dawnscanner 1.4.2 → 1.5.0

data/lib/dawn/kb/owasp_ror_cheatsheet/check_for_backup_files.rb

@@ -1,22 +1,18 @@
-require 'anemone'
-require 'httpclient'
-
-
-# Yes, I was buit just for RubyDay 2012 talk demo
+# It will be completely rewritten in dawnscanner v2.0.0
 #
+# require 'anemone'
+# require 'httpclient'
 
-h=HTTPClient.new()
-Anemone.crawl(ARGV[0]) do |anemone|
-  anemone.on_every_page do |page|
-      response = h.get(page.url)
-      puts "Original: #{page.url}: #{response.code}"
-      response = h.get(page.url.to_s.split(";")[0].concat(".bak"))
-      puts "BAK: #{page.url.to_s.split(";")[0].concat(".bak")}: #{response.code}"
-      response = h.get(page.url.to_s.split(";")[0].concat(".old"))
-      puts "OLD: #{page.url.to_s.split(";")[0].concat(".old")}: #{response.code}"
-      response = h.get(page.url.to_s.split(";")[0].concat("~"))
-      puts "~: #{page.url.to_s.split(";")[0].concat("~")}: #{response.code}"
-  end
-end
-
-# http://localhost:8080/HacmeBooks
+# h=HTTPClient.new()
+# Anemone.crawl(ARGV[0]) do |anemone|
+  # anemone.on_every_page do |page|
+      # response = h.get(page.url)
+      # puts "Original: #{page.url}: #{response.code}"
+      # response = h.get(page.url.to_s.split(";")[0].concat(".bak"))
+      # puts "BAK: #{page.url.to_s.split(";")[0].concat(".bak")}: #{response.code}"
+      # response = h.get(page.url.to_s.split(";")[0].concat(".old"))
+      # puts "OLD: #{page.url.to_s.split(";")[0].concat(".old")}: #{response.code}"
+      # response = h.get(page.url.to_s.split(";")[0].concat("~"))
+      # puts "~: #{page.url.to_s.split(";")[0].concat("~")}: #{response.code}"
+  # end
+# end

data/lib/dawn/kb/owasp_ror_cheatsheet/check_for_safe_redirect_and_forward.rb

@@ -1,12 +1,12 @@
-  module Dawn
-    module Kb
-      module OwaspRorCheatSheet
+module Dawn
+  module Kb
+    module OwaspRorCheatSheet
 
-        class CheckForSafeRedirectAndForward
-          include PatternMatchCheck
+      class CheckForSafeRedirectAndForward
+        include PatternMatchCheck
 
-          def initialize
-            message = <<-EOT
+        def initialize
+          message = <<-EOT
 Web applications often require the ability to dynamically redirect users based
 on client-supplied data. To clarify, dynamic redirection usually entails the
 client including a URL in a parameter within a request to the application. Once
@@ -25,33 +25,33 @@ Example: http://www.example.com/redirect?url=http://badhacker.com
 
 The most basic, but restrictive protection is to use the :only_path option.
 Setting this to true will essentially strip out any host information.
-            EOT
-
-            super({
-              :name=>"Owasp Ror CheatSheet: Check for safe redirect and forward",
-              :kind=>Dawn::KnowledgeBase::PATTERN_MATCH_CHECK,
-              :applies=>["rails"],
-              :glob=>"*.rb",
-              :aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
-              :message=>message,
-              :attack_pattern => ["redirect_to"],
-              :mitigation=>"The most basic, but restrictive protection is to use the :only_path option. Setting this to true will essentially strip out any host information.",
-              :severity=>:info,
-              :check_family=>:owasp_ror_cheatsheet
-            })
-            # @debug = true
+          EOT
+
+          super({
+            :name=>"Owasp Ror CheatSheet: Check for safe redirect and forward",
+            :kind=>Dawn::KnowledgeBase::PATTERN_MATCH_CHECK,
+            :applies=>["rails"],
+            :glob=>"*.rb",
+            :aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
+            :message=>message,
+            :attack_pattern => ["redirect_to"],
+            :mitigation=>"The most basic, but restrictive protection is to use the :only_path option. Setting this to true will essentially strip out any host information.",
+            :severity=>:info,
+            :check_family=>:owasp_ror_cheatsheet
+          })
+          # @debug = true
 
