yawast 0.5.0.beta1 → 0.5.0.beta2

data/lib/scanner/ssl.rb

@@ -19,75 +19,11 @@ module Yawast
           cert = ssl.peer_cert
 
           unless cert.nil?
-            Yawast::Utilities.puts_info 'Found X509 Certificate:'
-            Yawast::Utilities.puts_info "\t\tIssued To: #{cert.subject.common_name} / #{cert.subject.organization}"
-            Yawast::Utilities.puts_info "\t\tIssuer: #{cert.issuer.common_name} / #{cert.issuer.organization}"
-            Yawast::Utilities.puts_info "\t\tVersion: #{cert.version}"
-            Yawast::Utilities.puts_info "\t\tSerial: #{cert.serial}"
-            Yawast::Utilities.puts_info "\t\tSubject: #{cert.subject}"
-
-            #check to see if cert is expired
-            if cert.not_after > Time.now
-              Yawast::Utilities.puts_info "\t\tExpires: #{cert.not_after}"
-            else
-              Yawast::Utilities.puts_vuln "\t\tExpires: #{cert.not_after} (Expired)"
-            end
-
-            #check for SHA1 & MD5 certs
-            if cert.signature_algorithm.include?('md5') || cert.signature_algorithm.include?('sha1')
-              Yawast::Utilities.puts_vuln "\t\tSignature Algorithm: #{cert.signature_algorithm}"
-            else
-              Yawast::Utilities.puts_info "\t\tSignature Algorithm: #{cert.signature_algorithm}"
-            end
-
-            Yawast::Utilities.puts_info "\t\tKey: #{cert.public_key.class.to_s.gsub('OpenSSL::PKey::', '')}-#{get_x509_pub_key_strength(cert)}"
-            Yawast::Utilities.puts_info "\t\t\tKey Hash: #{Digest::SHA1.hexdigest(cert.public_key.to_s)}"
-            Yawast::Utilities.puts_info "\t\tExtensions:"
-            cert.extensions.each { |ext| Yawast::Utilities.puts_info "\t\t\t#{ext}" unless ext.oid == 'subjectAltName' }
-
-            #alt names
-            alt_names = cert.extensions.find {|e| e.oid == 'subjectAltName'}
-            unless alt_names.nil?
-              Yawast::Utilities.puts_info "\t\tAlternate Names:"
-              alt_names.value.split(',').each { |name| Yawast::Utilities.puts_info "\t\t\t#{name.strip.delete('DNS:')}" }
-            end
-
-            hash = Digest::SHA1.hexdigest(cert.to_der)
-            Yawast::Utilities.puts_info "\t\tHash: #{hash}"
-            puts "\t\t\thttps://censys.io/certificates?q=#{hash}"
-            puts "\t\t\thttps://crt.sh/?q=#{hash}"
-            puts ''
+            get_cert_info cert
           end
 
           cert_chain = ssl.peer_cert_chain
-
-          if cert_chain.count == 1
-            #HACK: This is an ugly way to guess if it's a missing intermediate, or self-signed
-            #tIt looks like a change to Ruby's OpenSSL wrapper is needed to actually fix this right.
-
-            if cert.issuer == cert.subject
-              Yawast::Utilities.puts_vuln "\t\tCertificate Is Self-Singed"
-            else
-              Yawast::Utilities.puts_warn "\t\tCertificate Chain Is Incomplete"
-            end
-
-            puts ''
-          end
-
-          unless cert_chain.nil?
-            Yawast::Utilities.puts_info 'Certificate: Chain'
-            cert_chain.each do |c|
-              Yawast::Utilities.puts_info "\t\tIssued To: #{c.subject.common_name} / #{c.subject.organization}"
-              Yawast::Utilities.puts_info "\t\t\tIssuer: #{c.issuer.common_name} / #{c.issuer.organization}"
-              Yawast::Utilities.puts_info "\t\t\tExpires: #{c.not_after}"
-              Yawast::Utilities.puts_info "\t\t\tKey: #{c.public_key.class.to_s.gsub('OpenSSL::PKey::', '')}-#{get_x509_pub_key_strength(c)}"
-              Yawast::Utilities.puts_info "\t\t\tSignature Algorithm: #{c.signature_algorithm}"
-              Yawast::Utilities.puts_info "\t\t\tHash: #{Digest::SHA1.hexdigest(c.to_der)}"
-              puts ''
-            end
-
-            puts ''
-          end
+          get_cert_chain_info cert_chain, cert
 
