dradis-burp 4.11.0 → 4.13.0

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 35da1eb748edfacdb634c08f4b652445ef13b9f8beae0e2c02b008e365d84bb3
4
- data.tar.gz: cb96449c95b297b7983644dcd3e7070c6f879caefcdc49aa170e7c8a06b2ea8c
3
+ metadata.gz: 8507ce7cb2316ceaf80bc0076f3efc4358b441a68d356966ac5c50912116b738
4
+ data.tar.gz: fe44ec8ba5a394ab86c0e3ec06b854f55fe12844b35703551886f2d04809d156
5
5
  SHA512:
6
- metadata.gz: 3314aba3f20772abdb4d6ef94d7d67ce087a056ed251fce946e00a8425f371ccd7ce3e4b10150befb61b79472fdda2885bd7596ca3656f71120e107c81061d40
7
- data.tar.gz: 31b097ce674358ce0dcd8e85f781230d09cc2f8ea57e63cae21a3fa3cc505116eb0724edf73f75581f3d9972a84c35ac07254d15ed78333f8405e1c5626df982
6
+ metadata.gz: 43c4017624c5654ea05ebdc2a3fab9abab56d77fe959125b4e0180b6711a70dc10189eefd86757754c185d5d84fdc5ddbf06bcd49100f763adabae93ce6a65c9
7
+ data.tar.gz: 6b8fe9c86c2e30f68564083a5fd0d5395413df49528501a125d32181f76c0dfd1ab9ebffc1650736c1ceee55a31cc61f6dd78bd70c9b7a925e83f88c9c3424e8
data/CHANGELOG.md CHANGED
@@ -1,3 +1,11 @@
1
+ v4.13.0 (July 2024)
2
+ - No changes
3
+
4
+ v4.12.0 (May 2024)
5
+ - Migrate integration to use Mappings Manager
6
+ - Update Dradis links in README
7
+ - Update template names to include uploader
8
+
1
9
  v4.11.0 (January 2024)
2
10
  - Fix compatibility with nokogiri >= 1.15
3
11
 
data/README.md CHANGED
@@ -5,8 +5,7 @@
5
5
 
6
6
  Upload Burp Scanner XML export files into Dradis.
7
7
 
8
- The add-on requires [Dradis CE](https://dradisframework.org/) > 3.0, or [Dradis Pro](https://dradisframework.com/pro/).
9
-
8
+ The add-on requires [Dradis CE](https://dradis.com/ce/) > 3.0, or [Dradis Pro](https://dradis.com/).
10
9
 
11
10
 
12
11
  ## More information
data/dradis-burp.gemspec CHANGED
@@ -26,7 +26,7 @@ Gem::Specification.new do |spec|
26
26
  spec.add_dependency 'dradis-plugins', '~> 4.0'
27
27
  spec.add_dependency 'nokogiri', '~> 1.3'
28
28
 
29
- spec.add_development_dependency 'bundler'
29
+ spec.add_development_dependency 'bundler', '~> 2'
30
30
  spec.add_development_dependency 'rake', '>= 12.3.3'
31
31
  spec.add_development_dependency 'rspec-rails'
32
32
  spec.add_development_dependency 'combustion', '~> 0.5.2'
@@ -8,7 +8,7 @@ module Dradis
8
8
 
9
9
  module VERSION
10
10
  MAJOR = 4
11
- MINOR = 11
11
+ MINOR = 13
12
12
  TINY = 0
13
13
  PRE = nil
14
14
 
@@ -12,7 +12,7 @@ module Dradis::Plugins::Burp
12
12
 
13
13
  class Importer < Dradis::Plugins::Upload::Importer
14
14
  def self.templates
15
- { evidence: 'html_evidence', issue: 'issue' }
15
+ { evidence: 'html_evidence', issue: 'html_issue' }
16
16
  end
17
17
 
