yawast 0.2.0.beta1

data/lib/scanner/apache.rb

@@ -0,0 +1,72 @@
+module Yawast
+  module Scanner
+    class Apache
+      def self.check_banner(banner)
+        #don't bother if this doesn't look like Apache
+        return if !banner.include? 'Apache'
+        @apache = true
+
+        modules = banner.split(' ')
+        server = modules[0]
+
+        #hack - fix '(distro)' issue, such as with 'Apache/2.2.22 (Ubuntu)'
+        # if we don't do this, it triggers a false positive on the module check
+        if /\(\w*\)/.match modules[1]
+          server += " #{modules[1]}"
+          modules.delete_at 1
+        end
+
+        #print the server info no matter what we do next
+        Yawast::Utilities.puts_info "Apache Server: #{server}"
+        modules.delete_at 0
+
+        if modules.count > 0
+          Yawast::Utilities.puts_warn 'Apache Server: Module listing enabled'
+          modules.each { |mod| Yawast::Utilities.puts_warn "\t\t#{mod}" }
+          puts ''
+
+          #check for special items
+          modules.each do |mod|
+            if mod.include? 'OpenSSL'
+              Yawast::Utilities.puts_warn "OpenSSL Version Disclosure: #{mod}"
+              puts ''
+            end
+          end
+        end
+      end
+
+      def self.check_all(uri, head)
+        #this check for @apache may yield false negatives.. meh.
+        if @apache
+          #run all the defined checks
+          check_server_status(uri.copy)
+          check_server_info(uri.copy)
+        end
+      end
+
+      def self.check_server_status(uri)
+        uri.path = '/server-status'
+        uri.query = '' if uri.query != nil
+
+        ret = Yawast::Shared::Http.get(uri)
+
+        if ret.include? 'Apache Server Status'
+          Yawast::Utilities.puts_vuln "Apache Server Status page found: #{uri}"
+          puts ''
+        end
+      end
+
+      def self.check_server_info(uri)
+        uri.path = '/server-info'
+        uri.query = '' if uri.query != nil
+
+        ret = Yawast::Shared::Http.get(uri)
+
+        if ret.include? 'Apache Server Information'
+          Yawast::Utilities.puts_vuln "Apache Server Info page found: #{uri}"
+          puts ''
+        end
+      end
+    end
+  end
+end

data/lib/scanner/cms.rb

@@ -0,0 +1,14 @@
+module Yawast
+  module Scanner
+    class Cms
+      def self.get_generator(body)
+        regex = /<meta name="generator[^>]+content\s*=\s*['"]([^'"]+)['"][^>]*>/
+        match = body.match regex
+
+        if match
+          Yawast::Utilities.puts_info "Meta Generator: #{match[1]}"
+        end
+      end
+    end
+  end
+end

