yawast 0.4.0.beta4 → 0.4.0.beta5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.codeclimate.yml +25 -0
- data/.rubocop.yml +1156 -0
- data/.travis.yml +4 -0
- data/CHANGELOG.md +2 -0
- data/Gemfile +1 -1
- data/README.md +1 -1
- data/Rakefile +25 -4
- data/bin/yawast +1 -1
- data/lib/scanner/apache.rb +2 -2
- data/lib/scanner/core.rb +2 -2
- data/lib/scanner/generic.rb +16 -6
- data/lib/scanner/iis.rb +1 -1
- data/lib/scanner/plugins/http/directory_search.rb +18 -8
- data/lib/scanner/plugins/http/file_presence.rb +1 -1
- data/lib/scanner/ssl.rb +3 -3
- data/lib/scanner/ssl_labs.rb +1 -1
- data/lib/shared/http.rb +1 -0
- data/lib/version.rb +1 -1
- data/lib/yawast.rb +1 -1
- data/test/base.rb +6 -3
- data/test/test_cmd_util.rb +0 -1
- data/test/test_directory_search.rb +54 -0
- data/test/test_helper.rb +6 -3
- data/test/test_object_presence.rb +20 -1
- data/test/test_scan_apache_banner.rb +2 -3
- data/test/test_scan_apache_server_info.rb +2 -1
- data/test/test_scan_apache_server_status.rb +2 -1
- data/test/test_scan_cms.rb +0 -1
- data/test/test_scan_iis_headers.rb +0 -1
- data/test/test_scan_nginx_banner.rb +0 -1
- data/test/test_shared_http.rb +6 -1
- data/test/test_shared_util.rb +0 -1
- data/test/test_string_ext.rb +0 -1
- data/test/test_yawast.rb +0 -1
- data/yawast.gemspec +7 -7
- metadata +6 -2
data/.travis.yml
CHANGED
data/CHANGELOG.md
CHANGED
|
@@ -4,6 +4,8 @@
|
|
|
4
4
|
* [#67](https://github.com/adamcaudill/yawast/issues/67) - Make "Found Redirect" optional
|
|
5
5
|
* [#69](https://github.com/adamcaudill/yawast/issues/69) - False positives on non-standard 404 handling
|
|
6
6
|
* [#73](https://github.com/adamcaudill/yawast/issues/73) - Use `--internalssl` when host is an IP address
|
|
7
|
+
* [#64](https://github.com/adamcaudill/yawast/issues/64) - Add check for secure cookie on HTTP host
|
|
8
|
+
* [#45](https://github.com/adamcaudill/yawast/issues/45) - Access Control Headers Check
|
|
7
9
|
* [#65](https://github.com/adamcaudill/yawast/issues/65) - Bug: Output redirection doesn't work correctly
|
|
8
10
|
* [#70](https://github.com/adamcaudill/yawast/issues/70) - Bug: Handle scans of IP addresses
|
|
9
11
|
* [#72](https://github.com/adamcaudill/yawast/issues/72) - Bug: internalssl & Scanning IPs Fails
|
data/Gemfile
CHANGED
data/README.md
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
## YAWAST [](https://travis-ci.org/adamcaudill/yawast) [](https://codeclimate.com/github/adamcaudill/yawast) [](https://codeclimate.com/github/adamcaudill/yawast/coverage) [](https://badge.fury.io/rb/yawast)
|
|
2
2
|
|
|
3
3
|
**The YAWAST Antecedent Web Application Security Toolkit**
|
|
4
4
|
|
data/Rakefile
CHANGED
|
@@ -1,9 +1,30 @@
|
|
|
1
1
|
require 'rake/testtask'
|
|
2
2
|
|
|
3
|
-
task :default => [:
|
|
3
|
+
task :default => [:codeclimate]
|
|
4
4
|
|
|
5
5
|
task :test do
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
6
|
+
