dradis-burp 4.10.0 → 4.12.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8bd1fa2f6a54abe2a9883e3050ce4b3aa41e2181bc1e875f2e3d71f4eb8d2b3f
-  data.tar.gz: 83aad8a3721efd3b2ecb987c4a5bbd3eb95f8ab4677a85acce9113e1ad138c65
+  metadata.gz: 1531ccba2803d7f9ca739f542614ba6e0027e1f6e86633fb224846b2fe3c41a9
+  data.tar.gz: f734f7465981b8af0cf5650507b9317f997079bc8d01a668d6df2af6c4f5208b
 SHA512:
-  metadata.gz: 2840df6b1a43ec4adfbafaaeed355f6a4c0c4b9eb8d79fea36b2937c2e6dfeef6a09cd81e4606fc472d214c47f99f89e6ae4ef719511d608ff993fcdf917a6e6
-  data.tar.gz: 1f2ad7d6df4a86765b96ceebaf8498c1d1bf61432fcf016ac9c7c6e596690b6d4c38f59b2262e32088a3d3d8da040d58c48387dc3c305e4bd6e282453a1006b2
+  metadata.gz: 066761056c7763e19d5951bf2848aaf34a6b6f5aeef4873c2d349092eb3043cca4bfac434364af22d9f3e3e6ff6dafba4e016c6e2224fc0e2f5a72c48af1a9a8
+  data.tar.gz: f6cfe890151d6dfd507727ebf0900dacdaabbce0e72bc92594ba9b9bf34259483ff0cdf78a3e8dc690a51824685c9ca154c0dd8a7e112a14e95f592454acaec8

data/.github/pull_request_template.md

@@ -1,3 +1,5 @@
+Please review [CONTRIBUTING.md](https://github.com/dradis/dradis-ce/blob/develop/CONTRIBUTING.md) and remove this line.
+
 ### Summary
 
 Provide a general description of the code changes in your pull
@@ -6,6 +8,11 @@ these bugs have open GitHub issues, be sure to tag them here as well,
 to keep the conversation linked together.
 
 
+### Testing Steps
+
+Provide steps to test functionality, described in detail for someone not familiar with this part of the application / code base
+
+
 ### Other Information
 
 If there's anything else that's important and relevant to your pull
@@ -26,11 +33,13 @@ products, we must have the copyright associated with the entire
 codebase. Any code you create which is merged must be owned by us.
 That's not us trying to be a jerks, that's just the way it works.
 
-Please review the [CONTRIBUTING.md](https://github.com/dradis/dradis-ce/blob/master/CONTRIBUTING.md)
-file for the details.
-
 You can delete this section, but the following sentence needs to
 remain in the PR's description:
 
 > I assign all rights, including copyright, to any future Dradis
 > work by myself to Security Roots.
+
+### Check List
+
+- [ ] Added a CHANGELOG entry
+- [ ] Added specs

data/CHANGELOG.md

@@ -1,3 +1,11 @@
+v4.12.0 (May 2024)
+  - Migrate integration to use Mappings Manager
+  - Update Dradis links in README
+  - Update template names to include uploader
+
+v4.11.0 (January 2024)
+  - Fix compatibility with nokogiri >= 1.15
+
 v4.10.0 (September 2023)
   - Update gemspec links
 

data/README.md

@@ -5,18 +5,17 @@
 
 Upload Burp Scanner XML export files into Dradis.
 
-The add-on requires [Dradis CE](https://dradisframework.org/) > 3.0, or [Dradis Pro](https://dradisframework.com/pro/).
-
+The add-on requires [Dradis CE](https://dradis.com/ce/) > 3.0, or [Dradis Pro](https://dradis.com/).
 
 
 ## More information
 
-See the Dradis Framework's [README.md](https://github.com/dradis/dradisframework/blob/master/README.md)
+See the Dradis Framework's [README.md](https://github.com/dradis/dradis-ce/blob/develop/README.md)
 
 
 ## Contributing
 
-See the Dradis Framework's [CONTRIBUTING.md](https://github.com/dradis/dradisframework/blob/master/CONTRIBUTING.md)
+See the Dradis Framework's [CONTRIBUTING.md](https://github.com/dradis/dradis-ce/blob/develop/CONTRIBUTING.md)
 
