dradis-acunetix 3.6.0

data/lib/acunetix/report_item.rb

@@ -0,0 +1,165 @@
+module Acunetix
+  # This class represents each of the /ScanGroup/Scan/ReportItems/ReportItem
+  # elements in the Acunetix XML document.
+  #
+  # It provides a convenient way to access the information scattered all over
+  # the XML in attributes and nested tags.
+  #
+  # Instead of providing separate methods for each supported property we rely
+  # on Ruby's #method_missing to do most of the work.
+  class ReportItem
+    attr_accessor :xml
+
+    # Accepts an XML node from Nokogiri::XML.
+    def initialize(xml_node)
+      @xml = xml_node
+    end
+
+    # List of supported tags. They can be attributes, simple descendans or
+    # collections.
+    def supported_tags
+      [
+        # attributes
+        # :color
+
+        # simple tags
+        :name, :module_name, :severity, :type, :impact, :description,
+        :detailed_information, :recommendation, :cwe,
+
+        # tags that correspond to Evidence
+        :details, :affects, :parameter, :aop_source_file, :aop_source_line,
+        :aop_additional, :is_false_positive,
+
+
+        # nested tags
+        :request, :response,
+        :cvss_descriptor, :cvss_score,
+        :cvss3_descriptor, :cvss3_score, :cvss3_tempscore, :cvss3_envscore,
+
+        # multiple tags
+        :cve_list, :references
+        ]
+    end
+
+    # This allows external callers (and specs) to check for implemented
+    # properties
+    def respond_to?(method, include_private=false)
+      return true if supported_tags.include?(method.to_sym)
+      super
+    end
+
+    # This method is invoked by Ruby when a method that is not defined in this
+    # instance is called.
+    #
+    # In our case we inspect the @method@ parameter and try to find the
+    # attribute, simple descendent or collection that it maps to in the XML
+    # tree.
+    def method_missing(method, *args)
+
+      # We could remove this check and return nil for any non-recognized tag.
+      # The problem would be that it would make tricky to debug problems with
+      # typos. For instance: <>.potr would return nil instead of raising an
+      # exception
+      unless supported_tags.include?(method)
+        super
+        return
+      end
+
+      # Any fields where a simple .camelcase() won't work we need to translate,
+      # this includes acronyms (e.g. :cwe would become 'Cwe') and simple nested
+      # tags.
+      translations_table = {
+                    cwe: 'CWE',
+        aop_source_file: 'AOPSourceFile',
+        aop_source_line: 'AOPSourceLine',
+         aop_additional: 'AOPAdditional',
+                request: 'TechnicalDetails/Request',
+               response: 'TechnicalDetails/Response',
+        cvss_descriptor: 'CVSS/Descriptor',
+             cvss_score: 'CVSS/Score',
+       cvss3_descriptor: 'CVSS3/Descriptor',
+            cvss3_score: 'CVSS3/Score',
+        cvss3_tempscore: 'CVSS3/TempScore',
+         cvss3_envscore: 'CVSS3/EnvScore'
+      }
+      method_name = translations_table.fetch(method, method.to_s.camelcase)
+      # first we try the attributes:
+      # return @xml.attributes[method_name].value if @xml.attributes.key?(method_name)
+
+
+      # There is a ./References tag, but we want to short-circuit that one to
+      # do custom processing.
+      return references_list() if method == :references
+
+      # then we try the children tags
+      tag = xml.at_xpath("./#{method_name}")
+      if tag && !tag.text.blank?
+        if tags_with_html_content.include?(method)
+          return cleanup_html(tag.text)
+        elsif tags_with_commas.include?(method)
+          return cleanup_decimals(tag.text)
+        else
+          return tag.text
+        end
+      else
+        'n/a'
+      end
+
+      return 'unimplemented'   if method == :cve_list
+
+      # nothing found
+      return nil
+    end
+
+    private
+
+    def cleanup_html(source)
+      result = source.dup
+      result.gsub!(/&quot;/, '"')
+      result.gsub!(/&amp;/, '&')
+      result.gsub!(/&lt;/, '<')
+      result.gsub!(/&gt;/, '>')
+
+      result.gsub!(/<b>(.*?)<\/b>/) { "*#{$1.strip}*" }
+      result.gsub!(/<br\/>/, "\n")
+      result.gsub!(/<font.*?>(.*?)<\/font>/m, '\1')
+      result.gsub!(/<h2>(.*?)<\/h2>/) { "*#{$1.strip}*" }
+      result.gsub!(/<i>(.*?)<\/i>/, '\1')
+      result.gsub!(/<p>(.*?)<\/p>/, '\1')
+      result.gsub!(/<code><pre.*?>(.*?)<\/pre><\/code>/m){|m| "\n\nbc.. #{$1.strip}\n\np.  \n" }
+      result.gsub!(/<pre.*?>(.*?)<\/pre>/m){|m| "\n\nbc.. #{$1.strip}\n\np.  \n" }
+      result.gsub!(/<ul>(.*?)<\/ul>/m){"#{$1.strip}\n"}
+
+      result.gsub!(/<li>(.*?)<\/li>/){"\n* #{$1.strip}"}
+
+      result
+    end
+
+    def cleanup_decimals(source)
+      result = source.dup
+      result.gsub!(/([0-9])\,([0-9])/, '\1.\2')
+      result
+    end
+
+    def references_list
+      references = ''
+      xml.xpath('./References/Reference').each do |xml_reference|
+        references << xml_reference.at_xpath('./Database').text()
+        references << "\n"
+        references << xml_reference.at_xpath('./URL').text()
+        references << "\n\n"
+      end
+      references
+    end
+
+    # Some of the values have embedded HTML conent that we need to strip
+    def tags_with_html_content
+      [:details, :description, :detailed_information, :impact, :recommendation]
+    end
+
+    def tags_with_commas
+      [:cvss3_score, :cvss3_tempscore, :cvss3_envscore]
+    end
+
+  end
+end

