yawast 0.7.0.beta3 → 0.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 7b0bb4cac61cb155a8c1bd6ac9393bfd7191e617
-  data.tar.gz: 11d3f67fb4d47496a67021a9802138713d167892
+  metadata.gz: 0ae21762fe7abf26bd16283e6a104c1013c446b7
+  data.tar.gz: 31549266d294f446a7e803e77cecd0e7e2bc999b
 SHA512:
-  metadata.gz: 36da9932032084faf8641741829ad7df7a2bdfa8be6f7c73ad05e6f3a0cedce7092b59be3dbd935b25ffe4ac3d7b22aaffffb55ba3fd6eba4b0219e12a75241d
-  data.tar.gz: a0f36333064f4299d03ba7139fe6fe8821929107730c9b5cdbfe584977be05ee211ffeb3dd1fe1bd33261285015725cc77f77abd99b2c8898fc7e841468140b3
+  metadata.gz: 886b7a4bf891d77eeca0f65a50733eb43aa6414c9d4d38a52acc363c1d6184df4b02d1ebf957ffc9637cb32097b088ae95527a90dbbdad58431403d327ec63a4
+  data.tar.gz: edd06c1933bda3b8643b9e6a06a8e690fa34f8136db9de5abdc446e08cc3fc766ffe8fc6f0ea514f76527630f718e35c30b9279a5dd6a01768d444cc05646e97

data/CHANGELOG.md

@@ -1,4 +1,4 @@
-## 0.7.0 - In Development
+## 0.7.0 - 2019-04-19
 
 * [#38](https://github.com/adamcaudill/yawast/issues/38) - JSON Output Option via `--output=` (work in progress)
 * [#133](https://github.com/adamcaudill/yawast/issues/133) - Include a Timestamp In Output
@@ -16,6 +16,7 @@
 * [#156](https://github.com/adamcaudill/yawast/issues/156) - Check for Rails CVE-2019-5418
 * [#157](https://github.com/adamcaudill/yawast/issues/157) - Add check for Nginx Status Page
 * [#158](https://github.com/adamcaudill/yawast/issues/158) - Add check for Tomcat RCE CVE-2019-0232
+* [#161](https://github.com/adamcaudill/yawast/issues/161) - Add WordPress WP-JSON User Enumeration
 * [#130](https://github.com/adamcaudill/yawast/issues/130) - Bug: HSTS Error leads to printing HTML
 * [#132](https://github.com/adamcaudill/yawast/issues/132) - Bug: Typo in SSL Output
 * [#142](https://github.com/adamcaudill/yawast/issues/142) - Bug: Error In Collecting DNS Information

data/Dockerfile

@@ -1,8 +1,50 @@
 FROM ruby:2.4-jessie
 
+RUN apt-get update && apt-get install -y \
+	apt-transport-https \
+	ca-certificates \
+	curl \
+	wget \
+	gnupg \
+	unzip \
+    --no-install-recommends \
+	&& curl -sSL https://dl.google.com/linux/linux_signing_key.pub | apt-key add - \
+	&& echo "deb https://dl.google.com/linux/chrome/deb/ stable main" > /etc/apt/sources.list.d/google-chrome.list \
+	&& apt-get update && apt-get install -y google-chrome-stable \
+    fontconfig \
+    fonts-ipafont-gothic \
+    fonts-wqy-zenhei \
+    fonts-thai-tlwg \
+    fonts-kacst \
+    fonts-noto \
+    ttf-freefont \
+    --no-install-recommends \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN CHROME_STRING=$(/usr/bin/google-chrome-stable --version) \
+  && CHROME_VERSION_STRING=$(echo "${CHROME_STRING}" | grep -oP "\d+\.\d+\.\d+\.\d+") \
+  && CHROME_MAJOR_VERSION=$(echo "${CHROME_VERSION_STRING%%.*}") \
+  && wget --no-verbose -O /tmp/LATEST_RELEASE "https://chromedriver.storage.googleapis.com/LATEST_RELEASE_${CHROME_MAJOR_VERSION}" \
+  && CD_VERSION=$(cat "/tmp/LATEST_RELEASE") \
+  && rm /tmp/LATEST_RELEASE \
+  && CHROME_DRIVER_VERSION="${CD_VERSION}" \
+  && echo "Using chromedriver version: "$CD_VERSION \
+  && echo "Using Chrome version:       "$CHROME_VERSION_STRING \
+  && wget --no-verbose -O /tmp/chromedriver_linux64.zip https://chromedriver.storage.googleapis.com/$CD_VERSION/chromedriver_linux64.zip \
+  && unzip /tmp/chromedriver_linux64.zip -d /usr/bin/ \
+  && rm /tmp/chromedriver_linux64.zip \
+  && chmod +x /usr/bin/chromedriver
+
+RUN groupadd -r chrome && useradd -r -g chrome -G audio,video chrome \
+    && mkdir -p /home/chrome && chown -R chrome:chrome /home/chrome \
+		&& mkdir -p /opt/google/chrome && chown -R chrome:chrome /opt/google/chrome
+
 COPY . /data
 WORKDIR /data
 
