watobo 0.9.21 → 0.9.23

data/plugins/sslchecker/gui/sslchecker.rb

@@ -1,14 +1,5 @@
-#.
-# sslchecker.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#path = File.expand_path(File.dirname(__FILE__))
 
-#path = File.expand_path(File.dirname(__FILE__))
-
-require_relative File.join( "..", "lib", "check")
-require_relative "cipher_table"
-require_relative "gui"
+require_relative File.join( "..", "lib", "check")
+require_relative "cipher_table"
+require_relative "gui"

data/plugins/sslchecker/lib/check.rb

@@ -1,68 +1,58 @@
-#.
-# check.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
 # @private 
-module Watobo#:nodoc: all
-  module Plugin
-    module Sslchecker
-      class Check < Watobo::ActiveCheck
-        attr :cipherlist
-        
-         @info.update(
-          :check_name => 'SSL-Checker',    # name of check which briefly describes functionality, will be used for tree and progress views
-          :description => "Test applikation for supportes SSL Ciphers.",   # description of checkfunction
-          :author => "Andreas Schmidt", # author of check
-          :version => "0.9"   # check version
-          )
-
-          @finding.update(
-          :threat => 'Attacks on weak encryption ciphers which may lead loss of privacy',        # thread of vulnerability, e.g. loss of information
-          :class => "SSL Ciphers",    # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
-          :type => FINDING_TYPE_VULN,         # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
-          :rating => VULN_RATING_LOW
-          )
-          
-          
-        def initialize(project)
-          super(project)
-
-          @result = Hash.new
-          @cipherlist = Array.new
-          
-          
-          OpenSSL::SSL::SSLContext::METHODS.each do |method|
-            next if method =~ /(client|server)/
-            next if method =~ /23/
-          #%w( TLSv1_server SSLv2_server SSLv3_server ).each do |method|
-            puts ">> #{method}"
-            begin
-          ctx = OpenSSL::SSL::SSLContext.new(method)
-          ctx.ciphers="ALL::COMPLEMENTOFALL::eNull"
-          ctx.ciphers.each do |c|
-            @cipherlist.push [ method, c[0]]
-          end
-          #ctx.ciphers="eNULL" # because ALL don't include Null-Ciphers!!!
-          #ctx.ciphers.each do |c|
-          #  @cipherlist.push [ method, c[0]]
-          #end
-
-          
-          rescue => bang
-            puts bang
-          end
-          
-          end
-         # puts @cipherlist.to_yaml
-        end
-
-        def reset()
-          @result.clear
+# Mozillas recommended ciphers (https://wiki.mozilla.org/Security/Server_Side_TLS):
+# ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+#
+#
+module Watobo#:nodoc: all
+  module Plugin
+    module Sslchecker
+      class Check < Watobo::ActiveCheck
+        attr :cipherlist
+        
+         @info.update(
+          :check_name => 'SSL-Checker',    # name of check which briefly describes functionality, will be used for tree and progress views
+          :description => "Test system for supported SSL Ciphers.",   # description of checkfunction
+          :author => "Andreas Schmidt", # author of check
+          :version => "0.9"   # check version
+          )
+
+          @finding.update(
+          :threat => 'Attacks on weak encryption ciphers which may lead loss of privacy',        # thread of vulnerability, e.g. loss of information
+          :class => "Bad SSL Ciphers",    # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
+          :type => FINDING_TYPE_VULN,         # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
+          :rating => VULN_RATING_LOW
+          )
+          
+          
+        def initialize(project)
+          super(project)
+
+          @result = Hash.new
+          @cipherlist = Array.new
+          
+          
+          OpenSSL::SSL::SSLContext::METHODS.each do |method|
+            next if method =~ /(client|server)/
+            next if method =~ /23/
+          #%w( TLSv1_server SSLv2_server SSLv3_server ).each do |method|
+            puts ">> #{method}"
+            begin
+          ctx = OpenSSL::SSL::SSLContext.new(method)
+          ctx.ciphers="ALL::COMPLEMENTOFALL::eNull"
+          ctx.ciphers.each do |c|
+            @cipherlist.push [ method, c[0]]
+          end
+          
+          rescue => bang
+            puts bang
+          end
+          
+          end
+         # puts @cipherlist.to_yaml
+        end
+
+        def reset()
+          @result.clear
         end
         
         def check_cipher(request, method, cipher)
@@ -88,7 +78,7 @@ module Watobo#:nodoc: all
           puts request.first
           return false, "WATOBO: Could not resolve hostname #{host}", nil
         rescue => bang
-          #puts bang
+          puts bang
           puts bang.backtrace if $DEBUG
         end
         
