├── Auth_Mode ├── README.md ├── plugin.json └── run.rb ├── BurpAppendix ├── README.md ├── ba_cli.rb └── plugin.json ├── ExcelToVariables ├── README.md ├── UDO1.png ├── UDO2.png ├── UDO3.png ├── UDO4.png ├── UDO5.png ├── plugin.json ├── routes.rb └── views │ └── excel_to_variables.haml ├── ExtraFindings ├── README.md ├── data │ └── VulnDB │ │ ├── .gitignore │ │ ├── LICENSE.md │ │ ├── README.md │ │ ├── circle.yml │ │ ├── db │ │ ├── 1-allowed-http-methods.json │ │ ├── 10-common-sensitive-file.json │ │ ├── 11-cookie-set-for-parent-domain.json │ │ ├── 12-credit-card-number-disclosure.json │ │ ├── 13-cross-site-request-forgery.json │ │ ├── 14-cvs-svn-user-disclosure.json │ │ ├── 15-directory-listing.json │ │ ├── 16-e-mail-address-disclosure.json │ │ ├── 17-file-inclusion.json │ │ ├── 18-form-based-file-upload.json │ │ ├── 19-missing-strict-transport-security-header.json │ │ ├── 2-a-backdoor-file-exists-on-the-server.json │ │ ├── 20-misconfiguration-in-limit-directive-of-htaccess-file.json │ │ ├── 21-html-object.json │ │ ├── 22-httponly-cookie.json │ │ ├── 23-publicly-writable-directory.json │ │ ├── 24-insecure-client-access-policy.json │ │ ├── 25-insecure-cookie.json │ │ ├── 26-access-control-allow-origin-star.json │ │ ├── 27-insecure-cross-domain-policy-allow-access-from.json │ │ ├── 29-interesting-response.json │ │ ├── 3-backup-directory.json │ │ ├── 30-ldap-injection.json │ │ ├── 31-exposed-localstart-asp-page.json │ │ ├── 32-mixed-resource.json │ │ ├── 33-nosql-injection.json │ │ ├── 34-blind-nosql-injection-differential-analysis.json │ │ ├── 35-access-restriction-bypass-via-origin-spoof.json │ │ ├── 36-operating-system-command-injection.json │ │ ├── 38-password-field-with-auto-complete.json │ │ ├── 39-path-traversal.json │ │ ├── 4-backup-file.json │ │ ├── 40-private-ip-address-disclosure.json │ │ ├── 41-response-splitting.json │ │ ├── 42-remote-file-inclusion.json │ │ ├── 43-session-fixation.json │ │ ├── 44-source-code-disclosure.json │ │ ├── 45-sql-injection.json │ 
│ ├── 46-blind-sql-injection.json │ │ ├── 47-blind-sql-injection-timing-attack.json │ │ ├── 48-disclosed-us-social-security-number-ssn.json │ │ ├── 49-unencrypted-password-form.json │ │ ├── 5-captcha-protected-form.json │ │ ├── 50-unvalidated-redirect.json │ │ ├── 51-unvalidated-dom-redirect.json │ │ ├── 52-webdav.json │ │ ├── 53-missing-x-frame-options-header.json │ │ ├── 54-xpath-injection.json │ │ ├── 55-cross-site-scripting-xss.json │ │ ├── 56-dom-based-cross-site-scripting-xss.json │ │ ├── 6-code-injection.json │ │ ├── 63-http-trace.json │ │ ├── 64-xml-external-entity.json │ │ ├── 65-arbitrary-file-upload.json │ │ ├── 66-insecure-ssl-version.json │ │ ├── 67-self-signed-ssl-certificate.json │ │ ├── 68-shellshock.json │ │ ├── 69-insecure-frontpage-configuration.json │ │ ├── 70-persistent-xss.json │ │ ├── 71-reflected-file-download.json │ │ ├── 72-cache-control-headers.json │ │ ├── 73-information-leak-stack-trace.json │ │ ├── 74-phishing-vector.json │ │ ├── 75-guessable-credentials.json │ │ ├── 76-x-content-type-options_header_missing.json │ │ ├── 77-HTTP-Basic-Authenticationcredentials.json │ │ ├── 8-code-injection.json │ │ └── 9-common-directory.json │ │ ├── schema.json │ │ └── tests │ │ ├── __init__.py │ │ ├── requirements.txt │ │ ├── test_all_json.py │ │ ├── test_json_spec.py │ │ ├── test_references.py │ │ ├── test_schema_compatability.py │ │ ├── valid_markdown.py │ │ └── vulndb_test.py ├── installed ├── plugin.json ├── routes.rb └── views │ └── import.haml ├── README.md ├── TestPlugin ├── helpers │ └── testplugin_listener.rb ├── plugin.json ├── routes.rb └── views │ └── test_plugin.haml └── UDV_Worksheet ├── README.md ├── master_udv.rb ├── plugin.json ├── routes.rb ├── udv.db └── views └── sheet.haml /Auth_Mode/README.md: -------------------------------------------------------------------------------- 1 | # WARNING 2 | 3 | This plugin disables all authentication and authorization. Be careful enabling it. 
4 | 5 | ## Auth Mode 6 | 7 | Auth Mode is a simple plugin to disable authentication and authorization checks. It's purpose is to: 8 | - Provide an example of the power of monkey patching Serpico. See the [blog post](https://www.serpicoproject.com) for more information. 9 | - Speed up development testing 10 | 11 | ## Installation 12 | 13 | 1. Upload and enable the plug-in using typical means 14 | 2. Create a blank file called "installed" in the directory "./plugins/Auth_Mode" -------------------------------------------------------------------------------- /Auth_Mode/plugin.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Auth_Mode", 3 | "description": "WARNING: Disables all authentication. See the README for instructions.", 4 | "enabled": false, 5 | "report_view": false, 6 | "admin_view": false 7 | } -------------------------------------------------------------------------------- /Auth_Mode/run.rb: --------------------------------------------------------------------------------
# Auth_Mode is only active while the marker file plugins/Auth_Mode/installed
# exists (relative to the process working directory). When active, the three
# checks below are redefined on Serpico's Server class to answer true for every
# request, i.e. authentication and authorization are switched off globally.
if File.file?("#{Dir.pwd()}/plugins/Auth_Mode/installed")
  class Server < Sinatra::Application
    # Same effect as three `def ...; return true; end` methods: each check
    # takes no arguments and unconditionally returns true.
    %w[is_administrator? valid_session? is_plugin?].each do |check|
      define_method(check) { true }
    end
  end
else
  puts "|!| Failed to load AuthMode, see the README for installation instructions."
end
-------------------------------------------------------------------------------- /BurpAppendix/README.md: -------------------------------------------------------------------------------- 1 | # Overview 2 | 3 | This plug-in generates a branded word document from BurpSuite results XML import. Currently, can only be run from the CLI, access via UI should be soon. 4 | 5 | # Command Line 6 | 7 | The plugin can be run from the command line in the Serpico directory. 8 | 9 | ``` 10 | cd plugins/BurpAppendix 11 | ruby ba_cli.rb [XML_DATA] [TEMPLATE_DOCX] 12 | ``` 13 | 14 | e.g. 
15 | ``` 16 | ruby ba_cli.rb burp_results.xml branded.docx 17 | ``` 18 | -------------------------------------------------------------------------------- /BurpAppendix/ba_cli.rb: --------------------------------------------------------------------------------
# CLI: ruby ba_cli.rb BURP_XML TEMPLATE
# Must be run from the Serpico root so the relative requires below resolve.
1 | require './model/master'
2 | require './helpers/helper'
3 | require './helpers/vuln_importer'
4 | require './helpers/xslt_generation'
5 | require 'nokogiri'
6 | require 'zip'
7 | 
8 | # todo usage
9 | 
# Convert a .docx report template into the XSLT that is later applied to the
# findings XML. generate_xslt comes from the required helpers (not in this file).
#   docx - path to the template .docx
# Returns the XSLT source on success. Any StandardError raised while parsing is
# printed and the process exits; note that a bare `exit` exits with status 0,
# so a broken template looks like success to a calling shell script.
# (The "you uploaded" wording refers to the web flow; here the template is a CLI argument.)
10 | def convert_docx_xslt(docx)
11 | # read the docx in
12 | error = nil
13 | begin
14 | xslt = generate_xslt(docx)
15 | rescue => e # bare rescue: StandardError only
16 | puts e
17 | error = e
18 | end
19 | 
20 | 
21 | if error
22 | puts "|!| The report template you uploaded threw an error when parsing:#{error}"
23 | exit
24 | else
25 | return xslt
26 | end
27 | end
28 | 
29 | 
# Build a branded .docx from a Burp Suite XML export.
#   bxml   - path to the Burp XML export; read in full with File.read
#   xsltin - path to the .docx template; it is both converted to XSLT and copied
#            to ./tmp as the base of the generated document
# Returns nothing useful; the generated file's path is printed to stdout.
# NOTE(review): several string literals in this listing appear empty
# (`findings_xml = ""`, `findings_xml << ""`, `"#{findings_xml}"`). The page
# rendering has most likely stripped XML tags out of them — confirm against the
# real file before relying on this copy.
30 | def run(bxml, xsltin)
31 | # parse burp xml
# parse_burp_xml is a required helper (presumably helpers/vuln_importer); only its "findings" entry is used
32 | findings = parse_burp_xml(File.read("#{bxml}"))["findings"]
33 | 
34 | # set the findings to xml
35 | findings_xml = ""
36 | findings.each do |finding|
37 | findings_xml << finding.to_xml
38 | end
39 | findings_xml << ""
40 | 
41 | # Replace the stub elements with real XML elements; add your Company Name
42 | findings_xml = meta_markup_unencode(findings_xml, "Company Name")
43 | 
44 | # make a report XML
45 | report_xml = "#{findings_xml}"
46 | 
47 | # convert the docx to xslt
48 | xslt_in = convert_docx_xslt(xsltin)
49 | 
50 | # Push the finding from XML to XSLT
# The stylesheet is derived from the operator-supplied template, so it is
# trusted exactly as far as that template file is.
51 | xslt = Nokogiri::XSLT(xslt_in)
52 | docx_xml = xslt.transform(Nokogiri::XML(report_xml))
53 | 
54 | # We use a temporary file with a random name
# Kernel#rand, not SecureRandom: adequate for uniqueness, not for unguessable
# names. ./tmp must already exist, and copy_file silently overwrites a file of
# the same name.
55 | rand_file = "./tmp/#{rand(36**12).to_s(36)}.docx"
56 | FileUtils::copy_file(xsltin,rand_file)
57 | 
58 | # build the word document using the results
# docx_modify is a required helper; judging by its arguments it writes
# docx_xml into the word/document.xml entry of the copied template — confirm in helpers
59 | docx_modify(rand_file, docx_xml,'word/document.xml')
60 | 
61 | puts "|+| Report generated: #{rand_file}"
62 | end
63 | 
# entry point: both positional arguments are required
64 | if ARGV.size < 2
65 | puts "usage:\n\t\truby ba_cli.rb BURP_XML TEMPLATE"
66 | else
67 | run(ARGV[0],ARGV[1])
68 | end 
-------------------------------------------------------------------------------- /BurpAppendix/plugin.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "BurpAppendix", 3 | "description": "This plug-in generates a branded document from Burp XML data.", 4 | "link":"/BurpAppendix/import", 5 | "enabled": false, 6 | "report_view": true, 7 | "admin_view": false 8 | } -------------------------------------------------------------------------------- /ExcelToVariables/README.md: -------------------------------------------------------------------------------- 1 | # What's this 2 | With this module, you can create UDVs and UDOs from an Excel file. This is especially useful if you want to use formulas to automatically calculate UDVs, or things like that. 3 | 4 | # How 5 | 6 | ## Here's an example of Excel containing UDOs and UDVs 7 | 8 | ![Template](UDO1.png) 9 | 10 | ![Template](UDO5.png) 11 | 12 | ## Upload your Excel 13 | 14 | ![Template](UDO2.png) 15 | 16 | ## The UDOs and UDVs are created 17 | 18 | ![Template](UDO3.png) 19 | 20 | ![Template](UDO4.png) 21 | -------------------------------------------------------------------------------- /ExcelToVariables/UDO1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SerpicoProject/SerpicoPlugins/7cec9ef395066fd83fc34544546876fcc761ec8c/ExcelToVariables/UDO1.png -------------------------------------------------------------------------------- /ExcelToVariables/UDO2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SerpicoProject/SerpicoPlugins/7cec9ef395066fd83fc34544546876fcc761ec8c/ExcelToVariables/UDO2.png -------------------------------------------------------------------------------- /ExcelToVariables/UDO3.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/SerpicoProject/SerpicoPlugins/7cec9ef395066fd83fc34544546876fcc761ec8c/ExcelToVariables/UDO3.png -------------------------------------------------------------------------------- /ExcelToVariables/UDO4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SerpicoProject/SerpicoPlugins/7cec9ef395066fd83fc34544546876fcc761ec8c/ExcelToVariables/UDO4.png -------------------------------------------------------------------------------- /ExcelToVariables/UDO5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SerpicoProject/SerpicoPlugins/7cec9ef395066fd83fc34544546876fcc761ec8c/ExcelToVariables/UDO5.png -------------------------------------------------------------------------------- /ExcelToVariables/plugin.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "ExcelToVariables", 3 | "description": "Plugin to create UDVs and UDOs from Excel", 4 | "link": "/excel_to_variables", 5 | "enabled": true, 6 | "report_view": true, 7 | "admin_view": false 8 | } -------------------------------------------------------------------------------- /ExcelToVariables/routes.rb: --------------------------------------------------------------------------------
1 | require 'sinatra'
# Nokogiri, Zip, JSON and CGI are used below without a require here; the host
# application is expected to have loaded them before this plugin file.
2 | 
3 | # upload Excel file to be transformed in udvs and udos
# GET: render the upload form for the report named by params[:report_id].
# Whether the current user may act on that report is decided entirely by
# get_report (host helper, not in this file).
4 | get '/excel_to_variables' do
5 | report_id = params[:report_id]
6 | # Query for the first report matching the id
7 | @report = get_report(report_id)
8 | return 'No Such Report' if @report.nil?
9 | 
10 | haml :'../plugins/ExcelToVariables/views/excel_to_variables'
11 | end
12 | 
13 | # upload Excel file to be transformed in udvs and udos
# POST: read the uploaded .xlsx from params[:file] and walk every worksheet
# returned by find_excel_worksheets. Cells are interpreted by marker characters
# in their text:
#   - 'æ' marks a UDO type; the row directly below holds 'π'-marked property
#     names, each with its value in the cell to the right
#   - '§' marks a UDV name; its value is the cell to the right
# Results are saved as UserDefinedObjectTemplates / UserDefinedObjects rows and
# in the report's user_defined_variables JSON. All of that text originates in
# the uploaded file and is untrusted: only UDO property values go through
# CGI.escapeHTML; type names, property names, UDV names and UDV values are
# stored as-is. A failed save returns the validation messages as the response body.
# NOTE(review): some string literals in this copy look truncated (the two
# `<< ''` around CGI.escapeHTML(br), the `"#{...}"` wrappers, the multi-line
# return messages) — markup was probably stripped when the page was rendered;
# confirm against the real file.
14 | post '/excel_to_variables' do
15 | report_id = params[:report_id]
16 | # Query for the first report matching the id
17 | @report = get_report(report_id)
18 | return 'No Such Report' if @report.nil?
# If the form is submitted without a file, params[:file] is nil and the next
# line raises NoMethodError instead of returning an error page.
# sent_file_data is never used again: the whole upload is read into memory for nothing.
19 | sent_file_data = params[:file][:tempfile].read
# read_rels (host helper, not in this file) presumably returns one zip entry's
# bytes. Nokogiri::XML is called with its default parse options, which do not
# substitute external entities — keep it that way, the workbook is untrusted.
20 | shared_strings_noko = Nokogiri::XML(read_rels(params[:file][:tempfile], 'xl/sharedStrings.xml'))
21 | excel_worksheets = find_excel_worksheets(params[:file][:tempfile])
22 | excel_worksheets.each do |worksheet_path_in_zip|
23 | worksheet_xml = read_rels(params[:file][:tempfile], worksheet_path_in_zip)
24 | sheet_noko = Nokogiri::XML(worksheet_xml)
25 | # for every cell that has a shared string... ( contains the id of the shared string in excel)
26 | debug = [] # filled below but never read
# every <c> element with a <v> child, i.e. every non-empty cell
27 | sheet_noko.xpath('//xmlns:worksheet/xmlns:sheetData/xmlns:row/xmlns:c[xmlns:v]').each do |c|
28 | #if it's a shared string cell (t="s": <v> is an index into sharedStrings.xml)
29 | if c['t'] == 's'
30 | # We get the shared string value of the current
31 | cell_value = get_shared_string_value(c, shared_strings_noko)
32 | #if it's not a ss cell
33 | else
34 | cell_value = c.at_xpath('./xmlns:v').content
35 | end
36 | # code part for udos. udos are between æ
# markers are compared as raw bytes because get_shared_string_value returns
# ASCII-8BIT strings; the else branch above yields a UTF-8 string, which only
# works here because such cells are normally plain numbers
37 | if cell_value.include?('æ'.force_encoding('ASCII-8BIT'))
38 | #we look into the next row for the udo values
39 | udo_type = cell_value.tr('æ'.force_encoding('ASCII-8BIT'),'')
40 | next_row = c.at_xpath('./following::xmlns:row')
41 | udo_properties = {}
42 | next unless next_row
# Unlike the t == 's' check above, every cell of the next row is treated as a
# shared string: a numeric cell has its number used as a shared-string index
# (wrong text, or NoMethodError on a nil lookup).
43 | next_row.xpath('./xmlns:c[xmlns:v]').each do |c_from_next_row|
44 | cell_value_from_next_row = get_shared_string_value(c_from_next_row, shared_strings_noko)
45 | # string between π is the property name. Value in the cell to the right is the property value
46 | if cell_value_from_next_row.include?('π'.force_encoding('ASCII-8BIT'))
47 | udo_property_name = cell_value_from_next_row.tr('π'.force_encoding('ASCII-8BIT'),'')
48 | c_from_next_row_index = c_from_next_row['r']
# split the cell reference (e.g. "B7") into column letters and row number
49 | letter_part = c_from_next_row_index.tr('0-9', '')
50 | number_part = c_from_next_row_index.tr('A-Z', '')
# String#next! advances the column ("B" -> "C", "Z" -> "AA") to address the cell to the right
51 | c_containing_property_value = sheet_noko.at_xpath("//xmlns:worksheet/xmlns:sheetData/xmlns:row/xmlns:c[@r=\"#{letter_part.next!}#{number_part}\"]")
52 | if c_containing_property_value && c_containing_property_value.at_xpath('./xmlns:v')
53 | #if it's a shared string
54 | if c_containing_property_value['t'] == 's'
55 | next_cell_shared_string_value = get_shared_string_value(c_containing_property_value, shared_strings_noko)
56 | #if it's not a shared string cell
57 | else
58 | next_cell_shared_string_value = c_containing_property_value.at_xpath('./xmlns:v').content
59 | end
60 | udo_property_value = next_cell_shared_string_value
61 | else
62 | udo_property_value = '' # missing or empty cell
63 | end
# multi-line values: escape each paragraph separately. This branch does not
# force UTF-8 before CGI.escapeHTML the way the elsif branch does, so the two
# branches treat non-ASCII input differently.
64 | if udo_property_value =~ /\r\n/
65 | paragraphed_udo_property_value = ''
66 | brs = udo_property_value.split("\r\n")
67 | brs.each do |br|
68 | paragraphed_udo_property_value << ''
69 | paragraphed_udo_property_value << CGI.escapeHTML(br)
70 | paragraphed_udo_property_value << ''
71 | end
72 | udo_property_value = paragraphed_udo_property_value
73 | elsif udo_property_value != ''
74 | udo_property_value = "#{CGI.escapeHTML(udo_property_value.force_encoding('UTF-8'))}"
75 | end
76 | #what an encoding mess
# the key (property name) is stored unescaped
77 | udo_properties[udo_property_name] = "#{udo_property_value.force_encoding('UTF-8')}"
78 | end
79 | end
80 | debug << udo_properties
81 | udo_template_id = false
# Reuse an existing template when its type and its set of property names match
# exactly (values are ignored); otherwise a new template is created below.
82 | UserDefinedObjectTemplates.all().each do |udo_template|
83 | #we get the properties of the template. If they match with the udo we're trying to build, the template already exists
84 | if udo_type == udo_template.type
85 | if JSON.parse(udo_template.udo_properties).keys.sort == udo_properties.keys.sort
86 | udo_template_id = udo_template.id
87 | end
88 | end
89 | end
90 | #if we didn't find any matching udo template, we create a new one
91 | #return udo_properties.inspect
92 | if not udo_template_id
93 | new_udo_template = UserDefinedObjectTemplates.new
94 | new_udo_template.type = udo_type
95 | #creating the template with properties from excel emptied
96 | new_udo_template.udo_properties = udo_properties.map { |k, str| [k, ""] }.to_h.to_json
97 | if new_udo_template.save
98 | #save successfull
99 | udo_template_id = new_udo_template.id
100 | else
# validation messages are returned verbatim as the response body; if any of
# them echoes the submitted value, that value reaches the browser unescaped —
# verify against the model's validations
101 | return "

The following error(s) were found while trying to create udo template :

#{new_udo_template.errors.full_messages.flatten.join(', ')}

"
102 | end
103 | end
104 | #now, if udo doesn't exist yet, we create the udo and link it to the created/found udo template
# "already exists" = same type, same report, identical property hash (names and values)
105 | udo_already_exist = false
106 | UserDefinedObjects.all(type: udo_type, report_id: @report.id).each do |already_existing_udo|
107 | if JSON.parse(already_existing_udo.udo_properties) == udo_properties
108 | udo_already_exist = true
109 | next
110 | end
111 | end
112 | if not udo_already_exist
113 | new_udo = UserDefinedObjects.new
114 | new_udo.type = udo_type
115 | new_udo.udo_properties = udo_properties.to_json
116 | new_udo.template_id = udo_template_id
117 | new_udo.report_id = @report.id
118 | if new_udo.save
119 | #save successfull
120 | else
# same remark as above: messages go back unescaped (and the text says
# "udo template" although it is the UDO that failed to save)
121 | return "

The following error(s) were found while trying to create udo template :

#{new_udo.errors.full_messages.flatten.join(', ')}

"
122 | end
123 | end
124 | #### UDV PART
# a '§'-marked cell names a UDV; the cell to its right is the value, which is
# stored without HTML escaping (unlike UDO property values)
125 | elsif cell_value.include?('§'.force_encoding('ASCII-8BIT'))
126 | udv_name = cell_value.tr('§'.force_encoding('ASCII-8BIT'),'')
127 | c_index = c['r']
128 | letter_part = c_index.tr('0-9', '')
129 | number_part = c_index.tr('A-Z', '')
130 | c_containing_udv_value = sheet_noko.at_xpath("//xmlns:worksheet/xmlns:sheetData/xmlns:row/xmlns:c[@r=\"#{letter_part.next!}#{number_part}\"]")
131 | if c_containing_udv_value && c_containing_udv_value.at_xpath('./xmlns:v')
132 | #if it's a shared string
133 | if c_containing_udv_value['t'] == 's'
134 | next_cell_shared_string_value = get_shared_string_value(c_containing_udv_value, shared_strings_noko)
135 | #if it's not a shared string cell
136 | else
137 | next_cell_shared_string_value = c_containing_udv_value.at_xpath('./xmlns:v').content
138 | end
139 | udv_value = next_cell_shared_string_value
140 | else
141 | udv_value = ''
142 | end
# merge into the report's existing UDV hash (kept as a JSON string); an existing
# UDV of the same name is overwritten, and the report is saved once per UDV cell
143 | if not @report.user_defined_variables.nil?
144 | udvs_from_report = JSON.parse(@report.user_defined_variables)
145 | else
146 | udvs_from_report = {}
147 | end
148 | udvs_from_report[udv_name] = udv_value
149 | if @report.update(user_defined_variables: udvs_from_report.to_json)
150 | #save successfull
151 | else
152 | return "

