dradis-burp 3.15.0 → 3.20.0

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 605cb0e23d4b8ad4cd405ce901bb975ee53d11483b8cfb3776df9704dfca44be
4
- data.tar.gz: 01615abac54c53772a8caccdf919d01c1cc8c1a75f6e80f68499b35798920d5c
3
+ metadata.gz: 8f71b741a300650b68fb4e479139f8ba6331489e360d0b6d8afb6efe83c85652
4
+ data.tar.gz: 86d549704e91b887b00ead3c0d10939caf7eaad1a6aac22e15113702662d5bed
5
5
  SHA512:
6
- metadata.gz: c0367719e947781e23abc9c5bdb8efec6f8c39d8f4bec3fe9e733721c5075f3e639db084c01c85351fa97f1d5eeda0ce56114b005f4a13feb5b91489c6d8d8d7
7
- data.tar.gz: 622c926a11e2b55039cf8c64237267adf6870900a7bf458484f095ba2d08320f5029e8692fadf0b0375d5979ed3f530298fa3bfa4bcb262330656d9eab60a35f
6
+ metadata.gz: 45b5a6a5a25eff76f2cc295cad4c303214f2982900ad56630640e3ae21c84d04406f72f10c35712c6080d70124d40fa462ce3af0f1a3a84e3050fffa490198a4
7
+ data.tar.gz: 815997dbb84a517d2256f9e37d537685034972dc72802cfea0c6dc5342b6c5859030aebbe8a409e0f7d494cf3500fcc114d3fc92841bab940e1a289af806dffb
@@ -1,3 +1,25 @@
1
+ ## Dradis Framework 3.20 (December, 2020) ##
2
+
3
+ * Convert highlighted HTML code to Dradis highlight format
4
+ * Make `issue.detail` available at the Evidence level for HTML uploads.
5
+ * Make `issue.location` available at the HTML Evidence level.
6
+
7
+ ## Dradis Framework 3.19 (September, 2020) ##
8
+
9
+ * No changes.
10
+
11
+ ## Dradis Framework 3.18 (July, 2020) ##
12
+
13
+ * No changes.
14
+
15
+ ## Dradis Framework 3.17 (May, 2020) ##
16
+
17
+ * No changes.
18
+
19
+ ## Dradis Framework 3.16 (February, 2020) ##
20
+
21
+ * Update severity fixture for specs.
22
+
1
23
  ## Dradis Framework 3.15 (November, 2019) ##
2
24
 
3
25
  * Make `issue.severity` available at the Issue level.
@@ -19,7 +19,7 @@ module Burp
19
19
  :name, :type,
20
20
 
21
21
  # tags with contents retrieved following the span header
22
- :background, :detail,
22
+ :background, :detail, :location,
23
23
  :references, :remediation_background, :remediation_detail,
24
24
  :request, :request_1, :request_2, :request_3,
25
25
  :response, :response_1, :response_2, :response_3,
@@ -84,6 +84,19 @@ module Burp
84
84
  method_names = translations_table.fetch(method, method.to_s)
85
85
  method_names = [method_names].flatten
86
86
 
87
+ # Process the Location field
88
+ if method.to_s == 'location'
89
+ location = @html.at_xpath('/html/body/span[contains(@class, "BODH1")]')&.text
90
+
91
+ if location
92
+ # Remove the header number from the text.
93
+ # E.g. <span class="BODH1" id="1.1">1.1.&nbsp;/sample/text/</span>
94
+ return location.split(/[[:space:]]/).drop(1).join(' ')
95
+ else
96
+ return 'n/a'
97
+ end
98
+ end
99
+
87
100
  h2 = nil
88
101
  method_names.each do |method_name|
89
102
  h2 = @html.xpath("//h2[text()='#{method_name}']").first
@@ -113,6 +126,9 @@ module Burp
113
126
  def cleanup_request_response_html(source)
114
127
  result = source.dup
115
128
 
129
+ # Highlight code
130
+ result.gsub!(/<span class="HIGHLIGHT">(.+?)<\/span>/, '$${{\1}}$$')
131
+
116
132
  result.gsub!(/<b>(.*?)<\/b>/, '\1')
117
133
  result.gsub!(/<br>|<\/br>/){"\n"}
118
134
  result.gsub!(/<span.*?>/, '')
@@ -8,7 +8,7 @@ module Dradis
8
8
 
