pwn 0.5.351 → 0.5.353
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +3 -3
- data/bin/pwn_fuzz_net_app_proto +4 -3
- data/bin/pwn_phone +1 -2
- data/bin/pwn_sast +1 -2
- data/bin/pwn_www_uri_buster +1 -2
- data/lib/pwn/plugins/burp_suite.rb +15 -18
- data/lib/pwn/plugins/git.rb +3 -3
- data/lib/pwn/plugins/sock.rb +2 -2
- data/lib/pwn/reports/fuzz.rb +69 -24
- data/lib/pwn/reports/phone.rb +82 -23
- data/lib/pwn/reports/sast.rb +95 -45
- data/lib/pwn/reports/uri_buster.rb +79 -23
- data/lib/pwn/sast/amqp_connect_as_guest.rb +2 -2
- data/lib/pwn/sast/apache_file_system_util_api.rb +2 -2
- data/lib/pwn/sast/aws.rb +2 -2
- data/lib/pwn/sast/banned_function_calls_c.rb +2 -2
- data/lib/pwn/sast/base64.rb +2 -2
- data/lib/pwn/sast/beef_hook.rb +2 -2
- data/lib/pwn/sast/cmd_execution_java.rb +2 -2
- data/lib/pwn/sast/cmd_execution_python.rb +2 -2
- data/lib/pwn/sast/cmd_execution_ruby.rb +2 -2
- data/lib/pwn/sast/cmd_execution_scala.rb +2 -2
- data/lib/pwn/sast/csrf.rb +2 -2
- data/lib/pwn/sast/deserial_java.rb +2 -2
- data/lib/pwn/sast/emoticon.rb +2 -2
- data/lib/pwn/sast/eval.rb +2 -2
- data/lib/pwn/sast/factory.rb +2 -2
- data/lib/pwn/sast/http_authorization_header.rb +2 -2
- data/lib/pwn/sast/inner_html.rb +2 -2
- data/lib/pwn/sast/keystore.rb +2 -2
- data/lib/pwn/sast/local_storage.rb +2 -2
- data/lib/pwn/sast/location_hash.rb +2 -2
- data/lib/pwn/sast/log4j.rb +2 -2
- data/lib/pwn/sast/logger.rb +2 -2
- data/lib/pwn/sast/md5.rb +2 -2
- data/lib/pwn/sast/outer_html.rb +2 -2
- data/lib/pwn/sast/padding_oracle.rb +2 -2
- data/lib/pwn/sast/password.rb +2 -2
- data/lib/pwn/sast/php_input_mechanisms.rb +2 -2
- data/lib/pwn/sast/php_type_juggling.rb +2 -2
- data/lib/pwn/sast/pom_version.rb +2 -2
- data/lib/pwn/sast/port.rb +2 -2
- data/lib/pwn/sast/post_message.rb +2 -2
- data/lib/pwn/sast/private_key.rb +2 -2
- data/lib/pwn/sast/redirect.rb +2 -2
- data/lib/pwn/sast/redos.rb +2 -2
- data/lib/pwn/sast/shell.rb +2 -2
- data/lib/pwn/sast/signature.rb +2 -2
- data/lib/pwn/sast/sql.rb +2 -2
- data/lib/pwn/sast/ssl.rb +2 -2
- data/lib/pwn/sast/sudo.rb +2 -2
- data/lib/pwn/sast/task_tag.rb +2 -2
- data/lib/pwn/sast/throw_errors.rb +3 -2
- data/lib/pwn/sast/token.rb +2 -2
- data/lib/pwn/sast/type_script_type_juggling.rb +2 -2
- data/lib/pwn/sast/version.rb +2 -2
- data/lib/pwn/sast/window_location_hash.rb +2 -2
- data/lib/pwn/version.rb +1 -1
- metadata +1 -1
data/lib/pwn/reports/sast.rb
CHANGED
|
@@ -78,8 +78,8 @@ module PWN
|
|
|
78
78
|
word-wrap: break-word !important;
|
|
79
79
|
}
|
|
80
80
|
|
|
81
|
-
.highlighted {
|
|
82
|
-
background-color: #
|
|
81
|
+
tr.highlighted td {
|
|
82
|
+
background-color: #FFF396 !important;
|
|
83
83
|
}
|
|
84
84
|
</style>
|
|
85
85
|
|
|
@@ -98,7 +98,11 @@ module PWN
|
|
|
98
98
|
</h1><br /><br />
|
|
99
99
|
<h2 id="report_name"></h2><br />
|
|
100
100
|
|
|
101
|
-
<div
|
|
101
|
+
<div>
|
|
102
|
+
<!--<button type="button" id="button">Rows Selected</button>-->
|
|
103
|
+
<button type="button" id="export_selected">Export Selected to JSON</button>
|
|
104
|
+
</div><br />
|
|
105
|
+
|
|
102
106
|
<div>
|
|
103
107
|
<b>Toggle Column(s):</b>
|
|
104
108
|
<a class="toggle-vis" data-column="1" href="#">Timestamp</a> |
|
|
@@ -127,12 +131,20 @@ module PWN
|
|
|
127
131
|
<th>Test Case (Anti-Pattern) Filter</th>
|
|
128
132
|
</tr>
|
|
129
133
|
</thead>
|
|
134
|
+
<col width="30px" />
|
|
135
|
+
<col width="60px" />
|
|
136
|
+
<col width="300px" />
|
|
137
|
+
<col width="90px" />
|
|
138
|
+
<col width="90px" />
|
|
139
|
+
<col width="300px" />
|
|
140
|
+
<col width="90px" />
|
|
130
141
|
<!-- DataTables <tbody> -->
|
|
131
142
|
</table>
|
|
132
143
|
</div>
|
|
133
144
|
|
|
134
145
|
<script>
|
|
135
