dradis-burp 3.18.0

data/README.md

@@ -0,0 +1,29 @@
+# Burp Scanner plugin for Dradis
+
+[![Build Status](https://secure.travis-ci.org/dradis/dradis-burp.png?branch=master)](http://travis-ci.org/dradis/dradis-burp) [![Code Climate](https://codeclimate.com/github/dradis/dradis-burp.png)](https://codeclimate.com/github/dradis/dradis-burp.png)
+
+
+Upload Burp Scanner XML export files into Dradis.
+
+The add-on requires [Dradis CE](https://dradisframework.org/) > 3.0, or [Dradis Pro](https://dradisframework.com/pro/).
+
+
+
+## More information
+
+See the Dradis Framework's [README.md](https://github.com/dradis/dradisframework/blob/master/README.md)
+
+
+## Contributing
+
+See the Dradis Framework's [CONTRIBUTING.md](https://github.com/dradis/dradisframework/blob/master/CONTRIBUTING.md)
+
+
+## License
+
+Dradis Framework and all its components are released under [GNU General Public License version 2.0](http://www.gnu.org/licenses/old-licenses/gpl-2.0.html) as published by the Free Software Foundation and appearing in the file LICENSE included in the packaging of this file.
+
+
+## Feature requests and bugs
+
+Please use the [Dradis Framework issue tracker](https://github.com/dradis/dradis-ce/issues) for add-on improvements and bug reports.

data/Rakefile

@@ -0,0 +1 @@
+require "bundler/gem_tasks"

data/dradis-burp.gemspec

@@ -0,0 +1,34 @@
+$:.push File.expand_path('../lib', __FILE__)
+require 'dradis/plugins/burp/version'
+version = Dradis::Plugins::Burp::VERSION::STRING
+
+# Describe your gem and declare its dependencies:
+Gem::Specification.new do |spec|
+  spec.platform    = Gem::Platform::RUBY
+  spec.name        = 'dradis-burp'
+  spec.version     = version
+  spec.summary     = 'Burp Scanner upload plugin for the Dradis Framework.'
+  spec.description = 'This plugin allows you to upload and parse output produced from Portswigger\'s Burp Scanner into Dradis.'
+
+  spec.license     = 'GPL-2'
+
+  spec.authors     = ['Daniel Martin']
+  spec.email       = ['etd@nomejortu.com']
+  spec.homepage    = 'http://dradisframework.org'
+
+  spec.files       = `git ls-files`.split($\)
+  spec.executables = spec.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  spec.test_files  = spec.files.grep(%r{^(test|spec|features)/})
+
+  # By not including Rails as a dependency, we can use the gem with different
+  # versions of Rails (a sure recipe for disaster, I'm sure), which is needed
+  # until we bump Dradis Pro to 4.1.
+  # s.add_dependency 'rails', '~> 4.1.1'
+  spec.add_dependency 'dradis-plugins', '~> 3.6'
+  spec.add_dependency 'nokogiri', '~> 1.3'
+
+  spec.add_development_dependency 'bundler'
+  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'rspec-rails'
+  spec.add_development_dependency 'combustion', '~> 0.5.2'
+end