           puts "\t\tQualys SSL Labs: https://www.ssllabs.com/ssltest/analyze.html?d=#{uri.host}&hideResults=on"
           puts ''
@@ -104,6 +40,84 @@ module Yawast
         end
       end
 
+      def self.get_cert_info(cert)
+        Yawast::Utilities.puts_info 'Found X509 Certificate:'
+        Yawast::Utilities.puts_info "\t\tIssued To: #{cert.subject.common_name} / #{cert.subject.organization}"
+        Yawast::Utilities.puts_info "\t\tIssuer: #{cert.issuer.common_name} / #{cert.issuer.organization}"
+        Yawast::Utilities.puts_info "\t\tVersion: #{cert.version}"
+        Yawast::Utilities.puts_info "\t\tSerial: #{cert.serial}"
+        Yawast::Utilities.puts_info "\t\tSubject: #{cert.subject}"
+
+        #check to see if cert is expired
+        if cert.not_after > Time.now
+          Yawast::Utilities.puts_info "\t\tExpires: #{cert.not_after}"
+        else
+          Yawast::Utilities.puts_vuln "\t\tExpires: #{cert.not_after} (Expired)"
+        end
+
+        #check for SHA1 & MD5 certs
+        if cert.signature_algorithm.include?('md5') || cert.signature_algorithm.include?('sha1')
+          Yawast::Utilities.puts_vuln "\t\tSignature Algorithm: #{cert.signature_algorithm}"
+        else
+          Yawast::Utilities.puts_info "\t\tSignature Algorithm: #{cert.signature_algorithm}"
+        end
+
+        Yawast::Utilities.puts_info "\t\tKey: #{cert.public_key.class.to_s.gsub('OpenSSL::PKey::', '')}-#{get_x509_pub_key_strength(cert)}"
+        Yawast::Utilities.puts_info "\t\t\tKey Hash: #{Digest::SHA1.hexdigest(cert.public_key.to_s)}"
+        Yawast::Utilities.puts_info "\t\tExtensions:"
+        cert.extensions.each { |ext| Yawast::Utilities.puts_info "\t\t\t#{ext}" unless ext.oid == 'subjectAltName' || ext.oid == 'ct_precert_scts' }
+
+        #ct_precert_scts
+        scts = cert.extensions.find {|e| e.oid == 'ct_precert_scts'}
+        unless scts.nil?
+          Yawast::Utilities.puts_info "\t\tSCTs:"
+          scts.value.split("\n").each { |line| puts "\t\t\t#{line}" }
+        end
+
+        #alt names
+        alt_names = cert.extensions.find {|e| e.oid == 'subjectAltName'}
+        unless alt_names.nil?
+          Yawast::Utilities.puts_info "\t\tAlternate Names:"
+          alt_names.value.split(',').each { |name| Yawast::Utilities.puts_info "\t\t\t#{name.strip.delete('DNS:')}" }
+        end
+
+        hash = Digest::SHA1.hexdigest(cert.to_der)
+        Yawast::Utilities.puts_info "\t\tHash: #{hash}"
+        puts "\t\t\thttps://censys.io/certificates?q=#{hash}"
+        puts "\t\t\thttps://crt.sh/?q=#{hash}"
+        puts ''
+      end
+
+      def self.get_cert_chain_info(cert_chain, cert)
+        if cert_chain.count == 1
+          #HACK: This is an ugly way to guess if it's a missing intermediate, or self-signed
+          #tIt looks like a change to Ruby's OpenSSL wrapper is needed to actually fix this right.
+
+          if cert.issuer == cert.subject
+            Yawast::Utilities.puts_vuln "\t\tCertificate Is Self-Singed"
+          else
+            Yawast::Utilities.puts_warn "\t\tCertificate Chain Is Incomplete"
+          end
+
+          puts ''
+        end
+
+        unless cert_chain.nil?
+          Yawast::Utilities.puts_info 'Certificate: Chain'
+          cert_chain.each do |c|
+            Yawast::Utilities.puts_info "\t\tIssued To: #{c.subject.common_name} / #{c.subject.organization}"
+            Yawast::Utilities.puts_info "\t\t\tIssuer: #{c.issuer.common_name} / #{c.issuer.organization}"
+            Yawast::Utilities.puts_info "\t\t\tExpires: #{c.not_after}"
+            Yawast::Utilities.puts_info "\t\t\tKey: #{c.public_key.class.to_s.gsub('OpenSSL::PKey::', '')}-#{get_x509_pub_key_strength(c)}"
+            Yawast::Utilities.puts_info "\t\t\tSignature Algorithm: #{c.signature_algorithm}"
+            Yawast::Utilities.puts_info "\t\t\tHash: #{Digest::SHA1.hexdigest(c.to_der)}"
+            puts ''
+          end
+
+          puts ''
+        end
+      end
+
       def self.get_ciphers(uri)
         puts 'Supported Ciphers (based on your OpenSSL version):'
 