The following error(s) were found while trying to update report :

#{@report.errors.full_messages.flatten.join(', ')}

"
153 | end
154 | end
155 | end
156 | end
157 | haml :'../plugins/ExcelToVariables/views/excel_to_variables'
158 | end
159 | 
160 | # returns the shared string value of a sheet cell
#   sheet_cell          - a <c> element whose <v> holds a 0-based index into sharedStrings.xml
#   shared_strings_noko - the parsed xl/sharedStrings.xml document
# Returns the matching <t> text as an ASCII-8BIT string (hence the byte-wise
# marker comparisons in the handler above). The index goes through to_i, so it
# cannot alter the XPath; but an out-of-range index makes at_xpath return nil
# and `.content` then raises NoMethodError, so an odd or crafted workbook ends
# in an unhandled exception rather than an error message.
161 | def get_shared_string_value(sheet_cell, shared_strings_noko)
162 | # ...We take the id of the shared string contained by the cell
163 | shared_string_id = sheet_cell.at_xpath('xmlns:v').content
164 | # ...we look in the shared strings file the corresponding value
# XPath positions are 1-based, hence the + 1
165 | shared_string_value = shared_strings_noko.at_xpath("/xmlns:sst/xmlns:si[#{shared_string_id.to_i + 1}]/xmlns:t").content.to_s.force_encoding('ASCII-8BIT')
166 | end
167 | 
# Lists the worksheet entries of an .xlsx by probing xl/worksheets/sheet1.xml,
# sheet2.xml, ... until the first missing one. workbook.xml is not consulted,
# so sheets that are not consecutively numbered from 1 are skipped.
#   excel - the uploaded file (opened here as a zip archive; only entry names
#           are probed, the contents are read later by read_rels)
# Returns the array of entry paths found.
168 | def find_excel_worksheets(excel)
169 | worksheets = []
170 | Zip::File.open(excel) do |zip|
171 | i = 1
172 | until zip.find_entry("xl/worksheets/sheet#{i}.xml").nil?
173 | worksheets.push("xl/worksheets/sheet#{i}.xml")
174 | i += 1
175 | end
176 | end
177 | worksheets
178 | end
179 | -------------------------------------------------------------------------------- /ExcelToVariables/views/excel_to_variables.haml: -------------------------------------------------------------------------------- 1 | .span10 2 | %form{:method => 'post', :action => "", :enctype=>"multipart/form-data"} 3 | %br 4 | %h2 Add UDVs and UDOs from Excel file 5 | %br 6 | %table 7 | %tr 8 | %tr 9 | %td 10 | Upload Excel containing UDVs and UDOs 11 | %br 12 | %br 13 | %input{:type => 'file', :name => 'file'} 14 | %tr 15 | %td 16 | %br 17 | %br 18 | %br 19 | %input{:type => 'submit', :value => 'Upload' } 20 | -------------------------------------------------------------------------------- /ExtraFindings/README.md: -------------------------------------------------------------------------------- 1 | # Overview 2 | 3 | This project includes findings from other projects to help you grow your findings database. 
Currently it supports: 4 | 5 | - VulnDB 6 | 7 | 8 | -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/.gitignore: -------------------------------------------------------------------------------- 1 | *.py[cod] 2 | *.py~ 3 | *~ 4 | *.swp 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Packages 10 | *.egg 11 | *.egg-info 12 | dist 13 | build 14 | eggs 15 | parts 16 | bin 17 | var 18 | sdist 19 | develop-eggs 20 | .installed.cfg 21 | lib 22 | lib64 23 | 24 | # Installer logs 25 | pip-log.txt 26 | 27 | # Unit test / coverage reports 28 | .coverage 29 | .tox 30 | nosetests.xml 31 | .noseids 32 | noseids.pickle 33 | nose.cfg 34 | 35 | # Translations 36 | *.mo 37 | 38 | # Mr Developer 39 | .mr.developer.cfg 40 | .project 41 | .pydevproject 42 | .settings/ 43 | .idea 44 | 45 | # w3af stuff 46 | parser.out 47 | parsetab.py 48 | output-http.txt 49 | output.txt 50 | 51 | # This is generated by the setup_moth.py script 52 | django-moth 53 | 54 | # Debugging circleci high memory usage 55 | memory-usage.txt 56 | 57 | # Ignore sphinx builds 58 | doc/sphinx/_build/ 59 | 60 | # 404 test stuff 61 | data.shelve 62 | top-1m.csv 63 | top-1m.csv.zip 64 | 65 | # docker build temp files 66 | /.dockerignore 67 | /Dockerfile 68 | 69 | # To make testing easier 70 | test.w3af 71 | output-w3af.txt 72 | 73 | # Ignore some profiling data 74 | *.dump 75 | 76 | # Ignore intermediate XML file 77 | w3af/plugins/crawl/phishtank/index.xml 78 | 79 | # For debian package build 80 | .pc/ 81 | debian/files 82 | debian/w3af-console.debhelper.log 83 | debian/w3af-console.postinst.debhelper 84 | debian/w3af-console.prerm.debhelper 85 | debian/w3af-console.substvars 86 | debian/w3af-console/ 87 | debian/w3af.debhelper.log 88 | debian/w3af.postinst.debhelper 89 | debian/w3af.postrm.debhelper 90 | debian/w3af.prerm.debhelper 91 | debian/w3af.substvars 92 | debian/w3af/ 93 | docker/kali-debootstrap 94 | *.deb 95 | 
-------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/LICENSE.md: -------------------------------------------------------------------------------- 1 | Redistribution and use in source and binary forms, with or without 2 | modification, are permitted provided that the following conditions are 3 | met: 4 | 5 | (1) Redistributions of source code must retain the above copyright 6 | notice, this list of conditions and the following disclaimer. 7 | 8 | (2) Redistributions in binary form must reproduce the above copyright 9 | notice, this list of conditions and the following disclaimer in 10 | the documentation and/or other materials provided with the 11 | distribution. 12 | 13 | (3)The name of the author may not be used to 14 | endorse or promote products derived from this software without 15 | specific prior written permission. 16 | 17 | THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 18 | IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 19 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, 21 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 22 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 23 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 | HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 25 | STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 26 | IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 | POSSIBILITY OF SUCH DAMAGE. 28 | -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/README.md: -------------------------------------------------------------------------------- 1 | User, contributor and developer-friendly vulnerability database. 
Our goal is to 2 | provide a vulnerability database which is: 3 | 4 | * Actionable, easy to read and understand for developers and sysadmins who need 5 | to fix the vulnerability 6 | 7 | * Easy to integrate by developers into any vulnerability scanner, report 8 | generator, penetration testing tool or related tool. 9 | 10 | * Trivial to contribute to, by using JSON to store the vulnerabilities 11 | 12 | ## SDKs 13 | This repository holds the vulnerability database itself, in order to make the 14 | information easily accessible from different programming languages these SDKs 15 | are available: 16 | 17 | * [python-sdk](https://github.com/vulndb/python-sdk) 18 | * [vulndb-go](https://github.com/vulndb/vulndb-go) 19 | * [php-sdk](https://github.com/vulndb/php-sdk) 20 | 21 | ## Projects using this database 22 | * [w3af](http://www.w3af.org/) 23 | 24 | ## Contributing 25 | We would love to receive your [pull-requests](https://help.github.com/articles/using-pull-requests/)! 26 | The easiest way to contribute is: 27 | * Browse our repository and find the JSON file you would like to edit 28 | * Click on the top-right icon in the github UI that will open the online text editor 29 | * Change the file 30 | * Save/commit 31 | 32 | ## Credits 33 | * JSON format specification by [Andres Riancho](https://github.com/andresriancho/), [Tasos Laskos](https://github.com/Zapotek) and [Vyacheslav Bakhmutov](https://github.com/m0sth8) 34 | * Initial data provided by the [Arachni scanner](http://www.arachni-scanner.com/) project 35 | 36 | ## History 37 | The project founders maintain one or more vulnerability scanners, each of those 38 | tools had a different vulnerability database with different fields, formats, 39 | texts and quality. To reduce our documentation efforts we decided to commoditize 40 | the vulnerability database and created this repository. 
41 | 42 | At the beginning we tried to use the CWE data, but we found several problems with 43 | it: 44 | 45 | * The target audience for our vulnerability information is too busy to read the 46 | [long](https://cwe.mitre.org/data/definitions/89.html) descriptions and hundreds 47 | of fields provided by CWE. We want to provide enough information for the users 48 | to know what's wrong and point them to information with more detailed info if 49 | that's what they need. 50 | 51 | * The XML format storing the CWE data is simply too complex for our needs. 52 | 53 | * Mitre never answered our questions on derivated work 54 | 55 | We might still use some paragraphs from the CWE data in our database, but manually 56 | migrated and reviewed for clarity. 57 | 58 | It all started with these two github issues ([1](https://github.com/andresriancho/w3af/issues/53), 59 | [2](https://github.com/vulndb/data/issues/5)) and various emails between Slava, 60 | Andres and Tasos. 61 | 62 | The initial database information was contributed by the [Arachni scanner](http://www.arachni-scanner.com/) 63 | imported in [this commit](https://github.com/vulndb/data/commit/e27222af21b0569525718f591eaa2c517d4c1da2). 64 | 65 | ## Build status 66 | [![Circle CI](https://circleci.com/gh/vulndb/data.svg?style=svg)](https://circleci.com/gh/vulndb/data) 67 | -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/circle.yml: -------------------------------------------------------------------------------- 1 | # 2 | # This file is used to configure the continuous integration for vulndb/data 3 | # 4 | # As a user you don't need to understand this file. 
5 | # 6 | machine: 7 | python: 8 | version: 2.7.9 9 | 10 | dependencies: 11 | post: 12 | - pip install --upgrade pip 13 | - pip install --upgrade -r tests/requirements.txt 14 | - pip --version 15 | - pip freeze 16 | -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/1-allowed-http-methods.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 1, 3 | "title": "Allowed HTTP methods", 4 | "severity": "informational", 5 | "description": [ 6 | "There are a number of HTTP methods that can be used on a webserver", 7 | "(`OPTIONS`, `HEAD`, `GET`, `POST`, `PUT`, `DELETE` etc.). Each of", 8 | "these methods perform a different function and each have an associated", 9 | "level of risk when their use is permitted on the webserver.\n\nA client", 10 | "can use the `OPTIONS` method within a request to query a server to", 11 | "determine which methods are allowed.\n\nCyber-criminals will almost", 12 | "always perform this simple test as it will give a very quick", 13 | "indication of any high-risk methods being permitted by the server.", 14 | "The tool discovered that several methods are supported by the server." 15 | ], 16 | "fix": { 17 | "effort": 50, 18 | "guidance": [ 19 | "It is recommended that a whitelisting approach be taken to explicitly", 20 | "permit the HTTP methods required by the application and block all", 21 | "others.\n\nTypically the only HTTP methods required for most", 22 | "applications are `GET` and `POST`. All other methods perform actions", 23 | "that are rarely required or perform actions that are inherently risky.", 24 | "These risky methods (such as `PUT`, `DELETE`, etc) should be protected", 25 | "by strict limitations, such as ensuring that the channel is secure", 26 | "(SSL/TLS enabled) and only authorised and trusted clients are", 27 | "permitted to use them." 
28 | ] 29 | }, 30 | "cwe": ["749"], 31 | "tags": [ 32 | "web", 33 | "http", 34 | "methods", 35 | "options" 36 | ], 37 | "references": [ 38 | { 39 | "url": "http://httpd.apache.org/docs/2.2/mod/core.html#limitexcept", 40 | "title": "Apache.org" 41 | } 42 | ] 43 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/10-common-sensitive-file.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 10, 3 | "title": "Common sensitive file", 4 | "severity": "low", 5 | "description": [ 6 | "Web applications are often made up of multiple files and directories.", 7 | "It is possible that over time some files may become unreferenced", 8 | "(unused) by the web application and forgotten about by the", 9 | "administrator/developer. Because web applications are built using", 10 | "common frameworks, they contain common files that can be discovered", 11 | "(independent of server).\n\nDuring the initial recon stages of an", 12 | "attack, cyber-criminals will attempt to locate unreferenced files in", 13 | "the hope that the file will assist in further compromise of the web", 14 | "application. To achieve this they will make thousands of requests", 15 | "using word lists containing common filenames. The response headers", 16 | "from the server will then indicate if the file exists.\n\nThe tool also", 17 | "contains a list of common file names which it will attempt to access." 
18 | ], 19 | "fix": { 20 | "effort": 50, 21 | "guidance": [ 22 | "If files are unreferenced then they should be removed from the web", 23 | "root and/or the application directory.\n\nPreventing access without", 24 | "authentication may also be an option and can stop a client from being", 25 | "able to view the contents of a file, however it is still likely that", 26 | "the directory structure will be able to be discovered.\n\nUsing obscure", 27 | "file names is implementing security through obscurity and is not a", 28 | "recommended option." 29 | ] 30 | }, 31 | "tags": [ 32 | "web", 33 | "common", 34 | "path", 35 | "file", 36 | "discovery" 37 | ], 38 | "references": [ 39 | { 40 | "url": "http://httpd.apache.org/docs/2.0/mod/mod_access.html", 41 | "title": "Apache.org" 42 | } 43 | ] 44 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/11-cookie-set-for-parent-domain.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 11, 3 | "title": "Cookie set for parent domain", 4 | "severity": "informational", 5 | "description": [ 6 | "HTTP by itself is a stateless protocol. Therefore the server is unable", 7 | "to determine which requests are performed by which client, and which", 8 | "clients are authenticated or unauthenticated.\n\nThe use of HTTP cookies", 9 | "within the headers, allows a web server to identify each individual", 10 | "client and can therefore determine which clients hold valid", 11 | "authentication, from those that do not. These are known as session", 12 | "cookies.\n\nWhen a cookie is set by the server (sent the header of an", 13 | "HTTP response) there are several flags that can be set to configure", 14 | "the properties of the cookie and how it is to be handled by the", 15 | "browser.\n\nOne of these flags represents the host, or domain. 
for which", 16 | "the cookie can be used.\n\nWhen the cookie is set for the parent domain,", 17 | "rather than the host, this could indicate that the same cookie could", 18 | "be used to access other hosts within that domain. While there are many", 19 | "legitimate reasons for this, it could also be misconfiguration", 20 | "expanding the possible surface of attacks." 21 | ], 22 | "fix": { 23 | "effort": 50, 24 | "guidance": [ 25 | "The first step to remediation is to identify the context in which the", 26 | "cookie is being set and determine if it is required by the whole", 27 | "domain, or just the specific host being tested.\n\nIf it is only", 28 | "required by the host, then the domain flag should be set as such.", 29 | "Depending on the framework being used, the configuration of this flag", 30 | "will be modified in different ways." 31 | ] 32 | }, 33 | "references": [ 34 | { 35 | "url": "https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OTG-SESS-002)", 36 | "title": "OWASP" 37 | } 38 | ] 39 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/12-credit-card-number-disclosure.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 12, 3 | "title": "Credit card number disclosure", 4 | "severity": "medium", 5 | "description": [ 6 | "Credit card numbers are used in applications where a user is able to", 7 | "purchase goods and/or services.\n\nA credit card number is a sensitive", 8 | "piece of information and should be handled as such. Cyber-criminals", 9 | "will use various methods to attempt to compromise credit card", 10 | "information that can then be used for fraudulent purposes.\n\nThrough", 11 | "the use of regular expressions and CC number format validation,", 12 | "It was possible to discover a credit card number located within the", 13 | "affected page." 
14 | ], 15 | "fix": { 16 | "effort": 50, 17 | "guidance": [ 18 | "Initially, the credit card number within the response should be", 19 | "checked to ensure its validity, as it is possible that the regular", 20 | "expression has matched on a similar number with no relation to a real", 21 | "credit card.\n\nIf the response does contain a valid credit card number,", 22 | "then all efforts should be taken to remove or further protect this", 23 | "information. This can be achieved by removing the credit card number", 24 | "altogether, or by masking the number so that only the last few digits", 25 | "are present within the response. (eg. _**********123_).\n\nAdditionally,", 26 | "credit card numbers should not be stored by the application, unless", 27 | "the organisation also complies with other security controls as", 28 | "outlined in the Payment Card Industry Data Security Standard (PCI-", 29 | "DSS)." 30 | ] 31 | }, 32 | "cwe": ["200"], 33 | "references": [ 34 | { 35 | "url": "http://en.wikipedia.org/wiki/Luhn_algorithm", 36 | "title": "Wikipedia - Luhn algorithm" 37 | }, 38 | { 39 | "url": "http://en.wikipedia.org/wiki/Bank_card_number", 40 | "title": "Wikipedia - Bank card number" 41 | } 42 | ] 43 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/13-cross-site-request-forgery.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 13, 3 | "title": "Cross-Site Request Forgery", 4 | "severity": "high", 5 | "description": [ 6 | "In the majority of today's web applications, clients are required to", 7 | "submit forms which can perform sensitive operations.\n\nAn example of", 8 | "such a form being used would be when an administrator wishes to create", 9 | "a new user for the application.\n\nIn the simplest version of the form,", 10 | "the administrator would fill-in:\n\n* Name * Password * Role (level of", 11 | "access)\n\nContinuing with this example, Cross 
Site Request Forgery", 12 | "(CSRF) would occur when the administrator is tricked into clicking on", 13 | "a link, which if logged into the application, would automatically", 14 | "submit the form without any further interaction.\n\nCyber-criminals will", 15 | "look for sites where sensitive functions are performed in this manner", 16 | "and then craft malicious requests that will be used against clients", 17 | "via a social engineering attack.\n\nThere are 3 things that are required", 18 | "for a CSRF attack to occur:\n\n1. The form must perform some sort of", 19 | "sensitive action. 2. The victim (the administrator in the example above)", 20 | "must have an active session. 3. Most importantly, all parameter values", 21 | "must be **known** or **guessable**.\n\nThe tool discovered that all", 22 | "parameters within the form were known or predictable and therefore the", 23 | "form could be vulnerable to CSRF.\n\n_Manual verification may be", 24 | "required to check whether the submission will then perform a sensitive", 25 | "action, such as reset a password, modify user profiles, post content", 26 | "on a forum, etc._" 27 | ], 28 | "fix": { 29 | "effort": 50, 30 | "guidance": [ 31 | "Based on the risk (determined by manual verification) of whether the", 32 | "form submission performs a sensitive action, the addition of anti-CSRF", 33 | "tokens may be required.\n\nThese tokens can be configured in such a way", 34 | "that each session generates a new anti-CSRF token or such that each", 35 | "individual request requires a new token.\n\nIt is important that the", 36 | "server track and maintain the status of each token (in order to reject", 37 | "requests accompanied by invalid ones) and therefore prevent", 38 | "cyber-criminals from knowing, guessing or reusing them.\n\n_For examples", 39 | "of framework specific remediation options, please refer to the", 40 | "references._" 41 | ] 42 | }, 43 | "cwe": ["352"], 44 | "owasp_top_10": {"2013": [8]}, 45 | "tags": [ 46 | 
"web", 47 | "csrf", 48 | "form", 49 | "token" 50 | ], 51 | "references": [ 52 | { 53 | "url": "http://www.cgisecurity.com/csrf-faq.html", 54 | "title": "CGI Security - CSRF" 55 | }, 56 | { 57 | "url": "http://en.wikipedia.org/wiki/Cross-site_request_forgery", 58 | "title": "Wikipedia - CSRF" 59 | }, 60 | { 61 | "url": "https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)", 62 | "title": "OWASP - CSRF" 63 | } 64 | ] 65 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/14-cvs-svn-user-disclosure.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 14, 3 | "title": "CVS/SVN user disclosure", 4 | "severity": "low", 5 | "description": [ 6 | "Concurrent Version System (CVS) and Subversion (SVN) provide a method", 7 | "for application developers to control different versions of their", 8 | "code.\n\nOccasionally, the developer's version or user information can", 9 | "be stored incorrectly within the code and may be visible to the end", 10 | "user (either in the HTML or code comments). As one of the initial", 11 | "steps in information gathering, cyber-criminals will spider a website", 12 | "and using automated methods attempt to discover any CVS/SVN", 13 | "information that may be present in the page.\n\nThis will aid them in", 14 | "developing a better understanding of the deployed application", 15 | "(potentially through the disclosure of version information), or it may", 16 | "assist in further information gathering or social engineering attacks.", 17 | "Using the same automated methods, the tool was able to detect CVS or", 18 | "SVN details stored within the affected page." 
19 | ], 20 | "cwe": ["200", "527"], 21 | "fix": { 22 | "effort": 50, 23 | "guidance": [ 24 | "CVS and/or SVN information should not be displayed to the end user.", 25 | "This can be achieved by removing this information altogether prior", 26 | "to deployment, or by putting this information into a server-side (PHP,", 27 | "ASP, JSP, etc) code comment block, as opposed to an HTML comment." 28 | ] 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/15-directory-listing.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 15, 3 | "title": "Directory listing", 4 | "severity": "low", 5 | "description": [ 6 | "Web servers permitting directory listing are typically used for", 7 | "sharing files.\n\nDirectory listing allows the client to view a simple", 8 | "list of all the files and folders hosted on the web server. The client", 9 | "is then able to traverse each directory and download the files.", 10 | "Cyber-criminals will utilise the presence of directory listing to", 11 | "discover sensitive files, download protected content, or even just", 12 | "learn how the web application is structured.\n\nThe tool discovered that", 13 | "the affected page permits directory listing." 14 | ], 15 | "fix": { 16 | "effort": 50, 17 | "guidance": [ 18 | "Unless the web server is being utilised to share static and", 19 | "non-sensitive files, enabling directory listing is considered a poor", 20 | "security practice and should be disabled.\n\nThis can typically be done with a simple", 21 | "configuration change on the server. The steps to disable the directory", 22 | "listing will differ depending on the type of server being used (IIS,", 23 | "Apache, etc.). If directory listing is required, and permitted, then", 24 | "steps should be taken to ensure that the risk of such a configuration", 25 | "is reduced.\n\nThese can include:\n", 26 | "1. 
Requiring authentication to access affected pages.\n", 27 | "2. Adding the affected path to the `robots.txt` file to prevent the", 28 | "directory contents being searchable via search engines.\n", 29 | "3. Ensuring that sensitive files are not stored within the", 30 | "web or document root.\n", 31 | "4. Removing any files that are not required for the application to", 32 | "function.\n" 33 | ] 34 | }, 35 | "cwe": ["548"], 36 | "owasp_top_10": {"2013": [5]}, 37 | "tags": [ 38 | "web", 39 | "path", 40 | "directory", 41 | "listing", 42 | "index" 43 | ], 44 | "references": [ 45 | { 46 | "url": "http://projects.webappsec.org/w/page/13246922/Directory%20Indexing", 47 | "title": "WASC" 48 | } 49 | ] 50 | } 51 | -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/16-e-mail-address-disclosure.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 16, 3 | "title": "E-mail address disclosure", 4 | "severity": "informational", 5 | "description": [ 6 | "Email addresses are typically found on \"Contact us\" pages, however,", 7 | "they can also be found within scripts or code comments of the", 8 | "application. They are used to provide a legitimate means of contacting", 9 | "an organisation.\n\nAs one of the initial steps in information", 10 | "gathering, cyber-criminals will spider a website and using automated", 11 | "methods collect as many email addresses as possible, that they may", 12 | "then use in a social engineering attack.\n\nUsing the same automated", 13 | "methods, the tool was able to detect one or more email addresses that", 14 | "were stored within the affected page." 15 | ], 16 | "fix": { 17 | "effort": 50, 18 | "guidance": [ 19 | "E-mail addresses should be presented in such a way", 20 | "that it is hard to process them automatically." 
21 | ] 22 | } 23 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/17-file-inclusion.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 17, 3 | "title": "File Inclusion", 4 | "severity": "high", 5 | "description": [ 6 | "Web applications occasionally use parameter values to store the", 7 | "location of a file which will later be required by the server.\n\nAn", 8 | "example of this is often seen in error pages, where the actual file", 9 | "path for the error page is stored in a parameter value -- for example", 10 | "`example.com/error.php?page=404.php`.\n\nA file inclusion occurs when", 11 | "the parameter value (ie. path to file) can be substituted with the", 12 | "path of another resource on the same server, effectively allowing the", 13 | "displaying of arbitrary, and possibly restricted/sensitive, files.", 14 | "The tool discovered that it was possible to substitute a parameter", 15 | "value with another resource and have the server return the contents of", 16 | "the resource to the client within the response." 17 | ], 18 | "fix": { 19 | "effort": 50, 20 | "guidance": [ 21 | "It is recommended that untrusted data is never used to form a file", 22 | "location to be included.\n\nTo validate data, the application should", 23 | "ensure that the supplied value for a file is permitted. This can be", 24 | "achieved by performing whitelisting on the parameter value, by", 25 | "matching it against a list of permitted files. 
If the supplied value", 26 | "does not match any value in the whitelist, then the server should", 27 | "redirect to a standard error page.\n\nIn some scenarios, where dynamic", 28 | "content is being requested, it may not be possible to perform", 29 | "validation against a list of trusted resources, therefore the list", 30 | "must also become dynamic (updated as the files change), or perform", 31 | "filtering to remove extraneous user input (such as semicolons, periods", 32 | "etc.) and only permit `a-z0-9`.\n\nIt is also advised that sensitive", 33 | "files are not stored within the web root and that the user permissions", 34 | "enforced by the directory are correct." 35 | ] 36 | }, 37 | "cwe": ["98"], 38 | "owasp_top_10": {"2013": [1]}, 39 | "tags": [ 40 | "web", 41 | "file", 42 | "inclusion", 43 | "error", 44 | "injection" 45 | ], 46 | "references": [ 47 | { 48 | "url": "https://www.owasp.org/index.php/PHP_File_Inclusion", 49 | "title": "OWASP" 50 | } 51 | ] 52 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/18-form-based-file-upload.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 18, 3 | "title": "Form-based File Upload", 4 | "severity": "informational", 5 | "description": [ 6 | "The design of many web applications require that users be able to", 7 | "upload files that will either be stored or processed by the receiving", 8 | "web server.\n\nThe tool has flagged this not as a vulnerability, but as a", 9 | "prompt for the penetration tester to conduct further manual testing on", 10 | "the file upload function.\n\nAn insecure form-based file upload could", 11 | "allow a cyber-criminal a means to abuse and successfully exploit the", 12 | "server directly, and/or any third party that may later access the", 13 | "file. 
This can occur through uploading a file containing server", 14 | "side-code (such as PHP) that is then executed when requested by the", 15 | "client." 16 | ], 17 | "fix": { 18 | "effort": 50, 19 | "guidance": [ 20 | "The identified form handler should at a minimum:", 21 | "\n\n", 22 | "1. Whitelist permitted file types and block all others. This should be", 23 | "conducted on the MIME type of the file rather than its extension.\n", 24 | "2. As the file is uploaded, and prior to being handled (written to the", 25 | "disk) by the server, the filename should be stripped of all control,", 26 | "special, or Unicode characters.\n", 27 | "3. Ensure that the upload is conducted via the HTTP `POST` method rather", 28 | "than `GET` or `PUT`.\n", 29 | "4. Ensure that the file is written to a directory that does not hold", 30 | "any execute permission and that all files within that directory inherit", 31 | "the same permissions.\n", 32 | "5. Scan (if possible) with an up-to-date virus scanner before being", 33 | "stored.\n", 34 | "6. Ensure that the application handles files as per the host operating", 35 | "system. For example, the length of the file name is appropriate, there", 36 | "is adequate space to store the file, protection against overwriting", 37 | "other files etc." 
38 | ] 39 | }, 40 | "tags": [ 41 | "web", 42 | "file", 43 | "upload" 44 | ], 45 | "references": [ 46 | { 47 | "url": "https://www.owasp.org/index.php/Unrestricted_File_Upload", 48 | "title": "owasp.org" 49 | } 50 | ] 51 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/19-missing-strict-transport-security-header.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 19, 3 | "title": "Missing 'Strict-Transport-Security' header", 4 | "severity": "medium", 5 | "description": [ 6 | "The HTTP protocol by itself is clear text, meaning that any data that", 7 | "is transmitted via HTTP can be captured and the contents viewed. To", 8 | "keep data private and prevent it from being intercepted, HTTP is often", 9 | "tunnelled through either Secure Sockets Layer (SSL) or Transport Layer", 10 | "Security (TLS). When either of these encryption standards are used, it", 11 | "is referred to as HTTPS.\n\nHTTP Strict Transport Security (HSTS) is an", 12 | "optional response header that can be configured on the server to", 13 | "instruct the browser to only communicate via HTTPS. This will be", 14 | "enforced by the browser even if the user requests a HTTP resource on", 15 | "the same server.\n\nCyber-criminals will often attempt to compromise", 16 | "sensitive information passed from the client to the server using HTTP.", 17 | "This can be conducted via various Man-in-The-Middle (MiTM) attacks or", 18 | "through network packet captures.\n\nThe tool discovered that the affected", 19 | "application is using HTTPS however does not use the HSTS header." 
20 | ], 21 | "fix": { 22 | "effort": 50, 23 | "guidance": [ 24 | "Depending on the framework being used the implementation methods will", 25 | "vary, however it is advised that the `Strict-Transport-Security`", 26 | "header be configured on the server.\n\nOne of the options for this", 27 | "header is `max-age`, which is a representation (in seconds)", 28 | "determining the time in which the client's browser will adhere to the", 29 | "header policy.\n\nDepending on the environment and the application this", 30 | "time period could be from as low as minutes to as long as days." 31 | ] 32 | }, 33 | "references": [ 34 | { 35 | "url": "http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security", 36 | "title": "Wikipedia - HSTS" 37 | }, 38 | { 39 | "url": "https://www.owasp.org/index.php/HTTP_Strict_Transport_Security", 40 | "title": "OWASP - HSTS" 41 | } 42 | ] 43 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/2-a-backdoor-file-exists-on-the-server.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 2, 3 | "title": "A backdoor file exists on the server", 4 | "severity": "high", 5 | "description": [ 6 | "If a server has been previously compromised, there is a high", 7 | "probability that the cyber-criminal has installed a backdoor so that", 8 | "they can easily return to the server if required. One method of", 9 | "achieving this is to place a web backdoor or web shell within the web", 10 | "root of the web server. 