 
 ## License

data/lib/burp/html/issue.rb

@@ -153,7 +153,7 @@ module Burp
         table = h2.next_element
 
         summary_table_tags.each do |tag|
-          td = table.search("td:starts-with('#{tag.to_s.capitalize}:')").first
+          td = table.xpath("//td[starts-with(.,'#{tag.to_s.capitalize}:')]").first
           @summary[tag] = td.next_element.text
         end
 

data/lib/dradis/plugins/burp/gem_version.rb

@@ -8,7 +8,7 @@ module Dradis
 
       module VERSION
         MAJOR = 4
-        MINOR = 10
+        MINOR = 12
         TINY = 0
         PRE = nil
 

data/lib/dradis/plugins/burp/html/importer.rb

@@ -12,7 +12,7 @@ module Dradis::Plugins::Burp
 
     class Importer < Dradis::Plugins::Upload::Importer
       def self.templates
-        { evidence: 'html_evidence', issue: 'issue' }
+        { evidence: 'html_evidence', issue: 'html_issue' }
       end
 
       def initialize(args={})
@@ -56,8 +56,8 @@ module Dradis::Plugins::Burp
           end
         issue_id   = html_issue.attr('id').value
         issue_text =
-          template_service.process_template(
-            template: 'issue',
+          mapping_service.apply_mapping(
+            source: 'html_issue',
             data: html_issue
           )
 
@@ -90,13 +90,13 @@ module Dradis::Plugins::Burp
         evidence_id = html_evidence.attr('id').value
         logger.info { "Processing evidence #{evidence_id}" }
 
-        host_td    = html_evidence.search("td:starts-with('Host:')").first
+        host_td    = html_evidence.xpath("//td[starts-with(.,'Host:')]").first
         host_label = host_td.next_element.text.split('//').last
         host       = content_service.create_node(label: host_label, type: :host)
 
         evidence_text =
-          template_service.process_template(
-            template: 'html_evidence',
+          mapping_service.apply_mapping(
+            source: 'html_evidence',
             data: html_evidence
           )
 

data/lib/dradis/plugins/burp/mapping.rb

@@ -0,0 +1,106 @@
+module Dradis::Plugins::Burp
+  module Mapping
+
+    DEFAULT_MAPPING = {
+      html_evidence: {
+        'Host' => '{{ burp[issue.host] }}',
+        'Path' => '{{ burp[issue.path] }}',
+        'Location' => '{{ burp[issue.location] }}',
+        'Severity' => '{{ burp[issue.severity] }}',
+        'Confidence' => '{{ burp[issue.confidence] }}',
+        'Request' => 'bc.. {{ burp[issue.request] }}',
+        'Response' => 'bc.. {{ burp[issue.response] }}',
+        'Request 1' => 'bc.. {{ burp[issue.request_1] }}',
+        'Response 1' => 'bc.. {{ burp[issue.response_1] }}',
+        'Request 2' => 'bc.. {{ burp[issue.request_2] }}',
+        'Response 2' => 'bc.. {{ burp[issue.response_2] }}',
+        'Request 3' => 'bc.. {{ burp[issue.request_3] }}',
+        'Response 3' => 'bc.. {{ burp[issue.response_3] }}'
+      },
+      html_issue: {
+        'Title' => '{{ burp[issue.name] }}',
+        'Severity' => '{{ burp[issue.severity] }}',
+        'Background' => '{{ burp[issue.background] }}',
+        'RemediationBackground' => '{{ burp[issue.remediation_background] }}',
+        'Detail' => '{{ burp[issue.detail] }}',
+        'RemediationDetails' => '{{ burp[issue.remediation_detail] }}',
+        'References' => '{{ burp[issue.references] }}',
+        'Classifications' => '{{ burp[issue.vulnerability_classifications] }}'
+      },
+      xml_evidence: {
+        'Host' => '{{ burp[issue.host] }}',
+        'Path' => '{{ burp[issue.path] }}',
+        'Location' => '{{ burp[issue.location] }}',
+        'Severity' => '{{ burp[issue.severity] }}',
+        'Confidence' => '{{ burp[issue.confidence] }}',
+        'Request' => 'bc.. {{ burp[issue.request] }}',
+        'Response' => 'bc.. {{ burp[issue.response] }}',
+        'Request 1' => 'bc.. {{ burp[issue.request_1] }}',
+        'Response 1' => 'bc.. {{ burp[issue.response_1] }}',
+        'Request 2' => 'bc.. {{ burp[issue.request_2] }}',
+        'Response 2' => 'bc.. {{ burp[issue.response_2] }}',
+        'Request 3' => 'bc.. {{ burp[issue.request_3] }}',
+        'Response 3' => 'bc.. {{ burp[issue.response_3] }}'
+      },
+      xml_issue: {
+        'Title' => '{{ burp[issue.name] }}',
+        'Severity' => '{{ burp[issue.severity] }}',
+        'Background' => '{{ burp[issue.background] }}',
+        'RemediationBackground' => '{{ burp[issue.remediation_background] }}',
+        'Detail' => '{{ burp[issue.detail] }}',
+        'RemediationDetails' => '{{ burp[issue.remediation_detail] }}',
+        'References' => '{{ burp[issue.references] }}',
+        'Classifications' => '{{ burp[issue.vulnerability_classifications] }}'
+      }
+    }.freeze
+
+    SOURCE_FIELDS = {
+      html_evidence: [
+        'issue.confidence',
+        'issue.detail',
+        'issue.host',
+        'issue.location',
+        'issue.path',
+        'issue.request',
+        'issue.request_1',
+        'issue.request_2',
+        'issue.request_3',
+        'issue.response',
+        'issue.response_1',
+        'issue.response_2',
+        'issue.response_3',
+        'issue.severity'
+      ],
+      html_issue: [
+        'issue.background',
+        'issue.detail',
+        'issue.name',
+        'issue.references',
+        'issue.remediation_background',
+        'issue.remediation_detail',
+        'issue.severity',
+        'issue.vulnerability_classifications'
+      ],
+      xml_evidence: [
+        'issue.host',
+        'issue.path',
+        'issue.location',
+        'issue.severity',
+        'issue.confidence',
+        'issue.request',
+        'issue.response',
+        'issue.detail'
+      ],
+      xml_issue: [
+        'issue.background',
+        'issue.detail',
+        'issue.name',
+        'issue.references',
+        'issue.remediation_background',
+        'issue.remediation_detail',
+        'issue.severity',
+        'issue.vulnerability_classifications'
+      ]
+    }.freeze
+  end
+end

