dradis-calculator_dread 3.19.0 → 4.0.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +17 -0
- data/app/assets/javascripts/dradis/plugins/calculators/dread/calculator.js.coffee +19 -14
- data/app/assets/javascripts/dradis/plugins/calculators/dread/manifests/{application.js.coffee → application.js} +2 -0
- data/app/assets/javascripts/dradis/plugins/calculators/dread/manifests/tylium.js +1 -0
- data/app/assets/stylesheets/dradis/plugins/calculators/dread/manifests/application.css.scss +1 -2
- data/app/controllers/dradis/plugins/calculators/dread/base_controller.rb +3 -0
- data/app/controllers/dradis/plugins/calculators/dread/issues_controller.rb +40 -0
- data/app/models/dradis/plugins/calculators/dread/v1.rb +19 -0
- data/app/views/dradis/plugins/calculators/dread/_addons_menu.html.erb +1 -1
- data/app/views/dradis/plugins/calculators/dread/base/_impact.html.erb +83 -0
- data/app/views/dradis/plugins/calculators/dread/base/_likelihood.html.erb +98 -0
- data/app/views/dradis/plugins/calculators/dread/base/index.html.erb +8 -191
- data/app/views/dradis/plugins/calculators/dread/issues/_show-content.html.erb +20 -0
- data/app/views/dradis/plugins/calculators/dread/issues/_show-tabs.html.erb +3 -0
- data/app/views/dradis/plugins/calculators/dread/issues/edit.html.erb +83 -0
- data/app/views/layouts/dradis/plugins/calculators/dread/base.html.erb +4 -7
- data/config/routes.rb +11 -2
- data/dradis-calculator_dread.gemspec +1 -1
- data/lib/dradis/plugins/calculators/dread/engine.rb +7 -3
- data/lib/dradis/plugins/calculators/dread/gem_version.rb +2 -2
- metadata +14 -7
- data/app/views/dradis/plugins/calculators/dread/_addons_menu_bs4.html.erb +0 -1
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 9932e1f4eda3af48ba6cd95950bf6aada22422ee378a982bec9364de2541b1f1
|
4
|
+
data.tar.gz: 76b7bf9c9d52ea301a7c6061e31faeab83bb4400f7c220477ea7c63873c85699
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 7d08125601734c3b75658f428367077d58f2455d2e2115ab140de565df6e178b238c963a597fc208f337736d9951174f4a37735ba64e4cc3c570d68115f70c6c
|
7
|
+
data.tar.gz: 23a234fc2771ec3261a9d815fcc0dc1211efdc1f35ffcb58ac1a416f6f55f7f12f4835d0ad8558f47b97e099ae29b8e460890592f26cbe3c1d0c3b2bebed7233
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,20 @@
|
|
1
|
+
## Dradis Framework 4.0.0 (July, 2021) ##
|
2
|
+
|
3
|
+
* No changes.
|
4
|
+
|
5
|
+
## Dradis Framework 3.22 (April, 2021) ##
|
6
|
+
|
7
|
+
* No changes.
|
8
|
+
|
9
|
+
## Dradis Framework 3.21 (February, 2021) ##
|
10
|
+
|
11
|
+
* Specify exact js and css file name when precompiling assets.
|
12
|
+
|
13
|
+
## Dradis Framework 3.20 (December, 2020) ##
|
14
|
+
|
15
|
+
* Integrate calculator in Issues view.
|
16
|
+
* Use Bootstrap gem vs vendored assets.
|
17
|
+
|
1
18
|
## Dradis Framework 3.19 (September, 2020) ##
|
2
19
|
|
3
20
|
* No changes.
|
@@ -10,8 +10,8 @@
|
|
10
10
|
threat = $("input[name='disc']:checked").data('agent')
|
11
11
|
likelihood = (repro + exploit + disc) / 3
|
12
12
|
|
13
|
-
|
14
|
-
|
13
|
+
dread = (impact + likelihood) / 2
|
14
|
+
dread_vector = "DREAD:1.0/D:#{damage}/A:#{affected}/R:#{repro}/E:#{exploit}/DI:#{disc}"
|
15
15
|
|
16
16
|
impact_fixed = DREADCalculator._fix(impact)
|
17
17
|
likelihood_fixed = DREADCalculator._fix(likelihood)
|
@@ -21,25 +21,28 @@
|
|
21
21
|
$('#likelihood-score').text(likelihood_fixed)
|
22
22
|