#set this, so that we can modify behavior based on where's it's ran from
|
|
7
|
+
ENV['FROM_RAKE'] = 'true'
|
|
8
|
+
|
|
9
|
+
require File.join(File.dirname(__FILE__), 'test/test_helper')
|
|
10
|
+
Dir.glob('./test/test_*.rb').each { |file| require file}
|
|
11
|
+
|
|
12
|
+
require 'minitest'
|
|
13
|
+
Minitest.run
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
task :codeclimate do
|
|
17
|
+
Rake::Task['test'].execute
|
|
18
|
+
|
|
19
|
+
require 'simplecov'
|
|
20
|
+
require 'codeclimate-test-reporter'
|
|
21
|
+
|
|
22
|
+
ENV['CODECLIMATE_REPO_TOKEN'] ='6fd9c710b9a6e0da2011c62b81075b9bd620200a2a400f4dbeab9c88829f4cb6'
|
|
23
|
+
|
|
24
|
+
SimpleCov.formatter = SimpleCov::Formatter::MultiFormatter.new([
|
|
25
|
+
SimpleCov::Formatter::HTMLFormatter,
|
|
26
|
+
CodeClimate::TestReporter::Formatter
|
|
27
|
+
])
|
|
28
|
+
|
|
29
|
+
CodeClimate::TestReporter::Formatter.new.format(SimpleCov.result)
|
|
9
30
|
end
|
data/bin/yawast
CHANGED
data/lib/scanner/apache.rb
CHANGED
|
@@ -9,7 +9,7 @@ module Yawast
|
|
|
9
9
|
modules = banner.split(' ')
|
|
10
10
|
server = modules[0]
|
|
11
11
|
|
|
12
|
-
#
|
|
12
|
+
#fix '(distro)' issue, such as with 'Apache/2.2.22 (Ubuntu)'
|
|
13
13
|
# if we don't do this, it triggers a false positive on the module check
|
|
14
14
|
if /\(\w*\)/.match modules[1]
|
|
15
15
|
server += " #{modules[1]}"
|
|
@@ -35,7 +35,7 @@ module Yawast
|
|
|
35
35
|
end
|
|
36
36
|
end
|
|
37
37
|
|
|
38
|
-
def self.check_all(uri
|
|
38
|
+
def self.check_all(uri)
|
|
39
39
|
#this check for @apache may yield false negatives.. meh.
|
|
40
40
|
if @apache
|
|
41
41
|
#run all the defined checks
|
data/lib/scanner/core.rb
CHANGED
|
@@ -37,7 +37,7 @@ module Yawast
|
|
|
37
37
|
|
|
38
38
|
#cache the HEAD result, so that we can minimize hits
|
|
39
39
|
head = Yawast::Shared::Http.head(@uri)
|
|
40
|
-
Yawast::Scanner::Generic.head_info(head)
|
|
40
|
+
Yawast::Scanner::Generic.head_info(head, @uri)
|
|
41
41
|
|
|
42
42
|
#perfom SSL checks
|
|
43
43
|
check_ssl(@uri, options, head)
|
|
@@ -45,7 +45,7 @@ module Yawast
|
|
|
45
45
|
#process the 'scan' stuff that goes beyond 'head'
|
|
46
46
|
unless options.head
|
|
47
47
|
#server specific checks
|
|
48
|
-
Yawast::Scanner::Apache.check_all(@uri
|
|
48
|
+
Yawast::Scanner::Apache.check_all(@uri)
|
|
49
49
|
Yawast::Scanner::Iis.check_all(@uri, head)
|
|
50
50
|
|
|
51
51
|
Yawast::Scanner::Plugins::Http::FilePresence.check_all @uri
|
data/lib/scanner/generic.rb
CHANGED
|
@@ -79,7 +79,7 @@ module Yawast
|
|
|
79
79
|
end
|
|
80
80
|
end
|
|
81
81
|
|
|
82
|
-
def self.head_info(head)
|
|
82
|
+
def self.head_info(head, uri)
|
|
83
83
|
begin
|
|
84
84
|
server = ''
|
|
85
85
|
powered_by = ''
|
|
@@ -93,6 +93,7 @@ module Yawast
|
|
|
93
93
|
xss_protection = ''
|
|
94
94
|
via = ''
|
|
95
95
|
hpkp = ''
|
|
96
|
+
acao = ''
|
|
96
97
|
|
|
97
98
|
Yawast::Utilities.puts_info 'HEAD:'
|
|
98
99
|
