. We must
+  skip them
 * add ruby\_parser dependency
-* parsing HAML for XSS
+* add haml dependency
+* add target MVC autodetect
 * write '--help'
-* support sinatra application controllers parsing for XSS
-* Fix issue #1. You can read more about it in TODO.md
+* detect sinks for XSS in Sinatra applications
+* detect reflected XSS in Sinatra applications
 
 ## Version 0.80
 
 * adding test for CVE-2013-2090 _if CVE will be approved_
+* adding test for CVE-2013-2065 _if CVE will be approved_
 * adding test for CVE-2010-1330
 * adding test for CVE-2011-0447 
 * adding test for CVE-2011-0446 
@@ -95,9 +98,17 @@ _latest update: Fri 17 May 2013 15:29:55 CEST_
 * adding test for CVE-2012-4522
 * adding test for CVE-2012-3464
 * adding test for CVE-2012-3463
-* support sinatra application controllers parsing for SQLi
-* support rails application controllers parsing for XSS
-* parsing ERB for XSS
+* detect sinks for XSS in Padrino applications
+* detect reflected XSS in Padrino applications
+* detect stored XSS in Sinatra applications
+* detect stored XSS in Padrino applications
+* detect insecure direct object reference in Sinatra applications
+* detect insecure direct object reference in Padrino applications
+* support ERB for in detect\_views (for both Sinatra and Padrino)
+* Fix issue #1. You can read more about it in TODO.md
+* integration with [codesake.com](http://codesake.com) with a public available
+  APIs to be consumed by codesake beta users.
+
 
 ## Version 0.90
 
@@ -142,6 +153,11 @@ _latest update: Fri 17 May 2013 15:29:55 CEST_
 * adding test for CVE-2008-2725
 * preliminary javascript support
 * adding test for CVE-2011-4969  XSS in jquery < 1.6.2 
+* detect stored XSS in Rails applications
+* detect reflected XSS in Rails applications
+* detect insecure direct object reference in Rails applications
+* detect SQLi in Sinatra applications
+* detect SQLi in Padrino applications
 
 ## Version 1.00
 
@@ -189,9 +205,7 @@ _latest update: Fri 17 May 2013 15:29:55 CEST_
 * adding test for CVE-2004-0755
 * adding test for CVE-2004-0983
 * dedicated web site under dawn.codesake.com
-* support rails application controllers parsing for SQLi
-* support padrino application controllers parsing for XSS
-* support padrino application controllers parsing for SQLi
+* detect SQLi in Rails applications
 * integration with [codesake.com](http://codesake.com) with a public available
   APIs to be consumed by codesake users.
 * automatic mitigation patch generation 

data/bin/dawn

@@ -1,6 +1,7 @@
 #!/usr/bin/env ruby
 
 require 'getoptlong'
+require 'json'
 
 require 'codesake_commons'
 require 'codesake-dawn'
@@ -13,23 +14,70 @@ end
 
 def output_json_run(target = "", engine = nil)
   result = {}
-  return {:status=>"KO", :message=>"BUG at #{__FILE__}@#{__LINE__}: target is empty or engine is nil."} if target.empty? or engine.nil?
-  return {:status=>"KO", :message=>"#{target} doesn't exist"} if ! Dir.exist?(target)
+  return {:status=>"KO", :message=>"BUG at #{__FILE__}@#{__LINE__}: target is empty or engine is nil."}.to_json if target.empty? or engine.nil?
+  return {:status=>"KO", :message=>"#{target} doesn't exist"}.to_json if ! Dir.exist?(target)
   check_applied = dry_run(target, engine)
-  return {:status=>"KO", :message=>"no security checks applied"} unless check_applied
+  return {:status=>"KO", :message=>"no security checks applied"}.to_json unless check_applied
 
   result[:status]="OK"
   result[:target]=target
   result[:mvc]=engine.name
   result[:mvc_version]=engine.get_mvc_version
-  result[:vulnerabilities_count]=engine.vulnerabilities.count
-  result[:vulnerabilities]=engine.vulnerabilities
+  result[:vulnerabilities_count]=engine.count_vulnerabilities
+  result[:vulnerabilities]=[]
+  engine.vulnerabilities.each do |v|
+    result[:vulnerabilities] << v[:name]
+  end
   result[:mitigated_vuln_count]=engine.mitigated_issues.count
   result[:mitigated_vuln] = engine.mitigated_issues
+   result[:reflected_xss] = []
+  engine.reflected_xss.each do |r|
+    result[:reflected_xss] << "request parameter \"#{r[:sink_source]}\""
+  end
 
-  result
+  result.to_json
 end 
 
+def dump_knowledge_base(verbose = false)
+  kb = Codesake::Dawn::KnowledgeBase.new
+  lines = []
+  lines << "Security checks currently supported:\n\n"
+
+  kb.all.each do |check|
+    if verbose
+      lines << "Name: #{check.name}\tCVSS: #{check.cvss_score}\tReleased: #{check.release_date}"
+      lines << "Description\n#{check.message}"
+      lines << "Remediation\n#{check.remediation}\n\n"
+    else
+      lines << "#{check.name}"
+    end
+  end
+  
+  lines.empty? ? 0 : lines.compact.join("\n")
+
+end
+
+def help
+  puts "Usage: dawn [options] target_directory"
+  printf "\n\nExamples:"
+  puts "$ dawn a_sinatra_webapp_directory"
+  puts "$ dawn -C the_rails_blog_engine"
+  puts "$ dawn -C --output json a_sinatra_webapp_directory"
+  printf "\n   -r, --rails\t\t\t\t\tforce dawn to consider the target a rails application" 
+  printf "\n   -s, --sinatra\t\t\t\tforce dawn to consider the target a sinatra application" 
+  printf "\n   -p, --padrino\t\t\t\tforce dawn to consider the target a padrino application" 
+  printf "\n   -f, --list-known-framework\t\t\tlist ruby MVC frameworks supported by dawn"
+  printf "\n   -k, --list-knowledgebase\t\t\tlist dawn known security checks"
+  printf "\n   -o, --output [console, json. csv, html]\tthe output will be in the specified format"
+  printf "\n   -V, --verbose\t\t\t\tthe output will be more verbose"
+  printf "\n   -C, --count-only\t\t\t\tdawn will only count vulnerabilities (useful for scripts)"
+  printf "\n   -v, --version\t\t\t\tshow version information"
+  printf "\n   -h, --help\t\t\t\t\tshow this help\n"
+
+  0
+end
+
+
 APPNAME = File.basename($0)
 LIST_KNOWN_FRAMEWORK  = %w(rails sinatra) #padrino)
 VALID_OUTPUT_FORMAT   = %w(console json csv html)
@@ -48,7 +96,7 @@ opts    = GetoptLong.new(
   [ '--help',                   '-h',   GetoptLong::NO_ARGUMENT]
 )
 engine  = nil
-options = {:verbose=>false, :output=>"console", :count_only=>false}
+options = {:verbose=>false, :output=>"console", :count_only=>false, :dump_kb=>false, :mvc=>nil}
 
 trap("INT")   { logger.die('[INTERRUPTED]') }
 
@@ -59,10 +107,11 @@ opts.each do |opt, val|
     puts "#{Codesake::Dawn::VERSION}"
     Kernel.exit(0)
   when '--rails'
-    engine = Codesake::Dawn::Rails.new
+    options[:mvc]=:force_rails
   when '--sinatra'
-    engine = Codesake::Dawn::Sinatra.new
+    options[:mvc]=:force_sinatra
   when '--padrino'
+    options[:mvc]=:force_padrino
     puts "sorry padrino is not yet supported"
     Kernel.exit(1)
   when '--verbose'
@@ -73,32 +122,43 @@ opts.each do |opt, val|
     options[:count_only] = true
 
   when '--list-knowledgebase'
-    kb = Codesake::Dawn::KnowledgeBase.new
-    puts "Security checks currently supported:\n\n"
-
-    kb.all.each do |check|
-      puts "Name: #{check.name}\tCVSS: #{check.cvss_score}\tReleased: #{check.release_date}"
-      puts "Description\n#{check.message}"
-      puts "Remediation\n#{check.remediation}\n\n"
-    end
-    Kernel.exit(0)
-
+    options[:dump_kb]=true
+   
   when '--list-known-framework'
     puts "Ruby MVC framework supported by #{APPNAME}:"
     LIST_KNOWN_FRAMEWORK.each do |mvc|
       puts "* #{mvc}"
     end
     Kernel.exit(0)
+  when '--help'
+    Kernel.exit(help)
   end
 end
 
 target=ARGV.shift
 
+logger.die("missing target") if target.nil?
+logger.die("invalid directory (#{target})") unless Codesake::Dawn::Core.is_good_target?(target)
+
+
+## MVC auto detect
+begin
+  engine = Codesake::Dawn::Core.detect_mvc(target)  if options[:mvc].nil?
+rescue ArgumentError => e
+  logger.die(e.message)
+end
+
+engine = Codesake::Dawn::Rails.new(target)        if options[:mvc] == :force_rails
+engine = Codesake::Dawn::Sinatra.new(target)      if options[:mvc] == :force_sinatra
+# engine = Codesake::Dawn::Padrino.new if options[:mvc] == :force_padrino
+
+logger.die("ruby framework auto detect failed. Please force if rails, sinatra or padrino with -r, -s or -p flags") if engine.nil?
+
 if options[:count_only] 
   ret = dry_run(target, engine)
 
   puts (ret)? engine.vulnerabilities.count : "-1" unless options[:output] == "json"
-  puts (ret)? {:status=>"OK", :vulnerabilities_count=>engine.vulnerabilities.count} : {:status=>"KO", :vulnerabilities_count=>-1}
+  puts (ret)? {:status=>"OK", :vulnerabilities_count=>engine.count_vulnerabilities}.to_json : {:status=>"KO", :vulnerabilities_count=>-1}.to_json
   Kernel.exit(0)
 end
 
@@ -107,12 +167,15 @@ if options[:output] == "json"
   Kernel.exit(0)
 end
 
+if options[:dump_kb]
+  puts dump_knowledge_base(options[:verbose])
+  Kernel.exit(0)
+end
+
 logger.helo "#{APPNAME} v#{Codesake::Dawn::VERSION} (C) 2013 - paolo@armoredcode.com is starting up"
 logger.die "missing target framework option" if engine.nil?
-logger.die "missing target" if target.nil?
-logger.die "#{target} doesn't exist" unless Dir.exist?(target)
 
-engine.set_target(target) unless engine.nil?
+# engine.set_target(target) unless engine.nil?
 engine.load_knowledge_base
 
 logger.die "nothing to do on #{target}" unless engine.can_apply?
@@ -125,18 +188,24 @@ else
   logger.err "no security checks in the knowledge base"
 end
 
-if engine.vulnerabilities.count != 0
-
-logger.log "#{engine.vulnerabilities.count} vulnerabilities found"
-engine.vulnerabilities.each do |vuln|
-  logger.err "#{vuln[:name]} failed"
-  logger.log "Description: #{vuln[:message]}" if options[:verbose]
-  logger.log "Solution: #{vuln[:remediation]}"
-  logger.err "Evidence:"
-  vuln[:evidences].each do |evidence|
-    logger.err evidence
+if engine.count_vulnerabilities != 0
+  logger.log "#{engine.count_vulnerabilities} vulnerabilities found"
+  engine.vulnerabilities.each do |vuln|
+    logger.log "#{vuln[:name]} failed"
+    logger.log "Description: #{vuln[:message]}" if options[:verbose]
+    logger.log "Solution: #{vuln[:remediation]}"
+    logger.err "Evidence:"
+    vuln[:evidences].each do |evidence|
+      logger.err evidence
+    end
   end
-end
+  if engine.has_reflected_xss?
+    logger.log "#{engine.reflected_xss.count} reflected XSS found"
+    engine.reflected_xss.each do |vuln|
+      logger.log "request parameter \"#{vuln[:sink_source]}\""
+    end
+  end
+
 else
   logger.ok "no vulnerabilities found."
 end
@@ -153,6 +222,7 @@ end
 
 
 
+
 logger.helo "#{APPNAME} is shutting down"
 Kernel.exit(0)