dradis-netsparker 3.12.0 → 3.13.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 9dd196e151bf9ca25d8cb0db7c567d6a5304be1e
-  data.tar.gz: a5089c0007bac27aa333e6358a470305f7b11acf
+  metadata.gz: 3c208fd09188d0fec2b5898d52bf9c7e600dadf8
+  data.tar.gz: 6dcece49ce83c7b127d7ecd69a1b413877fff868
 SHA512:
-  metadata.gz: 32516dccc206766d06f5355dd17dc059af39414fc11371376d3673a5599814d783ad56fb27b8f5a0f859a46e721c6df9d361c52cced8318b8ebb5e22caa1622b
-  data.tar.gz: fab2932b1293e827b10a25d78b89af5a8f7dcdc51b15dc8d1818839274534fbb02e0fa32d02e9277a3bec81cd44a22715d1551bc11a00b83dbcc16d95adc4ac3
+  metadata.gz: c9a3c156f2cb35e4ed97a7ac49041fa35d5156b1769aa30e9d3cd0febab83b59fe3d3f476383925de93f2531db2c7fbbb699cbc01041563017839d0efdd53120
+  data.tar.gz: aa5396878ddb4bc18e9e960f87f4cfc150c8af85e3e4c79450d5b75156f5cd74318bb6f389698683034dbcb68117b131d68f03eeb22a6ae4a7fd29d7d688e95b

data/CHANGELOG.md

@@ -1,3 +1,8 @@
+## Dradis Framework 3.13 (June, 2019)
+
+* Add Known Vulnerabilities and OWASP 2017 Classification as available Issue fields
+* Add :vulnerableparameter, :vulnerableparametertype, and :vulnerableparametervalue Evidence fields
+
 ## Dradis Framework 3.12 (March, 2019)
 
 * Change alphabetical lists to bullet lists

data/lib/dradis/plugins/netsparker/gem_version.rb

@@ -8,7 +8,7 @@ module Dradis
 
       module VERSION
         MAJOR = 3
-        MINOR = 12
+        MINOR = 13
         TINY = 0
         PRE = nil
 

data/lib/netsparker/vulnerability.rb

@@ -24,11 +24,13 @@ module Netsparker
 
         # simple tags
         :actions_to_take, :certainty, :description, :external_references,
-        :extrainformation, :impact, :rawrequest, :rawresponse, :remedy,
+        :extrainformation, :impact, :knownvulnerabilities, 
+        :rawrequest, :rawresponse, :remedy,
         :remedy_references, :required_skills_for_exploitation, :severity,
         :type, :url,
 
         # tags that correspond to Evidence
+        :vulnerableparameter, :vulnerableparametertype, :vulnerableparametervalue,
 
         # nested tags
         :classification_capec,
@@ -39,7 +41,7 @@ module Netsparker
         :classification_cvss_temporal_value, :classification_cvss_temporal_severity,
 
         :classification_cwe, :classification_hipaa,
-        :classification_owasp2013, :classification_owasppc,
+        :classification_owasp2013, :classification_owasp2017, :classification_owasppc,
         :classification_pci31, :classification_pci32, :classification_wasc,
 
         # multiple tags
@@ -86,6 +88,7 @@ module Netsparker
         classification_cvss_temporal_severity:      "classification/CVSS/score/type[text()='Temporal']/../severity",
         classification_hipaa:                       'classification/HIPAA',
         classification_owasp2013:                   'classification/OWASP2013',
+        classification_owasp2017:                   'classification/OWASP2017',
         classification_owasppc:                     'classification/OWASPPC',
         classification_pci31:                       'classification/PCI31',
         classification_pci32:                       'classification/PCI32',

data/templates/evidence.fields

@@ -1,3 +1,6 @@
 evidence.rawrequest
 evidence.rawresponse
 evidence.url
+evidence.vulnerableparameter
+evidence.vulnerableparametertype
+evidence.vulnerableparametervalue

data/templates/evidence.sample

@@ -6,6 +6,9 @@
   ​<description><![CDATA[<p>Netsparker detected a missing <code>X-XSS-Protection</code> header which means that this website could be at risk of a Cross-site Scripting (XSS) attacks.</p>]]></description>
   <remedy><![CDATA[<div>Add the X-XSS-Protection header with a value of "1; mode= block".<ul><li><pre class="code">X-XSS-Protection: 1; mode=block</pre></li></ul></div>]]></remedy>
 
+  <vulnerableparametertype>GET</vulnerableparametertype>
+  <vulnerableparameter>value</vulnerableparameter>
+  <vulnerableparametervalue>1;expr 268409241 - 85983;x</vulnerableparametervalue>
   <rawrequest><![CDATA[GET /javascripts/responsive.js HTTP/1.1
 Host: test.testlab.com:3000
 Cache-Control: no-cache

data/templates/evidence.template

@@ -6,3 +6,12 @@ bc.. %evidence.rawrequest%
 
 #[Response]#
 bc.. %evidence.rawresponse%
+
+#[VulnerableParameter]#
+bc. %evidence.vulnerableparameter%
+
+#[VulnerableParameterType]#
+bc. %evidence.vulnerableparametertype%
+
+#[VulnerableParameterValue]#
+bc. %evidence.vulnerableparametervalue%

data/templates/issue.fields

@@ -11,6 +11,7 @@ issue.classification_cvss_temporal_severity
 issue.classification_cwe
 issue.classification_hipaa
 issue.classification_owasp2013
+issue.classification_owasp2017
 issue.classification_owasppc
 issue.classification_pci31
 issue.classification_pci32
@@ -19,6 +20,7 @@ issue.description
 issue.external_references
 issue.extrainformation
 issue.impact
+issue.knownvulnerabilities
 issue.remedy
 issue.remedy_references
 issue.required_skills_for_exploitation

data/templates/issue.sample

@@ -51,7 +51,8 @@ function openFlyout() {
 
 
   <classification>
-    <OWASP2013></OWASP2013>
+    <OWASP2013>A2</OWASP2013>
+    <OWASP2017>A1</OWASP2017>
     <WASC></WASC>
     <CWE></CWE>
     <CAPEC></CAPEC>
@@ -79,5 +80,14 @@ function openFlyout() {
       </score>
     </CVSS>
   </classification>
+  
+  <knownvulnerabilities>
+    <knownvulnerability>
+      <title>Apache Denial of Service Vulnerabillity</title>
+      <severity>Low</severity>
+      <references>CVE-2013-1896</references>
+      <affectedversions>2.2.2 to 2.2.21</affectedversions>
+    </knownvulnerability>
+  </knownvulnerabilities>
 
 </vulnerability>

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dradis-netsparker
 version: !ruby/object:Gem::Version
-  version: 3.12.0
+  version: 3.13.0
 platform: ruby
 authors:
 - Daniel Martin
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-04-01 00:00:00.000000000 Z
+date: 2019-06-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dradis-plugins