data/lib/burp/html/issue.rb

@@ -0,0 +1,157 @@
+module Burp
+  module Html
+  # This class represents each of the issue elements in the Burp
+  # Scanner HTML document: all elemennts from a span.BODH0 until the next
+  # span.BODH0 (the next one excluded).
+  #
+  # It provides a convenient way to access the information scattered all over
+  # the HTML.
+  class Issue < ::Burp::Issue
+    # Accepts a Nokogiri::XML::NodeSet
+    def initialize(html)
+      @html = Nokogiri::HTML(html.to_s)
+    end
+
+    # List of supported tags
+    def supported_tags
+      [
+        # tags with contents retrieved from inside the span header
+        :name, :type,
+
+        # tags with contents retrieved following the span header
+        :background, :detail,
+        :references, :remediation_background, :remediation_detail,
+        :request, :request_1, :request_2, :request_3,
+        :response, :response_1, :response_2, :response_3,
+        :vulnerability_classifications
+      ] + summary_table_tags
+    end
+
+    def header
+      @header ||= @html.at_css('span')
+    end
+
+    def name
+      @name ||= header.text.gsub(/^\d+\.\S/, '')
+    end
+
+    # Link looks like: https://portswigger.net/kb/issues/00200400_flash-cross-domain-policy
+    # We use that 00200400 as type since in that page it calls it 'Type index'
+    def type
+      @type ||=
+        if header_link = header.at_css('a')
+          header_link.attr('href').to_s[/\/([0-9a-f]+)_.*/, 1].to_i(16)
+        else
+          nil
+        end
+    end
+
+    # This method is invoked by Ruby when a method that is not defined in this
+    # instance is called.
+    #
+    # In our case we inspect the @method@ parameter and try to find the
+    # corresponding header in our HTML, then return the following text.
+    def method_missing(method, *args)
+      # We could remove this check and return nil for any non-recognized tag.
+      # The problem would be that it would make tricky to debug problems with
+      # typos. For instance: <>.potr would return nil instead of raising an
+      # exception
+      unless supported_tags.include?(method)
+        super
+        return
+      end
+
+      # First we try the h2 headers.
+      translations_table = {
+        background: ['Issue background', 'Issue description'],
+        detail: 'Issue detail',
+        references: 'References',
+        remediation_background: ['Remediation background', 'Issue remediation'],
+        remediation_detail: 'Remediation detail',
+        request: 'Request',
+        request_1: 'Request 1',
+        request_2: 'Request 2',
+        request_3: 'Request 3',
+        response: 'Response',
+        response_1: 'Response 1',
+        response_2: 'Response 2',
+        response_3: 'Response 3',
+        serial_number: 'Serial number',
+        vulnerability_classifications: 'Vulnerability classifications'
+      }
+
+      # look for the h2 headers in the html fragment
+      method_names = translations_table.fetch(method, method.to_s)
+      method_names = [method_names].flatten
+
+      h2 = nil
+      method_names.each do |method_name|
+        h2 = @html.xpath("//h2[text()='#{method_name}']").first
+        break if h2
+      end
+
+      if h2
+        content =
+          if h2.text =~ /^(Request|Response)/
+            cleanup_request_response_html(h2.next_element.inner_html)
+          else
+            cleanup_html(h2.next_element.inner_html)
+          end
+
+        return content
+      end
+
+      # look inside the summary table in the html fragment
+      summary[method]
+    end
+
+    private
+
+    # In Request/Response html snippets we don't want to cleanup the whole
+    # html as we ususally do. The snippets may contain html code to be displayed,
+    # and we don't want to convert that to textile.
+    def cleanup_request_response_html(source)
+      result = source.dup
+
+      result.gsub!(/<b>(.*?)<\/b>/, '\1')
+      result.gsub!(/<br>|<\/br>/){"\n"}
+      result.gsub!(/<span.*?>/, '')
+      result.gsub!(/<\/span>/, '')
+
+      result.gsub!(/&quot;/, '"')
+      result.gsub!(/&amp;/, '&')
+      result.gsub!(/&lt;/, '<')
+      result.gsub!(/&gt;/, '>')
+      result.gsub!(/&nbsp;/, ' ')
+
+      result
+    end
+
+    # Returns the summary table in the HTML fragment as a Hash
+    def summary
+      @summary ||= begin
+        @summary = {}
+        h2 = @html.search("h2[text()='Summary']").first
+        return @summary if h2.nil?
+
+        table = h2.next_element
+
+        summary_table_tags.each do |tag|
+          td = table.search("td:starts-with('#{tag.to_s.capitalize}:')").first
+          @summary[tag] = td.next_element.text
+        end
+
+        @summary
+      end
+    end
+
+    # List of supported tags to obtain from the summary html table
+    def summary_table_tags
+      [
+        :confidence, :host, :path, :severity
+      ]
+    end
+
+  end
+  end
+end

