yawast 0.6.0 → 0.7.0.beta1

data/lib/scanner/plugins/ssl/ssl_labs/analyze.rb

@@ -30,11 +30,17 @@ module Yawast
               code = res.code.to_i
 
               # check for error in the response - if we don't, we'll wait forever for nothing
-              json = JSON.parse body
+              begin
+                json = JSON.parse body
+              rescue => e
+                raise StandardError, "Invalid response from SSL Labs: '#{e.message}'"
+              end
               if json.key?('errors')
                 raise InvocationError, "API returned: #{json['errors']}"
               end
 
+              Yawast::Shared::Output.log_json 'ssl', 'ssl_labs', body
+
               # check the response code, make sure it's 200 - otherwise, we should stop now
               if code != 200
                 case code
@@ -57,7 +63,11 @@ module Yawast
             end
 
             def self.extract_status(body)
-              json = JSON.parse body
+              begin
+                json = JSON.parse body
+              rescue => e
+                raise StandardError, "Invalid response from SSL Labs: '#{e.message}'"
+              end
 
               return json['status']
             end

data/lib/scanner/plugins/ssl/ssl_labs/info.rb

@@ -17,10 +17,17 @@ module Yawast
 
             def self.extract_msg(body)
               ret = Array.new
-              json = JSON.parse body
 
-              json['messages'].each do |msg|
-                ret.push msg
+              begin
+                json = JSON.parse body
+              rescue => e
+                raise Exception, "Invalid response from SSL Labs: '#{e.message}'"
+              end
+
+              unless json['messages'].nil?
+                json['messages'].each do |msg|
+                  ret.push msg
+                end
               end
 
               return ret

data/lib/scanner/plugins/ssl/sweet32.rb

@@ -4,15 +4,21 @@ module Yawast
       module SSL
         class Sweet32
           def self.get_tdes_session_msg_count(uri, limit = 10000)
+            Yawast::Shared::Output.log_value 'ssl', 'sweet32', 'limit', limit
+
             # this method will send a number of HEAD requests to see
             #  if the connection is eventually killed.
             unless check_tdes
-              #if the OpenSSL install doesn't support 3DES, bailout
+              # if the OpenSSL install doesn't support 3DES, bailout
               Yawast::Utilities.puts_error "Your copy of OpenSSL doesn't support 3DES cipher suites - SWEET32 test aborted."
               puts '  See here for more information: https://github.com/adamcaudill/yawast/wiki/OpenSSL-&-3DES-Compatibility'
+
+              Yawast::Shared::Output.log_value 'ssl', 'sweet32', '3des_supported', false
               return
             end
 
+            Yawast::Shared::Output.log_value 'ssl', 'sweet32', '3des_supported', true
+
             puts 'TLS Session Request Limit: Checking number of requests accepted using 3DES suites...'
 
             count = 0
@@ -22,14 +28,14 @@ module Yawast
               req.keep_alive_timeout = 600
               headers = Yawast::Shared::Http.get_headers
 
-              #we will use HEAD by default, but allow GET if we have issues with HEAD
+              # we will use HEAD by default, but allow GET if we have issues with HEAD
               use_head = true
 
-              #force 3DES - this is to ensure that 3DES specific limits are caught
+              # force 3DES - this is to ensure that 3DES specific limits are caught
               req.ciphers = ['3DES']
               cipher = nil
 
-              #attempt to find a version that supports 3DES
+              # attempt to find a version that supports 3DES
               versions = OpenSSL::SSL::SSLContext::METHODS.find_all { |v| !v.to_s.include?('_client') && !v.to_s.include?('_server')}
               versions.each do |version|
                 if version.to_s != 'SSLv23'
@@ -48,7 +54,7 @@ module Yawast
 
