yawast 0.7.0.beta1 → 0.7.0.beta2

data/lib/scanner/plugins/http/file_presence.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'securerandom'
 
 module Yawast
@@ -6,10 +8,10 @@ module Yawast
       module Http
         class FilePresence
           def self.check_path(uri, path, vuln)
-            #note: this only checks directly at the root, I'm not sure if this is what we want
+            # note: this only checks directly at the root, I'm not sure if this is what we want
             # should probably be relative to what's passed in, instead of overriding the path.
             check = uri.copy
-            check.path = "#{path}"
+            check.path = path.to_s
             code = Yawast::Shared::Http.get_status_code(check)
 
             if code == '200'
@@ -26,7 +28,7 @@ module Yawast
           end
 
           def self.check_all(uri, common_files)
-            #first, we need to see if the site responds to 404 in a reasonable way
+            # first, we need to see if the site responds to 404 in a reasonable way
             unless Yawast::Shared::Http.check_not_found(uri, true)
               puts 'Site does not respond properly to non-existent file requests; skipping some checks.'
 
@@ -41,6 +43,7 @@ module Yawast
             check_elmah_axd uri
             check_readme_html uri
             check_release_notes_txt uri
+            check_change_log_txt uri
 
             if common_files
               puts ''
@@ -69,7 +72,7 @@ module Yawast
           end
 
           def self.check_wsftp_log(uri)
-            #check both upper and lower, as they are both seen in the wild
+            # check both upper and lower, as they are both seen in the wild
             check_path(uri, '/WS_FTP.LOG', false)
             check_path(uri, '/ws_ftp.log', false)
           end
@@ -91,6 +94,11 @@ module Yawast
             check_path(uri, '/docs/RELEASE-NOTES.txt', false)
           end
 
+          def self.check_change_log_txt(uri)
+            check_path(uri, '/CHANGELOG.txt', false)
+            check_path(uri, '/core/CHANGELOG.txt', false)
+          end
+
           def self.check_common(uri)
             begin
               @search_list = []
@@ -105,7 +113,7 @@ module Yawast
               @jobs = Queue.new
               @results = Queue.new
 
-              #load the queue, starting at /
+              # load the queue, starting at /
               base = uri.copy
               base.path = '/'
               load_queue base
@@ -125,19 +133,19 @@ module Yawast
               results = Thread.new do
                 begin
                   while true
-                    if @results.length > 0
+                    if @results.length.positive?
                       out = @results.pop(true)
                       Yawast::Utilities.puts_info out
                     end
                   end
-                rescue ThreadError
-                  #do nothing
+                rescue ThreadError # rubocop:disable Lint/HandleExceptions
+                  # do nothing
                 end
               end
 
               workers.map(&:join)
               results.terminate
-            rescue => e
+            rescue => e # rubocop:disable Style/RescueStandardError
               Yawast::Utilities.puts_error "Error searching for files (#{e.message})"
             end
           end
@@ -149,10 +157,10 @@ module Yawast
               begin
                 check.path = "/#{line}"
 
-                #add the job to the queue
+                # add the job to the queue
                 @jobs.push check
-              rescue
-                #who cares
+              rescue # rubocop:disable Lint/HandleExceptions
+                # who cares
               end
             end
           end
@@ -165,7 +173,7 @@ module Yawast
                 @results.push "'#{uri.path}' found: #{uri}"
                 Yawast::Shared::Output.log_append_value 'http', 'http_file', uri
               end
-            rescue => e
+            rescue => e # rubocop:disable Style/RescueStandardError
               unless e.message.include?('end of file') || e.message.include?('getaddrinfo')
                 Yawast::Utilities.puts_error "Error searching for file '#{uri.path}' (#{e.message})"
               end