@@ -124,14 +138,18 @@ module Yawast
             #try to get the list of ciphers supported for each version
             ciphers = nil
 
+            get_ciphers_failed = false
             begin
               ciphers = OpenSSL::SSL::SSLContext.new(version).ciphers
             rescue => e
-              Yawast::Utilities.puts_error "\tError getting cipher suites for #{version.to_s}, skipping. (#{e.message})"
+              Yawast::Utilities.puts_error "\tError getting cipher suites for #{version}, skipping. (#{e.message})"
+              get_ciphers_failed = true
             end
 
             if ciphers != nil
               check_version_suites uri, ip, ciphers, version
+            elsif get_ciphers_failed == false
+              Yawast::Utilities.puts_info "\t#{version}: No cipher suites available."
             end
           end
         end
@@ -140,7 +158,7 @@ module Yawast
       end
 
       def self.check_version_suites(uri, ip, ciphers, version)
-        puts "\tChecking for #{version.to_s} suites (#{ciphers.count} possible suites)"
+        puts "\tChecking for #{version} suites (#{ciphers.count} possible suites)"
 
         ciphers.each do |cipher|
           #try to connect and see what happens
@@ -153,23 +171,15 @@ module Yawast
 
             ssl.connect
 
-            if cipher[2] < 112 || cipher[0].include?('RC4')
-              #less than 112 bits or RC4, flag as a vuln
-              Yawast::Utilities.puts_vuln "\t\tVersion: #{ssl.ssl_version.ljust(7)}\tBits: #{cipher[2]}\tCipher: #{cipher[0]}"
-            elsif cipher[2] >= 128
-              #secure, probably safe
-              Yawast::Utilities.puts_info "\t\tVersion: #{ssl.ssl_version.ljust(7)}\tBits: #{cipher[2]}\tCipher: #{cipher[0]}"
-            else
-              #weak, but not "omg!" weak.
-              Yawast::Utilities.puts_warn "\t\tVersion: #{ssl.ssl_version.ljust(7)}\tBits: #{cipher[2]}\tCipher: #{cipher[0]}"
-            end
+            check_cipher_strength cipher, ssl
 
             ssl.sysclose
           rescue OpenSSL::SSL::SSLError => e
             unless e.message.include?('alert handshake failure') ||
                 e.message.include?('no ciphers available') ||
                 e.message.include?('wrong version number') ||
-                e.message.include?('alert protocol version')
+                e.message.include?('alert protocol version') ||
+                e.message.include?('Connection reset by peer')
               Yawast::Utilities.puts_error "\t\tVersion: #{ssl.ssl_version.ljust(7)}\tBits: #{cipher[2]}\tCipher: #{cipher[0]}\t(Supported But Failed)"
             end
           rescue => e
@@ -180,6 +190,19 @@ module Yawast
         end
       end
 