+USER chrome
+
 ENV LANG      C.UTF-8
 ENV LANGUAGE  C.UTF-8
 ENV LC_ALL    C.UTF-8

data/README.md

@@ -75,9 +75,10 @@ The following tests are performed:
 * *(ASP.NET)* Presence of Trace.axd
 * *(ASP.NET)* Presence of Elmah.axd
 * *(ASP.NET)* Debugging Enabled
-* *(nginx)* Info Disclosure: Server version
 * *(PHP)* Info Disclosure: PHP version
 * *(Rails)* File Content Disclosure: CVE-2019-5418
+* *(WordPress)* Version detection
+* *(WordPress)* WP-JSON User Enumeration
 
 CMS Detection:
 

data/lib/scanner/generic.rb

@@ -63,6 +63,8 @@ module Yawast
               Yawast::Utilities.puts_info 'NOTE: Server appears to be Cloudflare; WAF may be in place.'
               puts
             end
+
+            Yawast::Shared::Output.log_value 'server', server
           end
 
           Yawast::Utilities.puts_warn "X-Powered-By Header Present: #{powered_by}" if powered_by != ''

data/lib/scanner/plugins/applications/cms/wordpress.rb

@@ -0,0 +1,99 @@
+# frozen_string_literal: true
+
+module Yawast
+  module Scanner
+    module Plugins
+      module Applications
+        module CMS
+          class WordPress
+            # check to see if we can confirm the presence of WordPress
+            def self.identify(uri)
+              ret = nil
+
+              # check for wp-login.php in the current directory
+              resp = identify_by_path uri, uri.path
+
+              if resp.nil?
+                # if we don't get a hit at the current path, try under /blog/
+                resp = identify_by_path uri, uri.path + 'blog/'
+              end
+
+              unless resp.nil?
+                # confirmed hit
+                res = resp[:result]
+                ret = resp[:uri]
+
+                # strip the file name from the path
+                ret.path = ret.path.sub! 'wp-login.php', ''
+
+                css = res[:body].scan /login.min.css\?ver=\d+\.\d+\.?\d*/
+
+                ver = 'Unknown'
+                if !css.count.zero?
+                  ver = css[0].to_s.split('=')[1]
+                else
+                  # the current method doesn't work, fall back to an older method
+                  css = res[:body].scan /load-styles.php\?[\w\,\;\=\&\%]+;ver=\d+\.\d+\.?\d*/
+                  ver = css[0].to_s.split('=')[-1] unless css.count.zero?
+                end
+
+                Yawast::Utilities.puts_info "Found WordPress v#{ver} at #{ret}"
+                Yawast::Shared::Output.log_value 'application', 'wordpress', 'uri', ret
+                Yawast::Shared::Output.log_value 'application', 'wordpress', 'version', ver
+                Yawast::Shared::Output.log_value 'application', 'wordpress', 'login_body', res[:body]
+              end
+
+              ret
+            end
+
+            def self.identify_by_path(uri, path)
+              login_uri = uri.copy
+              login_uri.path = path + 'wp-login.php'
+
+              res = Yawast::Shared::Http.get_with_code login_uri
+
+              if res[:code] == '200' && res[:body].include?('Powered by WordPress')
+                return {result: res, uri: login_uri}
+              else
+                return nil
+              end
+            end
+
+            def self.check_json_user_enum(uri)
+              Yawast::Shared::Output.log_hash 'vulnerabilities',
+                                              'wordpress_json_user_enum',
+                                              {vulnerable: false, users: nil}
+
+              json_uri = uri.copy
+              json_uri.path = json_uri.path + 'wp-json/wp/v2/users'
+              res = Yawast::Shared::Http.get_with_code json_uri
+
+              if res[:code] == '200' && res[:body].include?('slug')
+                # we have a likely hit
+                users = nil
+                begin
+                  users = JSON.parse res[:body]
+                rescue # rubocop:disable Style/RescueStandardError, Lint/HandleExceptions
+                  # don't care why it failed
+                end
+
+                unless users.nil?
+                  Yawast::Shared::Output.log_hash 'vulnerabilities',
+                                                  'wordpress_json_user_enum',
+                                                  {vulnerable: true, users: users}
+                  Yawast::Utilities.puts_warn "WordPress WP-JSON User Enumeration at #{json_uri}"
+
+                  users.each do |user|
+                    Yawast::Utilities.puts_raw "ID: #{user['id']}\tUser Slug: '#{user['slug']}'\t\tUser Name: '#{user['name']}'"
+                  end
+
+                  puts
+                end
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/scanner/plugins/applications/generic/password_reset.rb