data/lib/scanner/core.rb

@@ -0,0 +1,95 @@
+module Yawast
+  module Scanner
+    class Core
+      def self.print_header(uri)
+        Yawast.header
+
+        puts "Scanning: #{uri.to_s}"
+        puts
+      end
+
+      def self.setup(uri, options)
+        unless @setup
+          print_header(uri)
+          Yawast.set_openssl_options
+
+          Yawast::Scanner::Generic.server_info(uri, options)
+        end
+
+        @setup = true
+      end
+
+      def self.process(uri, options)
+        setup(uri, options)
+
+        begin
+          #setup the proxy
+          Yawast::Shared::Http.setup(options.proxy, options.cookie)
+
+          #cache the HEAD result, so that we can minimize hits
+          head = Yawast::Shared::Http.head(uri)
+          Yawast::Scanner::Generic.head_info(head)
+
+          #perfom SSL checks
+          check_ssl(uri, options, head)
+
+          #process the 'scan' stuff that goes beyond 'head'
+          unless options.head
+            #server specific checks
+            Yawast::Scanner::Apache.check_all(uri, head)
+            Yawast::Scanner::Iis.check_all(uri, head)
+
+            Yawast::Scanner::ObjectPresence.check_source_control(uri)
+            Yawast::Scanner::ObjectPresence.check_sitemap(uri)
+            Yawast::Scanner::ObjectPresence.check_cross_domain(uri)
+            Yawast::Scanner::ObjectPresence.check_wsftp_log(uri)
+            Yawast::Scanner::ObjectPresence.check_trace_axd(uri)
+            Yawast::Scanner::ObjectPresence.check_elmah_axd(uri)
+            Yawast::Scanner::ObjectPresence.check_readme_html(uri)
+            Yawast::Scanner::ObjectPresence.check_release_notes_txt(uri)
+
+            Yawast::Scanner::Generic.check_propfind(uri)
+            Yawast::Scanner::Generic.check_options(uri)
+            Yawast::Scanner::Generic.check_trace(uri)
+
+            #check for common directories
+            if options.dir
+              Yawast::Scanner::Generic.directory_search(uri, options.dirrecursive)
+            end
+
+            get_cms(uri, options)
+          end
+
+          puts 'Scan complete.'
+        rescue => e
+          Yawast::Utilities.puts_error "Fatal Error: Can not continue. (#{e.message})"
+        end
+      end
+
+      def self.get_cms(uri, options)
+        setup(uri, options)
+
+        body = Yawast::Shared::Http.get(uri)
+        Yawast::Scanner::Cms.get_generator(body)
+      end
+
+      def self.check_ssl(uri, options, head)
+        setup(uri, options)
+
+        if uri.scheme == 'https' && !options.nossl
+          head = Yawast::Shared::Http.head(uri) if head == nil
+
+          if options.internalssl
+            Yawast::Scanner::Ssl.info(uri, !options.nociphers, options.sweet32count)
+          else
+            Yawast::Scanner::SslLabs.info(uri, options.sslsessioncount)
+          end
+
+          Yawast::Scanner::Ssl.check_hsts(head)
+        elsif uri.scheme == 'http'
+          puts 'Skipping TLS checks; URL is not HTTPS'
+        end
+      end
+    end
+  end
+end