9
9
  module VERSION
10
10
  MAJOR = 3
11
- MINOR = 15
11
+ MINOR = 20
12
12
  TINY = 0
13
13
  PRE = nil
14
14
 
@@ -114,11 +114,10 @@ describe 'Burp upload plugin' do
114
114
 
115
115
  it 'returns the highest <severity> at the Issue level' do
116
116
 
117
- # create_issue should be called once for each issue in the xml
118
117
  expect(@content_service).to receive(:create_issue) do |args|
119
118
  expect(args[:id]).to eq(8781630)
120
119
  expect(args[:text]).to include("#[Title]#\nIssue 1")
121
- expect(args[:text]).to include("#[Severity]#\nCritical")
120
+ expect(args[:text]).to include("#[Severity]#\nInformation")
122
121
  OpenStruct.new(args)
123
122
  end
124
123
 
@@ -129,23 +128,23 @@ describe 'Burp upload plugin' do
129
128
  end.once
130
129
  expect(@content_service).to receive(:create_evidence) do |args|
131
130
  expect(args[:content]).to include("#[Severity]#\nHigh")
132
- expect(args[:issue].text).to include("#[Title]#\nIssue 1")
131
+ expect(args[:issue].text).to include("#[Title]#\nIssue 2")
133
132
  expect(args[:node].label).to eq('10.0.0.1')
134
133
  OpenStruct.new(args)
135
134
  end.once
136
135
  expect(@content_service).to receive(:create_evidence) do |args|
137
136
  expect(args[:content]).to include("#[Severity]#\nMedium")
138
- expect(args[:issue].text).to include("#[Title]#\nIssue 1")
137
+ expect(args[:issue].text).to include("#[Title]#\nIssue 3")
139
138
  expect(args[:node].label).to eq('10.0.0.1')
140
139
  end.once
141
140
  expect(@content_service).to receive(:create_evidence) do |args|
142
- expect(args[:content]).to include("#[Severity]#\nCritical")
143
- expect(args[:issue].text).to include("#[Title]#\nIssue 1")
141
+ expect(args[:content]).to include("#[Severity]#\nHigh")
142
+ expect(args[:issue].text).to include("#[Title]#\nIssue 4")
144
143
  expect(args[:node].label).to eq('10.0.0.1')
145
144
  end.once
146
145
  expect(@content_service).to receive(:create_evidence) do |args|
147
146
  expect(args[:content]).to include("#[Severity]#\nLow")
148
- expect(args[:issue].text).to include("#[Title]#\nIssue 1")
147
+ expect(args[:issue].text).to include("#[Title]#\nIssue 5")
149
148
  expect(args[:node].label).to eq('10.0.0.1')
150
149
  end.once
151
150
 
