dawnscanner 1.2.99

data/lib/codesake/dawn/kb/osvdb_105971.rb

@@ -0,0 +1,31 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2014-04-17
+			class OSVDB_105971
+				include DependencyCheck
+
+				def initialize
+          message = "sfpagent Gem for Ruby contains a flaw that is triggered as JSON[body] input is not properly sanitized when handling module names with shell metacharacters. This may allow a context-dependent attacker to execute arbitrary commands."
+
+           super({
+            :name=> "OSVDB-105971",
+            :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
+            :cve=>"2014-2888",
+            :osvdb=> "105971",
+            :release_date => Date.new(2014, 4, 16),
+            :cwe=>"",
+            :owasp=>"A9",
+            :applies=>["rack", "sinatra", "padrino", "rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade sfpagent version at least to 0.4.15. As a general rule, using the latest stable version is recommended.",
+            :aux_links=>["http://seclists.org/oss-sec/2014/q2/118"]
+           })
+           self.safe_dependencies = [{:name=>"sfpagent", :version=>['0.4.15']}]
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/osvdb_108530.rb

@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2014-07-04
+			class OSVDB_108530
+				include DependencyCheck
+
+				def initialize
+          message = "kajam Gem for Ruby contains a flaw in /dataset/lib/dataset/database/postgresql.rb that is triggered when handling metacharacters. This may allow a remote attacker to execute arbitrary commands."
+           super({
+            :name=> "OSVDB-108530",
+            :cvss=>"",
+            :osvdb=>"108530",
+            :release_date => Date.new(2014, 6, 30),
+            :cwe=>"",
+            :owasp=>"A9",
+            :applies=>["rack", "sinatra", "padrino", "rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"We are not currently aware of a solution for this vulnerability. Keep track on kajam gem updates",
+            :aux_links=>["http://www.vapid.dhs.org/advisories/kajam-1.0.3.rc2-2nd-vuln.html"]
+           })
+           self.safe_dependencies = [{:name=>"kajam", :version=>['1.0.3.rc3']}]
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/osvdb_108563.rb

@@ -0,0 +1,30 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2014-07-04
+			class OSVDB_108563
+				include DependencyCheck
+
+				def initialize
+          message = "gyazo Gem for Ruby contains a flaw in client.rb that is triggered when handling metacharacters. This may allow a remote attacker to execute arbitrary commands."
+           super({
+            :name=> "OSVDB-108563",
+            :cvss=>"",
+            :cve=>"",
+            :osvdb=>"108563",
+            :release_date => Date.new(2014, 6, 30),
+            :cwe=>"",
+            :owasp=>"A9",
+            :applies=>["rack", "sinatra", "padrino", "rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"We are not currently aware of a solution for this vulnerability. Please check gyazo rubygem for updates and apply them as soon as possible",
+            :aux_links=>["http://www.vapid.dhs.org/advisories/gyazo-1.0.0.html"],
+           })
+           self.safe_dependencies = [{:name=>"gyazo", :version=>['1.0.1']}]
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/osvdb_108569.rb

@@ -0,0 +1,30 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2014-07-04
+			class OSVDB_108569
+				include DependencyCheck
+
+				def initialize
+          message = "backup_checksum Gem for Ruby contains a flaw in /lib/backup/cli/utility.rb that is triggered as the program displays password information in plaintext in the process list. This may allow a local attacker to gain access to password information."
+
+           super({
+            :name=> "OSVDB-108569",
+            :osvdb=> "108569",
+            :cvss=>"",
+            :release_date => Date.new(2014, 6, 30),
+            :cwe=>"",
+            :owasp=>"A9",
+            :applies=>["rack", "sinatra", "padrino", "rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"We are not currently aware of a solution for this vulnerability. Please check backup_checksum gem for security updates.",
+            :aux_links=>["http://www.vapid.dhs.org/advisories/backup_checksum-3.0.23.html"]
+           })
+           self.safe_dependencies = [{:name=>"backup_checksum", :version=>['3.0.24']}]
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/osvdb_108570.rb