data/lib/acunetix/scan.rb

@@ -0,0 +1,93 @@
+module Acunetix
+  # This class represents each of the /ScanGroup/Scan elements in the Acunetix
+  # XML document.
+  #
+  # It provides a convenient way to access the information scattered all over
+  # the XML in attributes and nested tags.
+  #
+  # Instead of providing separate methods for each supported property we rely
+  # on Ruby's #method_missing to do most of the work.
+  class Scan
+    attr_accessor :xml
+    # Accepts an XML node from Nokogiri::XML.
+    def initialize(xml_node)
+      @xml = xml_node
+      unless @xml.name == "Scan"
+        raise "Invalid XML; root node must be called 'Scan'"
+      end
+    end
+
+    # List of supported tags. They are all descendents of the ./Scan node.
+    SUPPORTED_TAGS = [
+        # attributes
+
+        # simple tags
+        :name, :short_name, :start_url, :start_time, :finish_time, :scan_time,
+        :aborted, :responsive, :banner, :os, :web_server, :technologies, :ip,
+        :fqdn, :operating_system, :mac_address, :netbios_name, :scan_start_time,
+        :scan_stop_time
+      ]
+
+    # This allows external callers (and specs) to check for implemented
+    # properties
+    def respond_to?(method, include_private=false)
+      return true if SUPPORTED_TAGS.include?(method.to_sym)
+      super
+    end
+
+    # This method is invoked by Ruby when a method that is not defined in this
+    # instance is called.
+    #
+    # In our case we inspect the @method@ parameter and try to find the
+    # corresponding <tag/> element inside the ./Scan child.
+    def method_missing(method, *args)
+      # We could remove this check and return nil for any non-recognized tag.
+      # The problem would be that it would make tricky to debug problems with
+      # typos. For instance: <>.potr would return nil instead of raising an
+      # exception
+      super and return unless SUPPORTED_TAGS.include?(method)
+
+      if tag = xml.at_xpath("./#{tag_name_for_method(method)}")
+        tag.text
+      else
+        nil
+      end
+    end
+
+
+    def report_items
+      @xml.xpath('./ReportItems/ReportItem')
+    end
+
+
+    def service
+      "port #{start_url_port}, #{banner}"
+    end
+
+
+    def start_url_host
+      start_uri.host
+    end
+    alias_method :hostname, :start_url_host
+
+
+    def start_url_port
+      start_uri.port
+    end
+
+    private
+
+    def start_uri
+      @start_uri ||= URI::parse(start_url)
+    end
+
+    def tag_name_for_method(method)
+      # Any fields where a simple .camelcase() won't work we need to translate,
+      # this includes acronyms (e.g. :scan_url would become 'ScanUrl').
+      {
+        start_url: 'StartURL'
+      }[method] || method.to_s.camelcase
+    end
+
+  end
+end