head.each do |k, v|
|
|
@@ -109,6 +110,7 @@ module Yawast
|
|
|
109
110
|
xss_protection = v if k.downcase == 'x-xss-protection'
|
|
110
111
|
via = v if k.downcase == 'via'
|
|
111
112
|
hpkp = v if k.downcase == 'public-key-pins'
|
|
113
|
+
acao = v if k.downcase == 'access-control-allow-origin'
|
|
112
114
|
|
|
113
115
|
if k.downcase == 'set-cookie'
|
|
114
116
|
#this chunk of magic manages to properly split cookies, when multiple are sent together
|
|
@@ -181,6 +183,10 @@ module Yawast
|
|
|
181
183
|
Yawast::Utilities.puts_warn 'Public-Key-Pins Header Not Present'
|
|
182
184
|
end
|
|
183
185
|
|
|
186
|
+
if acao == '*'
|
|
187
|
+
Yawast::Utilities.puts_warn 'Access-Control-Allow-Origin: Unrestricted'
|
|
188
|
+
end
|
|
189
|
+
|
|
184
190
|
puts ''
|
|
185
191
|
|
|
186
192
|
unless cookies.empty?
|
|
@@ -192,12 +198,16 @@ module Yawast
|
|
|
192
198
|
elements = val.strip.split(';')
|
|
193
199
|
|
|
194
200
|
#check for secure cookies
|
|
195
|
-
|
|
201
|
+
if elements.include?(' Secure') || elements.include?(' secure')
|
|
202
|
+
if uri.scheme != 'https'
|
|
203
|
+
Yawast::Utilities.puts_warn "\t\t\tCookie with Secure flag sent over non-HTTPS connection"
|
|
204
|
+
end
|
|
205
|
+
else
|
|
196
206
|
Yawast::Utilities.puts_warn "\t\t\tCookie missing Secure flag"
|
|
197
207
|
end
|
|
198
208
|
|
|
199
209
|
#check for HttpOnly cookies
|
|
200
|
-
unless elements.include?
|
|
210
|
+
unless elements.include?(' HttpOnly') || elements.include?(' httponly')
|
|
201
211
|
Yawast::Utilities.puts_warn "\t\t\tCookie missing HttpOnly flag"
|
|
202
212
|
end
|
|
203
213
|
end
|
|
@@ -262,21 +272,21 @@ module Yawast
|
|
|
262
272
|
|
|
263
273
|
#Custom class to allow using the PROPFIND verb
|
|
264
274
|
class Propfind < Net::HTTPRequest
|
|
265
|
-
METHOD =
|
|
275
|
+
METHOD = 'PROPFIND'
|
|
266
276
|
REQUEST_HAS_BODY = false
|
|
267
277
|
RESPONSE_HAS_BODY = true
|
|
268
278
|
end
|
|
269
279
|
|
|
270
280
|
#Custom class to allow using the OPTIONS verb
|
|
271
281
|
class Options < Net::HTTPRequest
|
|
272
|
-
METHOD =
|
|
282
|
+
METHOD = 'OPTIONS'
|
|
273
283
|
REQUEST_HAS_BODY = false
|
|
274
284
|
RESPONSE_HAS_BODY = true
|
|
275
285
|
end
|
|
276
286
|
|
|
277
287
|
#Custom class to allow using the TRACE verb
|
|
278
288
|
class Trace < Net::HTTPRequest
|
|
279
|
-
METHOD =
|
|
289
|
+
METHOD = 'TRACE'
|
|
280
290
|
REQUEST_HAS_BODY = false
|
|
281
291
|
RESPONSE_HAS_BODY = true
|
|
282
292
|
end
|
data/lib/scanner/iis.rb
CHANGED
|
@@ -3,7 +3,7 @@ module Yawast
|
|
|
3
3
|
module Plugins
|
|
4
4
|
module Http
|
|
5
5
|
class DirectorySearch
|
|
6
|
-
def self.search(uri, recursive, list_redirects)
|
|
6
|
+
def self.search(uri, recursive, list_redirects, search_list = nil)
|
|
7
7
|
@recursive = recursive
|
|
8
8
|
@list_redirects = list_redirects
|
|
9
9
|
|
|
@@ -13,6 +13,18 @@ module Yawast
|
|
|
13
13
|
puts 'Searching for common directories...'