This will then enable the cyber-criminal to", 11 | "access the server through a HTTP/S session.\n\nAlthough extremely bad", 12 | "practice, it is possible that the web backdoor or web shell has been", 13 | "placed there by an administrator so they can perform administrative", 14 | "activities remotely.\n\nDuring the initial recon stages of an attack,", 15 | "cyber-criminals will attempt to locate these web backdoors or shells", 16 | "by requesting the names of the most common and well known ones.\n\nBy", 17 | "analysing the response, they are able to determine if a web backdoor", 18 | "or web shell exists. These web backdoors or web shells can then", 19 | "provide an easy path for further compromise of the server.\n\nBy", 20 | "utilising the same methods as the cyber-criminals, the tool was able to", 21 | "discover a possible web backdoor or web shell." 22 | ], 23 | "fix": { 24 | "effort": 50, 25 | "guidance": [ 26 | "If manual confirmation reveals that a web backdoor or web shell does", 27 | "exist on the server, then it should be removed. It is also recommended", 28 | "that an incident response investigation be conducted on the server to", 29 | "establish how the web backdoor or web shell came to end up on the", 30 | "server.\n\nDepending on the environment, investigation into the", 31 | "compromise of any other services or servers should be conducted." 
32 | ] 33 | }, 34 | "cwe": ["489"], 35 | "tags": [ 36 | "web", 37 | "path", 38 | "backdoor", 39 | "file", 40 | "discovery" 41 | ], 42 | "references": [ 43 | { 44 | "url": "https://www.blackhat.com/presentations/bh-usa-07/Wysopal_and_Eng/Presentation/bh-usa-07-wysopal_and_eng.pdf", 45 | "title": "Static Detection of Application Backdoors" 46 | } 47 | ] 48 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/20-misconfiguration-in-limit-directive-of-htaccess-file.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 20, 3 | "title": "Misconfiguration in LIMIT directive of .htaccess file", 4 | "severity": "high", 5 | "description": [ 6 | "There are a number of HTTP methods that can be used on a webserver", 7 | "(for example `OPTIONS`, `HEAD`, `GET`, `POST`, `PUT`, `DELETE` etc.).", 8 | "Each of these methods perform a different function, and each has an", 9 | "associated level of risk when their use is permitted on the webserver.", 10 | "The `<Limit>` directive within Apache's `.htaccess` file allows", 11 | "administrators to define which of the methods they would like to", 12 | "block. However, as this is a blacklisting approach, it is inevitable", 13 | "that a server administrator may accidentally miss adding certain HTTP", 14 | "methods to be blocked, thus increasing the level of risk to the", 15 | "application and/or server." 16 | ], 17 | "fix": { 18 | "effort": 50, 19 | "guidance": [ 20 | "The preferred configuration is to prevent the use of unauthorised HTTP", 21 | "methods by utilising the `<LimitExcept>` directive.\n\nThis directive", 22 | "uses a whitelisting approach to permit HTTP methods while blocking all", 23 | "others not listed in the directive, and will therefore block any method", 24 | "tampering attempts.\n\nMost commonly, the only HTTP methods required for", 25 | "most scenarios are `GET` and `POST`. 
An example of permitting these", 26 | "HTTP methods is: `<LimitExcept GET POST> require valid-user", 27 | "</LimitExcept>`" 28 | ] 29 | }, 30 | "tags": [ 31 | "web", 32 | "htaccess", 33 | "server", 34 | "limit" 35 | ], 36 | "references": [ 37 | { 38 | "url": "http://httpd.apache.org/docs/2.2/mod/core.html#limit", 39 | "title": "Apache.org" 40 | } 41 | ] 42 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/21-html-object.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 21, 3 | "title": "HTML object", 4 | "severity": "informational", 5 | "description": [ 6 | "Most automated tools are not able to analyze the security of client-side", 7 | "technologies such as Flash and Java applets. This informational finding", 8 | "serves as a heads-up to the information security specialist to review", 9 | "the objects in question using a different method." 10 | ], 11 | "fix": { 12 | "effort": 120, 13 | "guidance": [ 14 | "Analyze the objects using manual analysis techniques such as", 15 | "a local proxy, decompilation or reverse engineering." 16 | ] 17 | } 18 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/22-httponly-cookie.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 22, 3 | "title": "HttpOnly cookie", 4 | "severity": "informational", 5 | "description": [ 6 | "HTTP by itself is a stateless protocol. Therefore the server is unable", 7 | "to determine which requests are performed by which client, and which", 8 | "clients are authenticated or unauthenticated.\n\nThe use of HTTP cookies", 9 | "within the headers, allows a web server to identify each individual", 10 | "client and can therefore determine which clients hold valid", 11 | "authentication, from those that do not. 
These are known as session", 12 | "cookies.\n\nWhen a cookie is set by the server (sent in the header of an", 13 | "HTTP response) there are several flags that can be set to configure", 14 | "the properties of the cookie and how it is to be handled by the", 15 | "browser.\n\nThe `HttpOnly` flag assists in the prevention of client-side", 16 | "scripts (such as JavaScript) accessing and using the cookie.", 17 | "This can help prevent XSS attacks targeting the cookies holding the", 18 | "client's session token (setting the `HttpOnly` flag does not prevent,", 19 | "nor safeguard against XSS vulnerabilities themselves)." 20 | ], 21 | "fix": { 22 | "effort": 50, 23 | "guidance": [ 24 | "The initial step to remedy this would be to determine whether any", 25 | "client-side scripts (such as JavaScript) need to access the cookie and", 26 | "if not, set the `HttpOnly` flag.\n\nAdditionally, it should be noted", 27 | "that some older browsers are not compatible with the `HttpOnly` flag,", 28 | "and therefore setting this flag will not protect those clients against", 29 | "this form of attack." 30 | ] 31 | }, 32 | "cwe": ["87"], 33 | "owasp_top_10": {"2013": [2]}, 34 | "references": [ 35 | { 36 | "url": "https://www.owasp.org/index.php/HttpOnly", 37 | "title": "HttpOnly - OWASP" 38 | } 39 | ] 40 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/23-publicly-writable-directory.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 23, 3 | "title": "Publicly writable directory", 4 | "severity": "high", 5 | "description": [ 6 | "There are various methods in which a file (or files) may be uploaded", 7 | "to a webserver. 
One method that can be used is the HTTP `PUT` method.", 8 | "The `PUT` method is mainly used during development of applications and", 9 | "allows developers to upload (or put) files on the server within the", 10 | "web root.\n\nBy nature of the design, the `PUT` method typically does", 11 | "not provide any filtering and therefore allows server-side executable", 12 | "code (PHP, ASP, etc) to be uploaded to the server.\n\nCyber-criminals", 13 | "will search for servers supporting the `PUT` method with the intention", 14 | "of modifying existing pages, or uploading web shells to take control", 15 | "of the server.\n\nThe tool has discovered that the affected path allows", 16 | "clients to use the `PUT` method. During this test, the tool has `PUT` a", 17 | "file on the server within the web root and successfully performed a", 18 | "`GET` request to its location and verified the contents." 19 | ], 20 | "fix": { 21 | "effort": 50, 22 | "guidance": [ 23 | "Where possible the HTTP `PUT` method should be globally disabled. This", 24 | "can typically be done with a simple configuration change on the", 25 | "server. The steps to disable the `PUT` method will differ depending on", 26 | "the type of server being used (IIS, Apache, etc.).\n\nFor cases where", 27 | "the `PUT` method is required to meet application functionality, such", 28 | "as REST style web services, strict limitations should be implemented", 29 | "to ensure that only secure (SSL/TLS enabled) and authorised clients", 30 | "are permitted to use the `PUT` method.\n\nAdditionally, the server's", 31 | "file system permissions should also enforce strict limitations." 
32 | ] 33 | }, 34 | "tags": [ 35 | "web", 36 | "http", 37 | "methods", 38 | "put", 39 | "server" 40 | ], 41 | "references": [ 42 | { 43 | "url": "http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html", 44 | "title": "RFC-2616 document" 45 | } 46 | ] 47 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/24-insecure-client-access-policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 24, 3 | "title": "Insecure client-access policy", 4 | "severity": "low", 5 | "description": [ 6 | "The browser security model normally prevents web content from one", 7 | "domain from accessing data from another domain. This is commonly known", 8 | "as the \"same origin policy\".\n\nURL policy files grant cross-domain", 9 | "permissions for reading data. They permit operations that are not", 10 | "permitted by default. The URL policy file for Silverlight is located,", 11 | "by default, in the root directory of the target server, with the name", 12 | "`ClientAccessPolicy.xml` (for example, at", 13 | "`www.example.com/ClientAccessPolicy.xml`).\n\nWhen a domain is specified", 14 | "in `ClientAccessPolicy.xml`, the site declares that it is willing to", 15 | "allow the operators of any servers in that domain to obtain any", 16 | "document on the server where the policy file resides.\n\nThe", 17 | "`ClientAccessPolicy.xml` file deployed on this website opens the", 18 | "server to all domains (use of a single asterisk \"*\" as a pure wildcard", 19 | "is supported)." 20 | ], 21 | "fix": { 22 | "effort": 50, 23 | "guidance": [ 24 | "Carefully evaluate which sites will be allowed to make cross-domain", 25 | "calls.\n\nConsider network topology and any authentication mechanisms", 26 | "that will be affected by the configuration or implementation of the", 27 | "cross-domain policy." 
28 | ] 29 | }, 30 | "cwe": ["346"], 31 | "references": [ 32 | { 33 | "url": "https://msdn.microsoft.com/en-us/library/cc197955%28v=vs.95%29.aspx", 34 | "title": "MSDN" 35 | }, 36 | { 37 | "url": "https://www.owasp.org/index.php/Test_Cross_Origin_Resource_Sharing_%28OTG-CLIENT-007%29", 38 | "title": "OWASP" 39 | } 40 | ] 41 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/25-insecure-cookie.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 25, 3 | "title": "Insecure cookie", 4 | "severity": "informational", 5 | "description": [ 6 | "HTTP by itself is a stateless protocol. Therefore the server is unable", 7 | "to determine which requests are performed by which client, and which", 8 | "clients are authenticated or unauthenticated.\n\nThe use of HTTP cookies", 9 | "within the headers, allows a web server to identify each individual", 10 | "client and can therefore determine which clients hold valid", 11 | "authentication, from those that do not. These are known as session", 12 | "cookies.\n\nWhen a cookie is set by the server (sent in the header of an", 13 | "HTTP response) there are several flags that can be set to configure", 14 | "the properties of the cookie and how it is to be handled by the", 15 | "browser.\n\nOne of these flags is known as the `secure` flag. When the", 16 | "secure flag is set, the browser will prevent it from being sent over a", 17 | "clear text channel (HTTP) and only allow it to be sent when an", 18 | "encrypted channel is used (HTTPS).\n\nThe tool discovered that a cookie", 19 | "was set by the server without the secure flag being set. Although the", 20 | "initial setting of this cookie was via an HTTPS connection, any HTTP", 21 | "link to the same server will result in the cookie being sent in clear", 22 | "text." 
23 | ], 24 | "fix": { 25 | "effort": 50, 26 | "guidance": [ 27 | "The initial steps to remedy this should be determined on whether the", 28 | "cookie is sensitive in nature. If the cookie does not contain any", 29 | "sensitive information then the risk of this vulnerability is reduced;", 30 | "however, if the cookie does contain sensitive information, then the", 31 | "server should ensure that the cookie has its `secure` flag set." 32 | ] 33 | }, 34 | "cwe": ["614"], 35 | "owasp_top_10": {"2013": [2]}, 36 | "references": [ 37 | { 38 | "url": "https://www.owasp.org/index.php/SecureFlag", 39 | "title": "SecureFlag - OWASP" 40 | } 41 | ] 42 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/26-access-control-allow-origin-star.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 26, 3 | "title": "Access-Control-Allow-Origin header set to '*'", 4 | "severity": "medium", 5 | "description": [ 6 | "Cross-Origin Resource Sharing (CORS) is one of the new HTML5", 7 | "technologies which is widely implemented to create Web2.0 applications.", 8 | "CORS allows the browser to perform HTTP requests to a domain outside", 9 | "the Same-Origin Policy and access the response body. This feature is", 10 | "secured by a new set of HTTP headers, being `Access-Control-Allow-Origin`", 11 | "one of the most important ones.", 12 | "\n\n", 13 | "It was possible to identify an HTTP response which contained the", 14 | "`Access-Control-Allow-Origin` header value set to '*', which allows any", 15 | "third-party domain to perform requests and read the responses.", 16 | "While this configuration is not a vulnerability per-se, it's only", 17 | "recommended for sites which provide information that's public such as", 18 | "weather or stock prices." 
19 | ], 20 | "fix": { 21 | "effort": 50, 22 | "guidance": [ 23 | "All CORS requests include the `Origin` header which indicates", 24 | "the source domain name. Create a server-side list of trusted", 25 | "domains which can consume the CORS resources and when a request is", 26 | "received set the `Access-Control-Allow-Origin` response header", 27 | "to the right value from the list matching the `Origin` request header." 28 | ] 29 | }, 30 | "cwe": ["346"], 31 | "references": [ 32 | { 33 | "url": "https://www.owasp.org/index.php/CORS_OriginHeaderScrutiny", 34 | "title": "CORS security" 35 | }, 36 | { 37 | "url": "http://www.w3.org/TR/cors/", 38 | "title": "CORS W3C Specification" 39 | }, 40 | { 41 | "url": "https://en.wikipedia.org/wiki/Cross-origin_resource_sharing", 42 | "title": "CORS article at Wikipedia" 43 | } 44 | ] 45 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/27-insecure-cross-domain-policy-allow-access-from.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 27, 3 | "title": "Insecure cross-domain policy", 4 | "severity": "low", 5 | "description": [ 6 | "The browser security model normally prevents web content from one", 7 | "domain from accessing data from another domain. This is commonly known", 8 | "as the \"same origin policy\".\n\nURL policy files grant cross-domain", 9 | "permissions for reading data. They permit operations that are not", 10 | "permitted by default. 
The URL policy file for Silverlight is located,", 11 | "by default, in the root directory of the target server, with the name", 12 | "`crossdomain.xml` (for example, at `www.example.com/crossdomain.xml`).", 13 | "When a domain is specified in `crossdomain.xml`, the site declares", 14 | "that it is willing to allow the operators of any servers in that", 15 | "domain to obtain any document on the server where the policy file", 16 | "resides.\n\nThe `crossdomain.xml` file deployed on this website opens", 17 | "the server to all domains (use of a single asterisk \"*\" as a pure", 18 | "wildcard is supported)." 19 | ], 20 | "fix": { 21 | "effort": 50, 22 | "guidance": [ 23 | "Carefully evaluate which sites will be allowed to make cross-domain", 24 | "calls.\n\nConsider network topology and any authentication mechanisms", 25 | "that will be affected by the configuration or implementation of the", 26 | "cross-domain policy." 27 | ] 28 | }, 29 | "cwe": ["346"], 30 | "references": [ 31 | { 32 | "url": "http://blogs.adobe.com/stateofsecurity/2007/07/crossdomain_policy_files_1.html", 33 | "title": "Adobe" 34 | }, 35 | { 36 | "url": "https://www.owasp.org/index.php/Test_Cross_Origin_Resource_Sharing_%28OTG-CLIENT-007%29", 37 | "title": "OWASP" 38 | } 39 | ] 40 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/29-interesting-response.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 29, 3 | "title": "Interesting response", 4 | "severity": "informational", 5 | "description": [ 6 | "The server responded with a strange HTTP status code. This is a non-issue", 7 | "however exotic HTTP response status codes can provide useful insights", 8 | "into the behavior of the web application and assist with the information", 9 | "security analysis." 
10 | ], 11 | "fix": { 12 | "effort": 60, 13 | "guidance": "Manually inspect the HTTP response status code and body" 14 | }, 15 | "tags": [ 16 | "web", 17 | "interesting", 18 | "response", 19 | "server" 20 | ], 21 | "references": [ 22 | { 23 | "url": "http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html", 24 | "title": "RFC-2616" 25 | } 26 | ] 27 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/3-backup-directory.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 3, 3 | "title": "Backup directory", 4 | "severity": "medium", 5 | "description": [ 6 | "A common practice when administering web applications is to create a", 7 | "copy/backup of a particular directory prior to making any", 8 | "modification. Another common practice is to add an extension or change", 9 | "the name of the original directory to signify that it is a backup", 10 | "(examples include `.bak`, `.orig`, `.backup`, etc.).\n\nDuring the", 11 | "initial recon stages of an attack, cyber-criminals will attempt to", 12 | "locate backup directories by adding common extensions onto directories", 13 | "already discovered on the webserver. By analysing the response headers", 14 | "from the server they are able to determine if a backup directory", 15 | "exists. These backup directories can then assist in the compromise of", 16 | "the web application.\n\nBy utilising the same method, the tool was able", 17 | "to discover a possible backup directory." 18 | ], 19 | "fix": { 20 | "effort": 50, 21 | "guidance": [ 22 | "Do not keep obsolete versions of directories under the virtual web", 23 | "server root.\n\nWhen updating the site, delete or move the directories", 24 | "to a directory outside the virtual root, edit them there, and move (or", 25 | "copy) the directories back to the virtual root. 
Make sure that only", 26 | "the directories that are actually in use reside under the virtual", 27 | "root.\n\nPreventing access without authentication may also be an option", 28 | "and stop a client being able to view the contents of a directory,", 29 | "however it is still likely that the filenames will be able to be", 30 | "discovered.\n\nUsing obscure filenames is only implementing security", 31 | "through obscurity and is not a recommended option." 32 | ] 33 | }, 34 | "cwe": ["530"], 35 | "owasp_top_10": {"2013": [5]}, 36 | "tags": [ 37 | "web", 38 | "path", 39 | "backup", 40 | "file", 41 | "discovery" 42 | ], 43 | "references": [ 44 | { 45 | "url": "http://www.webappsec.org/projects/threat/classes/information_leakage.shtml", 46 | "title": "WebAppSec" 47 | } 48 | ] 49 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/30-ldap-injection.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 30, 3 | "title": "LDAP Injection", 4 | "severity": "high", 5 | "description": [ 6 | "Lightweight Directory Access Protocol (LDAP) is used by web", 7 | "applications to access and maintain directory information services.", 8 | "One of the most common uses for LDAP is to provide a Single-Sign-On", 9 | "(SSO) service that will allow clients to authenticate with a web site", 10 | "without any interaction (assuming their credentials have been", 11 | "validated by the SSO provider).\n\nLDAP injection occurs when untrusted", 12 | "data is used by the web application to query the LDAP directory", 13 | "without prior sanitisation.\n\nThis is a serious security risk, as it", 14 | "could allow cyber-criminals the ability to query, modify, or remove", 15 | "anything from the LDAP tree. 
It could also allow other advanced", 16 | "injection techniques that perform other more serious attacks.\n\nThe tool", 17 | "was able to detect a page that is vulnerable to LDAP injection based", 18 | "on known error messages." 19 | ], 20 | "fix": { 21 | "effort": 50, 22 | "guidance": [ 23 | "It is recommended that untrusted data is never used to form a LDAP", 24 | "query.\n\nTo validate data, the application should ensure that the", 25 | "supplied value contains only the characters that are required to", 26 | "perform the required action. For example, where a username is", 27 | "required, then no non-alphanumeric characters should be accepted.\n\nIf", 28 | "this is not possible, special characters should be escaped so they are", 29 | "treated accordingly. The following characters should be escaped with a", 30 | "`\\`:\n\n* `&` * `!` * `|` * `=` * `<` * `>` * `,` * `+` * `-` * `\"` *", 31 | "`'` * `;`\n\nAdditional character filtering must be applied to:\n\n* `(` *", 32 | "`)` * `\\` * `/` * `*` * `NULL`\n\nThese characters require ASCII", 33 | "escaping." 34 | ] 35 | }, 36 | "cwe": ["90"], 37 | "owasp_top_10": {"2013": [1]}, 38 | "tags": [ 39 | "web", 40 | "ldap", 41 | "injection" 42 | ], 43 | "references": [ 44 | { 45 | "url": "http://projects.webappsec.org/w/page/13246947/LDAP-Injection", 46 | "title": "WASC" 47 | }, 48 | { 49 | "url": "https://www.owasp.org/index.php/LDAP_injection", 50 | "title": "OWASP" 51 | } 52 | ] 53 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/31-exposed-localstart-asp-page.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 31, 3 | "title": "Exposed localstart.asp page", 4 | "severity": "low", 5 | "description": [ 6 | "To restrict access to specific pages on a webserver, developers can", 7 | "implement various methods of authentication, therefore only allowing", 8 | "access to clients with valid credentials. 
There are several forms of", 9 | "authentication that can be used. The simplest forms of authentication", 10 | "are known as 'Basic' and 'Basic Realm'. These methods of", 11 | "authentication have several known weaknesses such as being susceptible", 12 | "to brute force attacks.\n\nAdditionally, when utilising the NTLM", 13 | "mechanism in a windows environment, several disclosures of information", 14 | "exist, and any brute force attack occurs against the server's local", 15 | "users, or domain users if the web server is a domain member.", 16 | "Cyber-criminals will attempt to locate protected pages to gain access", 17 | "to them and also perform brute force attacks to discover valid", 18 | "credentials.\n\nThe tool discovered the following page requires NTLM", 19 | "based basic authentication in order to be accessed." 20 | ], 21 | "fix": { 22 | "effort": 50, 23 | "guidance": [ 24 | "If the pages being protected are not required for the functionality of", 25 | "the web application they should be removed; otherwise, it is", 26 | "recommended that basic and basic realm authentication are not used to", 27 | "protect pages requiring authentication.\n\nIf NTLM based basic", 28 | "authentication must be used, then default server and domain accounts", 29 | "such as `administrator` and `root` should be disabled, as these will", 30 | "undoubtedly be the first accounts to be targeted in any such attack.", 31 | "Additionally, the webserver should not be joined to any corporate", 32 | "domain where usernames are readily available (such as from email", 33 | "addresses). If the pages are required, and it is possible to remove", 34 | "the basic authentication, then a stronger and more resilient", 35 | "form-based authentication mechanism should be implemented to protect", 36 | "the affected pages." 
37 | ] 38 | }, 39 | "tags": [ 40 | "web", 41 | "asp", 42 | "iis", 43 | "server" 44 | ] 45 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/32-mixed-resource.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 32, 3 | "title": "Mixed Resource", 4 | "severity": "medium", 5 | "description": [ 6 | "The HTTP protocol by itself is clear text, meaning that any data that", 7 | "is transmitted via HTTP can be captured and the contents viewed. To", 8 | "keep data private and prevent it from being intercepted, HTTP is often", 9 | "tunnelled through either a Secure Sockets Layer (SSL), or Transport", 10 | "Layer Security (TLS) connection. When either of these encryption", 11 | "standards are used, it is referred to as HTTPS.\n\nCyber-criminals will", 12 | "often attempt to compromise sensitive information passed from the", 13 | "client to the server using HTTP. This can be conducted via various", 14 | "different Man-in-The-Middle (MiTM) attacks or through network packet", 15 | "captures.\n\nThe tool discovered that the affected site is utilising both", 16 | "HTTP and HTTPS. While the HTML code is served over HTTPS, the server", 17 | "is also serving resources over an unencrypted channel, which can lead", 18 | "to the compromise of data, while providing a false sense of security", 19 | "to the user." 20 | ], 21 | "fix": { 22 | "effort": 50, 23 | "guidance": [ 24 | "All pages and/or resources on the affected site should be secured", 25 | "equally, utilising the latest and most secure encryption protocols.", 26 | "These include SSL version 3.0 and TLS version 1.2.\n\nWhile TLS 1.2 is", 27 | "the latest and the most preferred protocol, not all browsers will", 28 | "support this encryption method. Therefore, the more common SSL is", 29 | "included. Older protocols such as SSL version 2, and weak ciphers (<", 30 | "128 bit) should also be disabled." 
31 | ] 32 | }, 33 | "tags": [ 34 | "web", 35 | "unencrypted", 36 | "resource", 37 | "javascript", 38 | "stylesheet" 39 | ], 40 | "references": [ 41 | { 42 | "url": "http://googleonlinesecurity.blogspot.com/2011/06/trying-to-end-mixed-scripting.html", 43 | "title": "Google Online Security Blog" 44 | } 45 | ] 46 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/33-nosql-injection.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 33, 3 | "title": "NoSQL Injection", 4 | "severity": "high", 5 | "description": [ 6 | "A NoSQL injection occurs when a value originating from the client's", 7 | "request is used within a NoSQL call without prior sanitisation.\n\nThis", 8 | "can allow cyber-criminals to execute arbitrary NoSQL code and thus", 9 | "steal data, or use the additional functionality of the database server", 10 | "to take control of further server components.\n\nThe tool discovered that", 11 | "the affected page and parameter are vulnerable. This injection was", 12 | "detected as the tool was able to discover known error messages within", 13 | "the server's response." 14 | ], 15 | "fix": { 16 | "effort": 50, 17 | "guidance": [ 18 | "The most effective remediation against NoSQL injection attacks is to", 19 | "ensure that NoSQL API calls are not constructed via string", 20 | "concatenation that includes unsanitized data.\n\nSanitization is best", 21 | "achieved using existing escaping libraries." 
22 | ] 23 | }, 24 | "cwe": ["89"], 25 | "owasp_top_10": {"2013": [1]}, 26 | "tags": [ 27 | "web", 28 | "nosql", 29 | "injection", 30 | "database", 31 | "error" 32 | ], 33 | "references": [ 34 | { 35 | "url": "https://www.owasp.org/index.php/Testing_for_NoSQL_injection", 36 | "title": "OWASP" 37 | } 38 | ] 39 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/34-blind-nosql-injection-differential-analysis.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 34, 3 | "title": "Blind NoSQL Injection (differential analysis)", 4 | "severity": "high", 5 | "description": [ 6 | "A NoSQL injection occurs when a value originating from the client's", 7 | "request is used within a NoSQL call without prior sanitisation.\n\nThis", 8 | "can allow cyber-criminals to execute arbitrary NoSQL code and thus", 9 | "steal data, or use the additional functionality of the database server", 10 | "to take control of further server components.\n\nThe tool discovered that", 11 | "the affected page and parameter are vulnerable. This injection was", 12 | "detected as the tool was able to inject specific NoSQL queries that if", 13 | "vulnerable result in the responses for each injection being different.", 14 | "This is known as a blind NoSQL injection vulnerability." 15 | ], 16 | "fix": { 17 | "effort": 50, 18 | "guidance": [ 19 | "The most effective remediation against NoSQL injection attacks is to", 20 | "ensure that NoSQL API calls are not constructed via string", 21 | "concatenation that includes unsanitized data.\n\nSanitization is best", 22 | "achieved using existing escaping libraries." 
23 | ] 24 | }, 25 | "cwe": ["89"], 26 | "tags": [ 27 | "web", 28 | "nosql", 29 | "blind", 30 | "injection", 31 | "database" 32 | ], 33 | "references": [ 34 | { 35 | "url": "https://www.owasp.org/index.php/Testing_for_NoSQL_injection", 36 | "title": "OWASP" 37 | } 38 | ] 39 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/35-access-restriction-bypass-via-origin-spoof.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 35, 3 | "title": "Access restriction bypass via origin spoof", 4 | "severity": "high", 5 | "description": [ 6 | "Origin headers are utilised by proxies and/or load balancers to track", 7 | "the originating IP address of the client.\n\nAs the request progresses", 8 | "through a proxy, the origin header is added to the existing headers,", 9 | "and the value of the client's IP is then set within this header.", 10 | "Occasionally, poorly implemented access restrictions are based on", 11 | "the originating IP address alone.\n\nFor example, any public IP address", 12 | "may be forced to authenticate, while an internal IP address may not.", 13 | "Because this header can also be set by the client, it allows", 14 | "cyber-criminals to spoof their IP address and potentially gain access", 15 | "to restricted pages.\n\nThe tool discovered a resource that it did not", 16 | "have permission to access, but was granted access after spoofing the", 17 | "address of localhost (127.0.0.1), thus bypassing any requirement to", 18 | "authenticate." 19 | ], 20 | "fix": { 21 | "effort": 50, 22 | "guidance": [ 23 | "Remediation actions may be vastly different depending on the framework", 24 | "being used, and how the application has been coded. However, the", 25 | "origin header should never be used to validate a client's access as it", 26 | "is trivial to change." 
27 | ] 28 | }, 29 | "tags": [ 30 | "web", 31 | "access", 32 | "restriction", 33 | "server", 34 | "bypass" 35 | ] 36 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/36-operating-system-command-injection.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 36, 3 | "title": "Operating system command injection", 4 | "severity": "high", 5 | "description": [ 6 | "To perform specific actions from within a web application, it is", 7 | "occasionally required to run Operating System commands and have the", 8 | "output of these commands captured by the web application and returned", 9 | "to the client.\n\nOS command injection occurs when user supplied input", 10 | "is inserted into one of these commands without proper sanitisation and", 11 | "is then executed by the server.\n\nCyber-criminals will abuse this", 12 | "weakness to perform their own arbitrary commands on the server. This", 13 | "can include everything from simple `ping` commands to map the internal", 14 | "network, to obtaining full control of the server.", 15 | "\n\n", 16 | "It was possible to inject and verify the execution of specific Operating", 17 | "System commands which indicates that proper input sanitisation is not", 18 | "occurring." 19 | ], 20 | "fix": { 21 | "effort": 50, 22 | "guidance": [ 23 | "It is recommended that untrusted data is never used to form a command", 24 | "to be executed by the OS.\n\nTo validate data, the application should", 25 | "ensure that the supplied value contains only the characters that are", 26 | "required to perform the required action.\n\nFor example, where the form", 27 | "field expects an IP address, only numbers and periods should be", 28 | "accepted. Additionally, all control operators (`&`, `&&`, `|`, `||`,", 29 | "`$`, `\\`, `#`) should be explicitly denied and never accepted as valid", 30 | "input by the server." 
31 | ] 32 | }, 33 | "cwe": ["78"], 34 | "owasp_top_10": {"2013": [1]}, 35 | "tags": [ 36 | "web", 37 | "os", 38 | "command", 39 | "code", 40 | "injection" 41 | ], 42 | "references": [ 43 | { 44 | "url": "http://projects.webappsec.org/w/page/13246950/OS%20Commanding", 45 | "title": "WASC" 46 | }, 47 | { 48 | "url": "https://www.owasp.org/index.php/OS_Command_Injection", 49 | "title": "OWASP" 50 | } 51 | ] 52 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/38-password-field-with-auto-complete.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 38, 3 | "title": "Password field with auto-complete", 4 | "severity": "low", 5 | "description": [ 6 | "In typical form-based web applications, it is common practice for", 7 | "developers to allow `autocomplete` within the HTML form to improve the", 8 | "usability of the page. With `autocomplete` enabled (default), the", 9 | "browser is allowed to cache previously entered form values.\n\nFor", 10 | "legitimate purposes, this allows the user to quickly re-enter the same", 11 | "data when completing the form multiple times.\n\nWhen `autocomplete` is", 12 | "enabled on either/both the username and password fields, this could", 13 | "allow a cyber-criminal with access to the victim's computer the", 14 | "ability to have the victim's credentials automatically entered as the", 15 | "cyber-criminal visits the affected page.\n\nThe tool has discovered that", 16 | "the affected page contains a form containing a password field that has", 17 | "not disabled `autocomplete`." 18 | ], 19 | "fix": { 20 | "effort": 50, 21 | "guidance": [ 22 | "The `autocomplete` value can be configured in two different locations.", 23 | "The first and most secure location is to disable the `autocomplete`", 24 | "attribute on the `