data/lib/scanner/plugins/http/generic.rb

@@ -0,0 +1,95 @@
+# frozen_string_literal: true
+
+module Yawast
+  module Scanner
+    module Plugins
+      module Http
+        class Generic
+          def self.check_propfind(uri)
+            begin
+              req = Yawast::Shared::Http.get_http(uri)
+              req.use_ssl = uri.scheme == 'https'
+              headers = Yawast::Shared::Http.get_headers
+              res = req.request(Propfind.new('/', headers))
+
+              if res.code.to_i <= 400 && res.body.length.positive? && res['Content-Type'] == 'text/xml'
+                Yawast::Utilities.puts_warn 'Possible Info Disclosure: PROPFIND Enabled'
+                puts "\t\t\"curl -X PROPFIND #{uri}\""
+
+                puts ''
+              end
+
+              Yawast::Shared::Output.log_value 'http', 'propfind', 'raw', res.body
+              Yawast::Shared::Output.log_value 'http', 'propfind', 'code', res.code
+              Yawast::Shared::Output.log_value 'http', 'propfind', 'content-type', res['Content-Type']
+              Yawast::Shared::Output.log_value 'http', 'propfind', 'length', res.body.length
+            end
+          end
+
+          def self.check_trace(uri)
+            begin
+              req = Yawast::Shared::Http.get_http(uri)
+              req.use_ssl = uri.scheme == 'https'
+              headers = Yawast::Shared::Http.get_headers
+              res = req.request(Trace.new('/', headers))
+
+              if res.body.include?('TRACE / HTTP/1.1') && res.code == '200'
+                Yawast::Utilities.puts_warn 'HTTP TRACE Enabled'
+                puts "\t\t\"curl -X TRACE #{uri}\""
+
+                puts ''
+              end
+
+              Yawast::Shared::Output.log_value 'http', 'trace', 'raw', res.body
+              Yawast::Shared::Output.log_value 'http', 'trace', 'code', res.code
+            end
+          end
+
+          def self.check_options(uri)
+            begin
+              req = Yawast::Shared::Http.get_http(uri)
+              req.use_ssl = uri.scheme == 'https'
+              headers = Yawast::Shared::Http.get_headers
+              res = req.request(Options.new('/', headers))
+
+              unless res['Public'].nil?
+                Yawast::Utilities.puts_info "Public HTTP Verbs (OPTIONS): #{res['Public']}"
+                Yawast::Shared::Output.log_value 'http', 'options', 'public', res['Public']
+
+                puts ''
+              end
+
+              unless res['Allow'].nil?
+                Yawast::Utilities.puts_info "Allow HTTP Verbs (OPTIONS): #{res['Allow']}"
+                Yawast::Shared::Output.log_value 'http', 'options', 'allow', res['Allow']
+
+                puts ''
+              end
+            end
+          end
+        end
+
+        # Custom class to allow using the PROPFIND verb
+        class Propfind < Net::HTTPRequest
+          METHOD = 'PROPFIND'
+          REQUEST_HAS_BODY = false
+          RESPONSE_HAS_BODY = true
+        end
+
+        # Custom class to allow using the TRACE verb
+        class Trace < Net::HTTPRequest
+          METHOD = 'TRACE'
+          REQUEST_HAS_BODY = false
+          RESPONSE_HAS_BODY = true
+        end
+
+        # Custom class to allow using the OPTIONS verb
+        class Options < Net::HTTPRequest
+          METHOD = 'OPTIONS'
+          REQUEST_HAS_BODY = false
+          RESPONSE_HAS_BODY = true
+        end
+      end
+    end
+  end
+end

data/lib/scanner/plugins/servers/apache.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'base64'
 require 'securerandom'
 
@@ -7,30 +9,30 @@ module Yawast
       module Servers
         class Apache
           def self.check_banner(banner)
-            #don't bother if this doesn't look like Apache
+            # don't bother if this doesn't look like Apache
             return unless banner.include? 'Apache'
             @apache = true
 
             modules = banner.split(' ')
             server = modules[0]
 
-            #fix '(distro)' issue, such as with 'Apache/2.2.22 (Ubuntu)'
+            # fix '(distro)' issue, such as with 'Apache/2.2.22 (Ubuntu)'
             # if we don't do this, it triggers a false positive on the module check
-            if /\(\w*\)/.match modules[1]
+            if /\(\w*\)/.match? modules[1]
               server += " #{modules[1]}"
               modules.delete_at 1
             end
 
-            #print the server info no matter what we do next
+            # print the server info no matter what we do next
             Yawast::Utilities.puts_info "Apache Server: #{server}"
             modules.delete_at 0
 