18
18
  def initialize(args={})
@@ -56,8 +56,8 @@ module Dradis::Plugins::Burp
56
56
  end
57
57
  issue_id = html_issue.attr('id').value
58
58
  issue_text =
59
- template_service.process_template(
60
- template: 'issue',
59
+ mapping_service.apply_mapping(
60
+ source: 'html_issue',
61
61
  data: html_issue
62
62
  )
63
63
 
@@ -95,8 +95,8 @@ module Dradis::Plugins::Burp
95
95
  host = content_service.create_node(label: host_label, type: :host)
96
96
 
97
97
  evidence_text =
98
- template_service.process_template(
99
- template: 'html_evidence',
98
+ mapping_service.apply_mapping(
99
+ source: 'html_evidence',
100
100
  data: html_evidence
101
101
  )
102
102
 
@@ -0,0 +1,106 @@
1
+ module Dradis::Plugins::Burp
2
+ module Mapping
3
+
4
+ DEFAULT_MAPPING = {
5
+ html_evidence: {
6
+ 'Host' => '{{ burp[issue.host] }}',
7
+ 'Path' => '{{ burp[issue.path] }}',
8
+ 'Location' => '{{ burp[issue.location] }}',
9
+ 'Severity' => '{{ burp[issue.severity] }}',
10
+ 'Confidence' => '{{ burp[issue.confidence] }}',
11
+ 'Request' => 'bc.. {{ burp[issue.request] }}',
12
+ 'Response' => 'bc.. {{ burp[issue.response] }}',
13
+ 'Request 1' => 'bc.. {{ burp[issue.request_1] }}',
14
+ 'Response 1' => 'bc.. {{ burp[issue.response_1] }}',
15
+ 'Request 2' => 'bc.. {{ burp[issue.request_2] }}',
16
+ 'Response 2' => 'bc.. {{ burp[issue.response_2] }}',
17
+ 'Request 3' => 'bc.. {{ burp[issue.request_3] }}',
18
+ 'Response 3' => 'bc.. {{ burp[issue.response_3] }}'
19
+ },
20
+ html_issue: {
21
+ 'Title' => '{{ burp[issue.name] }}',
22
+ 'Severity' => '{{ burp[issue.severity] }}',
23
+ 'Background' => '{{ burp[issue.background] }}',
24
+ 'RemediationBackground' => '{{ burp[issue.remediation_background] }}',
25
+ 'Detail' => '{{ burp[issue.detail] }}',
26
+ 'RemediationDetails' => '{{ burp[issue.remediation_detail] }}',
27
+ 'References' => '{{ burp[issue.references] }}',
28
+ 'Classifications' => '{{ burp[issue.vulnerability_classifications] }}'
29
+ },
30
+ xml_evidence: {
31
+ 'Host' => '{{ burp[issue.host] }}',
32
+ 'Path' => '{{ burp[issue.path] }}',
33
+ 'Location' => '{{ burp[issue.location] }}',
34
+ 'Severity' => '{{ burp[issue.severity] }}',
35
+ 'Confidence' => '{{ burp[issue.confidence] }}',