` HTML tag. This will disable `autocomplete`", 25 | "for all inputs within that form. An example of disabling", 26 | "`autocomplete` within the form tag is ``.\n\nThe", 27 | "second slightly less desirable option is to disable the `autocomplete`", 28 | "attribute for a specific `` HTML tag. While this may be the", 29 | "less desired solution from a security perspective, it may be preferred", 30 | "method for usability reasons, depending on size of the form. An", 31 | "example of disabling the `autocomplete` attribute within a password", 32 | "input tag is ``." 33 | ] 34 | }, 35 | "cwe": ["522"], 36 | "owasp_top_10": {"2013": [2]} 37 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/39-path-traversal.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 39, 3 | "title": "Path Traversal", 4 | "severity": "high", 5 | "description": [ 6 | "Web applications occasionally use parameter values to store the", 7 | "location of a file which will later be required by the server.\n\nAn", 8 | "example of this is often seen in error pages, where the actual file", 9 | "path for the error page is stored in a parameter value -- for example", 10 | "`example.com/error.php?page=404.php`.\n\nA path traversal occurs when", 11 | "the parameter value (ie. path to file being called by the server) can", 12 | "be substituted with the relative path of another resource which is", 13 | "located outside of the applications working directory. The server then", 14 | "loads the resource and includes its contents in the response to the", 15 | "client.\n\nCyber-criminals will abuse this vulnerability to view files", 16 | "that should otherwise not be accessible.\n\nA very common example of", 17 | "this, on *nix servers, is gaining access to the `/etc/passwd` file in", 18 | "order to retrieve a list of server users. 
This attack would look like:", 19 | "`yoursite.com/error.php?page=../../../../etc/passwd`\n\nAs path", 20 | "traversal is based on the relative path, the payload must first", 21 | "traverse to the file system's root directory, hence the string of", 22 | "`../../../../`.\n\nThe tool discovered that it was possible to substitute", 23 | "a parameter value with a relative path to a common operating system", 24 | "file and have the contents of the file included in the response." 25 | ], 26 | "fix": { 27 | "effort": 50, 28 | "guidance": [ 29 | "It is recommended that untrusted data is never used to form a file", 30 | "location to be included.\n\nTo validate data, the application should", 31 | "ensure that the supplied value for a file is permitted. This can be", 32 | "achieved by performing whitelisting on the parameter value, by", 33 | "matching it against a list of permitted files. If the supplied value", 34 | "does not match any value in the whitelist, then the server should", 35 | "redirect to a standard error page.\n\nIn some scenarios, where dynamic", 36 | "content is being requested, it may not be possible to perform", 37 | "validation against a list of trusted resources, therefore the list", 38 | "must also become dynamic (updated as the files change), or perform", 39 | "filtering to remove extraneous user input (such as semicolons, periods", 40 | "etc.) and only permit `a-z0-9`.\n\nIt is also advised that sensitive", 41 | "files are not stored within the web root and that the user permissions", 42 | "enforced by the directory are correct." 
43 | ] 44 | }, 45 | "cwe": ["22"], 46 | "owasp_top_10": {"2013": [4]}, 47 | "tags": [ 48 | "web", 49 | "path", 50 | "traversal", 51 | "injection" 52 | ], 53 | "references": [ 54 | { 55 | "url": "http://projects.webappsec.org/Path-Traversal", 56 | "title": "WASC" 57 | }, 58 | { 59 | "url": "https://www.owasp.org/index.php/Path_Traversal", 60 | "title": "OWASP" 61 | } 62 | ] 63 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/4-backup-file.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 4, 3 | "title": "Backup file", 4 | "severity": "medium", 5 | "description": [ 6 | "A common practice when administering web applications is to create a", 7 | "copy/backup of a particular file or directory prior to making any", 8 | "modification to the file. Another common practice is to add an", 9 | "extension or change the name of the original file to signify that it", 10 | "is a backup (examples include `.bak`, `.orig`, `.backup`, etc.).", 11 | "During the initial recon stages of an attack, cyber-criminals will", 12 | "attempt to locate backup files by adding common extensions onto files", 13 | "already discovered on the webserver. By analysing the response headers", 14 | "from the server they are able to determine if the backup file exists.", 15 | "These backup files can then assist in the compromise of the web", 16 | "application.\n\nBy utilising the same method, the tool was able to", 17 | "discover a possible backup file." 18 | ], 19 | "fix": { 20 | "effort": 50, 21 | "guidance": [ 22 | "Do not keep obsolete versions of files under the virtual web server", 23 | "root.\n\nWhen updating the site, delete or move the files to a directory", 24 | "outside the virtual root, edit them there, and move (or copy) the", 25 | "files back to the virtual root. 
Make sure that only the files that are", 26 | "actually in use reside under the virtual root.\n\nPreventing access", 27 | "without authentication may also be an option and stop a client being", 28 | "able to view the contents of a file, however it is still likely that", 29 | "the filenames will be able to be discovered.\n\nUsing obscure filenames", 30 | "is only implementing security through obscurity and is not a", 31 | "recommended option." 32 | ] 33 | }, 34 | "cwe": ["530"], 35 | "owasp_top_10": {"2013": [5]}, 36 | "tags": [ 37 | "web", 38 | "path", 39 | "backup", 40 | "file", 41 | "discovery" 42 | ], 43 | "references": [ 44 | { 45 | "url": "http://www.webappsec.org/projects/threat/classes/information_leakage.shtml", 46 | "title": "WebAppSec" 47 | } 48 | ] 49 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/40-private-ip-address-disclosure.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 40, 3 | "title": "Private IP address disclosure", 4 | "severity": "low", 5 | "description": [ 6 | "Private, or non-routable, IP addresses are generally used within a", 7 | "home or company network and are typically unknown to anyone outside of", 8 | "that network.\n\nCyber-criminals will attempt to identify the private IP", 9 | "address range being used by their victim, to aid in collecting further", 10 | "information that could then lead to a possible compromise.\n\nThe tool", 11 | "discovered that the affected page returned a RFC 1918 compliant", 12 | "private IP address and therefore could be revealing sensitive", 13 | "information.\n\n_This finding typically requires manual verification to", 14 | "ensure the context is correct, as any private IP address within the", 15 | "HTML body will trigger it." 
16 | ], 17 | "fix": { 18 | "effort": 50, 19 | "guidance": [ 20 | "Identifying the context in which the affected page displays a Private", 21 | "IP address is necessary.\n\nIf the page is publicly accessible and", 22 | "displays the Private IP of the affected server (or supporting", 23 | "infrastructure), then measures should be put in place to ensure that", 24 | "the IP address is removed from any response." 25 | ] 26 | }, 27 | "cwe": ["200"], 28 | "owasp_top_10": {"2013": [6]}, 29 | "references": [ 30 | { 31 | "url": "http://projects.webappsec.org/w/page/13246936/Information%20Leakage", 32 | "title": "WebAppSec" 33 | } 34 | ] 35 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/41-response-splitting.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 41, 3 | "title": "Response Splitting", 4 | "severity": "medium", 5 | "description": [ 6 | "HTTP response splitting occurs when untrusted data is inserted into", 7 | "the response headers without any sanitisation.\n\nIf successful, this", 8 | "allows cyber-criminals to essentially split the HTTP response in two.", 9 | "This is abused by cyber-criminals injecting CR (Carriage Return --", 10 | "`\\r`) and LF (Line Feed -- `\\n`) characters which will then form the", 11 | "split. If the CR or LF characters are not processed by the server then", 12 | "it cannot be exploited.\n\nAlong with these characters, cyber-criminals", 13 | "can then construct their own arbitrary response headers and body which", 14 | "would then form the second response. The second response is entirely", 15 | "under their control, allowing for a number of other attacks." 
16 | ], 17 | "fix": { 18 | "effort": 50, 19 | "guidance": [ 20 | "It is recommended that untrusted data is never used to form the", 21 | "contents of the response header.\n\nWhere any untrusted source is", 22 | "required to be used in the response headers, it is important to ensure", 23 | "that any hazardous characters (`\\r`, `\\n` and potentially others) are", 24 | "sanitised prior to being used.\n\nThis is especially important when", 25 | "setting cookie values, redirecting, etc." 26 | ] 27 | }, 28 | "tags": [ 29 | "web", 30 | "response", 31 | "splitting", 32 | "injection", 33 | "header" 34 | ], 35 | "cwe": ["98"], 36 | "owasp_top_10": {"2013": [1]}, 37 | "references": [ 38 | { 39 | "url": "http://www.securiteam.com/securityreviews/5WP0E2KFGK.html", 40 | "title": "SecuriTeam" 41 | }, 42 | { 43 | "url": "https://www.owasp.org/index.php/HTTP_Response_Splitting", 44 | "title": "OWASP" 45 | } 46 | ] 47 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/42-remote-file-inclusion.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 42, 3 | "title": "Remote File Inclusion", 4 | "severity": "high", 5 | "description": [ 6 | "Web applications occasionally use parameter values to store the", 7 | "location of a file which will later be required by the server.\n\nAn", 8 | "example of this is often seen in error pages, where the actual file", 9 | "path for the error page is stored in a parameter value -- for example", 10 | "`example.com/error.php?page=404.php`.\n\nA remote file inclusion occurs", 11 | "when the parameter value (ie. 
path to file being called by the server)", 12 | "can be substituted with the address of remote resource -- for example:", 13 | "`yoursite.com/error.asp?page=http://anothersite.com/somethingBad.php`", 14 | "In some cases, the server will process the fetched resource;", 15 | "therefore, if the resource contains server-side code matching that of", 16 | "the framework being used (ASP, PHP, JSP, etc.), it is probable that", 17 | "the resource will be executed as if it were part of the web", 18 | "application.\n\nThe tool discovered that it was possible to substitute a", 19 | "parameter value with an external resource and have the server fetch it", 20 | "and include its contents in the response." 21 | ], 22 | "fix": { 23 | "effort": 50, 24 | "guidance": [ 25 | "It is recommended that untrusted data is never used to form a file", 26 | "location to be included.\n\nTo validate data, the application should", 27 | "ensure that the supplied value for a file is permitted. This can be", 28 | "achieved by performing whitelisting on the parameter value, by", 29 | "matching it against a list of permitted files. If the supplied value", 30 | "does not match any value in the whitelist, then the server should", 31 | "redirect to a standard error page.\n\nIn some scenarios, where dynamic", 32 | "content is being requested, it may not be possible to perform", 33 | "validation against a list of trusted resources, therefore the list", 34 | "must also become dynamic (updated as the files change), or perform", 35 | "filtering to remove extraneous user input (such as semicolons, periods", 36 | "etc.) and only permit `a-z0-9`.\n\nIt is also advised that sensitive", 37 | "files are not stored within the web root and that the user permissions", 38 | "enforced by the directory are correct." 
39 | ] 40 | }, 41 | "cwe": ["98"], 42 | "owasp_top_10": {"2013": [1]}, 43 | "tags": [ 44 | "web", 45 | "remote", 46 | "file", 47 | "inclusion", 48 | "injection" 49 | ], 50 | "references": [ 51 | { 52 | "url": "http://projects.webappsec.org/Remote-File-Inclusion", 53 | "title": "WASC" 54 | }, 55 | { 56 | "url": "http://en.wikipedia.org/wiki/Remote_File_Inclusion", 57 | "title": "Wikipedia" 58 | } 59 | ] 60 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/43-session-fixation.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 43, 3 | "title": "Session fixation", 4 | "severity": "high", 5 | "description": [ 6 | "HTTP by itself is a stateless protocol; therefore, the server is", 7 | "unable to determine which requests are performed by which client and", 8 | "which clients are authenticated or unauthenticated.\n\nThe use of HTTP", 9 | "cookies within the headers allows a web server to identify each", 10 | "individual client and can thus determine which clients hold valid", 11 | "authentication from those that do not. These are known as session", 12 | "cookies or session tokens.\n\nTo prevent clients from being able to", 13 | "guess each other's session token, each assigned session token should", 14 | "be entirely random and be different whenever a session is established", 15 | "with the server.\n\nSession fixation occurs when the client is able to", 16 | "specify their own session token value and the value of the session", 17 | "cookie is not changed by the server after successful authentication.", 18 | "Occasionally, the session token will also remain unchanged for the", 19 | "user independently of how many times they have authenticated.", 20 | "Cyber-criminals will abuse this functionality by sending crafted URL", 21 | "links with a predetermined session token within the link. 
The", 22 | "cyber-criminal will then wait for the victim to login and become", 23 | "authenticated. If successful, the cyber-criminal will know a valid", 24 | "session ID and therefore have access to the victim's session.\n\nThe tool", 25 | "has discovered that it is able to set its own session token." 26 | ], 27 | "fix": { 28 | "effort": 50, 29 | "guidance": [ 30 | "The most important remediation action is to prevent the server from", 31 | "accepting client supplied data as session tokens.\n\nAdditionally, the", 32 | "client's session token should be changed at specific key stages of the", 33 | "application flow, such as during authentication. This will ensure that", 34 | "even if clients are able to set their own cookie, it will not persist", 35 | "into an authenticated session." 36 | ] 37 | }, 38 | "cwe": ["384"], 39 | "owasp_top_10": {"2013": [2]}, 40 | "tags": [ 41 | "web", 42 | "session", 43 | "cookie", 44 | "injection", 45 | "fixation", 46 | "hijacking" 47 | ], 48 | "references": [ 49 | { 50 | "url": "http://projects.webappsec.org/w/page/13246960/Session%20Fixation", 51 | "title": "WASC" 52 | }, 53 | { 54 | "url": "https://www.owasp.org/index.php/Session_fixation", 55 | "title": "OWASP - Session fixation" 56 | } 57 | ] 58 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/44-source-code-disclosure.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 44, 3 | "title": "Source code disclosure", 4 | "severity": "high", 5 | "description": [ 6 | "A modern web application will be reliant on several different", 7 | "programming languages.\n\nThese languages can be broken up in two", 8 | "flavours. These are client-side languages (such as those that run in", 9 | "the browser -- like JavaScript) and server-side languages (which are", 10 | "executed by the server -- like ASP, PHP, JSP, etc.) 
to form the", 11 | "dynamic pages (client-side code) that are then sent to the client.", 12 | "Because all server side code should be executed by the server, it", 13 | "should never be seen by the client. However in some scenarios, it is", 14 | "possible that:\n\n", 15 | "1. The server side code has syntax errors and therefore is not executed", 16 | "by the server but is instead sent to the client\n", 17 | "2. Using crafted requests it is possible to force the server", 18 | "into displaying the source code of the application without executing it.", 19 | "\n\n", 20 | "As the server-side source code often contains sensitive", 21 | "information, such as database connection strings or details into the", 22 | "application workflow, this can be extremely risky.\n\nCyber-criminals", 23 | "will attempt to discover pages that either accidentally or forcefully", 24 | "allow the server-side source code to be disclosed, to assist in", 25 | "discovering further vulnerabilities or sensitive information.\n\nThe tool", 26 | "has detected server-side source code within the server's response.", 27 | "_(False positives may occur when requesting binary files such as", 28 | "images (.JPG or .PNG) and may require manual verification.)_" 29 | ], 30 | "fix": { 31 | "effort": 50, 32 | "guidance": [ 33 | "It is important that input sanitisation be conducted to prevent", 34 | "application files (ASP, JSP, PHP or config files) from being called.", 35 | "It is also important that the file system permissions are correctly", 36 | "configured and that all unused files are removed from the web root.", 37 | "If these are not an option, then the vulnerable file should be removed", 38 | "from the server." 
39 | ] 40 | }, 41 | "cwe": ["200", "548"], 42 | "owasp_top_10": {"2013": [6]}, 43 | "tags": [ 44 | "web", 45 | "code", 46 | "source", 47 | "file", 48 | "inclusion", 49 | "disclosure" 50 | ] 51 | } 52 | -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/45-sql-injection.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 45, 3 | "title": "SQL Injection", 4 | "severity": "high", 5 | "description": [ 6 | "Due to the requirement for dynamic content of today's web", 7 | "applications, many rely on a database backend to store data that will", 8 | "be called upon and processed by the web application (or other", 9 | "programs). Web applications retrieve data from the database by using", 10 | "Structured Query Language (SQL) queries.\n\nTo meet demands of many", 11 | "developers, database servers (such as MSSQL, MySQL, Oracle etc.) have", 12 | "additional built-in functionality that can allow extensive control of", 13 | "the database and interaction with the host operating system itself.", 14 | "An SQL injection occurs when a value originating from the client's", 15 | "request is used within a SQL query without prior sanitisation. This", 16 | "could allow cyber-criminals to execute arbitrary SQL code and steal", 17 | "data or use the additional functionality of the database server to", 18 | "take control of more server components.\n\nThe successful exploitation", 19 | "of a SQL injection can be devastating to an organisation and is one of", 20 | "the most commonly exploited web application vulnerabilities.\n\nThis", 21 | "injection was detected as the tool was able to cause the server to", 22 | "respond to the request with a database related error." 
23 | ], 24 | "fix": { 25 | "effort": 50, 26 | "guidance": [ 27 | "The only proven method to prevent against SQL injection attacks while", 28 | "still maintaining full application functionality is to use", 29 | "parameterized queries (also known as prepared statements). When", 30 | "utilising this method of querying the database, any value supplied by", 31 | "the client will be handled as a string value rather than part of the", 32 | "SQL query.\n\nAdditionally, when utilising parameterized queries, the", 33 | "database engine will automatically check to make sure the string being", 34 | "used matches that of the column. For example, the database engine will", 35 | "check that the user supplied input is an integer if the database", 36 | "column is configured to contain integers." 37 | ] 38 | }, 39 | "cwe": ["89"], 40 | "owasp_top_10": {"2013": [1]}, 41 | "tags": [ 42 | "web", 43 | "sql", 44 | "injection", 45 | "database", 46 | "error" 47 | ], 48 | "references": [ 49 | { 50 | "url": "http://www.securiteam.com/securityreviews/5DP0N1P76E.html", 51 | "title": "SecuriTeam" 52 | }, 53 | { 54 | "url": "http://en.wikipedia.org/wiki/SQL_injection", 55 | "title": "Wikipedia" 56 | }, 57 | { 58 | "url": "https://www.owasp.org/index.php/SQL_Injection", 59 | "title": "OWASP" 60 | }, 61 | { 62 | "url": "http://projects.webappsec.org/w/page/13246963/SQL%20Injection", 63 | "title": "WASC" 64 | }, 65 | { 66 | "url": "http://www.w3schools.com/sql/sql_injection.asp", 67 | "title": "W3 Schools" 68 | }, 69 | { 70 | "url": "http://unixwiz.net/techtips/sql-injection.html", 71 | "title": "UnixWiz" 72 | } 73 | ] 74 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/46-blind-sql-injection.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 46, 3 | "title": "Blind SQL Injection", 4 | "severity": "high", 5 | "description": [ 6 | "Due to the requirement for dynamic content of 
today's web", 7 | "applications, many rely on a database backend to store data that will", 8 | "be called upon and processed by the web application (or other", 9 | "programs). Web applications retrieve data from the database by using", 10 | "Structured Query Language (SQL) queries.\n\nTo meet demands of many", 11 | "developers, database servers (such as MSSQL, MySQL, Oracle etc.) have", 12 | "additional built-in functionality that can allow extensive control of", 13 | "the database and interaction with the host operating system itself.", 14 | "An SQL injection occurs when a value originating from the client's", 15 | "request is used within a SQL query without prior sanitisation. This", 16 | "could allow cyber-criminals to execute arbitrary SQL code and steal", 17 | "data or use the additional functionality of the database server to", 18 | "take control of more server components.\n\nThe successful exploitation", 19 | "of a SQL injection can be devastating to an organisation and is one of", 20 | "the most commonly exploited web application vulnerabilities.", 21 | "\n\n", 22 | "Injection was detected as it was possible to inject specific SQL", 23 | "queries, that if vulnerable, result in the responses for each", 24 | "injection being different. This is known as a blind SQL injection", 25 | "vulnerability." 26 | ], 27 | "fix": { 28 | "effort": 50, 29 | "guidance": [ 30 | "The only proven method to prevent against SQL injection attacks while", 31 | "still maintaining full application functionality is to use", 32 | "parameterized queries (also known as prepared statements). When", 33 | "utilising this method of querying the database, any value supplied by", 34 | "the client will be handled as a string value rather than part of the", 35 | "SQL query.\n\nAdditionally, when utilising parameterized queries, the", 36 | "database engine will automatically check to make sure the string being", 37 | "used matches that of the column. 
For example, the database engine will", 38 | "check that the user supplied input is an integer if the database", 39 | "column is configured to contain integers." 40 | ] 41 | }, 42 | "cwe": ["89"], 43 | "owasp_top_10": {"2013": [1]}, 44 | "tags": [ 45 | "web", 46 | "sql", 47 | "blind", 48 | "injection", 49 | "database" 50 | ], 51 | "references": [ 52 | { 53 | "url": "http://capec.mitre.org/data/definitions/7.html", 54 | "title": "MITRE - CAPEC" 55 | }, 56 | { 57 | "url": "http://projects.webappsec.org/w/page/13246963/SQL%20Injection", 58 | "title": "WASC" 59 | }, 60 | { 61 | "url": "http://www.w3schools.com/sql/sql_injection.asp", 62 | "title": "W3 Schools" 63 | }, 64 | { 65 | "url": "https://www.owasp.org/index.php/Blind_SQL_Injection", 66 | "title": "OWASP" 67 | } 68 | ] 69 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/47-blind-sql-injection-timing-attack.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 47, 3 | "title": "Blind SQL Injection (timing attack)", 4 | "severity": "high", 5 | "description": [ 6 | "Due to the requirement for dynamic content of today's web", 7 | "applications, many rely on a database backend to store data that will", 8 | "be called upon and processed by the web application (or other", 9 | "programs). Web applications retrieve data from the database by using", 10 | "Structured Query Language (SQL) queries.\n\nTo meet demands of many", 11 | "developers, database servers (such as MSSQL, MySQL, Oracle etc.) have", 12 | "additional built-in functionality that can allow extensive control of", 13 | "the database and interaction with the host operating system itself.", 14 | "An SQL injection occurs when a value originating from the client's", 15 | "request is used within a SQL query without prior sanitisation. 
This", 16 | "could allow cyber-criminals to execute arbitrary SQL code and steal", 17 | "data or use the additional functionality of the database server to", 18 | "take control of more server components.\n\nThe successful exploitation", 19 | "of a SQL injection can be devastating to an organisation and is one of", 20 | "the most commonly exploited web application vulnerabilities.\n\nThis", 21 | "injection was detected as the tool was able to inject specific SQL", 22 | "queries, that if vulnerable, result in the responses for each request", 23 | "being delayed before being sent by the server. This is known as a", 24 | "time-based blind SQL injection vulnerability." 25 | ], 26 | "fix": { 27 | "effort": 50, 28 | "guidance": [ 29 | "The only proven method to prevent against SQL injection attacks while", 30 | "still maintaining full application functionality is to use", 31 | "parameterized queries (also known as prepared statements). When", 32 | "utilising this method of querying the database, any value supplied by", 33 | "the client will be handled as a string value rather than part of the", 34 | "SQL query.\n\nAdditionally, when utilising parameterized queries, the", 35 | "database engine will automatically check to make sure the string being", 36 | "used matches that of the column. For example, the database engine will", 37 | "check that the user supplied input is an integer if the database", 38 | "column is configured to contain integers." 
39 | ] 40 | }, 41 | "tags": [ 42 | "web", 43 | "sql", 44 | "blind", 45 | "injection", 46 | "database" 47 | ], 48 | "references": [ 49 | { 50 | "url": "http://capec.mitre.org/data/definitions/7.html", 51 | "title": "MITRE - CAPEC" 52 | }, 53 | { 54 | "url": "http://projects.webappsec.org/w/page/13246963/SQL%20Injection", 55 | "title": "WASC" 56 | }, 57 | { 58 | "url": "http://www.w3schools.com/sql/sql_injection.asp", 59 | "title": "W3 Schools" 60 | }, 61 | { 62 | "url": "https://www.owasp.org/index.php/Blind_SQL_Injection", 63 | "title": "OWASP" 64 | } 65 | ] 66 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/48-disclosed-us-social-security-number-ssn.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 48, 3 | "title": "Disclosed US Social Security Number (SSN)", 4 | "severity": "high", 5 | "description": [ 6 | "The US Social Security Number (SSN) is a personally identifiable", 7 | "number that is issued to its citizens.\n\nA stolen or leaked SSN can", 8 | "lead to a compromise, and/or the theft of the affected individual's", 9 | "identity.\n\nThrough the use of regular expressions, the tool has", 10 | "discovered an SSN located within the response of the affected page." 11 | ], 12 | "fix": { 13 | "effort": 50, 14 | "guidance": [ 15 | "Initially, the SSN within the response should be checked to ensure its", 16 | "validity, as it is possible that the regular expression has matched a", 17 | "similar number with no relation to a real SSN.\n\nIf the response does", 18 | "contain a valid SSN, then all efforts should be taken to remove or", 19 | "further protect this information. This can be achieved by removing the", 20 | "SSN altogether or by masking the number so that only the last few", 21 | "digits are present within the response (eg. _**********123_)." 
