gauntlt 0.1.0 → 0.1.1

data/.gitmodules

@@ -4,3 +4,6 @@
 [submodule "vendor/sqlmap"]
 	path = vendor/sqlmap
 	url = https://github.com/sqlmapproject/sqlmap.git
+[submodule "vendor/Garmr"]
+	path = vendor/Garmr
+	url = https://github.com/freddyb/Garmr.git

data/.travis.yml

@@ -1,15 +1,15 @@
 language: ruby
 rvm:
   - 1.9.3
-  - jruby-1.7.0
+  - jruby-head
 before_install:
   - git submodule update --init --recursive
 before_script:
   - sudo apt-get install nmap
   - export SSLYZE_PATH="/home/vagrant/builds/thegauntlet/gauntlt/vendor/sslyze/sslyze.py"
   - export SQLMAP_PATH="/home/vagrant/builds/thegauntlet/gauntlt/vendor/sqlmap/sqlmap.py"
-
+  - 'cd vendor/Garmr && sudo python setup.py install && sudo easy_install BeautifulSoup && cd ../..'
 
 matrix:
   allow_failures:
-    - rvm: jruby-1.7.0
+    - rvm: jruby-head

data/README.md

@@ -10,6 +10,8 @@ Have questions?  Ask us anything on the [gauntlt google group](http://bit.ly/gau
 
 ## GET STARTED
 
+Note: if you are new to gauntlt, have a look at [gauntlt-starter-kit](https://github.com/thegauntlet/gauntlt-starter-kit), which is the easiest way to get up and running with gauntlt.
+
 You will need ruby version `1.9.3` to run gauntlt, but you can run gauntlt against applications built with any language or platform.
 
 1. Install the gem

data/examples/curl/cookies.attack

@@ -5,7 +5,10 @@ Background:
   And the target hostname is "google.com"
 
 Scenario: Verify server is returning the cookies expected
-  When I launch a "cookies" attack
+  When I launch a "curl" attack with:
+    """
+    curl --include --location --head --silent <hostname>
+    """
   Then the following cookies should be received:
     | name | secure | _rest              |
     | PREF | false  | {}                 |

data/examples/curl/simple.attack

@@ -5,5 +5,11 @@ Background:
   And the target hostname is "google.com"
 
 Scenario: Verify a 301 is received from a curl
-  When I launch a "curl" attack
-  Then the response code should be "301"
+  When I launch a "curl" attack with:
+    """
+    curl --silent --output /dev/null --write-out "%{http_code}" <hostname>
+    """
+  Then it should pass with exactly:
+    """
+    301
+    """

data/examples/garmr/garmr.attack

@@ -0,0 +1,13 @@
+Feature: Run garmr scan on a URL
+
+Scenario: Use Garmr to scan a website for basic security requirements
+  Given "garmr" is installed
+  And the target URL is "http://localhost:9292/inline-js"
+  When I launch a "garmr" attack with:
+    """
+    garmr -u <target_url>
+    """
+  Then it should pass with:
+    """
+    [Garmr.corechecks.InlineJS] Fail Inline JavaScript found
+    """

data/examples/sqlmap/sqlmap.attack

@@ -6,7 +6,7 @@ Scenario: Identify SQL injection vulnerabilities
   And the target URL is "http://localhost:9292/sql-injection?number_id=1"
   When I launch a "sqlmap" attack with:
     """
-      python <sqlmap_path> -u <target_url> --dbms sqlite --batch -v 0
+    python <sqlmap_path> -u <target_url> --dbms sqlite --batch -v 0
     """
   Then the output should contain:
     """

data/examples/sslyze/sslyze.attack

@@ -7,7 +7,7 @@ Background:
 Scenario: Ensure no anonymous certificates
   When I launch an "sslyze" attack with:
     """
-      python <sslyze_path> <hostname>:443
+    python <sslyze_path> <hostname>:443
     """
   Then the output should not contain:
     """

