pwn 0.5.402 → 0.5.403
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +3 -3
- data/bin/pwn_zaproxy_active_rest_api_scan +9 -5
- data/lib/pwn/plugins/zaproxy.rb +58 -0
- data/lib/pwn/version.rb +1 -1
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 3e5390f3bf6209a6f425edc5c920dbd6869add40979a7f25e8962356d5c9a6bd
|
|
4
|
+
data.tar.gz: 5cf631f4bc2838ed8f016bc0da2d34c4543b4610300783ce39ace423d501be57
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 36181bae24a6d150c6badf0f42a5c1e7a76fc0f385ffe775eaf0b1d2403fbbcb577aaf5dd746b0f5f6cacbcd34fdd3b40be5bf31006f1a701499906236f38b21
|
|
7
|
+
data.tar.gz: cabc729dc772df80d270bc43192db6127cf1f6c418f580031d909a1c66488d8e75c24212e137758b01fe94eb45ae955fdee2d803a1ca6da553c38a3966e7ed27
|
data/README.md
CHANGED
|
@@ -37,7 +37,7 @@ $ cd /opt/pwn
|
|
|
37
37
|
$ ./install.sh
|
|
38
38
|
$ ./install.sh ruby-gem
|
|
39
39
|
$ pwn
|
|
40
|
-
pwn[v0.5.
|
|
40
|
+
pwn[v0.5.403]:001 >>> PWN.help
|
|
41
41
|
```
|
|
42
42
|
|
|
43
43
|
[](https://youtu.be/G7iLUY4FzsI)
|
|
@@ -52,7 +52,7 @@ $ rvm use ruby-3.4.4@pwn
|
|
|
52
52
|
$ gem uninstall --all --executables pwn
|
|
53
53
|
$ gem install --verbose pwn
|
|
54
54
|
$ pwn
|
|
55
|
-
pwn[v0.5.
|
|
55
|
+
pwn[v0.5.403]:001 >>> PWN.help
|
|
56
56
|
```
|
|
57
57
|
|
|
58
58
|
If you're using a multi-user install of RVM do:
|
|
@@ -62,7 +62,7 @@ $ rvm use ruby-3.4.4@pwn
|
|
|
62
62
|
$ rvmsudo gem uninstall --all --executables pwn
|
|
63
63
|
$ rvmsudo gem install --verbose pwn
|
|
64
64
|
$ pwn
|
|
65
|
-
pwn[v0.5.
|
|
65
|
+
pwn[v0.5.403]:001 >>> PWN.help
|
|
66
66
|
```
|
|
67
67
|
|
|
68
68
|
PWN periodically upgrades to the latest version of Ruby which is reflected in `/opt/pwn/.ruby-version`. The easiest way to upgrade to the latest version of Ruby from a previous PWN installation is to run the following script:
|
|
@@ -106,8 +106,6 @@ begin
|
|
|
106
106
|
)
|
|
107
107
|
|
|
108
108
|
additional_http_headers = opts[:additional_http_headers]
|
|
109
|
-
additional_http_headers = JSON.parse(additional_http_headers, symbolize_names: true) if additional_http_headers.is_a?(String)
|
|
110
|
-
|
|
111
109
|
exlude_paths = opts[:exclude_paths]
|
|
112
110
|
exlude_paths = exlude_paths.split(',').map(&:strip) if exlude_paths.is_a?(String)
|
|
113
111
|
|
|
@@ -133,11 +131,17 @@ begin
|
|
|
133
131
|
zap_obj: zap_obj,
|
|
134
132
|
openapi_spec: openapi_spec
|
|
135
133
|
)
|
|
136
|
-
|
|
137
|
-
# TODO: Initialize authorization header if required by API
|
|
138
|
-
|
|
139
134
|
raise "ERROR: Failed to import OpenAPI/Swagger spec #{openapi_spec} into ZAP's Sitemap." if json_sitemap.nil? || json_sitemap.empty?