146
|
var htmlEntityEncode = $.fn.dataTable.render.text().display;
|
|
147
|
+
|
|
136
148
|
var line_entry_uri = "";
|
|
137
149
|
$(document).ready(function() {
|
|
138
150
|
var oldStart = 0;
|
|
@@ -153,17 +165,6 @@ module PWN
|
|
|
153
165
|
$('html,body').animate({scrollTop: targetOffset}, 500);
|
|
154
166
|
oldStart = oSettings._iDisplayStart;
|
|
155
167
|
}
|
|
156
|
-
// Select individual lines in a row
|
|
157
|
-
$('#multi_line_select tbody').on('click', 'tr', function () {
|
|
158
|
-
$(this).toggleClass('highlighted');
|
|
159
|
-
if ($('#multi_line_select tr.highlighted').length > 0) {
|
|
160
|
-
$('#multi_line_select tr td button').attr('disabled', 'disabled');
|
|
161
|
-
// Remove multi-line bug button
|
|
162
|
-
} else {
|
|
163
|
-
$('#multi_line_select tr td button').removeAttr('disabled');
|
|
164
|
-
// Add multi-line bug button
|
|
165
|
-
}
|
|
166
|
-
});
|
|
167
168
|
},
|
|
168
169
|
"ajax": "#{report_name}.json",
|
|
169
170
|
//"deferRender": true,
|
|
@@ -182,7 +183,7 @@ module PWN
|
|
|
182
183
|
var sast_module = data['sast_module'].split('::')[2];
|
|
183
184
|
var sast_test_case = sast_module.replace(/\\.?([A-Z])/g, function (x,y){ if (sast_module.match(/\\.?([A-Z][a-z])/g) ) { return "_" + y.toLowerCase(); } else { return y.toLowerCase(); } }).replace(/^_/g, "");
|
|
184
185
|
|
|
185
|
-
return '<tr><td style="width:150px;" align="left"><a href="https://github.com/0dayinc/pwn/tree/master/lib/' + htmlEntityEncode(sast_dirname) + '/' + htmlEntityEncode(sast_test_case) + '.rb" target="_blank">' + htmlEntityEncode(data['sast_module'].split("::")[2]) + '</a><br /><br /><a href="' + htmlEntityEncode(data['nist_800_53_uri']) + '" target="_blank">NIST 800-53: ' + htmlEntityEncode(data['section']) + '</a><br /><br /><a href="' + htmlEntityEncode(data['cwe_uri']) + '" target="_blank">CWE:' + htmlEntityEncode(data['cwe_id']) + '</a></td></tr>';
|
|
186
|
+
return '<table class="squish"><tr><td style="width:150px;" align="left"><a href="https://github.com/0dayinc/pwn/tree/master/lib/' + htmlEntityEncode(sast_dirname) + '/' + htmlEntityEncode(sast_test_case) + '.rb" target="_blank">' + htmlEntityEncode(data['sast_module'].split("::")[2]) + '</a><br /><br /><a href="' + htmlEntityEncode(data['nist_800_53_uri']) + '" target="_blank">NIST 800-53: ' + htmlEntityEncode(data['section']) + '</a><br /><br /><a href="' + htmlEntityEncode(data['cwe_uri']) + '" target="_blank">CWE:' + htmlEntityEncode(data['cwe_id']) + '</a></td></tr></table>';
|
|
186
187
|
}
|
|
187
188
|
},
|
|
188
189
|
{
|
|
@@ -194,30 +195,19 @@ module PWN
|
|
|
194
195
|
|
|
195
196
|
file = htmlEntityEncode(data['entry']);
|
|
196
197
|
|
|
197
|
-
return '<table class="squish"><tr
|
|
198
|
+
return '<table class="squish"><tr><td style="width:150px;" align="left"><a href="' + line_entry_uri + '" target="_blank">' + file + '</a></td></tr></table>';
|
|
198
199
|
}
|
|
199
200
|
},
|
|
200
201
|
{
|
|
201
202
|
"data": "line_no_and_contents",
|
|
202
203
|
"render": function (data, type, row, meta) {
|
|
203
|
-
var pwn_rows = '<
|
|
204
|
+
var pwn_rows = '<table class="multi_line_select squish" style="width: 665px"><tbody>';
|
|
204
205
|
for (var i = 0; i < data.length; i++) {
|
|
205
206
|
var tr_class;
|
|
206
207
|
if (i % 2 == 0) { tr_class = "odd"; } else { tr_class = "even"; }
|
|
207
208
|
|
|
208
209
|
var filename_link = row.filename;
|
|
209
210
|
|
|
210
|
-
var bug_comment = 'Timestamp: ' + row.timestamp + '\\n' +
|
|
211
|
-
'Test Case: http://' + window.location.hostname + ':8808/doc_root/pwn-0.1.0/' +
|
|
212
|
-
row.security_references['sast_module'].replace(/::/g, "/") + '\\n' +
|
|
213
|
-
'Source Code Impacted: ' + $("<div/>").html(filename_link).text() + '\\n\\n' +