@@ -92,11 +92,13 @@ module Yawast
                 end
               rescue ArgumentError => e
                 Yawast::Utilities.puts_error "Unable to find a matching element to perform the User Enumeration via Password Reset Response test (#{e.message})"
+              rescue => e # rubocop:disable Style/RescueStandardError
+                Yawast::Utilities.puts_error "Failed to execute Password Reset Page User Enumeration: Error: #{e.message}"
               end
             end
 
             def self.fill_form_get_body(uri, user, valid, log_output)
-              options = Selenium::WebDriver::Chrome::Options.new({args: ['headless', 'incognito']})
+              options = Selenium::WebDriver::Chrome::Options.new({args: ['headless', 'incognito', 'disable-dev-shm-usage', 'no-sandbox']})
 
               # if we have a proxy set, use that
               if !Yawast.options.proxy.nil?

data/lib/scanner/ssl_labs.rb

@@ -391,6 +391,7 @@ module Yawast
           elsif proto['name'] == 'TLS' &&  proto['version'] == '1.3'
             # capture TLS 1.3 status
             tls13_enabled = true
+            Yawast::Utilities.puts_info "\t\t\t#{proto['name']} #{proto['version']}"
             Yawast::Shared::Output.log_hash 'vulnerabilities',
                                             'tls_tls13_not_enabled',
                                             {vulnerable: false}

data/lib/scanner/vuln_scan.rb

@@ -34,6 +34,11 @@ module Yawast
 
         # check for framework specific issues
         Yawast::Scanner::Plugins::Applications::Framework::Rails.check_all uri, links
+
+        wordpress_uri = Yawast::Scanner::Plugins::Applications::CMS::WordPress.identify uri
+        unless wordpress_uri.nil?
+          Yawast::Scanner::Plugins::Applications::CMS::WordPress.check_json_user_enum wordpress_uri
+        end
       end
     end
   end

data/lib/shared/http.rb

@@ -45,8 +45,8 @@ module Yawast
           res = req.request_get(uri, get_headers(headers))
           body = res.read_body
           code = res.code
-        rescue # rubocop:disable Style/RescueStandardError, Lint/HandleExceptions
-          # do nothing for now
+        rescue => e # rubocop:disable Style/RescueStandardError
+          Yawast::Utilities.puts_error "Error sending request to #{uri} - '#{e.message}'"
         end
 