data/lib/dradis/plugins/burp/xml/importer.rb

@@ -16,7 +16,7 @@ module Dradis::Plugins::Burp
       BURP_SEVERITIES     = ['Information', 'Low', 'Medium', 'High'].freeze
 
       def self.templates
-        { evidence: 'evidence', issue: 'issue' }
+        { evidence: 'xml_evidence', issue: 'xml_issue' }
       end
 
       def initialize(args={})
@@ -75,8 +75,8 @@ module Dradis::Plugins::Burp
         xml_issue.at('severity').content = BURP_SEVERITIES[@severities[id]]
 
         issue_text =
-          template_service.process_template(
-            template: 'issue',
+          mapping_service.apply_mapping(
+            source: 'xml_issue',
             data: xml_issue
           )
 
@@ -94,8 +94,8 @@ module Dradis::Plugins::Burp
         end
 
         evidence_text =
-          template_service.process_template(
-            template: 'evidence',
+          mapping_service.apply_mapping(
+            source: 'xml_evidence',
             data: xml_evidence
           )
 

data/lib/dradis/plugins/burp.rb

@@ -8,5 +8,6 @@ end
 require 'dradis/plugins/burp/engine'
 require 'dradis/plugins/burp/field_processor'
 require 'dradis/plugins/burp/html/importer'
+require 'dradis/plugins/burp/mapping'
 require 'dradis/plugins/burp/version'
 require 'dradis/plugins/burp/xml/importer'

data/templates/xml_issue.sample

@@ -0,0 +1,23 @@
+<issue>
+  <serialNumber>5863488220648493056</serialNumber>
+  <type>16777984</type>
+  <name><![CDATA[Strict transport security not enforced]]></name>
+  <host ip="192.168.1.1">https://this.is.a.url</host>
+  <path><![CDATA[/]]></path>
+  <location><![CDATA[/]]></location>
+  <severity>Low</severity>
+  <confidence>Certain</confidence>
+  <issueBackground><![CDATA[<p> The application fails to prevent users from connecting  to it over unencrypted connections.  An attacker able to modify a legitimate user's network traffic could bypass the application's use of SSL/TLS encryption, and use the application as a platform for attacks against its users. This attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link to the site from an HTTP page, their browser never attempts to use an encrypted connection. The sslstrip tool  automates this process. </p>
+<p>
+To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify the victim's network traffic.This scenario typically occurs when a client communicates with the server over an insecure connection such as public Wi-Fi, or a corporate or home network that is shared with a compromised computer. Common defenses such as switched networks are not sufficient to prevent this. An attacker situated in the user's ISP or the application's hosting infrastructure could also perform this attack. Note that an advanced adversary could potentially target any connection made over the Internet's core infrastructure. </p>]]></issueBackground>
+  <remediationBackground><![CDATA[<p>The application should instruct web browsers to only access the application using HTTPS. To do this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name 'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in seconds that browsers should remember that the site should only be accessed using HTTPS. Consider adding the 'includeSubDomains' flag if appropriate.</p>
+<p>Note that because HSTS is a &quot;trust on first use&quot; (TOFU) protocol, a user who has never accessed the application will never have seen the HSTS header, and will therefore still be vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload' flag to the HSTS header, and submit the domain for review by browser vendors.</p>]]></remediationBackground>
+  <references><![CDATA[<ul>
+<li><a href="https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security">HTTP Strict Transport Security</a></li>
+<li><a href="http://www.thoughtcrime.org/software/sslstrip/">sslstrip</a></li>
+<li><a href="https://hstspreload.appspot.com/">HSTS Preload Form</a></li>
+</ul>]]></references>
+  <vulnerabilityClassifications><![CDATA[<ul>
+<li><a href="https://cwe.mitre.org/data/definitions/523.html">CWE-523: Unprotected Transport of Credentials</a></li>
+</ul>]]></vulnerabilityClassifications>
+</issue>