                         cipher = http.instance_variable_get(:@socket).io.cipher[0]
                       rescue
-                        #check if we are using HEAD or GET. If we've already switched to GET, no need to do this again.
+                        # check if we are using HEAD or GET. If we've already switched to GET, no need to do this again.
                         if use_head
                           head = http.request_get(uri.path, headers)
 
@@ -58,10 +64,10 @@ module Yawast
                         end
                       end
 
-                      #check to see if this is on Cloudflare - they break Keep-Alive limits, creating a false positive
+                      # check to see if this is on Cloudflare - they break Keep-Alive limits, creating a false positive
                       head.each do |k, v|
                         if k.downcase == 'server'
-                          if v == 'cloudflare-nginx'
+                          if v == 'cloudflare'
                             puts 'Cloudflare server found: SWEET32 mitigated: https://support.cloudflare.com/hc/en-us/articles/231510928'
                           end
                         end
@@ -69,14 +75,19 @@ module Yawast
                     end
 
                     print "Using #{version} (#{cipher})"
+
+                    Yawast::Shared::Output.log_value 'ssl', 'sweet32', 'tls_version', version
+                    Yawast::Shared::Output.log_value 'ssl', 'sweet32', 'tls_cipher', cipher
+                    Yawast::Shared::Output.log_value 'ssl', 'sweet32', 'use_head_req', use_head
+
                     break
                   rescue
-                    #we don't care
+                    # we don't care
                   end
                 end
               end
 
-              #reset the req object
+              # reset the req object
               req = Yawast::Shared::Http.get_http(uri)
               req.use_ssl = uri.scheme == 'https'
               req.keep_alive_timeout = 600
@@ -84,7 +95,6 @@ module Yawast
               req.ciphers = [*cipher]
 
               req.start do |http|
-                #cache the number of hits
                 limit.times do |i|
                   if use_head
                     http.head(uri.path, headers)
@@ -92,7 +102,7 @@ module Yawast
                     http.request_get(uri.path, headers)
                   end
 
-                  # hack to detect transparent disconnects
+                  # HACK: to detect transparent disconnects
                   if http.instance_variable_get(:@ssl_context).session_cache_stats[:cache_hits] != 0
                     raise 'TLS Reconnected'
                   end
@@ -113,24 +123,34 @@ module Yawast
                 Yawast::Utilities.puts_info "TLS Session Request Limit: Connection terminated after #{count} requests (#{e.message})"
               end
 
+              Yawast::Shared::Output.log_value 'ssl', 'sweet32', 'vulnerable', false
+              Yawast::Shared::Output.log_value 'ssl', 'sweet32', 'requests', count
+              Yawast::Shared::Output.log_value 'ssl', 'sweet32', 'exception', e.message
+
               return
             end
 
             puts
             limit_formatted = limit.to_s.reverse.gsub(/(\d{3})(?=\d)/, '\\1,').reverse
             Yawast::Utilities.puts_vuln "TLS Session Request Limit: Connection not terminated after #{limit_formatted} requests; possibly vulnerable to SWEET32"
+
+            Yawast::Shared::Output.log_value 'ssl', 'sweet32', 'vulnerable', true
+            Yawast::Shared::Output.log_value 'ssl', 'sweet32', 'requests', count
           end
 
           def self.check_tdes
+            ret = false
             puts 'Confirming your OpenSSL supports 3DES cipher suites...'
 
-            #find all versions that don't include '_server' or '_client'
+            # find all versions that don't include '_server' or '_client'
             versions = OpenSSL::SSL::SSLContext::METHODS.find_all { |v| !v.to_s.include?('_client') && !v.to_s.include?('_server')}
 
             versions.each do |version|
-              #ignore SSLv23, as it's an auto-negotiate, which just adds noise
+              # ignore SSLv23, as it's an auto-negotiate, which just adds noise
               if version.to_s != 'SSLv23' && version.to_s != 'SSLv2'
-                #try to get the list of ciphers supported for each version
+                # try to get the list of ciphers supported for each version
+                Yawast::Shared::Output.log_append_value 'openssl', 'tls_versions', version.to_s
+
                 ciphers = nil
 