+      def self.check_cipher_strength(cipher, ssl)
+        if cipher[2] < 112 || cipher[0].include?('RC4')
+          #less than 112 bits or RC4, flag as a vuln
+          Yawast::Utilities.puts_vuln "\t\tVersion: #{ssl.ssl_version.ljust(7)}\tBits: #{cipher[2]}\tCipher: #{cipher[0]}"
+        elsif cipher[2] >= 128
+          #secure, probably safe
+          Yawast::Utilities.puts_info "\t\tVersion: #{ssl.ssl_version.ljust(7)}\tBits: #{cipher[2]}\tCipher: #{cipher[0]}"
+        else
+          #weak, but not "omg!" weak.
+          Yawast::Utilities.puts_warn "\t\tVersion: #{ssl.ssl_version.ljust(7)}\tBits: #{cipher[2]}\tCipher: #{cipher[0]}"
+        end
+      end
+
       def self.check_hsts(head)
         found = ''
 
@@ -194,57 +217,69 @@ module Yawast
         else
           Yawast::Utilities.puts_info "HSTS: Enabled (#{found})"
         end
-
-        puts ''
       end
 
-        def self.get_tdes_session_msg_count(uri)
-          # this method will send a number of HEAD requests to see
-          #  if the connection is eventually killed.
-          puts 'TLS Session Request Limit: Checking number of requests accepted using 3DES suites...'
+      def self.check_hsts_preload(uri)
+        begin
+          info = JSON.parse(Net::HTTP.get(URI("https://hstspreload.com/api/v1/status/#{uri.host}")))
 
-          count = 0
-          begin
-            req = Yawast::Shared::Http.get_http(uri)
-            req.use_ssl = uri.scheme == 'https'
-            req.keep_alive_timeout = 600
-            headers = Yawast::Shared::Http.get_headers
+          chrome = info['chrome'] != nil
+          firefox = info['firefox'] != nil
+          tor = info['tor'] != nil
 
-            #force 3DES - this is to ensure that 3DES specific limits are caught
-            req.ciphers = ['3DES']
+          Yawast::Utilities.puts_info "HSTS Preload: Chrome - #{chrome}; Firefox - #{firefox}; Tor - #{tor}"
+        rescue => e
+          Yawast::Utilities.puts_error "Error getting HSTS preload information: #{e.message}"
+        end
+      end
 
-            req.start do |http|
-              10000.times do |i|
-                http.head(uri.path, headers)
+      def self.get_tdes_session_msg_count(uri)
+        # this method will send a number of HEAD requests to see
+        #  if the connection is eventually killed.
+        puts 'TLS Session Request Limit: Checking number of requests accepted using 3DES suites...'
 
-                # hack to detect transparent disconnects
-                if http.instance_variable_get(:@ssl_context).session_cache_stats[:cache_hits] != 0
-                  raise 'TLS Reconnected'
-                end
+        count = 0
+        begin
+          req = Yawast::Shared::Http.get_http(uri)
+          req.use_ssl = uri.scheme == 'https'
+          req.keep_alive_timeout = 600
+          headers = Yawast::Shared::Http.get_headers
+
+          #force 3DES - this is to ensure that 3DES specific limits are caught
+          req.ciphers = ['3DES']
 
-                count += 1
+          req.start do |http|
+            10000.times do |i|
+              http.head(uri.path, headers)
 