|
|
14
14
|
end
|
|
15
15
|
|
|
16
|
+
if search_list == nil
|
|
17
|
+
@search_list = []
|
|
18
|
+
|
|
19
|
+
File.open(File.dirname(__FILE__) + '/../../../resources/common.txt', 'r') do |f|
|
|
20
|
+
f.each_line do |line|
|
|
21
|
+
@search_list.push line.strip
|
|
22
|
+
end
|
|
23
|
+
end
|
|
24
|
+
else
|
|
25
|
+
@search_list = search_list
|
|
26
|
+
end
|
|
27
|
+
|
|
16
28
|
begin
|
|
17
29
|
pool_size = 16
|
|
18
30
|
@jobs = Queue.new
|
|
@@ -58,14 +70,12 @@ module Yawast
|
|
|
58
70
|
end
|
|
59
71
|
|
|
60
72
|
def self.load_queue(uri)
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
check.path = check.path + "#{line.strip}/"
|
|
73
|
+
@search_list.each do |line|
|
|
74
|
+
check = uri.copy
|
|
75
|
+
check.path = check.path + "#{line}/"
|
|
65
76
|
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
end
|
|
77
|
+
#add the job to the queue
|
|
78
|
+
@jobs.push check
|
|
69
79
|
end
|
|
70
80
|
end
|
|
71
81
|
|
data/lib/scanner/ssl.rb
CHANGED
|
@@ -107,7 +107,7 @@ module Yawast
|
|
|
107
107
|
def self.get_ciphers(uri)
|
|
108
108
|
puts 'Supported Ciphers (based on your OpenSSL version):'
|
|
109
109
|
|
|
110
|
-
dns = Resolv::DNS.new
|
|
110
|
+
dns = Resolv::DNS.new
|
|
111
111
|
|
|
112
112
|
if IPAddress.valid? uri.host
|
|
113
113
|
ip = IPAddress.parse uri.host
|
|
@@ -120,7 +120,7 @@ module Yawast
|
|
|
120
120
|
|
|
121
121
|
versions.each do |version|
|
|
122
122
|
#ignore SSLv23, as it's an auto-negotiate, which just adds noise
|
|
123
|
-
if version.to_s !=
|
|
123
|
+
if version.to_s != 'SSLv23'
|
|
124
124
|
ciphers = OpenSSL::SSL::SSLContext.new(version).ciphers
|
|
125
125
|
puts "\tChecking for #{version.to_s} suites (#{ciphers.count} possible suites)"
|
|
126
126
|
|
|
@@ -197,7 +197,7 @@ module Yawast
|
|
|
197
197
|
headers = Yawast::Shared::Http.get_headers
|
|
198
198
|
|
|
199
199
|
#force 3DES - this is to ensure that 3DES specific limits are caught
|
|
200
|
-
req.ciphers = [
|
|
200
|
+
req.ciphers = ['3DES']
|
|
201
201
|
|
|
202
202
|
req.start do |http|
|
|
203
203
|
10000.times do |i|
|
data/lib/scanner/ssl_labs.rb
CHANGED
|
@@ -5,6 +5,7 @@ require 'digest/sha1'
|
|
|
5
5
|
|
|
6
6
|
module Yawast
|
|
7
7
|
module Scanner
|
|
8
|
+
# noinspection RubyResolve
|
|
8
9
|
class SslLabs
|
|
9
10
|
def self.info(uri, tdes_session_count)
|
|
10
11
|
puts 'Beginning SSL Labs scan (this could take a minute or two)'
|
|
@@ -259,7 +260,6 @@ module Yawast
|
|
|
259
260
|
strength = 112
|
|
260
261
|
end
|
|
261
262
|
|
|
262
|
-
suite_info = nil
|
|
263
263
|
if ke != nil
|
|
264
264
|
suite_info = "#{suite.name.ljust(50)} - #{strength}-bits - #{ke}"
|
|
265
265
|
else
|
data/lib/shared/http.rb
CHANGED
data/lib/version.rb
