yawast 0.7.0.beta1 → 0.7.0.beta2

data/lib/scanner/plugins/applications/cms/generic.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Yawast
+  module Scanner
+    module Plugins
+      module Applications
+        module CMS
+          class Generic
+            def self.get_generator(body)
+              regex = /<meta name="generator[^>]+content\s*=\s*['"]([^'"]+)['"][^>]*>/
+              match = body.match regex
+
+              Yawast::Utilities.puts_info "Meta Generator: #{match[1]}" if match
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/scanner/plugins/applications/generic/password_reset.rb

@@ -0,0 +1,180 @@
+# frozen_string_literal: true
+
+require 'selenium-webdriver'
+require 'securerandom'
+
+module Yawast
+  module Scanner
+    module Plugins
+      module Applications
+        module Generic
+          class PasswordReset
+            def self.setup
+              @reset_page = if Yawast.options.pass_reset_page.nil?
+                              Yawast::Utilities.prompt 'What is the application password reset page?'
+                            else
+                              Yawast.options.pass_reset_page
+                            end
+
+              @valid_user = if Yawast.options.user.nil?
+                              Yawast::Utilities.prompt 'What is a valid user?'
+                            else
+                              Yawast.options.user
+                            end
+
+              @timing = {true => [], false => []}
+            end
+
+            def self.check_resp_user_enum
+              begin
+                # checks for user enum via differences in response
+                # run each test 5 times to collect timing info
+                good_user_res = fill_form_get_body @reset_page, @valid_user, true, true
+                fill_form_get_body @reset_page, @valid_user, true, false
+                fill_form_get_body @reset_page, @valid_user, true, false
+                fill_form_get_body @reset_page, @valid_user, true, false
+                fill_form_get_body @reset_page, @valid_user, true, false
+
+                bad_user_res = fill_form_get_body @reset_page, SecureRandom.hex + '@invalid.example.com', false, true
+                fill_form_get_body @reset_page, SecureRandom.hex + '@invalid.example.com', false, false
+                fill_form_get_body @reset_page, SecureRandom.hex + '@invalid.example.com', false, false
+                fill_form_get_body @reset_page, SecureRandom.hex + '@invalid.example.com', false, false
+                fill_form_get_body @reset_page, SecureRandom.hex + '@invalid.example.com', false, false
+
+                puts
+                # check for difference in response
+                if good_user_res != bad_user_res
+                  Yawast::Shared::Output.log_hash 'vulnerabilities',
+                                                  'password_reset_resp_user_enum',
+                                                  {vulnerable: true, url: @reset_page}
+
+                  Yawast::Utilities.puts_raw
+                  Yawast::Utilities.puts_vuln 'Password Reset: Possible User Enumeration - Difference In Response (see below for details)'
+                  Yawast::Utilities.puts_raw
+                  Yawast::Utilities.puts_raw Yawast::Utilities.diff_text(good_user_res, bad_user_res)
+                  Yawast::Utilities.puts_raw
+                  Yawast::Utilities.puts_raw
+                else
+                  Yawast::Shared::Output.log_hash 'vulnerabilities',
+                                                  'password_reset_resp_user_enum',
+                                                  {vulnerable: false, url: @reset_page}
+                end
+
+                # check for timing issues
+                valid_average = (@timing[true].inject(0, :+) / 5)
+                invalid_average = (@timing[false].inject(0, :+) / 5)
+                timing_diff = valid_average - invalid_average
+                if timing_diff.abs > 10
+                  # in this case, we have a difference in the averages of greater than 10ms.
+                  # this is an arbitrary number, but 10ms is likely good enough
+                  Yawast::Utilities.puts_vuln 'Password Reset: Possible User Enumeration - Response Timing (see below for details)'
+                  Yawast::Utilities.puts_raw "\tDifference in average: #{timing_diff.abs.round(2)}ms  Valid user: #{valid_average.round(2)}ms  Invalid user: #{invalid_average.round(2)}ms"
+                  Yawast::Utilities.puts_raw "\tValid Users     Invalid Users"
+                  Yawast::Utilities.puts_raw "\t-----------------------------"
+                  (0..4).each do |i|
+                    Yawast::Utilities.puts_raw "\t#{format('%.2f', @timing[true][i].round(2)).rjust(11)}"\
+                                                "     #{format('%.2f', @timing[false][i].round(2)).rjust(13)}"
+                  end
+                  puts
+
+                  Yawast::Shared::Output.log_hash 'vulnerabilities',