22 | ] 23 | }, 24 | "cwe": ["213"], 25 | "references": [ 26 | { 27 | "url": "http://www.ssa.gov/pubs/10064.html", 28 | "title": "ssa.gov" 29 | } 30 | ] 31 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/49-unencrypted-password-form.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 49, 3 | "title": "Unencrypted password form", 4 | "severity": "medium", 5 | "description": [ 6 | "The HTTP protocol by itself is clear text, meaning that any data that", 7 | "is transmitted via HTTP can be captured and the contents viewed.\n\nTo", 8 | "keep data private, and prevent it from being intercepted, HTTP is", 9 | "often tunnelled through either Secure Sockets Layer (SSL), or", 10 | "Transport Layer Security (TLS). When either of these encryption", 11 | "standards are used it is referred to as HTTPS.\n\nCyber-criminals will", 12 | "often attempt to compromise credentials passed from the client to the", 13 | "server using HTTP. This can be conducted via various different", 14 | "Man-in-The-Middle (MiTM) attacks or through network packet captures.", 15 | "The tool discovered that the affected page contains a `password` input,", 16 | "however, the value of the field is not sent to the server utilising", 17 | "HTTPS. Therefore it is possible that any submitted credential may", 18 | "become compromised." 19 | ], 20 | "fix": { 21 | "effort": 50, 22 | "guidance": [ 23 | "The affected site should be secured utilising the latest and most", 24 | "secure encryption protocols. These include SSL version 3.0 and TLS", 25 | "version 1.2. While TLS 1.2 is the latest and the most preferred", 26 | "protocol, not all browsers will support this encryption method.", 27 | "Therefore, the more common SSL is included. Older protocols such as", 28 | "SSL version 2, and weak ciphers (< 128 bit) should also be disabled." 
29 | ] 30 | }, 31 | "cwe": ["319"], 32 | "tags": [ 33 | "web", 34 | "unencrypted", 35 | "password", 36 | "form" 37 | ], 38 | "references": [ 39 | { 40 | "url": "http://www.owasp.org/index.php/Top_10_2010-A9-Insufficient_Transport_Layer_Protection", 41 | "title": "OWASP Top 10 2010" 42 | } 43 | ] 44 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/5-captcha-protected-form.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 5, 3 | "title": "CAPTCHA protected form", 4 | "severity": "informational", 5 | "description": [ 6 | "To prevent the automated abuse of a page, applications can implement", 7 | "what is known as a CAPTCHA.\n\nThese are used to ensure human", 8 | "interaction with the application and are often used on forms where the", 9 | "application conducts sensitive actions. These typically include user", 10 | "registration, or submitting emails via \"Contact Us\" pages etc.", 11 | "The tool has flagged this not as a vulnerability, but as a prompt for", 12 | "the penetration tester to conduct further manual testing on the", 13 | "CAPTCHA function, as the tool cannot audit CAPTCHA protected forms.", 14 | "Testing for insecurely implemented CAPTCHA is a manual process, and an", 15 | "insecurely implemented CAPTCHA could allow a cyber-criminal a means to", 16 | "abuse these sensitive actions." 17 | ], 18 | "fix": { 19 | "effort": 50, 20 | "guidance": [ 21 | "Although no remediation may be required based on this finding alone,", 22 | "manual testing should ensure that:\n", 23 | "1. The server keeps track of CAPTCHA tokens in use and has the token", 24 | "terminated after its first use or after a period of time, thereby", 25 | "preventing replay attacks.\n", 26 | "2. The CAPTCHA answer is not hidden in plain text within the response", 27 | "that is sent to the client.\n", 28 | "3. 
The CAPTCHA image should not be weak and easily solved.\n" 29 | ] 30 | } 31 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/50-unvalidated-redirect.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 50, 3 | "title": "Unvalidated redirect", 4 | "severity": "medium", 5 | "description": [ 6 | "Web applications occasionally use parameter values to store the", 7 | "address of the page to which the client will be redirected -- for", 8 | "example: `yoursite.com/page.asp?redirect=www.yoursite.com/404.asp`\n\nAn", 9 | "unvalidated redirect occurs when the client is able to modify the", 10 | "affected parameter value in the request and thus control the location", 11 | "of the redirection. For example, the following URL", 12 | "`yoursite.com/page.asp?redirect=www.anothersite.com` will redirect to", 13 | "`www.anothersite.com`.\n\nCyber-criminals will abuse these", 14 | "vulnerabilities in social engineering attacks to get users to", 15 | "unknowingly visit malicious web sites.\n\nThe tool has discovered that", 16 | "the server does not validate the parameter value prior to redirecting", 17 | "the client to the injected value." 18 | ], 19 | "fix": { 20 | "effort": 50, 21 | "guidance": [ 22 | "The application should ensure that the supplied value for a redirect", 23 | "is permitted. This can be achieved by performing whitelisting on the", 24 | "parameter value.\n\nThe whitelist should contain a list of pages or", 25 | "sites that the application is permitted to redirect users to. If the", 26 | "supplied value does not match any value in the whitelist then the", 27 | "server should redirect to a standard error page." 
28 | ] 29 | }, 30 | "cwe": ["601"], 31 | "owasp_top_10": {"2013": [10]}, 32 | "tags": [ 33 | "web", 34 | "unvalidated", 35 | "redirect", 36 | "injection", 37 | "header", 38 | "location" 39 | ], 40 | "references": [ 41 | { 42 | "url": "https://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards", 43 | "title": "OWASP Top 10 2010" 44 | } 45 | ] 46 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/51-unvalidated-dom-redirect.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 51, 3 | "title": "Unvalidated DOM redirect", 4 | "severity": "medium", 5 | "description": [ 6 | "Web applications occasionally use DOM input values to store the", 7 | "address of the page to which the client will be redirected -- for", 8 | "example: `yoursite.com/#/?redirect=www.yoursite.com/404.asp`\n\nAn", 9 | "unvalidated redirect occurs when the client is able to modify the", 10 | "affected parameter value and thus control the location of the", 11 | "redirection. For example, the following URL", 12 | "`yoursite.com/#/?redirect=www.anothersite.com` will redirect to", 13 | "`www.anothersite.com`.\n\nCyber-criminals will abuse these", 14 | "vulnerabilities in social engineering attacks to get users to", 15 | "unknowingly visit malicious web sites.\n\nThe tool has discovered that", 16 | "the web page does not validate the parameter value prior to", 17 | "redirecting the client to the injected value." 18 | ], 19 | "cwe": ["601"], 20 | "owasp_top_10": {"2013": [10]}, 21 | "fix": { 22 | "effort": 50, 23 | "guidance": [ 24 | "The application should ensure that the supplied value for a redirect", 25 | "is permitted. This can be achieved by performing whitelisting on the", 26 | "parameter value.\n\nThe whitelist should contain a list of pages or", 27 | "sites that the application is permitted to redirect users to. 
If the", 28 | "supplied value does not match any value in the whitelist then the", 29 | "server should redirect to a standard error page." 30 | ] 31 | }, 32 | "tags": [ 33 | "web", 34 | "unvalidated", 35 | "redirect", 36 | "dom", 37 | "injection" 38 | ], 39 | "references": [ 40 | { 41 | "url": "https://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards", 42 | "title": "OWASP Top 10 2010" 43 | } 44 | ] 45 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/52-webdav.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 52, 3 | "title": "WebDAV", 4 | "severity": "informational", 5 | "description": [ 6 | "Web Distributed Authoring and Versioning (WebDAV) is a facility that", 7 | "enables basic file management (reading and writing) to a web server.", 8 | "It essentially allows the webserver to be mounted by the client as a", 9 | "traditional file system allowing users a very simplistic means to", 10 | "access it as they would any other medium or network share.\n\nIf", 11 | "discovered, attackers will attempt to harvest information from the", 12 | "WebDAV enabled directories, or even upload malicious files that could", 13 | "then be used to compromise the server.\n\nThe tool discovered that the", 14 | "affected page allows WebDAV access. This was discovered as the server", 15 | "allowed several specific methods that are specific to WebDAV", 16 | "(`PROPFIND`, `PROPPATCH`, etc.), however, further testing should be", 17 | "conducted on the WebDAV component specifically as the tool does support", 18 | "this feature." 19 | ], 20 | "fix": { 21 | "effort": 50, 22 | "guidance": [ 23 | "Identification of the requirement to run a WebDAV server should be", 24 | "considered. If it is not required then it should be disabled. 
However,", 25 | "if it is required to meet the application functionality, then it", 26 | "should be protected by SSL/TLS as well as the implementation of a", 27 | "strong authentication mechanism." 28 | ] 29 | }, 30 | "tags": [ 31 | "web", 32 | "webdav", 33 | "options", 34 | "methods", 35 | "server" 36 | ], 37 | "references": [ 38 | { 39 | "url": "http://www.webdav.org/specs/rfc4918.html", 40 | "title": "WebDAV.org" 41 | }, 42 | { 43 | "url": "http://en.wikipedia.org/wiki/WebDAV", 44 | "title": "Wikipedia" 45 | } 46 | ] 47 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/53-missing-x-frame-options-header.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 53, 3 | "title": "Missing 'X-Frame-Options' header", 4 | "severity": "low", 5 | "description": [ 6 | "Clickjacking (User Interface redress attack, UI redress attack, UI", 7 | "redressing) is a malicious technique of tricking a Web user into", 8 | "clicking on something different from what the user perceives they are", 9 | "clicking on, thus potentially revealing confidential information or", 10 | "taking control of their computer while clicking on seemingly innocuous", 11 | "web pages.\n\nThe server didn't return an `X-Frame-Options` header which", 12 | "means that this website could be at risk of a clickjacking attack.", 13 | "The `X-Frame-Options` HTTP response header can be used to indicate", 14 | "whether or not a browser should be allowed to render a page inside a", 15 | "frame or iframe. Sites can use this to avoid clickjacking attacks, by", 16 | "ensuring that their content is not embedded into other sites." 17 | ], 18 | "fix": { 19 | "effort": 50, 20 | "guidance": "Configure your web server to include an X-Frame-Options header." 
21 | }, 22 | "references": [ 23 | { 24 | "url": "http://tools.ietf.org/html/rfc7034", 25 | "title": "RFC-7034" 26 | }, 27 | { 28 | "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options", 29 | "title": "Mozilla developer network" 30 | }, 31 | { 32 | "url": "https://www.owasp.org/index.php/Clickjacking", 33 | "title": "OWASP Clickjacking document" 34 | } 35 | ] 36 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/54-xpath-injection.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 54, 3 | "title": "XPath Injection", 4 | "severity": "high", 5 | "description": [ 6 | "XML Path Language (XPath) queries are used by web applications for", 7 | "selecting nodes from XML documents. Once selected, the value of these", 8 | "nodes can then be used by the application.\n\nA simple example for the", 9 | "use of XML documents is to store user information. As part of the", 10 | "authentication process, the application will perform an XPath query to", 11 | "confirm the login credentials and retrieve that user's information to", 12 | "use in the following request.\n\nXPath injection occurs where untrusted", 13 | "data is used to build XPath queries.\n\nCyber-criminals may abuse this", 14 | "injection vulnerability to bypass authentication, query other user's", 15 | "information, or, if the XML document contains privileged user", 16 | "credentials, allow the cyber-criminal to escalate their privileges.", 17 | "The tool injected special XPath query characters into the page and", 18 | "based on the responses from the server, has determined that the page", 19 | "is vulnerable to XPath injection." 20 | ], 21 | "fix": { 22 | "effort": 50, 23 | "guidance": [ 24 | "The preferred way to protect against XPath injection is to utilise", 25 | "parameterized (also known as prepared) XPath queries. 
When utilising", 26 | "this method of querying the XML document any value supplied by the", 27 | "client will be handled as a string rather than part of the XPath", 28 | "query.\n\nAn alternative to parameterized queries is to use precompiled", 29 | "XPath queries. Precompiled XPath queries are not generated dynamically", 30 | "and will therefore never process user supplied input as XPath." 31 | ] 32 | }, 33 | "cwe": ["91", "643"], 34 | "owasp_top_10": {"2013": [1]}, 35 | "tags": [ 36 | "web", 37 | "xpath", 38 | "database", 39 | "error", 40 | "injection" 41 | ], 42 | "references": [ 43 | { 44 | "url": "http://projects.webappsec.org/w/page/13247005/XPath%20Injection", 45 | "title": "WASC" 46 | }, 47 | { 48 | "url": "https://www.owasp.org/index.php/XPATH_Injection", 49 | "title": "OWASP" 50 | } 51 | ] 52 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/55-cross-site-scripting-xss.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 55, 3 | "title": "Reflected Cross-Site Scripting (XSS)", 4 | "severity": "high", 5 | "description": [ 6 | "Client-side scripts are used extensively by modern web applications.", 7 | "They perform from simple functions (such as the formatting of text) up", 8 | "to full manipulation of client-side data and Operating System", 9 | "interaction.", 10 | "\n\n", 11 | "Cross Site Scripting (XSS) allows clients to inject arbitrary scripting", 12 | "code into a request and have the server return the script to the", 13 | "client in the response. This occurs because the application is taking", 14 | "untrusted data (in this example, from the client) and reusing it", 15 | "without performing any validation or encoding." 
16 | ], 17 | "fix": { 18 | "effort": 10, 19 | "guidance": [ 20 | "To remedy XSS vulnerabilities, it is important to never use untrusted", 21 | "or unfiltered data within the code of an HTML page.", 22 | "\n\n", 23 | "Untrusted data can originate not only from the client but potentially", 24 | "a third party or previously uploaded file etc. Filtering of untrusted", 25 | "data typically involves converting special characters to their HTML", 26 | "entity encoded counterparts (however, other methods do exist, see", 27 | "references). These special characters include:", 28 | "\n\n", 29 | "* `&`\n", 30 | "* `<`\n", 31 | "* `>`\n", 32 | "* `\"`\n", 33 | "* `'`\n", 34 | "* `/`\n", 35 | "\n\n", 36 | "An example of HTML entity encoding is converting `<` to `&lt;`. Although", 37 | "it is possible to filter untrusted input, there are five locations", 38 | "within an HTML page where untrusted input (even if it has been", 39 | "filtered) should never be placed:", 40 | "\n\n", 41 | "1. Directly in a script.\n", 42 | "2. Inside an HTML comment.\n", 43 | "3. In an attribute name.\n", 44 | "4. In a tag name.\n", 45 | "5. 
Directly in CSS.\n", 46 | "\n\n", 47 | "Each of these locations has its own form of escaping and filtering.", 48 | "\n\n", 49 | "_Because many browsers attempt to implement", 50 | "XSS protection, any manual verification of this finding should be", 51 | "conducted using multiple different browsers and browser versions._" 52 | ] 53 | }, 54 | "cwe": ["79"], 55 | "owasp_top_10": {"2013": [3]}, 56 | "tags": [ 57 | "web", 58 | "xss", 59 | "injection", 60 | "script" 61 | ], 62 | "references": [ 63 | { 64 | "url": "http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting", 65 | "title": "WASC" 66 | }, 67 | { 68 | "url": "http://secunia.com/advisories/9716/", 69 | "title": "Secunia" 70 | }, 71 | { 72 | "url": "https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet", 73 | "title": "OWASP" 74 | } 75 | ] 76 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/56-dom-based-cross-site-scripting-xss.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 56, 3 | "title": "DOM-based Cross-Site Scripting (XSS)", 4 | "severity": "high", 5 | "description": [ 6 | "Client-side scripts are used extensively by modern web applications.", 7 | "They perform from simple functions (such as the formatting of text) up", 8 | "to full manipulation of client-side data and Operating System", 9 | "interaction.\n\nUnlike traditional Cross-Site Scripting (XSS), where the", 10 | "client is able to inject scripts into a request and have the server", 11 | "return the script to the client, DOM XSS does not require that a", 12 | "request be sent to the server and may be abused entirely within the", 13 | "loaded page.\n\nThis occurs when elements of the DOM (known as the", 14 | "sources) are able to be manipulated to contain untrusted data, which", 15 | "the client-side scripts (known as the sinks) use or execute in an unsafe", 16 | "way." 
17 | ], 18 | "fix": { 19 | "effort": 50, 20 | "guidance": [ 21 | "Client-side document rewriting, redirection, or other sensitive", 22 | "action, using untrusted data, should be avoided wherever possible, as", 23 | "these may not be inspected by server side filtering.\n\nTo remedy DOM", 24 | "XSS vulnerabilities where these sensitive document actions must be", 25 | "used, it is essential to:\n", 26 | "1. Ensure any untrusted data is treated as text, as opposed to being", 27 | "interpreted as code or mark-up within the page.\n", 28 | "2. Escape untrusted data prior to being used within the page. Escaping", 29 | "methods will vary depending on where the untrusted data is being used.", 30 | "(See references for details.)\n", 31 | "3. Use `document.createElement`, `element.setAttribute`,", 32 | "`element.appendChild`, etc. to build dynamic interfaces as opposed", 33 | "to HTML rendering methods such as `document.write`,", 34 | "`document.writeln`, `element.innerHTML`, or `element.outerHTML`, etc.\n" 35 | ] 36 | }, 37 | "cwe": ["79"], 38 | "owasp_top_10": {"2013": [3]}, 39 | "tags": [ 40 | "web", 41 | "xss", 42 | "dom", 43 | "injection", 44 | "script" 45 | ], 46 | "references": [ 47 | { 48 | "url": "http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting", 49 | "title": "WASC" 50 | }, 51 | { 52 | "url": "https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet", 53 | "title": "OWASP - Prevention" 54 | }, 55 | { 56 | "url": "https://www.owasp.org/index.php/DOM_Based_XSS", 57 | "title": "OWASP" 58 | } 59 | ] 60 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/6-code-injection.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 6, 3 | "title": "Code injection", 4 | "severity": "high", 5 | "description": [ 6 | "A modern web application will be reliant on several different", 7 | "programming languages.\n\nThese languages can be broken 
up into two", 8 | "flavours. These are client-side languages (such as those that run in", 9 | "the browser -- like JavaScript) and server-side languages (which are", 10 | "executed by the server -- like ASP, PHP, JSP, etc.) to form the", 11 | "dynamic pages (client-side code) that are then sent to the client.", 12 | "Because all server-side code should be executed by the server, it", 13 | "should only ever come from a trusted source.\n\nCode injection occurs", 14 | "when the server takes untrusted code (i.e. from the client) and", 15 | "executes it.\n\nCyber-criminals will abuse this weakness to execute", 16 | "arbitrary code on the server, which could result in complete server", 17 | "compromise.\n\nThe tool was able to inject specific server-side code and", 18 | "have the executed output from the code contained within the server", 19 | "response. This indicates that proper input sanitisation is not", 20 | "occurring." 21 | ], 22 | "fix": { 23 | "effort": 50, 24 | "guidance": [ 25 | "It is recommended that untrusted input is never processed as", 26 | "server-side code.\n\nTo validate input, the application should ensure", 27 | "that the supplied value contains only the data that are required to", 28 | "perform the relevant action.\n\nFor example, where a username is", 29 | "required, then non-alpha characters should not be accepted." 
30 | ] 31 | }, 32 | "cwe": ["94", "95"], 33 | "owasp_top_10": {"2013": [1]}, 34 | "tags": [ 35 | "web", 36 | "code", 37 | "injection" 38 | ], 39 | "references": [ 40 | { 41 | "url": "http://docs.python.org/py3k/library/functions.html#eval", 42 | "title": "Python eval documentation" 43 | }, 44 | { 45 | "url": "http://www.aspdev.org/asp/asp-eval-execute/", 46 | "title": "ASP eval documentation" 47 | }, 48 | { 49 | "url": "http://php.net/manual/en/function.eval.php", 50 | "title": "PHP eval documentation" 51 | }, 52 | { 53 | "url": "http://perldoc.perl.org/functions/eval.html", 54 | "title": "Perl eval documentation" 55 | } 56 | ] 57 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/63-http-trace.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 63, 3 | "title": "HTTP TRACE", 4 | "severity": "medium", 5 | "description": [ 6 | "The `TRACE` HTTP method allows a client to send a request to the", 7 | "server, and have the same request then sent back in the server's", 8 | "response. This allows the client to determine if the server is", 9 | "receiving the request as expected or if specific parts of the request", 10 | "are not arriving as expected. For example, incorrect encoding or a load", 11 | "balancer has filtered or changed a value. On many default", 12 | "installations the `TRACE` method is still enabled.\n\nWhile not", 13 | "vulnerable by itself, it does provide a method for cyber-criminals to", 14 | "bypass the `HTTPOnly` cookie flag, and therefore could allow an XSS", 15 | "attack to successfully access a session token.\n\nThe tool has discovered", 16 | "that the affected page permits the HTTP `TRACE` method." 
17 | ], 18 | "fix": { 19 | "effort": 50, 20 | "guidance": [ 21 | "The HTTP `TRACE` method is normally not required within production", 22 | "sites and should therefore be disabled.\n\nDepending on the function", 23 | "being performed by the web application, the risk level can start low", 24 | "and increase as more functionality is implemented.\n\nThe remediation is", 25 | "typically a very simple configuration change and in most cases will", 26 | "not have any negative impact on the server or application." 27 | ] 28 | }, 29 | "owasp_top_10": {"2013": [5]}, 30 | "tags": [ 31 | "web", 32 | "xst", 33 | "methods", 34 | "trace", 35 | "server" 36 | ], 37 | "references": [ 38 | { 39 | "url": "http://capec.mitre.org/data/definitions/107.html", 40 | "title": "CAPEC" 41 | }, 42 | { 43 | "url": "http://www.owasp.org/index.php/Cross_Site_Tracing", 44 | "title": "OWASP" 45 | } 46 | ] 47 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/64-xml-external-entity.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 64, 3 | "title": "XML External Entity", 4 | "severity": "high", 5 | "description": [ 6 | "An XML External Entity attack is a type of attack against an", 7 | "application that parses XML input.\n\nThis attack occurs when XML input", 8 | "containing a reference to an external entity is processed by a weakly", 9 | "configured XML parser.\n\nThis attack may lead to the disclosure of", 10 | "confidential data, denial of service, port scanning from the", 11 | "perspective of the machine where the parser is located, and other", 12 | "system impacts." 
13 | ], 14 | "fix": { 15 | "effort": 50, 16 | "guidance": [ 17 | "Since the whole XML document is communicated from an untrusted client,", 18 | "it's not usually possible to selectively validate or escape tainted", 19 | "data within the system identifier in the DTD.\n\nTherefore, the XML", 20 | "processor should be configured to use a local static DTD and disallow", 21 | "any declared DTD included in the XML document." 22 | ] 23 | }, 24 | "cwe": ["611"], 25 | "owasp_top_10": {"2013": [1]}, 26 | "references": [ 27 | { 28 | "url": "https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing", 29 | "title": "OWASP" 30 | } 31 | ] 32 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/65-arbitrary-file-upload.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 65, 3 | "title": "Unrestricted file upload", 4 | "severity": "high", 5 | "description": [ 6 | "Many web applications allow users to upload files that will either be", 7 | "stored or processed by the receiving web server.", 8 | "\n\n", 9 | "It was possible to identify a form which allows files with arbitrary", 10 | "content and extension to be uploaded to the remote server, and then", 11 | "stores the uploaded file to a guessable path in the server's web root.", 12 | "\n\n", 13 | "This could be used by a cyber-criminal to host content from the vulnerable", 14 | "server for phishing and Cross-Site Scripting attacks. In cases where the", 15 | "server is configured to execute scripts (PHP, Ruby, etc.) this", 16 | "vulnerability can be used to gain remote code execution on the server." 17 | ], 18 | "fix": { 19 | "effort": 10, 20 | "guidance": [ 21 | "The identified form handler should at a minimum:", 22 | "\n\n", 23 | "1. Whitelist permitted file types and block all others. This should be", 24 | "conducted on the MIME type of the file rather than its extension.\n", 25 | "2. 