+        end
+        def vuln?
+          super
+          ret = []
+          @evidences.each do |ev|
+            ret << ev unless ev[:matches].include? ":only_path => true"
           end
-          def vuln?
-            super
-            ret = []
-            @evidences.each do |ev|
-              ret << ev unless ev[:matches].include? ":only_path => true"
-            end
-            @evidences = ret unless ret.empty?
-            return @evidences.empty?
-          end
+          @evidences = ret unless ret.empty?
+          return @evidences.empty?
         end
       end
     end
   end
+end

data/lib/dawn/kb/owasp_ror_cheatsheet/command_injection.rb

@@ -1,28 +1,28 @@
-  module Dawn
-    module Kb
-      module OwaspRorCheatSheet
-        class CommandInjection
-          include PatternMatchCheck
+module Dawn
+  module Kb
+    module OwaspRorCheatSheet
+      class CommandInjection
+        include PatternMatchCheck
 
-          def initialize
-            message = "Ruby offers a function called \"eval\" which will dynamically build new Ruby code based on Strings. It also has a number of ways to call system commands. While the power of these commands is quite useful, extreme care should be taken when using them in a Rails based application. Usually, its just a bad idea. If need be, a whitelist of possible values should be used and any input should be validated as thoroughly as possible. The Ruby Security Reviewer's Guide has a section on injection and there are a number of OWASP references for it, starting at the top: Command Injection."
+        def initialize
+          message = "Ruby offers a function called \"eval\" which will dynamically build new Ruby code based on Strings. It also has a number of ways to call system commands. While the power of these commands is quite useful, extreme care should be taken when using them in a Rails based application. Usually, its just a bad idea. If need be, a whitelist of possible values should be used and any input should be validated as thoroughly as possible. The Ruby Security Reviewer's Guide has a section on injection and there are a number of OWASP references for it, starting at the top: Command Injection."
 
-            super({
-              :name=>"Owasp Ror CheatSheet: Command Injection",
-              :kind=>Dawn::KnowledgeBase::PATTERN_MATCH_CHECK,
-              :applies=>["rails"],
-              :glob=>"*.rb",
-              :aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
-              :message=>message,
-              :attack_pattern => ["eval", "System", "\`", "Kernel.exec"],
-              :avoid_comments => true,
-              :check_family=>:owasp_ror_cheatsheet,
-              :severity=>:info,
-              :mitigation=>"Please validate the code you pass as argument to eval, System, Kernel.exec and friends. If you generate your command line with user controlled values, can lead to an arbitrary code execution."
-            })
-            # @debug = true
-          end
+          super({
+            :name=>"Owasp Ror CheatSheet: Command Injection",
+            :kind=>Dawn::KnowledgeBase::PATTERN_MATCH_CHECK,
+            :applies=>["rails"],
+            :glob=>"*.rb",
+            :aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
+            :message=>message,
+            :attack_pattern => ["eval", "System", "\`", "Kernel.exec"],
+            :avoid_comments => true,
+            :check_family=>:owasp_ror_cheatsheet,
+            :severity=>:info,
+            :mitigation=>"Please validate the code you pass as argument to eval, System, Kernel.exec and friends. If you generate your command line with user controlled values, can lead to an arbitrary code execution."
+          })
+          # @debug = true
         end
       end
     end
   end
+end

data/lib/dawn/kb/owasp_ror_cheatsheet/csrf.rb

@@ -1,29 +1,29 @@
-  module Dawn
-    module Kb
-      module OwaspRorCheatSheet
-        class Csrf
-          include PatternMatchCheck
+module Dawn
+  module Kb
+    module OwaspRorCheatSheet
+      class Csrf
+        include PatternMatchCheck
 
