pwn 0.4.504 → 0.4.508
- checksums.yaml +4 -4
- data/.rubocop_todo.yml +20 -9
- data/README.md +2 -2
- data/Vagrantfile +1 -1
- data/bin/pwn_arachni_rest +2 -2
- data/bin/pwn_sast +0 -1
- data/bin/pwn_simple_http_server +2 -1
- data/lib/pwn/plugins/owasp_zap.rb +3 -3
- data/lib/pwn/reports/sast.rb +5 -5
- data/lib/pwn/sast/amqp_connect_as_guest.rb +5 -3
- data/lib/pwn/sast/apache_file_system_util_api.rb +9 -3
- data/lib/pwn/sast/aws.rb +5 -3
- data/lib/pwn/sast/banned_function_calls_c.rb +9 -3
- data/lib/pwn/sast/base64.rb +6 -7
- data/lib/pwn/sast/beef_hook.rb +5 -3
- data/lib/pwn/sast/cmd_execution_java.rb +5 -3
- data/lib/pwn/sast/cmd_execution_python.rb +5 -3
- data/lib/pwn/sast/cmd_execution_ruby.rb +5 -3
- data/lib/pwn/sast/cmd_execution_scala.rb +5 -3
- data/lib/pwn/sast/csrf.rb +7 -3
- data/lib/pwn/sast/deserial_java.rb +7 -3
- data/lib/pwn/sast/emoticon.rb +5 -3
- data/lib/pwn/sast/eval.rb +5 -3
- data/lib/pwn/sast/factory.rb +7 -3
- data/lib/pwn/sast/http_authorization_header.rb +5 -3
- data/lib/pwn/sast/inner_html.rb +5 -3
- data/lib/pwn/sast/keystore.rb +5 -3
- data/lib/pwn/sast/location_hash.rb +5 -3
- data/lib/pwn/sast/log4j.rb +5 -3
- data/lib/pwn/sast/logger.rb +5 -3
- data/lib/pwn/sast/outer_html.rb +5 -3
- data/lib/pwn/sast/password.rb +5 -3
- data/lib/pwn/sast/pom_version.rb +5 -3
- data/lib/pwn/sast/port.rb +5 -3
- data/lib/pwn/sast/private_key.rb +5 -3
- data/lib/pwn/sast/redirect.rb +5 -3
- data/lib/pwn/sast/redos.rb +5 -3
- data/lib/pwn/sast/shell.rb +5 -3
- data/lib/pwn/sast/signature.rb +5 -3
- data/lib/pwn/sast/sql.rb +5 -3
- data/lib/pwn/sast/ssl.rb +5 -3
- data/lib/pwn/sast/sudo.rb +5 -3
- data/lib/pwn/sast/task_tag.rb +5 -3
- data/lib/pwn/sast/throw_errors.rb +5 -3
- data/lib/pwn/sast/token.rb +5 -3
- data/lib/pwn/sast/version.rb +5 -3
- data/lib/pwn/sast/window_location_hash.rb +5 -3
- data/lib/pwn/sast.rb +0 -1
- data/lib/pwn/version.rb +1 -1
- data/spec/lib/pwn/sast/amqp_connect_as_guest_spec.rb +3 -3
- data/spec/lib/pwn/sast/apache_file_system_util_api_spec.rb +3 -3
- data/spec/lib/pwn/sast/aws_spec.rb +3 -3
- data/spec/lib/pwn/sast/banned_function_calls_c_spec.rb +3 -3
- data/spec/lib/pwn/sast/base64_spec.rb +3 -3
- data/spec/lib/pwn/sast/beef_hook_spec.rb +3 -3
- data/spec/lib/pwn/sast/cmd_execution_java_spec.rb +3 -3
- data/spec/lib/pwn/sast/cmd_execution_python_spec.rb +3 -3
- data/spec/lib/pwn/sast/cmd_execution_ruby_spec.rb +3 -3
- data/spec/lib/pwn/sast/cmd_execution_scala_spec.rb +3 -3
- data/spec/lib/pwn/sast/csrf_spec.rb +3 -3
- data/spec/lib/pwn/sast/deserial_java_spec.rb +3 -3
- data/spec/lib/pwn/sast/emoticon_spec.rb +3 -3
- data/spec/lib/pwn/sast/eval_spec.rb +3 -3
- data/spec/lib/pwn/sast/factory_spec.rb +3 -3
- data/spec/lib/pwn/sast/http_authorization_header_spec.rb +3 -3
- data/spec/lib/pwn/sast/inner_html_spec.rb +3 -3
- data/spec/lib/pwn/sast/keystore_spec.rb +3 -3
- data/spec/lib/pwn/sast/location_hash_spec.rb +3 -3
- data/spec/lib/pwn/sast/log4j_spec.rb +3 -3
- data/spec/lib/pwn/sast/logger_spec.rb +3 -3
- data/spec/lib/pwn/sast/password_spec.rb +3 -3
- data/spec/lib/pwn/sast/pom_version_spec.rb +3 -3
- data/spec/lib/pwn/sast/port_spec.rb +3 -3
- data/spec/lib/pwn/sast/private_key_spec.rb +3 -3
- data/spec/lib/pwn/sast/redirect_spec.rb +3 -3
- data/spec/lib/pwn/sast/redos_spec.rb +3 -3
- data/spec/lib/pwn/sast/shell_spec.rb +3 -3
- data/spec/lib/pwn/sast/signature_spec.rb +3 -3
- data/spec/lib/pwn/sast/sql_spec.rb +3 -3
- data/spec/lib/pwn/sast/ssl_spec.rb +3 -3
- data/spec/lib/pwn/sast/sudo_spec.rb +3 -3
- data/spec/lib/pwn/sast/task_tag_spec.rb +3 -3
- data/spec/lib/pwn/sast/throw_errors_spec.rb +3 -3
- data/spec/lib/pwn/sast/token_spec.rb +3 -3
- data/spec/lib/pwn/sast/version_spec.rb +3 -3
- data/spec/lib/pwn/sast/window_location_hash_spec.rb +3 -3
- metadata +1 -3
- data/lib/pwn/sast/file_permission.rb +0 -142
- data/spec/lib/pwn/sast/file_permission_spec.rb +0 -25
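--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 3c4e3392221454a18ab169489c67991b2e6706bb6b70f5fe98dab58baf7a965f
+data.tar.gz: dfd93ac966ab033b918ab2bb03ba31317d9b0a25ca0fcadabd876a9d2ffe8132
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 76051d4152d8aa9b8c708372e1a9d7a2e5f012f7b6c420ac595b6d0df69569f2e733842e5c46605fb31a9bca9e4fa572abb3f692d9a128f27f2828b398a2f20e
+data.tar.gz: 6f022be505ae8145be9e015ae93c113222bb3ebfc2344723cabb53c47b44659d7c61b1999716fbe8467e69e5714b911ac2005c0247c437aa24d91c0869862e9c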
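--- a/data/.rubocop_todo.yml
+++ b/data/.rubocop_todo.yml
@@ -1,21 +1,32 @@
 # This configuration was generated by
 # `rubocop --auto-gen-config`
-# on 2022-
+# on 2022-07-08 17:25:42 UTC using RuboCop version 1.31.2.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
 # versions of RuboCop, may require this file to be generated again.
 
-# Offense count:
+# Offense count: 5
+# This cop supports safe autocorrection (--autocorrect).
+# Configuration parameters: AutoCorrect, EnforcedStyle.
+# SupportedStyles: space, no_space
+Layout/LineContinuationSpacing:
+Exclude:
+- 'packer/provisioners/beef.rb'
+- 'packer/provisioners/metasploit.rb'
+- 'packer/provisioners/wpscan.rb'
+- 'vagrant/provisioners/beef.rb'
+
+# Offense count: 258
 Lint/UselessAssignment:
 Enabled: false
 
-# Offense count:
+# Offense count: 260
 # Configuration parameters: IgnoredMethods, CountRepeatedAttributes.
 Metrics/AbcSize:
 Max: 328
 
-# Offense count:
+# Offense count: 64
 # Configuration parameters: CountComments, CountAsOne, ExcludedMethods, IgnoredMethods.
 # IgnoredMethods: refine
 Metrics/BlockLength:
@@ -26,12 +37,12 @@ Metrics/BlockLength:
 Metrics/BlockNesting:
 Max: 5
 
-# Offense count:
+# Offense count: 91
 # Configuration parameters: IgnoredMethods.
 Metrics/CyclomaticComplexity:
 Max: 231
 
-# Offense count:
+# Offense count: 472
 # Configuration parameters: CountComments, CountAsOne, ExcludedMethods, IgnoredMethods.
 Metrics/MethodLength:
 Max: 466
@@ -41,16 +52,16 @@ Metrics/MethodLength:
 Metrics/ModuleLength:
 Max: 1186
 
-# Offense count:
+# Offense count: 83
 # Configuration parameters: IgnoredMethods.
 Metrics/PerceivedComplexity:
 Max: 51
 
-# Offense count:
+# Offense count: 162
 Style/ClassVars:
 Enabled: false
 
-# Offense count:
+# Offense count: 283
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: EnforcedStyle, SingleLineConditionsOnly, IncludeTernaryExpressions.
 # SupportedStyles: assign_to_condition, assign_inside_condition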
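--- a/data/README.md
+++ b/data/README.md
@@ -37,7 +37,7 @@ $ rvm use ruby-3.1.2@pwn
 $ rvm list gemsets
 $ gem install --verbose pwn
 $ pwn
-pwn[v0.4.
+pwn[v0.4.508]:001 >>> PWN.help
 ```
 
 [![Installing the pwn Security Automation Framework](https://raw.githubusercontent.com/0dayInc/pwn/master/documentation/pwn_install.png)](https://youtu.be/G7iLUY4FzsI)
@@ -52,7 +52,7 @@ $ rvm use ruby-3.1.2@pwn
 $ gem uninstall --all --executables pwn
 $ gem install --verbose pwn
 $ pwn
-pwn[v0.4.
+pwn[v0.4.508]:001 >>> PWN.help
 ```
 
 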
data/Vagrantfile
CHANGED
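--- a/data/bin/pwn_arachni_rest
+++ b/data/bin/pwn_arachni_rest
@@ -105,8 +105,8 @@ rescue Interrupt
 exit 1
 ensure
 Process.kill('TERM', fork_pid) if fork_pid
-File.unlink(arachni_stdout_log_path)
-File.unlink(trained_attack_vectors_yaml)
+File.unlink(arachni_stdout_log_path)
+File.unlink(trained_attack_vectors_yaml)
 end
 
 # Watch for Arachni proxy plugin to intialize prior to invoking navigation-REST.instruct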
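Review bot: The two `File.unlink` calls on the new side of this `ensure` block run unconditionally, so a missing log or YAML file raises `Errno::ENOENT` from inside `ensure`, which replaces the exception being handled and skips the second cleanup. The removed lines are truncated on this page, so whether an existence guard was dropped is inferred, but the new lines show none. `FileUtils.rm_f(arachni_stdout_log_path)` and `FileUtils.rm_f(trained_attack_vectors_yaml)` (with `require 'fileutils'`) would clean up without raising and without a check-then-delete race. The same pattern appears in the later hunks with `File.unlink(pwn_stdout_log_path)` and `File.unlink(zap_obj[:stdout_log])`; in the last of these the unlink precedes `Process.kill('TERM', pid)`, so a failed unlink would leave the spawned process running. The enclosing begin/rescue block starts outside the hunk.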
data/bin/pwn_sast
CHANGED
data/bin/pwn_simple_http_server
CHANGED
@@ -139,10 +139,10 @@ module PWN
|
|
139
139
|
end
|
140
140
|
rescue PTY::ChildExited, SystemExit, Interrupt, Errno::EIO
|
141
141
|
puts 'Spawned OWASP Zap PTY exiting...'
|
142
|
-
File.unlink(pwn_stdout_log_path)
|
142
|
+
File.unlink(pwn_stdout_log_path)
|
143
143
|
rescue StandardError => e
|
144
144
|
puts 'Spawned process exiting...'
|
145
|
-
File.unlink(pwn_stdout_log_path)
|
145
|
+
File.unlink(pwn_stdout_log_path)
|
146
146
|
raise e
|
147
147
|
end
|
148
148
|
Process.detach(fork_pid)
|
@@ -475,7 +475,7 @@ module PWN
|
|
475
475
|
zap_obj = opts[:zap_obj]
|
476
476
|
unless zap_obj.nil?
|
477
477
|
pid = zap_obj[:pid]
|
478
|
-
File.unlink(zap_obj[:stdout_log])
|
478
|
+
File.unlink(zap_obj[:stdout_log])
|
479
479
|
|
480
480
|
Process.kill('TERM', pid)
|
481
481
|
end
|
data/lib/pwn/reports/sast.rb
CHANGED
@@ -101,7 +101,7 @@ module PWN
|
|
101
101
|
<div>
|
102
102
|
<b>Toggle Column(s):</b>
|
103
103
|
<a class="toggle-vis" data-column="1" href="#">Timestamp</a> |
|
104
|
-
<a class="toggle-vis" data-column="2" href="#">Test Case
|
104
|
+
<a class="toggle-vis" data-column="2" href="#">Test Case / Security Requirements</a> |
|
105
105
|
<a class="toggle-vis" data-column="3" href="#">Path</a> |
|
106
106
|
<a class="toggle-vis" data-column="4" href="#">Line#, Formatted Content, & Last Committed By</a> |
|
107
107
|
<a class="toggle-vis" data-column="5" href="#">Raw Content</a> |
|
@@ -115,7 +115,7 @@ module PWN
|
|
115
115
|
<tr>
|
116
116
|
<th>#</th>
|
117
117
|
<th>Timestamp</th>
|
118
|
-
<th>Test Case /
|
118
|
+
<th>Test Case / Security Requirements</th>
|
119
119
|
<th>Path</th>
|
120
120
|
<th>Line#, Formatted Content, & Last Committed By</th>
|
121
121
|
<th>Raw Content</th>
|
@@ -170,13 +170,13 @@ module PWN
|
|
170
170
|
"render": $.fn.dataTable.render.text()
|
171
171
|
},
|
172
172
|
{
|
173
|
-
"data": "
|
173
|
+
"data": "security_requirements",
|
174
174
|
"render": function (data, type, row, meta) {
|
175
175
|
var sast_dirname = data['sast_module'].split('::')[0].toLowerCase() + '/' + data['sast_module'].split('::')[1].toLowerCase();
|
176
176
|
var sast_module = data['sast_module'].split('::')[2];
|
177
177
|
var sast_test_case = sast_module.replace(/\.?([A-Z])/g, function (x,y){ if (sast_module.match(/\.?([A-Z][a-z])/g) ) { return "_" + y.toLowerCase(); } else { return y.toLowerCase(); } }).replace(/^_/g, "");
|
178
178
|
|
179
|
-
return '<tr><td style="width:150px;" align="left"><a href="https://github.com/0dayinc/pwn/tree/master/lib/' + htmlEntityEncode(sast_dirname) + '/' + htmlEntityEncode(sast_test_case) + '.rb" target="_blank">' + htmlEntityEncode(data['sast_module'].split("::")[2]) + '</a><br /><a href="' + htmlEntityEncode(data['nist_800_53_uri']) + '" target="_blank">' + htmlEntityEncode(data['section']) + '</a></td></tr>';
|
179
|
+
return '<tr><td style="width:150px;" align="left"><a href="https://github.com/0dayinc/pwn/tree/master/lib/' + htmlEntityEncode(sast_dirname) + '/' + htmlEntityEncode(sast_test_case) + '.rb" target="_blank">' + htmlEntityEncode(data['sast_module'].split("::")[2]) + '</a><br /><a href="' + htmlEntityEncode(data['nist_800_53_uri']) + '" target="_blank">NIST 800-53:' + htmlEntityEncode(data['section']) + '</a><a href="' + htmlEntityEncode(data['cwe_uri']) + '" target="_blank">CWE:' + htmlEntityEncode(data['cwe_id']) + '</a></td></tr>';
|
180
180
|
}
|
181
181
|
},
|
182
182
|
{
|
@@ -202,7 +202,7 @@ module PWN
|
|
202
202
|
|
203
203
|
var bug_comment = 'Timestamp: ' + row.timestamp + '\n' +
|
204
204
|
'Test Case: http://' + window.location.hostname + ':8808/doc_root/pwn-0.1.0/' +
|
205
|
-
row.
|
205
|
+
row.security_requirements['sast_module'].replace(/::/g, "/") + '\n' +
|
206
206
|
'Source Code Impacted: ' + $("<div/>").html(filename_link).text() + '\n\n' +
|
207
207
|
'Test Case Request:\n' +
|
208
208
|
$("<div/>").html(row.test_case_filter.replace(/\s{2,}/g, " ")).text() + '\n\n' +
|
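Review bot: The new `render` return string closes the NIST 800-53 anchor and opens the CWE anchor back to back (`</a><a href=`), so the two links run together in the cell, whereas the module link above them is separated with `<br />`; the new pair needs the same separator, `'</a><br /><a href="' + htmlEntityEncode(data['cwe_uri'])`. `htmlEntityEncode` covers markup injection but does not restrict the URL scheme of `nist_800_53_uri` or `cwe_uri`. Those values appear to come from hard-coded module hashes, so this is a hardening note rather than a defect. Adding `rel="noopener noreferrer"` to the `target="_blank"` anchors is worth doing while this line is being touched.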
@@ -50,7 +50,7 @@ module PWN
|
|
50
50
|
|
51
51
|
hash_line = {
|
52
52
|
timestamp: Time.now.strftime('%Y-%m-%d %H:%M:%S.%9N %z').to_s,
|
53
|
-
|
53
|
+
security_requirements: security_requirements,
|
54
54
|
filename: filename_arr.push(git_repo_root_uri: git_repo_root_uri, entry: entry),
|
55
55
|
line_no_and_contents: '',
|
56
56
|
raw_content: str,
|
@@ -105,11 +105,13 @@ module PWN
|
|
105
105
|
# to PWN Exploit & Static Code Anti-Pattern Matching Modules to
|
106
106
|
# Determine the level of Testing Coverage w/ PWN.
|
107
107
|
|
108
|
-
public_class_method def self.
|
108
|
+
public_class_method def self.security_requirements
|
109
109
|
{
|
110
110
|
sast_module: self,
|
111
111
|
section: 'ACCOUNT MANAGEMENT',
|
112
|
-
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=AC-2'
|
112
|
+
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=AC-2',
|
113
|
+
cwe_id: '285',
|
114
|
+
cwe_uri: 'https://cwe.mitre.org/data/definitions/285.html'
|
113
115
|
}
|
114
116
|
rescue StandardError => e
|
115
117
|
raise e
|
@@ -49,7 +49,7 @@ module PWN
|
|
49
49
|
|
50
50
|
hash_line = {
|
51
51
|
timestamp: Time.now.strftime('%Y-%m-%d %H:%M:%S.%9N %z').to_s,
|
52
|
-
|
52
|
+
security_requirements: security_requirements,
|
53
53
|
filename: filename_arr.push(git_repo_root_uri: git_repo_root_uri, entry: entry),
|
54
54
|
line_no_and_contents: '',
|
55
55
|
raw_content: str,
|
@@ -97,6 +97,8 @@ module PWN
|
|
97
97
|
@@logger.info("#{logger_banner} => #{logger_results}complete.\n")
|
98
98
|
end
|
99
99
|
result_arr
|
100
|
+
rescue StandardError => e
|
101
|
+
raise e
|
100
102
|
end
|
101
103
|
|
102
104
|
# Used primarily to map NIST 800-53 Revision 4 Security Controls
|
@@ -104,12 +106,16 @@ module PWN
|
|
104
106
|
# to PWN Exploit & Static Code Anti-Pattern Matching Modules to
|
105
107
|
# Determine the level of Testing Coverage w/ PWN.
|
106
108
|
|
107
|
-
public_class_method def self.
|
109
|
+
public_class_method def self.security_requirements
|
108
110
|
{
|
109
111
|
sast_module: self,
|
110
112
|
section: 'INFORMATION INPUT VALIDATION',
|
111
|
-
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-10'
|
113
|
+
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-10',
|
114
|
+
cwe_id: '78',
|
115
|
+
cwe_uri: 'https://cwe.mitre.org/data/definitions/78.html'
|
112
116
|
}
|
117
|
+
rescue StandardError => e
|
118
|
+
raise e
|
113
119
|
end
|
114
120
|
|
115
121
|
# Author(s):: 0day Inc. <request.pentest@0dayinc.com>
|
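Review bot: The comment above the renamed method still reads `# Used primarily to map NIST 800-53 Revision 4 Security Controls`, although the method is now `security_requirements`, also returns `cwe_id` and `cwe_uri`, and its URI carries `version=5.1`. base64.rb in this same release replaces that comment with `# Used to dictate Security Control Requirements for a Given SAST module.`, and the same wording would fit here and in the other SAST modules that keep the old text. The added `rescue StandardError => e` / `raise e` after the hash literal only re-raises the same exception and can be dropped, both here and where it recurs in the other modules.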
data/lib/pwn/sast/aws.rb
CHANGED
@@ -50,7 +50,7 @@ module PWN
|
|
50
50
|
|
51
51
|
hash_line = {
|
52
52
|
timestamp: Time.now.strftime('%Y-%m-%d %H:%M:%S.%9N %z').to_s,
|
53
|
-
|
53
|
+
security_requirements: security_requirements,
|
54
54
|
filename: filename_arr.push(git_repo_root_uri: git_repo_root_uri, entry: entry),
|
55
55
|
line_no_and_contents: '',
|
56
56
|
raw_content: str,
|
@@ -107,11 +107,13 @@ module PWN
|
|
107
107
|
# to PWN Exploit & Static Code Anti-Pattern Matching Modules to
|
108
108
|
# Determine the level of Testing Coverage w/ PWN.
|
109
109
|
|
110
|
-
public_class_method def self.
|
110
|
+
public_class_method def self.security_requirements
|
111
111
|
{
|
112
112
|
sast_module: self,
|
113
113
|
section: 'TRANSMISSION CONFIDENTIALITY AND INTEGRITY',
|
114
|
-
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SC-8'
|
114
|
+
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SC-8',
|
115
|
+
cwe_id: '256',
|
116
|
+
cwe_uri: 'https://cwe.mitre.org/data/definitions/256.html'
|
115
117
|
}
|
116
118
|
rescue StandardError => e
|
117
119
|
raise e
|
@@ -177,7 +177,7 @@ module PWN
|
|
177
177
|
|
178
178
|
hash_line = {
|
179
179
|
timestamp: Time.now.strftime('%Y-%m-%d %H:%M:%S.%9N %z').to_s,
|
180
|
-
|
180
|
+
security_requirements: security_requirements,
|
181
181
|
filename: filename_arr.push(git_repo_root_uri: git_repo_root_uri, entry: entry),
|
182
182
|
line_no_and_contents: '',
|
183
183
|
raw_content: str,
|
@@ -225,6 +225,8 @@ module PWN
|
|
225
225
|
@@logger.info("#{logger_banner} => #{logger_results}complete.\n")
|
226
226
|
end
|
227
227
|
result_arr
|
228
|
+
rescue StandardError => e
|
229
|
+
raise e
|
228
230
|
end
|
229
231
|
|
230
232
|
# Used primarily to map NIST 800-53 Revision 4 Security Controls
|
@@ -232,12 +234,16 @@ module PWN
|
|
232
234
|
# to PWN Exploit & Static Code Anti-Pattern Matching Modules to
|
233
235
|
# Determine the level of Testing Coverage w/ PWN.
|
234
236
|
|
235
|
-
public_class_method def self.
|
237
|
+
public_class_method def self.security_requirements
|
236
238
|
{
|
237
239
|
sast_module: self,
|
238
240
|
section: 'INFORMATION INPUT VALIDATION',
|
239
|
-
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-10'
|
241
|
+
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-10',
|
242
|
+
cwe_id: '676',
|
243
|
+
cwe_uri: 'https://cwe.mitre.org/data/definitions/676.html'
|
240
244
|
}
|
245
|
+
rescue StandardError => e
|
246
|
+
raise e
|
241
247
|
end
|
242
248
|
|
243
249
|
# Author(s):: 0day Inc. <request.pentest@0dayinc.com>
|
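--- a/data/lib/pwn/sast/base64.rb
+++ b/data/lib/pwn/sast/base64.rb
@@ -51,7 +51,7 @@ module PWN
 
 hash_line = {
 timestamp: Time.now.strftime('%Y-%m-%d %H:%M:%S.%9N %z').to_s,
-
+security_requirements: security_requirements,
 filename: filename_arr.push(git_repo_root_uri: git_repo_root_uri, entry: entry),
 line_no_and_contents: '',
 raw_content: str,
@@ -103,16 +103,15 @@ module PWN
 raise e
 end
 
-# Used
-# https://web.nvd.nist.gov/view/800-53/Rev4/impact?impactName=HIGH
-# to PWN Exploit & Static Code Anti-Pattern Matching Modules to
-# Determine the level of Testing Coverage w/ PWN.
+# Used to dictate Security Control Requirements for a Given SAST module.
 
-public_class_method def self.
+public_class_method def self.security_requirements
 {
 sast_module: self,
 section: 'PROTECTION OF INFORMATION AT REST',
-nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SC-28'
+nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SC-28',
+cwe_id: '95',
+cwe_uri: 'https://cwe.mitre.org/data/definitions/95.html'
 }
 rescue StandardError => e
 raise e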
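Review bot: `cwe_id: '95'` and its `cwe_uri` look copied from eval.rb, which uses the same pair in this release; CWE-95 is eval injection, which does not obviously match a Base64 check filed under 'PROTECTION OF INFORMATION AT REST' (SC-28). The report now renders this id as a link beside every finding, so a wrong id points triagers at the wrong weakness class. Please confirm the intended CWE for this module and change both lines together, `cwe_id: '<CWE id for this check>'` and the matching `cwe_uri`.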
data/lib/pwn/sast/beef_hook.rb
CHANGED
@@ -45,7 +45,7 @@ module PWN
|
|
45
45
|
|
46
46
|
hash_line = {
|
47
47
|
timestamp: Time.now.strftime('%Y-%m-%d %H:%M:%S.%9N %z').to_s,
|
48
|
-
|
48
|
+
security_requirements: security_requirements,
|
49
49
|
filename: filename_arr.push(git_repo_root_uri: git_repo_root_uri, entry: entry),
|
50
50
|
line_no_and_contents: '',
|
51
51
|
raw_content: str,
|
@@ -102,11 +102,13 @@ module PWN
|
|
102
102
|
# to PWN Exploit & Static Code Anti-Pattern Matching Modules to
|
103
103
|
# Determine the level of Testing Coverage w/ PWN.
|
104
104
|
|
105
|
-
public_class_method def self.
|
105
|
+
public_class_method def self.security_requirements
|
106
106
|
{
|
107
107
|
sast_module: self,
|
108
108
|
section: 'MALICIOUS CODE PROTECTION',
|
109
|
-
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-3'
|
109
|
+
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-3',
|
110
|
+
cwe_id: '506',
|
111
|
+
cwe_uri: 'https://cwe.mitre.org/data/definitions/506.html'
|
110
112
|
}
|
111
113
|
rescue StandardError => e
|
112
114
|
raise e
|
@@ -50,7 +50,7 @@ module PWN
|
|
50
50
|
|
51
51
|
hash_line = {
|
52
52
|
timestamp: Time.now.strftime('%Y-%m-%d %H:%M:%S.%9N %z').to_s,
|
53
|
-
|
53
|
+
security_requirements: security_requirements,
|
54
54
|
filename: filename_arr.push(git_repo_root_uri: git_repo_root_uri, entry: entry),
|
55
55
|
line_no_and_contents: '',
|
56
56
|
raw_content: str,
|
@@ -107,11 +107,13 @@ module PWN
|
|
107
107
|
# to PWN Exploit & Static Code Anti-Pattern Matching Modules to
|
108
108
|
# Determine the level of Testing Coverage w/ PWN.
|
109
109
|
|
110
|
-
public_class_method def self.
|
110
|
+
public_class_method def self.security_requirements
|
111
111
|
{
|
112
112
|
sast_module: self,
|
113
113
|
section: 'INFORMATION INPUT VALIDATION',
|
114
|
-
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-10'
|
114
|
+
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-10',
|
115
|
+
cwe_id: '78',
|
116
|
+
cwe_uri: 'https://cwe.mitre.org/data/definitions/78.html'
|
115
117
|
}
|
116
118
|
rescue StandardError => e
|
117
119
|
raise e
|
@@ -52,7 +52,7 @@ module PWN
|
|
52
52
|
|
53
53
|
hash_line = {
|
54
54
|
timestamp: Time.now.strftime('%Y-%m-%d %H:%M:%S.%9N %z').to_s,
|
55
|
-
|
55
|
+
security_requirements: security_requirements,
|
56
56
|
filename: filename_arr.push(git_repo_root_uri: git_repo_root_uri, entry: entry),
|
57
57
|
line_no_and_contents: '',
|
58
58
|
raw_content: str,
|
@@ -109,11 +109,13 @@ module PWN
|
|
109
109
|
# to PWN Exploit & Static Code Anti-Pattern Matching Modules to
|
110
110
|
# Determine the level of Testing Coverage w/ PWN.
|
111
111
|
|
112
|
-
public_class_method def self.
|
112
|
+
public_class_method def self.security_requirements
|
113
113
|
{
|
114
114
|
sast_module: self,
|
115
115
|
section: 'INFORMATION INPUT VALIDATION',
|
116
|
-
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-10'
|
116
|
+
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-10',
|
117
|
+
cwe_id: '78',
|
118
|
+
cwe_uri: 'https://cwe.mitre.org/data/definitions/78.html'
|
117
119
|
}
|
118
120
|
rescue StandardError => e
|
119
121
|
raise e
|
@@ -60,7 +60,7 @@ module PWN
|
|
60
60
|
|
61
61
|
hash_line = {
|
62
62
|
timestamp: Time.now.strftime('%Y-%m-%d %H:%M:%S.%9N %z').to_s,
|
63
|
-
|
63
|
+
security_requirements: security_requirements,
|
64
64
|
filename: filename_arr.push(git_repo_root_uri: git_repo_root_uri, entry: entry),
|
65
65
|
line_no_and_contents: '',
|
66
66
|
raw_content: str,
|
@@ -117,11 +117,13 @@ module PWN
|
|
117
117
|
# to PWN Exploit & Static Code Anti-Pattern Matching Modules to
|
118
118
|
# Determine the level of Testing Coverage w/ PWN.
|
119
119
|
|
120
|
-
public_class_method def self.
|
120
|
+
public_class_method def self.security_requirements
|
121
121
|
{
|
122
122
|
sast_module: self,
|
123
123
|
section: 'INFORMATION INPUT VALIDATION',
|
124
|
-
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-10'
|
124
|
+
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-10',
|
125
|
+
cwe_id: '78',
|
126
|
+
cwe_uri: 'https://cwe.mitre.org/data/definitions/78.html'
|
125
127
|
}
|
126
128
|
rescue StandardError => e
|
127
129
|
raise e
|
@@ -50,7 +50,7 @@ module PWN
|
|
50
50
|
|
51
51
|
hash_line = {
|
52
52
|
timestamp: Time.now.strftime('%Y-%m-%d %H:%M:%S.%9N %z').to_s,
|
53
|
-
|
53
|
+
security_requirements: security_requirements,
|
54
54
|
filename: filename_arr.push(git_repo_root_uri: git_repo_root_uri, entry: entry),
|
55
55
|
line_no_and_contents: '',
|
56
56
|
raw_content: str,
|
@@ -107,11 +107,13 @@ module PWN
|
|
107
107
|
# to PWN Exploit & Static Code Anti-Pattern Matching Modules to
|
108
108
|
# Determine the level of Testing Coverage w/ PWN.
|
109
109
|
|
110
|
-
public_class_method def self.
|
110
|
+
public_class_method def self.security_requirements
|
111
111
|
{
|
112
112
|
sast_module: self,
|
113
113
|
section: 'INFORMATION INPUT VALIDATION',
|
114
|
-
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-10'
|
114
|
+
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-10',
|
115
|
+
cwe_id: '78',
|
116
|
+
cwe_uri: 'https://cwe.mitre.org/data/definitions/78.html'
|
115
117
|
}
|
116
118
|
rescue StandardError => e
|
117
119
|
raise e
|
data/lib/pwn/sast/csrf.rb
CHANGED
@@ -48,7 +48,7 @@ module PWN
|
|
48
48
|
|
49
49
|
hash_line = {
|
50
50
|
timestamp: Time.now.strftime('%Y-%m-%d %H:%M:%S.%9N %z').to_s,
|
51
|
-
|
51
|
+
security_requirements: security_requirements,
|
52
52
|
filename: filename_arr.push(git_repo_root_uri: git_repo_root_uri, entry: entry),
|
53
53
|
line_no_and_contents: '',
|
54
54
|
raw_content: str,
|
@@ -103,12 +103,16 @@ module PWN
|
|
103
103
|
# to PWN Exploit & Static Code Anti-Pattern Matching Modules to
|
104
104
|
# Determine the level of Testing Coverage w/ PWN.
|
105
105
|
|
106
|
-
public_class_method def self.
|
106
|
+
public_class_method def self.security_requirements
|
107
107
|
{
|
108
108
|
sast_module: self,
|
109
109
|
section: 'MALICIOUS CODE PROTECTION',
|
110
|
-
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-3'
|
110
|
+
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-3',
|
111
|
+
cwe_id: '352',
|
112
|
+
cwe_uri: 'https://cwe.mitre.org/data/definitions/352.html'
|
111
113
|
}
|
114
|
+
rescue StandardError => e
|
115
|
+
raise e
|
112
116
|
end
|
113
117
|
|
114
118
|
# Author(s):: 0day Inc. <request.pentest@0dayinc.com>
|
@@ -47,7 +47,7 @@ module PWN
|
|
47
47
|
|
48
48
|
hash_line = {
|
49
49
|
timestamp: Time.now.strftime('%Y-%m-%d %H:%M:%S.%9N %z').to_s,
|
50
|
-
|
50
|
+
security_requirements: security_requirements,
|
51
51
|
filename: filename_arr.push(git_repo_root_uri: git_repo_root_uri, entry: entry),
|
52
52
|
line_no_and_contents: '',
|
53
53
|
raw_content: str,
|
@@ -102,12 +102,16 @@ module PWN
|
|
102
102
|
# to PWN Exploit & Static Code Anti-Pattern Matching Modules to
|
103
103
|
# Determine the level of Testing Coverage w/ PWN.
|
104
104
|
|
105
|
-
public_class_method def self.
|
105
|
+
public_class_method def self.security_requirements
|
106
106
|
{
|
107
107
|
sast_module: self,
|
108
108
|
section: 'INFORMATION INPUT VALIDATION',
|
109
|
-
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-10'
|
109
|
+
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-10',
|
110
|
+
cwe_id: '502',
|
111
|
+
cwe_uri: 'https://cwe.mitre.org/data/definitions/502.html'
|
110
112
|
}
|
113
|
+
rescue StandardError => e
|
114
|
+
raise e
|
111
115
|
end
|
112
116
|
|
113
117
|
# Author(s):: 0day Inc. <request.pentest@0dayinc.com>
|
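--- a/data/lib/pwn/sast/emoticon.rb
+++ b/data/lib/pwn/sast/emoticon.rb
@@ -52,7 +52,7 @@ module PWN
 
 hash_line = {
 timestamp: Time.now.strftime('%Y-%m-%d %H:%M:%S.%9N %z').to_s,
-
+security_requirements: security_requirements,
 filename: filename_arr.push(git_repo_root_uri: git_repo_root_uri, entry: entry),
 line_no_and_contents: '',
 raw_content: str,
@@ -110,11 +110,13 @@ module PWN
 # to PWN Exploit & Static Code Anti-Pattern Matching Modules to
 # Determine the level of Testing Coverage w/ PWN.
 
-public_class_method def self.
+public_class_method def self.security_requirements
 {
 sast_module: self,
 section: 'LEAST PRIVILEGE',
-nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=AC-6'
+nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=AC-6',
+cwe_id: '546',
+cwe_uri: 'https://cwe.mitre.org/data/definitions/546.html'
 }
 rescue StandardError => e
 raise e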
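--- a/data/lib/pwn/sast/eval.rb
+++ b/data/lib/pwn/sast/eval.rb
@@ -48,7 +48,7 @@ module PWN
 
 hash_line = {
 timestamp: Time.now.strftime('%Y-%m-%d %H:%M:%S.%9N %z').to_s,
-
+security_requirements: security_requirements,
 filename: filename_arr.push(git_repo_root_uri: git_repo_root_uri, entry: entry),
 line_no_and_contents: '',
 raw_content: str,
@@ -105,11 +105,13 @@ module PWN
 # to PWN Exploit & Static Code Anti-Pattern Matching Modules to
 # Determine the level of Testing Coverage w/ PWN.
 
-public_class_method def self.
+public_class_method def self.security_requirements
 {
 sast_module: self,
 section: 'MALICIOUS CODE PROTECTION',
-nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-3'
+nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-3',
+cwe_id: '95',
+cwe_uri: 'https://cwe.mitre.org/data/definitions/95.html'
 }
 rescue StandardError => e
 raise e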
data/lib/pwn/sast/factory.rb
CHANGED
@@ -47,7 +47,7 @@ module PWN
|
|
47
47
|
|
48
48
|
hash_line = {
|
49
49
|
timestamp: Time.now.strftime('%Y-%m-%d %H:%M:%S.%9N %z').to_s,
|
50
|
-
|
50
|
+
security_requirements: security_requirements,
|
51
51
|
filename: filename_arr.push(git_repo_root_uri: git_repo_root_uri, entry: entry),
|
52
52
|
line_no_and_contents: '',
|
53
53
|
raw_content: str,
|
@@ -102,12 +102,16 @@ module PWN
|
|
102
102
|
# to PWN Exploit & Static Code Anti-Pattern Matching Modules to
|
103
103
|
# Determine the level of Testing Coverage w/ PWN.
|
104
104
|
|
105
|
-
public_class_method def self.
|
105
|
+
public_class_method def self.security_requirements
|
106
106
|
{
|
107
107
|
sast_module: self,
|
108
108
|
section: 'DEVELOPER CONFIGURATION MANAGEMENT',
|
109
|
-
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SA-10'
|
109
|
+
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SA-10',
|
110
|
+
cwe_id: '611',
|
111
|
+
cwe_uri: 'https://cwe.mitre.org/data/definitions/611.html'
|
110
112
|
}
|
113
|
+
rescue StandardError => e
|
114
|
+
raise e
|
111
115
|
end
|
112
116
|
|
113
117
|
# Author(s):: 0day Inc. <request.pentest@0dayinc.com>
|