data/features/attacks/curl.feature

@@ -1,3 +1,4 @@
+@slow
 Feature: HTTP attacks
   Background:
     Given an attack "curl" exists

data/features/attacks/garmr.feature

@@ -0,0 +1,15 @@
+Feature: Garmr scan
+  Background:
+    Given an attack "curl" exists
+    And scapegoat is running on port 9292
+    And an attack "garmr" exists
+    And I copy the attack files from the "examples/garmr" folder
+    And the following attack files exist:
+      | filename      |
+      | garmr.attack  |
+    When I run `gauntlt`
+    Then it should pass with:
+      """
+      4 steps (4 passed)
+      """
+    And scapegoat should quit

data/features/attacks/generic.feature

@@ -1,3 +1,4 @@
+@slow
 Feature: Generic
   Background:
     Given an attack "generic" exists

data/features/support/scapegoat/scapegoat.rb

@@ -28,23 +28,13 @@ SQL
   end
 
   class Gauntlt::Scapegoat < Sinatra::Base
-    get '/' do
-      content_type :text
-
-      <<-EOS
-
-    ______________________
-   < Welcome to scapegoat >
-    ----------------------
-        \\
-         \\  (__)
-            (\\/)
-     /-------\\/
-    / |     ||
-   /  ||----||
-      ~~    ~~
+    helpers do
+      def page_title
+      end
+    end
 
-EOS
+    get '/' do
+      erb :index
     end
 
     # sqlmap.py -u "http://localhost:9292/sql-injection?number_id=1"  --dbms sqlite
@@ -60,6 +50,10 @@ EOS
       erb :sqlmap, :locals => {:result => result}
     end
 
+    get '/inline-js' do
+      erb :inline_js
+    end
+    
     run! if app_file == $0
   end
 end

data/features/support/scapegoat/views/index.erb

@@ -0,0 +1,17 @@
+<pre>
+
+    ______________________
+   < Welcome to scapegoat >
+    ----------------------
+        \\
+         \\  (__)
+            (\\/)
+     /-------\\/
+    / |     ||
+   /  ||----||
+      ~~    ~~
+
+
+Available goats:     * <a href="/sql-injection">sql-goat</a>
+                     * <a href="/inline-js">inline js</a>
+</pre>

data/features/support/scapegoat/views/inline_js.erb

@@ -0,0 +1,3 @@
+<script>
+  alert("hi from inline javascript");
+</script>

data/features/support/scapegoat/views/layout.erb

@@ -1,3 +1,10 @@
 <html>
-  <%= yield %>
-</html>
+  <head>
+    <title>
+      <%= page_title || 'scapegoat' %>
+    </title>
+  </head>
+  <body>
+    <%= yield %>
+  </body>
+</html>

data/lib/gauntlt/attack_adapters/curl.rb

@@ -2,33 +2,15 @@ When /^"curl" is installed$/ do
   ensure_cli_installed("curl")
 end
 
-When /^I launch a "curl" attack$/ do
-  # curl custom output
-  # from:
-  #   http://beerpla.net/2010/06/10/how-to-display-just-the-http-response-code-in-cli-curl/
-  #
-  # for more output variables, see:
-  #   http://man.he.net/man1/curl
-  @raw_response = `curl --silent --output /dev/null --write-out "%{http_code}" "#{hostname}"`
-  @response = {
-    :code => @raw_response
-  }
-end
-
 When /^I launch a "curl" attack with:$/ do |command|
   command.gsub!('<hostname>', hostname)
   run command
-end
-
-Then /^the response code should be "(.*?)"$/ do |http_code|
-  @response[:code].should == http_code
-end
-
-When /^I launch a "cookies" attack$/ do
-  set_cookies( cookies_for(hostname) )
+  @raw_curl_response = all_output # aruba defines all_output
 end
 