-          def initialize
-            message = "Ruby on Rails has specific, built in support for CSRF tokens. To enable it, or ensure that it is enabled, find the base ApplicationController and look for the protect_from_forgery directive. Note that by default Rails does not provide CSRF protection for any HTTP GET request."
-
-            super({
-              :name=>"Owasp Ror CheatSheet: Cross Site Request Forgery",
-              :kind=>Dawn::KnowledgeBase::PATTERN_MATCH_CHECK,
-              :applies=>["rails"],
-              :glob=>"application_controller.rb",
-              :aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
-              :message=>message,
-              :attack_pattern => ["protect_from_forgery"],
-              :negative_search=>true,
-              :mitigation=>"Make sure you are using Rails protect_from_forgery facilities in application_controller.rMake sure you are using Rails protect_from_forgery facilities in application_controller.rb",
-              :severity=>:info,
-              :check_family=>:owasp_ror_cheatsheet
-            })
-            # @debug = true
-          end
+        def initialize
+          message = "Ruby on Rails has specific, built in support for CSRF tokens. To enable it, or ensure that it is enabled, find the base ApplicationController and look for the protect_from_forgery directive. Note that by default Rails does not provide CSRF protection for any HTTP GET request."
 
+          super({
+            :name=>"Owasp Ror CheatSheet: Cross Site Request Forgery",
+            :kind=>Dawn::KnowledgeBase::PATTERN_MATCH_CHECK,
+            :applies=>["rails"],
+            :glob=>"application_controller.rb",
+            :aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
+            :message=>message,
+            :attack_pattern => ["protect_from_forgery"],
+            :negative_search=>true,
+            :mitigation=>"Make sure you are using Rails protect_from_forgery facilities in application_controller.rMake sure you are using Rails protect_from_forgery facilities in application_controller.rb",
+            :severity=>:info,
+            :check_family=>:owasp_ror_cheatsheet
+          })
+          # @debug = true
         end
+
       end
     end
   end
+end

data/lib/dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model.rb

@@ -1,33 +1,33 @@
-  module Dawn
-    module Kb
-      module OwaspRorCheatSheet
+module Dawn
+  module Kb
+    module OwaspRorCheatSheet
 
-        class MassAssignmentInModel
+      class MassAssignmentInModel
 
-           include PatternMatchCheck
+        include PatternMatchCheck
 
-          def initialize
-            message = "Although the major issue with Mass Assignment has been fixed by default in base Rails specifically when generating new projects, it still applies to older and upgraded projects so it is important to understand the issue and to ensure that only attributes that are intended to be modifiable are exposed."
-
-            super({
-              :name=>"Owasp Ror CheatSheet: Mass Assignement in model",
-              :kind=>Dawn::KnowledgeBase::PATTERN_MATCH_CHECK,
-              :applies=>["rails"],
-              :glob=>"**/model/*.rb",
-              :aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
-              :message=>message,
-              :attack_pattern => ["attr_accessor"],
-              :negative_search=>false,
-              :avoid_comments=>true,
-              :check_family=>:owasp_ror_cheatsheet,
-              :severity=>:info,
-              :evidences=>["In one or more of your models, you use attr_accessor attribute modifier. This is risky since it exposes you to a massive assignment vulnerability. You have to carefully handle how your model receive data by setting all attribute to attr_reader and using a setter method validating input before saving to database."],
-              :mitigation=>"Avoid attr_accessor attribute modifier in your models. You must use attr_reader as modifier and carefully filter your inputs before passing to the database layer."
-            })
-            # @debug = true
-          end
+        def initialize
+          message = "Although the major issue with Mass Assignment has been fixed by default in base Rails specifically when generating new projects, it still applies to older and upgraded projects so it is important to understand the issue and to ensure that only attributes that are intended to be modifiable are exposed."
 