36
+ 'Request' => 'bc.. {{ burp[issue.request] }}',
37
+ 'Response' => 'bc.. {{ burp[issue.response] }}',
38
+ 'Request 1' => 'bc.. {{ burp[issue.request_1] }}',
39
+ 'Response 1' => 'bc.. {{ burp[issue.response_1] }}',
40
+ 'Request 2' => 'bc.. {{ burp[issue.request_2] }}',
41
+ 'Response 2' => 'bc.. {{ burp[issue.response_2] }}',
42
+ 'Request 3' => 'bc.. {{ burp[issue.request_3] }}',
43
+ 'Response 3' => 'bc.. {{ burp[issue.response_3] }}'
44
+ },
45
+ xml_issue: {
46
+ 'Title' => '{{ burp[issue.name] }}',
47
+ 'Severity' => '{{ burp[issue.severity] }}',
48
+ 'Background' => '{{ burp[issue.background] }}',
49
+ 'RemediationBackground' => '{{ burp[issue.remediation_background] }}',
50
+ 'Detail' => '{{ burp[issue.detail] }}',
51
+ 'RemediationDetails' => '{{ burp[issue.remediation_detail] }}',
52
+ 'References' => '{{ burp[issue.references] }}',
53
+ 'Classifications' => '{{ burp[issue.vulnerability_classifications] }}'
54
+ }
55
+ }.freeze
56
+
57
+ SOURCE_FIELDS = {
58
+ html_evidence: [
59
+ 'issue.confidence',
60
+ 'issue.detail',
61
+ 'issue.host',
62
+ 'issue.location',
63
+ 'issue.path',
64
+ 'issue.request',
65
+ 'issue.request_1',
66
+ 'issue.request_2',
67
+ 'issue.request_3',
68
+ 'issue.response',
69
+ 'issue.response_1',
70
+ 'issue.response_2',
71
+ 'issue.response_3',
72
+ 'issue.severity'
73
+ ],
74
+ html_issue: [
75
+ 'issue.background',
76
+ 'issue.detail',
77
+ 'issue.name',
78
+ 'issue.references',
79
+ 'issue.remediation_background',
80
+ 'issue.remediation_detail',
81
+ 'issue.severity',
82
+ 'issue.vulnerability_classifications'
83
+ ],
84
+ xml_evidence: [
85
+ 'issue.host',
86
+ 'issue.path',
87
+ 'issue.location',
88
+ 'issue.severity',
89
+ 'issue.confidence',
90
+ 'issue.request',
91
+ 'issue.response',
92
+ 'issue.detail'
93
+ ],
94
+ xml_issue: [
95
+ 'issue.background',
96
+ 'issue.detail',
97
+ 'issue.name',
98
+ 'issue.references',
99
+ 'issue.remediation_background',
100
+ 'issue.remediation_detail',
101
+ 'issue.severity',
102
+ 'issue.vulnerability_classifications'
103
+ ]
104
+ }.freeze
105
+ end
106
+ end
@@ -16,7 +16,7 @@ module Dradis::Plugins::Burp
16
16
  BURP_SEVERITIES = ['Information', 'Low', 'Medium', 'High'].freeze
17
17
 