@@ -208,6 +207,7 @@ describe 'Burp upload plugin' do
208
207
  end.once
209
208
  expect(@content_service).to receive(:create_evidence) do |args|
210
209
  expect(args[:content]).to include("Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8")
210
+ expect(args[:content]).to include("#[Location]#\nhttp://1.1.1.1/dradis/sessions")
211
211
  expect(args[:issue].text).to include("#[Title]#\nStrict transport security not enforced")
212
212
  expect(args[:node].label).to eq("github.com/dradis/dradis-burp")
213
213
  end.once
@@ -179,8 +179,13 @@ div.scan_issue_medium_tentative_rpt{width: 32px; height: 32px; background-image:
179
179
  <div class="rule"></div>
180
180
  <h1>Contents</h1>
181
181
  <p class="TOCH0"><a href="#1">1.&nbsp;Strict transport security not enforced</a></p>
182
+ <p class="TOCH1"><a href="#1.1">1.1.&nbsp;http://1.1.1.1/dradis/sessions</a></p>
182
183
  <br><div class="rule"></div>
183
184
  <span class="BODH0" id="1">1.&nbsp;<a href="https://portswigger.net/knowledgebase/issues/details/01000300_stricttransportsecuritynotenforced">Strict transport security not enforced</a></span>
185
+ <br><span class="TEXT">There are 1 instances of this issue:
186
+ <ul>
187
+ <li><a href="#1.1">/dradis/sessions</a></li>
188
+ </ul></span>
184
189
  <br>
185
190
  <h2>Summary</h2>
186
191
  <table cellpadding="0" cellspacing="0" class="summary_table">
@@ -218,6 +223,33 @@ To exploit this vulnerability, an attacker must be suitably positioned to interc
218
223
  <h2>Vulnerability classifications</h2><span class="TEXT"><ul>
219
224
  <li><a href="https://cwe.mitre.org/data/definitions/523.html">CWE-523: Unprotected Transport of Credentials</a></li>
220
225
  </ul></span>
226
+ <br><div class="rule"></div>
227
+ <span class="BODH1" id="2.1">1.1.&nbsp;http://1.1.1.1/dradis/sessions</span>
228
+ <br><a class="PREVNEXT" href="#2.2">Next</a>
229
+ <br>
230
+ <h2>Summary</h2>
231
+ <table cellpadding="0" cellspacing="0" class="summary_table">
232
+ <tr>
233
+ <td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_high_certain_rpt'></div></td>
234
+ <td>Severity:&nbsp;&nbsp;</td>
235
+ <td><b>High</b></td>
236
+ </tr>
237
+ <tr>
238
+ <td>Confidence:&nbsp;&nbsp;</td>
239
+ <td><b>Certain</b></td>
240
+ </tr>
241
+ <tr>
242
+ <td>Host:&nbsp;&nbsp;</td>
243
+ <td><b>http://1.1.1.1</b></td>
244
+ </tr>
245
+ <tr>
246
+ <td>Path:&nbsp;&nbsp;</td>
247
+ <td><b>/dradis/sessions</b></td>
248
+ </tr>
249
+ </table>
250
+ <h2>Issue detail</h2>
251
+ <span class="TEXT">The page contains a form with the following action URL, which is submitted over clear-text HTTP:<ul><li>http://1.1.1.1/dradis/sessions</li></ul>The form contains the following password field:<ul><li>session[password]</li></ul></span>
252
+
221
253
  <h2>Request</h2>
222
254
  <div class="rr_div"><span>GET / HTTP/1.1<br>Host: github.com/dradis/dradis-burp<br>User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:66.0) Gecko/20100101 Firefox/66.0<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br>Accept-Language: en,es-ES;q=0.8,es;q=0.5,en-US;q=0.3<br>Accept-Encoding: gzip, deflate<br>Connection: close<br>Cookie: hpage=1; AMCV_2387401053DB208C0A490D4C%40AdobeOrg=-1891778711%7CMCIDTS%7C17970%7CMCMID%7C21612935572021633722025223033275851039%7CMCAAMLH-1553169173%7C6%7CMCAAMB-1553169173%7CRKhpRz8krg2tLO6pguXWp5olkAcUniQYPHaMWWgdJ3xzPWQmdj0y%7CMCOPTOUT-1552571573s%7CNONE%7CMCAID%7CNONE%7CvVersion%7C2.4.0; uid=W9g/8Fux09NcLDHUBLt6Ag==#b4a7fa78e6c4983b02b41f0c993c2043; uid_ns=W9g/8Fux09NcLDHUBLt6Ag==; dtm_dds=3/14/2019%7C; s_lv=1538401711844; asaleatorio=v6|NO; _cb_ls=1; _cb=CHsEZNVjLgK9Eh3g; _chartbeat2=.1538380775140.1552564528405.0000000000000001.DULUU_5XcVyr-M7oTDU5YBMxsZ0.2; __gads=ID=06fd97433187c959:T=1538380762:S=ALNI_MZNHKQ5IoHIQX9fc91pDzlf7PDN4g; pbsconsent=BOU8kdHOU8kdHABABAENBq-AAAAht7_______9______9uz_Gv_v_f__33e8__9v_l_7_-___u_-33d4-_1vX99yfm1-7ftr3tp_86ues2_Xur_959_-njE; _v__chartbeat3=ChrB4_B73EobCceMDU; kppid=W9g/8Fux09NcLDHUBLt6Ag==; assegmento=v14|#feminismo; asnumdisplays=v14|1; aslastdisplay=v14|1552564374379; _fbp=fb.1.1552564376436.938848531; hst=1552520446_153124; cto_lwid=a6243aac-07e7-4c94-b258-b67ada2611d6; cto_idcpy=fec01c29-01e9-4fa7-b32d-b9ca0b82f535<br>Upgrade-Insecure-Requests: 1<br><br></span></div>