|
|
214
|
-
'Test Case Request:\\n' +
|
|
215
|
-
$("<div/>").html(row.test_case_filter.replace(/\\s{2,}/g, " ")).text() + '\\n\\n' +
|
|
216
|
-
'Test Case Response:\\n' +
|
|
217
|
-
'\\tCommitted by: ' + $("<div/>").html(data[i]['author']).text() + '\\t' +
|
|
218
|
-
data[i]['line_no'] + ': ' +
|
|
219
|
-
$("<div/>").html(data[i]['contents'].replace(/\\s{2,}/g, " ")).text() + '\\n\\n';
|
|
220
|
-
|
|
221
211
|
var author_and_email_arr = data[i]['author'].split(" ");
|
|
222
212
|
var email = author_and_email_arr[author_and_email_arr.length - 1];
|
|
223
213
|
var email_user_arr = email.split("@");
|
|
@@ -225,13 +215,13 @@ module PWN
|
|
|
225
215
|
|
|
226
216
|
var uri = '#uri';
|
|
227
217
|
|
|
228
|
-
|
|
229
|
-
|
|
230
|
-
|
|
231
|
-
|
|
232
|
-
|
|
218
|
+
var canned_email_results = 'Timestamp: ' + row.timestamp + '\\n' +
|
|
219
|
+
'Source Code File Impacted: ' + $("<div/>").html(filename_link).text() + '\\n\\n' +
|
|
220
|
+
'Source Code in Question:\\n\\n' +
|
|
221
|
+
data[i]['line_no'] + ': ' +
|
|
222
|
+
$("<div/>").html(data[i]['contents'].replace(/\\s{2,}/g, " ")).text() + '\\n\\n';
|
|
233
223
|
|
|
234
|
-
|
|
224
|
+
var canned_email = email.replace("<", "").replace(">", "") + '?subject=Potential%20Bug%20within%20Source%20File:%20'+ encodeURIComponent(row.filename) +'&body=Greetings,%0A%0AThe%20following%20information%20likely%20represents%20a%20bug%20discovered%20through%20automated%20security%20testing%20initiatives:%0A%0A' + encodeURIComponent(canned_email_results) + 'Is%20this%20something%20that%20can%20be%20addressed%20immediately%20or%20would%20filing%20a%20bug%20be%20more%20appropriate?%20%20Please%20let%20us%20know%20at%20your%20earliest%20convenience%20to%20ensure%20we%20can%20meet%20security%20expectations%20for%20this%20release.%20%20Thanks%20and%20have%20a%20great%20day!';
|
|
235
225
|
|
|
236
226
|
domain = line_entry_uri.replace('http://','').replace('https://','').split(/[/?#]/)[0];
|
|
237
227
|
if (domain.includes('stash') || domain.includes('bitbucket') || domain.includes('gerrit')) {
|
|
@@ -243,7 +233,7 @@ module PWN
|
|
|
243
233
|
|
|
244
234
|
pwn_rows = pwn_rows.concat('<tr class="' + tr_class + '"><td style="width:90px" align="left"><a href="' + htmlEntityEncode(to_line_number) + '" target="_blank">' + htmlEntityEncode(data[i]['line_no']) + '</a>: </td><td style="width:300px" align="left">' + htmlEntityEncode(data[i]['contents']) + '</td><td style="width:200px" align="right"><a href="mailto:' + canned_email + '">' + htmlEntityEncode(data[i]['author']) + '</a></td></tr>');
|
|
245
235
|
}
|
|
246
|
-
pwn_rows = pwn_rows.concat('</tbody></table
|
|
236
|
+
pwn_rows = pwn_rows.concat('</tbody></table>');
|
|
247
237
|
return pwn_rows;
|
|
248
238
|
}
|
|
249
239
|
},
|
|
@@ -255,7 +245,14 @@ module PWN
|
|
|
255
245
|
"data": "test_case_filter",
|
|
256
246
|
"render": $.fn.dataTable.render.text()
|
|
257
247
|
}
|
|
258
|
-
]
|
|
248
|
+
],
|
|
249
|
+
"initComplete": function(settings, json) {
|
|
250
|
+
$('#report_name').text(json.report_name);
|
|
251
|
+
}
|
|
252
|
+
});
|
|
253
|
+
|
|
254
|
+
$('#pwn_scan_git_source_results tbody').on('click', '.multi_line_select tr', function () {
|
|
255
|
+
$(this).toggleClass('highlighted');
|
|
259
256
|
});
|
|
260
257
|
|
|
261
258
|
// Custom advanced search handling
|
|
@@ -318,19 +315,72 @@ module PWN
|
|
|
318
315
|
column.visible( ! column.visible() );
|
|
319
316
|
});
|
|
320
317
|
|
|
321
|
-
// TODO: Open bug for highlighted rows ;)
|
|
322
318
|
$('#button').click( function () {
|
|
323
|
-
alert($('
|
|
319
|
+
alert($('.multi_line_select tr.highlighted').length +' row(s) highlighted');
|
|
324
320
|
});
|
