dradis-burp 3.12.0 → 3.17.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +5 -5
- data/.github/issue_template.md +16 -0
- data/.github/pull_request_template.md +36 -0
- data/CHANGELOG.md +27 -7
- data/dradis-burp.gemspec +1 -1
- data/lib/burp/html/issue.rb +157 -0
- data/lib/burp/issue.rb +1 -118
- data/lib/burp/xml/issue.rb +127 -0
- data/lib/dradis-burp.rb +2 -0
- data/lib/dradis/plugins/burp.rb +2 -1
- data/lib/dradis/plugins/burp/engine.rb +13 -2
- data/lib/dradis/plugins/burp/field_processor.rb +6 -2
- data/lib/dradis/plugins/burp/gem_version.rb +1 -1
- data/lib/dradis/plugins/burp/html/importer.rb +144 -0
- data/lib/dradis/plugins/burp/xml/importer.rb +144 -0
- data/lib/tasks/thorfile.rb +12 -3
- data/spec/burp_upload_spec.rb +110 -6
- data/spec/fixtures/files/burp.html +229 -0
- data/spec/fixtures/files/burp_issue_severity.xml +118 -0
- data/templates/evidence.fields +1 -1
- data/templates/html_evidence.fields +13 -0
- data/templates/html_evidence.sample +36 -0
- data/templates/html_evidence.template +50 -0
- data/templates/issue.fields +4 -3
- data/templates/issue.template +4 -0
- metadata +20 -9
- data/lib/dradis/plugins/burp/importer.rb +0 -138
data/templates/issue.fields
CHANGED
data/templates/issue.template
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: dradis-burp
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 3.
|
4
|
+
version: 3.17.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Daniel Martin
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2020-06-02 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: dradis-plugins
|
@@ -42,16 +42,16 @@ dependencies:
|
|
42
42
|
name: bundler
|
43
43
|
requirement: !ruby/object:Gem::Requirement
|
44
44
|
requirements:
|
45
|
-
- - "
|
45
|
+
- - ">="
|
46
46
|
- !ruby/object:Gem::Version
|
47
|
-
version: '
|
47
|
+
version: '0'
|
48
48
|
type: :development
|
49
49
|
prerelease: false
|
50
50
|
version_requirements: !ruby/object:Gem::Requirement
|
51
51
|
requirements:
|
52
|
-
- - "
|
52
|
+
- - ">="
|
53
53
|
- !ruby/object:Gem::Version
|
54
|
-
version: '
|
54
|
+
version: '0'
|
55
55
|
- !ruby/object:Gem::Dependency
|
56
56
|
name: rake
|
57
57
|
requirement: !ruby/object:Gem::Requirement
|
@@ -102,6 +102,8 @@ executables: []
|
|
102
102
|
extensions: []
|
103
103
|
extra_rdoc_files: []
|
104
104
|
files:
|
105
|
+
- ".github/issue_template.md"
|
106
|
+
- ".github/pull_request_template.md"
|
105
107
|
- ".gitignore"
|
106
108
|
- ".rspec"
|
107
109
|
- CHANGELOG.md
|
@@ -111,23 +113,31 @@ files:
|
|
111
113
|
- README.md
|
112
114
|
- Rakefile
|
113
115
|
- dradis-burp.gemspec
|
116
|
+
- lib/burp/html/issue.rb
|
114
117
|
- lib/burp/issue.rb
|
118
|
+
- lib/burp/xml/issue.rb
|
115
119
|
- lib/dradis-burp.rb
|
116
120
|
- lib/dradis/plugins/burp.rb
|
117
121
|
- lib/dradis/plugins/burp/engine.rb
|
118
122
|
- lib/dradis/plugins/burp/field_processor.rb
|
119
123
|
- lib/dradis/plugins/burp/gem_version.rb
|
120
|
-
- lib/dradis/plugins/burp/importer.rb
|
124
|
+
- lib/dradis/plugins/burp/html/importer.rb
|
121
125
|
- lib/dradis/plugins/burp/version.rb
|
126
|
+
- lib/dradis/plugins/burp/xml/importer.rb
|
122
127
|
- lib/tasks/thorfile.rb
|
123
128
|
- spec/burp_upload_spec.rb