$('#dread-score').text(dread_fixed)
|
23
23
|
|
24
|
-
issue_dread = "#[
|
24
|
+
issue_dread = "#[DREAD.Vector]#\n"
|
25
|
+
issue_dread += "#{dread_vector}\n\n"
|
26
|
+
issue_dread += "#[DREAD.Score]#\n"
|
25
27
|
issue_dread += "#{dread_fixed}\n\n"
|
26
|
-
issue_dread += "#[Damage]#\n"
|
28
|
+
issue_dread += "#[DREAD.Damage]#\n"
|
27
29
|
issue_dread += "#{damage}\n\n"
|
28
|
-
issue_dread += "#[AffectedSystems]#\n"
|
30
|
+
issue_dread += "#[DREAD.AffectedSystems]#\n"
|
29
31
|
issue_dread += "#{affected}\n\n"
|
30
|
-
issue_dread += "#[Impact]#\n"
|
32
|
+
issue_dread += "#[DREAD.Impact]#\n"
|
31
33
|
issue_dread += "#{impact_fixed}\n\n"
|
32
|
-
issue_dread += "#[Reproducibility]#\n"
|
34
|
+
issue_dread += "#[DREAD.Reproducibility]#\n"
|
33
35
|
issue_dread += "#{repro}\n\n"
|
34
|
-
issue_dread += "#[Discoverability]#\n"
|
36
|
+
issue_dread += "#[DREAD.Discoverability]#\n"
|
35
37
|
issue_dread += "#{disc}\n\n"
|
36
|
-
issue_dread += "#[ThreatAgent]#\n"
|
38
|
+
issue_dread += "#[DREAD.ThreatAgent]#\n"
|
37
39
|
issue_dread += "#{threat}\n\n"
|
38
|
-
issue_dread += "#[Exploitability]#\n"
|
40
|
+
issue_dread += "#[DREAD.Exploitability]#\n"
|
39
41
|
issue_dread += "#{exploit}\n\n"
|
40
|
-
issue_dread += "#[Likelihood]#\n"
|
42
|
+
issue_dread += "#[DREAD.Likelihood]#\n"
|
41
43
|
issue_dread += "#{likelihood_fixed}\n"
|
42
|
-
|
44
|
+
|
45
|
+
$('textarea[name=dread_fields]').val(issue_dread)
|
43
46
|
|
44
47
|
_fix: (input) ->
|
45
48
|
if $.isNumeric(input) && Math.floor(input) == input
|
@@ -48,5 +51,7 @@
|
|
48
51
|
input.toFixed(3)
|
49
52
|
|
50
53
|
|
51
|
-
|
52
|
-
$('
|
54
|
+
document.addEventListener "turbolinks:load", ->
|
55
|
+
if $('[data-behavior~=dread-buttons]').length
|
56
|
+
DREADCalculator.calculate()
|
57
|
+
$('input[type=radio]').on 'change', DREADCalculator.calculate
|
@@ -0,0 +1 @@
|
|
1
|
+
//= require dradis/plugins/calculators/dread/calculator
|
@@ -1,2 +1 @@
|
|
1
|
-
@import '
|
2
|
-
@import 'bootstrap-responsive';
|
1
|
+
@import '_bootstrap';
|
@@ -0,0 +1,40 @@
|
|
1
|
+
module Dradis::Plugins::Calculators::DREAD
|
2
|
+
# Does it matter that we're inheriting from the no-frills controller?
|
3
|
+
class IssuesController < ::IssuesController
|
4
|
+
before_action :set_dread_vector, only: :edit
|
5
|
+
|
6
|
+
def edit
|
7
|
+
end
|
8
|
+
|
9
|
+
def update
|
10
|
+
dread_fields = Hash[ *params[:dread_fields].scan(FieldParser::FIELDS_REGEX).flatten.map(&:strip) ]
|
11
|
+
dread_fields.each do |name, value|
|
12
|
+
@issue.set_field(name, value)
|
13
|
+
end
|
14
|
+
|
15
|
+
if @issue.save
|
16
|
+
redirect_to main_app.project_issue_path(current_project, @issue), notice: 'DREAD fields updated.'
|
17
|
+
else
|
18
|
+
render :edit
|
19
|
+
end
|
20
|
+
end
|
21
|
+
|
22
|
+
def set_dread_vector
|
23
|
+
# Undefined values default to 0
|
24
|
+
@dread_vector = Hash.new { |h, k| h[k] = 0 }
|
25
|
+
field_value = @issue.fields['DREAD.Vector']
|
26
|
+
|
27
|
+
# If no vector is set yet, that's OK
|
28
|
+
return if field_value.blank?
|
29
|
+
|
30
|
+
if field_value =~ V1::VECTOR_REGEXP
|
31
|
+
field_value.split('/').each do |pair|
|
32
|
+
field, value = pair.split(':')
|
33
|
+
@dread_vector[field] = value.to_i
|
34
|
+
end
|
35
|
+
else
|
36
|
+
redirect_to main_app.project_issue_path(current_project, @issue), alert: 'The format of the DREAD Vector field is invalid.'