18
18
  def self.templates
19
- { evidence: 'evidence', issue: 'issue' }
19
+ { evidence: 'xml_evidence', issue: 'xml_issue' }
20
20
  end
21
21
 
22
22
  def initialize(args={})
@@ -75,8 +75,8 @@ module Dradis::Plugins::Burp
75
75
  xml_issue.at('severity').content = BURP_SEVERITIES[@severities[id]]
76
76
 
77
77
  issue_text =
78
- template_service.process_template(
79
- template: 'issue',
78
+ mapping_service.apply_mapping(
79
+ source: 'xml_issue',
80
80
  data: xml_issue
81
81
  )
82
82
 
@@ -94,8 +94,8 @@ module Dradis::Plugins::Burp
94
94
  end
95
95
 
96
96
  evidence_text =
97
- template_service.process_template(
98
- template: 'evidence',
97
+ mapping_service.apply_mapping(
98
+ source: 'xml_evidence',
99
99
  data: xml_evidence
100
100
  )
101
101
 
@@ -8,5 +8,6 @@ end
8
8
  require 'dradis/plugins/burp/engine'
9
9
  require 'dradis/plugins/burp/field_processor'
10
10
  require 'dradis/plugins/burp/html/importer'
11
+ require 'dradis/plugins/burp/mapping'
11
12
  require 'dradis/plugins/burp/version'
12
13
  require 'dradis/plugins/burp/xml/importer'
@@ -0,0 +1,23 @@
1
+ <issue>
2
+ <serialNumber>5863488220648493056</serialNumber>
3
+ <type>16777984</type>
4
+ <name><![CDATA[Strict transport security not enforced]]></name>
5
+ <host ip="192.168.1.1">https://this.is.a.url</host>
6
+ <path><![CDATA[/]]></path>
7
+ <location><![CDATA[/]]></location>
8
+ <severity>Low</severity>
9
+ <confidence>Certain</confidence>
10
+ <issueBackground><![CDATA[<p> The application fails to prevent users from connecting to it over unencrypted connections. An attacker able to modify a legitimate user's network traffic could bypass the application's use of SSL/TLS encryption, and use the application as a platform for attacks against its users. This attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link to the site from an HTTP page, their browser never attempts to use an encrypted connection. The sslstrip tool automates this process. </p>
11
+ <p>
12
+ To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify the victim's network traffic.This scenario typically occurs when a client communicates with the server over an insecure connection such as public Wi-Fi, or a corporate or home network that is shared with a compromised computer. Common defenses such as switched networks are not sufficient to prevent this. An attacker situated in the user's ISP or the application's hosting infrastructure could also perform this attack. Note that an advanced adversary could potentially target any connection made over the Internet's core infrastructure. </p>]]></issueBackground>
13
+ <remediationBackground><![CDATA[<p>The application should instruct web browsers to only access the application using HTTPS. To do this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name 'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in seconds that browsers should remember that the site should only be accessed using HTTPS. Consider adding the 'includeSubDomains' flag if appropriate.</p>
14
+ <p>Note that because HSTS is a &quot;trust on first use&quot; (TOFU) protocol, a user who has never accessed the application will never have seen the HSTS header, and will therefore still be vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload' flag to the HSTS header, and submit the domain for review by browser vendors.</p>]]></remediationBackground>
15
+ <references><![CDATA[<ul>
16
+ <li><a href="https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security">HTTP Strict Transport Security</a></li>
17
+ <li><a href="http://www.thoughtcrime.org/software/sslstrip/">sslstrip</a></li>
18
+ <li><a href="https://hstspreload.appspot.com/">HSTS Preload Form</a></li>
19
+ </ul>]]></references>
20
+ <vulnerabilityClassifications><![CDATA[<ul>
21
+ <li><a href="https://cwe.mitre.org/data/definitions/523.html">CWE-523: Unprotected Transport of Credentials</a></li>
22
+ </ul>]]></vulnerabilityClassifications>
23
+ </issue>
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dradis-burp
3
3
  version: !ruby/object:Gem::Version
4
- version: 4.11.0
4
+ version: 4.13.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Daniel Martin
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2024-01-17 00:00:00.000000000 Z