-                if i % 20 == 0
-                  print '.'
-                end
+              # hack to detect transparent disconnects
+              if http.instance_variable_get(:@ssl_context).session_cache_stats[:cache_hits] != 0
+                raise 'TLS Reconnected'
               end
-            end
-          rescue => e
-            puts
 
-            if e.message.include? 'alert handshake failure'
-              Yawast::Utilities.puts_info 'TLS Session Request Limit: Server does not support 3DES cipher suites'
-            else
-              Yawast::Utilities.puts_info "TLS Session Request Limit: Connection terminated after #{count} requests (#{e.message})"
+              count += 1
+
+              if i % 20 == 0
+                print '.'
+              end
             end
+          end
+        rescue => e
+          puts
 
-            return
+          if e.message.include? 'alert handshake failure'
+            Yawast::Utilities.puts_info 'TLS Session Request Limit: Server does not support 3DES cipher suites'
+          else
+            Yawast::Utilities.puts_info "TLS Session Request Limit: Connection terminated after #{count} requests (#{e.message})"
           end
 
-          puts
-          Yawast::Utilities.puts_vuln 'TLS Session Request Limit: Connection not terminated after 10,000 requests; possibly vulnerable to SWEET32'
+          return
         end
 
+        puts
+        Yawast::Utilities.puts_vuln 'TLS Session Request Limit: Connection not terminated after 10,000 requests; possibly vulnerable to SWEET32'
+      end
+
       #private methods
       class << self
         private

data/lib/shared/http.rb

@@ -21,13 +21,13 @@ module Yawast
         req.head(uri.path, get_headers)
       end
 
-      def self.get(uri)
+      def self.get(uri, headers = nil)
         body = ''
 
         begin
           req = get_http(uri)
           req.use_ssl = uri.scheme == 'https'
-          res = req.request_get(uri.path, get_headers)
+          res = req.request_get(uri.path, get_headers(headers))
           body = res.read_body
         rescue
           #do nothing for now
@@ -54,13 +54,17 @@ module Yawast
       end
 
       # noinspection RubyStringKeysInHashInspection
-      def self.get_headers
+      def self.get_headers(extra_headers = nil)
         if @cookie == nil
           headers = { 'User-Agent' => HTTP_UA }
         else
           headers = { 'User-Agent' => HTTP_UA, 'Cookie' => @cookie }
         end
 
+        if extra_headers != nil
+          headers.merge! extra_headers
+        end
+
         headers
       end
     end

data/lib/version.rb

@@ -1,3 +1,3 @@
 module Yawast
-  VERSION = '0.5.0.beta1'
+  VERSION = '0.5.0.beta2'
 end

data/lib/yawast.rb

@@ -24,7 +24,7 @@ require_all '/shared'
 
 module Yawast
   DESCRIPTION = 'The YAWAST Antecedent Web Application Security Toolkit'
-  HTTP_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/537.36 (KHTML, like Gecko) Yawast/#{VERSION} Chrome/52.0.2743.24 Safari/537.36"
+  HTTP_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Yawast/#{VERSION} Chrome/56.0.2924.28 Safari/537.36"
 
   def self.header
     puts '__   _____  _    _  ___   _____ _____ '
@@ -35,7 +35,7 @@ module Yawast
     puts '  \_/\_| |_/\/  \/\_| |_/\____/  \_/  '
     puts ''
     puts "YAWAST v#{VERSION} - #{DESCRIPTION}"
-    puts ' Copyright (c) 2013-2016 Adam Caudill <adam@adamcaudill.com>'
+    puts ' Copyright (c) 2013-2017 Adam Caudill <adam@adamcaudill.com>'
     puts ' Support & Documentation: https://github.com/adamcaudill/yawast'
     puts " Ruby #{RUBY_VERSION}-p#{RUBY_PATCHLEVEL}; #{OpenSSL::OPENSSL_VERSION} (#{RUBY_PLATFORM})"
     puts ''