|
37
|
+
end
|
38
|
+
end
|
39
|
+
end
|
40
|
+
end
|
@@ -0,0 +1,19 @@
|
|
1
|
+
module Dradis::Plugins::Calculators::DREAD
|
2
|
+
class V1
|
3
|
+
FIELD_NAMES = %i{
|
4
|
+
Vector
|
5
|
+
Score
|
6
|
+
Impact
|
7
|
+
Damage
|
8
|
+
AffectedSystems
|
9
|
+
Likelihood
|
10
|
+
Reproducibility
|
11
|
+
Exploitability
|
12
|
+
Discoverability
|
13
|
+
ThreatAgent
|
14
|
+
}.freeze
|
15
|
+
|
16
|
+
FIELDS = FIELD_NAMES.map { |name| "DREAD.#{name}".freeze }.freeze
|
17
|
+
VECTOR_REGEXP = /DREAD:1.0\/D:\d\/A:\d\/R:\d\/E:\d\/DI:\d/.freeze
|
18
|
+
end
|
19
|
+
end
|
@@ -1 +1 @@
|
|
1
|
-
|
1
|
+
<%= link_to 'Risk Calculators - DREAD', dread_calculator.calculators_dread_path, class: 'dropdown-item', data: { turbolinks: false } %>
|
@@ -0,0 +1,83 @@
|
|
1
|
+
<section data-behavior="dread-buttons">
|
2
|
+
<p class="lead text-center">Impact = (Damage + Affected)/2</p>
|
3
|
+
|
4
|
+
<h3>Damage Potential</h3>
|
5
|
+
<p>If a vulnerability exploit occurs, how much damage will be caused?</p>
|
6
|
+
|
7
|
+
<table class="table table-striped">
|
8
|
+
<thead>
|
9
|
+
<tr>
|
10
|
+
<th></th>
|
11
|
+
<th>Sens. Data</th>
|
12
|
+
<th>Infra.</th>
|
13
|
+
<th>Phys. access</th>
|
14
|
+
</tr>
|
15
|
+
</thead>
|
16
|
+
<tbody>
|
17
|
+
<tr>
|
18
|
+
<td>
|
19
|
+
<input type="radio" name="damage" value="0" <%= 'checked' if @dread_vector['D'] == 0 %>/> 0
|
20
|
+
</td>
|
21
|
+
<td colspan="3">
|
22
|
+
Information leakage that could lead to compromise of sensitive data or systems
|
23
|
+
</td>
|
24
|
+
</tr>
|
25
|
+
<tr>
|
26
|
+
<td>
|
27
|
+
<input type="radio" name="damage" value="1" <%= 'checked' if @dread_vector['D'] == 1 %>/> 1
|
28
|
+
</td>
|
29
|
+
<td colspan="3">
|
30
|
+
The presence of this vulnerability contributes to other vulnerabilities being exploited
|
31
|
+
</td>
|
32
|
+
</tr>
|
33
|
+
<tr>
|
34
|
+
<td>
|
35
|
+
<input type="radio" name="damage" value="2" <%= 'checked' if @dread_vector['D'] == 2 %>/> 2
|
36
|
+
</td>
|
37
|
+
<td colspan="2">
|
38
|
+
Sensitive data compromised
|
39
|
+
</td>
|
40
|
+
<td>
|
41
|
+
Access to places with no critical systems
|
42
|
+
</td>
|
43
|
+
</tr>
|
44
|
+
<tr>
|
45
|
+
<td>
|
46
|
+
<input type="radio" name="damage" value="3" <%= 'checked' if @dread_vector['D'] == 3 %>/> 3
|
47
|
+
</td>
|
48
|
+
<td colspan="2">
|
49
|
+
User account compromised System completely compromised
|
50
|
+
</td>
|
51
|
+
<td>
|
52
|
+
Access to places with critical systems
|
53
|
+
</td>
|
54
|
+
</tr>
|
55
|
+
</tbody>
|
56
|
+
</table>
|
57
|
+
|
58
|
+
<p class="alert alert-warning"><strong>NOTE</strong>: If vulnerability violates PCI compliance it is automatically marked as 3</p>
|
59
|
+
|
60
|
+
<h3>Affected users or systems</h3>
|
61
|
+
<p>How many users or systems will be affected if the vulnerability is exploited?</p>
|
62
|
+
|
63
|
+
<table class="table table-striped">
|
64
|
+
<tbody>
|
65
|
+
<tr>
|
66
|
+
<td><input type="radio" name="affected" value="0" <%= 'checked' if @dread_vector['A'] == 0 %>/> 0</td>
|
67
|
+
<td>None</td>
|
68
|
+
</tr>
|
69
|
+
<tr>
|
70
|
+
<td><input type="radio" name="affected" value="1" <%= 'checked' if @dread_vector['A'] == 1 %>/> 1</td>
|
71
|
+
<td>Less than half of the systems/users are affected</td>
|
72
|
+
</tr>
|
73
|
+
<tr>
|
74
|
+
<td><input type="radio" name="affected" value="2" <%= 'checked' if @dread_vector['A'] == 2 %>/> 2</td>
|
75
|
+
<td>More than half of the systems/users are affected</td>
|
76
|
+
</tr>
|
77
|
+
<tr>
|
78
|
+
<td><input type="radio" name="affected" value="3" <%= 'checked' if @dread_vector['A'] == 3 %>/> 3</td>
|
79
|
+
<td>All systems or users are affected</td>
|
80
|
+
</tr>
|
81
|
+
</tbody>
|
82
|
+
</table>
|
83
|
+
</section>
|
@@ -0,0 +1,98 @@
|
|
1
|
+
<section data-behavior="dread-buttons">
|
2
|
+
<p class="lead text-center">Likelihood = (Repro + Exploit + Disc)/3</p>
|
3
|
+
|
4
|
+
<h3>Reproducibility</h3>
|
5
|
+
<p>What kind of access is necessary to exploit this vulnerability?</p>
|
6
|
+
|
7
|
+
<table class="table table-striped">
|
8
|
+
<tbody>
|
9
|
+
<tr>
|
10
|
+