CHANGED
data/lib/yawast.rb
CHANGED
|
@@ -44,7 +44,7 @@ module Yawast
|
|
|
44
44
|
def self.set_openssl_options
|
|
45
45
|
#change certain defaults, to make things work better
|
|
46
46
|
#we prefer RSA, to avoid issues with small DH keys
|
|
47
|
-
OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ciphers] =
|
|
47
|
+
OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ciphers] = 'RSA:ALL:COMPLEMENTOFALL'
|
|
48
48
|
OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:verify_mode] = OpenSSL::SSL::VERIFY_NONE
|
|
49
49
|
OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:options] = OpenSSL::SSL::OP_ALL
|
|
50
50
|
end
|
data/test/base.rb
CHANGED
|
@@ -1,3 +1,8 @@
|
|
|
1
|
+
require File.join(File.dirname(__FILE__), 'test_helper')
|
|
2
|
+
|
|
3
|
+
#if we are running from RubyMine, we need this, but it breaks things when called from Rake.
|
|
4
|
+
require 'minitest/autorun' unless ENV['FROM_RAKE'] == 'true'
|
|
5
|
+
|
|
1
6
|
module TestBase
|
|
2
7
|
def override_stdout
|
|
3
8
|
@orig_stdout = $stdout
|
|
@@ -17,7 +22,7 @@ module TestBase
|
|
|
17
22
|
end
|
|
18
23
|
|
|
19
24
|
def start_web_server(file, url, port = 1234)
|
|
20
|
-
|
|
25
|
+
Thread.new {
|
|
21
26
|
server = WEBrick::HTTPServer.new :Port => port,
|
|
22
27
|
:BindAddress => 'localhost',
|
|
23
28
|
:AccessLog => [],
|
|
@@ -25,8 +30,6 @@ module TestBase
|
|
|
25
30
|
server.mount "/#{url}", WEBrick::HTTPServlet::FileHandler, file
|
|
26
31
|
server.start
|
|
27
32
|
}
|
|
28
|
-
|
|
29
|
-
thr
|
|
30
33
|
end
|
|
31
34
|
|
|
32
35
|
def parse_headers_from_file(file)
|
data/test/test_cmd_util.rb
CHANGED
|
@@ -0,0 +1,54 @@
|
|
|
1
|
+
require 'webrick'
|
|
2
|
+
require File.dirname(__FILE__) + '/../lib/yawast'
|
|
3
|
+
require File.dirname(__FILE__) + '/base'
|
|
4
|
+
|
|
5
|
+
class TestDirectorySearch < Minitest::Test
|
|
6
|
+
include TestBase
|
|
7
|
+
|
|
8
|
+
def test_directory_search_recurs
|
|
9
|
+
port = rand(60000) + 1024 # pick a random port number
|
|
10
|
+
server = run_server port
|
|
11
|
+
|
|
12
|
+
override_stdout
|
|
13
|
+
uri = Yawast::Commands::Utils.extract_uri(["http://localhost:#{port}"])
|
|
14
|
+
|
|
15
|
+
Yawast::Shared::Http.setup nil, nil
|
|
16
|
+
Yawast::Scanner::Plugins::Http::DirectorySearch.search uri, true, true, %w(test data)
|
|
17
|
+
|
|
18
|
+
assert stdout_value.include?('Recursively searching for common directories'), 'Output not found'
|
|
19
|
+
|
|
20
|
+
server.exit
|
|
21
|
+
restore_stdout
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
def test_directory_search
|
|
25
|
+
port = rand(60000) + 1024 # pick a random port number
|
|
26
|
+
server = run_server port
|
|
27
|
+
|
|
28
|
+
override_stdout