+          super({
+            :name=>"Owasp Ror CheatSheet: Mass Assignement in model",
+            :kind=>Dawn::KnowledgeBase::PATTERN_MATCH_CHECK,
+            :applies=>["rails"],
+            :glob=>"**/model/*.rb",
+            :aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
+            :message=>message,
+            :attack_pattern => ["attr_accessor"],
+            :negative_search=>false,
+            :avoid_comments=>true,
+            :check_family=>:owasp_ror_cheatsheet,
+            :severity=>:info,
+            :evidences=>["In one or more of your models, you use attr_accessor attribute modifier. This is risky since it exposes you to a massive assignment vulnerability. You have to carefully handle how your model receive data by setting all attribute to attr_reader and using a setter method validating input before saving to database."],
+            :mitigation=>"Avoid attr_accessor attribute modifier in your models. You must use attr_reader as modifier and carefully filter your inputs before passing to the database layer."
+          })
+          # @debug = true
         end
+
       end
     end
   end
+end

data/lib/dawn/kb/owasp_ror_cheatsheet/sensitive_files.rb

@@ -1,29 +1,29 @@
-  module Dawn
-    module Kb
-      module OwaspRorCheatSheet
+module Dawn
+  module Kb
+    module OwaspRorCheatSheet
 
-        class SensitiveFiles
-          include PatternMatchCheck
+      class SensitiveFiles
+        include PatternMatchCheck
 
-          def initialize
-            message = "Many Ruby on Rails apps are open source and hosted on publicly available source code repositories. Whether that is the case or the code is committed to a corporate source control system, there are certain files that should be either excluded or carefully managed." 
+        def initialize
+          message = "Many Ruby on Rails apps are open source and hosted on publicly available source code repositories. Whether that is the case or the code is committed to a corporate source control system, there are certain files that should be either excluded or carefully managed." 
 
-            super({
-              :name=>"Owasp Ror CheatSheet: Sensitive Files",
-              :kind=>Dawn::KnowledgeBase::PATTERN_MATCH_CHECK,
-              :applies=>["rails"],
-              :glob=>".gitignore",
-              :aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
-              :message=>message,
-              :check_family=>:owasp_ror_cheatsheet,
-              :severity=>:info,
-              :attack_pattern => ["/config/database.yml", "/config/initializers/secret_token.rb", "/db/seeds.rb", "/db/*.sqlite3"],
-              :mitigation=>"Put sensitive files in your repository gitignore file"
-            })
-            # @debug = true
+          super({
+            :name=>"Owasp Ror CheatSheet: Sensitive Files",
+            :kind=>Dawn::KnowledgeBase::PATTERN_MATCH_CHECK,
+            :applies=>["rails"],
+            :glob=>".gitignore",
+            :aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
+            :message=>message,
+            :check_family=>:owasp_ror_cheatsheet,
+            :severity=>:info,
+            :attack_pattern => ["/config/database.yml", "/config/initializers/secret_token.rb", "/db/seeds.rb", "/db/*.sqlite3"],
+            :mitigation=>"Put sensitive files in your repository gitignore file"
+          })
+          # @debug = true
 
-          end
         end
       end
     end
   end
+end

data/lib/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database.rb

@@ -1,31 +1,31 @@
-  module Dawn
-    module Kb
-      module OwaspRorCheatSheet
+module Dawn
+  module Kb
+    module OwaspRorCheatSheet
 
-        class SessionStoredInDatabase
-          include PatternMatchCheck
+      class SessionStoredInDatabase
+        include PatternMatchCheck
 
-          def initialize
-            message = "By default, Ruby on Rails uses a Cookie based session store. What that means is that unless you change something, the session will not expire on the server. That means that some default applications may be vulnerable to replay attacks. It also means that sensitive information should never be put in the session."
+        def initialize
+          message = "By default, Ruby on Rails uses a Cookie based session store. What that means is that unless you change something, the session will not expire on the server. That means that some default applications may be vulnerable to replay attacks. It also means that sensitive information should never be put in the session."
 