|
129
|
+
- spec/fixtures/files/burp.html
|
124
130
|
- spec/fixtures/files/burp.xml
|
131
|
+
- spec/fixtures/files/burp_issue_severity.xml
|
125
132
|
- spec/fixtures/files/invalid-utf-issue.xml
|
126
133
|
- spec/fixtures/files/without-base64.xml
|
127
134
|
- spec/spec_helper.rb
|
128
135
|
- templates/evidence.fields
|
129
136
|
- templates/evidence.sample
|
130
137
|
- templates/evidence.template
|
138
|
+
- templates/html_evidence.fields
|
139
|
+
- templates/html_evidence.sample
|
140
|
+
- templates/html_evidence.template
|
131
141
|
- templates/issue.fields
|
132
142
|
- templates/issue.sample
|
133
143
|
- templates/issue.template
|
@@ -150,14 +160,15 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
150
160
|
- !ruby/object:Gem::Version
|
151
161
|
version: '0'
|
152
162
|
requirements: []
|
153
|
-
|
154
|
-
rubygems_version: 2.6.12
|
163
|
+
rubygems_version: 3.0.1
|
155
164
|
signing_key:
|
156
165
|
specification_version: 4
|
157
166
|
summary: Burp Scanner upload plugin for the Dradis Framework.
|
158
167
|
test_files:
|
159
168
|
- spec/burp_upload_spec.rb
|
169
|
+
- spec/fixtures/files/burp.html
|
160
170
|
- spec/fixtures/files/burp.xml
|
171
|
+
- spec/fixtures/files/burp_issue_severity.xml
|
161
172
|
- spec/fixtures/files/invalid-utf-issue.xml
|
162
173
|
- spec/fixtures/files/without-base64.xml
|
163
174
|
- spec/spec_helper.rb
|
@@ -1,138 +0,0 @@
|
|
1
|
-
module Dradis::Plugins::Burp
|
2
|
-
class Importer < Dradis::Plugins::Upload::Importer
|
3
|
-
|
4
|
-
# The framework will call this function if the user selects this plugin from
|
5
|
-
# the dropdown list and uploads a file.
|
6
|
-
# @returns true if the operation was successful, false otherwise
|
7
|
-
def import(params = {})
|
8
|
-
file_content = File.read(params[:file])
|
9
|
-
|
10
|
-
if file_content =~ /base64="false"/
|
11
|
-
error = "Burp input contains HTTP request / response data that hasn't been Base64-encoded.\n"
|
12
|
-
error << 'Please re-export your scanner results making sure the Base-64 encode option is selected.'
|
13
|
-
|
14
|
-
logger.fatal{ error }
|
15
|
-
content_service.create_note text: error
|
16
|
-
return false
|
17
|
-
end
|
18
|
-
|
19
|
-
logger.info { 'Parsing Burp Scanner output file...' }
|
20
|
-
doc = Nokogiri::XML(file_content)
|
21
|
-
logger.info { 'Done.' }
|
22
|
-
|
23
|
-
if doc.root.name != 'issues'
|
24
|
-
error = "Document doesn't seem to be in the Burp Scanner XML format."
|
25
|
-
logger.fatal { error }
|
26
|
-
content_service.create_note text: error
|
27
|
-
return false
|
28
|
-
end
|
29
|
-
|
30
|
-
# This will be filled in by the Processor while iterating over the issues
|
31
|
-
@hosts = []
|
32
|
-
@affected_host = nil
|
33
|
-
@issue_text = nil
|
34
|
-
@evidence_text = nil
|
35
|
-
|
36
|
-
doc.xpath('issues/issue').each do |xml_issue|
|
37
|
-
process_issue(xml_issue)
|
38
|
-
end
|
39
|
-
|
40
|
-
logger.info { 'Burp Scanner results successfully imported' }
|
41
|
-
true
|
42
|
-
end
|
43
|
-
|
44
|
-
private
|
45
|
-
|
46
|
-
# Creates the Nodes/properties
|
47
|
-
def process_issue(xml_issue)
|
48
|
-
host_label = xml_issue.at('host')['ip']
|
49
|
-
host_label = xml_issue.at('host').text if host_label.empty?
