pentest 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 195a88c8e21c3486bb9a1873e5009952b6b5948876f1329e18b0dabc4cfa247c
+  data.tar.gz: b8386287f2655eba62b96bb715676cb19572995904980ba3d2445713baff7ed8
+SHA512:
+  metadata.gz: 2e7da539e2433c292b9be7f6cf937a63cfc3556f0ed8a4f801457ad26de60aacac276a599245985bb96bb2b686121e6d5b5fd43bbe3f36fdfd5959e1e86b7ba7
+  data.tar.gz: f7771f7d8ea746e4ae8bfbce8083d9612cb24dc9378c5c2f4aa9c66e892256cfbb0d19295bdd98de2df16483db252d10fae61e22ffdebedc41eceb551e08e493

data/.gitignore

@@ -0,0 +1,11 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+
+# rspec failure tracking
+.rspec_status

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/.travis.yml

@@ -0,0 +1,7 @@
+---
+sudo: false
+language: ruby
+cache: bundler
+rvm:
+  - 2.6.3
+before_install: gem install bundler -v 1.17.2

data/Gemfile

@@ -0,0 +1,6 @@
+source "https://rubygems.org"
+
+git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
+
+# Specify your gem's dependencies in pentest.gemspec
+gemspec

data/Gemfile.lock

@@ -0,0 +1,75 @@
+PATH
+  remote: .
+  specs:
+    pentest (0.1.2)
+      arproxy
+      callsite
+      gda
+      nokogiri
+      pairwise
+      ruby_parser
+      term-ansicolor
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    activemodel (6.0.0)
+      activesupport (= 6.0.0)
+    activerecord (6.0.0)
+      activemodel (= 6.0.0)
+      activesupport (= 6.0.0)
+    activesupport (6.0.0)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 0.7, < 2)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+      zeitwerk (~> 2.1, >= 2.1.8)
+    arproxy (0.2.6)
+      activerecord (>= 4.2.0)
+    callsite (0.0.11)
+    concurrent-ruby (1.1.5)
+    diff-lcs (1.3)
+    gda (1.1.0)
+    i18n (1.6.0)
+      concurrent-ruby (~> 1.0)
+    mini_portile2 (2.4.0)
+    minitest (5.11.3)
+    nokogiri (1.10.4)
+      mini_portile2 (~> 2.4.0)
+    pairwise (0.2.1)
+    rake (10.5.0)
+    rspec (3.8.0)
+      rspec-core (~> 3.8.0)
+      rspec-expectations (~> 3.8.0)
+      rspec-mocks (~> 3.8.0)
+    rspec-core (3.8.2)
+      rspec-support (~> 3.8.0)
+    rspec-expectations (3.8.4)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.8.0)
+    rspec-mocks (3.8.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.8.0)
+    rspec-support (3.8.2)
+    ruby_parser (3.13.1)
+      sexp_processor (~> 4.9)
+    sexp_processor (4.12.1)
+    term-ansicolor (1.7.1)
+      tins (~> 1.0)
+    thread_safe (0.3.6)
+    tins (1.21.1)
+    tzinfo (1.2.5)
+      thread_safe (~> 0.1)
+    zeitwerk (2.1.9)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (~> 1.17)
+  pentest!
+  rake (~> 10.0)
+  rspec (~> 3.0)
+
+BUNDLED WITH
+   1.17.2

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2019 Koki Takahashi
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,59 @@
+# Pentest
+
+Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/pentest`. To experiment with that code, run `bin/console` for an interactive prompt.
+
+TODO: Delete this and the text above, and describe your gem
+
+## Prerequisite
+
+* libgda
+
+### Windows
+
+### Mac
+
+Please be reminded that you should link keg-only dependent libxml2.
+
+```
+brew install libgda
+brew link libxml2 --force
+bundle install
+```
+
+### Ubuntu
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'pentest'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install pentest
+
+## Usage
+
+```
+$ RAILS_ENV=test bundle exec pentest
+```
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/pentest.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "pentest"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/exe/pentest

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+
+require 'pentest'
+require 'pentest/commandline'
+
+Pentest::Commandline.run