|
325
|
-
});
|
|
326
321
|
|
|
327
|
-
|
|
328
|
-
|
|
329
|
-
|
|
330
|
-
|
|
331
|
-
|
|
322
|
+
$('#export_selected').click( function () {
|
|
323
|
+
if ($('.multi_line_select tr.highlighted').length === 0) {
|
|
324
|
+
alert('No rows selected');
|
|
325
|
+
return;
|
|
326
|
+
}
|
|
332
327
|
|
|
333
|
-
|
|
328
|
+
$.getJSON(table.ajax.url(), function(original_json) {
|
|
329
|
+
var selected_results = {};
|
|
330
|
+
|
|
331
|
+
$('.multi_line_select tr.highlighted').each(function() {
|
|
332
|
+
var inner_tr = $(this);
|
|
333
|
+
var main_tr = inner_tr.closest('td').parent();
|
|
334
|
+
var row = table.row(main_tr);
|
|
335
|
+
var row_index = row.index();
|
|
336
|
+
var line_index = inner_tr.index();
|
|
337
|
+
|
|
338
|
+
if (selected_results[row_index] === undefined) {
|
|
339
|
+
selected_results[row_index] = {
|
|
340
|
+
row: row,
|
|
341
|
+
lines: []
|
|
342
|
+
};
|
|
343
|
+
}
|
|
344
|
+
|
|
345
|
+
selected_results[row_index].lines.push(line_index);
|
|
346
|
+
});
|
|
347
|
+
|
|
348
|
+
var new_data = [];
|
|
349
|
+
|
|
350
|
+
Object.keys(selected_results).forEach(function(ri) {
|
|
351
|
+
var sel = selected_results[ri];
|
|
352
|
+
var orig_row_data = sel.row.data();
|
|
353
|
+
var new_row_data = JSON.parse(JSON.stringify(orig_row_data));
|
|
354
|
+
|
|
355
|
+
sel.lines.sort((a, b) => a - b);
|
|
356
|
+
new_row_data.line_no_and_contents = sel.lines.map(function(li) {
|
|
357
|
+
return orig_row_data.line_no_and_contents[li];
|
|
358
|
+
});
|
|
359
|
+
|
|
360
|
+
new_row_data.raw_content = new_row_data.line_no_and_contents.map(l => l.contents).join('\\n');
|
|
361
|
+
|
|
362
|
+
new_data.push(new_row_data);
|
|
363
|
+
});
|
|
364
|
+
|
|
365
|
+
original_json.data = new_data;
|
|
366
|
+
|
|
367
|
+
if (original_json.report_name) {
|
|
368
|
+
original_json.report_name += '_selected';
|
|
369
|
+
}
|
|
370
|
+
|
|
371
|
+
var json_str = JSON.stringify(original_json, null, 2);
|
|
372
|
+
var blob = new Blob([json_str], { type: 'application/json' });
|
|
373
|
+
var url = URL.createObjectURL(blob);
|
|
374
|
+
var a = document.createElement('a');
|
|
375
|
+
a.href = url;
|
|
376
|
+
a.download = (original_json.report_name || 'selected') + '.json';
|
|
377
|
+
document.body.appendChild(a);
|
|
378
|
+
a.click();
|
|
379
|
+
document.body.removeChild(a);
|
|
380
|
+
URL.revokeObjectURL(url);
|
|
381
|
+
});
|
|
382
|
+
});
|
|
383
|
+
});
|
|
334
384
|
</script>
|
|
335
385
|
</body>
|
|
336
386
|
</html>
|
|
@@ -71,8 +71,8 @@ module PWN
|
|
|
71
71
|
word-wrap: break-word !important;
|
|
72
72
|
}
|
|
73
73
|
|
|
74
|
-
.highlighted {
|
|
75
|
-
background-color: #
|
|
74
|
+
tr.highlighted td {
|
|
75
|
+
background-color: #FFF396 !important;
|
|
76
76
|
}
|
|
77
77
|
</style>
|
|
78
78
|
|
|
@@ -92,7 +92,11 @@ module PWN
|
|
|
92
92
|
</h1><br /><br />
|
|
93
93
|
<h2 id="report_name"></h2><br />
|
|
94
94
|
|
|
95
|
-
<div
|
|
95
|
+
<div>
|
|
96
|
+
<!--<button type="button" id="button">Rows Selected</button>-->
|
|
97
|
+
<button type="button" id="export_selected">Export Selected to JSON</button>
|
|
98
|
+
</div><br />
|
|
99
|
+
|
|
96
100
|
<div>
|
|
97
101
|
<b>Toggle Column(s):</b>
|
|
98
102
|
<a class="toggle-vis" data-column="1" href="#">Request Time</a> |
|
|
@@ -127,6 +131,16 @@ module PWN
|
|
|
127
131
|
<th>HTTP Response Body (300 bytes)</th>
|
|
128
132
|
</tr>
|
|
129
133
|
</thead>
|
|
134
|
+
<col width="30px" />
|
|
135
|
+
<col width="60px" />
|
|
136
|
+
<col width="60px" />
|
|
137
|
+
<col width="30px" />
|
|
138
|
+
<col width="90px" />
|
|
139
|
+
<col width="30px" />
|
|
140
|
+
<col width="30px" />
|
|
141
|
+
<col width="30px" />
|
|
142
|
+
<col width="300px" />
|
|
143
|
+