data/lib/dradis-acunetix.rb

@@ -0,0 +1,9 @@
+# hook to the framework base clases
+require 'dradis-plugins'
+
+# load this add-on's engine
+require 'dradis/plugins/acunetix'
+
+# load supporting Acunetix classes
+require 'acunetix/report_item'
+require 'acunetix/scan'

data/lib/dradis/plugins/acunetix.rb

@@ -0,0 +1,12 @@
+module Dradis
+  module Plugins
+    module Acunetix
+    end
+  end
+end
+
+require 'dradis/plugins/acunetix/engine'
+require 'dradis/plugins/acunetix/field_processor'
+require 'dradis/plugins/acunetix/importer'
+require 'dradis/plugins/acunetix/version'
+

data/lib/dradis/plugins/acunetix/engine.rb

@@ -0,0 +1,9 @@
+module Dradis::Plugins::Acunetix
+  class Engine < ::Rails::Engine
+    isolate_namespace Dradis::Plugins::Acunetix
+
+    include ::Dradis::Plugins::Base
+    description 'Processes Acunetix XML format'
+    provides :upload
+  end
+end

data/lib/dradis/plugins/acunetix/field_processor.rb

@@ -0,0 +1,25 @@
+module Dradis::Plugins::Acunetix
+  # This processor defers to ::Acunetix::Scan for the scan template and to
+  # ::Acunetix::ReportItem for the report_item and evidence templates.
+  class FieldProcessor < Dradis::Plugins::Upload::FieldProcessor
+
+    def post_initialize(args={})
+      if data.name == "Scan"
+        @acunetix_object = ::Acunetix::Scan.new(data)
+      else
+        @acunetix_object = ::Acunetix::ReportItem.new(data)
+      end
+    end
+
+    def value(args={})
+      field = args[:field]
+
+      # fields in the template are of the form <foo>.<field>, where <foo>
+      # is common across all fields for a given template (and meaningless).
+      _, name = field.split('.')
+
+      @acunetix_object.try(name) || 'n/a'
+    end
+  end
+
+end

data/lib/dradis/plugins/acunetix/gem_version.rb

@@ -0,0 +1,19 @@
+module Dradis
+  module Plugins
+    module Acunetix
+      # Returns the version of the currently loaded Acunetix as a <tt>Gem::Version</tt>
+      def self.gem_version
+        Gem::Version.new VERSION::STRING
+      end
+
+      module VERSION
+        MAJOR = 3
+        MINOR = 6
+        TINY = 0
+        PRE = nil
+
+        STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
+      end
+    end
+  end
+end

