yawast 0.6.0.beta4 → 0.6.0.beta5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.travis.yml +3 -2
- data/CHANGELOG.md +1 -0
- data/README.md +2 -1
- data/lib/resources/common_file.txt +214 -29
- data/lib/scanner/core.rb +3 -3
- data/lib/scanner/plugins/dns/generic.rb +48 -40
- data/lib/scanner/plugins/servers/apache.rb +22 -0
- data/lib/scanner/plugins/ssl/ssl.rb +55 -0
- data/lib/scanner/plugins/ssl/ssl_labs/analyze.rb +38 -3
- data/lib/scanner/plugins/ssl/sweet32.rb +7 -13
- data/lib/scanner/ssl.rb +5 -41
- data/lib/scanner/ssl_labs.rb +93 -37
- data/lib/shared/http.rb +16 -0
- data/lib/version.rb +1 -1
- data/lib/yawast.rb +2 -2
- data/test/data/hsts_disabled_server_header.txt +16 -0
- data/test/data/hsts_server_header.txt +17 -0
- data/test/data/ssl_labs_analyze_data_file_zetlab_com.json +3851 -0
- data/test/data/ssl_labs_analyze_data_parivahan_gov_in.json +1440 -0
- data/test/test_scan_apache.rb +50 -0
- data/test/test_scan_dns.rb +23 -0
- data/test/test_ssl.rb +43 -0
- data/test/test_ssl_labs_analyze.rb +29 -0
- data/test/test_ssl_sweet32.rb +29 -0
- data/test/test_yawast.rb +2 -1
- metadata +19 -2
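--- a/data/test/test_scan_apache.rb
+++ b/data/test/test_scan_apache.rb
@@ -0,0 +1,50 @@
+require File.dirname(__FILE__) + '/../lib/yawast'
+require File.dirname(__FILE__) + '/base'
+
+class TestScannerApache < Minitest::Test
+include TestBase
+
+def test_check_tomcat_put_rce
+override_stdout
+
+port = rand(60000) + 1024 # pick a random port number
+server = start_web_server File.dirname(__FILE__) + '/data/apache_server_info.txt', '', port
+uri = Yawast::Commands::Utils.extract_uri(["http://localhost:#{port}"])
+
+error = nil
+begin
+Yawast::Scanner::Plugins::Servers::Apache.check_tomcat_put_rce uri
+rescue => e
+error = e.message
+end
+
+assert !stdout_value.include?('[V]'), "Unexpected finding: #{stdout_value}"
+assert error == nil, "Unexpected error: #{error}"
+
+restore_stdout
+
+server.exit
+end
+
+def test_check_struts2_samples
+override_stdout
+
+port = rand(60000) + 1024 # pick a random port number
+server = start_web_server File.dirname(__FILE__) + '/data/apache_server_info.txt', '', port
+uri = Yawast::Commands::Utils.extract_uri(["http://localhost:#{port}"])
+
+error = nil
+begin
+Yawast::Scanner::Plugins::Servers::Apache.check_struts2_samples uri
+rescue => e
+error = e.message
+end
+
+assert !stdout_value.include?('[W]'), "Unexpected finding: #{stdout_value}"
+assert error == nil, "Unexpected error: #{error}"
+
+restore_stdout
+
+server.exit
+end
+end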
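Review bot: `restore_stdout` and `server.exit` only run when both assertions pass, so a failing assertion in either test leaves stdout captured and whatever `start_web_server` started still running for every later test in the process; the `rescue => e` only covers exceptions from the check itself, not assertion failures. Put the cleanup in an `ensure` clause (or a Minitest `teardown` that restores stdout and exits the server) so it runs on every exit path; the same shape is in test_scan_dns.rb, test_ssl.rb, test_ssl_labs_analyze.rb and test_ssl_sweet32.rb. `assert error == nil` is better written `assert_nil error, "Unexpected error: #{error}"`, and once the cleanup is in `ensure` the exception can simply propagate, which gives Minitest the backtrace instead of just the message. Both tests cover only the negative case — a static page yields no `[V]`/`[W]` line — so a regression that disables the Tomcat PUT or Struts2 sample detection would still pass; a fixture that triggers each finding would test the detection itself.
```ruby
def test_check_tomcat_put_rce
  override_stdout
  # … unchanged: port choice, start_web_server, extract_uri …
  begin
    Yawast::Scanner::Plugins::Servers::Apache.check_tomcat_put_rce uri
    refute_includes stdout_value, '[V]', "Unexpected finding: #{stdout_value}"
  ensure
    restore_stdout
    server.exit
  end
end
```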
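--- a/data/test/test_scan_dns.rb
+++ b/data/test/test_scan_dns.rb
@@ -0,0 +1,23 @@
+require File.dirname(__FILE__) + '/../lib/yawast'
+require File.dirname(__FILE__) + '/base'
+
+class TestScannerDns < Minitest::Test
+include TestBase
+
+def test_dns_caa
+override_stdout
+
+uri = URI::Parser.new.parse 'https://www.adamcaudill.com/'
+Yawast::Scanner::Plugins::DNS::CAA.caa_info uri
+
+assert stdout_value.include?('mailto:adam@adamcaudill.com'), "DNS CAA Record not found: #{stdout_value}"
+
+restore_stdout
+end
+
+def test_get_network_info
+ret = Yawast::Scanner::Plugins::DNS::Generic.get_network_info '127.0.0.1'
+
+assert !ret.include?('Error'), "Unexpected error: #{ret}"
+end
+end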
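Review bot: `test_dns_caa` resolves a live CAA record for www.adamcaudill.com and asserts on one specific `mailto:` value, so the outcome depends on network access and on a DNS record outside the project's control; it fails offline and whenever that record is edited. Feed `caa_info` a stubbed resolver or fixture, or at least `skip` when the lookup cannot be performed, so a CI failure reflects a code change rather than the Internet. The same dependence is in `test_hsts_preload` in test_ssl.rb (adamcaudill.com) and `test_session_count` in test_ssl_sweet32.rb (3des.badssl.com). `test_get_network_info` only asserts that the returned text lacks `Error`; what `get_network_info` returns for 127.0.0.1 is not visible here, but asserting on the expected content would make the test say something when it passes.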
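--- a/data/test/test_ssl.rb
+++ b/data/test/test_ssl.rb
@@ -0,0 +1,43 @@
+require 'webrick'
+require File.dirname(__FILE__) + '/../lib/yawast'
+require File.dirname(__FILE__) + '/base'
+
+class TestSSLLabsAnalyze < Minitest::Test
+include TestBase
+
+def test_hsts_header
+head = parse_headers_from_file File.dirname(__FILE__) + '/data/hsts_server_header.txt'
+
+override_stdout
+
+Yawast::Scanner::Plugins::SSL::SSL.check_hsts head
+
+assert stdout_value.include?('HSTS: Enabled'), "HSTS enabled not found in #{stdout_value}"
+
+restore_stdout
+end
+
+def test_no_hsts_header
+head = parse_headers_from_file File.dirname(__FILE__) + '/data/hsts_disabled_server_header.txt'
+
+override_stdout
+
+Yawast::Scanner::Plugins::SSL::SSL.check_hsts head
+
+assert stdout_value.include?('HSTS: Not Enabled'), "HSTS disabled not found in #{stdout_value}"
+
+restore_stdout
+end
+
+def test_hsts_preload
+uri = URI::Parser.new.parse 'https://adamcaudill.com/'
+
+override_stdout
+
+Yawast::Scanner::Plugins::SSL::SSL.check_hsts_preload uri
+
+assert stdout_value.include?('HSTS Preload'), "HSTS Preload not found in #{stdout_value}"
+
+restore_stdout
+end
+end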
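Review bot: The class in test_ssl.rb is named `TestSSLLabsAnalyze`, the same name as the class in test_ssl_labs_analyze.rb (visible in that file's hunk header), so when both files load Ruby reopens one class and merges the methods; a test name reused in either file would then silently overwrite the other, and failures are reported under a class that does not match the file. Rename it to match the file, e.g. `class TestSSL < Minitest::Test`. test_ssl_sweet32.rb has the same copy-paste problem: its class is `TestSharedHttp`, which by the diffstat's file list presumably belongs to test_shared_http.rb. `require 'webrick'` on the first line is not used by anything in this file; if `parse_headers_from_file` in base needs it, the require belongs next to that helper.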
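--- a/data/test/test_ssl_labs_analyze.rb
+++ b/data/test/test_ssl_labs_analyze.rb
@@ -45,4 +45,33 @@ class TestSSLLabsAnalyze < Minitest::Test
 
 restore_stdout
 end
+
+def test_process_data_parivahan
+override_stdout
+
+uri = URI.parse 'https://parivahan.gov.in/'
+body = JSON.parse(File.read(File.dirname(__FILE__) + '/data/ssl_labs_analyze_data_parivahan_gov_in.json'))
+
+Yawast::Scanner::SslLabs.process_results uri, body, false
+
+assert stdout_value.include?('parivahan.gov.in'), "domain name not found in #{stdout_value}"
+assert !stdout_value.include?('[E]'), "Error message found in #{stdout_value}"
+
+restore_stdout
+end
+
+def test_process_data_file_zetlab
+override_stdout
+
+uri = URI.parse 'https://file.zetlab.com/'
+body = JSON.parse(File.read(File.dirname(__FILE__) + '/data/ssl_labs_analyze_data_file_zetlab_com.json'))
+
+Yawast::Scanner::SslLabs.process_results uri, body, false
+
+assert stdout_value.include?('file.zetlab.com'), "domain name not found in #{stdout_value}"
+assert stdout_value.include?('Certificate Issue: hostname mismatch'), "hostname mismatch not found in #{stdout_value}"
+assert !stdout_value.include?('[E]'), "Error message found in #{stdout_value}"
+
+restore_stdout
+end
 end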
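Review bot: Both new tests pass a bare `false` as the third argument of `SslLabs.process_results` with nothing at the call site saying what it switches off; since the method's signature is outside this hunk, a trailing comment such as `# third arg: <PLACEHOLDER: name of the flag> — confirm against SslLabs.process_results` (or a keyword argument, if the method can take one) keeps the fixture tests readable. The `assert x.include?(...)` / `assert !x.include?(...)` forms would be clearer as `assert_includes stdout_value, 'parivahan.gov.in'` and `refute_includes stdout_value, '[E]'`, which report both operands on failure without a hand-built message; the same pattern appears in the other four new test files. `URI.parse` here against `URI::Parser.new.parse` in test_scan_dns.rb and test_ssl.rb is a small inconsistency worth settling one way. The zetlab case is the useful one: it pins a positive finding (`Certificate Issue: hostname mismatch`) from a recorded response, which the parivahan case does not — it only checks that nothing errored.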
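--- a/data/test/test_ssl_sweet32.rb
+++ b/data/test/test_ssl_sweet32.rb
@@ -0,0 +1,29 @@
+require File.dirname(__FILE__) + '/../lib/yawast'
+require File.dirname(__FILE__) + '/base'
+
+class TestSharedHttp < Minitest::Test
+include TestBase
+
+def test_check_tdes
+override_stdout
+
+res = Yawast::Scanner::Plugins::SSL::Sweet32.check_tdes
+
+assert stdout_value.include?('OpenSSL supports 3DES'), "Header line not found in #{stdout_value}"
+assert res, '3DES support check failed'
+
+restore_stdout
+end
+
+def test_session_count
+override_stdout
+
+uri = URI::Parser.new.parse 'https://3des.badssl.com/'
+Yawast::Scanner::Plugins::SSL::Sweet32.get_tdes_session_msg_count uri, 1
+
+assert stdout_value.include?('Connection not terminated after'), "SWEET32 warning not found in #{stdout_value}"
+
+restore_stdout
+end
+
+end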
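Review bot: `assert res, '3DES support check failed'` in `test_check_tdes` asserts a property of the test host — that the local OpenSSL build still offers 3DES cipher suites — rather than behaviour of the code under test, so the test starts failing on runners whose OpenSSL has 3DES compiled out while `check_tdes` is reporting correctly. If the intent is to verify that the check reports accurately, drive it from a known cipher list, or `skip '3DES not offered by this OpenSSL build' unless res` and keep only the header-line assertion as the behavioural check; how `check_tdes` probes OpenSSL is not visible in this hunk, so the exact hook is for the author to pick. `test_session_count` passes the literal `1` as the message count with no comment; `# 1 message: enough to observe that the connection stays open — confirm against get_tdes_session_msg_count` would say why the smallest value is used.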
data/test/test_yawast.rb
CHANGED
@@ -9,7 +9,8 @@ class TestYawast < Minitest::Test
|
|
9
9
|
|
10
10
|
Yawast.header
|
11
11
|
header = stdout_value
|
12
|
-
assert header.include?('Copyright'),
|
12
|
+
assert header.include?('Copyright'), "Header not found in #{header}"
|
13
|
+
assert header.include?(Yawast::VERSION), "Version not found in #{header}"
|
13
14
|
|
14
15
|
restore_stdout
|
15
16
|
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: yawast
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.6.0.
|
4
|
+
version: 0.6.0.beta5
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Adam Caudill
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2017-10-
|
11
|
+
date: 2017-10-23 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: commander
|
@@ -178,6 +178,7 @@ files:
|
|
178
178
|
- lib/scanner/plugins/servers/iis.rb
|
179
179
|
- lib/scanner/plugins/servers/nginx.rb
|
180
180
|
- lib/scanner/plugins/servers/python.rb
|
181
|
+
- lib/scanner/plugins/ssl/ssl.rb
|
181
182
|
- lib/scanner/plugins/ssl/ssl_labs/analyze.rb
|
182
183
|
- lib/scanner/plugins/ssl/ssl_labs/info.rb
|
183
184
|
- lib/scanner/plugins/ssl/sweet32.rb
|
@@ -195,8 +196,12 @@ files:
|
|
195
196
|
- test/data/apache_server_status.txt
|
196
197
|
- test/data/cms_none_body.txt
|
197
198
|
- test/data/cms_wordpress_body.txt
|
199
|
+
- test/data/hsts_disabled_server_header.txt
|
200
|
+
- test/data/hsts_server_header.txt
|
198
201
|
- test/data/iis_server_header.txt
|
199
202
|
- test/data/ssl_labs_analyze_data.json
|
203
|
+
- test/data/ssl_labs_analyze_data_file_zetlab_com.json
|
204
|
+
- test/data/ssl_labs_analyze_data_parivahan_gov_in.json
|
200
205
|
- test/data/ssl_labs_analyze_start.json
|
201
206
|
- test/data/ssl_labs_info.json
|
202
207
|
- test/data/tomcat_release_notes.txt
|
@@ -206,16 +211,20 @@ files:
|
|
206
211
|
- test/test_helper.rb
|
207
212
|
- test/test_internalssl.rb
|
208
213
|
- test/test_object_presence.rb
|
214
|
+
- test/test_scan_apache.rb
|
209
215
|
- test/test_scan_apache_banner.rb
|
210
216
|
- test/test_scan_apache_server_info.rb
|
211
217
|
- test/test_scan_apache_server_status.rb
|
212
218
|
- test/test_scan_cms.rb
|
219
|
+
- test/test_scan_dns.rb
|
213
220
|
- test/test_scan_iis_headers.rb
|
214
221
|
- test/test_scan_nginx_banner.rb
|
215
222
|
- test/test_shared_http.rb
|
216
223
|
- test/test_shared_util.rb
|
224
|
+
- test/test_ssl.rb
|
217
225
|
- test/test_ssl_labs_analyze.rb
|
218
226
|
- test/test_ssl_labs_info.rb
|
227
|
+
- test/test_ssl_sweet32.rb
|
219
228
|
- test/test_string_ext.rb
|
220
229
|
- test/test_yawast.rb
|
221
230
|
- yawast.gemspec
|
@@ -249,8 +258,12 @@ test_files:
|
|
249
258
|
- test/data/apache_server_status.txt
|
250
259
|
- test/data/cms_none_body.txt
|
251
260
|
- test/data/cms_wordpress_body.txt
|
261
|
+
- test/data/hsts_disabled_server_header.txt
|
262
|
+
- test/data/hsts_server_header.txt
|
252
263
|
- test/data/iis_server_header.txt
|
253
264
|
- test/data/ssl_labs_analyze_data.json
|
265
|
+
- test/data/ssl_labs_analyze_data_file_zetlab_com.json
|
266
|
+
- test/data/ssl_labs_analyze_data_parivahan_gov_in.json
|
254
267
|
- test/data/ssl_labs_analyze_start.json
|
255
268
|
- test/data/ssl_labs_info.json
|
256
269
|
- test/data/tomcat_release_notes.txt
|
@@ -260,15 +273,19 @@ test_files:
|
|
260
273
|
- test/test_helper.rb
|
261
274
|
- test/test_internalssl.rb
|
262
275
|
- test/test_object_presence.rb
|
276
|
+
- test/test_scan_apache.rb
|
263
277
|
- test/test_scan_apache_banner.rb
|
264
278
|
- test/test_scan_apache_server_info.rb
|
265
279
|
- test/test_scan_apache_server_status.rb
|
266
280
|
- test/test_scan_cms.rb
|
281
|
+
- test/test_scan_dns.rb
|
267
282
|
- test/test_scan_iis_headers.rb
|
268
283
|
- test/test_scan_nginx_banner.rb
|
269
284
|
- test/test_shared_http.rb
|
270
285
|
- test/test_shared_util.rb
|
286
|
+
- test/test_ssl.rb
|
271
287
|
- test/test_ssl_labs_analyze.rb
|
272
288
|
- test/test_ssl_labs_info.rb
|
289
|
+
- test/test_ssl_sweet32.rb
|
273
290
|
- test/test_string_ext.rb
|
274
291
|
- test/test_yawast.rb
|