<col width="300px" />
|
|
130
144
|
<!-- DataTables <tbody> -->
|
|
131
145
|
</table>
|
|
132
146
|
</div>
|
|
@@ -153,17 +167,6 @@ module PWN
|
|
|
153
167
|
$('html,body').animate({scrollTop: targetOffset}, 500);
|
|
154
168
|
oldStart = oSettings._iDisplayStart;
|
|
155
169
|
}
|
|
156
|
-
// Select individual lines in a row
|
|
157
|
-
$('#multi_line_select tbody').on('click', 'tr', function () {
|
|
158
|
-
$(this).toggleClass('highlighted');
|
|
159
|
-
if ($('#multi_line_select tr.highlighted').length > 0) {
|
|
160
|
-
$('#multi_line_select tr td button').attr('disabled', 'disabled');
|
|
161
|
-
// Remove multi-line bug button
|
|
162
|
-
} else {
|
|
163
|
-
$('#multi_line_select tr td button').removeAttr('disabled');
|
|
164
|
-
// Add multi-line bug button
|
|
165
|
-
}
|
|
166
|
-
});
|
|
167
170
|
},
|
|
168
171
|
"ajax": "#{report_name}.json",
|
|
169
172
|
//"deferRender": true,
|
|
@@ -272,19 +275,72 @@ module PWN
|
|
|
272
275
|
column.visible( ! column.visible() );
|
|
273
276
|
});
|
|
274
277
|
|
|
275
|
-
// TODO: Open bug for highlighted rows ;)
|
|
276
278
|
$('#button').click( function () {
|
|
277
|
-
alert($('
|
|
279
|
+
alert($('.multi_line_select tr.highlighted').length +' row(s) highlighted');
|
|
278
280
|
});
|
|
279
|
-
});
|
|
280
281
|
|
|
281
|
-
|
|
282
|
-
|
|
283
|
-
|
|
284
|
-
|
|
285
|
-
|
|
282
|
+
$('#export_selected').click( function () {
|
|
283
|
+
if ($('.multi_line_select tr.highlighted').length === 0) {
|
|
284
|
+
alert('No rows selected');
|
|
285
|
+
return;
|
|
286
|
+
}
|
|
286
287
|
|
|
287
|
-
|
|
288
|
+
$.getJSON(table.ajax.url(), function(original_json) {
|
|
289
|
+
var selected_results = {};
|
|
290
|
+
|
|
291
|
+
$('.multi_line_select tr.highlighted').each(function() {
|
|
292
|
+
var inner_tr = $(this);
|
|
293
|
+
var main_tr = inner_tr.closest('td').parent();
|
|
294
|
+
var row = table.row(main_tr);
|
|
295
|
+
var row_index = row.index();
|
|
296
|
+
var line_index = inner_tr.index();
|
|
297
|
+
|
|
298
|
+
if (selected_results[row_index] === undefined) {
|
|
299
|
+
selected_results[row_index] = {
|
|
300
|
+
row: row,
|
|
301
|
+
lines: []
|
|
302
|
+
};
|
|
303
|
+
}
|
|
304
|
+
|
|
305
|
+
selected_results[row_index].lines.push(line_index);
|
|
306
|
+
});
|
|
307
|
+
|
|
308
|
+
var new_data = [];
|
|
309
|
+
|
|
310
|
+
Object.keys(selected_results).forEach(function(ri) {
|
|
311
|
+
var sel = selected_results[ri];
|
|
312
|
+
var orig_row_data = sel.row.data();
|
|
313
|
+
var new_row_data = JSON.parse(JSON.stringify(orig_row_data));
|
|
314
|
+
|
|
315
|
+
sel.lines.sort((a, b) => a - b);
|
|
316
|
+
new_row_data.line_no_and_contents = sel.lines.map(function(li) {
|
|
317
|
+
return orig_row_data.line_no_and_contents[li];
|
|
318
|
+
});
|
|
319
|
+
|
|
320
|
+
new_row_data.raw_content = new_row_data.line_no_and_contents.map(l => l.contents).join('\\n');
|
|
321
|
+
|
|
322
|
+
new_data.push(new_row_data);
|
|
323
|
+
});
|
|
324
|
+
|
|
325
|
+
original_json.data = new_data;
|
|
326
|
+
|
|
327
|
+
if (original_json.report_name) {
|
|
328
|
+
original_json.report_name += '_selected';
|
|
329
|
+
}
|
|
330
|
+
|
|
331
|
+
var json_str = JSON.stringify(original_json, null, 2);
|
|
332
|
+
var blob = new Blob([json_str], { type: 'application/json' });
|
|
333
|
+
var url = URL.createObjectURL(blob);
|
|
334
|
+
var a = document.createElement('a');
|
|
335
|
+
a.href = url;
|
|
336
|
+
a.download = (original_json.report_name || 'selected') + '.json';
|
|
337
|
+
document.body.appendChild(a);
|
|
338
|
+
a.click();
|
|
339
|
+
document.body.removeChild(a);
|
|
340
|
+
URL.revokeObjectURL(url);
|
|
341
|
+
});
|
|
342
|
+
});
|
|
343
|
+
});
|
|
288
344
|
</script>
|
|
289
345
|