@@ -118,6 +108,66 @@ module Watobo#:nodoc: all
             @cipherlist.each do |method, c|
             checker = proc {
 
+#              test_request = nil
+#              test_response = nil
+
+              # MAKE COPY BEFORE MODIFIYING REQUEST
+              request = chat.copyRequest
+
+              
+                ctx = OpenSSL::SSL::SSLContext.new(method)
+                ctx.ciphers = c
+                cypher = ctx.ciphers.first
+                bits = cypher[2].to_i
+                algo = cypher[0]
+                
+                result = {
+                    :method => method, 
+                    :algo => algo, 
+                    :bits => bits, 
+                    :support => true
+                  }
+              
+                if check_cipher(request, method, c) == true 
+              
+                  notify( :cipher_checked, result)
+                  if bits < 128
+              fake_headers = ["200 SSL-Handshake OK\r\n", "SSL-Method: #{method}\r\n" ]
+              fake_headers << "SSL-Algorithm: #{algo}\r\n"
+              fake_headers << "SSL-Bits: #{bits}\r\n"
+              fake_response = Watobo::Response.new(fake_headers)
+
+                  addFinding(  request, fake_response,
+                  :test_item => "#{algo}#{bits}",
+                  #:proof_pattern => "#{match}",
+                  :chat => chat,
+                  :title => "[#{method}/#{algo}] - #{bits} Bit"
+                  )
+                  end
+                else
+                  result[:support] = false
+                notify(:cipher_checked, result)
+                #              puts "!!! ERROR: #{c}"
+                end
+              
+              [ request, fake_response ]
+
+            }
+            yield checker
+            end
+          rescue => bang
+          puts "!error in module #{Module.nesting[0].name}"
+          puts bang
+          end
+        end
+  
+
+
+        def generateChecks_UNUSED(chat)
+          begin
+            @cipherlist.each do |method, c|
+            checker = proc {
+
               test_request = nil
               test_response = nil
               # !!! ATTENTION !!!
@@ -130,7 +180,8 @@ module Watobo#:nodoc: all
                 cypher = ctx.ciphers.first
                 bits = cypher[2].to_i
                 algo = cypher[0]
-                
+              
+                test_request, test_response = doRequest( request, :ssl_cipher => c )
                 result = {
                     :method => method, 
                     :algo => algo, 
@@ -138,7 +189,8 @@ module Watobo#:nodoc: all
                     :support => true
                   }
               
-                if check_cipher(request, method, c) == true 
+                unless test_response.status =~ /555/ 
+                  
               
                   notify( :cipher_checked, result)
                   if bits < 128
@@ -166,69 +218,11 @@ module Watobo#:nodoc: all
           puts bang
           end
         end
-  
-
-
-        def generateChecks_UNUSED(chat)
-          begin
-            @cipherlist.each do |method, c|
-            checker = proc {
-
-              test_request = nil
-              test_response = nil
-              # !!! ATTENTION !!!
-              # MAKE COPY BEFORE MODIFIYING REQUEST
-              request = chat.copyRequest
-
-              
-                ctx = OpenSSL::SSL::SSLContext.new(method)
-                ctx.ciphers = c
-                cypher = ctx.ciphers.first
-                bits = cypher[2].to_i
-                algo = cypher[0]
-              
-                test_request, test_response = doRequest( request, :ssl_cipher => c )
-                result = {
-                    :method => method, 
-                    :algo => algo, 
-                    :bits => bits, 
-                    :support => true
-                  }
-              
-                unless test_response.status =~ /555/ 
-                  
-              
-                  notify( :cipher_checked, result)
-                  if bits < 128
-
-                  addFinding(  test_request, test_response,
-                  :test_item => "#{algo}#{bits}",
-                  #:proof_pattern => "#{match}",
-                  :chat => chat,
-                  :title => "[#{algo}] - #{bits} Bit"
-                  )
-                  end
-                else
-                  result[:support] = false
-                notify(:cipher_checked, result)
-                #              puts "!!! ERROR: #{c}"
-                end
-              
-              [ test_request, test_response ]
-
-            }
-            yield checker
-            end
-          rescue => bang
-          puts "!error in module #{Module.nesting[0].name}"
-          puts bang
-          end
-        end
-      end
-
-      
-    end
-  end
-end
-
-
+      end
+
+      
+    end
+  end
+end
+
+

