pwn 0.4.505 → 0.4.507
- checksums.yaml +4 -4
- data/README.md +2 -2
- data/bin/pwn_sast +0 -1
- data/lib/pwn/reports/sast.rb +5 -5
- data/lib/pwn/sast/amqp_connect_as_guest.rb +5 -3
- data/lib/pwn/sast/apache_file_system_util_api.rb +9 -3
- data/lib/pwn/sast/aws.rb +5 -3
- data/lib/pwn/sast/banned_function_calls_c.rb +9 -3
- data/lib/pwn/sast/base64.rb +6 -7
- data/lib/pwn/sast/beef_hook.rb +5 -3
- data/lib/pwn/sast/cmd_execution_java.rb +5 -3
- data/lib/pwn/sast/cmd_execution_python.rb +5 -3
- data/lib/pwn/sast/cmd_execution_ruby.rb +5 -3
- data/lib/pwn/sast/cmd_execution_scala.rb +5 -3
- data/lib/pwn/sast/csrf.rb +7 -3
- data/lib/pwn/sast/deserial_java.rb +7 -3
- data/lib/pwn/sast/emoticon.rb +5 -3
- data/lib/pwn/sast/eval.rb +5 -3
- data/lib/pwn/sast/factory.rb +7 -3
- data/lib/pwn/sast/http_authorization_header.rb +5 -3
- data/lib/pwn/sast/inner_html.rb +5 -3
- data/lib/pwn/sast/keystore.rb +5 -3
- data/lib/pwn/sast/location_hash.rb +5 -3
- data/lib/pwn/sast/log4j.rb +5 -3
- data/lib/pwn/sast/logger.rb +5 -3
- data/lib/pwn/sast/outer_html.rb +5 -3
- data/lib/pwn/sast/password.rb +5 -3
- data/lib/pwn/sast/pom_version.rb +5 -3
- data/lib/pwn/sast/port.rb +5 -3
- data/lib/pwn/sast/private_key.rb +5 -3
- data/lib/pwn/sast/redirect.rb +5 -3
- data/lib/pwn/sast/redos.rb +5 -3
- data/lib/pwn/sast/shell.rb +5 -3
- data/lib/pwn/sast/signature.rb +5 -3
- data/lib/pwn/sast/sql.rb +5 -3
- data/lib/pwn/sast/ssl.rb +5 -3
- data/lib/pwn/sast/sudo.rb +5 -3
- data/lib/pwn/sast/task_tag.rb +5 -3
- data/lib/pwn/sast/throw_errors.rb +5 -3
- data/lib/pwn/sast/token.rb +5 -3
- data/lib/pwn/sast/version.rb +5 -3
- data/lib/pwn/sast/window_location_hash.rb +5 -3
- data/lib/pwn/sast.rb +0 -1
- data/lib/pwn/version.rb +1 -1
- data/spec/lib/pwn/sast/amqp_connect_as_guest_spec.rb +3 -3
- data/spec/lib/pwn/sast/apache_file_system_util_api_spec.rb +3 -3
- data/spec/lib/pwn/sast/aws_spec.rb +3 -3
- data/spec/lib/pwn/sast/banned_function_calls_c_spec.rb +3 -3
- data/spec/lib/pwn/sast/base64_spec.rb +3 -3
- data/spec/lib/pwn/sast/beef_hook_spec.rb +3 -3
- data/spec/lib/pwn/sast/cmd_execution_java_spec.rb +3 -3
- data/spec/lib/pwn/sast/cmd_execution_python_spec.rb +3 -3
- data/spec/lib/pwn/sast/cmd_execution_ruby_spec.rb +3 -3
- data/spec/lib/pwn/sast/cmd_execution_scala_spec.rb +3 -3
- data/spec/lib/pwn/sast/csrf_spec.rb +3 -3
- data/spec/lib/pwn/sast/deserial_java_spec.rb +3 -3
- data/spec/lib/pwn/sast/emoticon_spec.rb +3 -3
- data/spec/lib/pwn/sast/eval_spec.rb +3 -3
- data/spec/lib/pwn/sast/factory_spec.rb +3 -3
- data/spec/lib/pwn/sast/http_authorization_header_spec.rb +3 -3
- data/spec/lib/pwn/sast/inner_html_spec.rb +3 -3
- data/spec/lib/pwn/sast/keystore_spec.rb +3 -3
- data/spec/lib/pwn/sast/location_hash_spec.rb +3 -3
- data/spec/lib/pwn/sast/log4j_spec.rb +3 -3
- data/spec/lib/pwn/sast/logger_spec.rb +3 -3
- data/spec/lib/pwn/sast/password_spec.rb +3 -3
- data/spec/lib/pwn/sast/pom_version_spec.rb +3 -3
- data/spec/lib/pwn/sast/port_spec.rb +3 -3
- data/spec/lib/pwn/sast/private_key_spec.rb +3 -3
- data/spec/lib/pwn/sast/redirect_spec.rb +3 -3
- data/spec/lib/pwn/sast/redos_spec.rb +3 -3
- data/spec/lib/pwn/sast/shell_spec.rb +3 -3
- data/spec/lib/pwn/sast/signature_spec.rb +3 -3
- data/spec/lib/pwn/sast/sql_spec.rb +3 -3
- data/spec/lib/pwn/sast/ssl_spec.rb +3 -3
- data/spec/lib/pwn/sast/sudo_spec.rb +3 -3
- data/spec/lib/pwn/sast/task_tag_spec.rb +3 -3
- data/spec/lib/pwn/sast/throw_errors_spec.rb +3 -3
- data/spec/lib/pwn/sast/token_spec.rb +3 -3
- data/spec/lib/pwn/sast/version_spec.rb +3 -3
- data/spec/lib/pwn/sast/window_location_hash_spec.rb +3 -3
- metadata +1 -3
- data/lib/pwn/sast/file_permission.rb +0 -142
- data/spec/lib/pwn/sast/file_permission_spec.rb +0 -25
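--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 13fbc36550dc925df57922b3c0016819d4f67eb472e1b1ad07f772aefad82d2f
+data.tar.gz: b82a0bf11f719584a998d9998e932f5fa0b7e66725ad2d2231b3d27b9853bfc6
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 212c9352d648bc5f497ceca10e78867a347bae086d93dd1c65dd65595bd7f32ff9a02065be3f092a5ec318f10e5e0ba223893feac4940f03aa75a9c19ca864f0
+data.tar.gz: bdf727826c0421b696abe80d805dd7f93a018959e1dc675c5dae20929e5b2977ce235a241f679e6a79f9d3a0e8e94f0a3403fc3270610083e98b1f3065c73330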
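--- a/data/README.md
+++ b/data/README.md
@@ -37,7 +37,7 @@ $ rvm use ruby-3.1.2@pwn
 $ rvm list gemsets
 $ gem install --verbose pwn
 $ pwn
-pwn[v0.4.
+pwn[v0.4.507]:001 >>> PWN.help
 ```
 
 [![Installing the pwn Security Automation Framework](https://raw.githubusercontent.com/0dayInc/pwn/master/documentation/pwn_install.png)](https://youtu.be/G7iLUY4FzsI)
@@ -52,7 +52,7 @@ $ rvm use ruby-3.1.2@pwn
 $ gem uninstall --all --executables pwn
 $ gem install --verbose pwn
 $ pwn
-pwn[v0.4.
+pwn[v0.4.507]:001 >>> PWN.help
 ```
 
 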
data/bin/pwn_sast
CHANGED
data/lib/pwn/reports/sast.rb
CHANGED
@@ -101,7 +101,7 @@ module PWN
|
|
101
101
|
<div>
|
102
102
|
<b>Toggle Column(s):</b>
|
103
103
|
<a class="toggle-vis" data-column="1" href="#">Timestamp</a> |
|
104
|
-
<a class="toggle-vis" data-column="2" href="#">Test Case
|
104
|
+
<a class="toggle-vis" data-column="2" href="#">Test Case / Security Requirements</a> |
|
105
105
|
<a class="toggle-vis" data-column="3" href="#">Path</a> |
|
106
106
|
<a class="toggle-vis" data-column="4" href="#">Line#, Formatted Content, & Last Committed By</a> |
|
107
107
|
<a class="toggle-vis" data-column="5" href="#">Raw Content</a> |
|
@@ -115,7 +115,7 @@ module PWN
|
|
115
115
|
<tr>
|
116
116
|
<th>#</th>
|
117
117
|
<th>Timestamp</th>
|
118
|
-
<th>Test Case /
|
118
|
+
<th>Test Case / Security Requirements</th>
|
119
119
|
<th>Path</th>
|
120
120
|
<th>Line#, Formatted Content, & Last Committed By</th>
|
121
121
|
<th>Raw Content</th>
|
@@ -170,13 +170,13 @@ module PWN
|
|
170
170
|
"render": $.fn.dataTable.render.text()
|
171
171
|
},
|
172
172
|
{
|
173
|
-
"data": "
|
173
|
+
"data": "security_requirements",
|
174
174
|
"render": function (data, type, row, meta) {
|
175
175
|
var sast_dirname = data['sast_module'].split('::')[0].toLowerCase() + '/' + data['sast_module'].split('::')[1].toLowerCase();
|
176
176
|
var sast_module = data['sast_module'].split('::')[2];
|
177
177
|
var sast_test_case = sast_module.replace(/\.?([A-Z])/g, function (x,y){ if (sast_module.match(/\.?([A-Z][a-z])/g) ) { return "_" + y.toLowerCase(); } else { return y.toLowerCase(); } }).replace(/^_/g, "");
|
178
178
|
|
179
|
-
return '<tr><td style="width:150px;" align="left"><a href="https://github.com/0dayinc/pwn/tree/master/lib/' + htmlEntityEncode(sast_dirname) + '/' + htmlEntityEncode(sast_test_case) + '.rb" target="_blank">' + htmlEntityEncode(data['sast_module'].split("::")[2]) + '</a><br /><a href="' + htmlEntityEncode(data['nist_800_53_uri']) + '" target="_blank">' + htmlEntityEncode(data['section']) + '</a></td></tr>';
|
179
|
+
return '<tr><td style="width:150px;" align="left"><a href="https://github.com/0dayinc/pwn/tree/master/lib/' + htmlEntityEncode(sast_dirname) + '/' + htmlEntityEncode(sast_test_case) + '.rb" target="_blank">' + htmlEntityEncode(data['sast_module'].split("::")[2]) + '</a><br /><a href="' + htmlEntityEncode(data['nist_800_53_uri']) + '" target="_blank">NIST 800-53:' + htmlEntityEncode(data['section']) + '</a><a href="' + htmlEntityEncode(data['cwe_uri']) + '" target="_blank">CWE:' + htmlEntityEncode(data['cwe_id']) + '</a></td></tr>';
|
180
180
|
}
|
181
181
|
},
|
182
182
|
{
|
@@ -202,7 +202,7 @@ module PWN
|
|
202
202
|
|
203
203
|
var bug_comment = 'Timestamp: ' + row.timestamp + '\n' +
|
204
204
|
'Test Case: http://' + window.location.hostname + ':8808/doc_root/pwn-0.1.0/' +
|
205
|
-
row.
|
205
|
+
row.security_requirements['sast_module'].replace(/::/g, "/") + '\n' +
|
206
206
|
'Source Code Impacted: ' + $("<div/>").html(filename_link).text() + '\n\n' +
|
207
207
|
'Test Case Request:\n' +
|
208
208
|
$("<div/>").html(row.test_case_filter.replace(/\s{2,}/g, " ")).text() + '\n\n' +
|
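Review bot: In the `render` callback for the `security_requirements` column, the new NIST and CWE anchors are concatenated with nothing between them, so the two links run together in the cell, and `data['cwe_uri']` / `data['cwe_id']` are used without a presence check. A module whose hash lacks those keys (inner_html.rb in this same release returns `uri:` rather than `cwe_uri:`) would get a link built from an undefined value. I would put `<br />` between the two anchors and emit the CWE anchor only when `data['cwe_uri']` is set; since both links open with `target="_blank"`, adding `rel="noopener noreferrer"` is also worthwhile. The enclosing report template starts and ends outside these hunks.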
@@ -50,7 +50,7 @@ module PWN
|
|
50
50
|
|
51
51
|
hash_line = {
|
52
52
|
timestamp: Time.now.strftime('%Y-%m-%d %H:%M:%S.%9N %z').to_s,
|
53
|
-
|
53
|
+
security_requirements: security_requirements,
|
54
54
|
filename: filename_arr.push(git_repo_root_uri: git_repo_root_uri, entry: entry),
|
55
55
|
line_no_and_contents: '',
|
56
56
|
raw_content: str,
|
@@ -105,11 +105,13 @@ module PWN
|
|
105
105
|
# to PWN Exploit & Static Code Anti-Pattern Matching Modules to
|
106
106
|
# Determine the level of Testing Coverage w/ PWN.
|
107
107
|
|
108
|
-
public_class_method def self.
|
108
|
+
public_class_method def self.security_requirements
|
109
109
|
{
|
110
110
|
sast_module: self,
|
111
111
|
section: 'ACCOUNT MANAGEMENT',
|
112
|
-
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=AC-2'
|
112
|
+
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=AC-2',
|
113
|
+
cwe_id: '285',
|
114
|
+
cwe_uri: 'https://cwe.mitre.org/data/definitions/285.html'
|
113
115
|
}
|
114
116
|
rescue StandardError => e
|
115
117
|
raise e
|
@@ -49,7 +49,7 @@ module PWN
|
|
49
49
|
|
50
50
|
hash_line = {
|
51
51
|
timestamp: Time.now.strftime('%Y-%m-%d %H:%M:%S.%9N %z').to_s,
|
52
|
-
|
52
|
+
security_requirements: security_requirements,
|
53
53
|
filename: filename_arr.push(git_repo_root_uri: git_repo_root_uri, entry: entry),
|
54
54
|
line_no_and_contents: '',
|
55
55
|
raw_content: str,
|
@@ -97,6 +97,8 @@ module PWN
|
|
97
97
|
@@logger.info("#{logger_banner} => #{logger_results}complete.\n")
|
98
98
|
end
|
99
99
|
result_arr
|
100
|
+
rescue StandardError => e
|
101
|
+
raise e
|
100
102
|
end
|
101
103
|
|
102
104
|
# Used primarily to map NIST 800-53 Revision 4 Security Controls
|
@@ -104,12 +106,16 @@ module PWN
|
|
104
106
|
# to PWN Exploit & Static Code Anti-Pattern Matching Modules to
|
105
107
|
# Determine the level of Testing Coverage w/ PWN.
|
106
108
|
|
107
|
-
public_class_method def self.
|
109
|
+
public_class_method def self.security_requirements
|
108
110
|
{
|
109
111
|
sast_module: self,
|
110
112
|
section: 'INFORMATION INPUT VALIDATION',
|
111
|
-
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-10'
|
113
|
+
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-10',
|
114
|
+
cwe_id: '78',
|
115
|
+
cwe_uri: 'https://cwe.mitre.org/data/definitions/78.html'
|
112
116
|
}
|
117
|
+
rescue StandardError => e
|
118
|
+
raise e
|
113
119
|
end
|
114
120
|
|
115
121
|
# Author(s):: 0day Inc. <request.pentest@0dayinc.com>
|
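Review bot: The added `rescue StandardError => e` / `raise e` pairs (after `result_arr` and after the `security_requirements` hash) catch an exception only to raise the same object again, so they change nothing the caller sees; they can be dropped, or replaced by a rescue that adds context such as the module name. The same pair is added in the later hunks `@@ -225,6 +225,8 @@` and `@@ -232,12 +234,16 @@`, and in csrf.rb and factory.rb. The comment above the method still says "NIST 800-53 Revision 4" while the URI carries `version=5.1`, which is worth aligning. This section has no file header on the page; going by the file list it is presumably apache_file_system_util_api.rb, and both methods begin outside the hunks.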
data/lib/pwn/sast/aws.rb
CHANGED
@@ -50,7 +50,7 @@ module PWN
|
|
50
50
|
|
51
51
|
hash_line = {
|
52
52
|
timestamp: Time.now.strftime('%Y-%m-%d %H:%M:%S.%9N %z').to_s,
|
53
|
-
|
53
|
+
security_requirements: security_requirements,
|
54
54
|
filename: filename_arr.push(git_repo_root_uri: git_repo_root_uri, entry: entry),
|
55
55
|
line_no_and_contents: '',
|
56
56
|
raw_content: str,
|
@@ -107,11 +107,13 @@ module PWN
|
|
107
107
|
# to PWN Exploit & Static Code Anti-Pattern Matching Modules to
|
108
108
|
# Determine the level of Testing Coverage w/ PWN.
|
109
109
|
|
110
|
-
public_class_method def self.
|
110
|
+
public_class_method def self.security_requirements
|
111
111
|
{
|
112
112
|
sast_module: self,
|
113
113
|
section: 'TRANSMISSION CONFIDENTIALITY AND INTEGRITY',
|
114
|
-
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SC-8'
|
114
|
+
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SC-8',
|
115
|
+
cwe_id: '256',
|
116
|
+
cwe_uri: 'https://cwe.mitre.org/data/definitions/256.html'
|
115
117
|
}
|
116
118
|
rescue StandardError => e
|
117
119
|
raise e
|
@@ -177,7 +177,7 @@ module PWN
|
|
177
177
|
|
178
178
|
hash_line = {
|
179
179
|
timestamp: Time.now.strftime('%Y-%m-%d %H:%M:%S.%9N %z').to_s,
|
180
|
-
|
180
|
+
security_requirements: security_requirements,
|
181
181
|
filename: filename_arr.push(git_repo_root_uri: git_repo_root_uri, entry: entry),
|
182
182
|
line_no_and_contents: '',
|
183
183
|
raw_content: str,
|
@@ -225,6 +225,8 @@ module PWN
|
|
225
225
|
@@logger.info("#{logger_banner} => #{logger_results}complete.\n")
|
226
226
|
end
|
227
227
|
result_arr
|
228
|
+
rescue StandardError => e
|
229
|
+
raise e
|
228
230
|
end
|
229
231
|
|
230
232
|
# Used primarily to map NIST 800-53 Revision 4 Security Controls
|
@@ -232,12 +234,16 @@ module PWN
|
|
232
234
|
# to PWN Exploit & Static Code Anti-Pattern Matching Modules to
|
233
235
|
# Determine the level of Testing Coverage w/ PWN.
|
234
236
|
|
235
|
-
public_class_method def self.
|
237
|
+
public_class_method def self.security_requirements
|
236
238
|
{
|
237
239
|
sast_module: self,
|
238
240
|
section: 'INFORMATION INPUT VALIDATION',
|
239
|
-
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-10'
|
241
|
+
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-10',
|
242
|
+
cwe_id: '676',
|
243
|
+
cwe_uri: 'https://cwe.mitre.org/data/definitions/676.html'
|
240
244
|
}
|
245
|
+
rescue StandardError => e
|
246
|
+
raise e
|
241
247
|
end
|
242
248
|
|
243
249
|
# Author(s):: 0day Inc. <request.pentest@0dayinc.com>
|
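--- a/data/lib/pwn/sast/base64.rb
+++ b/data/lib/pwn/sast/base64.rb
@@ -51,7 +51,7 @@ module PWN
 
 hash_line = {
 timestamp: Time.now.strftime('%Y-%m-%d %H:%M:%S.%9N %z').to_s,
-
+security_requirements: security_requirements,
 filename: filename_arr.push(git_repo_root_uri: git_repo_root_uri, entry: entry),
 line_no_and_contents: '',
 raw_content: str,
@@ -103,16 +103,15 @@ module PWN
 raise e
 end
 
-# Used
-# https://web.nvd.nist.gov/view/800-53/Rev4/impact?impactName=HIGH
-# to PWN Exploit & Static Code Anti-Pattern Matching Modules to
-# Determine the level of Testing Coverage w/ PWN.
+# Used to dictate Security Control Requirements for a Given SAST module.
 
-public_class_method def self.
+public_class_method def self.security_requirements
 {
 sast_module: self,
 section: 'PROTECTION OF INFORMATION AT REST',
-nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SC-28'
+nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SC-28',
+cwe_id: '95',
+cwe_uri: 'https://cwe.mitre.org/data/definitions/95.html'
 }
 rescue StandardError => e
 raise e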
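Review bot: `cwe_id: '95'` maps the Base64 module to CWE-95 (eval injection), the same value eval.rb uses, while the `section` kept here is 'PROTECTION OF INFORMATION AT REST'. This looks like a copy-paste, and the report would then link Base64 findings to a weakness that does not describe them. Please confirm the intended CWE for this module and update `cwe_id` and `cwe_uri` together. The method's `rescue` clause continues outside the hunk.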
data/lib/pwn/sast/beef_hook.rb
CHANGED
@@ -45,7 +45,7 @@ module PWN
|
|
45
45
|
|
46
46
|
hash_line = {
|
47
47
|
timestamp: Time.now.strftime('%Y-%m-%d %H:%M:%S.%9N %z').to_s,
|
48
|
-
|
48
|
+
security_requirements: security_requirements,
|
49
49
|
filename: filename_arr.push(git_repo_root_uri: git_repo_root_uri, entry: entry),
|
50
50
|
line_no_and_contents: '',
|
51
51
|
raw_content: str,
|
@@ -102,11 +102,13 @@ module PWN
|
|
102
102
|
# to PWN Exploit & Static Code Anti-Pattern Matching Modules to
|
103
103
|
# Determine the level of Testing Coverage w/ PWN.
|
104
104
|
|
105
|
-
public_class_method def self.
|
105
|
+
public_class_method def self.security_requirements
|
106
106
|
{
|
107
107
|
sast_module: self,
|
108
108
|
section: 'MALICIOUS CODE PROTECTION',
|
109
|
-
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-3'
|
109
|
+
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-3',
|
110
|
+
cwe_id: '506',
|
111
|
+
cwe_uri: 'https://cwe.mitre.org/data/definitions/506.html'
|
110
112
|
}
|
111
113
|
rescue StandardError => e
|
112
114
|
raise e
|
@@ -50,7 +50,7 @@ module PWN
|
|
50
50
|
|
51
51
|
hash_line = {
|
52
52
|
timestamp: Time.now.strftime('%Y-%m-%d %H:%M:%S.%9N %z').to_s,
|
53
|
-
|
53
|
+
security_requirements: security_requirements,
|
54
54
|
filename: filename_arr.push(git_repo_root_uri: git_repo_root_uri, entry: entry),
|
55
55
|
line_no_and_contents: '',
|
56
56
|
raw_content: str,
|
@@ -107,11 +107,13 @@ module PWN
|
|
107
107
|
# to PWN Exploit & Static Code Anti-Pattern Matching Modules to
|
108
108
|
# Determine the level of Testing Coverage w/ PWN.
|
109
109
|
|
110
|
-
public_class_method def self.
|
110
|
+
public_class_method def self.security_requirements
|
111
111
|
{
|
112
112
|
sast_module: self,
|
113
113
|
section: 'INFORMATION INPUT VALIDATION',
|
114
|
-
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-10'
|
114
|
+
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-10',
|
115
|
+
cwe_id: '78',
|
116
|
+
cwe_uri: 'https://cwe.mitre.org/data/definitions/78.html'
|
115
117
|
}
|
116
118
|
rescue StandardError => e
|
117
119
|
raise e
|
@@ -52,7 +52,7 @@ module PWN
|
|
52
52
|
|
53
53
|
hash_line = {
|
54
54
|
timestamp: Time.now.strftime('%Y-%m-%d %H:%M:%S.%9N %z').to_s,
|
55
|
-
|
55
|
+
security_requirements: security_requirements,
|
56
56
|
filename: filename_arr.push(git_repo_root_uri: git_repo_root_uri, entry: entry),
|
57
57
|
line_no_and_contents: '',
|
58
58
|
raw_content: str,
|
@@ -109,11 +109,13 @@ module PWN
|
|
109
109
|
# to PWN Exploit & Static Code Anti-Pattern Matching Modules to
|
110
110
|
# Determine the level of Testing Coverage w/ PWN.
|
111
111
|
|
112
|
-
public_class_method def self.
|
112
|
+
public_class_method def self.security_requirements
|
113
113
|
{
|
114
114
|
sast_module: self,
|
115
115
|
section: 'INFORMATION INPUT VALIDATION',
|
116
|
-
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-10'
|
116
|
+
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-10',
|
117
|
+
cwe_id: '78',
|
118
|
+
cwe_uri: 'https://cwe.mitre.org/data/definitions/78.html'
|
117
119
|
}
|
118
120
|
rescue StandardError => e
|
119
121
|
raise e
|
@@ -60,7 +60,7 @@ module PWN
|
|
60
60
|
|
61
61
|
hash_line = {
|
62
62
|
timestamp: Time.now.strftime('%Y-%m-%d %H:%M:%S.%9N %z').to_s,
|
63
|
-
|
63
|
+
security_requirements: security_requirements,
|
64
64
|
filename: filename_arr.push(git_repo_root_uri: git_repo_root_uri, entry: entry),
|
65
65
|
line_no_and_contents: '',
|
66
66
|
raw_content: str,
|
@@ -117,11 +117,13 @@ module PWN
|
|
117
117
|
# to PWN Exploit & Static Code Anti-Pattern Matching Modules to
|
118
118
|
# Determine the level of Testing Coverage w/ PWN.
|
119
119
|
|
120
|
-
public_class_method def self.
|
120
|
+
public_class_method def self.security_requirements
|
121
121
|
{
|
122
122
|
sast_module: self,
|
123
123
|
section: 'INFORMATION INPUT VALIDATION',
|
124
|
-
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-10'
|
124
|
+
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-10',
|
125
|
+
cwe_id: '78',
|
126
|
+
cwe_uri: 'https://cwe.mitre.org/data/definitions/78.html'
|
125
127
|
}
|
126
128
|
rescue StandardError => e
|
127
129
|
raise e
|
@@ -50,7 +50,7 @@ module PWN
|
|
50
50
|
|
51
51
|
hash_line = {
|
52
52
|
timestamp: Time.now.strftime('%Y-%m-%d %H:%M:%S.%9N %z').to_s,
|
53
|
-
|
53
|
+
security_requirements: security_requirements,
|
54
54
|
filename: filename_arr.push(git_repo_root_uri: git_repo_root_uri, entry: entry),
|
55
55
|
line_no_and_contents: '',
|
56
56
|
raw_content: str,
|
@@ -107,11 +107,13 @@ module PWN
|
|
107
107
|
# to PWN Exploit & Static Code Anti-Pattern Matching Modules to
|
108
108
|
# Determine the level of Testing Coverage w/ PWN.
|
109
109
|
|
110
|
-
public_class_method def self.
|
110
|
+
public_class_method def self.security_requirements
|
111
111
|
{
|
112
112
|
sast_module: self,
|
113
113
|
section: 'INFORMATION INPUT VALIDATION',
|
114
|
-
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-10'
|
114
|
+
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-10',
|
115
|
+
cwe_id: '78',
|
116
|
+
cwe_uri: 'https://cwe.mitre.org/data/definitions/78.html'
|
115
117
|
}
|
116
118
|
rescue StandardError => e
|
117
119
|
raise e
|
data/lib/pwn/sast/csrf.rb
CHANGED
@@ -48,7 +48,7 @@ module PWN
|
|
48
48
|
|
49
49
|
hash_line = {
|
50
50
|
timestamp: Time.now.strftime('%Y-%m-%d %H:%M:%S.%9N %z').to_s,
|
51
|
-
|
51
|
+
security_requirements: security_requirements,
|
52
52
|
filename: filename_arr.push(git_repo_root_uri: git_repo_root_uri, entry: entry),
|
53
53
|
line_no_and_contents: '',
|
54
54
|
raw_content: str,
|
@@ -103,12 +103,16 @@ module PWN
|
|
103
103
|
# to PWN Exploit & Static Code Anti-Pattern Matching Modules to
|
104
104
|
# Determine the level of Testing Coverage w/ PWN.
|
105
105
|
|
106
|
-
public_class_method def self.
|
106
|
+
public_class_method def self.security_requirements
|
107
107
|
{
|
108
108
|
sast_module: self,
|
109
109
|
section: 'MALICIOUS CODE PROTECTION',
|
110
|
-
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-3'
|
110
|
+
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-3',
|
111
|
+
cwe_id: '352',
|
112
|
+
cwe_uri: 'https://cwe.mitre.org/data/definitions/352.html'
|
111
113
|
}
|
114
|
+
rescue StandardError => e
|
115
|
+
raise e
|
112
116
|
end
|
113
117
|
|
114
118
|
# Author(s):: 0day Inc. <request.pentest@0dayinc.com>
|
@@ -47,7 +47,7 @@ module PWN
|
|
47
47
|
|
48
48
|
hash_line = {
|
49
49
|
timestamp: Time.now.strftime('%Y-%m-%d %H:%M:%S.%9N %z').to_s,
|
50
|
-
|
50
|
+
security_requirements: security_requirements,
|
51
51
|
filename: filename_arr.push(git_repo_root_uri: git_repo_root_uri, entry: entry),
|
52
52
|
line_no_and_contents: '',
|
53
53
|
raw_content: str,
|
@@ -102,12 +102,16 @@ module PWN
|
|
102
102
|
# to PWN Exploit & Static Code Anti-Pattern Matching Modules to
|
103
103
|
# Determine the level of Testing Coverage w/ PWN.
|
104
104
|
|
105
|
-
public_class_method def self.
|
105
|
+
public_class_method def self.security_requirements
|
106
106
|
{
|
107
107
|
sast_module: self,
|
108
108
|
section: 'INFORMATION INPUT VALIDATION',
|
109
|
-
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-10'
|
109
|
+
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-10',
|
110
|
+
cwe_id: '502',
|
111
|
+
cwe_uri: 'https://cwe.mitre.org/data/definitions/502.html'
|
110
112
|
}
|
113
|
+
rescue StandardError => e
|
114
|
+
raise e
|
111
115
|
end
|
112
116
|
|
113
117
|
# Author(s):: 0day Inc. <request.pentest@0dayinc.com>
|
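--- a/data/lib/pwn/sast/emoticon.rb
+++ b/data/lib/pwn/sast/emoticon.rb
@@ -52,7 +52,7 @@ module PWN
 
 hash_line = {
 timestamp: Time.now.strftime('%Y-%m-%d %H:%M:%S.%9N %z').to_s,
-
+security_requirements: security_requirements,
 filename: filename_arr.push(git_repo_root_uri: git_repo_root_uri, entry: entry),
 line_no_and_contents: '',
 raw_content: str,
@@ -110,11 +110,13 @@ module PWN
 # to PWN Exploit & Static Code Anti-Pattern Matching Modules to
 # Determine the level of Testing Coverage w/ PWN.
 
-public_class_method def self.
+public_class_method def self.security_requirements
 {
 sast_module: self,
 section: 'LEAST PRIVILEGE',
-nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=AC-6'
+nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=AC-6',
+cwe_id: '546',
+cwe_uri: 'https://cwe.mitre.org/data/definitions/546.html'
 }
 rescue StandardError => e
 raise e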
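--- a/data/lib/pwn/sast/eval.rb
+++ b/data/lib/pwn/sast/eval.rb
@@ -48,7 +48,7 @@ module PWN
 
 hash_line = {
 timestamp: Time.now.strftime('%Y-%m-%d %H:%M:%S.%9N %z').to_s,
-
+security_requirements: security_requirements,
 filename: filename_arr.push(git_repo_root_uri: git_repo_root_uri, entry: entry),
 line_no_and_contents: '',
 raw_content: str,
@@ -105,11 +105,13 @@ module PWN
 # to PWN Exploit & Static Code Anti-Pattern Matching Modules to
 # Determine the level of Testing Coverage w/ PWN.
 
-public_class_method def self.
+public_class_method def self.security_requirements
 {
 sast_module: self,
 section: 'MALICIOUS CODE PROTECTION',
-nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-3'
+nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-3',
+cwe_id: '95',
+cwe_uri: 'https://cwe.mitre.org/data/definitions/95.html'
 }
 rescue StandardError => e
 raise e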
data/lib/pwn/sast/factory.rb
CHANGED
@@ -47,7 +47,7 @@ module PWN
|
|
47
47
|
|
48
48
|
hash_line = {
|
49
49
|
timestamp: Time.now.strftime('%Y-%m-%d %H:%M:%S.%9N %z').to_s,
|
50
|
-
|
50
|
+
security_requirements: security_requirements,
|
51
51
|
filename: filename_arr.push(git_repo_root_uri: git_repo_root_uri, entry: entry),
|
52
52
|
line_no_and_contents: '',
|
53
53
|
raw_content: str,
|
@@ -102,12 +102,16 @@ module PWN
|
|
102
102
|
# to PWN Exploit & Static Code Anti-Pattern Matching Modules to
|
103
103
|
# Determine the level of Testing Coverage w/ PWN.
|
104
104
|
|
105
|
-
public_class_method def self.
|
105
|
+
public_class_method def self.security_requirements
|
106
106
|
{
|
107
107
|
sast_module: self,
|
108
108
|
section: 'DEVELOPER CONFIGURATION MANAGEMENT',
|
109
|
-
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SA-10'
|
109
|
+
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SA-10',
|
110
|
+
cwe_id: '611',
|
111
|
+
cwe_uri: 'https://cwe.mitre.org/data/definitions/611.html'
|
110
112
|
}
|
113
|
+
rescue StandardError => e
|
114
|
+
raise e
|
111
115
|
end
|
112
116
|
|
113
117
|
# Author(s):: 0day Inc. <request.pentest@0dayinc.com>
|
@@ -57,7 +57,7 @@ module PWN
|
|
57
57
|
|
58
58
|
hash_line = {
|
59
59
|
timestamp: Time.now.strftime('%Y-%m-%d %H:%M:%S.%9N %z').to_s,
|
60
|
-
|
60
|
+
security_requirements: security_requirements,
|
61
61
|
filename: filename_arr.push(git_repo_root_uri: git_repo_root_uri, entry: entry),
|
62
62
|
line_no_and_contents: '',
|
63
63
|
raw_content: str,
|
@@ -112,11 +112,13 @@ module PWN
|
|
112
112
|
# to PWN Exploit & Static Code Anti-Pattern Matching Modules to
|
113
113
|
# Determine the level of Testing Coverage w/ PWN.
|
114
114
|
|
115
|
-
public_class_method def self.
|
115
|
+
public_class_method def self.security_requirements
|
116
116
|
{
|
117
117
|
sast_module: self,
|
118
118
|
section: 'PROTECTION OF INFORMATION AT REST',
|
119
|
-
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SC-28'
|
119
|
+
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SC-28',
|
120
|
+
cwe_id: '285',
|
121
|
+
cwe_uri: 'https://cwe.mitre.org/data/definitions/285.html'
|
120
122
|
}
|
121
123
|
end
|
122
124
|
|
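--- a/data/lib/pwn/sast/inner_html.rb
+++ b/data/lib/pwn/sast/inner_html.rb
@@ -48,7 +48,7 @@ module PWN
 
 hash_line = {
 timestamp: Time.now.strftime('%Y-%m-%d %H:%M:%S.%9N %z').to_s,
-
+security_requirements: security_requirements,
 filename: filename_arr.push(git_repo_root_uri: git_repo_root_uri, entry: entry),
 line_no_and_contents: '',
 raw_content: str,
@@ -105,11 +105,13 @@ module PWN
 # to PWN Exploit & Static Code Anti-Pattern Matching Modules to
 # Determine the level of Testing Coverage w/ PWN.
 
-public_class_method def self.
+public_class_method def self.security_requirements
 {
 sast_module: self,
 section: 'MALICIOUS CODE PROTECTION',
-nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-3'
+nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-3',
+cwe_id: '79',
+uri: 'https://cwe.mitre.org/data/definitions/79.html'
 }
 rescue StandardError => e
 raise e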
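Review bot: The last key of the hash returned by `security_requirements` is `uri:`, whereas every other module in this diff uses `cwe_uri:` and the report renderer in reports/sast.rb reads `data['cwe_uri']`. As written, InnerHTML findings would lose their CWE link in the report. Change the line to `cwe_uri: 'https://cwe.mitre.org/data/definitions/79.html'`. A spec asserting that each module's hash carries `cwe_id` and `cwe_uri` would catch this kind of slip; the method's `rescue` clause continues outside the hunk.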
data/lib/pwn/sast/keystore.rb
CHANGED
@@ -45,7 +45,7 @@ module PWN
|
|
45
45
|
|
46
46
|
hash_line = {
|
47
47
|
timestamp: Time.now.strftime('%Y-%m-%d %H:%M:%S.%9N %z').to_s,
|
48
|
-
|
48
|
+
security_requirements: security_requirements,
|
49
49
|
filename: filename_arr.push(git_repo_root_uri: git_repo_root_uri, entry: entry),
|
50
50
|
line_no_and_contents: '',
|
51
51
|
raw_content: str,
|
@@ -102,11 +102,13 @@ module PWN
|
|
102
102
|
# to PWN Exploit & Static Code Anti-Pattern Matching Modules to
|
103
103
|
# Determine the level of Testing Coverage w/ PWN.
|
104
104
|
|
105
|
-
public_class_method def self.
|
105
|
+
public_class_method def self.security_requirements
|
106
106
|
{
|
107
107
|
sast_module: self,
|
108
108
|
section: 'CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT',
|
109
|
-
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SC-12'
|
109
|
+
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SC-12',
|
110
|
+
cwe_id: '522',
|
111
|
+
cwe_uri: 'https://cwe.mitre.org/data/definitions/522.html'
|
110
112
|
}
|
111
113
|
rescue StandardError => e
|
112
114
|
raise e.mesasge
|
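Review bot: The context line `raise e.mesasge` in the rescue of `security_requirements` misspells `message`, so any error reaching that rescue would surface as a NoMethodError and hide the original exception; this commit edits the method but leaves the line as is. Use `raise e`, as the other SAST modules do, which also keeps the exception class and backtrace. The rescue clause continues outside the hunk.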
@@ -48,7 +48,7 @@ module PWN
|
|
48
48
|
|
49
49
|
hash_line = {
|
50
50
|
timestamp: Time.now.strftime('%Y-%m-%d %H:%M:%S.%9N %z').to_s,
|
51
|
-
|
51
|
+
security_requirements: security_requirements,
|
52
52
|
filename: filename_arr.push(git_repo_root_uri: git_repo_root_uri, entry: entry),
|
53
53
|
line_no_and_contents: '',
|
54
54
|
raw_content: str,
|
@@ -105,11 +105,13 @@ module PWN
|
|
105
105
|
# to PWN Exploit & Static Code Anti-Pattern Matching Modules to
|
106
106
|
# Determine the level of Testing Coverage w/ PWN.
|
107
107
|
|
108
|
-
public_class_method def self.
|
108
|
+
public_class_method def self.security_requirements
|
109
109
|
{
|
110
110
|
sast_module: self,
|
111
111
|
section: 'MALICIOUS CODE PROTECTION',
|
112
|
-
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-3'
|
112
|
+
nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-3',
|
113
|
+
cwe_id: '79',
|
114
|
+
cwe_uri: 'https://cwe.mitre.org/data/definitions/79.html'
|
113
115
|
}
|
114
116
|
rescue StandardError => e
|
115
117
|
raise e
|