-            if modules.count > 0
+            if modules.count.positive?
               Yawast::Utilities.puts_warn 'Apache Server: Module listing enabled'
               modules.each { |mod| Yawast::Utilities.puts_warn "\t\t#{mod}" }
               puts ''
 
-              #check for special items
+              # check for special items
               modules.each do |mod|
                 if mod.include? 'OpenSSL'
                   Yawast::Utilities.puts_warn "OpenSSL Version Disclosure: #{mod}"
@@ -41,7 +43,7 @@ module Yawast
           end
 
           def self.check_all(uri)
-            #run all the defined checks
+            # run all the defined checks
             check_server_status(uri.copy)
             check_server_info(uri.copy)
             check_tomcat_manager(uri.copy)
@@ -65,14 +67,14 @@ module Yawast
               headers = Yawast::Shared::Http.get_headers
               res = req.request(Xyz.new('/', headers))
 
-              if res.body != nil && res.body.include?('Apache Tomcat') && res.code == '501'
-                #check to see if there's a version number
+              if !res.body.nil? && res.body.include?('Apache Tomcat') && res.code == '501'
+                # check to see if there's a version number
                 version = /Apache Tomcat\/\d*.\d*.\d*\b/.match res.body
 
-                if version != nil && version[0] != nil
+                if !version.nil? && !version[0].nil?
                   Yawast::Utilities.puts_warn "Apache Tomcat Version Found: #{version[0]}"
                   Yawast::Shared::Output.log_value 'apache', 'tomcat_version', version[0]
-                  
+
                   puts "\t\t\"curl -X XYZ #{uri}\""
 
                   puts ''
@@ -88,19 +90,19 @@ module Yawast
 
           def self.check_tomcat_manager_paths(uri, base_path, manager)
             uri.path = "/#{base_path}/html"
-            uri.query = '' if uri.query != nil
+            uri.query = '' unless uri.query.nil?
 
             ret = Yawast::Shared::Http.get(uri)
 
             if ret.include? '<tt>conf/tomcat-users.xml</tt>'
-              #this will get Tomcat 7+
+              # this will get Tomcat 7+
               Yawast::Utilities.puts_warn "Apache Tomcat #{manager} page found: #{uri}"
               Yawast::Shared::Output.log_value 'apache', 'tomcat_mgr', manager, uri
               check_tomcat_manager_passwords uri, manager
 
               puts ''
             else
-              #check for Tomcat 6 and below
+              # check for Tomcat 6 and below
               uri = uri.copy
               uri.path = "/#{base_path}"
               ret = Yawast::Shared::Http.get(uri)
@@ -116,7 +118,7 @@ module Yawast
           end
 
           def self.check_tomcat_manager_passwords(uri, manager)
-            #check for known passwords
+            # check for known passwords
             check_tomcat_manager_pwd_check uri, manager, 'tomcat:tomcat'
             check_tomcat_manager_pwd_check uri, manager, 'tomcat:password'
             check_tomcat_manager_pwd_check uri, manager, 'tomcat:'
@@ -128,7 +130,7 @@ module Yawast
           def self.check_tomcat_manager_pwd_check(uri, manager, credentials)
             ret = Yawast::Shared::Http.get(uri, {'Authorization' => "Basic #{Base64.encode64(credentials)}"})
             if ret.include?('<font size="+2">Tomcat Web Application Manager</font>') ||
-                ret.include?('<font size="+2">Tomcat Virtual Host Manager</font>')
+               ret.include?('<font size="+2">Tomcat Virtual Host Manager</font>')
               Yawast::Utilities.puts_vuln "Apache Tomcat #{manager} weak password: #{credentials}"
 
               Yawast::Shared::Output.log_value 'apache', 'tomcat_mgr_pwd', uri, credentials
@@ -138,7 +140,7 @@ module Yawast
           def self.check_tomcat_put_rce(uri)
             # CVE-2017-12615
             uri.path = "/#{SecureRandom.hex}.jsp/"
-            uri.query = '' if uri.query != nil
+            uri.query = '' unless uri.query.nil?
 