data/plugins/wshell/gui/main.rb

@@ -1,118 +1,120 @@
-#.
-# main.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
 # @private 
-module Watobo#:nodoc: all
-  module Plugin
-    class WShell
-      class Gui < Watobo::PluginGui
-
-        window_title "WATOBO Shell (experimental)"
-        icon_file "wsh.ico"
-        def initialize()
-          super()
-
-          @history_pos = 0
-          
-           hs_green = FXHiliteStyle.new
-       # hs_green.normalForeColor = FXRGBA(255,255,255,255) 
-       # hs_green.normalForeColor = FXRGBA(0,255,0,1)   
-        #hs_green.normalBackColor = FXRGBA(0,255,0,1)   
-        hs_green.style = FXText::STYLE_BOLD
-        
-        hs_red = FXHiliteStyle.new
-        hs_red.normalForeColor = FXRGBA(255,0,0,1) 
-        #hs_red.normalBackColor = FXRGBA(255,0,0,1)   
-        hs_red.style = FXText::STYLE_BOLD
-          
-          frame = FXVerticalFrame.new(self, :opts => LAYOUT_FILL_X|LAYOUT_FILL_Y)
-          output_frame = FXVerticalFrame.new(frame, :opts => LAYOUT_FILL_X|LAYOUT_FILL_Y|FRAME_SUNKEN|FRAME_THICK, :padding => 0)
-          @output = FXText.new(output_frame, :opts => LAYOUT_FILL_X|LAYOUT_FILL_Y)
-          @output.editable = false
-          @output.styled = true
-          #@font = FXFont.new(getApp(), "courier", 12, FONTWEIGHT_BOLD)
-          @output.setFont(FXFont.new(getApp(), "courier", 10,  FONTSLANT_ITALIC, FONTENCODING_DEFAULT))
-            @output.hiliteStyles = [ hs_red, hs_green]
-
-          @output.appendStyledText Watobo::Plugin::WShell::HELP_TEXT, 2
-
-          FXLabel.new(frame, "Enter 'help' for more information.")
-
-          cmd_frame = FXHorizontalFrame.new(frame, :opts => LAYOUT_FILL_X)
-          @cmd = FXTextField.new(cmd_frame, 25, nil, 0, :opts => TEXTFIELD_NORMAL|LAYOUT_FILL_X|LAYOUT_LEFT)
-          @cmd.connect(SEL_COMMAND){ run_cmd }
-
-          @cmd.connect(SEL_KEYPRESS) do |sender, sel, event|
-            fin = false
-            if event.code == KEY_Up
-              @history_pos -=1 if @history_pos > 0
-              set_history_cmd
-            fin = true
-            elsif event.code == KEY_Down
-              @history_pos += 1 if @history_pos < Watobo::Plugin::WShell.history_length-1
-              set_history_cmd
-            fin = true
-            end
-            fin
-          end
-
-          @cmd.setFocus()
-          @cmd.setDefault()
-
-          @cmd_btn = FXButton.new(cmd_frame, "run")
-          @executions = Watobo::Plugin::WShell.executions
-
-          @cmd_btn.connect(SEL_COMMAND){ run_cmd }
-
-          update_timer{
-            unless @executions.empty?
-              cmd, result = @executions.pop
-
-             # @output.appendText(">> #{cmd}\n")
-              @output.appendText("#{result}\n")
-              @output.appendText("\n---\n")
-
-              @output.makePositionVisible @output.length-1
-
-              @cmd.enabled = true
-              @cmd.backColor = FXColor::White
-              @cmd.text = ''
-            @cmd.setFocus
-
-            end
-          }
-        end
-
-        private
-
-        def set_history_cmd()
-          cmd = Watobo::Plugin::WShell.history_at @history_pos
-          @cmd.text = cmd
-        end
-
-        def run_cmd
-          unless @cmd.text.empty?
-            if @cmd.text =~ /^help$/i
-            #  @output.appendText(Watobo::Plugin::WShell.help)
-            @output.appendStyledText Watobo::Plugin::WShell::HELP_TEXT, 2
-              @cmd.text = ''
-            return true
-            end
-            @output.appendStyledText ">> #{@cmd.text}\n", 1
-            @history_pos = Watobo::Plugin::WShell.history_length+1
-            @cmd.enabled = false
-            @cmd.backColor = @cmd.parent.backColor
-
-            Watobo::Plugin::WShell.execute_cmd @cmd.text
-          end
-        end
-      end
-    end
-  end
-end
+module Watobo #:nodoc: all
+  module Plugin
+    class WShell
+      class Gui < Watobo::PluginGui