</body>
|
|
290
346
|
</html>
|
|
@@ -28,7 +28,7 @@ module PWN
|
|
|
28
28
|
entry_beautified = false
|
|
29
29
|
|
|
30
30
|
if File.extname(entry) == '.js' && (`wc -l #{entry}`.split.first.to_i < 20 || entry.include?('.min.js') || entry.include?('-all.js'))
|
|
31
|
-
js_beautify = `js-beautify #{entry} > #{entry}.JS-BEAUTIFIED`.to_s.scrub
|
|
31
|
+
js_beautify = `js-beautify #{entry} > #{entry}.JS-BEAUTIFIED 2> /dev/null`.to_s.scrub
|
|
32
32
|
entry = "#{entry}.JS-BEAUTIFIED"
|
|
33
33
|
entry_beautified = true
|
|
34
34
|
end
|
|
@@ -36,7 +36,7 @@ module PWN
|
|
|
36
36
|
test_case_filter = "
|
|
37
37
|
grep -in \
|
|
38
38
|
-e amqp \
|
|
39
|
-
-e rabbit #{entry} | \
|
|
39
|
+
-e rabbit #{entry} 2> /dev/null | \
|
|
40
40
|
grep guest
|
|
41
41
|
"
|
|
42
42
|
|
|
@@ -27,7 +27,7 @@ module PWN
|
|
|
27
27
|
entry_beautified = false
|
|
28
28
|
|
|
29
29
|
if File.extname(entry) == '.js' && (`wc -l #{entry}`.split.first.to_i < 20 || entry.include?('.min.js') || entry.include?('-all.js'))
|
|
30
|
-
js_beautify = `js-beautify #{entry} > #{entry}.JS-BEAUTIFIED`.to_s.scrub
|
|
30
|
+
js_beautify = `js-beautify #{entry} > #{entry}.JS-BEAUTIFIED 2> /dev/null`.to_s.scrub
|
|
31
31
|
entry = "#{entry}.JS-BEAUTIFIED"
|
|
32
32
|
entry_beautified = true
|
|
33
33
|
end
|
|
@@ -35,7 +35,7 @@ module PWN
|
|
|
35
35
|
test_case_filter = "
|
|
36
36
|
grep -n \
|
|
37
37
|
-e 'import org.apache.commons.io.FileSystemUtils' \
|
|
38
|
-
-e 'freeSpaceKb' #{entry}
|
|
38
|
+
-e 'freeSpaceKb' #{entry} 2> /dev/null
|
|
39
39
|
"
|
|
40
40
|
|
|
41
41
|
str = `#{test_case_filter}`.to_s.scrub
|
data/lib/pwn/sast/aws.rb
CHANGED
|
@@ -26,7 +26,7 @@ module PWN
|
|
|
26
26
|
entry_beautified = false
|
|
27
27
|
|
|
28
28
|
if File.extname(entry) == '.js' && (`wc -l #{entry}`.split.first.to_i < 20 || entry.include?('.min.js') || entry.include?('-all.js'))
|
|
29
|
-
js_beautify = `js-beautify #{entry} > #{entry}.JS-BEAUTIFIED`.to_s.scrub
|
|
29
|
+
js_beautify = `js-beautify #{entry} > #{entry}.JS-BEAUTIFIED 2> /dev/null`.to_s.scrub
|
|
30
30
|
entry = "#{entry}.JS-BEAUTIFIED"
|
|
31
31
|
entry_beautified = true
|
|
32
32
|
end
|
|
@@ -36,7 +36,7 @@ module PWN
|
|
|
36
36
|
-e 'ec2-' \
|
|
37
37
|
-e 'access.key' \
|
|
38
38
|
-e 'secret.access' \
|
|
39
|
-
-e 'secret.key' #{entry}
|
|
39
|
+
-e 'secret.key' #{entry} 2> /dev/null
|
|
40
40
|
"
|
|
41
41
|
|
|
42
42
|
str = `#{test_case_filter}`.to_s.scrub
|
|
@@ -28,7 +28,7 @@ module PWN
|
|
|
28
28
|
entry_beautified = false
|
|
29
29
|
|
|
30
30
|
if File.extname(entry) == '.js' && (`wc -l #{entry}`.split.first.to_i < 20 || entry.include?('.min.js') || entry.include?('-all.js'))
|
|
31
|
-
js_beautify = `js-beautify #{entry} > #{entry}.JS-BEAUTIFIED`.to_s.scrub
|
|
31
|
+
js_beautify = `js-beautify #{entry} > #{entry}.JS-BEAUTIFIED 2> /dev/null`.to_s.scrub
|
|
32
32
|
entry = "#{entry}.JS-BEAUTIFIED"
|
|
33
33
|
entry_beautified = true
|
|
34
34
|
end
|
|
@@ -163,7 +163,7 @@ module PWN
|
|
|
163
163
|
-e 'memcpy' \
|
|
164
164
|
-e 'RtlCopyMemory' \
|
|
165
165
|
-e 'CopyMemory' \
|
|
166
|
-
-e 'wmemcpy' #{entry}
|
|
166
|
+
-e 'wmemcpy' #{entry} 2> /dev/null
|
|
167
167
|
"
|
|
168
168
|
|
|
169
169
|
str = `#{test_case_filter}`.to_s.scrub
|
data/lib/pwn/sast/base64.rb
CHANGED
|
@@ -27,7 +27,7 @@ module PWN
|
|
|
27
27
|
entry_beautified = false
|
|
28
28
|
|
|
29
29
|
if File.extname(entry) == '.js' && (`wc -l #{entry}`.split.first.to_i < 20 || entry.include?('.min.js') || entry.include?('-all.js'))
|
|
30
|
-
js_beautify = `js-beautify #{entry} > #{entry}.JS-BEAUTIFIED`.to_s.scrub
|
|
30
|
+
js_beautify = `js-beautify #{entry} > #{entry}.JS-BEAUTIFIED 2> /dev/null`.to_s.scrub
|
|
31
31
|
entry = "#{entry}.JS-BEAUTIFIED"