         {body: body, code: code}

data/lib/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Yawast
-  VERSION = '0.7.0.beta3'
+  VERSION = '0.7.0'
 end

data/test/data/wp-json-users.txt

@@ -0,0 +1 @@
+[{"id":1,"name":"Adam Caudill","url":"https:\/\/adamcaudill.com","description":"","link":"https:\/\/underhandedcrypto.com\/author\/adam\/","slug":"adam","avatar_urls":{"24":"https:\/\/secure.gravatar.com\/avatar\/49e14cf9f67c48aad082dec4f106f19a?s=24&d=mm&r=g","48":"https:\/\/secure.gravatar.com\/avatar\/49e14cf9f67c48aad082dec4f106f19a?s=48&d=mm&r=g","96":"https:\/\/secure.gravatar.com\/avatar\/49e14cf9f67c48aad082dec4f106f19a?s=96&d=mm&r=g"},"meta":[],"_links":{"self":[{"href":"https:\/\/underhandedcrypto.com\/wp-json\/wp\/v2\/users\/1"}],"collection":[{"href":"https:\/\/underhandedcrypto.com\/wp-json\/wp\/v2\/users"}]}},{"id":2,"name":"Taylor Hornby","url":"https:\/\/defuse.ca\/","description":"","link":"https:\/\/underhandedcrypto.com\/author\/taylor\/","slug":"taylor","avatar_urls":{"24":"https:\/\/secure.gravatar.com\/avatar\/8b1f016c79a6b82740427da6fff77de2?s=24&d=mm&r=g","48":"https:\/\/secure.gravatar.com\/avatar\/8b1f016c79a6b82740427da6fff77de2?s=48&d=mm&r=g","96":"https:\/\/secure.gravatar.com\/avatar\/8b1f016c79a6b82740427da6fff77de2?s=96&d=mm&r=g"},"meta":[],"_links":{"self":[{"href":"https:\/\/underhandedcrypto.com\/wp-json\/wp\/v2\/users\/2"}],"collection":[{"href":"https:\/\/underhandedcrypto.com\/wp-json\/wp\/v2\/users"}]}}]

data/test/data/wp-login-4.9.8.txt

@@ -0,0 +1,61 @@
+
+<!DOCTYPE html>
+<!--[if IE 8]>
+		<html xmlns="http://www.w3.org/1999/xhtml" class="ie8" lang="en-US">
+	<![endif]-->
+<!--[if !(IE 8) ]><!-->
+<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US">
+<!--<![endif]-->
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+<title>Log In &lsaquo; Underhanded Crypto Contest &#8212; WordPress</title>
+<link rel='dns-prefetch' href='//s.w.org' />
+<link rel='stylesheet' href='https://underhandedcrypto.com/wp-admin/load-styles.php?c=0&amp;dir=ltr&amp;load%5B%5D=dashicons,buttons,forms,l10n,login&amp;ver=4.9.8' type='text/css' media='all' />
+<meta name='robots' content='noindex,follow' />
+<meta name="viewport" content="width=device-width" />
+<link rel="icon" href="https://underhandedcrypto.com/wp-content/uploads/2014/09/cropped-logo1-32x32.png" sizes="32x32" />
+<link rel="icon" href="https://underhandedcrypto.com/wp-content/uploads/2014/09/cropped-logo1-192x192.png" sizes="192x192" />
+<link rel="apple-touch-icon-precomposed" href="https://underhandedcrypto.com/wp-content/uploads/2014/09/cropped-logo1-180x180.png" />
+<meta name="msapplication-TileImage" content="https://underhandedcrypto.com/wp-content/uploads/2014/09/cropped-logo1-270x270.png" />
+</head>
+<body class="login login-action-login wp-core-ui  locale-en-us">
+<div id="login">
+<h1><a href="https://wordpress.org/" title="Powered by WordPress" tabindex="-1">Powered by WordPress</a></h1>
+<form name="loginform" id="loginform" action="https://underhandedcrypto.com/wp-login.php" method="post">
+<p>
+<label for="user_login">Username or Email Address<br />
+<input type="text" name="log" id="user_login" class="input" value="" size="20" /></label>
+</p>
+<p>
+<label for="user_pass">Password<br />
+<input type="password" name="pwd" id="user_pass" class="input" value="" size="20" /></label>
+</p>
+<p class="forgetmenot"><label for="rememberme"><input name="rememberme" type="checkbox" id="rememberme" value="forever" /> Remember Me</label></p>
+<p class="submit">
+<input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="Log In" />
+<input type="hidden" name="redirect_to" value="https://underhandedcrypto.com/wp-admin/" />
+<input type="hidden" name="testcookie" value="1" />
+</p>
+</form>
+<p id="nav">
+<a href="https://underhandedcrypto.com/wp-login.php?action=lostpassword">Lost your password?</a>
+</p>
+<script type="text/javascript">
+function wp_attempt_focus(){
+setTimeout( function(){ try{
+d = document.getElementById('user_login');
+d.focus();
+d.select();
+} catch(e){}
+}, 200);
+}
+
+wp_attempt_focus();
+if(typeof wpOnload=='function')wpOnload();
+</script>
+<p id="backtoblog"><a href="https://underhandedcrypto.com/">&larr; Back to Underhanded Crypto Contest</a></p>
+</div>
+<link rel='stylesheet' id='jetpack_css-css' href='https://underhandedcrypto.com/wp-content/plugins/jetpack/css/jetpack.css?ver=6.4.2' type='text/css' media='all' />
+<div class="clear"></div>
+</body>
+</html>