|
|
140
135
|
|
|
136
|
+
if additional_http_headers.is_a?(String)
|
|
137
|
+
additional_http_headers = JSON.parse(additional_http_headers, symbolize_names: true)
|
|
138
|
+
PWN::Plugins::Zaproxy.inject_additional_http_headers(
|
|
139
|
+
zap_obj: zap_obj,
|
|
140
|
+
target_regex: in_scope,
|
|
141
|
+
additional_http_headers: additional_http_headers
|
|
142
|
+
)
|
|
143
|
+
end
|
|
144
|
+
|
|
141
145
|
PWN::Plugins::Zaproxy.add_to_scope(
|
|
142
146
|
zap_obj: zap_obj,
|
|
143
147
|
target_regex: in_scope
|
data/lib/pwn/plugins/zaproxy.rb
CHANGED
|
@@ -257,6 +257,52 @@ module PWN
|
|
|
257
257
|
raise e
|
|
258
258
|
end
|
|
259
259
|
|
|
260
|
+
# Supported Method Parameters::
|
|
261
|
+
# PWN::Plugins::Zaproxy.inject_additional_http_headers(
|
|
262
|
+
# zap_obj: 'required - zap_obj returned from #open method',
|
|
263
|
+
# target_regex: 'required - url regex to inject headers into (e.g. https://test.domain.local.*)',
|
|
264
|
+
# headers: 'required - hash of additional headers to inject into each request',
|
|
265
|
+
# )
|
|
266
|
+
|
|
267
|
+
public_class_method def self.inject_additional_http_headers(opts = {})
|
|
268
|
+
zap_obj = opts[:zap_obj]
|
|
269
|
+
api_key = zap_obj[:api_key].to_s.scrub
|
|
270
|
+
target_regex = opts[:target_regex]
|
|
271
|
+
raise 'ERROR: target_regex must be provided' if target_regex.nil?
|
|
272
|
+
|
|
273
|
+
headers = opts[:headers] ||= {}
|
|
274
|
+
raise 'ERROR: headers must be provided' if headers.empty? || !headers.is_a?(Hash)
|
|
275
|
+
|
|
276
|
+
replacer_resp_arr = []
|
|
277
|
+
headers.each_key do |header_key|
|
|
278
|
+
params = {
|
|
279
|
+
apikey: api_key,
|
|
280
|
+
description: header_key,
|
|
281
|
+
enabled: true,
|
|
282
|
+
matchType: 'REQ_HEADER',
|
|
283
|
+
matchRegex: false,
|
|
284
|
+
matchString: header_key,
|
|
285
|
+
replacement: "#{header_key}: #{headers[header_key]}",
|
|
286
|
+
initiators: '',
|
|
287
|
+
url: target_regex
|
|
288
|
+
}
|
|
289
|
+
|
|
290
|
+
response = zap_rest_call(
|
|
291
|
+
zap_obj: zap_obj,
|
|
292
|
+
rest_call: 'JSON/replacer/action/addRule/',
|
|
293
|
+
params: params
|
|
294
|
+
)
|
|
295
|
+
|
|
296
|
+
json_resp = JSON.parse(response.body, symbolize_names: true)
|
|
297
|
+
replacer_resp_arr.push(json_resp)
|
|
298
|
+
end
|
|
299
|
+
|
|
300
|
+
replacer_resp_arr
|
|
301
|
+
rescue StandardError, SystemExit, Interrupt => e
|
|
302
|
+
stop(zap_obj: zap_obj) unless zap_obj.nil?
|
|
303
|
+
raise e
|
|
304
|
+
end
|
|
305
|
+
|
|
260
306
|
# Supported Method Parameters::
|
|
261
307
|
# PWN::Plugins::Zaproxy.active_scan(
|
|
262
308
|
# zap_obj: 'required - zap_obj returned from #open method',
|
|
@@ -525,6 +571,18 @@ module PWN
|
|
|
525
571
|
openapi_spec: 'required - path to OpenAPI JSON or YAML spec file'
|
|
526
572
|
)
|
|
527
573
|
|
|
574
|
+
#{self}.add_to_scope(
|
|
575
|
+
zap_obj: 'required - zap_obj returned from #open method',
|
|
576
|
+
target_regex: 'required - url regex to add to scope (e.g. https://test.domain.local.*)',
|
|
577
|
+
context_name: 'optional - context name to add target_regex to (defaults to Default Context)'
|
|
578
|
+
)
|
|
579
|
+
|
|
580
|
+
#{self}.inject_additional_http_headers(
|
|
581
|
+
zap_obj: 'required - zap_obj returned from #open method',
|
|
582
|
+
target_regex: 'required - url regex to inject headers into (e.g. https://test.domain.local.*)',
|
|
583
|
+
headers: 'required - hash of additional headers to inject into each request'
|
|
584
|
+
)
|
|
585
|
+
|
|
528
586
|
#{self}.active_scan(
|
|
529
587
|
zap_obj: 'required - zap_obj returned from #open method'
|
|
530
588
|
target_url: 'required - url to scan',
|
data/lib/pwn/version.rb
CHANGED