@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2014-07-04
+			class OSVDB_108570
+				include DependencyCheck
+
+				def initialize
+          message = "backup_checksum Gem for Ruby contains a flaw in /lib/backup/cli/utility.rb that is triggered when handling metacharacters. This may allow a remote attacker to execute arbitrary commands."
+           super({
+            :name=> "OSVDB-108570",
+            :cvss=>"",
+            :osvdb=> "108570",
+            :release_date => Date.new(2014, 6, 30),
+            :cwe=>"",
+            :owasp=>"A9",
+            :applies=>["rack", "sinatra", "padrino", "rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"We are not currently aware of a solution for this vulnerability. Please check backup_checksum rubygem for upgrades",
+            :aux_links=>["http://www.vapid.dhs.org/advisories/backup_checksum-3.0.23.html"]
+           })
+           self.safe_dependencies = [{:name=>"backup_checksum", :version=>['3.0.24']}]
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/owasp_ror_cheatsheet.rb

@@ -0,0 +1,41 @@
+require 'codesake/dawn/kb/owasp_ror_cheatsheet/command_injection'
+require 'codesake/dawn/kb/owasp_ror_cheatsheet/csrf'
+require 'codesake/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database'
+require 'codesake/dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model'
+require 'codesake/dawn/kb/owasp_ror_cheatsheet/security_related_headers'
+
+module Codesake
+  module Dawn
+    module Kb
+      class OwaspRorCheatsheet
+        include ComboCheck
+
+        def initialize
+          message = "This Cheatsheet intends to provide quick basic Ruby on Rails security tips for developers. It complements, augments or emphasizes points brought up in the rails security guide from rails core.  The Rails framework abstracts developers from quite a bit of tedious work and provides the means to accomplish complex tasks quickly and with ease. New developers, those unfamiliar with the inner-workings of Rails, likely need a basic set of guidelines to secure fundamental aspects of their application. The intended purpose of this doc is to be that guide."
+
+          super({
+            :name=>"Owasp Ror Cheatsheet", 
+            :applies=>["rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::COMBO_CHECK,
+            :aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
+            :message=>message,
+            :mitigation=>"Please refere to the Ruby on Rails cheatsheet available from owasp.org to mitigate this vulnerability",
+            :checks=>[
+              Codesake::Dawn::Kb::OwaspRorCheatSheet::CommandInjection.new,
+              Codesake::Dawn::Kb::OwaspRorCheatSheet::Csrf.new,
+              Codesake::Dawn::Kb::OwaspRorCheatSheet::SessionStoredInDatabase.new,
+              Codesake::Dawn::Kb::OwaspRorCheatSheet::MassAssignmentInModel.new, 
+              Codesake::Dawn::Kb::OwaspRorCheatSheet::SecurityRelatedHeaders.new, 
+
+
+            ],
+            :vuln_if_all_fails => false
+          })
+
+          # @debug = true
+
+        end
+      end
+    end
+  end
+end

data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/check_for_backup_files.rb

@@ -0,0 +1,22 @@
+require 'anemone'
+require 'httpclient'
+
+
+# Yes, I was buit just for RubyDay 2012 talk demo
+#
+
+h=HTTPClient.new()
+Anemone.crawl(ARGV[0]) do |anemone|
+  anemone.on_every_page do |page|
+      response = h.get(page.url)
+      puts "Original: #{page.url}: #{response.code}"
+      response = h.get(page.url.to_s.split(";")[0].concat(".bak"))
+      puts "BAK: #{page.url.to_s.split(";")[0].concat(".bak")}: #{response.code}"
+      response = h.get(page.url.to_s.split(";")[0].concat(".old"))
+      puts "OLD: #{page.url.to_s.split(";")[0].concat(".old")}: #{response.code}"
+      response = h.get(page.url.to_s.split(";")[0].concat("~"))
+      puts "~: #{page.url.to_s.split(";")[0].concat("~")}: #{response.code}"
+  end
+end
+
+# http://localhost:8080/HacmeBooks

data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/check_for_safe_redirect_and_forward.rb