data/test/test_internalssl.rb

@@ -0,0 +1,31 @@
+require File.dirname(__FILE__) + '/../lib/yawast'
+require File.dirname(__FILE__) + '/base'
+
+class TestInternalSSL < Minitest::Test
+  include TestBase
+
+  def test_internalssl_ss_cert
+    override_stdout
+
+    uri = URI.parse 'https://self-signed.badssl.com/'
+    Yawast::Scanner::Ssl.info uri, false, false
+
+    assert stdout_value.include?('Certificate Is Self-Singed'), 'self-signed certificate warning not found'
+
+    restore_stdout
+  end
+
+  def test_internalssl_known_suite
+    override_stdout
+
+    uri = URI.parse 'https://self-signed.badssl.com/'
+    Yawast::Scanner::Ssl.info uri, true, false
+
+    #HACK: This is an awful test, as it depends on the configuration of the server above, so could
+    # easily break if they make any changes, and only tests for a single value, but it's better than nothing.
+    # The other awful thing is that this is slow, and may take 60 seconds or more to complete.
+    assert stdout_value.include?('Cipher: AES256-SHA'), 'known cipher suite not found in output'
+
+    restore_stdout
+  end
+end

data/test/test_object_presence.rb

@@ -29,7 +29,7 @@ class TestScannerApacheServerStatus < Minitest::Test
     uri = Yawast::Commands::Utils.extract_uri(["http://localhost:#{port}"])
 
     Yawast::Shared::Http.setup nil, nil
-    Yawast::Scanner::Plugins::Http::FilePresence.check_all uri
+    Yawast::Scanner::Plugins::Http::FilePresence.check_all uri, false
 
     assert stdout_value.include?('\'/readme.html\' found:'), 'readme.html page warning not found'
 

data/test/test_scan_apache_server_info.rb

@@ -15,7 +15,7 @@ class TestScannerApacheServerInfo < Minitest::Test
     Yawast::Shared::Http.setup nil, nil
     Yawast::Scanner::Apache.check_server_info uri
 
-    assert stdout_value.include?('Apache Server Info page found'), 'Apache Server Info page warning not found'
+    assert stdout_value.include?('Apache Server Information page found'), 'Apache Server Info page warning not found'
 
     server.exit
     restore_stdout

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: yawast
 version: !ruby/object:Gem::Version
-  version: 0.5.0.beta1
+  version: 0.5.0.beta2
 platform: ruby
 authors:
 - Adam Caudill
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-12-18 00:00:00.000000000 Z
+date: 2017-03-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ssllabs
@@ -123,6 +123,7 @@ files:
 - ".travis.yml"
 - CHANGELOG.md
 - Gemfile
+- LICENSE
 - README.md
 - Rakefile
 - bin/yawast
@@ -132,7 +133,8 @@ files:
 - lib/commands/scan.rb
 - lib/commands/ssl.rb
 - lib/commands/utils.rb
-- lib/resources/common.txt
+- lib/resources/common_dir.txt
+- lib/resources/common_file.txt
 - lib/scanner/apache.rb
 - lib/scanner/cert.rb
 - lib/scanner/cms.rb
@@ -163,6 +165,7 @@ files:
 - test/test_cmd_util.rb
 - test/test_directory_search.rb
 - test/test_helper.rb
+- test/test_internalssl.rb
 - test/test_object_presence.rb
 - test/test_scan_apache_banner.rb
 - test/test_scan_apache_server_info.rb
@@ -195,7 +198,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: 1.3.1
 requirements: []
 rubyforge_project: yawast
-rubygems_version: 2.6.6
+rubygems_version: 2.4.8
 signing_key: 
 specification_version: 4
 summary: The YAWAST Antecedent Web Application Security Toolkit
@@ -211,6 +214,7 @@ test_files:
 - test/test_cmd_util.rb
 - test/test_directory_search.rb
 - test/test_helper.rb
+- test/test_internalssl.rb
 - test/test_object_presence.rb
 - test/test_scan_apache_banner.rb
 - test/test_scan_apache_server_info.rb