+                                                  'password_reset_time_user_enum',
+                                                  {vulnerable: true, difference: timing_diff,
+                                                   valid_1: @timing[true][0], valid_2: @timing[true][1], valid_3: @timing[true][2],
+                                                   valid_4: @timing[true][3], valid_5: @timing[true][4],
+                                                   invalid_1: @timing[false][0], invalid_2: @timing[false][1], invalid_3: @timing[false][2],
+                                                   invalid_4: @timing[false][3], invalid_5: @timing[false][4]}
+                else
+                  Yawast::Shared::Output.log_hash 'vulnerabilities',
+                                                  'password_reset_time_user_enum',
+                                                  {vulnerable: false, difference: timing_diff,
+                                                   valid_1: @timing[true][0], valid_2: @timing[true][1], valid_3: @timing[true][2],
+                                                   valid_4: @timing[true][3], valid_5: @timing[true][4],
+                                                   invalid_1: @timing[false][0], invalid_2: @timing[false][1], invalid_3: @timing[false][2],
+                                                   invalid_4: @timing[false][3], invalid_5: @timing[false][4]}
+                end
+              rescue ArgumentError => e
+                Yawast::Utilities.puts "Unable to find a matching element to perform the User Enumeration via Password Reset Response test (#{e.message})"
+              end
+            end
+
+            def self.fill_form_get_body(uri, user, valid, log_output)
+              options = Selenium::WebDriver::Chrome::Options.new({args: ['headless']})
+
+              # if we have a proxy set, use that
+              if !Yawast.options.proxy.nil?
+                proxy = Selenium::WebDriver::Proxy.new({http: "http://#{Yawast.options.proxy}", ssl: "http://#{Yawast.options.proxy}"})
+                caps = Selenium::WebDriver::Remote::Capabilities.chrome({acceptInsecureCerts: true, proxy: proxy})
+              else
+                caps = Selenium::WebDriver::Remote::Capabilities.chrome({acceptInsecureCerts: true})
+              end
+
+              driver = Selenium::WebDriver.for(:chrome, {options: options, desired_capabilities: caps})
+              driver.get uri
+
+              # find the page form element - this is going to be a best effort thing, and may not always be right
+              element = find_user_field driver
+
+              element.send_keys user
+
+              beginning_time = Time.now
+              element.submit
+              end_time = Time.now
+              @timing[valid].push((end_time - beginning_time) * 1000)
+
+              res = driver.page_source
+              img = driver.screenshot_as(:base64)
+
+              valid_text = 'valid'
+              valid_text = 'invalid' unless valid
+
+              if log_output
+                # log response
+                Yawast::Shared::Output.log_hash 'applications',
+                                                'password_reset_form',
+                                                "pwd_reset_resp_#{valid_text}",
+                                                {body: res, img: img, user: user}
+              end
+
+              driver.close
+
+              res
+            end
+
+            def self.find_user_field(driver)
+              # find the page form element - this is going to be a best effort thing, and may not always be right
+              element = find_element driver, 'user_login'
+              return element unless element.nil?
+
+              element = find_element driver, 'email'
+              return element unless element.nil?
+
+              element = find_element driver, 'email_address'
+              return element unless element.nil?
+
+              element = find_element driver, 'forgetPasswordEmailOrUsername'
+              return element unless element.nil?
+
+              # if we got here, it means that we don't have an element we know about, so we have to prompt
+              Yawast::Utilities.puts_raw 'Unable to find a known element to enter the user name. Please identify the proper element.'
+              Yawast::Utilities.puts_raw 'If this element name seems to be common, please request that it be added: https://github.com/adamcaudill/yawast/issues'
+              element_name = Yawast::Utilities.prompt 'What is the user/email entry element name?'
+              element = find_element driver, element_name
+              return element unless element.nil?
+
+              raise ArgumentError, 'No matching element found.'
+            end
+
+            def self.find_element(driver, name)
+              begin
+                return driver.find_element({name: name})
+              rescue ArgumentError
+                return nil
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/scanner/plugins/dns/caa.rb