As the file is uploaded, and prior to being handled (written to the", 26 | "disk) by the server, the filename should be stripped of all control,", 27 | "special, or Unicode characters.\n", 28 | "3. Ensure that the upload is conducted via the HTTP `POST` method rather", 29 | "than `GET` or `PUT`.\n", 30 | "4. Ensure that the file is written to a directory that does not hold", 31 | "any execute permission and that all files within that directory inherit", 32 | "the same permissions.\n", 33 | "5. Scan (if possible) with an up-to-date virus scanner before being", 34 | "stored.\n", 35 | "6. Ensure that the application handles files as per the host operating", 36 | "system. For example, the length of the file name is appropriate, there", 37 | "is adequate space to store the file, protection against overwriting", 38 | "other files etc." 39 | ] 40 | }, 41 | "tags": [ 42 | "web", 43 | "file", 44 | "upload" 45 | ], 46 | "cwe": ["434"], 47 | "owasp_top_10": {"2013": [4]}, 48 | "references": [ 49 | { 50 | "url": "https://www.owasp.org/index.php/Unrestricted_File_Upload", 51 | "title": "owasp.org" 52 | } 53 | ] 54 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/66-insecure-ssl-version.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 66, 3 | "title": "Insecure SSL version enabled", 4 | "severity": "medium", 5 | "description": [ 6 | "The server accepts SSL connections which use the insecure SSLv2", 7 | "protocol. SSLv2 is an old implementation of the Secure Sockets Layer", 8 | "protocol which suffers from a number of security flaws allowing attackers", 9 | "to capture and alter information passed between a client and the server.", 10 | "\n\n", 11 | "SSLv2 has been deprecated and is no longer recommended. Note that", 12 | "neither SSLv2 nor SSLv3 meet the U.S. 
FIPS 140-2 standard, which governs", 13 | "cryptographic modules for use in federal information systems. Only the", 14 | "newer TLS (Transport Layer Security) protocol meets FIPS 140-2", 15 | "requirements." 16 | ], 17 | "fix": { 18 | "effort": 10, 19 | "guidance": [ 20 | "Change the web server configuration in order to disable SSLv2" 21 | ] 22 | }, 23 | "tags": [ 24 | "web", 25 | "ssl" 26 | ], 27 | "cwe": ["326"], 28 | "owasp_top_10": { 29 | "2010": [9] 30 | }, 31 | "references": [ 32 | { 33 | "url": "https://support.microsoft.com/en-us/kb/187498", 34 | "title": "How to Disable SSL 2.0 in IIS" 35 | } 36 | ] 37 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/67-self-signed-ssl-certificate.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 67, 3 | "title": "Self-signed TLS/SSL certificate", 4 | "severity": "medium", 5 | "description": [ 6 | "The server's TLS/SSL certificate is self-signed. Self-signed", 7 | "certificates are not trusted by browsers and other HTTP clients,", 8 | "especially because TLS/SSL man-in-the-middle attacks typically use", 9 | "self-signed certificates to eavesdrop on TLS/SSL connections." 10 | ], 11 | "fix": { 12 | "effort": 60, 13 | "guidance": [ 14 | "Create a new TLS/SSL certificate, request a trusted certificate", 15 | "authority (CA) to sign it and replace the self-signed certificate with", 16 | "the newly generated one." 
17 | ] 18 | }, 19 | "cwe": ["296"], 20 | "tags": [ 21 | "web", 22 | "unencrypted", 23 | "tls", 24 | "ssl" 25 | ], 26 | "references": [ 27 | { 28 | "url": "https://en.wikipedia.org/wiki/Self-signed_certificate", 29 | "title": "Wikipedia article on self-signed certificates" 30 | } 31 | ] 32 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/68-shellshock.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 68, 3 | "title": "ShellShock", 4 | "severity": "high", 5 | "description": [ 6 | "GNU Bash through 4.3 processes trailing strings after function", 7 | "definitions in the values of environment variables, which allows remote", 8 | "attackers to execute arbitrary code via a crafted environment, as", 9 | "demonstrated by vectors involving the ForceCommand feature in OpenSSH", 10 | "sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts", 11 | "executed by unspecified DHCP clients, and other situations in which", 12 | "setting the environment occurs across a privilege boundary from Bash", 13 | "execution, aka 'ShellShock'" 14 | ], 15 | "fix": { 16 | "effort": 60, 17 | "guidance": [ 18 | "Upgrade Bash to version 4.3.025 or newer" 19 | ] 20 | }, 21 | "tags": [ 22 | "web", 23 | "bash", 24 | "shellshock" 25 | ], 26 | "references": [ 27 | { 28 | "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271", 29 | "title": "CVE-2014-6271" 30 | }, 31 | { 32 | "url": "https://en.wikipedia.org/wiki/Shellshock_%28software_bug%29", 33 | "title": "Wikipedia article for Shellshock" 34 | } 35 | ] 36 | } 37 | -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/69-insecure-frontpage-configuration.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 69, 3 | "title": "Insecure Frontpage extensions configuration", 4 | "severity": "high", 5 | 
"description": [ 6 | "Incorrect permissions and/or missing authentication were discovered on", 7 | "FrontPage extensions used for publishing content.", 8 | "\n\n", 9 | "A cyber-criminal might use this vulnerability to deface web sites and", 10 | "potentially gain remote code execution on the server." 11 | ], 12 | "fix": { 13 | "effort": 10, 14 | "guidance": [ 15 | " 1. Change the permissions on directories and files accessible via IIS\n", 16 | "2. Setup authentication and authorization for FrontPage extension access" 17 | ] 18 | }, 19 | "tags": [ 20 | "web", 21 | "windows", 22 | "frontpage" 23 | ], 24 | "owasp_top_10": { 25 | "2013": [5] 26 | }, 27 | "references": [ 28 | { 29 | "url": "https://msdn.microsoft.com/en-us/library/bb742372.aspx", 30 | "title": "Configuring FrontPage Server Extensions" 31 | } 32 | ] 33 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/70-persistent-xss.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 70, 3 | "title": "Persistent Cross-Site Scripting (XSS)", 4 | "severity": "high", 5 | "description": [ 6 | "Client-side scripts are used extensively by modern web applications.", 7 | "They perform from simple functions (such as the formatting of text) up", 8 | "to full manipulation of client-side data and Operating System", 9 | "interaction.", 10 | "\n\n", 11 | "Cross Site Scripting (XSS) allows clients to inject arbitrary scripting", 12 | "code into a request and have the server return the script to the", 13 | "client in the response. 
This occurs because the application is taking", 14 | "untrusted data (in this example, from the client) and reusing it", 15 | "without performing any validation or encoding.", 16 | "\n\n", 17 | "Persistent Cross Site Scripting vulnerabilities occur when the application", 18 | "stores user controlled information and then uses it to render HTTP", 19 | "response bodies to other clients.", 20 | "\n\n", 21 | "This type of vulnerability can be used by a cyber-criminal to perform", 22 | "session hijacking, phishing or denial of service attacks against other", 23 | "web application users." 24 | ], 25 | "fix": { 26 | "effort": 10, 27 | "guidance": [ 28 | "To remedy XSS vulnerabilities, it is important to never use untrusted", 29 | "or unfiltered data within the code of an HTML page.", 30 | "\n\n", 31 | "Untrusted data can originate not only from the client but potentially", 32 | "a third party or previously uploaded file etc. Filtering of untrusted", 33 | "data typically involves converting special characters to their HTML", 34 | "entity encoded counterparts (however, other methods do exist, see", 35 | "references). These special characters include:", 36 | "\n\n", 37 | "* `&`\n", 38 | "* `<`\n", 39 | "* `>`\n", 40 | "* `\"`\n", 41 | "* `'`\n", 42 | "* `/`\n", 43 | "\n\n", 44 | "An example of HTML entity encoding is converting `<` to `&lt;`. Although", 45 | "it is possible to filter untrusted input, there are five locations", 46 | "within an HTML page where untrusted input (even if it has been", 47 | "filtered) should never be placed:", 48 | "\n\n", 49 | "1. Directly in a script.\n", 50 | "2. Inside an HTML comment.\n", 51 | "3. In an attribute name.\n", 52 | "4. In a tag name.\n", 53 | "5. 
Directly in CSS.\n", 54 | "\n\n", 55 | "Each of these locations have their own form of escaping and filtering.", 56 | "\n\n", 57 | "_Because many browsers attempt to implement", 58 | "XSS protection, any manual verification of this finding should be", 59 | "conducted using multiple different browsers and browser versions._" 60 | ] 61 | }, 62 | "cwe": ["79"], 63 | "owasp_top_10": {"2013": [3]}, 64 | "tags": [ 65 | "web", 66 | "xss", 67 | "persistent", 68 | "script" 69 | ], 70 | "references": [ 71 | { 72 | "url": "http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting", 73 | "title": "WASC" 74 | }, 75 | { 76 | "url": "http://secunia.com/advisories/9716/", 77 | "title": "Secunia" 78 | }, 79 | { 80 | "url": "https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet", 81 | "title": "OWASP" 82 | } 83 | ] 84 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/71-reflected-file-download.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 71, 3 | "title": "Reflected File Download", 4 | "severity": "medium", 5 | "description": [ 6 | "The reflected file download vulnerability is an application weakness", 7 | "which allows a cyber-criminal to perform advanced social engineering", 8 | "attacks where an arbitrary executable file is downloaded by the user from", 9 | "vulnerable site. The contents of the executable file are controlled by", 10 | "the attacker and are never uploaded to the vulnerable site.", 11 | "\n\n", 12 | "This vulnerability, like many other Web attacks, begins by sending a", 13 | "malicious link to a victim. Unlike other attacks the exploitation finishes", 14 | "outside of the browser context:", 15 | "\n\n", 16 | "1. The user follows a malicious link to a trusted web site\n", 17 | "2. 
An executable file is downloaded and saved on the user's machine.", 18 | "All security indicators show that the file is 'hosted' on the trusted web", 19 | "site\n", 20 | "3. The user executes the file which contains shell commands that gain", 21 | "complete control over the computer." 22 | ], 23 | "fix": { 24 | "effort": 10, 25 | "guidance": [ 26 | "1. Explicitly set the `filename` attribute in the Content-disposition", 27 | "HTTP response header.\n", 28 | "2. Perform strict whitelist validation on user input before using it", 29 | "in the creation of HTTP response bodies\n" 30 | ] 31 | }, 32 | "cwe": ["79"], 33 | "owasp_top_10": {"2013": [1]}, 34 | "tags": [ 35 | "web", 36 | "rfd", 37 | "reflected" 38 | ], 39 | "references": [ 40 | { 41 | "url": "https://www.trustwave.com/Resources/SpiderLabs-Blog/Reflected-File-Download---A-New-Web-Attack-Vector/", 42 | "title": "Reflected File Download - A New Web Attack Vector" 43 | } 44 | ] 45 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/72-cache-control-headers.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 72, 3 | "title": "Insecure or no Cache-Control header", 4 | "severity": "low", 5 | "description": [ 6 | "The `cache-control` and `pragma` HTTP headers have not been set properly,", 7 | "allowing the browser and proxies to cache the HTTP response." 8 | ], 9 | "fix": { 10 | "effort": 10, 11 | "guidance": [ 12 | "Ensure that the `Cache-control` HTTP response header is set to", 13 | "`no-cache, no-store` and that the `Pragma` header is set to `no-cache`." 
14 | ] 15 | }, 16 | "cwe": ["524", "525"], 17 | "owasp_top_10": {"2013": [5]}, 18 | "tags": [ 19 | "web", 20 | "browser", 21 | "cache", 22 | "session" 23 | ], 24 | "references": [ 25 | { 26 | "url": "https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching", 27 | "title": "Session Management Cheat Sheet" 28 | } 29 | ] 30 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/73-information-leak-stack-trace.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 73, 3 | "title": "Application error message", 4 | "severity": "low", 5 | "description": [ 6 | "Information Leakage is an application weakness where an application", 7 | "reveals sensitive data, such as technical details of the web application,", 8 | "environment, or user-specific data. Sensitive data may be used by an", 9 | "attacker to exploit the target web application, its hosting network,", 10 | "or its users.", 11 | "\n\n", 12 | "In its most common form, information leakage is the result of one or more", 13 | "of the following conditions:\n", 14 | "* A failure to scrub out HTML/Script comments containing sensitive", 15 | "information\n", 16 | "* Improper application or server configurations\n", 17 | "* Improper application error handling\n" 18 | ], 19 | "fix": { 20 | "effort": 60, 21 | "guidance": [ 22 | " * Ensure that the application source handles exceptions and errors in", 23 | "such a way that no sensitive information is disclosed to the users\n", 24 | "* Configure the application server to handle and log any exceptions", 25 | "that the application might yield\n" 26 | ] 27 | }, 28 | "cwe": ["200"], 29 | "owasp_top_10": {"2013": [6]}, 30 | "tags": [ 31 | "web", 32 | "error", 33 | "information leak" 34 | ], 35 | "references": [ 36 | { 37 | "url": "http://projects.webappsec.org/w/page/13246936/Information%20Leakage", 38 | "title": "WASC threat classification" 39 | } 40 
| ] 41 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/74-phishing-vector.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 74, 3 | "title": "Phishing vector", 4 | "severity": "low", 5 | "description": [ 6 | "The web user interface (UI) does not properly represent critical", 7 | "information to the user, allowing the information - or its source -", 8 | "to be obscured or spoofed. This is often a component in phishing attacks.", 9 | "\n\n", 10 | "If an attacker can cause the UI to display erroneous data, or to otherwise", 11 | "convince the user to display information that appears to come from a", 12 | "trusted source, then the attacker could trick the user into performing the", 13 | "wrong action. An example of this vulnerability is the possibility to", 14 | "control the `src` attribute of an iframe tag using a query string", 15 | "parameter." 16 | ], 17 | "fix": { 18 | "effort": 30, 19 | "guidance": [ 20 | " * Review the generated HTML source and ensure that none of it's sections", 21 | "can be used in a UI misrepresentation attack.\n", 22 | "* Perform strict data validation (e.g. syntax, length, etc.) 
before", 23 | "using the user-provided data to render HTML pages.\n" 24 | ] 25 | }, 26 | "cwe": ["451"], 27 | "tags": [ 28 | "web", 29 | "phishing" 30 | ], 31 | "references": [ 32 | { 33 | "url": "https://www.owasp.org/index.php/Phishing", 34 | "title": "Phishing - OWASP" 35 | } 36 | ] 37 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/75-guessable-credentials.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 75, 3 | "title": "Guessable credentials", 4 | "severity": "low", 5 | "description": [ 6 | "Web Applications often have predictable usernames and weak password policies set.", 7 | "This can easily allow an attacker to gain unauthorized access into the application", 8 | "by guessing the credentials used for authentication.\n\nIt was possible to guess and", 9 | "gain a set of valid credentials for the application in scope." 10 | ], 11 | "fix": { 12 | "effort": 40, 13 | "guidance": [ 14 | "Do not have any default credentials set on the application. Any known usernames", 15 | "or passwords associated with the application framework should also be removed.", 16 | "Furthermore, Web Applications should implement a strong password policy consisting", 17 | "of a combination of alphanumeric characters and a minimum length of 8 characters." 
18 | ] 19 | }, 20 | "cwe": ["522"], 21 | "owasp_top_10": {"2013": [5]}, 22 | "tags": [ 23 | "guessable", 24 | "credentials", 25 | "weak", 26 | "predictable" 27 | ], 28 | "references": [ 29 | { 30 | "url": "https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002)", 31 | "title": "OWASP Reference" 32 | } 33 | ] 34 | } 35 | -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/76-x-content-type-options_header_missing.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 76, 3 | "title": "X-Content-Type-Options header missing", 4 | "severity": "low", 5 | "description": [ 6 | "'X-Content-Type-Options' is a type of HTTP header that can be used to prevent MIME", 7 | "content-sniffing attacks in Internet Explorer and Google Chrome. MIME content-sniffing", 8 | "is a mechanism that allows browsers to inspect and dynamically guess the content", 9 | "type and file type.\n\nThe MIME sniffing algorithm has known problems which", 10 | "might allow users to upload files that might contain malicious code. If an attacker", 11 | "can spoof a file type/content and upload it to the application successfully, it is", 12 | "possible to inject malicious code which can be downloaded and viewed by other", 13 | "users of the application. This can lead to attacks such as persistent Cross-Site Scripting." 14 | ], 15 | "fix": { 16 | "effort": 50, 17 | "guidance": [ 18 | "The 'X-Content-Type-Options: nosniff' header should be set, which", 19 | "allows a web server to force the browser into disabling MIME Sniffing", 20 | "for a served file. The nosniff option will only load any external resource", 21 | "if the content-type matches what is expected of the file type." 
22 | ] 23 | }, 24 | "cwe": [], 25 | "owasp_top_10": {"2013": [7]}, 26 | "tags": [ 27 | "content", 28 | "sniffing", 29 | "missing", 30 | "header" 31 | ], 32 | "references": [ 33 | { 34 | "url": "https://msdn.microsoft.com/en-us/library/gg622941(v=vs.85).aspx", 35 | "title": "Reducing MIME type security risks" 36 | } 37 | ] 38 | } 39 | -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/77-HTTP-Basic-Authenticationcredentials.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 77, 3 | "title": "HTTP Basic Authentication credentials", 4 | "severity": "low", 5 | "description": [ 6 | "Basic Access Authentication is an authentication method which uses base64 encoding", 7 | "and transmits login credentials in cleartext between a server and client. This is", 8 | "considered insecure because credentials are transmitted over unencrypted channels", 9 | "which makes it vulnerable to network eavesdropping attacks. Furthermore, base64", 10 | "encoding provides no protection because it can be trivially decoded to reveal the original", 11 | "content.\n\nIf an application requires authentication, it will send a `WWW-Authenticate`", 12 | "header with a `401 Unauthorized` HTTP status code. Then, the client will need to send", 13 | "the server credentials through an `Authorization` header. The credentials are transmitted", 14 | "as a 'name:password' string format in the header. A well-positioned attacker can capture", 15 | "the usernames and passwords by sniffing traffic coming to these services." 16 | ], 17 | "fix": { 18 | "effort": 60, 19 | "guidance": [ 20 | "Other methods of authentication, such as cookie-based authentication, must be", 21 | "used as a replacement. This can still be considered insecure if credentials are", 22 | "submitted in clear text. TLS Encryption must be used when transmitting sensitive", 23 | "information." 
24 | ] 25 | }, 26 | "cwe": ["311"], 27 | "owasp_top_10": {"2013": [2]}, 28 | "tags": [ 29 | "basic", 30 | "authentication", 31 | "clear-text", 32 | "base64" 33 | ], 34 | "references": [ 35 | { 36 | "url": "https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities_-_Weak_Authentication_Methods", 37 | "title": "OWASP Weak Authentication Methods" 38 | } 39 | ] 40 | } 41 | -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/8-code-injection.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 8, 3 | "title": "Code injection (timing attack)", 4 | "severity": "high", 5 | "description": [ 6 | "A modern web application will be reliant on several different", 7 | "programming languages.\n\nThese languages can be broken into two", 8 | "flavours. These are client-side languages (such as those that run in", 9 | "the browser -- like JavaScript) and server-side languages (which are", 10 | "executed by the server -- like ASP, PHP, JSP, etc.) to form the", 11 | "dynamic pages (client-side code) that are then sent to the client.", 12 | "Because all server-side code should be executed by the server, it", 13 | "should only ever come from a trusted source.\n\nCode injection occurs", 14 | "when the server takes untrusted code (i.e. from the client) and", 15 | "executes it.\n\nCyber-criminals will abuse this weakness to execute", 16 | "arbitrary code on the server, which could result in complete server", 17 | "compromise." 
18 | ], 19 | "cwe": ["95"], 20 | "owasp_top_10": {"2013": [1]}, 21 | "fix": { 22 | "effort": 50, 23 | "guidance": [ 24 | "It is recommended that untrusted input is never processed as", 25 | "server-side code.\n\nTo validate input, the application should ensure", 26 | "that the supplied value contains only the data that are required to", 27 | "perform the relevant action.\n\nFor example, where a username is", 28 | "required, then non-alpha characters should not be accepted." 29 | ] 30 | }, 31 | "tags": [ 32 | "web", 33 | "code", 34 | "injection", 35 | "blind" 36 | ], 37 | "references": [ 38 | { 39 | "url": "http://docs.python.org/py3k/library/functions.html#eval", 40 | "title": "Python eval documentation" 41 | }, 42 | { 43 | "url": "http://www.aspdev.org/asp/asp-eval-execute/", 44 | "title": "ASP eval documentation" 45 | }, 46 | { 47 | "url": "http://en.wikipedia.org/wiki/Eval#Ruby", 48 | "title": "Ruby eval documentation" 49 | }, 50 | { 51 | "url": "http://php.net/manual/en/function.eval.php", 52 | "title": "PHP eval documentation" 53 | }, 54 | { 55 | "url": "http://perldoc.perl.org/functions/eval.html", 56 | "title": "Perl eval documentation" 57 | } 58 | ] 59 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/db/9-common-directory.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 9, 3 | "title": "Common directory", 4 | "severity": "medium", 5 | "description": [ 6 | "Web applications are often made up of multiple files and directories.", 7 | "It is possible that over time some directories may become unreferenced", 8 | "(unused) by the web application and forgotten about by the", 9 | "administrator/developer. 
Because web applications are built using", 10 | "common frameworks, they contain common directories that can be", 11 | "discovered (independent of server).\n\nDuring the initial recon stages", 12 | "of an attack, cyber-criminals will attempt to locate unreferenced", 13 | "directories in the hope that the directory will assist in further", 14 | "compromise of the web application. To achieve this they will make", 15 | "thousands of requests using word lists containing common names. The", 16 | "response headers from the server will then indicate if the directory", 17 | "exists.\n\nThe tool also contains a list of common directory names which", 18 | "it will attempt to access." 19 | ], 20 | "cwe": ["538"], 21 | "owasp_top_10": {"2013": [5]}, 22 | "fix": { 23 | "effort": 50, 24 | "guidance": [ 25 | "If directories are unreferenced then they should be removed from the", 26 | "web root and/or the application directory.\n\nPreventing access without", 27 | "authentication may also be an option and can stop a client from being", 28 | "able to view the contents of a file, however it is still likely that", 29 | "the directory structure will be able to be discovered.\n\nUsing obscure", 30 | "directory names is implementing security through obscurity and is not", 31 | "a recommended option." 
32 | ] 33 | }, 34 | "tags": [ 35 | "web", 36 | "path", 37 | "directory", 38 | "common", 39 | "discovery" 40 | ], 41 | "references": [ 42 | { 43 | "url": "https://www.owasp.org/index.php/Forced_browsing", 44 | "title": "OWASP - Forced browsing" 45 | } 46 | ] 47 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/schema.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "http://json-schema.org/draft-04/schema#", 3 | "type": "object", 4 | "title": "Vulnerability schema", 5 | "description": "This schema describes the JSON format of a vulnerability entry", 6 | "definitions": { 7 | "multiString": { 8 | "oneof": [ 9 | { 10 | "type": "string", 11 | "maxLength": 90, 12 | "minLength": 30 13 | }, 14 | { 15 | "type": "array", 16 | "minItems": 1, 17 | "items": { 18 | "type": "string", 19 | "maxLength": 90 20 | } 21 | } 22 | ] 23 | } 24 | }, 25 | "properties": { 26 | "id": { 27 | "type": "integer", 28 | "title": "Vulnerability unique id", 29 | "minimum": 1 30 | }, 31 | "title": { 32 | "type": "string", 33 | "title": "Vulnerability title", 34 | "minLength": 4, 35 | "maxLength": 255 36 | }, 37 | "description": { 38 | "title": "A long description of the vulnerability", 39 | "$ref": "#/definitions/multiString" 40 | }, 41 | "severity": { 42 | "type": "string", 43 | "title": "Vulnerability severity", 44 | "enum": [ 45 | "high", 46 | "medium", 47 | "low", 48 | "informational" 49 | ] 50 | }, 51 | "wasc": { 52 | "type": "array", 53 | "title": "WASC identifiers", 54 | "description": "http://projects.webappsec.org/w/page/13246974/Threat%20Classification%20Reference%20Grid", 55 | "uniqueItems": true, 56 | "minItems": 1, 57 | "items": { 58 | "type": "string", 59 | "minLength": 1 60 | } 61 | }, 62 | "tags": { 63 | "type": "array", 64 | "uniqueItems": true, 65 | "minItems": 1, 66 | "items": { 67 | "type": "string", 68 | "minLength": 2, 69 | "maxLength": 255 70 | } 71 | }, 72 | "cwe": { 
73 | "type": "array", 74 | "title": "CWE identifiers", 75 | "description": "https://cwe.mitre.org/data/index.html", 76 | "uniqueItems": true, 77 | "items": { 78 | "type": "string", 79 | "minLength": 1 80 | } 81 | }, 82 | "owasp_top_10": { 83 | "type": "object", 84 | "description": "position in the OWASP Top Ten, keyed by year", 85 | "patternProperties": { 86 | "^[12][0-9]{3}$": { 87 | "type": "array", 88 | "minItems": 1, 89 | "items": { 90 | "type": "integer", 91 | "minimum": 1 92 | } 93 | } 94 | }, 95 | "additionalProperties": false 96 | }, 97 | "fix": { 98 | "type": "object", 99 | "properties": { 100 | "guidance": { 101 | "$ref": "#/definitions/multiString", 102 | "title": "A long text explaining how to fix the vulnerability" 103 | }, 104 | "effort": { 105 | "type": "integer", 106 | "minimum": 0 107 | } 108 | }, 109 | "additionalProperties": false, 110 | "required": [ 111 | "guidance", 112 | "effort" 113 | ] 114 | }, 115 | "references": { 116 | "type": "array", 117 | "minItems": 1, 118 | "items": { 119 | "type": "object", 120 | "properties": { 121 | "url": { 122 | "type": "string", 123 | "format": "uri" 124 | }, 125 | "title": { 126 | "type": "string", 127 | "minLength": 4, 128 | "maxLength": 255 129 | } 130 | }, 131 | "additionalProperties": false, 132 | "required": [ 133 | "url", 134 | "title" 135 | ] 136 | } 137 | } 138 | }, 139 | "additionalProperties": false, 140 | "required": [ 141 | "id", 142 | "title", 143 | "description", 144 | "severity", 145 | "fix" 146 | ] 147 | } -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/tests/__init__.py: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/tests/requirements.txt: -------------------------------------------------------------------------------- 1 | vulndb>=0.0.8 2 | requests 3 | jsonschema 4 | pyopenssl 5 
| ndg-httpsclient 6 | pyasn1 7 | markdown -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/tests/test_all_json.py: --------------------------------------------------------------------------------
import unittest
import json
import os