<td><input type="radio" name="repro" value="0" <%= 'checked' if @dread_vector['R'] == 0 %>/> 0</td>
|
11
|
+
<td>Physical access to target machine</td>
|
12
|
+
</tr>
|
13
|
+
<tr>
|
14
|
+
<td><input type="radio" name="repro" value="1" <%= 'checked' if @dread_vector['R'] == 1 %>/> 1</td>
|
15
|
+
<td>Valid credentials to the system</td>
|
16
|
+
</tr>
|
17
|
+
<tr>
|
18
|
+
<td><input type="radio" name="repro" value="2" <%= 'checked' if @dread_vector['R'] == 2 %>/> 2</td>
|
19
|
+
<td>Same network as the victim</td>
|
20
|
+
</tr>
|
21
|
+
<tr>
|
22
|
+
<td><input type="radio" name="repro" value="3" <%= 'checked' if @dread_vector['R'] == 3 %>/> 3</td>
|
23
|
+
<td>Internet access with no credentials</td>
|
24
|
+
</tr>
|
25
|
+
</tbody>
|
26
|
+
</table>
|
27
|
+
|
28
|
+
<h3>Exploitability</h3>
|
29
|
+
<p>What is needed to exploit this vulnerability?</p>
|
30
|
+
|
31
|
+
<table class="table table-striped">
|
32
|
+
<tbody>
|
33
|
+
|
34
|
+
<tr>
|
35
|
+
<td><input type="radio" name="exploit" value="0" <%= 'checked' if @dread_vector['E'] == 0 %>/> 0</td>
|
36
|
+
<td>
|
37
|
+
<ul>
|
38
|
+
<li>Advanced programming and networking knowledge</li>
|
39
|
+
<li>Custom or advanced attack tools</li>
|
40
|
+
<li>Depends on other vulnerabilities being present which have not been discovered</li>
|
41
|
+
</ul>
|
42
|
+
</td>
|
43
|
+
</tr>
|
44
|
+
<tr>
|
45
|
+
<td><input type="radio" name="exploit" value="1" <%= 'checked' if @dread_vector['E'] == 1 %>/> 1</td>
|
46
|
+
<td>Requires victim’s intervention, possibly through social engineering</td>
|
47
|
+
</tr>
|
48
|
+
<tr>
|
49
|
+
<td><input type="radio" name="exploit" value="2" <%= 'checked' if @dread_vector['E'] == 2 %>/> 2</td>
|
50
|
+
<td>
|
51
|
+
<ul>
|
52
|
+
<li>Tool or malware is available on the Internet</li>
|
53
|
+
<li>Exploit is easily performed</li>
|
54
|
+
</ul>
|
55
|
+
</td>
|
56
|
+
</tr>
|
57
|
+
<tr>
|
58
|
+
<td><input type="radio" name="exploit" value="3" <%= 'checked' if @dread_vector['E'] == 3 %>/> 3</td>
|
59
|
+
<td>Just a web browser or no tools necessary</td>
|
60
|
+
</tr>
|
61
|
+
</tbody>
|
62
|
+
</table>
|
63
|
+
|
64
|
+
<h3>Discoverability</h3>
|
65
|
+
<p>How easy is it to discover and exploit this vulnerability?</p>
|
66
|
+
|
67
|
+
<table class="table table-striped">
|
68
|
+
<thead>
|
69
|
+
<tr>
|
70
|
+
<th></th>
|
71
|
+
<th>Difficulty</th>
|
72
|
+
<th>Equivalent threat agent</th>
|
73
|
+
</tr>
|
74
|
+
</thead>
|
75
|
+
<tbody>
|
76
|
+
<tr>
|
77
|
+
<td><input type="radio" name="disc" value="0" data-agent="Organized crime, inside job" <%= 'checked' if @dread_vector['DI'] == 0 %>/> 0</td>
|
78
|
+
<td>Very hard to impossible; requires source code, administrative access or classified information</td>
|
79
|
+
<td>Organized crime, inside job</td>
|
80
|
+
</tr>
|
81
|
+
<tr>
|
82
|
+
<td><input type="radio" name="disc" value="1" data-agent="Motivated attacker" <%= 'checked' if @dread_vector['DI'] == 1 %>/> 1</td>
|
83
|
+
<td>Hard; requires partial knowledge of internal structure, or involves guessing</td>
|
84
|
+
<td>Motivated attacker</td>
|
85
|
+
</tr>
|
86
|
+
<tr>
|
87
|
+
<td><input type="radio" name="disc" value="2" data-agent="Script kiddie, curious attacker" <%= 'checked' if @dread_vector['DI'] == 2 %>/> 2</td>
|
88
|
+
<td>Medium; details of faults like this are already in public domain and can be easily discovered using a search engine</td>
|
89
|
+
<td>Script kiddie, curious attacker</td>
|
90
|
+
</tr>
|
91
|
+
<tr>
|
92
|
+
<td><input type="radio" name="disc" value="3" data-agent="Automated malware, accidental discovery" <%= 'checked' if @dread_vector['DI'] == 3 %>/> 3</td>
|
93
|
+
<td>Low; information is visible in a browser address bar, form, or readily visible or accessible in case of physical vulnerabilities</td>
|
94
|
+
<td>Automated malware, accidental discovery</td>
|
95
|
+
</tr>
|
96
|
+
</tbody>
|
97
|
+
</table>
|
98
|
+
</section>
|
@@ -5,228 +5,45 @@
|
|
5
5
|
<p class="lead">Use this page to calculate the <abbr title="Damage potential, Reproducibility, Exploitability, Affected Users, Discoverability">DREAD</abbr> score of a given finding.</p>
|
6
6
|
|
7
7
|