data/test/data/wp-login-5.1.1.txt

@@ -0,0 +1,80 @@
+
+<!DOCTYPE html>
+	<!--[if IE 8]>
+		<html xmlns="http://www.w3.org/1999/xhtml" class="ie8" lang="en-US">
+	<![endif]-->
+	<!--[if !(IE 8) ]><!-->
+		<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US">
+	<!--<![endif]-->
+	<head>
+	<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+	<title>Log In &lsaquo; Adam Caudill &#8212; WordPress</title>
+	<link rel='dns-prefetch' href='//s.w.org' />
+<link rel='stylesheet' id='dashicons-css'  href='https://adamcaudill.com/wp-includes/css/dashicons.min.css?ver=5.1.1' type='text/css' media='all' />
+<link rel='stylesheet' id='buttons-css'  href='https://adamcaudill.com/wp-includes/css/buttons.min.css?ver=5.1.1' type='text/css' media='all' />
+<link rel='stylesheet' id='forms-css'  href='https://adamcaudill.com/wp-admin/css/forms.min.css?ver=5.1.1' type='text/css' media='all' />
+<link rel='stylesheet' id='l10n-css'  href='https://adamcaudill.com/wp-admin/css/l10n.min.css?ver=5.1.1' type='text/css' media='all' />
+<link rel='stylesheet' id='login-css'  href='https://adamcaudill.com/wp-admin/css/login.min.css?ver=5.1.1' type='text/css' media='all' />
+	<meta name='robots' content='noindex,noarchive' />
+	<meta name='referrer' content='strict-origin-when-cross-origin' />
+		<meta name="viewport" content="width=device-width" />
+		</head>
+	<body class="login login-action-login wp-core-ui  locale-en-us">
+		<div id="login">
+		<h1><a href="https://wordpress.org/" title="Powered by WordPress">Powered by WordPress</a></h1>
+
+	<form name="loginform" id="loginform" action="https://adamcaudill.com/wp-login.php" method="post">
+	<p>
+		<label for="user_login">Username or Email Address<br />
+		<input type="text" name="log" id="user_login" class="input" value="" size="20" autocapitalize="off" /></label>
+	</p>
+	<p>
+		<label for="user_pass">Password<br />
+		<input type="password" name="pwd" id="user_pass" class="input" value="" size="20" /></label>
+	</p>
+			<p>
+		<label title="If you don't have Google Authenticator enabled for your WordPress account, leave this field empty.">Google Authenticator code<span id="google-auth-info"></span><br />
+		<input type="text" name="googleotp" id="user_email" class="input" value="" size="20" style="ime-mode: inactive;" /></label>
+	</p>
+	<p class="forgetmenot"><label for="rememberme"><input name="rememberme" type="checkbox" id="rememberme" value="forever"  /> Remember Me</label></p>
+	<p class="submit">
+		<input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="Log In" />
+				<input type="hidden" name="redirect_to" value="https://adamcaudill.com/wp-admin/" />
+					<input type="hidden" name="testcookie" value="1" />
+	</p>
+	</form>
+
+			<p id="nav">
+					<a href="https://adamcaudill.com/wp-login.php?action=lostpassword">Lost your password?</a>
+				</p>
+
+	<script type="text/javascript">
+	function wp_attempt_focus(){
+	setTimeout( function(){ try{
+			d = document.getElementById('user_login');
+				d.focus();
+	d.select();
+	} catch(e){}
+	}, 200);
+	}
+
+			wp_attempt_focus();
+			if(typeof wpOnload=='function')wpOnload();
+			</script>
+
+			<p id="backtoblog"><a href="https://adamcaudill.com/">
+		&larr; Back to Adam Caudill	</a></p>
+
+	</div>
+
+
+
+<script type="text/javascript">
+	try{
+		document.getElementById('user_email').setAttribute('autocomplete','off');
+	} catch(e){}
+</script>
+<link rel='stylesheet' id='jetpack_css-css'  href='https://adamcaudill.com/wp-content/plugins/jetpack/css/jetpack.css?ver=7.1.1' type='text/css' media='all' />
+	<div class="clear"></div>
+	</body>
+	</html>

