dradis-ntospider 4.0.0 → 4.3.0
- checksums.yaml +4 -4
- data/.gitignore +4 -0
- data/.rspec +2 -0
- data/CHANGELOG.md +42 -51
- data/CHANGELOG.template +12 -0
- data/README.md +5 -0
- data/dradis-ntospider.gemspec +6 -3
- data/lib/dradis/plugins/ntospider/field_processor.rb +5 -1
- data/lib/dradis/plugins/ntospider/gem_version.rb +1 -1
- data/lib/dradis/plugins/ntospider/importer.rb +10 -7
- data/lib/dradis-ntospider.rb +1 -0
- data/lib/ntospider/attack.rb +75 -0
- data/lib/ntospider/vuln.rb +24 -9
- data/spec/fixtures/files/VulnerabilitiesSummary.xml +484 -379
- data/spec/ntospider_import_spec.rb +87 -0
- data/spec/spec_helper.rb +10 -0
- data/templates/evidence.fields +13 -4
- data/templates/evidence.sample +28 -198
- data/templates/evidence.template +11 -8
- data/templates/vuln.fields +14 -0
- data/templates/vuln.sample +134 -197
- data/templates/vuln.template +3 -3
- metadata +61 -12
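--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 1987331dcc279d1c8dd41c450b72c73c89f6b3f1b40db57ab432875367543016
+data.tar.gz: 07e3f53cf6f9f99f3c311293b2b00bf309860973ee3c6e768b0471fd5abc42c4
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 97be744805f078429d5a7767cf345d44094ada49a08c9ee40b51ac26d33a956a29cd73be89df0d7b043b16ff71a77bebaf050dcf6884fbb68a08895232b6ab32
+data.tar.gz: 7bc9eb986d36009dc49bcdb194edcaa4a1b6d92f263f0127db7468033156035f2c03622608395061670597abb43d9512471a9580abab2ce1dc97a564daf1f7c4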
data/.gitignore
CHANGED
data/.rspec
ADDED
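--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,71 +1,62 @@
-
+v4.3.0 (April 2022)
+- Expose additional fields for use in both Issue and Evidence.
 
-
+v4.2.0 (February 2022)
+- No changes
 
-
+v4.1.0 (November 2021)
+- No changes
 
-
+v4.0.0 (July 2021)
+- No changes
 
-
+v3.22.0 (April 2021)
+- No changes
 
-
+v3.21.0 (February 2021)
+- No changes
 
-
+v3.20.0 (December 2020)
+- No changes
 
-
+v3.19.0 (September 2020)
+- No changes
 
-
+v3.18.0 (July 2020)
+- No changes
 
-
+v3.17.0 (May 2020)
+- No changes
 
-
+v3.16.0 (February 2020)
+- No changes
 
-
+v3.15.0 (November 2019)
+- No changes
 
-
+v3.14.0 (August 2019)
+- No changes
 
-
+v3.13.0 (June 2019)
+- No changes
 
-
+v3.12.0 (March 2019)
+- No changes
 
-
+v3.11.0 (November 2018)
+- No changes
 
-
+v3.10.0 (August 2018)
+- No changes
 
-
+v3.9.0 (January 2018)
+- No changes
 
-
+v3.8.0 (September 2017)
+- No changes
 
-
+v3.7.0 (July 2017)
+- No changes
 
-
-
-* No changes.
-
-## Dradis Framework 3.12 (March, 2019) ##
-
-* No changes.
-
-## Dradis Framework 3.11 (November, 2018) ##
-
-* No changes.
-
-## Dradis Framework 3.10 (August, 2018) ##
-
-* No changes.
-
-## Dradis Framework 3.9 (January, 2018) ##
-
-* No changes.
-
-## Dradis Framework 3.8 (September, 2017) ##
-
-* No changes.
-
-## Dradis Framework 3.7 (July, 2017) ##
-
-* No changes.
-
-## Dradis Framework 3.6 (March, 2017) ##
-
-* No changes.
+v3.6.0 (March 2017)
+- No changes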
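--- a/data/CHANGELOG.template
+++ b/data/CHANGELOG.template
@@ -0,0 +1,12 @@
+[v#.#.#] ([month] [YYYY])
+- [future tense verb] [feature]
+- Upgraded gems:
+- [gem]
+- Bugs fixes:
+- [future tense verb] [bug fix]
+- Bug tracker items:
+- [item]
+- Security Fixes:
+- High: (Authenticated|Unauthenticated) (admin|author|contributor) [vulnerability description]
+- Medium: (Authenticated|Unauthenticated) (admin|author|contributor) [vulnerability description]
+- Low: (Authenticated|Unauthenticated) (admin|author|contributor) [vulnerability description]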
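--- a/data/README.md
+++ b/data/README.md
@@ -17,6 +17,11 @@ See the Dradis Framework's [README.md](https://github.com/dradis/dradisframework
 See the Dradis Framework's [CONTRIBUTING.md](https://github.com/dradis/dradisframework/blob/master/CONTRIBUTING.md)
 
 
+## Contributors
+
+- Michael Gargiullo
+
+
 ## License
 
 Dradis Framework and all its components are released under [GNU General Public License version 2.0](http://www.gnu.org/licenses/old-licenses/gpl-2.0.html) as published by the Free Software Foundation and appearing in the file LICENSE included in the packaging of this file.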
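--- a/data/dradis-ntospider.gemspec
+++ b/data/dradis-ntospider.gemspec
@@ -25,8 +25,11 @@ Gem::Specification.new do |spec|
 # versions of Rails (a sure recipe for disaster, I'm sure), which is needed
 # until we bump Dradis Pro to 4.1.
 # s.add_dependency 'rails', '~> 4.1.1'
-spec.add_dependency 'dradis-plugins', '~> 4.0
+spec.add_dependency 'dradis-plugins', '~> 4.0'
 
-spec.add_development_dependency 'bundler'
-spec.add_development_dependency '
+spec.add_development_dependency 'bundler'
+spec.add_development_dependency 'byebug'
+spec.add_development_dependency 'rake'
+spec.add_development_dependency 'rspec-rails'
+spec.add_development_dependency 'combustion'
 end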
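--- a/data/lib/dradis/plugins/ntospider/field_processor.rb
+++ b/data/lib/dradis/plugins/ntospider/field_processor.rb
@@ -2,7 +2,11 @@ module Dradis::Plugins::NTOSpider
 class FieldProcessor < Dradis::Plugins::Upload::FieldProcessor
 
 def post_initialize(args={})
-
+if data.name == 'Vuln'
+@nto_object = ::NTOSpider::Vuln.new(data)
+else
+@nto_object = ::NTOSpider::Attack.new(data)
+end
 end
 
 def value(args={})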
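--- a/data/lib/dradis/plugins/ntospider/importer.rb
+++ b/data/lib/dradis/plugins/ntospider/importer.rb
@@ -53,13 +53,16 @@ module Dradis::Plugins::NTOSpider
 )
 issue = content_service.create_issue text: issue_text, id: plugin_id
 
-
-
-
-
-
-
-
+# App Spider can provide multiple pieces of evidence for an issue.
+xml_vuln.xpath('./AttackList/Attack').each do |attack_xml|
+logger.info{ "\t\t => Creating new evidence" }
+evidence_content = template_service.process_template(
+template: 'evidence', data: attack_xml
+)
+content_service.create_evidence(
+issue: issue, node: host_node, content: evidence_content
+)
+end
 end
 
 true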
data/lib/dradis-ntospider.rb
CHANGED
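--- a/data/lib/ntospider/attack.rb
+++ b/data/lib/ntospider/attack.rb
@@ -0,0 +1,75 @@
+module NTOSpider
+# This class represents each of the vulnerabilities reported in the
+# AppSpider VulnerabilitiesSummary.xml file as
+# <AttackList/Attack> entities.
+class Attack
+attr_accessor :xml
+# Accepts an XML node from Nokogiri::XML.
+def initialize(xml_node)
+@xml = xml_node
+end
+
+# List of supported tags. They can be attributes, simple descendants or
+# collections (e.g. <references/>, <tags/>)
+def supported_tags
+[
+# attributes
+
+# simple tags
+:attack_config_description, :attack_description, :attack_id,
+:attack_matched_string, :attack_post_params, :attack_user_notes,
+:attack_value, :attack_vuln_url, :original_response_code,
+:original_value,
+
+# nested tags
+:attack_request, :attack_response, :benign
+]
+end
+
+# This allows external callers (and specs) to check for implemented
+# properties
+def respond_to?(method, include_private=false)
+return true if supported_tags.include?(method.to_sym)
+super
+end
+
+# This method is invoked by Ruby when a method that is not defined in this
+# instance is called.
+#
+# In our case we inspect the @method@ parameter and try to find the
+# attribute, simple descendent or collection that it maps to in the XML
+# tree.
+def method_missing(method, *args)
+# We could remove this check and return nil for any non-recognized tag.
+# The problem would be that it would make tricky to debug problems with
+# typos. For instance: <>.potr would return nil instead of raising an
+# exception
+unless supported_tags.include?(method)
+super
+return
+end
+
+# First we try the attributes. In Ruby we use snake_case, but in XML
+# CamelCase is used for some attributes
+translations_table = {
+attack_request: 'AttackRequestList/AttackRequest/Request',
+attack_response: 'AttackRequestList/AttackRequest/Response',
+benign: 'AttackRequestList/AttackRequest/Benign'
+}
+
+method_name = translations_table.fetch(method, method.to_s.camelcase)
+
+# no attributes in the <attack> node
+# return @xml.attributes[method_name].value if @xml.attributes.key?(method_name)
+
+# Then we try simple children tags: name, type, ...
+tag = @xml.at_xpath("./#{method_name}")
+if tag && !tag.text.blank?
+return tag.text
+else
+# nothing found, the tag is valid but not present in this Attack
+return nil
+end
+end
+end
+end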
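Review bot: `respond_to?` is overridden at new line 31 to advertise the dynamic tags, but the Ruby convention for `method_missing`-backed attributes is `respond_to_missing?`, which also makes `Object#method` and `public_send` introspection agree with `method_missing`; replace it with `def respond_to_missing?(method, include_private = false)` / `supported_tags.include?(method.to_sym) || super` / `end`. In `method_missing` the `return` after `super` on line 49 is dead, since `super` raises `NoMethodError` for a tag outside `supported_tags`. The same `respond_to?` pattern appears to exist in `vuln.rb` (its comment is visible in that section), so the change would ideally land in both classes together. The interpolation into `at_xpath` on line 66 is safe as written only because `method_name` is constrained to the whitelist above; a comment saying so would stop a future "accept any tag" change from turning it into XPath injection.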
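--- a/data/lib/ntospider/vuln.rb
+++ b/data/lib/ntospider/vuln.rb
@@ -22,12 +22,18 @@ module NTOSpider
 
 # simple tags
 :attack_class, :attack_score, :attack_type, :attack_value, :capec,
-:cwe_id, :description, :dissa_asc, :
-:
-:
+:confidence, :cwe_id, :description, :dissa_asc, :html_entity_attacked,
+:normalized_url, :oval, :owasp2007, :owasp2010, :owasp2013, :owasp2017,
+:page, :recommendation, :scan_date,
+:statistically_prevalent_original_response_code, :url, :vuln_method,
+:vuln_param, :vuln_param_type, :vuln_type, :vuln_url, :wasc, :web_site,
+:web_site_ip,
+
 # nested tags
+:imperva_bl, :imperva_wl, :mod_security_bl, :mod_security_wl,
+:pcre_regex_bl, :pcre_regex_wl, :snort_bl, :snort_wl
 ]
-end
+end
 
 # This allows external callers (and specs) to check for implemented
 # properties
@@ -55,18 +61,28 @@ end
 # First we try the attributes. In Ruby we use snake_case, but in XML
 # CamelCase is used for some attributes
 translations_table = {
-capec:
+capec: 'CAPEC',
 dissa_asc: 'DISSA_ASC',
+imperva_bl: 'DefenseBL/Imperva',
+imperva_wl: 'DefenseWL/Imperva',
+mod_security_bl: 'DefenseBL/ModSecurity',
+mod_security_wl: 'DefenseWL/ModSecurity',
+oval: 'OVAL',
 owasp2007: 'OWASP2007',
 owasp2010: 'OWASP2010',
 owasp2013: 'OWASP2013',
-
-
+owasp2017: 'OWASP2017',
+pcre_regex_bl: 'DefenseBL/PcreRegex',
+pcre_regex_wl: 'DefenseWL/PcreRegex',
+snort_bl: 'DefenseBL/Snort',
+snort_wl: 'DefenseWL/Snort',
+wasc: 'WASC',
+web_site_ip: 'WebSiteIP'
 }
 
 method_name = translations_table.fetch(method, method.to_s.camelcase)
 
-# no attributes in the <
+# no attributes in the <Vuln> node
 # return @xml.attributes[method_name].value if @xml.attributes.key?(method_name)
 
 # Then we try simple children tags: name, type, ...
@@ -113,6 +129,5 @@ end
 def tags_with_html_content
 [:description, :recommendation]
 end
-
 end
 end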
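Review bot: The `translations_table` literal extended at new lines 64-80 is rebuilt on every dynamic attribute lookup, since it sits inside the `method_missing` body whose header lies outside this hunk; hoisting it to a frozen class-level constant, `TRANSLATIONS = { capec: 'CAPEC', … }.freeze` with `method_name = TRANSLATIONS.fetch(method) { method.to_s.camelcase }`, avoids the per-call allocation and makes the tag map visible to readers and specs. The newly exposed `DefenseBL`/`DefenseWL` entries (Imperva, ModSecurity, PCRE, Snort) presumably carry literal WAF rule and regex text, and none of the new tags is added to `tags_with_html_content` in the third hunk, so confirm how the templates render them: rule text containing `<`, `&` or `"` must be escaped or code-fenced rather than interpolated as markup. This is inferred from the field names; the XML fixture is not shown on this page.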