data/lib/pentest.rb

@@ -0,0 +1,77 @@
+require "pentest/initializer"
+
+require "pentest/version"
+require "pentest/runner"
+require "pentest/logger"
+require "pentest/ruby_parser"
+require "pentest/ast_utils"
+require "pentest/checkers"
+require "pentest/dsl"
+
+module Pentest
+  class Error < StandardError; end
+
+  #Run Pentest scan. Returns Tracker object.
+  #
+  #Options:
+  #
+  #  * :app_path - path to root of Rails app (required)
+  class << self
+    @@hooks = {before_attacks: [], setups: []}
+
+    def run options
+      Logger.debug "launched"
+
+      ENV['RAILS_ENV'] ||= 'test'
+
+      Logger.debug "Loading Rails project..."
+      @app_path = File.expand_path(options[:app_path])
+
+      # TODO: Check if app_path directory exists
+      # TODO: Check if app_path directory is valid rails project
+      # TODO: Detect rails version
+      require File.expand_path('config/environment', @app_path)
+
+      unless is_project_loaded?
+        # TODO: handle
+      end
+
+      Logger.debug "Loaded Rails project #{get_project_name.inspect}"
+
+      # TODO: Check if Pentestfile exists
+      pentestfile_path = options[:pentestfile] || 'Pentestfile'
+
+      Logger.debug "Loading #{pentestfile_path}..."
+      load_pentestfile(pentestfile_path)
+
+      Logger.debug "Initializing scanner..."
+      runner = Runner.new(@app_path, @@hooks)
+
+      runner.run
+    end
+    
+    def is_project_loaded?
+      defined?(::Rails)
+    end
+
+    def get_project_name
+      if defined?(::Rails)
+        ::Rails.application.class.parent_name
+      end
+    end
+
+    def add_setup(*args, &block)
+      @@hooks[:setups] << block
+    end
+
+    def add_before_attack(*args, &block)
+      @@hooks[:before_attacks] << block
+    end
+
+    private
+
+    def load_pentestfile(pentestfile_path)
+      load(File.expand_path(pentestfile_path, @app_path))
+    end
+  end
+end

data/lib/pentest/ast_utils.rb

@@ -0,0 +1,76 @@
+require 'ruby_parser'
+
+module Pentest
+  module AstUtils
+    class << self
+      # Match "params"
+      def is_params?(exp)
+        return false unless Sexp === exp
+        
+        if exp[0] == :call
+          type, callee, method = exp
+          if callee.nil? && method == :params
+            true
+          else
+            false
+          end
+        end
+      end
+
+      # Match "params[:hoge]" and return :hoge
+      def get_params_key(exp)
+        return nil unless Sexp === exp
+
+        if exp[0] == :call
+          type, callee, method, arg = exp
+          if is_params?(callee) && method == :[]
+            if Sexp === arg && arg[0] == :lit
+              return arg[1]
+            end
+            if Sexp === arg && arg[0] == :str
+              return arg[1].to_sym
+            end
+          end
+        end
+        
+        nil
+      end
+
+      def search_for_params(exp)
+        return Set.new unless Sexp === exp
+
+        ret = Set.new
+
+        params_key = get_params_key(exp)
+
+        unless params_key.nil?
+          ret << [params_key, nil, nil]
+        end
+
+        if exp[0] == :call
+          type, callee, method, arg = exp
+
+          callee_params = get_params_key(callee)
+          if callee_params.nil?
+            ret.merge search_for_params callee
+          else
+            ret << [callee_params, :callee, method, arg]
+          end
+
+          arg_params = get_params_key(arg)
+          if arg_params.nil?
+            ret.merge search_for_params arg
+          else
+            ret << [arg_params, :call_arg, callee, method]
+          end
+        else
+          exp.each do |child|
+            ret.merge search_for_params child
+          end
+        end
+
+        ret
+      end
+    end
+  end
+end

data/lib/pentest/checkers.rb

@@ -0,0 +1,21 @@
+module Pentest
+  class Checkers
+    @checkers = []
+
+    class << self
+      def add(checker)
+        @checkers << checker unless @checkers.include? checker
+      end
+
+      def run_checkers(endpoint, params)
+        @checkers.each do |checker_class|
+          checker = checker_class.new(endpoint, params)
+          yield(checker)
+        end
+      end
+    end
+  end
+end
+
+require 'pentest/checkers/sqli_checker'
+require 'pentest/checkers/xss_checker'

data/lib/pentest/checkers/base_checker.rb

@@ -0,0 +1,49 @@
+class Pentest::BaseChecker
+  class << self
+    attr_reader :description
+  end
+
+  def initialize(endpoint, params)
+    @params = params
+    @warnings = []
+    @endpoint = endpoint
+    @route = endpoint.route
+    @app_path = endpoint.app_path
+  end
+
+  private
+
+  def dispatch(payload)
+    @endpoint.dispatch(payload)
+  end
+
+  def get_status(err)
+    if err.nil?
+      nil
+    elsif err.respond_to?(:status)
+      err.status
+    elsif ActiveRecord::RecordNotFound === err || ActionController::UrlGenerationError === err
+      404
+    else
+      500
+    end
+  end
+
+  def normalize_error(err, payload)
+    return if err.nil?
+
+    status = get_status(err)
+
+    return if status.nil? || status / 100 != 5
+    
+    message = err.message.lines.first.strip
+    payload.params_hash.values.sort_by(&:size).reverse.each do |param|
+      message = message.gsub(param.inspect, '"[parameter]"')
+      if param.size >= 4
+        message = message.gsub(param, '[parameter]')
+      end
+    end
+
+    message
+  end
+end