|
|
29
|
+
uri = Yawast::Commands::Utils.extract_uri(["http://localhost:#{port}"])
|
|
30
|
+
|
|
31
|
+
Yawast::Shared::Http.setup nil, nil
|
|
32
|
+
Yawast::Scanner::Plugins::Http::DirectorySearch.search uri, false, true, %w(test data)
|
|
33
|
+
|
|
34
|
+
assert stdout_value.include?('Searching for common directories'), 'Output not found'
|
|
35
|
+
|
|
36
|
+
server.exit
|
|
37
|
+
restore_stdout
|
|
38
|
+
end
|
|
39
|
+
|
|
40
|
+
def run_server(port)
|
|
41
|
+
Thread.new {
|
|
42
|
+
sockets = WEBrick::Utils.create_listeners nil, port
|
|
43
|
+
|
|
44
|
+
server = WEBrick::HTTPServer.new :Port => port,
|
|
45
|
+
:BindAddress => 'localhost',
|
|
46
|
+
:AccessLog => [],
|
|
47
|
+
:Logger => WEBrick::Log.new('/dev/null'),
|
|
48
|
+
:DocumentRoot => File.dirname(__FILE__),
|
|
49
|
+
:DoNotListen => true
|
|
50
|
+
server.listeners.replace sockets
|
|
51
|
+
server.start
|
|
52
|
+
}
|
|
53
|
+
end
|
|
54
|
+
end
|
data/test/test_helper.rb
CHANGED
|
@@ -1,4 +1,3 @@
|
|
|
1
|
-
require 'minitest/autorun'
|
|
2
1
|
require 'webrick'
|
|
3
2
|
require File.dirname(__FILE__) + '/../lib/yawast'
|
|
4
3
|
require File.dirname(__FILE__) + '/base'
|
|
@@ -12,6 +11,8 @@ class TestScannerApacheServerStatus < Minitest::Test
|
|
|
12
11
|
|
|
13
12
|
override_stdout
|
|
14
13
|
uri = Yawast::Commands::Utils.extract_uri(["http://localhost:#{port}"])
|
|
14
|
+
|
|
15
|
+
Yawast::Shared::Http.setup nil, nil
|
|
15
16
|
Yawast::Scanner::Plugins::Http::FilePresence.check_readme_html uri
|
|
16
17
|
|
|
17
18
|
assert stdout_value.include?('\'/readme.html\' found:'), 'readme.html page warning not found'
|
|
@@ -20,12 +21,30 @@ class TestScannerApacheServerStatus < Minitest::Test
|
|
|
20
21
|
restore_stdout
|
|
21
22
|
end
|
|
22
23
|
|
|
24
|
+
def test_readme_html_present_all
|
|
25
|
+
port = rand(60000) + 1024 # pick a random port number
|
|
26
|
+
server = start_web_server File.dirname(__FILE__) + '/data/wordpress_readme_html.txt', 'readme.html', port
|
|
27
|
+
|
|
28
|
+
override_stdout
|
|
29
|
+
uri = Yawast::Commands::Utils.extract_uri(["http://localhost:#{port}"])
|
|
30
|
+
|
|
31
|
+
Yawast::Shared::Http.setup nil, nil
|
|
32
|
+
Yawast::Scanner::Plugins::Http::FilePresence.check_all uri
|
|
33
|
+
|
|
34
|
+
assert stdout_value.include?('\'/readme.html\' found:'), 'readme.html page warning not found'
|
|
35
|
+
|
|
36
|
+
server.exit
|
|
37
|
+
restore_stdout
|
|
38
|
+
end
|
|
39
|
+
|
|
23
40
|
def test_release_notes_txt_present
|
|
24
41
|
port = rand(60000) + 1024 # pick a random port number
|
|
25
42
|
server = start_web_server File.dirname(__FILE__) + '/data/tomcat_release_notes.txt', 'RELEASE-NOTES.txt', port
|
|
26
43
|
|
|
27
44
|