|
50
|
-
affected_host = content_service.create_node(label: host_label, type: :host)
|
51
|
-
logger.info { "\taffects: #{host_label}" }
|
52
|
-
|
53
|
-
unless @hosts.include?(affected_host.label)
|
54
|
-
@hosts << affected_host.label
|
55
|
-
url = xml_issue.at('host').text
|
56
|
-
affected_host.set_property(:hostname, url)
|
57
|
-
affected_host.save
|
58
|
-
end
|
59
|
-
|
60
|
-
# Burp extensions don't follow the "unique type for every Issue" logic
|
61
|
-
# so we have to deal with them separately
|
62
|
-
if xml_issue.at('type').text.to_str == '134217728'
|
63
|
-
process_extension_issues(affected_host, xml_issue)
|
64
|
-
else
|
65
|
-
process_burp_issues(affected_host, xml_issue)
|
66
|
-
end
|
67
|
-
end
|
68
|
-
|
69
|
-
# If the Issues come from the Burp app, use the type as the plugin_ic
|
70
|
-
def process_burp_issues(affected_host, xml_issue)
|
71
|
-
issue_name = xml_issue.at('name').text
|
72
|
-
issue_type = xml_issue.at('type').text.to_i
|
73
|
-
|
74
|
-
logger.info { "Adding #{issue_name} (#{issue_type})" }
|
75
|
-
|
76
|
-
create_issue(
|
77
|
-
affected_host: affected_host,
|
78
|
-
id: issue_type,
|
79
|
-
xml_issue: xml_issue
|
80
|
-
)
|
81
|
-
end
|
82
|
-
|
83
|
-
# If the Issues come from a Burp extension (type = 134217728), then
|
84
|
-
# use the name (spaces removed) as the plugin_id
|
85
|
-
def process_extension_issues(affected_host, xml_issue)
|
86
|
-
ext_name = xml_issue.at('name').text
|
87
|
-
ext_name = ext_name.gsub!(" ", "")
|
88
|
-
|
89
|
-
logger.info { "Adding #{ext_name}" }
|
90
|
-
|
91
|
-
create_issue(
|
92
|
-
affected_host: affected_host,
|
93
|
-
id: ext_name,
|
94
|
-
xml_issue: xml_issue
|
95
|
-
)
|
96
|
-
end
|
97
|
-
|
98
|
-
def create_issue(affected_host:, id:, xml_issue:)
|
99
|
-
issue_text =
|
100
|
-
template_service.process_template(
|
101
|
-
template: 'issue',
|
102
|
-
data: xml_issue
|
103
|
-
)
|
104
|
-
|
105
|
-
if issue_text.include?(::Burp::INVALID_UTF_REPLACE)
|
106
|
-
logger.info do
|
107
|
-
"\tdetected invalid UTF-8 bytes in your issue. " \
|
108
|
-
"Replacing them with '#{::Burp::INVALID_UTF_REPLACE}'."
|
109
|
-
end
|
110
|
-
end
|
111
|
-
|
112
|
-
issue = content_service.create_issue(text: issue_text, id: id)
|
113
|
-
|
114
|
-
logger.info do
|
115
|
-
"\tadding evidence for this instance to #{affected_host.label}."
|
116
|
-
end
|
117
|
-
|
118
|
-
evidence_text =
|
119
|
-
template_service.process_template(
|
120
|
-
template: 'evidence',
|
121
|
-
data: xml_issue
|
122
|
-
)
|
123
|
-
|
124
|
-
if evidence_text.include?(::Burp::INVALID_UTF_REPLACE)
|
125
|
-
logger.info do
|
126
|
-
"\tdetected invalid UTF-8 bytes in your evidence. " \
|
127
|
-
"Replacing them with '#{::Burp::INVALID_UTF_REPLACE}'."
|
128
|
-
end
|
129
|
-
end
|
130
|
-
|
131
|
-
content_service.create_evidence(
|
132
|
-
issue: issue,
|
133
|
-
node: affected_host,
|
134
|
-
content: evidence_text
|
135
|
-
)
|
136
|
-
end
|
137
|
-
end
|
138
|
-
end
|