@@ -1,39 +1,56 @@
+# frozen_string_literal: true
+
 require 'dnsruby'
-include Dnsruby
 
 module Yawast
   module Scanner
     module Plugins
       module DNS
         class CAA
+          include Dnsruby
+
           def self.caa_info(uri)
             # force DNS resolver to something that works
             # this is done to ensure that ISP resolvers don't get in the way
             # at some point, should probably do something else, but works for now
-            @res = Resolver.new({:nameserver => ['8.8.8.8']})
+            @res = Resolver.new({nameserver: ['8.8.8.8']})
 
             # setup a list of domains already checked, so we can skip them
-            @checked = Array.new
+            @checked = []
+
+            # setup a counter, so we can see if we actually got anything
+            @records = 0
 
             domain = uri.host.to_s
 
             chase_domain domain
+
+            if @records.zero?
+              Yawast::Shared::Output.log_hash 'vulnerabilities',
+                                              'missing_caa_records',
+                                              {vulnerable: true}
+
+              puts
+              Yawast::Utilities.puts_vuln 'DNS CAA: No records found.'
+            else
+              Yawast::Shared::Output.log_hash 'vulnerabilities',
+                                              'missing_caa_records',
+                                              {vulnerable: false, record_count: @records}
+            end
           end
 
           def self.chase_domain(domain)
-            while domain != '' do
+            while domain != ''
               begin
                 # check to see if we've already ran into this one
-                if @checked.include? domain
-                  return
-                end
+                return if @checked.include? domain
                 @checked.push domain
 
                 # first, see if this is a CNAME. we do this explicitly because
                 # some resolvers flatten in an odd way that prevents just checking
                 # for the CAA record directly
                 cname = get_cname_record(domain)
-                if cname != nil
+                if !cname.nil?
                   Yawast::Utilities.puts_info "\t\tCAA (#{domain}): CNAME Found: -> #{cname}"
                   Yawast::Shared::Output.log_value 'dns', 'caa', domain, "CNAME: #{cname}"
 
@@ -41,7 +58,7 @@ module Yawast
                 else
                   print_caa_record domain
                 end
-              rescue => e
+              rescue => e # rubocop:disable Style/RescueStandardError
                 Yawast::Utilities.puts_error "\t\tCAA (#{domain}): #{e.message}"
               end
 
@@ -53,7 +70,7 @@ module Yawast
           def self.get_cname_record(domain)
             ans = @res.query(domain, 'CNAME')
 
-            if ans.answer[0] != nil
+            if !ans.answer[0].nil?
               return ans.answer[0].rdata
             else
               return nil
@@ -63,13 +80,14 @@ module Yawast
           def self.print_caa_record(domain)
             ans = @res.query(domain, 'CAA')
 
-            if ans.answer.count > 0
+            if ans.answer.count.positive?
               ans.answer.each do |rec|
                 # check for RDATA
-                if rec.rdata != nil
+                if !rec.rdata.nil?
                   Yawast::Utilities.puts_info "\t\tCAA (#{domain}): #{rec.rdata}"
 
                   Yawast::Shared::Output.log_append_value 'dns', 'caa', domain, rec.rdata
+                  @records += 1
                 else
                   Yawast::Utilities.puts_error "\t\tCAA (#{domain}): Invalid Response: #{ans.answer}"
                 end

data/lib/scanner/plugins/dns/generic.rb

@@ -1,7 +1,11 @@
+require 'dnsruby'
+
 module Yawast
   module Scanner
     module Plugins
       module DNS
+        include Dnsruby
+
         class Generic
           def self.dns_info(uri, options)
             begin
@@ -177,11 +181,23 @@ module Yawast
           end
 
           def self.find_subdomains(root_domain, resv)
+            res = Resolver.new()
+
             File.open(File.dirname(__FILE__) + '/../../../resources/subdomain_list.txt', 'r') do |f|
               f.each_line do |line|
                 host = line.strip + '.' + root_domain
 
                 begin
+                  ## get CNAME records
+                  cname = res.query(host, 'CNAME')
+                  if cname.answer[0] != nil
+                    Yawast::Utilities.puts_info "\t\tCNAME: #{host}: #{cname.answer[0].rdata}"
+
+                    Yawast::Shared::Output.log_value 'dns', 'subdomain', host, cname.answer[0].rdata
+                    next
+                  end
+
+                  ## get A records
                   a = resv.getresources(host, Resolv::DNS::Resource::IN::A)
 