223
255
  <h2>Response</h2>
@@ -45,8 +45,8 @@
45
45
  </issue>
46
46
  <issue>
47
47
  <serialNumber>1833460934674078321</serialNumber>
48
- <type>8781630</type>
49
- <name>Issue 1</name>
48
+ <type>8781631</type>
49
+ <name>Issue 2</name>
50
50
  <host ip="10.0.0.1">http://www.test.com</host>
51
51
  <path><![CDATA[/Common/login.aspx]]></path>
52
52
  <location><![CDATA[/Common/login.aspx]]></location>
@@ -63,8 +63,8 @@
63
63
  </issue>
64
64
  <issue>
65
65
  <serialNumber>1833460934674078322</serialNumber>
66
- <type>8781630</type>
67
- <name>Issue 1</name>
66
+ <type>134217728</type>
67
+ <name>Issue 3</name>
68
68
  <host ip="10.0.0.1">http://www.test.com</host>
69
69
  <path><![CDATA[/Common/login.aspx]]></path>
70
70
  <location><![CDATA[/Common/login.aspx]]></location>
@@ -81,12 +81,12 @@
81
81
  </issue>
82
82
  <issue>
83
83
  <serialNumber>1833460934674078323</serialNumber>
84
- <type>8781630</type>
85
- <name>Issue 1</name>
84
+ <type>8781632</type>
85
+ <name>Issue 4</name>
86
86
  <host ip="10.0.0.1">http://www.test.com</host>
87
87
  <path><![CDATA[/Common/login.aspx]]></path>
88
88
  <location><![CDATA[/Common/login.aspx]]></location>
89
- <severity>Critical</severity>
89
+ <severity>High</severity>
90
90
  <confidence>Firm</confidence>
91
91
  <issueBackground><![CDATA[Lorem ipsum dolor sit amet, consectetur adipisicing elit. Veniam fugiat possimus quaerat esse aspernatur cumque, fugit incidunt tempora nam ex atque, magni alias ullam illo voluptate sed consequatur reprehenderit qui.]]></issueBackground>
92
92
  <remediationBackground><![CDATA[Lorem ipsum dolor sit amet, consectetur adipisicing elit. Explicabo itaque unde numquam, nihil eveniet deleniti dignissimos architecto quo neque ea impedit nam autem iusto iste, esse, aut minus animi repellat.]]></remediationBackground>
@@ -99,8 +99,8 @@
99
99
  </issue>
100
100
  <issue>
101
101
  <serialNumber>1833460934674078323</serialNumber>
102
- <type>8781630</type>
103
- <name>Issue 1</name>
102
+ <type>8781633</type>
103
+ <name>Issue 5</name>
104
104
  <host ip="10.0.0.1">http://www.test.com</host>
105
105
  <path><![CDATA[/Common/login.aspx]]></path>
106
106
  <location><![CDATA[/Common/login.aspx]]></location>
@@ -1,8 +1,8 @@
1
+ issue.confidence
2
+ issue.detail
1
3
  issue.host
2
- issue.path
3
4
  issue.location
4
- issue.severity
5
- issue.confidence
5
+ issue.path
6
6
  issue.request
7
7
  issue.request_1
8
8
  issue.request_2
@@ -11,3 +11,4 @@ issue.response
11
11
  issue.response_1
12
12
  issue.response_2
13
13
  issue.response_3
14
+ issue.severity
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dradis-burp
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.15.0
4
+ version: 3.20.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Daniel Martin
8
- autorequire:
8
+ autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2019-12-11 00:00:00.000000000 Z
11
+ date: 2021-01-07 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: dradis-plugins
@@ -145,7 +145,7 @@ homepage: http://dradisframework.org
145
145
  licenses:
146
146
  - GPL-2
147
147
  metadata: {}
148
- post_install_message:
148
+ post_install_message:
149
149
  rdoc_options: []
150
150
  require_paths:
151
151
  - lib
@@ -160,8 +160,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
160
160
  - !ruby/object:Gem::Version
161
161
  version: '0'
162
162
  requirements: []
163
- rubygems_version: 3.0.1
164
- signing_key:
163
+ rubygems_version: 3.2.4
164
+ signing_key:
165
165
  specification_version: 4
166
166
  summary: Burp Scanner upload plugin for the Dradis Framework.
167
167
  test_files: