yawast 0.2.2 → 0.3.0.beta1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 137841009f16eb238019ed11dc7ec40e06935e45
-  data.tar.gz: cc4e24cecc340ec42719b00e558332a6375bf1b4
+  metadata.gz: 79985d80e1ef75ebc9280fe083940f9709c6b9c3
+  data.tar.gz: 628bcc0da114c9c153554b5687b0c85b96390ccf
 SHA512:
-  metadata.gz: 454285f569b8ab407fd84b3b7387531a4cfe6d4ba2ca988fbdd891f2af7febf825729452230d4be1ea4813b19c6d795207dd8ae05a0b9c60acfe7330e88950e5
-  data.tar.gz: ce9a9c94ca64a13561e6cba6bad628e86b37ac28473584683c54ac8fc76fa1477e26827c267cf323b9b303862ac36bdefe88f7447fb0da53265cdf5043a06e71
+  metadata.gz: 6ff471e7849b98ce68f6c2d83e23e6358a7f863bb98f7430ad715b2d5dcd9fc77c8c4d17d49bb5611f2f3488e475cb51c40013d320e56b98f0970c9f6df01925
+  data.tar.gz: 0fff13c7d0e3b06e9fbb0c0a02b13430200d1312762fef5a1fc268093d1d9322e5d056d23db1c37c974b44c98919e0c8c7dd66d7fe157f1faab4b4e38c29afc2

data/CHANGELOG.md

@@ -1,3 +1,8 @@
+## 0.3.0 - In Development
+
+* [#61](https://github.com/adamcaudill/yawast/issues/61) - SSL Session Count: force 3DES suites
+* [#23](https://github.com/adamcaudill/yawast/issues/23) - Add check for HTTP to HTTPS redirect
+
 ## 0.2.2 - 2016-08-07
 
 * [#55](https://github.com/adamcaudill/yawast/issues/55) - Add Protocol Intolerance information. 

data/lib/commands/utils.rb

@@ -7,29 +7,7 @@ module Yawast
         #this might be a bad assumption
         url = args[0]
 
-        #this might be buggy - actually, I know it is...
-        url = 'http://' + url unless url.include?('http://') || url.include?('https://')
-
-        #make sure the path is at least a slash
-        uri = URI.parse(url)
-        uri.path = '/' if uri.path == ''
-
-        #this is buggy, but we don't handle files anyhow...
-        #if the path doesn't end in a slash, add one.
-        if uri.path[-1, 1] != '/'
-          uri.path.concat '/'
-        end
-
-        #see if we can resolve the host
-        # we don't really need it, it just serves as validation
-        begin
-          dns = Resolv::DNS.new()
-          dns.getaddress(uri.host)
-        rescue => e
-          raise ArgumentError.new("Invalid URL (#{e.message})") unless uri.host == 'localhost'
-        end
-
-        return uri
+        return Yawast::Shared::Uri.extract_uri url
       end
     end
   end

data/lib/scanner/core.rb

@@ -1,19 +1,28 @@
 module Yawast
   module Scanner
     class Core
-      def self.print_header(uri)
+      def self.print_header
         Yawast.header
 
-        puts "Scanning: #{uri.to_s}"
+        puts "Scanning: #{@uri.to_s}"
         puts
       end
 
       def self.setup(uri, options)
         unless @setup
-          print_header(uri)
+          @uri = uri
+
+          print_header
+
+          ssl_redirect = check_for_ssl_redirect
+          if ssl_redirect
+            @uri = ssl_redirect
+            puts "Server redirects to TLS: Scanning: #{@uri.to_s}"
+          end
+
           Yawast.set_openssl_options
 
-          Yawast::Scanner::Generic.server_info(uri, options)
+          Yawast::Scanner::Generic.server_info(@uri, options)
         end
 
         @setup = true
@@ -27,37 +36,37 @@ module Yawast
           Yawast::Shared::Http.setup(options.proxy, options.cookie)
 
           #cache the HEAD result, so that we can minimize hits
-          head = Yawast::Shared::Http.head(uri)
+          head = Yawast::Shared::Http.head(@uri)
           Yawast::Scanner::Generic.head_info(head)
 
           #perfom SSL checks
-          check_ssl(uri, options, head)
+          check_ssl(@uri, options, head)
 