|
|
32
32
|
entry_beautified = true
|
|
33
33
|
end
|
|
@@ -35,7 +35,7 @@ module PWN
|
|
|
35
35
|
# TODO: Include regex to search for Base64 strings
|
|
36
36
|
test_case_filter = "
|
|
37
37
|
grep -Ein \
|
|
38
|
-
-e 'BASE64' #{entry}
|
|
38
|
+
-e 'BASE64' #{entry} 2> /dev/null
|
|
39
39
|
"
|
|
40
40
|
|
|
41
41
|
str = `#{test_case_filter}`.to_s.scrub
|
data/lib/pwn/sast/beef_hook.rb
CHANGED
|
@@ -27,14 +27,14 @@ module PWN
|
|
|
27
27
|
entry_beautified = false
|
|
28
28
|
|
|
29
29
|
if File.extname(entry) == '.js' && (`wc -l #{entry}`.split.first.to_i < 20 || entry.include?('.min.js') || entry.include?('-all.js'))
|
|
30
|
-
js_beautify = `js-beautify #{entry} > #{entry}.JS-BEAUTIFIED`.to_s.scrub
|
|
30
|
+
js_beautify = `js-beautify #{entry} > #{entry}.JS-BEAUTIFIED 2> /dev/null`.to_s.scrub
|
|
31
31
|
entry = "#{entry}.JS-BEAUTIFIED"
|
|
32
32
|
entry_beautified = true
|
|
33
33
|
end
|
|
34
34
|
|
|
35
35
|
test_case_filter = "
|
|
36
36
|
grep -Fin \
|
|
37
|
-
-e 'hook.js' #{entry}
|
|
37
|
+
-e 'hook.js' #{entry} 2> /dev/null
|
|
38
38
|
"
|
|
39
39
|
|
|
40
40
|
str = `#{test_case_filter}`.to_s.scrub
|
|
@@ -27,7 +27,7 @@ module PWN
|
|
|
27
27
|
entry_beautified = false
|
|
28
28
|
|
|
29
29
|
if File.extname(entry) == '.js' && (`wc -l #{entry}`.split.first.to_i < 20 || entry.include?('.min.js') || entry.include?('-all.js'))
|
|
30
|
-
js_beautify = `js-beautify #{entry} > #{entry}.JS-BEAUTIFIED`.to_s.scrub
|
|
30
|
+
js_beautify = `js-beautify #{entry} > #{entry}.JS-BEAUTIFIED 2> /dev/null`.to_s.scrub
|
|
31
31
|
entry = "#{entry}.JS-BEAUTIFIED"
|
|
32
32
|
entry_beautified = true
|
|
33
33
|
end
|
|
@@ -36,7 +36,7 @@ module PWN
|
|
|
36
36
|
grep -Fn \
|
|
37
37
|
-e 'getEngineByName(' \
|
|
38
38
|
-e 'ProcessBuilder(' \
|
|
39
|
-
-e '.exec(' #{entry}
|
|
39
|
+
-e '.exec(' #{entry} 2> /dev/null
|
|
40
40
|
"
|
|
41
41
|
|
|
42
42
|
str = `#{test_case_filter}`.to_s.scrub
|
|
@@ -27,7 +27,7 @@ module PWN
|
|
|
27
27
|
entry_beautified = false
|
|
28
28
|
|
|
29
29
|
if File.extname(entry) == '.js' && (`wc -l #{entry}`.split.first.to_i < 20 || entry.include?('.min.js') || entry.include?('-all.js'))
|
|
30
|
-
js_beautify = `js-beautify #{entry} > #{entry}.JS-BEAUTIFIED`.to_s.scrub
|
|
30
|
+
js_beautify = `js-beautify #{entry} > #{entry}.JS-BEAUTIFIED 2> /dev/null`.to_s.scrub
|
|
31
31
|
entry = "#{entry}.JS-BEAUTIFIED"
|
|
32
32
|
entry_beautified = true
|
|
33
33
|
end
|
|
@@ -38,7 +38,7 @@ module PWN
|
|
|
38
38
|
-e 'os.popen' \
|
|
39
39
|
-e 'os.system' \
|
|
40
40
|
-e 'subprocess.call' \
|
|
41
|
-
-e 'subprocess.Popen' #{entry}
|
|
41
|
+
-e 'subprocess.Popen' #{entry} 2> /dev/null
|
|
42
42
|
"
|
|
43
43
|
|
|
44
44
|
str = `#{test_case_filter}`.to_s.scrub
|
|
@@ -27,7 +27,7 @@ module PWN
|
|
|
27
27
|
entry_beautified = false
|
|
28
28
|
|
|
29
29
|
if File.extname(entry) == '.js' && (`wc -l #{entry}`.split.first.to_i < 20 || entry.include?('.min.js') || entry.include?('-all.js'))
|
|
30
|
-
js_beautify = `js-beautify #{entry} > #{entry}.JS-BEAUTIFIED`.to_s.scrub
|
|
30
|
+
js_beautify = `js-beautify #{entry} > #{entry}.JS-BEAUTIFIED 2> /dev/null`.to_s.scrub
|
|
31
31
|
entry = "#{entry}.JS-BEAUTIFIED"
|
|
32
32
|
entry_beautified = true
|
|
33
33
|
end
|
|
@@ -46,7 +46,7 @@ module PWN
|
|
|
46
46
|
-e 'Facter::Util::Resolution::exec' \
|
|
47
47
|
-e 'PTY.spawn' \
|
|
48
48
|
-e 'Process.fork' \
|
|
49
|
-
-e '%x' #{entry}
|
|
49
|
+
-e '%x' #{entry} 2> /dev/null
|
|
50
50
|
"
|
|
51
51
|
|
|
52
52
|
str = `#{test_case_filter}`.to_s.scrub
|
|
@@ -27,7 +27,7 @@ module PWN
|
|
|
27
27
|
entry_beautified = false
|
|
28
28
|
|
|
29
29
|
if File.extname(entry) == '.js' && (`wc -l #{entry}`.split.first.to_i < 20 || entry.include?('.min.js') || entry.include?('-all.js'))