             Yawast::Shared::Output.log_value 'apache', 'cve_2017_12615', 'path', uri
 
@@ -166,7 +168,7 @@ module Yawast
           end
 
           def self.check_struts2_samples(uri)
-            search = Array.new
+            search = []
             search.push '/Struts2XMLHelloWorld/User/home.action'
             search.push '/struts2-showcase/showcase.action'
             search.push '/struts2-showcase/titles/index.action'
@@ -182,15 +184,13 @@ module Yawast
               ret = Yawast::Shared::Http.get_status_code uri
               Yawast::Shared::Output.log_value 'apache', 'struts2_sample_files', uri, ret
 
-              if ret == 200
-                Yawast::Utilities.puts_warn "Apache Struts2 Sample Files: #{uri}"
-              end
+              Yawast::Utilities.puts_warn "Apache Struts2 Sample Files: #{uri}" if ret == 200
             end
           end
 
           def self.check_page_for_string(uri, path, search)
             uri.path = path
-            uri.query = '' if uri.query != nil
+            uri.query = '' unless uri.query.nil?
 
             ret = Yawast::Shared::Http.get(uri)
 
@@ -202,7 +202,7 @@ module Yawast
           end
         end
 
-        #Custom class to allow using the XYZ verb
+        # Custom class to allow using the XYZ verb
         class Xyz < Net::HTTPRequest
           METHOD = 'XYZ'
           REQUEST_HAS_BODY = false

data/lib/scanner/plugins/servers/generic.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Yawast
+  module Scanner
+    module Plugins
+      module Servers
+        class Generic
+          def self.check_banner_php(banner)
+            # don't bother if this doesn't include PHP
+            return unless banner.include? 'PHP/'
+
+            modules = banner.split(' ')
+
+            modules.each do |mod|
+              if mod.include? 'PHP/'
+                Yawast::Utilities.puts_warn "PHP Version: #{mod}"
+                puts ''
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/scanner/plugins/servers/iis.rb

@@ -1,10 +1,12 @@
+# frozen_string_literal: true
+
 module Yawast
   module Scanner
     module Plugins
       module Servers
         class Iis
           def self.check_banner(banner)
-            #don't bother if this doesn't include IIS
+            # don't bother if this doesn't include IIS
             return unless banner.include? 'Microsoft-IIS/'
             @iis = true
 
@@ -13,7 +15,7 @@ module Yawast
           end
 
           def self.check_all(uri, head)
-            #run all the defined checks
+            # run all the defined checks
             check_asp_banner(head)
             check_mvc_version(head)
             check_asp_net_debug(uri)
@@ -45,9 +47,7 @@ module Yawast
               headers['Accept'] = '*/*'
               res = req.request(Debug.new('/', headers))
 
-              if res.code == 200
-                Yawast::Utilities.puts_vuln 'ASP.NET Debugging Enabled'
-              end
+              Yawast::Utilities.puts_vuln 'ASP.NET Debugging Enabled' if res.code == 200
 
               Yawast::Shared::Output.log_value 'http', 'asp_net_debug', 'raw', res.body
               Yawast::Shared::Output.log_value 'http', 'asp_net_debug', 'code', res.code
@@ -55,7 +55,7 @@ module Yawast
           end
         end
 
-        #Custom class to allow using the DEBUG verb
+        # Custom class to allow using the DEBUG verb
         class Debug < Net::HTTPRequest
           METHOD = 'DEBUG'
           REQUEST_HAS_BODY = false

data/lib/scanner/plugins/servers/nginx.rb

@@ -1,10 +1,12 @@
+# frozen_string_literal: true
+
 module Yawast
   module Scanner
     module Plugins
       module Servers
         class Nginx
           def self.check_banner(banner)
-            #don't bother if this doesn't include nginx
+            # don't bother if this doesn't include nginx
             return unless banner.include? 'nginx/'
 
             Yawast::Utilities.puts_warn "nginx Version: #{banner}"

data/lib/scanner/plugins/servers/python.rb

@@ -1,10 +1,12 @@
+# frozen_string_literal: true
+
 module Yawast
   module Scanner
     module Plugins
       module Servers
         class Python
           def self.check_banner(banner)
-            #don't bother if this doesn't include Python
+            # don't bother if this doesn't include Python
             return unless banner.include? 'Python/'
 
             Yawast::Utilities.puts_warn "Python Version: #{banner}"