                 get_ciphers_failed = false
@@ -144,8 +164,10 @@ module Yawast
                 if ciphers != nil
                   ciphers.each do |cipher|
                     if cipher[0].include?('3DES') || cipher[0].include?('CBC3')
-                      return true
+                      ret = true
                     end
+
+                    Yawast::Shared::Output.log_append_value 'openssl', 'tls_ciphers', version.to_s, cipher[0]
                   end
                 elsif !get_ciphers_failed
                   Yawast::Utilities.puts_info "\t#{version}: No cipher suites available."
@@ -154,7 +176,7 @@ module Yawast
             end
 
             puts ''
-            return false
+            ret
           end
         end
       end

data/lib/scanner/ssl.rb

@@ -8,6 +8,11 @@ module Yawast
     class Ssl
       def self.info(uri, check_ciphers, tdes_session_count)
         begin
+          puts
+          puts 'DEPRECATED: The Internal SSL Scanner (--internalssl) is deprecated and will not be updated.'
+          puts 'DEPRECATED: Use a tool such as testssl.sh or sslyze instead.'
+          puts
+
           socket = TCPSocket.new(uri.host, uri.port)
 
           ctx = OpenSSL::SSL::SSLContext.new
@@ -89,7 +94,7 @@ module Yawast
           #It looks like a change to Ruby's OpenSSL wrapper is needed to actually fix this right.
 
           if cert.issuer == cert.subject
-            Yawast::Utilities.puts_vuln "\t\tCertificate Is Self-Singed"
+            Yawast::Utilities.puts_vuln "\t\tCertificate Is Self-Signed"
           else
             Yawast::Utilities.puts_warn "\t\tCertificate Chain Is Incomplete"
           end

data/lib/scanner/ssl_labs.rb

@@ -36,7 +36,14 @@ module Yawast
           puts "\tSSL Labs: https://www.ssllabs.com/ssltest/analyze.html?d=#{uri.host}&hideResults=on"
           puts
 
-          process_results uri, JSON.parse(data_body), tdes_session_count
+          json = nil
+          begin
+            json = JSON.parse data_body
+          rescue => e
+            raise Exception, "Invalid response from SSL Labs: '#{e.message}'"
+          end
+
+          process_results uri, json, tdes_session_count
         rescue => e
           puts
           Yawast::Utilities.puts_error "SSL Labs Error: #{e.message}"
@@ -45,24 +52,34 @@ module Yawast
 
       def self.process_results(uri, body, tdes_session_count)
         begin
-          body['endpoints'].each do |ep|
-            Yawast::Utilities.puts_info "IP: #{ep['ipAddress']} - Grade: #{ep['grade']}"
-            puts
-
-            begin
-              if ep['statusMessage'] == 'Ready'
-                get_cert_info ep, body
-                get_config_info ep
-                get_proto_info ep
-              else
-                Yawast::Utilities.puts_error "Error getting information for IP: #{ep['ipAddress']}: #{ep['statusMessage']}"
+          if !body['endpoints'].nil?
+            body['endpoints'].each do |ep|
+              Yawast::Utilities.puts_info "IP: #{ep['ipAddress']} - Grade: #{ep['grade']}"
+              puts
+
+              begin
+                if ep['statusMessage'] == 'Ready'
+                  get_cert_info ep, body
+                  get_config_info ep
+                  get_proto_info ep
+                else
+                  Yawast::Utilities.puts_error "Error getting information for IP: #{ep['ipAddress']}: #{ep['statusMessage']}"
+                end
+              rescue => e
+                Yawast::Utilities.puts_error "Error getting information for IP: #{ep['ipAddress']}: #{e.message}"
               end
-            rescue => e
-              Yawast::Utilities.puts_error "Error getting information for IP: #{ep['ipAddress']}: #{e.message}"
-            end
 
-            Yawast::Scanner::Plugins::SSL::Sweet32.get_tdes_session_msg_count(uri) if tdes_session_count
+              Yawast::Scanner::Plugins::SSL::Sweet32.get_tdes_session_msg_count(uri) if tdes_session_count
+
+              puts
+            end
+          else
+            Yawast::Utilities.puts_error 'SSL Labs Error: No Endpoint Data Received.'
 