           #process the 'scan' stuff that goes beyond 'head'
           unless options.head
             #server specific checks
-            Yawast::Scanner::Apache.check_all(uri, head)
-            Yawast::Scanner::Iis.check_all(uri, head)
-
-            Yawast::Scanner::ObjectPresence.check_source_control(uri)
-            Yawast::Scanner::ObjectPresence.check_sitemap(uri)
-            Yawast::Scanner::ObjectPresence.check_cross_domain(uri)
-            Yawast::Scanner::ObjectPresence.check_wsftp_log(uri)
-            Yawast::Scanner::ObjectPresence.check_trace_axd(uri)
-            Yawast::Scanner::ObjectPresence.check_elmah_axd(uri)
-            Yawast::Scanner::ObjectPresence.check_readme_html(uri)
-            Yawast::Scanner::ObjectPresence.check_release_notes_txt(uri)
-
-            Yawast::Scanner::Generic.check_propfind(uri)
-            Yawast::Scanner::Generic.check_options(uri)
-            Yawast::Scanner::Generic.check_trace(uri)
+            Yawast::Scanner::Apache.check_all(@uri, head)
+            Yawast::Scanner::Iis.check_all(@uri, head)
+
+            Yawast::Scanner::ObjectPresence.check_source_control(@uri)
+            Yawast::Scanner::ObjectPresence.check_sitemap(@uri)
+            Yawast::Scanner::ObjectPresence.check_cross_domain(@uri)
+            Yawast::Scanner::ObjectPresence.check_wsftp_log(@uri)
+            Yawast::Scanner::ObjectPresence.check_trace_axd(@uri)
+            Yawast::Scanner::ObjectPresence.check_elmah_axd(@uri)
+            Yawast::Scanner::ObjectPresence.check_readme_html(@uri)
+            Yawast::Scanner::ObjectPresence.check_release_notes_txt(@uri)
+
+            Yawast::Scanner::Generic.check_propfind(@uri)
+            Yawast::Scanner::Generic.check_options(@uri)
+            Yawast::Scanner::Generic.check_trace(@uri)
 
             #check for common directories
             if options.dir
-              Yawast::Scanner::Generic.directory_search(uri, options.dirrecursive)
+              Yawast::Scanner::Generic.directory_search(@uri, options.dirrecursive)
             end
 
-            get_cms(uri, options)
+            get_cms(@uri, options)
           end
 
           puts 'Scan complete.'
@@ -73,20 +82,42 @@ module Yawast
         Yawast::Scanner::Cms.get_generator(body)
       end
 
+      def self.check_for_ssl_redirect
+        #check to see if the site redirects to SSL by default
+        if @uri.scheme != 'https'
+          head = Yawast::Shared::Http.head(@uri)
+
+          if head['Location'] != nil
+            begin
+              location = URI.parse(head['Location'])
+
+              if location.scheme == 'https'
+                #we run this through extract_uri as it performs a few checks we need
+                return Yawast::Shared::Uri.extract_uri location.to_s
+              end
+            rescue
+              #we don't care if this fails
+            end
+          end
+        end
+
+        return nil
+      end
+
       def self.check_ssl(uri, options, head)
         setup(uri, options)
 
-        if uri.scheme == 'https' && !options.nossl
-          head = Yawast::Shared::Http.head(uri) if head == nil
+        if @uri.scheme == 'https' && !options.nossl
+          head = Yawast::Shared::Http.head(@uri) if head == nil
 
           if options.internalssl
-            Yawast::Scanner::Ssl.info(uri, !options.nociphers, options.sweet32count)
+            Yawast::Scanner::Ssl.info(uri, !options.nociphers, options.sslsessioncount)
           else
-            Yawast::Scanner::SslLabs.info(uri, options.sslsessioncount)
+            Yawast::Scanner::SslLabs.info(@uri, options.sslsessioncount)
           end
 
           Yawast::Scanner::Ssl.check_hsts(head)
-        elsif uri.scheme == 'http'
+        elsif @uri.scheme == 'http'
           puts 'Skipping TLS checks; URL is not HTTPS'
         end
       end

data/lib/scanner/generic.rb

@@ -273,7 +273,7 @@ module Yawast
           headers = Yawast::Shared::Http.get_headers
           res = req.request(Trace.new('/', headers))
 