-            super({
-              :name=>"Owasp Ror CheatSheet: Session management",
-              :kind=>Dawn::KnowledgeBase::PATTERN_MATCH_CHECK,
-              :applies=>["rails"],
-              :glob=>"session_store.rb",
-              :aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
-              :message=>message,
-              :attack_pattern => ["Application.config.session_store :active_record_store"],
-              :negative_search=>true,
-              :avoid_comments=>true,
-              :check_family=>:owasp_ror_cheatsheet,
-              :severity=>:info,
-              :evidences=>["In your session_store.rb file you are not using ActiveRecord to store session data. This will let rails to use a cookie based session and it can expose your web application to a session replay attack."],
-              :mitigation=>"Use ActiveRecord or the ORM you love most to handle your code session_store. Add \"Application.config.session_store :active_record_store\" to your session_store.rb file."
-            })
-            # @debug = true
-          end
+          super({
+            :name=>"Owasp Ror CheatSheet: Session management",
+            :kind=>Dawn::KnowledgeBase::PATTERN_MATCH_CHECK,
+            :applies=>["rails"],
+            :glob=>"session_store.rb",
+            :aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
+            :message=>message,
+            :attack_pattern => ["Application.config.session_store :active_record_store", "Rails.application.config.session_store ActionDispatch::Session::CacheStore"],
+            :negative_search=>true,
+            :avoid_comments=>true,
+            :check_family=>:owasp_ror_cheatsheet,
+            :severity=>:info,
+            :evidences=>["In your session_store.rb file you are not using ActiveRecord to store session data. This will let rails to use a cookie based session and it can expose your web application to a session replay attack."],
+            :mitigation=>"Use ActiveRecord or the ORM you love most to handle your code session_store. Add \"Application.config.session_store :active_record_store\" to your session_store.rb file."
+          })
+          # @debug = true
         end
       end
     end
   end
+end

data/lib/dawn/kb/version_check.rb

@@ -31,6 +31,8 @@ module Dawn
         debug_me "Safe versions array is #{@safe}"
         debug_me "Deprecated versions array is #{@deprecated}. I'll mark them as vulnerable" unless @deprecated.nil?
         debug_me "Excluded versions array is #{@excluded}. I'll mark them as not vulnerable" unless @excluded.nil?
+        debug_me "SAVE_MINOR FLAG = #{@save_minor}"
+        debug_me "SAVE_MAJOR FLAG = #{@save_major}"
 
         @status = :deprecated if is_detected_deprecated?
         return debug_me_and_return_false("detected version #{detected} is marked to be excluded for vulnerable ones")   if is_detected_excluded?
@@ -162,7 +164,9 @@ module Dawn
         dva = version_string_to_array(@detected)[:version]
         @safe.sort.each do |s|
           sva = version_string_to_array(s)[:version]
+          debug_me("#SVA=#{sva};DVA=#{dva};SM=#{is_same_major?(sva, dva)};sm=#{is_same_minor?(sva, dva)}; ( dva[2] >= sva[2] )=#{(dva[2] >= sva[2])}")
           return true if is_same_major?(sva, dva) && is_same_minor?(sva, dva) && dva[2] >= sva[2] && hm
+          return true if is_same_major?(sva, dva) && hm
         end
         return false
       end

data/lib/dawn/knowledge_base.rb

@@ -7,14 +7,13 @@ require "dawn/kb/operating_system_check"
 require "dawn/kb/combo_check"
 require "dawn/kb/version_check"
 require "dawn/kb/deprecation_check"
+require "dawn/kb/gem_check"
 
 # Q&A related checks
 ## Not revised code
 require "dawn/kb/not_revised_code"
-# require "dawn/kb/owasp_ror_cheatsheet"
 
 ## Owasp ROR Cheatsheet
-
 require 'dawn/kb/owasp_ror_cheatsheet/command_injection'
 require 'dawn/kb/owasp_ror_cheatsheet/csrf'
 require 'dawn/kb/owasp_ror_cheatsheet/session_stored_in_database'
@@ -232,9 +231,9 @@ require "dawn/kb/cve_2014_9490"
 # CVE - 2015
 