+            #TODO - Remove this before release
+            puts
+            puts "DEBUG DATA (send to adam@adamcaudill.com): #{body}"
+            puts
             puts
           end
         rescue => e
@@ -259,11 +276,37 @@ module Yawast
             puts "\t\t  Path #{path_count}:"
             puts "\t\t   Root Stores: #{trust_paths[key]}"
 
+            # cert chain issues
+            if chain['issues'] & (1<<1) != 0
+              Yawast::Utilities.puts_warn "\t\tCertificate Chain Issue: incomplete chain"
+            end
+
+            if chain['issues'] & (1<<2) != 0
+              Yawast::Utilities.puts_warn "\t\tCertificate Chain Issue: chain contains unrelated/duplicate certificates"
+            end
+
+            if chain['issues'] & (1<<3) != 0
+              Yawast::Utilities.puts_warn "\t\tCertificate Chain Issue: incorrect order"
+            end
+
+            if chain['issues'] & (1<<4) != 0
+              Yawast::Utilities.puts_warn "\t\tCertificate Chain Issue: contains anchor"
+            end
+
+            if cert['issues'] & (1<<5) != 0
+              Yawast::Utilities.puts_warn "\t\tCertificate Chain Issue: untrusted"
+            end
+
             key.each do |path_cert|
               body['certs'].each do |c|
                 if c['id'] == path_cert
                   Yawast::Utilities.puts_info "\t\t\t#{c['subject']}"
                   Yawast::Utilities.puts_info "\t\t\t  Signature: #{c['sigAlg']}  Key: #{c['keyAlg']}-#{c['keySize']}"
+
+                  if Yawast::Scanner::Plugins::SSL::SSL.check_symantec_root(c['sha256Hash'])
+                    Yawast::Utilities.puts_vuln "\t\t\t  Untrusted Symantec Root"
+                  end
+
                   Yawast::Utilities.puts_info "\t\t\t  https://crt.sh/?q=#{c['sha1Hash']}"
 
                   if chain['certIds'].find_index(c['sha256Hash']) != nil
@@ -287,7 +330,11 @@ module Yawast
         protos = Hash.new
         ep['details']['protocols'].each do |proto|
           if proto['name'] == 'SSL'
+            # show a vuln for SSLvX
             Yawast::Utilities.puts_vuln "\t\t\t#{proto['name']} #{proto['version']}"
+          elsif proto['name'] == 'TLS' &&  proto['version'] == '1.0'
+            # show a warn for TLSv1.0
+            Yawast::Utilities.puts_warn "\t\t\t#{proto['name']} #{proto['version']}"
           else
             Yawast::Utilities.puts_info "\t\t\t#{proto['name']} #{proto['version']}"
           end

data/lib/shared/http.rb

@@ -1,5 +1,6 @@
 require 'securerandom'
 require 'json'
+require 'oj'
 
 module Yawast
   module Shared
@@ -33,7 +34,7 @@ module Yawast
         end
       end
 