data/lib/scanner/generic.rb

@@ -0,0 +1,323 @@
+require 'ipaddr_extensions'
+
+module Yawast
+  module Scanner
+    class Generic
+      def self.server_info(uri, options)
+        begin
+          puts 'DNS Information:'
+
+          dns = Resolv::DNS.new
+          Resolv::DNS.open do |resv|
+            a = resv.getresources(uri.host, Resolv::DNS::Resource::IN::A)
+            unless a.empty?
+              a.each do |ip|
+                begin
+                  host_name = dns.getname(ip.address)
+                rescue
+                  host_name = 'N/A'
+                end
+
+                Yawast::Utilities.puts_info "\t\t#{ip.address} (#{host_name})"
+
+                # if address is private, force internal SSL mode, don't show links
+                if IPAddr.new(ip.address.to_s, Socket::AF_INET).private?
+                  options.internalssl = true
+                else
+                  puts "\t\t\t\thttps://www.shodan.io/host/#{ip.address}"
+                  puts "\t\t\t\thttps://censys.io/ipv4/#{ip.address}"
+                end
+              end
+            end
+
+            aaaa = resv.getresources(uri.host, Resolv::DNS::Resource::IN::AAAA)
+            unless aaaa.empty?
+              aaaa.each do |ip|
+                begin
+                  host_name = dns.getname(ip.address)
+                rescue
+                  host_name = 'N/A'
+                end
+
+                Yawast::Utilities.puts_info "\t\t#{ip.address} (#{host_name})"
+
+                # if address is private, force internal SSL mode, don't show links
+                if IPAddr.new(ip.address.to_s, Socket::AF_INET6).private?
+                  options.internalssl = true
+                else
+                  puts "\t\t\t\thttps://www.shodan.io/host/#{ip.address.to_s.downcase}"
+                end
+              end
+            end
+
+            txt = resv.getresources(uri.host, Resolv::DNS::Resource::IN::TXT)
+            unless txt.empty?
+              txt.each do |rec|
+                Yawast::Utilities.puts_info "\t\tTXT: #{rec.data}"
+              end
+            end
+
+            mx = resv.getresources(uri.host, Resolv::DNS::Resource::IN::MX)
+            unless mx.empty?
+              mx.each do |rec|
+                Yawast::Utilities.puts_info "\t\tMX: #{rec.exchange} (#{rec.preference})"
+              end
+            end
+
+            ns = resv.getresources(uri.host, Resolv::DNS::Resource::IN::NS)
+            unless ns.empty?
+              ns.each do |rec|
+                Yawast::Utilities.puts_info "\t\tNS: #{rec.name}"
+              end
+            end
+          end
+
+          puts
+        rescue => e
+          Yawast::Utilities.puts_error "Error getting basic information: #{e.message}"
+          raise
+        end
+      end
+
+      def self.head_info(head)
+        begin
+          server = ''
+          powered_by = ''
+          cookies = Array.new
+          pingback = ''
+          frame_options = ''
+          content_options = ''
+          csp = ''
+          backend_server = ''
+          runtime = ''
+          xss_protection = ''
+          via = ''
+          hpkp = ''
+
+          Yawast::Utilities.puts_info 'HEAD:'
+          head.each do |k, v|
+            Yawast::Utilities.puts_info "\t\t#{k}: #{v}"
+
+            server = v if k.downcase == 'server'
+            powered_by = v if k.downcase == 'x-powered-by'
+            pingback = v if k.downcase == 'x-pingback'
+            frame_options = v if k.downcase == 'x-frame-options'
+            content_options = v if k.downcase == 'x-content-type-options'
+            csp = v if k.downcase == 'content-security-policy'
+            backend_server = v if k.downcase == 'x-backend-server'
+            runtime = v if k.downcase == 'x-runtime'
+            xss_protection = v if k.downcase == 'x-xss-protection'
+            via = v if k.downcase == 'via'
+            hpkp = v if k.downcase == 'public-key-pins'
+
+            if k.downcase == 'set-cookie'
+              #this chunk of magic manages to properly split cookies, when multiple are sent together
+              v.gsub(/(,([^;,]*=)|,$)/) { "\r\n#{$2}" }.split(/\r\n/).each { |c| cookies.push(c) }
+            end
+          end
+          puts ''
+
+          if server != ''
+            Yawast::Scanner::Apache.check_banner(server)
+            Yawast::Scanner::Php.check_banner(server)
+            Yawast::Scanner::Iis.check_banner(server)
+            Yawast::Scanner::Nginx.check_banner(server)
+
+            if server == 'cloudflare-nginx'
+              Yawast::Utilities.puts_info 'NOTE: Server appears to be Cloudflare; WAF may be in place.'
+              puts
+            end
+          end
+
+          if powered_by != ''
+            Yawast::Utilities.puts_warn "X-Powered-By Header Present: #{powered_by}"
+          end
+
+          if xss_protection == '0'
+            Yawast::Utilities.puts_warn 'X-XSS-Protection Disabled Header Present'
+          end
+
+          unless pingback == ''
+            Yawast::Utilities.puts_info "X-Pingback Header Present: #{pingback}"
+          end
+
+          unless runtime == ''
+            if runtime.is_number?
+              Yawast::Utilities.puts_warn 'X-Runtime Header Present; likely indicates a RoR application'
+            else
+              Yawast::Utilities.puts_warn "X-Runtime Header Present: #{runtime}"
+            end
+          end
+