<div class="row">
|
8
|
-
<div class="col-
|
8
|
+
<div class="col-8">
|
9
9
|
<h2>Impact score: <span id="impact-score">0</span></h2>
|
10
|
-
|
11
|
-
|
12
|
-
<h3>Damage Potential</h3>
|
13
|
-
<p>If a vulnerability exploit occurs, how much damage will be caused?</p>
|
14
|
-
|
15
|
-
<table class="table table-striped">
|
16
|
-
<thead>
|
17
|
-
<tr>
|
18
|
-
<th></th>
|
19
|
-
<th>Sens. Data</th>
|
20
|
-
<th>Infra.</th>
|
21
|
-
<th>Phys. access</th>
|
22
|
-
</tr>
|
23
|
-
</thead>
|
24
|
-
<tbody>
|
25
|
-
<tr>
|
26
|
-
<td>
|
27
|
-
<input type="radio" name="damage" value="0" checked /> 0
|
28
|
-
</td>
|
29
|
-
<td colspan="3">
|
30
|
-
Information leakage that could lead to compromise of sensitive data or systems
|
31
|
-
</td>
|
32
|
-
</tr>
|
33
|
-
<tr>
|
34
|
-
<td>
|
35
|
-
<input type="radio" name="damage" value="1"/> 1
|
36
|
-
</td>
|
37
|
-
<td colspan="3">
|
38
|
-
The presence of this vulnerability contributes to other vulnerabilities being exploited
|
39
|
-
</td>
|
40
|
-
</tr>
|
41
|
-
<tr>
|
42
|
-
<td>
|
43
|
-
<input type="radio" name="damage" value="2"/> 2
|
44
|
-
</td>
|
45
|
-
<td colspan="2">
|
46
|
-
Sensitive data compromised
|
47
|
-
</td>
|
48
|
-
<td>
|
49
|
-
Access to places with no critical systems
|
50
|
-
</td>
|
51
|
-
</tr>
|
52
|
-
<tr>
|
53
|
-
<td>
|
54
|
-
<input type="radio" name="damage" value="3"/> 3
|
55
|
-
</td>
|
56
|
-
<td colspan="2">
|
57
|
-
3 User account compromised System completely compromised
|
58
|
-
</td>
|
59
|
-
<td>
|
60
|
-
Access to places with critical systems
|
61
|
-
</td>
|
62
|
-
</tr>
|
63
|
-
</tbody>
|
64
|
-
</table>
|
65
|
-
|
66
|
-
<p class="alert alert-danger"><strong>NOTE</strong>: If vulnerability violates PCI compliance it is automatically marked as 3</p>
|
67
|
-
|
68
|
-
<h3>Affected users or systems</h3>
|
69
|
-
<p>How many users or systems will be affected if the vulnerability is exploited?</p>
|
70
|
-
|
71
|
-
<table class="table table-striped">
|
72
|
-
<tbody>
|
73
|
-
<tr>
|
74
|
-
<td><input type="radio" name="affected" value="0" checked/> 0</td>
|
75
|
-
<td>None</td>
|
76
|
-
</tr>
|
77
|
-
<tr>
|
78
|
-
<td><input type="radio" name="affected" value="1"/> 1</td>
|
79
|
-
<td>Less than half of the systems/users are affected</td>
|
80
|
-
</tr>
|
81
|
-
<tr>
|
82
|
-
<td><input type="radio" name="affected" value="2"/> 2</td>
|
83
|
-
<td>More than half of the systems/users are affected</td>
|
84
|
-
</tr>
|
85
|
-
<tr>
|
86
|
-
<td><input type="radio" name="affected" value="3"/> 3</td>
|
87
|
-
<td>All systems or users are affected</td>
|
88
|
-
</tr>
|
89
|
-
</tbody>
|
90
|
-
</table>
|
91
|
-
</div>
|
10
|
+
<%= render 'dradis/plugins/calculators/dread/base/impact' %>
|
92
11
|
|
93
|
-
<div class="col-4">
|
94
12
|
<h2>Likelihood score: <span id="likelihood-score">0</span></h2>
|
95
|
-
|
96
|
-
|
97
|
-
<h3>Reproducibility</h3>
|
98
|
-
<p>What kind of access is necessary to exploit this vulnerability?</p>
|
99
|
-
|
100
|
-
<table class="table table-striped">
|
101
|
-
<tbody>
|
102
|
-
<tr>
|
103
|
-
<td><input type="radio" name="repro" value="0" checked/> 0</td>
|
104
|
-
<td>Physical access to target machine</td>
|
105
|
-
</tr>
|
106
|
-
<tr>
|
107
|
-
<td><input type="radio" name="repro" value="1"/> 1</td>
|
108
|
-
<td>Valid credentials to the system</td>
|
109
|
-
</tr>
|
110
|
-
<tr>
|
111
|
-
<td><input type="radio" name="repro" value="2"/> 2</td>
|
112
|
-
<td>Same network as the victim</td>
|
113
|
-
</tr>
|
114
|
-
<tr>
|
115
|
-
<td><input type="radio" name="repro" value="3"/> 3</td>
|
116
|
-
<td>Internet access with no credentials</td>
|
117
|
-
</tr>
|
118
|
-
</tbody>
|
119
|
-
</table>
|
120
|
-
|
121
|
-
<h3>Exploitability</h3>
|
122
|
-
<p>What is needed to exploit this vulnerability?</p>
|
123
|
-
|
124
|
-
<table class="table table-striped">
|
125
|
-
<tbody>
|
126
|
-
|
127
|
-
<tr>
|
128
|
-
<td><input type="radio" name="exploit" value="0" checked/> 0</td>
|
129
|
-
<td>
|
130
|
-
<ul>
|
131
|
-
<li>Advanced programming and networking knowledge</li>
|
132
|
-
<li>Custom or advanced attack tools</li>
|
133
|
-
