yawast 0.2.2 → 0.3.0.beta1

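--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 137841009f16eb238019ed11dc7ec40e06935e45
- data.tar.gz: cc4e24cecc340ec42719b00e558332a6375bf1b4
+ metadata.gz: 79985d80e1ef75ebc9280fe083940f9709c6b9c3
+ data.tar.gz: 628bcc0da114c9c153554b5687b0c85b96390ccf
  SHA512:
- metadata.gz: 454285f569b8ab407fd84b3b7387531a4cfe6d4ba2ca988fbdd891f2af7febf825729452230d4be1ea4813b19c6d795207dd8ae05a0b9c60acfe7330e88950e5
- data.tar.gz: ce9a9c94ca64a13561e6cba6bad628e86b37ac28473584683c54ac8fc76fa1477e26827c267cf323b9b303862ac36bdefe88f7447fb0da53265cdf5043a06e71
+ metadata.gz: 6ff471e7849b98ce68f6c2d83e23e6358a7f863bb98f7430ad715b2d5dcd9fc77c8c4d17d49bb5611f2f3488e475cb51c40013d320e56b98f0970c9f6df01925
+ data.tar.gz: 0fff13c7d0e3b06e9fbb0c0a02b13430200d1312762fef5a1fc268093d1d9322e5d056d23db1c37c974b44c98919e0c8c7dd66d7fe157f1faab4b4e38c29afc2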
data/CHANGELOG.md CHANGED
@@ -1,3 +1,8 @@
1
+ ## 0.3.0 - In Development
2
+
3
+ * [#61](https://github.com/adamcaudill/yawast/issues/61) - SSL Session Count: force 3DES suites
4
+ * [#23](https://github.com/adamcaudill/yawast/issues/23) - Add check for HTTP to HTTPS redirect
5
+
1
6
  ## 0.2.2 - 2016-08-07
2
7
 
3
8
  * [#55](https://github.com/adamcaudill/yawast/issues/55) - Add Protocol Intolerance information.
@@ -7,29 +7,7 @@ module Yawast
7
7
  #this might be a bad assumption
8
8
  url = args[0]
9
9
 
10
- #this might be buggy - actually, I know it is...
11
- url = 'http://' + url unless url.include?('http://') || url.include?('https://')
12
-
13
- #make sure the path is at least a slash
14
- uri = URI.parse(url)
15
- uri.path = '/' if uri.path == ''
16
-
17
- #this is buggy, but we don't handle files anyhow...
18
- #if the path doesn't end in a slash, add one.
19
- if uri.path[-1, 1] != '/'
20
- uri.path.concat '/'
21
- end
22
-
23
- #see if we can resolve the host
24
- # we don't really need it, it just serves as validation
25
- begin
26
- dns = Resolv::DNS.new()
27
- dns.getaddress(uri.host)
28
- rescue => e
29
- raise ArgumentError.new("Invalid URL (#{e.message})") unless uri.host == 'localhost'
30
- end
31
-
32
- return uri
10
+ return Yawast::Shared::Uri.extract_uri url
33
11
  end
34
12
  end
35
13
  end
data/lib/scanner/core.rb CHANGED
@@ -1,19 +1,28 @@
1
1
  module Yawast
2
2
  module Scanner
3
3
  class Core
4
- def self.print_header(uri)
4
+ def self.print_header
5
5
  Yawast.header
6
6
 
7
- puts "Scanning: #{uri.to_s}"
7
+ puts "Scanning: #{@uri.to_s}"
8
8
  puts
9
9
  end
10
10
 
11
11
  def self.setup(uri, options)
12
12
  unless @setup
13
- print_header(uri)
13
+ @uri = uri
14
+
15
+ print_header
16
+
17
+ ssl_redirect = check_for_ssl_redirect
18
+ if ssl_redirect
19
+ @uri = ssl_redirect
20
+ puts "Server redirects to TLS: Scanning: #{@uri.to_s}"
21
+ end
22
+
14
23
  Yawast.set_openssl_options
15
24
 
16
- Yawast::Scanner::Generic.server_info(uri, options)
25
+ Yawast::Scanner::Generic.server_info(@uri, options)
17
26
  end
18
27
 
19
28
  @setup = true
@@ -27,37 +36,37 @@ module Yawast
27
36
  Yawast::Shared::Http.setup(options.proxy, options.cookie)
28
37
 
29
38
  #cache the HEAD result, so that we can minimize hits
30
- head = Yawast::Shared::Http.head(uri)
39
+ head = Yawast::Shared::Http.head(@uri)
31
40
  Yawast::Scanner::Generic.head_info(head)
32
41
 
33
42
  #perfom SSL checks
34
- check_ssl(uri, options, head)
43
+ check_ssl(@uri, options, head)
35
44
 
36
45
  #process the 'scan' stuff that goes beyond 'head'
37
46
  unless options.head
38
47
  #server specific checks
39
- Yawast::Scanner::Apache.check_all(uri, head)
40
- Yawast::Scanner::Iis.check_all(uri, head)
41
-
42
- Yawast::Scanner::ObjectPresence.check_source_control(uri)
43
- Yawast::Scanner::ObjectPresence.check_sitemap(uri)
44
- Yawast::Scanner::ObjectPresence.check_cross_domain(uri)
45
- Yawast::Scanner::ObjectPresence.check_wsftp_log(uri)
46
- Yawast::Scanner::ObjectPresence.check_trace_axd(uri)
47
- Yawast::Scanner::ObjectPresence.check_elmah_axd(uri)
48
- Yawast::Scanner::ObjectPresence.check_readme_html(uri)
49
- Yawast::Scanner::ObjectPresence.check_release_notes_txt(uri)
50
-
51
- Yawast::Scanner::Generic.check_propfind(uri)
52
- Yawast::Scanner::Generic.check_options(uri)
53
- Yawast::Scanner::Generic.check_trace(uri)
48
+ Yawast::Scanner::Apache.check_all(@uri, head)
49
+ Yawast::Scanner::Iis.check_all(@uri, head)
50
+
51
+ Yawast::Scanner::ObjectPresence.check_source_control(@uri)
52
+ Yawast::Scanner::ObjectPresence.check_sitemap(@uri)
53
+ Yawast::Scanner::ObjectPresence.check_cross_domain(@uri)
54
+ Yawast::Scanner::ObjectPresence.check_wsftp_log(@uri)
55
+ Yawast::Scanner::ObjectPresence.check_trace_axd(@uri)
56
+ Yawast::Scanner::ObjectPresence.check_elmah_axd(@uri)
57
+ Yawast::Scanner::ObjectPresence.check_readme_html(@uri)
58
+ Yawast::Scanner::ObjectPresence.check_release_notes_txt(@uri)
59
+
60
+ Yawast::Scanner::Generic.check_propfind(@uri)
61
+ Yawast::Scanner::Generic.check_options(@uri)
62
+ Yawast::Scanner::Generic.check_trace(@uri)
54
63
 
55
64
  #check for common directories
56
65
  if options.dir
57
- Yawast::Scanner::Generic.directory_search(uri, options.dirrecursive)
66
+ Yawast::Scanner::Generic.directory_search(@uri, options.dirrecursive)
58
67
  end
59
68
 
60
- get_cms(uri, options)
69
+ get_cms(@uri, options)
61
70
  end
62
71
 
63
72
  puts 'Scan complete.'
@@ -73,20 +82,42 @@ module Yawast
73
82
  Yawast::Scanner::Cms.get_generator(body)
74
83
  end
75
84
 
85
+ def self.check_for_ssl_redirect
86
+ #check to see if the site redirects to SSL by default
87
+ if @uri.scheme != 'https'
88
+ head = Yawast::Shared::Http.head(@uri)
89
+
90
+ if head['Location'] != nil
91
+ begin
92
+ location = URI.parse(head['Location'])
93
+
94
+ if location.scheme == 'https'
95
+ #we run this through extract_uri as it performs a few checks we need
96
+ return Yawast::Shared::Uri.extract_uri location.to_s
97
+ end
98
+ rescue
99
+ #we don't care if this fails
100
+ end
101
+ end
102
+ end
103
+
104
+ return nil
105
+ end
106
+
76
107
  def self.check_ssl(uri, options, head)
77
108
  setup(uri, options)
78
109
 
79
- if uri.scheme == 'https' && !options.nossl
80
- head = Yawast::Shared::Http.head(uri) if head == nil
110
+ if @uri.scheme == 'https' && !options.nossl
111
+ head = Yawast::Shared::Http.head(@uri) if head == nil
81
112
 
82
113
  if options.internalssl
83
- Yawast::Scanner::Ssl.info(uri, !options.nociphers, options.sweet32count)
114
+ Yawast::Scanner::Ssl.info(uri, !options.nociphers, options.sslsessioncount)
84
115
  else
85
- Yawast::Scanner::SslLabs.info(uri, options.sslsessioncount)
116
+ Yawast::Scanner::SslLabs.info(@uri, options.sslsessioncount)
86
117
  end
87
118
 
88
119
  Yawast::Scanner::Ssl.check_hsts(head)
89
- elsif uri.scheme == 'http'
120
+ elsif @uri.scheme == 'http'
90
121
  puts 'Skipping TLS checks; URL is not HTTPS'
91
122
  end
92
123
  end
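Review bot: `check_for_ssl_redirect` accepts any `https` URL from the server-supplied `Location` header as the new scan target, so a redirect to a different host silently moves every later check (directory search, object-presence probes, TLS tests) onto a host the operator never named. Restricting the automatic switch to the same host, `if location.scheme == 'https' && location.host == @uri.host`, and printing the cross-host case as information instead keeps the scan inside the requested scope. In `check_ssl` the internal branch still passes the `uri` argument to `Yawast::Scanner::Ssl.info` while the guard and the SslLabs branch use `@uri`; a caller that hands in the original `http` URI would have the check gated on one target and run against another, so `Ssl.info(@uri, ...)` looks intended.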
@@ -273,7 +273,7 @@ module Yawast
273
273
  headers = Yawast::Shared::Http.get_headers
274
274
  res = req.request(Trace.new('/', headers))
275
275
 
276
- if res.body.include? 'TRACE / HTTP/1.1'
276
+ if res.body.include? 'TRACE / HTTP/1.1' && res.code == '200'
277
277
  Yawast::Utilities.puts_warn 'HTTP TRACE Enabled'
278
278
  puts "\t\t\"curl -X TRACE #{uri}\""
279
279
 
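Review bot: The new condition `res.body.include? 'TRACE / HTTP/1.1' && res.code == '200'` does not parse the way it reads: without parentheses the whole `&&` expression becomes the argument of `include?`, so the method receives `true` or `false` and raises `TypeError` instead of testing the body. Write it as `if res.code == '200' && res.body.include?('TRACE / HTTP/1.1')`, which also checks the status before touching the body. Depending on how the surrounding method handles errors, which is outside this hunk, the current form either aborts the scan at this check or never reports an enabled TRACE method. The hunk's line numbers do not continue the core.rb hunks above, so it probably belongs to another file (the `check_trace` method that core.rb calls) whose header is missing from the page.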
data/lib/scanner/ssl.rb CHANGED
@@ -181,7 +181,7 @@ module Yawast
181
181
  def self.get_session_msg_count(uri)
182
182
  # this method will send a number of HEAD requests to see
183
183
  # if the connection is eventually killed.
184
- puts 'TLS Session Request Limit: Checking number of requests accepted...'
184
+ puts 'TLS Session Request Limit: Checking number of requests accepted using 3DES suites...'
185
185
 
186
186
  count = 0
187
187
  begin
@@ -190,6 +190,9 @@ module Yawast
190
190
  req.keep_alive_timeout = 600
191
191
  headers = Yawast::Shared::Http.get_headers
192
192
 
193
+ #force 3DES - this is to ensure that 3DES specific limits are caught
194
+ req.ciphers = ["3DES"]
195
+
193
196
  req.start do |http|
194
197
  10000.times do |i|
195
198
  http.head(uri.path, headers)
@@ -208,13 +211,18 @@ module Yawast
208
211
  end
209
212
  rescue => e
210
213
  puts
211
- Yawast::Utilities.puts_info "TLS Session Request Limit: Connection terminated after #{count} requests (#{e.message})"
214
+
215
+ if e.message.include? 'alert handshake failure'
216
+ Yawast::Utilities.puts_info 'TLS Session Request Limit: Server does not support 3DES cipher suites'
217
+ else
218
+ Yawast::Utilities.puts_info "TLS Session Request Limit: Connection terminated after #{count} requests (#{e.message})"
219
+ end
220
+
212
221
  return
213
222
  end
214
223
 
215
224
  puts
216
- Yawast::Utilities.puts_warn 'TLS Session Request Limit: Connection not terminated after 10,000 requests'
217
- Yawast::Utilities.puts_warn 'TLS Session Request Limit: If server supports 3DES, may be affected by SWEET32'
225
+ Yawast::Utilities.puts_vuln 'TLS Session Request Limit: Connection not terminated after 10,000 requests; possibly vulnerable to SWEET32'
218
226
  end
219
227
 
220
228
  #private methods
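Review bot: The rescue branch decides "Server does not support 3DES" from the substring `'alert handshake failure'` in the exception message, which ties the verdict to OpenSSL's wording and to only one of several reasons a handshake can fail. A failure on the client side, for example a local OpenSSL build without 3DES suites, would likely raise a different message and be printed as "Connection terminated after 0 requests", which reads like a server-enforced limit. Assuming `count` only advances after a successful request (the loop body is outside these hunks), branching on `count == 0` and printing the error as "test not run" would keep both cases from being read as a SWEET32 result. The method starts and ends outside the hunks shown.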
@@ -491,6 +491,8 @@ module Yawast
491
491
  if ep.details.protocol_intolerance & (1<<5) != 0
492
492
  Yawast::Utilities.puts_warn "\t\t\tProtocol Intolerance: TLS 2.152"
493
493
  end
494
+ else
495
+ Yawast::Utilities.puts_info "\t\t\tProtocol Intolerance: No"
494
496
  end
495
497
 
496
498
  puts
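--- /dev/null
+++ b/data/lib/shared/uri.rb
@@ -0,0 +1,31 @@
+ module Yawast
+ module Shared
+ class Uri
+ def self.extract_uri(url)
+ #this might be buggy - actually, I know it is...
+ url = 'http://' + url unless url.include?('http://') || url.include?('https://')
+
+ #make sure the path is at least a slash
+ uri = URI.parse(url)
+ uri.path = '/' if uri.path == ''
+
+ #this is buggy, but we don't handle files anyhow...
+ #if the path doesn't end in a slash, add one.
+ if uri.path[-1, 1] != '/'
+ uri.path.concat '/'
+ end
+
+ #see if we can resolve the host
+ # we don't really need it, it just serves as validation
+ begin
+ dns = Resolv::DNS.new
+ dns.getaddress(uri.host)
+ rescue => e
+ raise ArgumentError.new("Invalid URL (#{e.message})") unless uri.host == 'localhost'
+ end
+
+ return uri
+ end
+ end
+ end
+ end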
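Review bot: The scheme test on the first line of `extract_uri` uses `include?`, so `http://` anywhere in the input counts; a constructed argument such as `example.com/?next=http://other` gets no prefix, `URI.parse` leaves `uri.host` nil, and the caller sees an `Invalid URL` error from the DNS step rather than a clear message. Anchoring the test, `url = 'http://' + url unless url =~ %r{\Ahttps?://}i`, and rejecting a nil host before the lookup fixes both. This matters more now that the redirect check in core.rb feeds a server-supplied `Location` value through this method. `Resolv::DNS` also skips the hosts file, which is presumably why `localhost` is special-cased; `Resolv.getaddress` would cover hosts-file names without the exception.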
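--- a/data/lib/version.rb
+++ b/data/lib/version.rb
@@ -1,3 +1,3 @@
  module Yawast
- VERSION = '0.2.2'
+ VERSION = '0.3.0.beta1'
  end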
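--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: yawast
  version: !ruby/object:Gem::Version
- version: 0.2.2
+ version: 0.3.0.beta1
  platform: ruby
  authors:
  - Adam Caudill
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2016-09-07 00:00:00.000000000 Z
+ date: 2016-09-12 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: ssllabs
@@ -127,6 +127,7 @@ files:
  - lib/scanner/ssl.rb
  - lib/scanner/ssl_labs.rb
  - lib/shared/http.rb
+ - lib/shared/uri.rb
  - lib/string_ext.rb
  - lib/uri_ext.rb
  - lib/util.rb
@@ -169,9 +170,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
  version: '0'
  required_rubygems_version: !ruby/object:Gem::Requirement
  requirements:
- - - ">="
+ - - ">"
  - !ruby/object:Gem::Version
- version: '0'
+ version: 1.3.1
  requirements: []
  rubyforge_project: yawast
  rubygems_version: 2.6.6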