                   unless a.empty?
@@ -195,6 +211,21 @@ module Yawast
                       Yawast::Shared::Output.log_value 'dns', 'subdomain', host, ip.address
                     end
                   end
+
+                  ## get AAAA records
+                  aaaa = resv.getresources(host, Resolv::DNS::Resource::IN::AAAA)
+
+                  unless aaaa.empty?
+                    aaaa.each do |ip|
+                      if IPAddr.new(ip.address.to_s, Socket::AF_INET6).private?
+                        Yawast::Utilities.puts_info "\t\tAAAA: #{host}: #{ip.address}"
+                      else
+                        Yawast::Utilities.puts_info "\t\tAAAA: #{host}: #{ip.address} (#{get_network_info(ip.address)})"
+                      end
+
+                      Yawast::Shared::Output.log_value 'dns', 'subdomain', host, ip.address
+                    end
+                  end
                 rescue
                   #if this fails, don't really care
                 end
@@ -223,7 +254,13 @@ module Yawast
               return ret
             rescue => e
               @netinfo_failed = true
-              return "Error: getting network information failed (#{e.message})"
+
+              if e.message.include? 'unexpected token'
+                # this means that the service returned something invalid, like HTML
+                return "Error: getting network information failed (the service returned an unexpected message)"
+              else
+                return "Error: getting network information failed (#{e.message})"
+              end
             end
           end
         end

data/lib/scanner/plugins/http/directory_search.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'securerandom'
 
 module Yawast
@@ -6,7 +8,7 @@ module Yawast
       module Http
         class DirectorySearch
           def self.search(uri, recursive, list_redirects, search_list = nil)
-            #first, we need to see if the site responds to 404 in a reasonable way
+            # first, we need to see if the site responds to 404 in a reasonable way
             unless Yawast::Shared::Http.check_not_found(uri, false)
               puts 'Site does not respond properly to non-existent directory requests; skipping some checks.'
 
@@ -22,7 +24,7 @@ module Yawast
               puts 'Searching for common directories...'
             end
 
-            if search_list == nil
+            if search_list.nil?
               @search_list = []
 
               File.open(File.dirname(__FILE__) + '/../../../resources/common_dir.txt', 'r') do |f|
@@ -39,7 +41,7 @@ module Yawast
               @jobs = Queue.new
               @results = Queue.new
 
-              #load the queue, starting at /
+              # load the queue, starting at /
               base = uri.copy
               base.path = '/'
               load_queue base
@@ -50,7 +52,7 @@ module Yawast
                     while (check = @jobs.pop(true))
                       process check
                     end
-                  rescue ThreadError
+                  rescue ThreadError # rubocop:disable Lint/HandleExceptions
                     #do nothing
                   end
                 end
@@ -59,19 +61,19 @@ module Yawast
               results = Thread.new do
                 begin
                   while true
-                    if @results.length > 0
+                    if @results.length.positive?
                       out = @results.pop(true)
                       Yawast::Utilities.puts_info out
                     end
                   end
-                rescue ThreadError
-                  #do nothing
+                rescue ThreadError # rubocop:disable Lint/HandleExceptions
+                  # do nothing
                 end
               end
 
               workers.map(&:join)
               results.terminate
-            rescue => e
+            rescue => e # rubocop:disable Style/RescueStandardError
               Yawast::Utilities.puts_error "Error searching for directories (#{e.message})"
             end
 
@@ -85,10 +87,10 @@ module Yawast
               begin
                 check.path = check.path + "#{line}/"
 
-                #add the job to the queue
+                # add the job to the queue
                 @jobs.push check
-              rescue
-                #who cares
+              rescue # rubocop:disable Style/RescueStandardError, Lint/HandleExceptions
+                # who cares
               end
             end
           end
@@ -106,7 +108,7 @@ module Yawast
                 @results.push "\tFound Redirect: '#{uri} -> '#{res['Location']}'"
                 Yawast::Shared::Output.log_value 'http', 'http_dir_redirect', uri, res['Location']
               end
-            rescue => e
+            rescue => e # rubocop:disable Style/RescueStandardError
               unless e.message.include?('end of file') || e.message.include?('getaddrinfo')
                 Yawast::Utilities.puts_error "Error searching for directory '#{uri.path}' (#{e.message})"
               end