-      def self.get(uri, headers = nil)
+      def self.get_with_code(uri, headers = nil)
         body = ''
 
         begin
@@ -41,11 +42,19 @@ module Yawast
           req.use_ssl = uri.scheme == 'https'
           res = req.request_get(uri, get_headers(headers))
           body = res.read_body
+          code = res.code
+
+          Yawast::Shared::Output.log_json 'debug', 'http_get', uri, Oj.dump(res)
         rescue
           # do nothing for now
         end
 
         body
+        return {:body => body, :code => code}
+      end
+
+      def self.get(uri, headers = nil)
+        return get_with_code(uri, headers)[:body]
       end
 
       def self.get_json(uri)
@@ -79,6 +88,9 @@ module Yawast
         req = get_http(uri)
         req.use_ssl = uri.scheme == 'https'
         res = req.head(uri, get_headers)
+
+        Yawast::Shared::Output.log_json 'debug', 'http_get_status_code', uri, Oj.dump(res)
+
         res.code
       end
 

data/lib/shared/output.rb

@@ -0,0 +1,151 @@
+require 'json'
+require 'base64'
+
+module Yawast
+  module Shared
+    class Output
+      def self.setup(uri, options)
+        return if @setup
+
+        @setup = true
+
+        time = Time.new.to_i.to_s
+        @file = options.output
+
+        # get the absolute path
+        @file = File.absolute_path @file
+
+        # see if this is a file or directory
+        if File.directory? @file
+          # in this case, the user just gave us a directory, se we will create a file name
+          @file = File.join(@file, uri.hostname + '_' + time + '.json')
+        else
+          # this means that it's a file, or doesn't exist
+          # so, let's see if it exists, if so, warn
+          if File.exist? @file
+            puts 'WARNING: Output file already exists; it will be replaced.'
+          end
+        end
+
+        puts "Saving output to '#{@file}'"
+        puts
+
+        @data = {}
+
+        # add the initial entries to the output
+        log_value 'start_time', time
+        log_value 'yawast_version', VERSION
+        log_value 'ruby_version', "#{RUBY_VERSION}-p#{RUBY_PATCHLEVEL}"
+        log_value 'openssl_version', OpenSSL::OPENSSL_VERSION
+        log_value 'platform', RUBY_PLATFORM
+        log_value 'target_uri', uri
+        log_value 'options', options.__hash__
+        log_value 'encoding', __ENCODING__
+      end
+
+      def self.log_value(super_parent = nil, parent = nil, key, value)
+        return unless @setup
+
+        target = get_target super_parent, parent
+
+        target[key] = encode_utf8(value.to_s)
+      end
+
+      def self.log_append_value(super_parent = nil, parent = nil, key, value)
+        return unless @setup
+
+        target = get_target super_parent, parent
+
+        if target[key].nil?
+          target[key] = []
+        end
+
+        # add value, after checking if it's already included
+        target[key].push encode_utf8(value.to_s) unless target[key].include? encode_utf8(value.to_s)
+      end
+
+      def self.log_json(super_parent = nil, parent = nil, key, json_block)
+        return unless @setup
+
+        target = get_target super_parent, parent
+
+        target[key] = JSON.parse(json_block)
+      end
+
+      def self.log_hash(super_parent = nil, parent = nil, key, hash)
+        return unless @setup
+
+        target = get_target super_parent, parent
+
+        target[key] = hash
+      end
+
+      def self.encode_utf8(str)
+        str = str.dup
+
+        str = str.force_encoding('UTF-8') if [Encoding::ASCII_8BIT, Encoding::US_ASCII].include?(str.encoding)
+
+        str
+      end
+
+      def self.get_target(super_parent = nil, parent = nil)
+        target = @data
+
+        # fix parent vs super confusion
+        if parent.nil? && !super_parent.nil?
+          parent = super_parent
+          super_parent = nil
+        end
+
+        unless super_parent.nil?
+          if target[super_parent].nil?
+            target[super_parent] = {}
+          end
+
+          target = target[super_parent]
+        end
+
+        unless parent.nil?
+          if target[parent].nil?
+            target[parent] = {}
+          end
+
+          target = target[parent]
+        end
+
+        target
+      end
+
+      def self.escape_hash(hash)
+        hash.each_pair do |k,v|
+          if v.is_a?(Hash)
+            escape_hash(v)
+          else
+            if v.is_a?(String)
+              unless v.valid_encoding?
+                hash[k] = Base64.encode64 v
+              end
+            end
+          end
+        end
+      end
+
+      def self.write_file
+        return unless @setup
+
+        # note the ending time
+        log_value 'end_time', Time.new.to_i.to_s
+
+        begin
+          json = JSON.pretty_generate @data
+        rescue JSON::GeneratorError
+          # this means that we don't have valid data to encode - need to perform some cleanup
+          @data = escape_hash @data
+          json = JSON.pretty_generate @data
+        end
+
+        File.open(@file, 'w') { |file| file.write(json) }
+      end
+    end
+  end
+end