 
+require "dawn/kb/cve_2015_1819"
 # CVE-2015-1840 is spread in two classes because a single CVE is assigned to a
-# vulnerability affecting two differents but related gems. An idiot hack to
-# mitigate an idiot decision.
+# vulnerability affecting two differents but related gems.
 require "dawn/kb/cve_2015_1840/cve_2015_1840_a"
 require "dawn/kb/cve_2015_1840/cve_2015_1840_b"
 require "dawn/kb/cve_2015_2963"
@@ -243,6 +242,7 @@ require "dawn/kb/cve_2015_3225"
 require "dawn/kb/cve_2015_3226"
 require "dawn/kb/cve_2015_3227"
 require "dawn/kb/cve_2015_3448"
+require "dawn/kb/cve_2015_4020"
 
 
 # OSVDB
@@ -252,11 +252,17 @@ require "dawn/kb/osvdb_108569"
 require "dawn/kb/osvdb_108570"
 require "dawn/kb/osvdb_108530"
 require "dawn/kb/osvdb_108563"
+require "dawn/kb/osvdb_115654"
+require "dawn/kb/osvdb_116010"
+require "dawn/kb/osvdb_117903"
 require "dawn/kb/osvdb_118579"
 require "dawn/kb/osvdb_118830"
 require "dawn/kb/osvdb_118954"
 require "dawn/kb/osvdb_119878"
 require "dawn/kb/osvdb_119927"
+require "dawn/kb/osvdb_120415"
+require "dawn/kb/osvdb_120857"
+require "dawn/kb/osvdb_121701"
 
 
 
@@ -266,6 +272,7 @@ module Dawn
 
     include Dawn::Utils
 
+    GEM_CHECK           = :rubygem_check
     DEPENDENCY_CHECK    = :dependency_check
     PATTERN_MATCH_CHECK = :pattern_match_check
     RUBY_VERSION_CHECK  = :ruby_version_check
@@ -508,6 +515,7 @@ module Dawn
           Dawn::Kb::CVE_2014_7829.new,
           Dawn::Kb::CVE_2014_8090.new,
           Dawn::Kb::CVE_2014_9490.new,
+          Dawn::Kb::CVE_2015_1819.new,
           Dawn::Kb::CVE_2015_1840_a.new,
           Dawn::Kb::CVE_2015_1840_b.new,
           Dawn::Kb::CVE_2015_2963.new,
@@ -516,6 +524,7 @@ module Dawn
           Dawn::Kb::CVE_2015_3226.new,
           Dawn::Kb::CVE_2015_3227.new,
           Dawn::Kb::CVE_2015_3448.new,
+          Dawn::Kb::CVE_2015_4020.new,
 
 
           # OSVDB Checks are still here since are all about dependencies
@@ -524,11 +533,17 @@ module Dawn
           Dawn::Kb::OSVDB_108570.new,
           Dawn::Kb::OSVDB_108530.new,
           Dawn::Kb::OSVDB_108563.new,
+          Dawn::Kb::OSVDB_115654.new,
+          Dawn::Kb::OSVDB_116010.new,
+          Dawn::Kb::OSVDB_117903.new,
           Dawn::Kb::OSVDB_118579.new,
           Dawn::Kb::OSVDB_118830.new,
           Dawn::Kb::OSVDB_118954.new,
           Dawn::Kb::OSVDB_119878.new,
           Dawn::Kb::OSVDB_119927.new,
+          Dawn::Kb::OSVDB_120415.new,
+          Dawn::Kb::OSVDB_120857.new,
+          Dawn::Kb::OSVDB_121701.new,
       ]
         # END @cve_security_checks array
         # START @owasp_ror_cheatsheet_checks array
@@ -558,6 +573,23 @@ module Dawn
 
           ret
     end
+
+    def self.dump(verbose=false)
+      puts "Security checks currently supported:"
+      i=0
+      self.new.all.each do |check|
+        i+=1
+        if verbose
+          puts "Name: #{check.name}\tCVSS: #{check.cvss_score}\tReleased: #{check.release_date}"
+          puts "Description\n#{check.message}"
+          puts "Remediation\n#{check.remediation}\n\n"
+        else
+          puts "#{check.name}"
+        end
+      end
+      puts "-----\nTotal: #{i}"
+
+    end
   end
 
 end