 Then /^the following cookies should be received:$/ do |table|
+  set_cookies( cookies_for_last_curl_request )
+
   names = table.hashes.map{|h| h['name'] }
   names.each do |name|
     cookies.any?{|s| s =~ /^#{name}/}.should be_true

data/lib/gauntlt/attack_adapters/garmr.rb

@@ -0,0 +1,9 @@
+When /^"garmr" is installed$/ do
+  ensure_cli_installed("garmr")
+end
+
+When /^I launch a "garmr" attack with:$/ do |command|
+  command.gsub!('<target_url>', target_url)
+  run command
+  @raw_garmr_output = all_output
+end

data/lib/gauntlt/attack_adapters/support/cookie_helper.rb

@@ -1,10 +1,10 @@
 module Gauntlt
   module Support
     module CookieHelper
-      def cookies_for(url)
-        output = `curl --include --location --head --silent "#{url}"`
+      def cookies_for_last_curl_request
+        raise "no curl output found!" unless @raw_curl_response
 
-        output.scan(/^Set-Cookie:.+$/).map do |header|
+        @raw_curl_response.scan(/^Set-Cookie:.+$/).map do |header|
           "#{$1}=#{$2}" if header =~ /^Set-Cookie: ([^=]+)=([^;]+;)/
         end
       end

data/lib/gauntlt/attack_adapters/support/profile_helper.rb

@@ -8,7 +8,7 @@ module Gauntlt
       end
 
       def target_url
-        raise "No host defined" if @target_url.nil?
+        raise "No target URL defined" if @target_url.nil?
 
         @target_url
       end

data/lib/gauntlt/version.rb

@@ -1,3 +1,3 @@
 module Gauntlt
-  VERSION = "0.1.0"
+  VERSION = "0.1.1"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: gauntlt
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.1.1
   prerelease: 
 platform: ruby
 authors:
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-10-24 00:00:00.000000000 Z
+date: 2012-10-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: cucumber
@@ -161,6 +161,7 @@ files:
 - examples/curl/cookies.attack
 - examples/curl/simple.attack
 - examples/curl/verbs.attack
+- examples/garmr/garmr.attack
 - examples/generic/generic.attack
 - examples/nmap/nmap.attack
 - examples/nmap/os_detection.attack
@@ -171,6 +172,7 @@ files:
 - examples/sslyze/sslyze.attack
 - features/attack.feature
 - features/attacks/curl.feature
+- features/attacks/garmr.feature
 - features/attacks/generic.feature
 - features/attacks/nmap.feature
 - features/attacks/sqlmap.feature
@@ -183,6 +185,8 @@ files:
 - features/support/env.rb
 - features/support/hooks.rb
 - features/support/scapegoat/scapegoat.rb
+- features/support/scapegoat/views/index.erb
+- features/support/scapegoat/views/inline_js.erb
 - features/support/scapegoat/views/layout.erb
 - features/support/scapegoat/views/sqlmap.erb
 - features/tags.feature
@@ -192,6 +196,7 @@ files:
 - lib/gauntlt.rb
 - lib/gauntlt/attack.rb
 - lib/gauntlt/attack_adapters/curl.rb
+- lib/gauntlt/attack_adapters/garmr.rb
 - lib/gauntlt/attack_adapters/gauntlt.rb
 - lib/gauntlt/attack_adapters/generic.rb
 - lib/gauntlt/attack_adapters/nmap.rb
@@ -236,6 +241,7 @@ summary: behaviour-driven security using cucumber
 test_files:
 - features/attack.feature
 - features/attacks/curl.feature
+- features/attacks/garmr.feature
 - features/attacks/generic.feature
 - features/attacks/nmap.feature
 - features/attacks/sqlmap.feature
@@ -248,6 +254,8 @@ test_files:
 - features/support/env.rb
 - features/support/hooks.rb
 - features/support/scapegoat/scapegoat.rb
+- features/support/scapegoat/views/index.erb
+- features/support/scapegoat/views/inline_js.erb
 - features/support/scapegoat/views/layout.erb
 - features/support/scapegoat/views/sqlmap.erb
 - features/tags.feature