override_stdout
|
|
28
45
|
uri = Yawast::Commands::Utils.extract_uri(["http://localhost:#{port}"])
|
|
46
|
+
|
|
47
|
+
Yawast::Shared::Http.setup nil, nil
|
|
29
48
|
Yawast::Scanner::Plugins::Http::FilePresence.check_release_notes_txt uri
|
|
30
49
|
|
|
31
50
|
assert stdout_value.include?('\'/RELEASE-NOTES.txt\' found:'), 'RELEASE-NOTES.txt page warning not found'
|
|
@@ -1,11 +1,10 @@
|
|
|
1
|
-
require 'minitest/autorun'
|
|
2
1
|
require File.dirname(__FILE__) + '/../lib/yawast'
|
|
3
2
|
require File.dirname(__FILE__) + '/base'
|
|
4
3
|
|
|
5
4
|
class TestScannerApacheBanner < Minitest::Test
|
|
6
5
|
include TestBase
|
|
7
6
|
|
|
8
|
-
def
|
|
7
|
+
def test_apache_banner_no_version
|
|
9
8
|
server = 'Apache'
|
|
10
9
|
override_stdout
|
|
11
10
|
Yawast::Scanner::Apache.check_banner server
|
|
@@ -25,7 +24,7 @@ class TestScannerApacheBanner < Minitest::Test
|
|
|
25
24
|
restore_stdout
|
|
26
25
|
end
|
|
27
26
|
|
|
28
|
-
def
|
|
27
|
+
def test_apache_banner_distro
|
|
29
28
|
server = 'Apache/2.4.7 (Ubuntu)'
|
|
30
29
|
override_stdout
|
|
31
30
|
Yawast::Scanner::Apache.check_banner server
|
|
@@ -1,4 +1,3 @@
|
|
|
1
|
-
require 'minitest/autorun'
|
|
2
1
|
require 'webrick'
|
|
3
2
|
require File.dirname(__FILE__) + '/../lib/yawast'
|
|
4
3
|
require File.dirname(__FILE__) + '/base'
|
|
@@ -12,6 +11,8 @@ class TestScannerApacheServerInfo < Minitest::Test
|
|
|
12
11
|
|
|
13
12
|
override_stdout
|
|
14
13
|
uri = Yawast::Commands::Utils.extract_uri(["http://localhost:#{port}"])
|
|
14
|
+
|
|
15
|
+
Yawast::Shared::Http.setup nil, nil
|
|
15
16
|
Yawast::Scanner::Apache.check_server_info uri
|
|
16
17
|
|
|
17
18
|
assert stdout_value.include?('Apache Server Info page found'), 'Apache Server Info page warning not found'
|
|
@@ -1,4 +1,3 @@
|
|
|
1
|
-
require 'minitest/autorun'
|
|
2
1
|
require 'webrick'
|
|
3
2
|
require File.dirname(__FILE__) + '/../lib/yawast'
|
|
4
3
|
require File.dirname(__FILE__) + '/base'
|
|
@@ -12,6 +11,8 @@ class TestScannerApacheServerStatus < Minitest::Test
|
|
|
12
11
|
|
|
13
12
|
override_stdout
|
|
14
13
|
uri = Yawast::Commands::Utils.extract_uri(["http://localhost:#{port}"])
|
|
14
|
+
|
|
15
|
+
Yawast::Shared::Http.setup nil, nil
|
|
15
16
|
Yawast::Scanner::Apache.check_server_status uri
|
|
16
17
|
|
|
17
18
|
assert stdout_value.include?('Apache Server Status page found'), 'Apache Server Status page warning not found'
|
data/test/test_scan_cms.rb
CHANGED
data/test/test_shared_http.rb
CHANGED
|
@@ -1,4 +1,3 @@
|
|
|
1
|
-
require 'minitest/autorun'
|
|
2
1
|
require File.dirname(__FILE__) + '/../lib/yawast'
|
|
3
2
|
require File.dirname(__FILE__) + '/base'
|
|
4
3
|
|
|