@@ -0,0 +1,59 @@
+module Codesake
+  module Dawn
+    module Kb
+      module OwaspRorCheatSheet
+
+        class CheckForSafeRedirectAndForward
+          include PatternMatchCheck
+
+          def initialize
+            message = <<-EOT
+Web applications often require the ability to dynamically redirect users based
+on client-supplied data. To clarify, dynamic redirection usually entails the
+client including a URL in a parameter within a request to the application. Once
+received by the application, the user is redirected to the URL specified in the
+request.
+
+For example: http://www.example.com/redirect?url=http://www.example_commerce_site.com/checkout
+
+The above request would redirect the user to http://www.example.com/checkout.
+
+The security concern associated with this functionality is leveraging an
+organization's trusted brand to phish users and trick them into visiting a
+malicious site, in our example, "badhacker.com".
+
+Example: http://www.example.com/redirect?url=http://badhacker.com
+
+The most basic, but restrictive protection is to use the :only_path option.
+Setting this to true will essentially strip out any host information.
+            EOT
+
+            super({
+              :name=>"Owasp Ror CheatSheet: Check for safe redirect and forward",
+              :kind=>Codesake::Dawn::KnowledgeBase::PATTERN_MATCH_CHECK,
+              :applies=>["rails"],
+              :glob=>"*.rb",
+              :aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
+              :message=>message,
+              :attack_pattern => ["redirect_to"],
+              :mitigation=>"The most basic, but restrictive protection is to use the :only_path option. Setting this to true will essentially strip out any host information.",
+              :severity=>:info,
+              :check_family=>:owasp_ror_cheatsheet
+            })
+            # @debug = true
+
+          end
+          def vuln?
+            super
+            ret = []
+            @evidences.each do |ev|
+              ret << ev unless ev[:matches].include? ":only_path => true"
+            end
+            @evidences = ret unless ret.empty?
+            return @evidences.empty?
+          end
+        end
+      end
+    end
+  end
+end

data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/command_injection.rb

@@ -0,0 +1,30 @@
+module Codesake
+  module Dawn 
+    module Kb
+      module OwaspRorCheatSheet
+        class CommandInjection
+          include PatternMatchCheck
+
+          def initialize
+            message = "Ruby offers a function called \"eval\" which will dynamically build new Ruby code based on Strings. It also has a number of ways to call system commands. While the power of these commands is quite useful, extreme care should be taken when using them in a Rails based application. Usually, its just a bad idea. If need be, a whitelist of possible values should be used and any input should be validated as thoroughly as possible. The Ruby Security Reviewer's Guide has a section on injection and there are a number of OWASP references for it, starting at the top: Command Injection."
+
+            super({
+              :name=>"Owasp Ror CheatSheet: Command Injection",
+              :kind=>Codesake::Dawn::KnowledgeBase::PATTERN_MATCH_CHECK,
+              :applies=>["rails"],
+              :glob=>"*.rb",
+              :aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
+              :message=>message,
+              :attack_pattern => ["eval", "System", "\`", "Kernel.exec"],
+              :avoid_comments => true,
+              :check_family=>:owasp_ror_cheatsheet,
+              :severity=>:info,
+              :mitigation=>"Please validate the code you pass as argument to eval, System, Kernel.exec and friends. If you generate your command line with user controlled values, can lead to an arbitrary code execution."
+            })
+            # @debug = true
+          end
+        end
+      end
+    end
+  end
+end

data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/csrf.rb

@@ -0,0 +1,31 @@
+module Codesake
+  module Dawn
+    module Kb
+      module OwaspRorCheatSheet
+        class Csrf
+          include PatternMatchCheck
+
+          def initialize
+            message = "Ruby on Rails has specific, built in support for CSRF tokens. To enable it, or ensure that it is enabled, find the base ApplicationController and look for the protect_from_forgery directive. Note that by default Rails does not provide CSRF protection for any HTTP GET request."
+
+            super({
+              :name=>"Owasp Ror CheatSheet: Cross Site Request Forgery",
+              :kind=>Codesake::Dawn::KnowledgeBase::PATTERN_MATCH_CHECK,
+              :applies=>["rails"],
+              :glob=>"application_controller.rb",
+              :aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
+              :message=>message,
+              :attack_pattern => ["protect_from_forgery"],
+              :negative_search=>true,
+              :mitigation=>"Make sure you are using Rails protect_from_forgery facilities in application_controller.rMake sure you are using Rails protect_from_forgery facilities in application_controller.rb",
+              :severity=>:info,
+              :check_family=>:owasp_ror_cheatsheet
+            })
+            # @debug = true
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model.rb