class TestAllFilesAreJSON(unittest.TestCase):
    """
    Basic test to make sure that all the files inside the db directory end
    with the json extension and have valid json content
    """
    maxDiff = None

    def test_all_files_JSON(self):
        # Every entry of the 'db' directory (resolved against the working
        # directory the tests run from) must carry the .json extension.
        # Offenders are collected so a single assertion reports them all.
        not_json = []

        for _file in os.listdir('db'):
            if not _file.endswith('.json'):
                not_json.append(_file)

        self.assertEqual(not_json, [])

    def test_all_files_JSON_content(self):
        # Every entry of 'db' must parse as JSON. `file()` is the Python 2
        # builtin (removed in Python 3) and the handle is never closed; the
        # bare `except:` also reports an unreadable file as "not JSON".
        not_json = []

        for _file in os.listdir('db'):
            try:
                json.loads(file(os.path.join('db', _file)).read())
            except:
                not_json.append(_file)

        self.assertEqual(not_json, [])

-------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/tests/test_json_spec.py: --------------------------------------------------------------------------------
import requests
import json
import os

from vulndb import DBVuln
from tests.vulndb_test import VulnDBTest

# The only values an entry's "severity" field may take.
SEVERITIES = {'high', 'medium', 'low', 'informational'}


class TestAllFilesHaveValidSpec(VulnDBTest):
    """
    Consistency checks over every entry in the db directory. get_all_json()
    and to_string() come from VulnDBTest, whose setUp() points DBVuln at 'db'.
    """

    def url_is_404(self, session, url):
        # True when the URL answers HTTP 404. Any other failure (DNS, TLS,
        # connection refused, ...) is swallowed by the bare except and is
        # also reported as 404; only KeyboardInterrupt propagates so a run
        # can be aborted. session.get() is called without a timeout.
        try:
            response = session.get(url)
        except KeyboardInterrupt:
            raise
        except:
            return True
        else:
            return response.status_code == 404

    def test_severity(self):
        # Each entry's severity must be one of SEVERITIES.
        invalid = []

        for _file, db_data in self.get_all_json():
            if db_data['severity'] not in SEVERITIES:
                invalid.append((_file, db_data['severity']))

        self.assertEqual(invalid, [])

    def test_lengths(self):
        # Description and fix guidance (array form joined by to_string())
        # must each be longer than 30 characters. A file failing both checks
        # is listed twice.
        invalid = []

        for _file, db_data in self.get_all_json():
            description = self.to_string(db_data['description'])
            if len(description) <= 30:
                invalid.append(_file)

            guidance = self.to_string(db_data['fix']['guidance'])
            if len(guidance) <= 30:
                invalid.append(_file)

        self.assertEqual(invalid, [])

    def test_url_is_not_404(self):
        # Collects every external URL an entry points at (WASC, CWE, OWASP
        # Top 10 and explicit references) and fetches each one once.
        # Needs network access: offline, url_is_404() reports every URL.
        all_urls = set()
        invalid = []

        for vuln_id in DBVuln.get_all_db_ids():
            db_vuln = DBVuln.from_id(vuln_id)

            if db_vuln.wasc:
                for wasc_id in db_vuln.wasc:
                    all_urls.add(db_vuln.get_wasc_url(wasc_id))

            if db_vuln.cwe:
                for cwe_id in db_vuln.cwe:
                    all_urls.add(db_vuln.get_cwe_url(cwe_id))

            for _, _, link in db_vuln.get_owasp_top_10_references():
                all_urls.add(link)

            for reference in db_vuln.references:
                all_urls.add(reference.url)

        session = requests.Session()
        for url in all_urls:
            if self.url_is_404(session, url):
                invalid.append(url)

        self.assertEqual(invalid, [])

    def test_id_match(self):
        # The file holding an entry must be named '<id>-...' where <id> is
        # the entry's own "id" field. `file()` is Python 2 only and the
        # handle is not closed.
        invalid = []

        for vuln_id in DBVuln.get_all_db_ids():
            db_path_file = DBVuln.get_file_for_id(vuln_id)
            json_data = json.loads(file(db_path_file).read())
            json_id = json_data['id']

            db_file = os.path.split(db_path_file)[1]

            if not db_file.startswith('%s-' % json_id):
                invalid.append(db_file)

        self.assertEqual(invalid, [])

    def test_no_multiple_spaces(self):
        # Flags runs of consecutive spaces in the rendered guidance and
        # description. NOTE(review): the literal shown here is a single
        # space, which every entry contains; presumably the repository has a
        # double space that this rendering collapsed — confirm.
        invalid = []

        for vuln_id in DBVuln.get_all_db_ids():
            db_vuln = DBVuln.from_id(vuln_id)

            if ' ' in db_vuln.fix_guidance:
                invalid.append((db_vuln.db_file, 'fix_guidance'))

            if ' ' in db_vuln.description:
                invalid.append((db_vuln.db_file, 'description'))

        self.assertEqual(invalid, [])