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dradis-burp
 version: !ruby/object:Gem::Version
-  version: 4.10.0
+  version: 4.12.0
 platform: ruby
 authors:
 - Daniel Martin
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-09-07 00:00:00.000000000 Z
+date: 2024-05-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dradis-plugins
@@ -122,6 +122,7 @@ files:
 - lib/dradis/plugins/burp/field_processor.rb
 - lib/dradis/plugins/burp/gem_version.rb
 - lib/dradis/plugins/burp/html/importer.rb
+- lib/dradis/plugins/burp/mapping.rb
 - lib/dradis/plugins/burp/version.rb
 - lib/dradis/plugins/burp/xml/importer.rb
 - lib/tasks/thorfile.rb
@@ -132,15 +133,10 @@ files:
 - spec/fixtures/files/invalid-utf-issue.xml
 - spec/fixtures/files/without-base64.xml
 - spec/spec_helper.rb
-- templates/evidence.fields
-- templates/evidence.sample
-- templates/evidence.template
-- templates/html_evidence.fields
 - templates/html_evidence.sample
-- templates/html_evidence.template
-- templates/issue.fields
-- templates/issue.sample
-- templates/issue.template
+- templates/html_issue.sample
+- templates/xml_evidence.sample
+- templates/xml_issue.sample
 homepage: https://dradis.com/integrations/burp.html
 licenses:
 - GPL-2

data/templates/evidence.fields

@@ -1,8 +0,0 @@
-issue.host
-issue.path
-issue.location
-issue.severity
-issue.confidence
-issue.request
-issue.response
-issue.detail

data/templates/evidence.template

@@ -1,20 +0,0 @@
-#[Host]#
-%issue.host%
-
-#[Path]#
-%issue.path%
-
-#[Location]#
-%issue.location%
-
-#[Severity]#
-%issue.severity%
-
-#[Confidence]#
-%issue.confidence%
-
-#[Request]#
-bc.. %issue.request%
-
-#[Response]#
-bc.. %issue.response%

data/templates/html_evidence.fields

@@ -1,14 +0,0 @@
-issue.confidence
-issue.detail
-issue.host
-issue.location
-issue.path
-issue.request
-issue.request_1
-issue.request_2
-issue.request_3
-issue.response
-issue.response_1
-issue.response_2
-issue.response_3
-issue.severity

data/templates/html_evidence.template

@@ -1,50 +0,0 @@
-#[Host]#
-%issue.host%
-
-
-#[Path]#
-%issue.path%
-
-
-#[Location]#
-%issue.location%
-
-
-#[Severity]#
-%issue.severity%
-
-
-#[Confidence]#
-%issue.confidence%
-
-
-#[Request]#
-bc.. %issue.request%
-
-
-#[Response]#
-bc.. %issue.response%
-
-
-#[Request 1]#
-bc.. %issue.request_1%
-
-
-#[Response 1]#
-bc.. %issue.response_1%
-
-
-#[Request 2]#
-bc.. %issue.request_2%
-
-
-#[Response 2]#
-bc.. %issue.response_2%
-
-
-#[Request 3]#
-bc.. %issue.request_3%
-
-
-#[Response 3]#
-bc.. %issue.response_3%

data/templates/issue.fields

@@ -1,8 +0,0 @@
-issue.background
-issue.detail
-issue.name
-issue.references
-issue.remediation_background
-issue.remediation_detail
-issue.severity
-issue.vulnerability_classifications

data/templates/issue.template

@@ -1,30 +0,0 @@
-#[Title]#
-%issue.name%
-
-
-#[Severity]#
-%issue.severity%
-
-
-#[Background]#
-%issue.background%
-
-
-#[RemediationBackground]#
-%issue.remediation_background%
-
-
-#[Detail]#
-%issue.detail%
-
-
-#[RemediationDetails]#
-%issue.remediation_detail%
-
-
-#[References]#
-%issue.references%
-
-
-#[Classifications]#
-%issue.vulnerability_classifications%