yawast 0.6.0.beta4 → 0.6.0.beta5
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.travis.yml +3 -2
- data/CHANGELOG.md +1 -0
- data/README.md +2 -1
- data/lib/resources/common_file.txt +214 -29
- data/lib/scanner/core.rb +3 -3
- data/lib/scanner/plugins/dns/generic.rb +48 -40
- data/lib/scanner/plugins/servers/apache.rb +22 -0
- data/lib/scanner/plugins/ssl/ssl.rb +55 -0
- data/lib/scanner/plugins/ssl/ssl_labs/analyze.rb +38 -3
- data/lib/scanner/plugins/ssl/sweet32.rb +7 -13
- data/lib/scanner/ssl.rb +5 -41
- data/lib/scanner/ssl_labs.rb +93 -37
- data/lib/shared/http.rb +16 -0
- data/lib/version.rb +1 -1
- data/lib/yawast.rb +2 -2
- data/test/data/hsts_disabled_server_header.txt +16 -0
- data/test/data/hsts_server_header.txt +17 -0
- data/test/data/ssl_labs_analyze_data_file_zetlab_com.json +3851 -0
- data/test/data/ssl_labs_analyze_data_parivahan_gov_in.json +1440 -0
- data/test/test_scan_apache.rb +50 -0
- data/test/test_scan_dns.rb +23 -0
- data/test/test_ssl.rb +43 -0
- data/test/test_ssl_labs_analyze.rb +29 -0
- data/test/test_ssl_sweet32.rb +29 -0
- data/test/test_yawast.rb +2 -1
- metadata +19 -2
|
@@ -0,0 +1,50 @@
|
|
|
1
|
+
require File.dirname(__FILE__) + '/../lib/yawast'
|
|
2
|
+
require File.dirname(__FILE__) + '/base'
|
|
3
|
+
|
|
4
|
+
class TestScannerApache < Minitest::Test
|
|
5
|
+
include TestBase
|
|
6
|
+
|
|
7
|
+
def test_check_tomcat_put_rce
|
|
8
|
+
override_stdout
|
|
9
|
+
|
|
10
|
+
port = rand(60000) + 1024 # pick a random port number
|
|
11
|
+
server = start_web_server File.dirname(__FILE__) + '/data/apache_server_info.txt', '', port
|
|
12
|
+
uri = Yawast::Commands::Utils.extract_uri(["http://localhost:#{port}"])
|
|
13
|
+
|
|
14
|
+
error = nil
|
|
15
|
+
begin
|
|
16
|
+
Yawast::Scanner::Plugins::Servers::Apache.check_tomcat_put_rce uri
|
|
17
|
+
rescue => e
|
|
18
|
+
error = e.message
|
|
19
|
+
end
|
|
20
|
+
|
|
21
|
+
assert !stdout_value.include?('[V]'), "Unexpected finding: #{stdout_value}"
|
|
22
|
+
assert error == nil, "Unexpected error: #{error}"
|
|
23
|
+
|
|
24
|
+
restore_stdout
|
|
25
|
+
|
|
26
|
+
server.exit
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
def test_check_struts2_samples
|
|
30
|
+
override_stdout
|
|
31
|
+
|
|
32
|
+
port = rand(60000) + 1024 # pick a random port number
|
|
33
|
+
server = start_web_server File.dirname(__FILE__) + '/data/apache_server_info.txt', '', port
|
|
34
|
+
uri = Yawast::Commands::Utils.extract_uri(["http://localhost:#{port}"])
|
|
35
|
+
|
|
36
|
+
error = nil
|
|
37
|
+
begin
|
|
38
|
+
Yawast::Scanner::Plugins::Servers::Apache.check_struts2_samples uri
|
|
39
|
+
rescue => e
|
|
40
|
+
error = e.message
|
|
41
|
+
end
|
|
42
|
+
|
|
43
|
+
assert !stdout_value.include?('[W]'), "Unexpected finding: #{stdout_value}"
|
|
44
|
+