+
+        window_title "WATOBO Shell (experimental)"
+        icon_file "wsh.ico"
+
+        def initialize()
+          super()
+
+          @history = []
+          @history_pos = 0
+
+          hs_green = FXHiliteStyle.new
+          # hs_green.normalForeColor = FXRGBA(255,255,255,255) 
+          # hs_green.normalForeColor = FXRGBA(0,255,0,1)   
+          #hs_green.normalBackColor = FXRGBA(0,255,0,1)   
+          hs_green.style = FXText::STYLE_BOLD
+
+          hs_red = FXHiliteStyle.new
+          hs_red.normalForeColor = FXRGBA(255, 0, 0, 255)
+          #hs_red.normalBackColor = FXRGBA(255,0,0,1)   
+          hs_red.style = FXText::STYLE_BOLD
+
+          frame = FXVerticalFrame.new(self, :opts => LAYOUT_FILL_X|LAYOUT_FILL_Y)
+          output_frame = FXVerticalFrame.new(frame, :opts => LAYOUT_FILL_X|LAYOUT_FILL_Y|FRAME_SUNKEN|FRAME_THICK, :padding => 0)
+          @output = FXText.new(output_frame, :opts => LAYOUT_FILL_X|LAYOUT_FILL_Y)
+          @output.editable = false
+          @output.styled = true
+          #@font = FXFont.new(getApp(), "courier", 12, FONTWEIGHT_BOLD)
+          @output.setFont(FXFont.new(getApp(), "courier", 10, FONTSLANT_ITALIC, FONTENCODING_DEFAULT))
+          @output.hiliteStyles = [hs_green, hs_red]
+
+          @output.appendStyledText Watobo::Plugin::WShell::HELP_TEXT, 1
+
+          FXLabel.new(frame, "Enter 'help' for more information.")
+
+          cmd_frame = FXHorizontalFrame.new(frame, :opts => LAYOUT_FILL_X)
+          @cmd = FXTextField.new(cmd_frame, 25, nil, 0, :opts => TEXTFIELD_NORMAL|LAYOUT_FILL_X|LAYOUT_LEFT)
+          @cmd.connect(SEL_COMMAND) { run_cmd }
+
+          @cmd.connect(SEL_KEYPRESS) do |sender, sel, event|
+            fin = false
+            if event.code == KEY_Up
+              @history_pos -=1 if @history_pos > 0
+              set_history_cmd
+              fin = true
+            elsif event.code == KEY_Down
+              @history_pos += 1 if @history_pos < @history.length-1
+              set_history_cmd
+              fin = true
+            end
+            fin
+          end
+
+          @cmd.setFocus()
+          @cmd.setDefault()
+
+          @cmd_btn = FXButton.new(cmd_frame, "run")
+
+          @cmd_btn.connect(SEL_COMMAND) { run_cmd }
+
+        end
+
+        private
+
+        def set_history_cmd()
+          @cmd.text = @history[@history_pos]
+        end
+
+        def run_cmd
+
+          cmd = @cmd.text.strip
+          unless cmd.empty?
+            if cmd =~ /^help$/i
+              #  @output.appendText(Watobo::Plugin::WShell.help)
+              @output.appendStyledText Watobo::Plugin::WShell::HELP_TEXT, 2
+              @cmd.text = ''
+            else
+              @output.appendStyledText ">> #{cmd}\n", 2
+              @cmd.enabled = false
+              @cmd.backColor = @cmd.parent.backColor
+              begin
+                @history << cmd unless @history.include? cmd
+                @history.shift if @history.length > 20
+                # set history_pos to length, because it will be reduced before it will be
+                # displayes
+                @history_pos = @history.length
+
+                #                    command = "out = StringIO.new; out << #{cmd}; out.string"
+                command = cmd
+                r = eval(command)
+                @output.appendStyledText "---\n#{r}\n---\n", 1
+
+              rescue SyntaxError, LocalJumpError, NameError => e
+                @output.appendStyledText ">> #{e}\n", 2
+              rescue => bang
+                puts bang.backtrace
+                @output.appendStyledText ">> #{bang}\n#{bang.backtrace}", 2
+
+              end
+              @output.makePositionVisible @output.length-1
+
+              @cmd.enabled = true
+              @cmd.backColor = FXColor::White
+              @cmd.text = ''
+              @cmd.setFocus
+            end
+
+          end
+
+
+        end
+
+      end
+    end
+  end
+end