+          unless backend_server == ''
+            Yawast::Utilities.puts_warn "X-Backend-Server Header Present: #{backend_server}"
+          end
+
+          unless via == ''
+            Yawast::Utilities.puts_warn "Via Header Present: #{via}"
+          end
+
+          if frame_options == ''
+            Yawast::Utilities.puts_warn 'X-Frame-Options Header Not Present'
+          else
+            if frame_options.downcase == 'allow'
+              Yawast::Utilities.puts_vuln "X-Frame-Options Header: #{frame_options}"
+            else
+              Yawast::Utilities.puts_info "X-Frame-Options Header: #{frame_options}"
+            end
+          end
+
+          if content_options == ''
+            Yawast::Utilities.puts_warn 'X-Content-Type-Options Header Not Present'
+          else
+            Yawast::Utilities.puts_info "X-Content-Type-Options Header: #{content_options}"
+          end
+
+          if csp == ''
+            Yawast::Utilities.puts_warn 'Content-Security-Policy Header Not Present'
+          end
+
+          if hpkp == ''
+            Yawast::Utilities.puts_warn 'Public-Key-Pins Header Not Present'
+          end
+
+          puts ''
+
+          unless cookies.empty?
+            Yawast::Utilities.puts_info 'Cookies:'
+
+            cookies.each do |val|
+              Yawast::Utilities.puts_info "\t\t#{val.strip}"
+
+              elements = val.strip.split(';')
+
+              #check for secure cookies
+              unless elements.include? ' Secure'
+                Yawast::Utilities.puts_warn "\t\t\tCookie missing Secure flag"
+              end
+
+              #check for HttpOnly cookies
+              unless elements.include? ' HttpOnly'
+                Yawast::Utilities.puts_warn "\t\t\tCookie missing HttpOnly flag"
+              end
+            end
+
+            puts ''
+          end
+
+          puts ''
+        rescue => e
+          Yawast::Utilities.puts_error "Error getting head information: #{e.message}"
+          raise
+        end
+      end
+
+      def self.directory_search(uri, recursive, banner = true)
+        if banner
+          if recursive
+            puts 'Recursively searching for common directories (this will take a while)...'
+          else
+            puts 'Searching for common directories...'
+          end
+        end
+
+        begin
+          req = Yawast::Shared::Http.get_http(uri)
+          req.use_ssl = uri.scheme == 'https'
+          req.keep_alive_timeout = 600
+          headers = Yawast::Shared::Http.get_headers
+
+          req.start do |http|
+            File.open("lib/resources/common.txt", "r") do |f|
+              f.each_line do |line|
+                check = uri.copy
+                check.path = check.path + "#{line.strip}/"
+
+                res = http.head(check, headers)
+
+                if res.code == '200'
+                  Yawast::Utilities.puts_info "\tFound: '#{check.to_s}'"
+                  directory_search check, recursive, false if recursive
+                elsif res.code == '301'
+                  Yawast::Utilities.puts_info "\tFound Redirect: '#{check.to_s} -> '#{res['Location']}'"
+                end
+              end
+            end
+          end
+        rescue => e
+          Yawast::Utilities.puts_error "Error searching for directories (#{e.message})"
+        end
+
+        puts '' if banner
+      end
+
+      def self.check_options(uri)
+        begin
+          req = Yawast::Shared::Http.get_http(uri)
+          req.use_ssl = uri.scheme == 'https'
+          headers = Yawast::Shared::Http.get_headers
+          res = req.request(Options.new('/', headers))
+
+          if res['Public'] != nil
+            Yawast::Utilities.puts_info "Public HTTP Verbs (OPTIONS): #{res['Public']}"
+
+            puts ''
+          end
+        end
+      end
+
+      def self.check_trace(uri)
+        begin
+          req = Yawast::Shared::Http.get_http(uri)
+          req.use_ssl = uri.scheme == 'https'
+          headers = Yawast::Shared::Http.get_headers
+          res = req.request(Trace.new('/', headers))
+
+          if res.body.include? 'TRACE / HTTP/1.1'
+            Yawast::Utilities.puts_warn 'HTTP TRACE Enabled'
+            puts "\t\t\"curl -X TRACE #{uri}\""
+
+            puts ''
+          end
+        end
+      end
+
+      def self.check_propfind(uri)
+        begin
+          req = Yawast::Shared::Http.get_http(uri)
+          req.use_ssl = uri.scheme == 'https'
+          headers = Yawast::Shared::Http.get_headers
+          res = req.request(Propfind.new('/', headers))
+
+          if res.code.to_i <= 400 && res.body.length > 0 && res['Content-Type'] == 'text/xml'
+            Yawast::Utilities.puts_warn 'Possible Info Disclosure: PROPFIND Enabled'
+            puts "\t\t\"curl -X PROPFIND #{uri}\""
+
+            puts ''
+          end
+        end
+      end
+    end
+
+    #Custom class to allow using the PROPFIND verb
+    class Propfind < Net::HTTPRequest
+      METHOD = "PROPFIND"
+      REQUEST_HAS_BODY = false
+      RESPONSE_HAS_BODY = true
+    end
+
+    #Custom class to allow using the OPTIONS verb
+    class Options < Net::HTTPRequest
+      METHOD = "OPTIONS"
+      REQUEST_HAS_BODY = false
+      RESPONSE_HAS_BODY = true
+    end
+
+    #Custom class to allow using the TRACE verb
+    class Trace < Net::HTTPRequest
+      METHOD = "TRACE"
+      REQUEST_HAS_BODY = false
+      RESPONSE_HAS_BODY = true
+    end
+  end
+end