assert error == nil, "Unexpected error: #{error}"
|
|
45
|
+
|
|
46
|
+
restore_stdout
|
|
47
|
+
|
|
48
|
+
server.exit
|
|
49
|
+
end
|
|
50
|
+
end
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
require File.dirname(__FILE__) + '/../lib/yawast'
|
|
2
|
+
require File.dirname(__FILE__) + '/base'
|
|
3
|
+
|
|
4
|
+
class TestScannerDns < Minitest::Test
|
|
5
|
+
include TestBase
|
|
6
|
+
|
|
7
|
+
def test_dns_caa
|
|
8
|
+
override_stdout
|
|
9
|
+
|
|
10
|
+
uri = URI::Parser.new.parse 'https://www.adamcaudill.com/'
|
|
11
|
+
Yawast::Scanner::Plugins::DNS::CAA.caa_info uri
|
|
12
|
+
|
|
13
|
+
assert stdout_value.include?('mailto:adam@adamcaudill.com'), "DNS CAA Record not found: #{stdout_value}"
|
|
14
|
+
|
|
15
|
+
restore_stdout
|
|
16
|
+
end
|
|
17
|
+
|
|
18
|
+
def test_get_network_info
|
|
19
|
+
ret = Yawast::Scanner::Plugins::DNS::Generic.get_network_info '127.0.0.1'
|
|
20
|
+
|
|
21
|
+
assert !ret.include?('Error'), "Unexpected error: #{ret}"
|
|
22
|
+
end
|
|
23
|
+
end
|
data/test/test_ssl.rb
ADDED
|
@@ -0,0 +1,43 @@
|
|
|
1
|
+
require 'webrick'
|
|
2
|
+
require File.dirname(__FILE__) + '/../lib/yawast'
|
|
3
|
+
require File.dirname(__FILE__) + '/base'
|
|
4
|
+
|
|
5
|
+
class TestSSLLabsAnalyze < Minitest::Test
|
|
6
|
+
include TestBase
|
|
7
|
+
|
|
8
|
+
def test_hsts_header
|
|
9
|
+
head = parse_headers_from_file File.dirname(__FILE__) + '/data/hsts_server_header.txt'
|
|
10
|
+
|
|
11
|
+
override_stdout
|
|
12
|
+
|
|
13
|
+
Yawast::Scanner::Plugins::SSL::SSL.check_hsts head
|
|
14
|
+
|
|
15
|
+
assert stdout_value.include?('HSTS: Enabled'), "HSTS enabled not found in #{stdout_value}"
|
|
16
|
+
|
|
17
|
+
restore_stdout
|
|
18
|
+
end
|
|
19
|
+
|
|
20
|
+
def test_no_hsts_header
|
|
21
|
+
head = parse_headers_from_file File.dirname(__FILE__) + '/data/hsts_disabled_server_header.txt'
|
|
22
|
+
|
|
23
|
+
override_stdout
|
|
24
|
+
|
|
25
|
+
Yawast::Scanner::Plugins::SSL::SSL.check_hsts head
|
|
26
|
+
|
|
27
|
+
assert stdout_value.include?('HSTS: Not Enabled'), "HSTS disabled not found in #{stdout_value}"
|
|
28
|
+
|
|
29
|
+
restore_stdout
|
|
30
|
+
end
|
|
31
|
+
|
|
32
|
+
def test_hsts_preload
|
|
33
|
+
uri = URI::Parser.new.parse 'https://adamcaudill.com/'
|
|
34
|
+
|
|
35
|
+
override_stdout
|
|
36
|
+
|
|
37
|
+
Yawast::Scanner::Plugins::SSL::SSL.check_hsts_preload uri
|
|
38
|
+
|
|
39
|
+
assert stdout_value.include?('HSTS Preload'), "HSTS Preload not found in #{stdout_value}"
|
|
40
|
+
|
|
41
|
+
restore_stdout
|
|
42
|
+
end
|
|
43
|
+
end
|
|
@@ -45,4 +45,33 @@ class TestSSLLabsAnalyze < Minitest::Test
|
|
|
45
45
|
|
|
46
46
|
restore_stdout
|
|
47
47
|
end
|
|
48
|
+
|
|
49
|
+
def test_process_data_parivahan
|
|
50
|
+
override_stdout
|
|
51
|
+
|
|
52
|
+
uri = URI.parse 'https://parivahan.gov.in/'