-------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/tests/test_references.py: 
-------------------------------------------------------------------------------- 1 | import re 2 | 3 | from vulndb import DBVuln 4 | from tests.vulndb_test import VulnDBTest 5 | 6 | CVE_URL_PATTERN = '^http://cwe.mitre.org/data/definitions/[0-9]+\.html$' 7 | 8 | class TestReferences(VulnDBTest): 9 | """ 10 | We don't want redundant references. Test for the presence of a 11 | reference URL that contains a cve.mitre.org URL. If an invalid 12 | reference is detected, simply remove the reference and add the 13 | CWE-ID to the "cwe" section of the vulnerability. 14 | """ 15 | def test_no_redundant_cve_mitre_org_urls(self): 16 | invalid = [] 17 | 18 | for vuln_id in DBVuln.get_all_db_ids(): 19 | db_vuln = DBVuln.from_id(vuln_id) 20 | 21 | for reference in db_vuln.references: 22 | if re.match(CVE_URL_PATTERN, reference.url): 23 | invalid.append(reference.url) 24 | 25 | self.assertEqual(invalid, []) 26 | -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/tests/test_schema_compatability.py: -------------------------------------------------------------------------------- 1 | import json 2 | import jsonschema 3 | 4 | from tests.vulndb_test import VulnDBTest 5 | 6 | SCHEMA_FILENAME = "schema.json" 7 | 8 | 9 | class TestAllFilesSchemaCompatability(VulnDBTest): 10 | """ 11 | Basic test to make sure that all the files inside the db directory end 12 | with the json extension and have valid json content 13 | """ 14 | def test_all_files_JSON_content(self): 15 | try: 16 | schema = json.loads(file(SCHEMA_FILENAME).read()) 17 | except (ValueError, IOError) as e: 18 | self.fail(e) 19 | 20 | try: 21 | jsonschema.Draft4Validator.check_schema(schema) 22 | except jsonschema.SchemaError as e: 23 | self.fail(e) 24 | 25 | incompatible = [] 26 | for _file, db_data in self.get_all_json(): 27 | try: 28 | jsonschema.validate(db_data, schema) 29 | except jsonschema.ValidationError as e: 30 | incompatible.append((_file, e,)) 31 | 32 | 
self.assertEqual(incompatible, []) 33 | -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/tests/valid_markdown.py: -------------------------------------------------------------------------------- 1 | from markdown import markdown 2 | from tests.vulndb_test import VulnDBTest 3 | 4 | 5 | class TestValidMarkdown(VulnDBTest): 6 | def test_valid_markdown(self): 7 | invalid = [] 8 | 9 | for _file, db_data in self.get_all_json(): 10 | description = self.to_string(db_data['description']) 11 | try: 12 | markdown(description) 13 | except: 14 | invalid.append(_file) 15 | 16 | guidance = self.to_string(db_data['fix']['guidance']) 17 | try: 18 | markdown(guidance) 19 | except: 20 | invalid.append(_file) 21 | 22 | self.assertEqual(invalid, []) 23 | 24 | -------------------------------------------------------------------------------- /ExtraFindings/data/VulnDB/tests/vulndb_test.py: -------------------------------------------------------------------------------- 1 | import unittest 2 | import os 3 | import json 4 | 5 | from vulndb import DBVuln 6 | 7 | 8 | class VulnDBTest(unittest.TestCase): 9 | maxDiff = None 10 | 11 | def get_all_json(self): 12 | for _file in os.listdir('db'): 13 | yield _file, json.loads(file(os.path.join('db', _file)).read()) 14 | 15 | def to_string(self, data): 16 | if isinstance(data, basestring): 17 | return data 18 | else: 19 | return ' '.join(data) 20 | 21 | def setUp(self): 22 | DBVuln.DB_PATH = 'db' 23 | 24 | -------------------------------------------------------------------------------- /ExtraFindings/installed: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SerpicoProject/SerpicoPlugins/7cec9ef395066fd83fc34544546876fcc761ec8c/ExtraFindings/installed -------------------------------------------------------------------------------- /ExtraFindings/plugin.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "name": "ExtraFindings", 3 | "description": "A collection of findings from other projects.", 4 | "link":"/ExtraFindings/import", 5 | "enabled": false, 6 | "report_view": false, 7 | "admin_view": true 8 | } -------------------------------------------------------------------------------- /ExtraFindings/routes.rb: --------------------------------------------------------------------------------
require 'sinatra'
require 'json'
require './model/master'

# TODO doesn't enforce roles properly
# NOTE(review): neither route below calls an authorization helper itself:
# the GET only checks for the 'installed' marker file and the POST writes
# TemplateFindings rows for any caller that reaches it. Confirm whether a
# global before-filter gates /ExtraFindings; if not, add the same
# is_administrator? check the other plugins use.

# Renders the import page listing the hand-written set of importable
# sources (currently only VulnDB), or a setup hint when the plugin's
# 'installed' marker is absent.
get '/ExtraFindings/import' do
  if !File.file?("#{Dir.pwd()}/plugins/ExtraFindings/installed")
    return "Please run setup.sh for the ExtraFindings plugin."
  end

  # for now hand write the findings to import
  @sets = []

  # VulnDB: https://github.com/vulndb/data
  a = {}
  a["name"] = "VulnDB"
  a["link"] = "https://github.com/vulndb/data"
  a["license"] = "BSD 3-Clause"
  a["license_link"] = "https://github.com/vulndb/data/blob/master/LICENSE.md"
  @sets.push(a)

  haml :"../plugins/ExtraFindings/views/import"
end

# Runs the import when the checkbox named after the source ("VulnDB", see
# import.haml) is present in the form. There is no "already imported"
# guard: re-submitting creates every TemplateFindings row again and pushes
# a duplicate "VulnDB" onto options.finding_types.
post '/ExtraFindings/import' do
  if params["VulnDB"]
    import_vulndb
    options.finding_types.push("VulnDB")
  end
  @success = "Imported findings"
  haml :"../plugins/ExtraFindings/views/import"
end

# Simple helper method rather than hand cleaning every string
# Removes paragraph breaks and turns backticks into single quotes. Note
# that "\n\n" is deleted rather than replaced by a space, so text that
# straddles a paragraph break in the JSON (e.g. "file type.\n\nMIME ...")
# ends up joined with no separator.
def c(value)
  c_value = value.gsub("\n\n","")
  c_value = c_value.gsub("`","'")
  return c_value
end


# Reads every entry under plugins/ExtraFindings/data/VulnDB/db/ and stores
# each one as an approved TemplateFindings row of type "VulnDB".
def import_vulndb()
  # Iterate the VulnDB database
  vulndb_dir = "#{Dir.pwd()}/plugins/ExtraFindings/data/VulnDB/db/"
  # Dir.entries returns every entry in the directory, not only *.json;
  # JSON.parse below raises on anything that is not JSON.
  Dir.entries(vulndb_dir).each do |json_file|
    next if json_file == "." or json_file == ".."

    # Read in the JSON file and store as json obj
    file = File.read(vulndb_dir+json_file)
    json_data = JSON.parse(file)

    #### Change this portion if the VulnDB Schema changes
    finding = {}
    # Progress line on stdout, one per entry.
    puts "|+| Importing #{json_data["title"]}"
    finding["title"] = c(json_data["title"])

    # "description" is always treated as an array here, although the VulnDB
    # schema's multiString also permits a plain string (which would raise
    # NoMethodError on .join); the guidance branch below handles both forms.
    finding["overview"] = ""
    finding["overview"] += c(json_data["description"].join(" "))
    finding["overview"] += ""

    if json_data["fix"]["guidance"].kind_of?(Array)
      finding["remediation"] = ""
      finding["remediation"] += c(json_data["fix"]["guidance"].join(" "))
      finding["remediation"] += ""
    else
      finding["remediation"] = c(json_data["fix"]["guidance"])
    end

    # Reference URLs are appended one after another. NOTE(review): the empty
    # strings on either side of each value are presumably markup that this
    # rendering dropped — confirm against the repository.
    finding["references"] = "VulnDB: https://github.com/vulndb/data"
    if json_data["references"] != nil
      json_data["references"].each do |ref|
        finding["references"] += ""+c(ref["url"])+""
      end
    end

    finding["type"] = "VulnDB"
    finding["approved"] = true

    # VulnDB severity -> Serpico risk 1..4; an unrecognised severity leaves
    # finding["risk"] unset.
    finding["risk"] = 1 if json_data["severity"] == "informational"
    finding["risk"] = 2 if json_data["severity"] == "low"
    finding["risk"] = 3 if json_data["severity"] == "medium"
    finding["risk"] = 4 if json_data["severity"] == "high"

    # TODO: add a true DREAD score calculator
    # Placeholder DREAD components (all 1, total 5) for every import.
    finding["damage"] = 1
    finding["reproducability"] = 1
    finding["exploitability"] = 1
    finding["affected_users"] = 1
    finding["discoverability"] = 1
    finding["dread_total"] = 5
    ####

    # write the database
    # TemplateFindings.create already persists the row; the explicit save
    # is redundant but harmless.
    finding_db = TemplateFindings.create(finding)
    finding_db.save
  end
end
-------------------------------------------------------------------------------- /ExtraFindings/views/import.haml: -------------------------------------------------------------------------------- 1 | .span10 2 | - if @success 3 | Imported findings, view findings 4 | %a{ :href => "/master/findings"} here 5 | - else 6 | %form{:method => 
'post', :action => '/ExtraFindings/import'} 7 | .table 8 | %table{:style => 'width: 60%'} 9 | %tbody 10 | %tr 11 | %td 12 | Source 13 | %td 14 | License 15 | %td 16 | Include 17 | %td 18 | Label 19 | 20 | - @sets.each do |item| 21 | %tr 22 | %td 23 | %a{ :href => "#{item["link"]}"} #{item["name"]} 24 | %td 25 | %a{ :href => "#{item["license_link"]}"} #{item["license"]} 26 | %td 27 | %input{:type => 'checkbox', :name => "#{item['name']}"} 28 | %input{:type => 'submit', :value => 'Import Checked Items' } 29 | %a{ :href => "/ExtraFindings/import"} 30 | %input{ :type => "button", :value => 'Cancel'} 31 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # SerpicoPlugins 2 | This repository includes plugins for Serpico. The [wiki](https://github.com/SerpicoProject/SerpicoPlugins/wiki/Main-Page) has more information on how to build plug-ins. 3 | 4 | 5 | Plug-ins are ideally suited to: 6 | - Add functionality that involves third-party components 7 | - Prototyping functionality 8 | 9 | # Installation 10 | 11 | ## Install the Plugin 12 | 13 | ### Preferred Installation 14 | Ideally plug-ins should be individually installed following the instructions [here](https://github.com/SerpicoProject/Serpico/wiki/Plug-ins#pre-built-version) 15 | 16 | ### Developers 17 | From the Serpico project root directory: 18 | ``` 19 | git clone https://github.com/SerpicoProject/SerpicoPlugins.git plugins 20 | ``` 21 | 22 | ## Enable the plugin 23 | Plugins can be enabled from the Administrative Plug-in Menu: https://IP:8443/admin/admin_plugins -------------------------------------------------------------------------------- /TestPlugin/helpers/testplugin_listener.rb: -------------------------------------------------------------------------------- 1 | require './helpers/plugin_listener' 2 | 3 | class TestPluginListener < PluginListener 4 | def 
notify_report_generated(report_object) 5 | # This should never happend since the notify method is called from safe locations, but we never know 6 | if !report_object 7 | return 8 | end 9 | 10 | plugin_xml = "" 11 | # Generate some extra XML to be added in the report if necessary 12 | # if not, you can safely delete this method 13 | plugin_xml << "" 14 | return plugin_xml 15 | end 16 | 17 | def notify_report_deleted(report_object) 18 | # This should never happend since the notify method is called from safe locations, but we never know 19 | if !report_object 20 | return 21 | end 22 | 23 | # Cleanup the local database if necessary 24 | # if not, you can safely delete this method 25 | return 26 | end 27 | end 28 | -------------------------------------------------------------------------------- /TestPlugin/plugin.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "TestPlugin", 3 | "description": "Test Plugin is a test.", 4 | "link":"/TestPlugin/hello", 5 | "enabled": false, 6 | "report_view": true, 7 | "admin_view": true 8 | } 9 | -------------------------------------------------------------------------------- /TestPlugin/routes.rb: -------------------------------------------------------------------------------- 1 | require 'sinatra' 2 | require './plugins/TestPlugin/helpers/testplugin_listener' 3 | 4 | PluginNotifier.instance.attach_plugin(TestPluginListener.new) 5 | 6 | # List current reports 7 | get '/TestPlugin/hello' do 8 | haml :'../plugins/TestPlugin/views/test_plugin' 9 | end 10 | -------------------------------------------------------------------------------- /TestPlugin/views/test_plugin.haml: -------------------------------------------------------------------------------- 1 | hello world 2 | -------------------------------------------------------------------------------- /UDV_Worksheet/README.md: -------------------------------------------------------------------------------- 1 | # Overview 2 | 3 | This 
plugin allows an administrator to add questions that can be filled out by a user. The answers to the question are assigned as a User Defined Variables. 4 | 5 | ## As an Administrator 6 | 7 | Go to Administrator Specific Plugins (https://IP:8443/admin/admin_plugins) > UDV_Worksheet 8 | 9 | Add the questions that the user should fill out. 10 | 11 | ## As a User 12 | 13 | 1. Create a report 14 | 2. Edit Report > Enabled Plugins > UDV_Worksheet 15 | 3. Answer the Questions, Save 16 | 17 | 18 | 19 | 20 | 21 | -------------------------------------------------------------------------------- /UDV_Worksheet/master_udv.rb: --------------------------------------------------------------------------------
require 'data_mapper'
require 'dm-migrations'

# /plugins/UDV_Worksheet/udv.db

# Initialize the Master DB
# This is the plugin's own SQLite database, registered as the :udv
# DataMapper repository (distinct from Serpico's default repository) and
# stored under the plugin directory.
DataMapper.setup(:udv, "sqlite://#{Dir.pwd}/plugins/UDV_Worksheet/udv.db")

# One worksheet question. Rows with report_id 0 are the administrator's
# master questions; rows with a real report_id are a report's own copy
# (see routes.rb). String properties are capped at 200 characters, so a
# longer answer fails validation and save() returns false.
class Questions
  include DataMapper::Resource

  property :id, Serial
  property :udv_name, String, :required => true, :length => 200
  property :question, String, :required => true, :length => 200
  property :question_answer, String, :required => false, :length => 200
  property :report_id, Integer, :required => false

end

# NOTE(review): DataMapper's auto_migrate! drops and re-creates the tables,
# so every load of this file (i.e. every application start) discards all
# stored questions and answers; auto_upgrade! is the non-destructive
# alternative. Confirm this is intended.
DataMapper.repository(:udv).auto_migrate!
-------------------------------------------------------------------------------- /UDV_Worksheet/plugin.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "UDV_Worksheet", 3 | "description": "Worksheet for users. 
| The answers become user defined variables.", 4 | "link":"/UDV_Worksheet/sheet", 5 | "enabled": false, 6 | "report_view": true, 7 | "admin_view": true 8 | } 9 | -------------------------------------------------------------------------------- /UDV_Worksheet/routes.rb: --------------------------------------------------------------------------------
require 'sinatra'
require './plugins/UDV_Worksheet/master_udv'

# Renders the worksheet in one of two modes:
#   * admin view (the master question list, report_id 0) when the request
#     came from an admin page or carries admin_view=true; gated by
#     is_administrator?
#   * per-report view otherwise, creating the report's own copy of the
#     master questions on first visit.
get '/UDV_Worksheet/sheet' do
  redirect to("/") unless valid_session?

  # The Referer header is client-supplied, so it only selects the branch;
  # the is_administrator? check below is what actually protects admin mode.
  if request.referrer =~ /admin/ or params[:admin_view] == "true"
    redirect to("/no_access") if not is_administrator?
    @admin = true
    @report_id = 0

    # NOTE(review): deletion is triggered by a GET query parameter (the view
    # links to ?admin_view=true&delete=<id>), i.e. a state change on a GET
    # with no CSRF token. Questions.get is also not restricted to
    # report_id 0, so any question row can be removed by id.
    if params[:delete]
      # delete the id
      DataMapper.repository(:udv) {
        q = Questions.get(params[:delete])
        if q
          q.destroy
        end
        @questions = Questions.all(:report_id => 0)
      }
    end

    DataMapper.repository(:udv) {
      @questions = Questions.all(:report_id => 0)
    }
  else
    # The report id is parsed out of the Referer path when the page was
    # reached from the report plugin list, otherwise taken from the query
    # string. Either way it is client-supplied, so access control relies on
    # get_report() (not defined in this file) scoping the lookup to the
    # current user — confirm.
    if request.referrer =~ /report_pl/
      # grab the questions for report id
      id = request.referrer.split("report_plugins").first.split("/")[-1]
    else
      id = params[:report_id]
    end

    # Query for the first report matching the id
    @report = get_report(id)

    if @report == nil
      return "No Such Report"
    end
    @report_id = id

    DataMapper.repository(:udv) {
      @questions = Questions.all(:report_id => id)
    }

    # if dne create a set for that report id
    if @questions.size == 0
      # replicate all master questions
      # Each master row (report_id 0) is copied, default answer included,
      # under this report's id.
      DataMapper.repository(:udv) {
        @questions = Questions.all(:report_id => 0)

        @questions.each do |master_q|
          q = Questions.new
          q.udv_name = master_q.udv_name
          q.question = master_q.question
          q.question_answer = master_q.question_answer
          q.report_id = id
          q.save()
        end

        @questions = Questions.all(:report_id => id)
      }
    end
  end

  haml :"../plugins/UDV_Worksheet/views/sheet"
end

# Handles the worksheet forms. Admin view: adds one master question. Report
# view: stores the posted answers and copies them into the report's
# user_defined_variables JSON.
post '/UDV_Worksheet/sheet' do
  redirect to("/") unless valid_session?
  # url_escape_hash (not defined in this file) escapes every posted value
  # before it is stored.
  data = url_escape_hash(request.POST)

  if params["admin_view"] == "true"
    redirect to("/no_access") if not is_administrator?
    @report_id = 0

    # todo doesn't handle updates to other questions
    # Every POST from the admin view creates one new master row from
    # udv_name/question/question_answer; edits made in the "Existing
    # Questions" form of sheet.haml post the same field names here and are
    # therefore stored as an additional question, not as an update.
    DataMapper.repository(:udv) {
      q = Questions.new
      q.udv_name = data["udv_name"]
      q.question = data["question"]
      q.question_answer = data["question_answer"]
      q.report_id = 0
      q.save()

      @admin = true
      @questions = Questions.all(:report_id => 0)
    }
  else
    # grab the questions for report id
    # The id comes from the form's hidden report_id field; as in the GET
    # route, get_report() is relied on for the access check.
    id = data["report_id"]

    # Query for the first report matching the id
    @report = get_report(id)

    if @report == nil
      return "No Such Report"
    end
    @report_id = id

    # For each posted question_answer_<id> field, update that question's
    # answer. The lookup is scoped by report_id as well as id, so a row of
    # another report cannot be reached; a missing row makes Questions.first
    # return nil and the following assignment raises NoMethodError.
    data.each do |key,value|
      if key =~ /question_answer/
        q_id = key.split("_").last
      end
      if q_id
        DataMapper.repository(:udv){
          q = Questions.first(:report_id => id, :id => q_id)
          q.question_answer = value
          q.save()
        }
      end
    end

    DataMapper.repository(:udv){
      @questions = Questions.all(:report_id => id)
    }

    # save to UDVs
    # JSON is not required by this file; presumably loaded by the host
    # application — confirm.
    if @report.user_defined_variables
      @user_variables = JSON.parse(@report.user_defined_variables)
    else
      @user_variables = {}
    end

    # Each answer is stored under its udv_name; an existing variable with
    # the same name is overwritten.
    @questions.each do |question|
      @user_variables[question.udv_name] = question.question_answer
    end
    @report.user_defined_variables = @user_variables.to_json
    @report.save
  end

  # redirect back to sheet display
  haml :"../plugins/UDV_Worksheet/views/sheet"
end
-------------------------------------------------------------------------------- /UDV_Worksheet/udv.db: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/SerpicoProject/SerpicoPlugins/7cec9ef395066fd83fc34544546876fcc761ec8c/UDV_Worksheet/udv.db -------------------------------------------------------------------------------- /UDV_Worksheet/views/sheet.haml: -------------------------------------------------------------------------------- 1 | .span10 2 | - if @admin 3 | %h3 4 | Existing Questions 5 | %form{:method => 'post', :action => '/UDV_Worksheet/sheet?admin_view=true'} 6 | .table.table-striped 7 | %table{:style => 'width: 40%'} 8 | %tbody 9 | %tr 10 | %td 11 | UDV NAME 12 | %td 13 | Question 14 | %td 15 | Default Answer 16 | %td 17 | Delete? 18 | - if @questions 19 | - if @questions.size > 0 20 | - @questions.each do |item| 21 | %tr 22 | %td 23 | %input{:type => 'text', :name => "udv_name", :value => "#{item["udv_name"]}"} 24 | %td 25 | %textarea{:rows => '3', :class => 'input-xlarge', :name => "question"} 26 | - if item['question'] 27 | #{meta_markup(item['question'])} 28 | %td 29 | %textarea{:rows => '3', :class => 'input-xlarge', :name => "question_answer"} 30 | - if item['question_answer'] 31 | #{meta_markup(item['question_answer'])} 32 | %td 33 | %a{ :class => "btn btn-danger btn-sm", :href => "/UDV_Worksheet/sheet?admin_view=true&delete=#{item["id"]}"} X 34 | %form{:method => 'post', :action => '/UDV_Worksheet/sheet?admin_view=true'} 35 | %br 36 | %br 37 | %h3 38 | Add a new question 39 | .table 40 | %table{:style => 'width: 60%'} 41 | %tbody 42 | %tr 43 | %td 44 | User Defined Variable Name 45 | %td 46 | %input{:type => 'text', :name => "udv_name", :required => true, :value => ""} 47 | %tr 48 | %td 49 | Question to Ask 50 | %td 51 | %textarea{:rows => '3', :class => 'input-xxlarge', :required => true, :name => "question", :value => ""} 52 | %tr 53 | %td 54 | Default Value 55 | %td 56 | %textarea{:rows => '3', :class => 'input-xxlarge', :name => "question_answer", :value => ""} 57 | 58 | %input{:type => 'submit', :value => 'Save' } 59 | %a{ :href => "/UDV_Worksheet/sheet"} 
60 | %input{ :type => "button", :value => 'Cancel'} 61 | - else 62 | %h3 63 | Questions To Complete 64 | %form{:method => 'post', :action => "/UDV_Worksheet/sheet?report_id=#{@report_id}"} 65 | .table.table-striped 66 | %table{:style => 'width: 40%'} 67 | %tbody 68 | %tr 69 | %td 70 | Question 71 | %td 72 | Answer 73 | - if @questions 74 | - if @questions.size > 0 75 | - @questions.each do |item| 76 | %tr 77 | %td 78 | - if item['question'] 79 | #{meta_markup(item['question'])} 80 | %td 81 | %textarea{:rows => '3', :class => 'input-xlarge', :name => "question_answer_#{item['id']}"} 82 | - if item['question_answer'] 83 | #{meta_markup(item['question_answer'])} 84 | %input{:type => "hidden", :name => "report_id", :value => "#{@report_id}"} 85 | %input{:type => 'submit', :value => 'Save' } 86 | %a{ :href => "/UDV_Worksheet/sheet"} 87 | %input{ :type => "button", :value => 'Cancel'} 88 | 89 | 90 | :javascript 91 | function confirmDelete(evt) { 92 | if (!confirm('Are you sure you want to permanently delete the select element ?')) { 93 | evt.preventDefault(); 94 | } 95 | } 96 | 97 | var deleteElements = $('a.btn-danger'); 98 | for (var index = 0, length = deleteElements.length; index < length; index++) { 99 | deleteElements[index].addEventListener('click', confirmDelete, false); 100 | } --------------------------------------------------------------------------------