data/lib/scanner/iis.rb

@@ -0,0 +1,63 @@
+module Yawast
+  module Scanner
+    class Iis
+      def self.check_banner(banner)
+        #don't bother if this doesn't include IIS
+        return if !banner.include? 'Microsoft-IIS/'
+        @iis = true
+
+        Yawast::Utilities.puts_warn "IIS Version: #{banner}"
+        puts ''
+      end
+
+      def self.check_all(uri, head)
+        return if !@iis
+
+        #run all the defined checks
+        check_asp_banner(head)
+        check_mvc_version(head)
+        check_asp_net_debug(uri)
+      end
+
+      def self.check_asp_banner(head)
+        head.each do |k, v|
+          if k.downcase == 'x-aspnet-version'
+            Yawast::Utilities.puts_warn "ASP.NET Version: #{v}"
+            puts ''
+          end
+        end
+      end
+
+      def self.check_mvc_version(head)
+        head.each do |k, v|
+          if k.downcase == 'x-aspnetmvc-version'
+            Yawast::Utilities.puts_warn "ASP.NET MVC Version: #{v}"
+            puts ''
+          end
+        end
+      end
+
+      def self.check_asp_net_debug(uri)
+        begin
+          req = Yawast::Shared::Http.get_http(uri)
+          req.use_ssl = uri.scheme == 'https'
+          headers = Yawast::Shared::Http.get_headers
+          headers['Command'] = 'stop-debug'
+          headers['Accept'] = '*/*'
+          res = req.request(Debug.new('/', headers))
+
+          if res.code == 200
+            Yawast::Utilities.puts_vuln 'ASP.NET Debugging Enabled'
+          end
+        end
+      end
+    end
+
+    #Custom class to allow using the DEBUG verb
+    class Debug < Net::HTTPRequest
+      METHOD = "DEBUG"
+      REQUEST_HAS_BODY = false
+      RESPONSE_HAS_BODY = true
+    end
+  end
+end

data/lib/scanner/nginx.rb

@@ -0,0 +1,13 @@
+module Yawast
+  module Scanner
+    class Nginx
+      def self.check_banner(banner)
+        #don't bother if this doesn't include nginx
+        return if !banner.include? 'nginx/'
+
+        Yawast::Utilities.puts_warn "nginx Version: #{banner}"
+        puts ''
+      end
+    end
+  end
+end

data/lib/scanner/obj_presence.rb

@@ -0,0 +1,63 @@
+module Yawast
+  module Scanner
+    class ObjectPresence
+      def self.check_source_control(uri)
+        check_path(uri, '/.git/', true)
+        check_path(uri, '/.hg/', true)
+        check_path(uri, '/.svn/', true)
+        check_path(uri, '/.bzr/', true)
+      end
+
+      def self.check_cross_domain(uri)
+        check_path(uri, '/crossdomain.xml', false)
+        check_path(uri, '/clientaccesspolicy.xml', false)
+      end
+
+      def self.check_sitemap(uri)
+        check_path(uri, '/sitemap.xml', false)
+      end
+
+      def self.check_wsftp_log(uri)
+        #check both upper and lower, as they are both seen in the wild
+        check_path(uri, '/WS_FTP.LOG', false)
+        check_path(uri, '/ws_ftp.log', false)
+      end
+
+      def self.check_trace_axd(uri)
+        check_path(uri, '/Trace.axd', false)
+      end
+
+      def self.check_elmah_axd(uri)
+        check_path(uri, '/elmah.axd', false)
+      end
+
+      def self.check_readme_html(uri)
+        check_path(uri, '/readme.html', false)
+      end
+
+      def self.check_release_notes_txt(uri)
+        check_path(uri, '/RELEASE-NOTES.txt', false)
+      end
+
+      def self.check_path(uri, path, vuln)
+        #note: this only checks directly at the root, I'm not sure if this is what we want
+        # should probably be relative to what's passed in, instead of overriding the path.
+        check = uri.copy
+        check.path = "#{path}"
+        code = Yawast::Shared::Http.get_status_code(check)
+
+        if code == "200"
+          msg = "'#{path}' found: #{check}"
+
+          if vuln
+            Yawast::Utilities.puts_vuln msg
+          else
+            Yawast::Utilities.puts_warn msg
+          end
+
+          puts ''
+        end
+      end
+    end
+  end
+end

data/lib/scanner/php.rb

@@ -0,0 +1,19 @@
+module Yawast
+  module Scanner
+    class Php
+      def self.check_banner(banner)
+        #don't bother if this doesn't include PHP
+        return if !banner.include? 'PHP/'
+
+        modules = banner.split(' ')
+
+        modules.each do |mod|
+          if mod.include? 'PHP/'
+            Yawast::Utilities.puts_warn "PHP Version: #{mod}"
+            puts ''
+          end
+        end
+      end
+    end
+  end
+end