@@ -10,12 +9,14 @@ class TestSharedHttp < Minitest::Test
|
|
|
10
9
|
end
|
|
11
10
|
|
|
12
11
|
def test_get_apple_success
|
|
12
|
+
Yawast::Shared::Http.setup nil, nil
|
|
13
13
|
body = Yawast::Shared::Http.get @uri
|
|
14
14
|
|
|
15
15
|
assert body.include?('Success'), 'Failed to receive "Success" message from Apple.com'
|
|
16
16
|
end
|
|
17
17
|
|
|
18
18
|
def test_status_apple_success
|
|
19
|
+
Yawast::Shared::Http.setup nil, nil
|
|
19
20
|
status = Yawast::Shared::Http.get_status_code @uri
|
|
20
21
|
|
|
21
22
|
assert_equal status, '200'
|
|
@@ -24,13 +25,17 @@ class TestSharedHttp < Minitest::Test
|
|
|
24
25
|
def test_status_apple_failure
|
|
25
26
|
uri = @uri
|
|
26
27
|
uri.path += '.404'
|
|
28
|
+
|
|
29
|
+
Yawast::Shared::Http.setup nil, nil
|
|
27
30
|
status = Yawast::Shared::Http.get_status_code uri
|
|
28
31
|
|
|
29
32
|
assert_equal status, '404'
|
|
30
33
|
end
|
|
31
34
|
|
|
32
35
|
def test_head_apple_success
|
|
36
|
+
Yawast::Shared::Http.setup nil, nil
|
|
33
37
|
head = Yawast::Shared::Http.head @uri
|
|
38
|
+
|
|
34
39
|
head.each do |k, v|
|
|
35
40
|
if k.downcase == 'server'
|
|
36
41
|
assert_equal v, 'Apache'
|
data/test/test_shared_util.rb
CHANGED
data/test/test_string_ext.rb
CHANGED
data/test/test_yawast.rb
CHANGED
data/yawast.gemspec
CHANGED
|
@@ -1,17 +1,17 @@
|
|
|
1
|
-
$:.push File.expand_path(
|
|
2
|
-
require File.expand_path(
|
|
1
|
+
$:.push File.expand_path('../lib', __FILE__)
|
|
2
|
+
require File.expand_path('../lib/version', __FILE__)
|
|
3
3
|
|
|
4
4
|
Gem::Specification.new do |s|
|
|
5
5
|
s.name = 'yawast'
|
|
6
6
|
s.version = Yawast::VERSION
|
|
7
7
|
s.platform = Gem::Platform::RUBY
|
|
8
|
-
s.summary =
|
|
9
|
-
s.description =
|
|
10
|
-
s.authors = [
|
|
8
|
+
s.summary = 'The YAWAST Antecedent Web Application Security Toolkit'
|
|
9
|
+
s.description = 'YAWAST is an application meant to simplify initial analysis and information gathering for penetration testers and security auditors.'
|
|
10
|
+
s.authors = ['Adam Caudill']
|
|
11
11
|
s.email = 'adam@adamcaudill.com'
|
|
12
12
|
s.homepage = 'https://github.com/adamcaudill/yawast'
|
|
13
13
|
s.license = 'MIT'
|
|
14
|
-
s.rubyforge_project =
|
|
14
|
+
s.rubyforge_project = 'yawast'
|
|
15
15
|
|
|
16
16
|
s.add_runtime_dependency 'ssllabs', '~> 1.24'
|
|
17
17
|
s.add_runtime_dependency 'commander', '~> 4.4'
|
|
@@ -25,5 +25,5 @@ Gem::Specification.new do |s|
|
|
|
25
25
|
s.files = `git ls-files`.split("\n")
|
|
26
26
|
s.test_files = `git ls-files -- {test,spec,features}/*`.split("\n")
|
|
27
27
|
s.executables = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
|
|
28
|
-
s.require_path = [
|
|
28
|
+
s.require_path = ['lib']
|
|
29
29
|
end
|