<li>Depends on other vulnerabilities being present which have not been discovered</li>
|
134
|
-
</ul>
|
135
|
-
</td>
|
136
|
-
</tr>
|
137
|
-
<tr>
|
138
|
-
<td><input type="radio" name="exploit" value="1"/> 1</td>
|
139
|
-
<td>Requires victim’s intervention, possibly through social engineering</td>
|
140
|
-
</tr>
|
141
|
-
<tr>
|
142
|
-
<td><input type="radio" name="exploit" value="2"/> 2</td>
|
143
|
-
<td>
|
144
|
-
<ul>
|
145
|
-
<li>Tool or malware is available on the Internet</li>
|
146
|
-
<li>Exploit is easily performed</li>
|
147
|
-
</ul>
|
148
|
-
</td>
|
149
|
-
</tr>
|
150
|
-
<tr>
|
151
|
-
<td><input type="radio" name="exploit" value="3"/> 3</td>
|
152
|
-
<td>Just a web browser or no tools necessary</td>
|
153
|
-
</tr>
|
154
|
-
</tbody>
|
155
|
-
</table>
|
156
|
-
|
157
|
-
<h3>Discoverability</h3>
|
158
|
-
<p>How easy is it to discover and exploit this vulnerability?</p>
|
159
|
-
|
160
|
-
<table class="table table-striped">
|
161
|
-
<thead>
|
162
|
-
<tr>
|
163
|
-
<th></th>
|
164
|
-
<th>Difficulty</th>
|
165
|
-
<th>Equivalent threat agent</th>
|
166
|
-
</tr>
|
167
|
-
</thead>
|
168
|
-
<tbody>
|
169
|
-
<tr>
|
170
|
-
<td><input type="radio" name="disc" value="0" checked data-agent="Organized crime, inside job"/> 0</td>
|
171
|
-
<td>Very hard to impossible; requires source code, administrative access or classified information</td>
|
172
|
-
<td>Organized crime, inside job</td>
|
173
|
-
</tr>
|
174
|
-
<tr>
|
175
|
-
<td><input type="radio" name="disc" value="1" data-agent="Motivated attacker"/> 1</td>
|
176
|
-
<td>Hard; requires partial knowledge of internal structure, or involves guessing</td>
|
177
|
-
<td>Motivated attacker</td>
|
178
|
-
</tr>
|
179
|
-
<tr>
|
180
|
-
<td><input type="radio" name="disc" value="2" data-agent="Script kiddie, curious attacker"/> 2</td>
|
181
|
-
<td>Medium; details of faults like this are already in public domain and can be easily discovered using a search engine</td>
|
182
|
-
<td>Script kiddie, curious attacker</td>
|
183
|
-
</tr>
|
184
|
-
<tr>
|
185
|
-
<td><input type="radio" name="disc" value="3" data-agent="Automated malware, accidental discovery"/> 3</td>
|
186
|
-
<td>Low; information is visible in a browser address bar, form, or readily visible or accessible in case of physical vulnerabilities</td>
|
187
|
-
<td>Automated malware, accidental discovery</td>
|
188
|
-
</tr>
|
189
|
-
</tbody>
|
190
|
-
</table>
|
13
|
+
<%= render 'dradis/plugins/calculators/dread/base/likelihood' %>
|
191
14
|
</div>
|
192
15
|
|
193
16
|
<div class="col-4">
|
194
17
|
<h2>DREAD score: <span id="dread-score">0</span></h2>
|
195
18
|
<p class="lead text-center">DREAD = (Impact + Likelihood)/2</p>
|
196
|
-
<
|
19
|
+
<textarea class="form-control" name="dread_fields" rows="28" style="width:95%">#[DreadValue]#
|
197
20
|
N/A
|
198
21
|
|
199
|
-
|
200
22
|
#[Damage]#
|
201
23
|
N/A
|
202
24
|
|
203
|
-
|
204
25
|
#[AffectedSystems]#
|
205
26
|
N/A
|
206
27
|
|
207
|
-
|
208
28
|
#[Impact]#
|
209
29
|
N/A
|
210
30
|
|
211
|
-
|
212
31
|
#[Reproducibility]#
|
213
32
|
N/A
|
214
33
|
|
215
|
-
|
216
34
|
#[Discoverability]#
|
217
35
|
N/A
|
218
36
|
|
219
|
-
|
220
37
|
#[ThreatAgent]#
|
221
38
|
N/A
|
222
39
|
|
223
|
-
|
224
40
|
#[Exploitability]#
|
225
41
|
N/A
|
226
42
|
|
227
|
-
|
228
43
|
#[Likelihood]#
|
229
44
|
N/A
|
230
|
-
|
45
|
+
|
46
|
+
|
47
|
+
</textarea>
|
231
48
|
</div>
|
232
|
-
</div>
|
49
|
+
</div>
|
@@ -0,0 +1,20 @@
|
|
1
|
+
<div class="tab-pane" id="dread-tab">
|
2
|
+
<div class="inner">
|
3
|
+
<h4 class="header-underline">DREAD Risk Scoring -
|
4
|
+
<span class="actions">
|
5
|
+
<%= link_to dread_calculator.dread_project_issue_path(current_project, @issue) do %>
|
6
|
+
<i class="fa fa-pencil"></i> Edit
|
7
|
+
<% end %>
|
8
|
+
</h4>
|
9
|
+
|
10
|
+
<div class="mb-4 content-textile">
|
11
|
+
<%=
|
12
|
+
markup(
|
13
|
+
@issue.fields
|
14
|
+
.select { |k,v| Dradis::Plugins::Calculators::DREAD::V1::FIELDS.include?(k) }
|
15
|
+
.map { |k,v| "#[#{k}]#\n#{v}" }.join("\n\n")
|
16
|
+
)
|
17
|
+
%>
|
18
|
+
</div>
|
19
|
+
</div>
|
20
|
+
</div>
|
