dradis-burp 3.19.0 → 4.0.0

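--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: c2b4b8bdaf8da575ef3f15de612a85d43f4400811306de8fde2955001b4dbc21
- data.tar.gz: 7102211128794fe2a6abd210bd76b4c89456731a4a4199661b15a4db7160af2a
+ metadata.gz: 90c3cf118c82f6d8570fda1960043c9f84a62a0f0ba3b38f46ffe94051a92e64
+ data.tar.gz: 3d0e19e3bca681e0506a31bbd1872f20a4504b12cbb5fb261a9215569614f0fb
  SHA512:
- metadata.gz: ac25b69093399bfd453a500bf19e75a57fc56ec146e34f875f1737b9481fca961e5edc4eabb8bf1860b718dedecd1efb4882e15f6b41db9bac6f67a90e0c080d
- data.tar.gz: 61e8a46ac255f3884d19ad16525861c94088275e67d73732282b8d586d647f3d12f3d366c2cc3c898ebba656f146352179417bc997dcebfee5f798a9bb7da33b
+ metadata.gz: 57568d233c50bd1bf1333da265fa6b4b13dd3bbb03a9790af59a6bff9c76807f045909b1548435979a2a9955b05c67c42180043b259bd0be88f0b4d803045ed2
+ data.tar.gz: 03654f017b5a3ea6e7df78724196c3c87c002f809f703ec62bf2d8e013cdd47bca5efadccf20b67d04cc9fa8d6ef12a0b7c0bf9e4be9838f9aae43848d58408f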
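--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,21 @@
+ ## Dradis Framework 4.0.0 (July, 2021) ##
+
+ * No changes.
+
+ ## Dradis Framework 3.22 (April, 2021) ##
+
+ * No changes.
+
+ ## Dradis Framework 3.21 (February, 2021) ##
+
+ * No changes.
+
+ ## Dradis Framework 3.20 (December, 2020) ##
+
+ * Convert highlighted HTML code to Dradis highlight format
+ * Make `issue.detail` available at the Evidence level for HTML uploads.
+ * Make `issue.location` available at the HTML Evidence level.
+
  ## Dradis Framework 3.19 (September, 2020) ##
 
  * No changes.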
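--- a/data/dradis-burp.gemspec
+++ b/data/dradis-burp.gemspec
@@ -24,7 +24,7 @@ Gem::Specification.new do |spec|
  # versions of Rails (a sure recipe for disaster, I'm sure), which is needed
  # until we bump Dradis Pro to 4.1.
  # s.add_dependency 'rails', '~> 4.1.1'
- spec.add_dependency 'dradis-plugins', '~> 3.6'
+ spec.add_dependency 'dradis-plugins', '~> 4.0.0'
  spec.add_dependency 'nokogiri', '~> 1.3'
 
  spec.add_development_dependency 'bundler'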
@@ -19,7 +19,7 @@ module Burp
19
19
  :name, :type,
20
20
 
21
21
  # tags with contents retrieved following the span header
22
- :background, :detail,
22
+ :background, :detail, :location,
23
23
  :references, :remediation_background, :remediation_detail,
24
24
  :request, :request_1, :request_2, :request_3,
25
25
  :response, :response_1, :response_2, :response_3,
@@ -84,6 +84,19 @@ module Burp
84
84
  method_names = translations_table.fetch(method, method.to_s)
85
85
  method_names = [method_names].flatten
86
86
 
87
+ # Process the Location field
88
+ if method.to_s == 'location'
89
+ location = @html.at_xpath('/html/body/span[contains(@class, "BODH1")]')&.text
90
+
91
+ if location
92
+ # Remove the header number from the text.
93
+ # E.g. <span class="BODH1" id="1.1">1.1.&nbsp;/sample/text/</span>
94
+ return location.split(/[[:space:]]/).drop(1).join(' ')
95
+ else
96
+ return 'n/a'
97
+ end
98
+ end
99
+
87
100
  h2 = nil
88
101
  method_names.each do |method_name|
89
102
  h2 = @html.xpath("//h2[text()='#{method_name}']").first
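Review bot: An empty `BODH1` span slips past the `if location` guard on line 91, because `""` is truthy in Ruby and `"".split(/[[:space:]]/).drop(1).join(' ')` returns `""` rather than the `'n/a'` fallback; `return 'n/a' if location.to_s.strip.empty?` covers both the missing-span and the empty-span case in one line. The absolute `/html/body/span[contains(@class, "BODH1")]` lookup on line 89 also returns the first matching header in the whole document, so if `@html` ever holds more than one evidence instance every instance would report the first one's location — either a `# assumes @html is a single-instance fragment` comment or a `//span[contains(@class, "BODH1")]` query, consistent with the `//h2` lookup below, would make that explicit. `drop(1)` discards the first whitespace-separated token unconditionally, so a header without the numbering prefix loses the first word of its path. The enclosing method starts before and continues after this hunk.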
@@ -113,6 +126,9 @@ module Burp
113
126
  def cleanup_request_response_html(source)
114
127
  result = source.dup
115
128
 
129
+ # Highlight code
130
+ result.gsub!(/<span class="HIGHLIGHT">(.+?)<\/span>/, '$${{\1}}$$')
131
+
116
132
  result.gsub!(/<b>(.*?)<\/b>/, '\1')
117
133
  result.gsub!(/<br>|<\/br>/){"\n"}
118
134
  result.gsub!(/<span.*?>/, '')
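Review bot: The highlight regex on line 129 cannot match a `HIGHLIGHT` span whose contents contain a newline (`.+?` does not cross `\n` without the `/m` flag) and skips an empty span entirely (`.+?` needs at least one character); in both cases the generic `<span.*?>` strip on line 134 then removes the opening tag and the text loses its highlight markup. `result.gsub!(%r{<span class="HIGHLIGHT">(.*?)</span>}m, '$${{\1}}$$')` handles both. The captured text is taken verbatim from the scanned target's request/response, so a body that happens to contain `}}$$` will terminate the highlight early — presumably acceptable for report rendering, but worth a one-line comment next to the regex. `cleanup_request_response_html` continues past the end of this hunk.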
@@ -1,25 +1,21 @@
1
- module Dradis
2
- module Plugins
3
- module Burp
4
- class Engine < ::Rails::Engine
5
- isolate_namespace Dradis::Plugins::Burp
1
+ module Dradis::Plugins::Burp
2
+ class Engine < ::Rails::Engine
3
+ isolate_namespace Dradis::Plugins::Burp
6
4
 
7
- include ::Dradis::Plugins::Base
8
- description 'Processes Burp Scanner output'
9
- provides :upload
5
+ include ::Dradis::Plugins::Base
6
+ description 'Processes Burp Scanner output'
7
+ provides :upload
10
8
 
11
- # Because this plugin provides two export modules, we have to overwrite
12
- # the default .uploaders() method.
13
- #
14
- # See:
15
- # Dradis::Plugins::Upload::Base in dradis-plugins
16
- def self.uploaders
17
- [
18
- Dradis::Plugins::Burp::Html,
19
- Dradis::Plugins::Burp::Xml
20
- ]
21
- end
22
- end
9
+ # Because this plugin provides two export modules, we have to overwrite
10
+ # the default .uploaders() method.
11
+ #
12
+ # See:
13
+ # Dradis::Plugins::Upload::Base in dradis-plugins
14
+ def self.uploaders
15
+ [
16
+ Dradis::Plugins::Burp::Html,
17
+ Dradis::Plugins::Burp::Xml
18
+ ]
23
19
  end
24
20
  end
25
21
  end
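Review bot: The compact `module Dradis::Plugins::Burp` form on line 1 changes constant lookup: the lexical scope no longer includes `Dradis` or `Dradis::Plugins`, and `Dradis::Plugins` must already be defined when this file is loaded. Every reference in the file is fully qualified (`::Dradis::Plugins::Base`, `Dradis::Plugins::Burp::Html`), so nothing breaks here, but a note such as `# Compact form: Dradis::Plugins must be loaded before this engine; keep references fully qualified` would stop the next editor from adding an unqualified `Plugins::...` reference that only fails at load time.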
@@ -7,8 +7,8 @@ module Dradis
7
7
  end
8
8
 
9
9
  module VERSION
10
- MAJOR = 3
11
- MINOR = 19
10
+ MAJOR = 4
11
+ MINOR = 0
12
12
  TINY = 0
13
13
  PRE = nil
14
14
 
@@ -114,11 +114,10 @@ describe 'Burp upload plugin' do
114
114
 
115
115
  it 'returns the highest <severity> at the Issue level' do
116
116
 
117
- # create_issue should be called once for each issue in the xml
118
117
  expect(@content_service).to receive(:create_issue) do |args|
119
118
  expect(args[:id]).to eq(8781630)
120
119
  expect(args[:text]).to include("#[Title]#\nIssue 1")
121
- expect(args[:text]).to include("#[Severity]#\nCritical")
120
+ expect(args[:text]).to include("#[Severity]#\nInformation")
122
121
  OpenStruct.new(args)
123
122
  end
124
123
 
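Review bot: The example on line 115 is still titled `returns the highest <severity> at the Issue level`, but the new expectation on line 120 pins Issue 1 to `Information`, and in the following hunk each evidence block is now attached to a different issue (Issue 2 through Issue 5), so no issue in this example has several instances whose maximum could be checked. Either rename the example to describe what it now asserts, or keep one issue with two instances of differing severity so the "highest" claim is actually exercised. If the fixture's Issue 1 now carries only an Information-level instance the expectation is consistent, but the title is then misleading. The `it` block continues past this hunk.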
@@ -129,23 +128,23 @@ describe 'Burp upload plugin' do
129
128
  end.once
130
129
  expect(@content_service).to receive(:create_evidence) do |args|
131
130
  expect(args[:content]).to include("#[Severity]#\nHigh")
132
- expect(args[:issue].text).to include("#[Title]#\nIssue 1")
131
+ expect(args[:issue].text).to include("#[Title]#\nIssue 2")
133
132
  expect(args[:node].label).to eq('10.0.0.1')
134
133
  OpenStruct.new(args)
135
134
  end.once
136
135
  expect(@content_service).to receive(:create_evidence) do |args|
137
136
  expect(args[:content]).to include("#[Severity]#\nMedium")
138
- expect(args[:issue].text).to include("#[Title]#\nIssue 1")
137
+ expect(args[:issue].text).to include("#[Title]#\nIssue 3")
139
138
  expect(args[:node].label).to eq('10.0.0.1')
140
139
  end.once
141
140
  expect(@content_service).to receive(:create_evidence) do |args|
142
- expect(args[:content]).to include("#[Severity]#\nCritical")
143
- expect(args[:issue].text).to include("#[Title]#\nIssue 1")
141
+ expect(args[:content]).to include("#[Severity]#\nHigh")
142
+ expect(args[:issue].text).to include("#[Title]#\nIssue 4")
144
143
  expect(args[:node].label).to eq('10.0.0.1')
145
144
  end.once
146
145
  expect(@content_service).to receive(:create_evidence) do |args|
147
146
  expect(args[:content]).to include("#[Severity]#\nLow")
148
- expect(args[:issue].text).to include("#[Title]#\nIssue 1")
147
+ expect(args[:issue].text).to include("#[Title]#\nIssue 5")
149
148
  expect(args[:node].label).to eq('10.0.0.1')
150
149
  end.once
151
150
 
@@ -208,6 +207,7 @@ describe 'Burp upload plugin' do
208
207
  end.once
209
208
  expect(@content_service).to receive(:create_evidence) do |args|
210
209
  expect(args[:content]).to include("Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8")
210
+ expect(args[:content]).to include("#[Location]#\nhttp://1.1.1.1/dradis/sessions")
211
211
  expect(args[:issue].text).to include("#[Title]#\nStrict transport security not enforced")
212
212
  expect(args[:node].label).to eq("github.com/dradis/dradis-burp")
213
213
  end.once
@@ -179,8 +179,13 @@ div.scan_issue_medium_tentative_rpt{width: 32px; height: 32px; background-image:
179
179
  <div class="rule"></div>
180
180
  <h1>Contents</h1>
181
181
  <p class="TOCH0"><a href="#1">1.&nbsp;Strict transport security not enforced</a></p>
182
+ <p class="TOCH1"><a href="#1.1">1.1.&nbsp;http://1.1.1.1/dradis/sessions</a></p>
182
183
  <br><div class="rule"></div>
183
184
  <span class="BODH0" id="1">1.&nbsp;<a href="https://portswigger.net/knowledgebase/issues/details/01000300_stricttransportsecuritynotenforced">Strict transport security not enforced</a></span>
185
+ <br><span class="TEXT">There are 1 instances of this issue:
186
+ <ul>
187
+ <li><a href="#1.1">/dradis/sessions</a></li>
188
+ </ul></span>
184
189
  <br>
185
190
  <h2>Summary</h2>
186
191
  <table cellpadding="0" cellspacing="0" class="summary_table">
@@ -218,6 +223,33 @@ To exploit this vulnerability, an attacker must be suitably positioned to interc
218
223
  <h2>Vulnerability classifications</h2><span class="TEXT"><ul>
219
224
  <li><a href="https://cwe.mitre.org/data/definitions/523.html">CWE-523: Unprotected Transport of Credentials</a></li>
220
225
  </ul></span>
226
+ <br><div class="rule"></div>
227
+ <span class="BODH1" id="2.1">1.1.&nbsp;http://1.1.1.1/dradis/sessions</span>
228
+ <br><a class="PREVNEXT" href="#2.2">Next</a>
229
+ <br>
230
+ <h2>Summary</h2>
231
+ <table cellpadding="0" cellspacing="0" class="summary_table">
232
+ <tr>
233
+ <td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_high_certain_rpt'></div></td>
234
+ <td>Severity:&nbsp;&nbsp;</td>
235
+ <td><b>High</b></td>
236
+ </tr>
237
+ <tr>
238
+ <td>Confidence:&nbsp;&nbsp;</td>
239
+ <td><b>Certain</b></td>
240
+ </tr>
241
+ <tr>
242
+ <td>Host:&nbsp;&nbsp;</td>
243
+ <td><b>http://1.1.1.1</b></td>
244
+ </tr>
245
+ <tr>
246
+ <td>Path:&nbsp;&nbsp;</td>
247
+ <td><b>/dradis/sessions</b></td>
248
+ </tr>
249
+ </table>
250
+ <h2>Issue detail</h2>
251
+ <span class="TEXT">The page contains a form with the following action URL, which is submitted over clear-text HTTP:<ul><li>http://1.1.1.1/dradis/sessions</li></ul>The form contains the following password field:<ul><li>session[password]</li></ul></span>
252
+
221
253
  <h2>Request</h2>
222
254
  <div class="rr_div"><span>GET / HTTP/1.1<br>Host: github.com/dradis/dradis-burp<br>User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:66.0) Gecko/20100101 Firefox/66.0<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br>Accept-Language: en,es-ES;q=0.8,es;q=0.5,en-US;q=0.3<br>Accept-Encoding: gzip, deflate<br>Connection: close<br>Cookie: hpage=1; AMCV_2387401053DB208C0A490D4C%40AdobeOrg=-1891778711%7CMCIDTS%7C17970%7CMCMID%7C21612935572021633722025223033275851039%7CMCAAMLH-1553169173%7C6%7CMCAAMB-1553169173%7CRKhpRz8krg2tLO6pguXWp5olkAcUniQYPHaMWWgdJ3xzPWQmdj0y%7CMCOPTOUT-1552571573s%7CNONE%7CMCAID%7CNONE%7CvVersion%7C2.4.0; uid=W9g/8Fux09NcLDHUBLt6Ag==#b4a7fa78e6c4983b02b41f0c993c2043; uid_ns=W9g/8Fux09NcLDHUBLt6Ag==; dtm_dds=3/14/2019%7C; s_lv=1538401711844; asaleatorio=v6|NO; _cb_ls=1; _cb=CHsEZNVjLgK9Eh3g; _chartbeat2=.1538380775140.1552564528405.0000000000000001.DULUU_5XcVyr-M7oTDU5YBMxsZ0.2; __gads=ID=06fd97433187c959:T=1538380762:S=ALNI_MZNHKQ5IoHIQX9fc91pDzlf7PDN4g; pbsconsent=BOU8kdHOU8kdHABABAENBq-AAAAht7_______9______9uz_Gv_v_f__33e8__9v_l_7_-___u_-33d4-_1vX99yfm1-7ftr3tp_86ues2_Xur_959_-njE; _v__chartbeat3=ChrB4_B73EobCceMDU; kppid=W9g/8Fux09NcLDHUBLt6Ag==; assegmento=v14|#feminismo; asnumdisplays=v14|1; aslastdisplay=v14|1552564374379; _fbp=fb.1.1552564376436.938848531; hst=1552520446_153124; cto_lwid=a6243aac-07e7-4c94-b258-b67ada2611d6; cto_idcpy=fec01c29-01e9-4fa7-b32d-b9ca0b82f535<br>Upgrade-Insecure-Requests: 1<br><br></span></div>
223
255
  <h2>Response</h2>
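Review bot: The new instance header on line 227 carries `id="2.1"` while its own text, the TOC entry on line 182 and the instance list on line 187 all point at `#1.1`, so the fixture's anchors do not resolve; the parser reads the header text rather than the id, which is why the spec still passes, but `<span class="BODH1" id="1.1">1.1.&nbsp;http://1.1.1.1/dradis/sessions</span>` would match the shape quoted in the parser's own comment. The `Next` link on line 228 likewise targets `#2.2`, which does not exist in this fixture.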
@@ -1,8 +1,8 @@
1
+ issue.confidence
2
+ issue.detail
1
3
  issue.host
2
- issue.path
3
4
  issue.location
4
- issue.severity
5
- issue.confidence
5
+ issue.path
6
6
  issue.request
7
7
  issue.request_1
8
8
  issue.request_2
@@ -11,3 +11,4 @@ issue.response
11
11
  issue.response_1
12
12
  issue.response_2
13
13
  issue.response_3
14
+ issue.severity
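--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: dradis-burp
  version: !ruby/object:Gem::Version
- version: 3.19.0
+ version: 4.0.0
  platform: ruby
  authors:
  - Daniel Martin
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2020-09-04 00:00:00.000000000 Z
+ date: 2021-08-03 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: dradis-plugins
@@ -16,14 +16,14 @@ dependencies:
  requirements:
  - - "~>"
  - !ruby/object:Gem::Version
- version: '3.6'
+ version: 4.0.0
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - "~>"
  - !ruby/object:Gem::Version
- version: '3.6'
+ version: 4.0.0
  - !ruby/object:Gem::Dependency
  name: nokogiri
  requirement: !ruby/object:Gem::Requirement
@@ -160,7 +160,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  - !ruby/object:Gem::Version
  version: '0'
  requirements: []
- rubygems_version: 3.0.1
+ rubygems_version: 3.1.4
  signing_key:
  specification_version: 4
  summary: Burp Scanner upload plugin for the Dradis Framework.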