@@ -0,0 +1,35 @@
+module Codesake
+  module Dawn
+    module Kb
+      module OwaspRorCheatSheet
+
+        class MassAssignmentInModel
+
+           include PatternMatchCheck
+
+          def initialize
+            message = "Although the major issue with Mass Assignment has been fixed by default in base Rails specifically when generating new projects, it still applies to older and upgraded projects so it is important to understand the issue and to ensure that only attributes that are intended to be modifiable are exposed."
+
+            super({
+              :name=>"Owasp Ror CheatSheet: Mass Assignement in model",
+              :kind=>Codesake::Dawn::KnowledgeBase::PATTERN_MATCH_CHECK,
+              :applies=>["rails"],
+              :glob=>"**/model/*.rb",
+              :aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
+              :message=>message,
+              :attack_pattern => ["attr_accessor"],
+              :negative_search=>false,
+              :avoid_comments=>true,
+              :check_family=>:owasp_ror_cheatsheet,
+              :severity=>:info,
+              :evidences=>["In one or more of your models, you use attr_accessor attribute modifier. This is risky since it exposes you to a massive assignment vulnerability. You have to carefully handle how your model receive data by setting all attribute to attr_reader and using a setter method validating input before saving to database."],
+              :mitigation=>"Avoid attr_accessor attribute modifier in your models. You must use attr_reader as modifier and carefully filter your inputs before passing to the database layer."
+            })
+            # @debug = true
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/security_related_headers.rb

@@ -0,0 +1,38 @@
+module Codesake
+  module Dawn
+    module Kb
+      module OwaspRorCheatSheet
+        class SecurityRelatedHeaders
+          include PatternMatchCheck
+
+          def initialize
+            message = "To set a header value, simply access the response.headers object as a hash inside your controller (often in a before/after_filter). Rails 4 provides the \"default_headers\" functionality that will automatically apply the values supplied. This works for most headers in almost all cases."
+
+            super({
+              :name=>"Owasp Ror CheatSheet: Security Related Headers",
+              :kind=>Codesake::Dawn::KnowledgeBase::PATTERN_MATCH_CHECK,
+              :applies=>["rails"],
+              :glob=>"**/controllers/*.rb",
+              :aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
+              :message=>message,
+              :attack_pattern => [
+                "response.headers\\['X-Frame-Options'\\] = 'DENY'",
+                "response.headers\\['X-Content-Type-Options'\\] = 'nosniff'",
+                "response.headers\\['X-XSS-Protection'\\] = '1'",
+                "ActionDispatch::Response.default_headers = {
+                    'X-Frame-Options' => 'DENY',
+                    'X-Content-Type-Options' => 'nosniff',
+                    'X-XSS-Protection' => '1;'
+                  }"],
+              :negative_search=>true,
+              :check_family=>:owasp_ror_cheatsheet,
+              :severity=>:info,
+              :mitigation=>"Use response headers like X-Frame-Options, X-Content-Type-Options, X-XSS-Protection in your project."
+            })
+          end
+        end
+      end
+    end
+  end
+end
+

data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/sensitive_files.rb

@@ -0,0 +1,31 @@
+module Codesake
+  module Dawn
+    module Kb
+      module OwaspRorCheatSheet
+
+        class SensitiveFiles
+          include PatternMatchCheck
+
+          def initialize
+            message = "Many Ruby on Rails apps are open source and hosted on publicly available source code repositories. Whether that is the case or the code is committed to a corporate source control system, there are certain files that should be either excluded or carefully managed." 
+
+            super({
+              :name=>"Owasp Ror CheatSheet: Sensitive Files",
+              :kind=>Codesake::Dawn::KnowledgeBase::PATTERN_MATCH_CHECK,
+              :applies=>["rails"],
+              :glob=>".gitignore",
+              :aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
+              :message=>message,
+              :check_family=>:owasp_ror_cheatsheet,
+              :severity=>:info,
+              :attack_pattern => ["/config/database.yml", "/config/initializers/secret_token.rb", "/db/seeds.rb", "/db/*.sqlite3"],
+              :mitigation=>"Put sensitive files in your repository gitignore file"
+            })
+            # @debug = true
+
+          end
+        end
+      end
+    end
+  end
+end