11
+ date: 2024-08-07 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: dradis-plugins
@@ -42,16 +42,16 @@ dependencies:
42
42
  name: bundler
43
43
  requirement: !ruby/object:Gem::Requirement
44
44
  requirements:
45
- - - ">="
45
+ - - "~>"
46
46
  - !ruby/object:Gem::Version
47
- version: '0'
47
+ version: '2'
48
48
  type: :development
49
49
  prerelease: false
50
50
  version_requirements: !ruby/object:Gem::Requirement
51
51
  requirements:
52
- - - ">="
52
+ - - "~>"
53
53
  - !ruby/object:Gem::Version
54
- version: '0'
54
+ version: '2'
55
55
  - !ruby/object:Gem::Dependency
56
56
  name: rake
57
57
  requirement: !ruby/object:Gem::Requirement
@@ -122,6 +122,7 @@ files:
122
122
  - lib/dradis/plugins/burp/field_processor.rb
123
123
  - lib/dradis/plugins/burp/gem_version.rb
124
124
  - lib/dradis/plugins/burp/html/importer.rb
125
+ - lib/dradis/plugins/burp/mapping.rb
125
126
  - lib/dradis/plugins/burp/version.rb
126
127
  - lib/dradis/plugins/burp/xml/importer.rb
127
128
  - lib/tasks/thorfile.rb
@@ -132,15 +133,10 @@ files:
132
133
  - spec/fixtures/files/invalid-utf-issue.xml
133
134
  - spec/fixtures/files/without-base64.xml
134
135
  - spec/spec_helper.rb
135
- - templates/evidence.fields
136
- - templates/evidence.sample
137
- - templates/evidence.template
138
- - templates/html_evidence.fields
139
136
  - templates/html_evidence.sample
140
- - templates/html_evidence.template
141
- - templates/issue.fields
142
- - templates/issue.sample
143
- - templates/issue.template
137
+ - templates/html_issue.sample
138
+ - templates/xml_evidence.sample
139
+ - templates/xml_issue.sample
144
140
  homepage: https://dradis.com/integrations/burp.html
145
141
  licenses:
146
142
  - GPL-2
@@ -160,7 +156,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
160
156
  - !ruby/object:Gem::Version
161
157
  version: '0'
162
158
  requirements: []
163
- rubygems_version: 3.3.7
159
+ rubygems_version: 3.5.6
164
160
  signing_key:
165
161
  specification_version: 4
166
162
  summary: Burp Scanner upload plugin for the Dradis Framework.
@@ -1,8 +0,0 @@
1
- issue.host
2
- issue.path
3
- issue.location
4
- issue.severity
5
- issue.confidence
6
- issue.request
7
- issue.response
8
- issue.detail
@@ -1,20 +0,0 @@
1
- #[Host]#
2
- %issue.host%
3
-
4
- #[Path]#
5
- %issue.path%
6
-
7
- #[Location]#
8
- %issue.location%
9
-
10
- #[Severity]#
11
- %issue.severity%
12
-
13
- #[Confidence]#
14
- %issue.confidence%
15
-
16
- #[Request]#
17
- bc.. %issue.request%
18
-
19
- #[Response]#
20
- bc.. %issue.response%
@@ -1,14 +0,0 @@
1
- issue.confidence
2
- issue.detail
3
- issue.host
4
- issue.location
5
- issue.path
6
- issue.request
7
- issue.request_1
8
- issue.request_2
9
- issue.request_3
10
- issue.response
11
- issue.response_1
12
- issue.response_2
13
- issue.response_3
14
- issue.severity
@@ -1,50 +0,0 @@
1
- #[Host]#
2
- %issue.host%
3
-
4
-
5
- #[Path]#
6
- %issue.path%
7
-
8
-
9
- #[Location]#
10
- %issue.location%
11
-
12
-
13
- #[Severity]#
14
- %issue.severity%
15
-
16
-
17
- #[Confidence]#
18
- %issue.confidence%
19
-
20
-
21
- #[Request]#
22
- bc.. %issue.request%
23
-
24
-
25
- #[Response]#
26
- bc.. %issue.response%
27
-
28
-
29
- #[Request 1]#
30
- bc.. %issue.request_1%
31
-
32
-
33
- #[Response 1]#
34
- bc.. %issue.response_1%
35
-
36
-
37
- #[Request 2]#
38
- bc.. %issue.request_2%
39
-
40
-
41
- #[Response 2]#
42
- bc.. %issue.response_2%
43
-
44
-
45
- #[Request 3]#
46
- bc.. %issue.request_3%
47
-
48
-
49
- #[Response 3]#
50
- bc.. %issue.response_3%
@@ -1,8 +0,0 @@
1
- issue.background
2
- issue.detail
3
- issue.name
4
- issue.references
5
- issue.remediation_background
6
- issue.remediation_detail
7
- issue.severity
8
- issue.vulnerability_classifications
@@ -1,30 +0,0 @@
1
- #[Title]#
2
- %issue.name%
3
-
4
-
5
- #[Severity]#
6
- %issue.severity%
7
-
8
-
9
- #[Background]#
10
- %issue.background%
11
-
12
-
13
- #[RemediationBackground]#
14
- %issue.remediation_background%
15
-
16
-
17
- #[Detail]#
18
- %issue.detail%
19
-
20
-
21
- #[RemediationDetails]#
22
- %issue.remediation_detail%
23
-
24
-
25
- #[References]#
26
- %issue.references%
27
-
28
-
29
- #[Classifications]#
30
- %issue.vulnerability_classifications%
File without changes
File without changes