data/lib/dradis/plugins/acunetix/importer.rb

@@ -0,0 +1,62 @@
+module Dradis::Plugins::Acunetix
+  class Importer < Dradis::Plugins::Upload::Importer
+
+    # The framework will call this function if the user selects this plugin from
+    # the dropdown list and uploads a file.
+    # @returns true if the operation was successful, false otherwise
+    def import(params={})
+      file_content    = File.read( params.fetch(:file) )
+
+      logger.info{'Parsing Acunetix output file...'}
+      @doc = Nokogiri::XML( file_content )
+      logger.info{'Done.'}
+
+      if @doc.xpath('/ScanGroup/Scan').empty?
+        error = "No scan results were detected in the uploaded file (/ScanGroup/Scan). Ensure you uploaded an Acunetix XML report."
+        logger.fatal{ error }
+        content_service.create_note text: error
+        return false
+      end
+
+      @doc.xpath('/ScanGroup/Scan').each do |xml_scan|
+        process_scan(xml_scan)
+      end
+
+      return true
+    end # /import
+
+
+    private
+    attr_accessor :scan_node
+
+    def process_scan(xml_scan)
+
+      start_url = URI::parse(xml_scan.at_xpath('./StartURL').text()).host
+
+      self.scan_node = content_service.create_node(label: start_url, type: :host)
+      logger.info{ "\tScan start URL: #{start_url}" }
+
+      scan_note = template_service.process_template(template: 'scan', data: xml_scan)
+      content_service.create_note text: scan_note, node: scan_node
+
+      xml_scan.xpath('./ReportItems/ReportItem').each do |xml_report_item|
+        process_report_item(xml_report_item)
+      end
+    end
+
+    def process_report_item(xml_report_item)
+      plugin_id = "%s/%s" % [
+                              xml_report_item.at_xpath('./ModuleName').text(),
+                              xml_report_item.at_xpath('./Name').text()
+                            ]
+      logger.info{ "\t\t => Creating new issue (plugin_id: #{plugin_id})" }
+
+      issue_text = template_service.process_template(template: 'report_item', data: xml_report_item)
+      issue = content_service.create_issue(text: issue_text, id: plugin_id)
+
+      logger.info{ "\t\t => Creating new evidence" }
+      evidence_content = template_service.process_template(template: 'evidence', data: xml_report_item)
+      content_service.create_evidence(issue: issue, node: scan_node, content: evidence_content)
+    end
+  end
+end

data/lib/dradis/plugins/acunetix/version.rb

@@ -0,0 +1,13 @@
+require_relative 'gem_version'
+
+module Dradis
+  module Plugins
+    module Acunetix
+      # Returns the version of the currently loaded Acunetix as a
+      # <tt>Gem::Version</tt>.
+      def self.version
+        gem_version
+      end
+    end
+  end
+end

data/lib/tasks/thorfile.rb

@@ -0,0 +1,25 @@
+class AcunetixTasks < Thor
+  include Rails.application.config.dradis.thor_helper_module
+  
+  namespace "dradis:plugins:acunetix"
+
+  desc "upload FILE", "upload Acunetix XML results"
+  def upload(file_path)
+    require 'config/environment'
+
+    logger = Logger.new(STDOUT)
+    logger.level = Logger::DEBUG
+
+    unless File.exists?(file_path)
+      $stderr.puts "** the file [#{file_path}] does not exist"
+      exit -1
+    end
+
+    detect_and_set_project_scope
+    importer = Dradis::Plugins::Acunetix::Importer.new(logger: logger)
+    importer.import(file: file_path)
+
+    logger.close
+  end
+
+end