data/lib/util.rb

@@ -8,18 +8,22 @@ module Yawast
 
     def self.puts_error(msg)
       puts_msg('[E]'.red, msg)
+      Yawast::Shared::Output.log_append_value 'messages', 'error', msg
     end
 
     def self.puts_vuln(msg)
       puts_msg('[V]'.magenta, msg)
+      Yawast::Shared::Output.log_append_value 'messages', 'vulnerability', msg
     end
 
     def self.puts_warn(msg)
       puts_msg('[W]'.yellow, msg)
+      Yawast::Shared::Output.log_append_value 'messages', 'warning', msg
     end
 
     def self.puts_info(msg)
       puts_msg('[I]'.green, msg)
+      Yawast::Shared::Output.log_append_value 'messages', 'info', msg
     end
   end
 end

data/lib/version.rb

@@ -1,3 +1,3 @@
 module Yawast
-  VERSION = '0.6.0'
+  VERSION = '0.7.0.beta1'
 end

data/lib/yawast.rb

@@ -36,9 +36,10 @@ module Yawast
     puts '  \_/\_| |_/\/  \/\_| |_/\____/  \_/  '
     puts ''
     puts "YAWAST v#{VERSION} - #{DESCRIPTION}"
-    puts ' Copyright (c) 2013-2017 Adam Caudill <adam@adamcaudill.com>'
+    puts ' Copyright (c) 2013-2019 Adam Caudill <adam@adamcaudill.com>'
     puts ' Support & Documentation: https://github.com/adamcaudill/yawast'
     puts " Ruby #{RUBY_VERSION}-p#{RUBY_PATCHLEVEL}; #{OpenSSL::OPENSSL_VERSION} (#{RUBY_PLATFORM})"
+    puts " Started at #{Time.now.strftime("%Y-%m-%d %H:%M:%S %Z")}"
 
     begin
       version = Yawast::Shared::Http.get_json(URI('https://rubygems.org/api/v1/versions/yawast/latest.json'))['version']
@@ -58,6 +59,10 @@ module Yawast
   trap 'SIGINT' do
     puts
     puts 'Scan cancelled by user.'
+
+    # attempt to save the output
+    Yawast::Shared::Output.write_file
+
     exit 0
   end
 end

data/test/test_internalssl.rb

@@ -10,7 +10,7 @@ class TestInternalSSL < Minitest::Test
     uri = URI.parse 'https://self-signed.badssl.com/'
     Yawast::Scanner::Ssl.info uri, false, false
 
-    assert stdout_value.include?('Certificate Is Self-Singed'), 'self-signed certificate warning not found'
+    assert stdout_value.include?('Certificate Is Self-Signed'), 'self-signed certificate warning not found'
 
     restore_stdout
   end

data/yawast.gemspec

@@ -22,6 +22,8 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency 'public_suffix', '~> 2.0'
   s.add_runtime_dependency 'sslshake', '~> 1.1'
   s.add_runtime_dependency 'dnsruby', '~> 1.60'
+  s.add_runtime_dependency 'nokogiri', '~> 1.8'
+  s.add_runtime_dependency 'oj', '~> 3.6'
 
   s.bindir            = 'bin'
   s.files             = `git ls-files`.split("\n")