@@ -0,0 +1,83 @@
|
|
1
|
+
<% content_for :title, 'Edit DREAD score' %>
|
2
|
+
|
3
|
+
<% content_for :sidebar do %>
|
4
|
+
<%= render 'issues/sidebar'%>
|
5
|
+
<% end %>
|
6
|
+
|
7
|
+
<div class="content-container">
|
8
|
+
<h4 class="header-underline">Edit DREAD Risk Scoring</h4>
|
9
|
+
<div id="issues_editor">
|
10
|
+
<div class="inner note-text-inner">
|
11
|
+
|
12
|
+
<%= simple_form_for [:dread, current_project, @issue], method: :patch do |f| %>
|
13
|
+
|
14
|
+
<ul class="nav nav-pills w-100" id="cvss-tabs">
|
15
|
+
<li class="nav-item">
|
16
|
+
<a href="#dread-edit-impact" data-toggle="pill" class="nav-link active">Impact: <span id="impact-score">0</span></a>
|
17
|
+
</li>
|
18
|
+
<li class="nav-item">
|
19
|
+
<a href="#dread-edit-likelihood" data-toggle="pill" class="nav-link">Likelihood: <span id="likelihood-score">0</span></a>
|
20
|
+
</li>
|
21
|
+
<li class="nav-item pull-right">
|
22
|
+
<a href="#dread-edit-result" data-toggle="pill" class="nav-link">Result: <span id="dread-score">0</span></a>
|
23
|
+
</li>
|
24
|
+
</ul>
|
25
|
+
|
26
|
+
<div class="tab-content mt-4">
|
27
|
+
<div class="tab-pane active" id="dread-edit-impact">
|
28
|
+
<%= render 'dradis/plugins/calculators/dread/base/impact' %>
|
29
|
+
</div>
|
30
|
+
<div class="tab-pane" id="dread-edit-likelihood">
|
31
|
+
<%= render 'dradis/plugins/calculators/dread/base/likelihood' %>
|
32
|
+
</div>
|
33
|
+
|
34
|
+
<div class="tab-pane" id="dread-edit-result">
|
35
|
+
<p class="lead text-center">DREAD = (Impact + Likelihood)/2</p>
|
36
|
+
|
37
|
+
<textarea class="form-control" name="dread_fields" rows="10" style="width:95%">#[DreadValue]#
|
38
|
+
N/A
|
39
|
+
|
40
|
+
|
41
|
+
#[Damage]#
|
42
|
+
N/A
|
43
|
+
|
44
|
+
|
45
|
+
#[AffectedSystems]#
|
46
|
+
N/A
|
47
|
+
|
48
|
+
|
49
|
+
#[Impact]#
|
50
|
+
N/A
|
51
|
+
|
52
|
+
|
53
|
+
#[Reproducibility]#
|
54
|
+
N/A
|
55
|
+
|
56
|
+
|
57
|
+
#[Discoverability]#
|
58
|
+
N/A
|
59
|
+
|
60
|
+
|
61
|
+
#[ThreatAgent]#
|
62
|
+
N/A
|
63
|
+
|
64
|
+
|
65
|
+
#[Exploitability]#
|
66
|
+
N/A
|
67
|
+
|
68
|
+
|
69
|
+
#[Likelihood]#
|
70
|
+
N/A
|
71
|
+
|
72
|
+
</textarea>
|
73
|
+
</div>
|
74
|
+
</div>
|
75
|
+
|
76
|
+
<div class="form-actions">
|
77
|
+
<%= f.button :submit, nil, class: 'btn btn-primary' %> or
|
78
|
+
<%= link_to 'Cancel', main_app.project_issue_path(current_project, @issue), class: 'cancel-link' %>
|
79
|
+
</div>
|
80
|
+
<% end %>
|
81
|
+
</div>
|
82
|
+
</div>
|
83
|
+
</div>
|
@@ -3,6 +3,7 @@
|
|
3
3
|
<head>
|
4
4
|
<title>DREAD Score Calculator | Dradis Framework</title>
|
5
5
|
<%= stylesheet_link_tag 'dradis/plugins/calculators/dread/manifests/application', media: 'all', 'data-turbolinks-track' => true %>
|
6
|
+
<%= javascript_include_tag 'dradis/plugins/calculators/dread/manifests/application', 'data-turbolinks-track' => true %>
|
6
7
|
<%= csrf_meta_tags %>
|
7
8
|
|
8
9
|
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
@@ -13,18 +14,14 @@
|
|
13
14
|
<a href="javascript:void(0)" class="navbar-brand">DREAD score calculator</a>
|
14
15
|
<ul class="navbar-nav pull-right">
|
15
16
|
<li class="nav-item">
|
16
|
-
<%= link_to main_app.root_path, class: 'nav-link' do %>
|
17
|
+
<%= link_to main_app.root_path, class: 'nav-link', data: { turbolinks: false } do %>
|
17
18
|
Back to the app →
|
18
19
|
<% end %>
|
19
20
|
</li>
|
20
21
|
</ul>
|
21
22
|
</nav>
|
22
|
-
<%= yield%>
|
23
|
-
</div>
|
24
23
|
|
25
|
-
|
26
|
-
<%= debug main_app.methods(false).sort %>
|
24
|
+
<%= yield %>
|
27
25
|
</div>
|
28
|
-
<%= javascript_include_tag 'dradis/plugins/calculators/dread/manifests/application', 'data-turbolinks-track' => true %>
|
29
26
|
</body>
|
30
|
-
</html>
|
27
|
+
</html>
|
data/config/routes.rb
CHANGED
@@ -1,3 +1,12 @@
|
|
1
1
|
Dradis::Plugins::Calculators::DREAD::Engine.routes.draw do
|
2
|
-
get '/dread' =>
|
3
|
-
|
2
|
+
get '/calculators/dread' => 'base#index'
|
3
|
+
|
4
|
+
resources :projects, only: [] do
|
5
|
+
resources :issues, only: [] do
|
6
|
+
member do
|
7
|
+
get 'dread' => 'issues#edit'
|
8
|
+
patch 'dread' => 'issues#update'