data/test/test_app_cms_wp.rb

@@ -0,0 +1,76 @@
+require 'webrick'
+require File.dirname(__FILE__) + '/../lib/yawast'
+require File.dirname(__FILE__) + '/base'
+
+class TestAppCMSWordPress < Minitest::Test
+  include TestBase
+
+  def test_identify_wp_551
+    override_stdout
+
+    port = rand(60000) + 1024 # pick a random port number
+    server = start_web_server File.dirname(__FILE__) + '/data/wp-login-5.1.1.txt', '', port
+    uri = Yawast::Commands::Utils.extract_uri(["http://localhost:#{port}"])
+
+    error = nil
+    begin
+      Yawast::Shared::Http.setup nil, nil
+      Yawast::Scanner::Plugins::Applications::CMS::WordPress.identify uri
+    rescue => e
+      error = e.message
+    end
+
+    assert stdout_value.include?('Found WordPress v5.1.1'), "WordPress version not found: #{stdout_value}"
+    assert error == nil, "Unexpected error: #{error}"
+
+    restore_stdout
+
+    server.exit
+  end
+
+  def test_identify_wp_498
+    override_stdout
+
+    port = rand(60000) + 1024 # pick a random port number
+    server = start_web_server File.dirname(__FILE__) + '/data/wp-login-4.9.8.txt', '', port
+    uri = Yawast::Commands::Utils.extract_uri(["http://localhost:#{port}"])
+
+    error = nil
+    begin
+      Yawast::Shared::Http.setup nil, nil
+      Yawast::Scanner::Plugins::Applications::CMS::WordPress.identify uri
+    rescue => e
+      error = e.message
+    end
+
+    assert stdout_value.include?('Found WordPress v4.9.8'), "WordPress version not found: #{stdout_value}"
+    assert error == nil, "Unexpected error: #{error}"
+
+    restore_stdout
+
+    server.exit
+  end
+
+  def test_wp_json_enum
+    override_stdout
+
+    port = rand(60000) + 1024 # pick a random port number
+    server = start_web_server File.dirname(__FILE__) + '/data/wp-json-users.txt', '', port
+    uri = Yawast::Commands::Utils.extract_uri(["http://localhost:#{port}"])
+
+    error = nil
+    begin
+      Yawast::Shared::Http.setup nil, nil
+      Yawast::Scanner::Plugins::Applications::CMS::WordPress.check_json_user_enum uri
+    rescue => e
+      error = e.message
+    end
+
+    assert stdout_value.include?('WordPress WP-JSON User Enumeration at'), "WordPress WP-JSON User Enum not found: #{stdout_value}"
+    assert error == nil, "Unexpected error: #{error}"
+
+    restore_stdout
+
+    server.exit
+  end
+end

data/test/test_app_fw_rails.rb

@@ -1,7 +1,7 @@
 require File.dirname(__FILE__) + '/../lib/yawast'
 require File.dirname(__FILE__) + '/base'
 