|
|
53
|
+
body = JSON.parse(File.read(File.dirname(__FILE__) + '/data/ssl_labs_analyze_data_parivahan_gov_in.json'))
|
|
54
|
+
|
|
55
|
+
Yawast::Scanner::SslLabs.process_results uri, body, false
|
|
56
|
+
|
|
57
|
+
assert stdout_value.include?('parivahan.gov.in'), "domain name not found in #{stdout_value}"
|
|
58
|
+
assert !stdout_value.include?('[E]'), "Error message found in #{stdout_value}"
|
|
59
|
+
|
|
60
|
+
restore_stdout
|
|
61
|
+
end
|
|
62
|
+
|
|
63
|
+
def test_process_data_file_zetlab
|
|
64
|
+
override_stdout
|
|
65
|
+
|
|
66
|
+
uri = URI.parse 'https://file.zetlab.com/'
|
|
67
|
+
body = JSON.parse(File.read(File.dirname(__FILE__) + '/data/ssl_labs_analyze_data_file_zetlab_com.json'))
|
|
68
|
+
|
|
69
|
+
Yawast::Scanner::SslLabs.process_results uri, body, false
|
|
70
|
+
|
|
71
|
+
assert stdout_value.include?('file.zetlab.com'), "domain name not found in #{stdout_value}"
|
|
72
|
+
assert stdout_value.include?('Certificate Issue: hostname mismatch'), "hostname mismatch not found in #{stdout_value}"
|
|
73
|
+
assert !stdout_value.include?('[E]'), "Error message found in #{stdout_value}"
|
|
74
|
+
|
|
75
|
+
restore_stdout
|
|
76
|
+
end
|
|
48
77
|
end
|
|
@@ -0,0 +1,29 @@
|
|
|
1
|
+
require File.dirname(__FILE__) + '/../lib/yawast'
|
|
2
|
+
require File.dirname(__FILE__) + '/base'
|
|
3
|
+
|
|
4
|
+
class TestSharedHttp < Minitest::Test
|
|
5
|
+
include TestBase
|
|
6
|
+
|
|
7
|
+
def test_check_tdes
|
|
8
|
+
override_stdout
|
|
9
|
+
|
|
10
|
+
res = Yawast::Scanner::Plugins::SSL::Sweet32.check_tdes
|
|
11
|
+
|
|
12
|
+
assert stdout_value.include?('OpenSSL supports 3DES'), "Header line not found in #{stdout_value}"
|
|
13
|
+
assert res, '3DES support check failed'
|
|
14
|
+
|
|
15
|
+
restore_stdout
|
|
16
|
+
end
|
|
17
|
+
|
|
18
|
+
def test_session_count
|
|
19
|
+
override_stdout
|
|
20
|
+
|
|
21
|
+
uri = URI::Parser.new.parse 'https://3des.badssl.com/'
|
|
22
|
+
Yawast::Scanner::Plugins::SSL::Sweet32.get_tdes_session_msg_count uri, 1
|
|
23
|
+
|
|
24
|
+
assert stdout_value.include?('Connection not terminated after'), "SWEET32 warning not found in #{stdout_value}"
|
|
25
|
+
|
|
26
|
+
restore_stdout
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
end
|
data/test/test_yawast.rb
CHANGED
|
@@ -9,7 +9,8 @@ class TestYawast < Minitest::Test
|
|
|
9
9
|
|
|
10
10
|
Yawast.header
|
|
11
11
|
header = stdout_value
|
|
12
|
-
assert header.include?('Copyright'),
|
|
12
|
+
assert header.include?('Copyright'), "Header not found in #{header}"
|
|
13
|
+
assert header.include?(Yawast::VERSION), "Version not found in #{header}"
|
|
13
14
|
|
|
14
15
|
restore_stdout
|
|
15
16
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: yawast
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.6.0.