|
|
30
|
-
js_beautify = `js-beautify #{entry} > #{entry}.JS-BEAUTIFIED`.to_s.scrub
|
|
30
|
+
js_beautify = `js-beautify #{entry} > #{entry}.JS-BEAUTIFIED 2> /dev/null`.to_s.scrub
|
|
31
31
|
entry = "#{entry}.JS-BEAUTIFIED"
|
|
32
32
|
entry_beautified = true
|
|
33
33
|
end
|
|
@@ -36,7 +36,7 @@ module PWN
|
|
|
36
36
|
grep -Fn \
|
|
37
37
|
-e 'Process(' \
|
|
38
38
|
-e '.!' \
|
|
39
|
-
-e '.!!' #{entry}
|
|
39
|
+
-e '.!!' #{entry} 2> /dev/null
|
|
40
40
|
"
|
|
41
41
|
|
|
42
42
|
str = `#{test_case_filter}`.to_s.scrub
|
data/lib/pwn/sast/csrf.rb
CHANGED
|
@@ -28,14 +28,14 @@ module PWN
|
|
|
28
28
|
entry_beautified = false
|
|
29
29
|
|
|
30
30
|
if File.extname(entry) == '.js' && (`wc -l #{entry}`.split.first.to_i < 20 || entry.include?('.min.js') || entry.include?('-all.js'))
|
|
31
|
-
js_beautify = `js-beautify #{entry} > #{entry}.JS-BEAUTIFIED`.to_s.scrub
|
|
31
|
+
js_beautify = `js-beautify #{entry} > #{entry}.JS-BEAUTIFIED 2> /dev/null`.to_s.scrub
|
|
32
32
|
entry = "#{entry}.JS-BEAUTIFIED"
|
|
33
33
|
entry_beautified = true
|
|
34
34
|
end
|
|
35
35
|
|
|
36
36
|
test_case_filter = "
|
|
37
37
|
grep -ni \
|
|
38
|
-
-e 'csrf' #{entry}
|
|
38
|
+
-e 'csrf' #{entry} 2> /dev/null
|
|
39
39
|
"
|
|
40
40
|
|
|
41
41
|
str = `#{test_case_filter}`.to_s.scrub
|
|
@@ -29,7 +29,7 @@ module PWN
|
|
|
29
29
|
entry_beautified = false
|
|
30
30
|
|
|
31
31
|
if File.extname(entry) == '.js' && (`wc -l #{entry}`.split.first.to_i < 20 || entry.include?('.min.js') || entry.include?('-all.js'))
|
|
32
|
-
js_beautify = `js-beautify #{entry} > #{entry}.JS-BEAUTIFIED`.to_s.scrub
|
|
32
|
+
js_beautify = `js-beautify #{entry} > #{entry}.JS-BEAUTIFIED 2> /dev/null`.to_s.scrub
|
|
33
33
|
entry = "#{entry}.JS-BEAUTIFIED"
|
|
34
34
|
entry_beautified = true
|
|
35
35
|
end
|
|
@@ -43,7 +43,7 @@ module PWN
|
|
|
43
43
|
-e readResolve \
|
|
44
44
|
-e readExternal \
|
|
45
45
|
-e readUnshared \
|
|
46
|
-
-e Serializable #{entry}
|
|
46
|
+
-e Serializable #{entry} 2> /dev/null
|
|
47
47
|
"
|
|
48
48
|
|
|
49
49
|
str = `#{test_case_filter}`.to_s.scrub
|
data/lib/pwn/sast/emoticon.rb
CHANGED
|
@@ -27,7 +27,7 @@ module PWN
|
|
|
27
27
|
entry_beautified = false
|
|
28
28
|
|
|
29
29
|
if File.extname(entry) == '.js' && (`wc -l #{entry}`.split.first.to_i < 20 || entry.include?('.min.js') || entry.include?('-all.js'))
|
|
30
|
-
js_beautify = `js-beautify #{entry} > #{entry}.JS-BEAUTIFIED`.to_s.scrub
|
|
30
|
+
js_beautify = `js-beautify #{entry} > #{entry}.JS-BEAUTIFIED 2> /dev/null`.to_s.scrub
|
|
31
31
|
entry = "#{entry}.JS-BEAUTIFIED"
|
|
32
32
|
entry_beautified = true
|
|
33
33
|
end
|
|
@@ -41,7 +41,7 @@ module PWN
|
|
|
41
41
|
-e '\_o_/' \
|
|
42
42
|
-e '\_O_/' \
|
|
43
43
|
-e '\_0_/' \
|
|
44
|
-
-e ':-O' #{entry}
|
|
44
|
+
-e ':-O' #{entry} 2> /dev/null
|
|
45
45
|
"
|
|
46
46
|
|
|
47
47
|
str = `#{test_case_filter}`.to_s.scrub
|
data/lib/pwn/sast/eval.rb
CHANGED
|
@@ -28,14 +28,14 @@ module PWN
|
|
|
28
28
|
entry_beautified = false
|
|
29
29
|
|
|
30
30
|
if File.extname(entry) == '.js' && (`wc -l #{entry}`.split.first.to_i < 20 || entry.include?('.min.js') || entry.include?('-all.js'))
|
|
31
|
-
js_beautify = `js-beautify #{entry} > #{entry}.JS-BEAUTIFIED`.to_s.scrub
|
|
31
|
+
js_beautify = `js-beautify #{entry} > #{entry}.JS-BEAUTIFIED 2> /dev/null`.to_s.scrub
|
|
32
32
|
entry = "#{entry}.JS-BEAUTIFIED"
|
|
33
33
|
entry_beautified = true
|
|
34
34
|
end
|
|
35
35
|
|
|
36
36
|
test_case_filter = "
|
|
37
37
|
grep -n \
|
|
38
|
-
-e 'eval(' #{entry}
|
|
38
|
+
-e 'eval(' #{entry} 2> /dev/null
|
|
39
39
|
"
|
|
40
40
|
|
|
41
41
|
str = `#{test_case_filter}`.to_s.scrub
|