-class TestScannerApache < Minitest::Test
+class TestAppFWRails < Minitest::Test
   include TestBase
 
   def test_check_cve_2019_5418

data/test/test_ssl_sweet32.rb

@@ -4,26 +4,26 @@ require File.dirname(__FILE__) + '/base'
 class TestSharedHttp < Minitest::Test
   include TestBase
 
-  def test_check_tdes
-    override_stdout
-
-    res = Yawast::Scanner::Plugins::SSL::Sweet32.check_tdes
-
-    assert stdout_value.include?('OpenSSL supports 3DES'), "Header line not found in #{stdout_value}"
-    assert res, '3DES support check failed'
-
-    restore_stdout
-  end
-
-  def test_session_count
-    override_stdout
-
-    uri = URI::Parser.new.parse 'https://3des.badssl.com/'
-    Yawast::Scanner::Plugins::SSL::Sweet32.get_tdes_session_msg_count uri, 1
-
-    assert stdout_value.include?('Connection not terminated after'), "SWEET32 warning not found in #{stdout_value}"
-
-    restore_stdout
-  end
+  # def test_check_tdes
+  #   override_stdout
+  #
+  #   res = Yawast::Scanner::Plugins::SSL::Sweet32.check_tdes
+  #
+  #   assert stdout_value.include?('OpenSSL supports 3DES'), "Header line not found in #{stdout_value}"
+  #   assert res, '3DES support check failed'
+  #
+  #   restore_stdout
+  # end
+  #
+  # def test_session_count
+  #   override_stdout
+  #
+  #   uri = URI::Parser.new.parse 'https://3des.badssl.com/'
+  #   Yawast::Scanner::Plugins::SSL::Sweet32.get_tdes_session_msg_count uri, 1
+  #
+  #   assert stdout_value.include?('Connection not terminated after'), "SWEET32 warning not found in #{stdout_value}"
+  #
+  #   restore_stdout
+  # end
 
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: yawast
 version: !ruby/object:Gem::Version
-  version: 0.7.0.beta3
+  version: 0.7.0
 platform: ruby
 authors:
 - Adam Caudill
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-04-15 00:00:00.000000000 Z
+date: 2019-04-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: colorize
@@ -225,6 +225,7 @@ files:
 - lib/scanner/core.rb
 - lib/scanner/generic.rb
 - lib/scanner/plugins/applications/cms/generic.rb
+- lib/scanner/plugins/applications/cms/wordpress.rb
 - lib/scanner/plugins/applications/framework/rails.rb
 - lib/scanner/plugins/applications/generic/password_reset.rb
 - lib/scanner/plugins/dns/caa.rb
@@ -274,6 +275,10 @@ files:
 - test/data/ssl_labs_info.json
 - test/data/tomcat_release_notes.txt
 - test/data/wordpress_readme_html.txt
+- test/data/wp-json-users.txt
+- test/data/wp-login-4.9.8.txt
+- test/data/wp-login-5.1.1.txt
+- test/test_app_cms_wp.rb
 - test/test_app_fw_rails.rb
 - test/test_cmd_util.rb
 - test/test_directory_search.rb
@@ -312,9 +317,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements: []
 rubyforge_project: yawast
 rubygems_version: 2.6.14
@@ -343,6 +348,10 @@ test_files:
 - test/data/ssl_labs_info.json
 - test/data/tomcat_release_notes.txt
 - test/data/wordpress_readme_html.txt
+- test/data/wp-json-users.txt
+- test/data/wp-login-4.9.8.txt
+- test/data/wp-login-5.1.1.txt
+- test/test_app_cms_wp.rb
 - test/test_app_fw_rails.rb
 - test/test_cmd_util.rb
 - test/test_directory_search.rb