|
|
4
|
+
version: 0.6.0.beta5
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Adam Caudill
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-10-
|
|
11
|
+
date: 2017-10-23 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: commander
|
|
@@ -178,6 +178,7 @@ files:
|
|
|
178
178
|
- lib/scanner/plugins/servers/iis.rb
|
|
179
179
|
- lib/scanner/plugins/servers/nginx.rb
|
|
180
180
|
- lib/scanner/plugins/servers/python.rb
|
|
181
|
+
- lib/scanner/plugins/ssl/ssl.rb
|
|
181
182
|
- lib/scanner/plugins/ssl/ssl_labs/analyze.rb
|
|
182
183
|
- lib/scanner/plugins/ssl/ssl_labs/info.rb
|
|
183
184
|
- lib/scanner/plugins/ssl/sweet32.rb
|
|
@@ -195,8 +196,12 @@ files:
|
|
|
195
196
|
- test/data/apache_server_status.txt
|
|
196
197
|
- test/data/cms_none_body.txt
|
|
197
198
|
- test/data/cms_wordpress_body.txt
|
|
199
|
+
- test/data/hsts_disabled_server_header.txt
|
|
200
|
+
- test/data/hsts_server_header.txt
|
|
198
201
|
- test/data/iis_server_header.txt
|
|
199
202
|
- test/data/ssl_labs_analyze_data.json
|
|
203
|
+
- test/data/ssl_labs_analyze_data_file_zetlab_com.json
|
|
204
|
+
- test/data/ssl_labs_analyze_data_parivahan_gov_in.json
|
|
200
205
|
- test/data/ssl_labs_analyze_start.json
|
|
201
206
|
- test/data/ssl_labs_info.json
|
|
202
207
|
- test/data/tomcat_release_notes.txt
|
|
@@ -206,16 +211,20 @@ files:
|
|
|
206
211
|
- test/test_helper.rb
|
|
207
212
|
- test/test_internalssl.rb
|
|
208
213
|
- test/test_object_presence.rb
|
|
214
|
+
- test/test_scan_apache.rb
|
|
209
215
|
- test/test_scan_apache_banner.rb
|
|
210
216
|
- test/test_scan_apache_server_info.rb
|
|
211
217
|
- test/test_scan_apache_server_status.rb
|
|
212
218
|
- test/test_scan_cms.rb
|
|
219
|
+
- test/test_scan_dns.rb
|
|
213
220
|
- test/test_scan_iis_headers.rb
|
|
214
221
|
- test/test_scan_nginx_banner.rb
|
|
215
222
|
- test/test_shared_http.rb
|
|
216
223
|
- test/test_shared_util.rb
|
|
224
|
+
- test/test_ssl.rb
|
|
217
225
|
- test/test_ssl_labs_analyze.rb
|
|
218
226
|
- test/test_ssl_labs_info.rb
|
|
227
|
+
- test/test_ssl_sweet32.rb
|
|
219
228
|
- test/test_string_ext.rb
|
|
220
229
|
- test/test_yawast.rb
|
|
221
230
|
- yawast.gemspec
|
|
@@ -249,8 +258,12 @@ test_files:
|
|
|
249
258
|
- test/data/apache_server_status.txt
|
|
250
259
|
- test/data/cms_none_body.txt
|
|
251
260
|
- test/data/cms_wordpress_body.txt
|
|
261
|
+
- test/data/hsts_disabled_server_header.txt
|
|
262
|
+
- test/data/hsts_server_header.txt
|
|
252
263
|
- test/data/iis_server_header.txt
|
|
253
264
|
- test/data/ssl_labs_analyze_data.json
|
|
265
|
+
- test/data/ssl_labs_analyze_data_file_zetlab_com.json
|
|
266
|
+
- test/data/ssl_labs_analyze_data_parivahan_gov_in.json
|
|
254
267
|
- test/data/ssl_labs_analyze_start.json
|
|
255
268
|
- test/data/ssl_labs_info.json
|
|
256
269
|
- test/data/tomcat_release_notes.txt
|
|
@@ -260,15 +273,19 @@ test_files:
|
|
|
260
273
|
- test/test_helper.rb
|
|
261
274
|
- test/test_internalssl.rb
|
|
262
275
|
- test/test_object_presence.rb
|
|
276
|
+
- test/test_scan_apache.rb
|
|
263
277
|
- test/test_scan_apache_banner.rb
|
|
264
278
|
- test/test_scan_apache_server_info.rb
|
|
265
279
|
- test/test_scan_apache_server_status.rb
|
|
266
280
|
- test/test_scan_cms.rb
|
|
281
|
+
- test/test_scan_dns.rb
|
|
267
282
|
- test/test_scan_iis_headers.rb
|
|
268
283
|
- test/test_scan_nginx_banner.rb
|
|
269
284
|
- test/test_shared_http.rb
|
|
270
285
|
- test/test_shared_util.rb
|
|
286
|
+
- test/test_ssl.rb
|
|
271
287
|
- test/test_ssl_labs_analyze.rb
|
|
272
288
|
- test/test_ssl_labs_info.rb
|
|
289
|
+
- test/test_ssl_sweet32.rb
|
|
273
290
|
- test/test_string_ext.rb
|
|
274
291
|
- test/test_yawast.rb
|