|
9
|
+
end
|
10
|
+
end
|
11
|
+
end
|
12
|
+
end
|
@@ -25,7 +25,7 @@ Gem::Specification.new do |spec|
|
|
25
25
|
# versions of Rails (a sure recipe for disaster, I'm sure), which is needed
|
26
26
|
# until we bump Dradis Pro to 4.1.
|
27
27
|
# s.add_dependency 'rails', '~> 4.1.1'
|
28
|
-
spec.add_dependency 'dradis-plugins', '~>
|
28
|
+
spec.add_dependency 'dradis-plugins', '~> 4.0.0'
|
29
29
|
|
30
30
|
spec.add_development_dependency 'bundler', '~> 1.6'
|
31
31
|
spec.add_development_dependency 'rake', '~> 10.0'
|
@@ -4,10 +4,14 @@ module Dradis::Plugins::Calculators::DREAD
|
|
4
4
|
|
5
5
|
include Dradis::Plugins::Base
|
6
6
|
provides :addon
|
7
|
-
description '
|
7
|
+
description 'Risk Calculators: DREAD'
|
8
8
|
|
9
9
|
initializer 'calculator_dread.asset_precompile_paths' do |app|
|
10
|
-
app.config.assets.precompile += [
|
10
|
+
app.config.assets.precompile += [
|
11
|
+
'dradis/plugins/calculators/dread/manifests/application.css',
|
12
|
+
'dradis/plugins/calculators/dread/manifests/application.js',
|
13
|
+
'dradis/plugins/calculators/dread/manifests/tylium.js'
|
14
|
+
]
|
11
15
|
end
|
12
16
|
|
13
17
|
initializer "calculator_dread.inflections" do |app|
|
@@ -18,7 +22,7 @@ module Dradis::Plugins::Calculators::DREAD
|
|
18
22
|
|
19
23
|
initializer 'calculator_dread.mount_engine' do
|
20
24
|
Rails.application.routes.append do
|
21
|
-
mount Dradis::Plugins::Calculators::DREAD::Engine => '/
|
25
|
+
mount Dradis::Plugins::Calculators::DREAD::Engine => '/', as: :dread_calculator
|
22
26
|
end
|
23
27
|
end
|
24
28
|
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: dradis-calculator_dread
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version:
|
4
|
+
version: 4.0.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Daniel Martin
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2021-08-03 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: dradis-plugins
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - "~>"
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version:
|
19
|
+
version: 4.0.0
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - "~>"
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version:
|
26
|
+
version: 4.0.0
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: bundler
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
@@ -69,12 +69,19 @@ files:
|
|
69
69
|
- README.md
|
70
70
|
- Rakefile
|
71
71
|
- app/assets/javascripts/dradis/plugins/calculators/dread/calculator.js.coffee
|
72
|
-
- app/assets/javascripts/dradis/plugins/calculators/dread/manifests/application.js
|
72
|
+
- app/assets/javascripts/dradis/plugins/calculators/dread/manifests/application.js
|
73
|
+
- app/assets/javascripts/dradis/plugins/calculators/dread/manifests/tylium.js
|
73
74
|
- app/assets/stylesheets/dradis/plugins/calculators/dread/manifests/application.css.scss
|
74
75
|
- app/controllers/dradis/plugins/calculators/dread/base_controller.rb
|
76
|
+
- app/controllers/dradis/plugins/calculators/dread/issues_controller.rb
|
77
|
+
- app/models/dradis/plugins/calculators/dread/v1.rb
|
75
78
|
- app/views/dradis/plugins/calculators/dread/_addons_menu.html.erb
|
76
|
-
- app/views/dradis/plugins/calculators/dread/
|
79
|
+
- app/views/dradis/plugins/calculators/dread/base/_impact.html.erb
|
80
|
+
- app/views/dradis/plugins/calculators/dread/base/_likelihood.html.erb
|
77
81
|
- app/views/dradis/plugins/calculators/dread/base/index.html.erb
|
82
|
+
- app/views/dradis/plugins/calculators/dread/issues/_show-content.html.erb
|
83
|
+
- app/views/dradis/plugins/calculators/dread/issues/_show-tabs.html.erb
|
84
|
+
- app/views/dradis/plugins/calculators/dread/issues/edit.html.erb
|
78
85
|
- app/views/layouts/dradis/plugins/calculators/dread/base.html.erb
|
79
86
|
- config/routes.rb
|
80
87
|
- dradis-calculator_dread.gemspec
|
@@ -101,7 +108,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
101
108
|
- !ruby/object:Gem::Version
|
102
109
|
version: '0'
|
103
110
|
requirements: []
|
104
|
-
rubygems_version: 3.
|
111
|
+
rubygems_version: 3.1.4
|
105
112
|
signing_key:
|
106
113
|
specification_version: 4
|
107
114
|
summary: This plugin adds a DREAD score calculator to Dradis.
|
@@ -1 +0,0 @@
|
|
1
|
-
<%= link_to 'Risk Calculators - DREAD', dread_calculator.dread_path, class: 'dropdown-item' %>
|