data/lib/burp/issue.rb

@@ -0,0 +1,43 @@
+module Burp
+  # We use this string to replace invalid UTF-8 bytes with.
+  INVALID_UTF_REPLACE = '<?>'
+
+  class Issue
+
+    # This allows external callers (and specs) to check for implemented
+    # properties
+    def respond_to?(method, include_private=false)
+      return true if supported_tags.include?(method.to_sym)
+      super
+    end
+
+    private
+
+    def cleanup_html(source)
+      result = source.dup
+      result.gsub!(/&quot;/, '"')
+      result.gsub!(/&amp;/, '&')
+      result.gsub!(/&lt;/, '<')
+      result.gsub!(/&gt;/, '>')
+      result.gsub!(/&nbsp;/, ' ')
+
+      result.gsub!(/<b>(.*?)<\/b>/, '*\1*')
+      result.gsub!(/<br>|<\/br>/){"\n"}
+      result.gsub!(/<font.*?>(.*?)<\/font>/m, '\1')
+      result.gsub!(/<h\d?>(.*?)<\/h\d?>/, '*\1*')
+      result.gsub!(/<i>(.*?)<\/i>/, '\1')
+      result.gsub!(/<p>|<\/p>/){"\n"}
+      result.gsub!(/<pre.*?>(.*?)<\/pre>/m){|m| "\n\nbc.. #{ $1 }\n\np.  \n" }
+
+      result.gsub!(/<ul>(.*?)<\/ul>/m){|m| "#{ $1 }\n"}
+      result.gsub!(/<li>(.*?)<\/li>/m){|m| "\n* #{ $1 }"}
+      result.gsub!(/<a href=\"(.*?)\">(.*?)<\/a>/im) { "\"#{$2.strip}\":#{$1.strip}" }
+
+      result.gsub!(/<table>(.*?)<\/table>/m){|m| "\n\n#{ $1 }\n\n" }
+      result.gsub!(/<tr>(.*?)<\/tr>/m){|m| "|#{ $1 }\n" }
+      result.gsub!(/<td>(.*?)<\/td>/, '\1|')
+
+      result
+    end
+  end
+end