data/spec/dradis-acunetix_spec.rb

@@ -0,0 +1,109 @@
+require 'spec_helper'
+require 'ostruct'
+
+module Dradis::Plugins
+  describe 'Acunetix upload plugin' do
+    before(:each) do
+      # Stub template service
+      templates_dir = File.expand_path('../../templates', __FILE__)
+      allow_any_instance_of(TemplateService).to \
+        receive(:default_templates_dir).and_return(templates_dir)
+
+      @content_service = ContentService.new(plugin: Acunetix)
+      template_service = TemplateService.new(plugin: Acunetix)
+
+      @importer = Acunetix::Importer.new(
+        content_service: @content_service,
+        template_service: template_service
+      )
+
+      # Stub dradis-plugins methods
+      #
+      # They return their argument hashes as objects mimicking
+      # Nodes, Issues, etc
+      allow(@content_service).to receive(:create_node) do |args|
+        OpenStruct.new(args)
+      end
+      allow(@content_service).to receive(:create_note) do |args|
+        OpenStruct.new(args)
+      end
+      allow(@content_service).to receive(:create_issue) do |args|
+        OpenStruct.new(args)
+      end
+      allow(@content_service).to receive(:create_evidence) do |args|
+        OpenStruct.new(args)
+      end
+    end
+
+    it "creates nodes, issues, notes and an evidences as needed" do
+
+      expect(@content_service).to receive(:create_node).with(hash_including label: "testphp.vulnweb.com", type: :host).once
+      expect(@content_service).to receive(:create_note) do |args|
+        expect(args[:text]).to include("#[Title]#\nAcunetix scanner notes (7/10/2014, 11:56:03)")
+        expect(args[:node].label).to eq("testphp.vulnweb.com")
+      end.once
+
+      expect(@content_service).to receive(:create_issue) do |args|
+        expect(args[:text]).to include("#[Title]#\nHTML form without CSRF protection")
+        expect(args[:id]).to eq("Crawler/HTML form without CSRF protection")
+        OpenStruct.new(args)
+      end.once
+
+      expect(@content_service).to receive(:create_issue) do |args|
+        expect(args[:text]).to include("#[Title]#\nClickjacking: X-Frame-Options header missing")
+        expect(args[:id]).to eq("Scripting (Clickjacking_X_Frame_Options.script)/Clickjacking: X-Frame-Options header missing")
+        OpenStruct.new(args)
+      end.once
+
+      expect(@content_service).to receive(:create_evidence) do |args|
+        expect(args[:content]).to include("/")
+        expect(args[:issue].id).to eq("Crawler/HTML form without CSRF protection")
+        expect(args[:node].label).to eq("testphp.vulnweb.com")
+      end.once
+
+      expect(@content_service).to receive(:create_evidence) do |args|
+        expect(args[:content]).to include("Web Server")
+        expect(args[:issue].id).to eq("Scripting (Clickjacking_X_Frame_Options.script)/Clickjacking: X-Frame-Options header missing")
+        expect(args[:node].label).to eq("testphp.vulnweb.com")
+      end.once
+
+      @importer.import(file: 'spec/fixtures/files/simple.acunetix.xml')
+    end
+
+    # Regression test for github.com/dradis/dradis-nexpose/issues/1
+    describe "Source HTML parsing" do
+      it "identifies code/pre blocks and replaces them with the Textile equivalent" do
+
+        expect(@content_service).to receive(:create_issue) do |args|
+          expect(args[:text]).to     include("#[Title]#\nSQL injection (verified)")
+          expect(args[:text]).not_to include("<code>")
+          expect(args[:text]).not_to include("<pre")
+          expect(args[:id]).to        eq("Scripting (Sql_Injection.script)/SQL injection (verified)")
+          OpenStruct.new(args)
+        end.once
+
+        # expect(@content_service).to receive(:create_evidence) do |args|
+        #   expect(args[:content]).to include("Web Server")
+        #   expect(args[:issue].id).to eq("Scripting (Clickjacking_X_Frame_Options.script)")
+        #   expect(args[:node].label).to eq("testphp.vulnweb.com")
+        # end.once
+
+        @importer.import(file: 'spec/fixtures/files/code-pre.acunetix.xml')
+      end
+    end
+
+    # Regression test to make sure that commas are replaced with decimals in the CVSSv3 scores
+    describe "CVSS clean up decimals" do
+      it "identifies commas used as decimals in CVSSv3 scores and replaces them with periods" do
+
+        expect(@content_service).to receive(:create_issue) do |args|
+          expect(args[:text]).to include("#[CVSS3Score]#\n5.3")
+          OpenStruct.new(args)
+        end
+        
+        @importer.import(file: 'spec/fixtures/files/commas-format.acunetix.xml')
+      end
+    end
+
+  end
+end