-          if res.body.include? 'TRACE / HTTP/1.1'
+          if res.body.include? 'TRACE / HTTP/1.1' && res.code == '200'
             Yawast::Utilities.puts_warn 'HTTP TRACE Enabled'
             puts "\t\t\"curl -X TRACE #{uri}\""
 

data/lib/scanner/ssl.rb

@@ -181,7 +181,7 @@ module Yawast
         def self.get_session_msg_count(uri)
           # this method will send a number of HEAD requests to see
           #  if the connection is eventually killed.
-          puts 'TLS Session Request Limit: Checking number of requests accepted...'
+          puts 'TLS Session Request Limit: Checking number of requests accepted using 3DES suites...'
 
           count = 0
           begin
@@ -190,6 +190,9 @@ module Yawast
             req.keep_alive_timeout = 600
             headers = Yawast::Shared::Http.get_headers
 
+            #force 3DES - this is to ensure that 3DES specific limits are caught
+            req.ciphers = ["3DES"]
+
             req.start do |http|
               10000.times do |i|
                 http.head(uri.path, headers)
@@ -208,13 +211,18 @@ module Yawast
             end
           rescue => e
             puts
-            Yawast::Utilities.puts_info "TLS Session Request Limit: Connection terminated after #{count} requests (#{e.message})"
+
+            if e.message.include? 'alert handshake failure'
+              Yawast::Utilities.puts_info 'TLS Session Request Limit: Server does not support 3DES cipher suites'
+            else
+              Yawast::Utilities.puts_info "TLS Session Request Limit: Connection terminated after #{count} requests (#{e.message})"
+            end
+
             return
           end
 
           puts
-          Yawast::Utilities.puts_warn 'TLS Session Request Limit: Connection not terminated after 10,000 requests'
-          Yawast::Utilities.puts_warn 'TLS Session Request Limit: If server supports 3DES, may be affected by SWEET32'
+          Yawast::Utilities.puts_vuln 'TLS Session Request Limit: Connection not terminated after 10,000 requests; possibly vulnerable to SWEET32'
         end
 
       #private methods

data/lib/scanner/ssl_labs.rb

@@ -491,6 +491,8 @@ module Yawast
           if ep.details.protocol_intolerance & (1<<5) != 0
             Yawast::Utilities.puts_warn "\t\t\tProtocol Intolerance: TLS 2.152"
           end
+        else
+          Yawast::Utilities.puts_info "\t\t\tProtocol Intolerance: No"
         end
 
         puts

data/lib/shared/uri.rb

@@ -0,0 +1,31 @@
+module Yawast
+  module Shared
+    class Uri
+      def self.extract_uri(url)
+        #this might be buggy - actually, I know it is...
+        url = 'http://' + url unless url.include?('http://') || url.include?('https://')
+
+        #make sure the path is at least a slash
+        uri = URI.parse(url)
+        uri.path = '/' if uri.path == ''
+
+        #this is buggy, but we don't handle files anyhow...
+        #if the path doesn't end in a slash, add one.
+        if uri.path[-1, 1] != '/'
+          uri.path.concat '/'
+        end
+
+        #see if we can resolve the host
+        # we don't really need it, it just serves as validation
+        begin
+          dns = Resolv::DNS.new
+          dns.getaddress(uri.host)
+        rescue => e
+          raise ArgumentError.new("Invalid URL (#{e.message})") unless uri.host == 'localhost'
+        end
+
+        return uri
+      end
+    end
+  end
+end

data/lib/version.rb

@@ -1,3 +1,3 @@
 module Yawast
-  VERSION = '0.2.2'
+  VERSION = '0.3.0.beta1'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: yawast
 version: !ruby/object:Gem::Version
-  version: 0.2.2
+  version: 0.3.0.beta1
 platform: ruby
 authors:
 - Adam Caudill
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-09-07 00:00:00.000000000 Z
+date: 2016-09-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ssllabs
@@ -127,6 +127,7 @@ files:
 - lib/scanner/ssl.rb
 - lib/scanner/ssl_labs.rb
 - lib/shared/http.rb
+- lib/shared/uri.rb
 - lib/string_ext.rb
 - lib/uri_ext.rb
 - lib/util.rb
@@ -169,9 +170,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project: yawast
 rubygems_version: 2.6.6