data/lib/burp/xml/issue.rb

@@ -0,0 +1,127 @@
+module Burp
+  module Xml
+
+  # This class represents each of the /issues/issue elements in the Burp
+  # Scanner XML document.
+  #
+  # It provides a convenient way to access the information scattered all over
+  # the XML in attributes and nested tags.
+  #
+  # Instead of providing separate methods for each supported property we rely
+  # on Ruby's #method_missing to do most of the work.
+  class Issue < ::Burp::Issue
+
+    # Accepts an XML node from Nokogiri::XML.
+    def initialize(xml_node)
+      @xml = xml_node
+    end
+
+    # List of supported tags. They can be attributes, simple descendants or
+    # collections (e.g. <references/>, <tags/>)
+    def supported_tags
+      [
+        # attributes
+
+        # simple tags
+        :background, :confidence, :detail, :host, :location, :name, :path,
+        :references, :remediation_background, :remediation_detail,
+        :serial_number, :severity, :type,
+        :vulnerability_classifications,
+
+        # nested tags
+        :request, :response
+      ]
+    end
+
+    # This method is invoked by Ruby when a method that is not defined in this
+    # instance is called.
+    #
+    # In our case we inspect the @method@ parameter and try to find the
+    # attribute, simple descendent or collection that it maps to in the XML
+    # tree.
+    def method_missing(method, *args)
+
+      # We could remove this check and return nil for any non-recognized tag.
+      # The problem would be that it would make tricky to debug problems with
+      # typos. For instance: <>.potr would return nil instead of raising an
+      # exception
+      unless supported_tags.include?(method)
+        super
+        return
+      end
+
+      # First we try the attributes. In Ruby we use snake_case, but in XML
+      # CamelCase is used for some attributes
+      translations_table = {
+        background: 'issueBackground',
+        detail: 'issueDetail',
+        remediation_background: 'remediationBackground',
+        remediation_detail: 'remediationDetail',
+        vulnerability_classifications: 'vulnerabilityClassifications',
+        serial_number: 'serialNumber'
+      }
+
+      method_name = translations_table.fetch(method, method.to_s)
+
+      # no attributes in the <issue> node
+      # return @xml.attributes[method_name].value if @xml.attributes.key?(method_name)
+
+      # Then we try simple children tags: name, type, ...
+      tag = @xml.xpath("./#{method_name}").first
+      if tag && !tag.text.blank?
+        if tags_with_html_content.include?(method)
+          return cleanup_html(tag.text)
+        else
+          return tag.text
+        end
+      end
+
+      if (['request', 'response'].include?(method_name))
+        requestresponse_child(method_name)
+      else
+        # nothing found, the tag is valid but not present in this ReportItem
+        return nil
+      end
+    end
+
+    private
+
+    # Some of the values have embedded HTML content that we need to strip
+    def tags_with_html_content
+      [:background, :detail, :remediation_background, :remediation_detail, :references, :vulnerability_classifications]
+    end
+
+    def requestresponse_child(field)
+      return 'n/a' unless @xml.at('requestresponse') && @xml.at("requestresponse/#{field}")
+
+      xml_node = @xml.at("requestresponse/#{field}")
+      result = "[unprocessable #{field}]"
+
+      if xml_node['base64'] == 'true'
+        result = Base64::strict_decode64(xml_node.text)
+
+        # don't pass binary data to the DB.
+        if result =~ /\0/
+          header, _ = result.split("\r\n\r\n")
+          result = header << "\r\n\r\n" << '[Binary Data Not Displayed]'
+        end
+      else
+        result = xml_node.text
+      end
+
+      # Just in case a null byte was left by Burp
+      result.gsub!(/\0/,'&#00;')
+
+      # We truncate the request/response because it can be pretty big.
+      # If it is > 1M MySQL will die when trying to INSERT
+      #
+      # TODO: maybe add a reference to this node's XPATH so the user can go
+      # back to the burp scanner file and look up the original request/response
+      result.truncate(50000, omission: '... (truncated)')
+
+      # Encode the string to UTF-8 to catch invalid bytes.
+      result.encode('utf-8', invalid: :replace, undef: :replace, replace: ::Burp::INVALID_UTF_REPLACE)
+    end
+  end
+end
+end

data/lib/dradis-burp.rb

@@ -0,0 +1,10 @@
+# Hook to the framework base clases
+require 'dradis-plugins'
+
+# Load this add-on's engine
+require 'dradis/plugins/burp'
+
+# Load supporting Burp classes
+require 'burp/issue'
+require 'burp/html/issue'
+require 'burp/xml/issue'

data/lib/dradis/plugins/burp.rb

@@ -0,0 +1,12 @@
+module Dradis
+  module Plugins
+    module Burp
+    end
+  end
+end
+
+require 'dradis/plugins/burp/engine'
+require 'dradis/plugins/burp/field_processor'
+require 'dradis/plugins/burp/html/importer'
+require 'dradis/plugins/burp/version'
+require 'dradis/plugins/burp/xml/importer'

data/lib/dradis/plugins/burp/engine.rb

@@ -0,0 +1,25 @@
+module Dradis
+  module Plugins
+    module Burp
+      class Engine < ::Rails::Engine
+        isolate_namespace Dradis::Plugins::Burp
+
+        include ::Dradis::Plugins::Base
+        description 'Processes Burp Scanner output'
+        provides :upload
+
+        # Because this plugin provides two export modules, we have to overwrite
+        # the default .uploaders() method.
+        #
+        # See:
+        #  Dradis::Plugins::Upload::Base in dradis-plugins
+        def self.uploaders
+          [
+            Dradis::Plugins::Burp::Html,
+            Dradis::Plugins::Burp::Xml
+          ]
+        end
+      end
+    end
+  end
+end