def _load_checks(configs):
    """
    Loads and instantiates the checks enabled in the configs.

    Active and passive checks are constructed without arguments; blind
    checks receive the listener config stored under their module name.

    :param configs: AVA configs
    :return: list of instantiated checks
    """
    loaded = []

    active_names = configs['actives']
    if active_names:
        logger.debug("Loading active checks.")
        for clazz in utility.get_package_classes('actives', active_names):
            loaded.append(clazz())

    listeners = configs['blinds']
    if listeners:
        logger.debug("Loading blind checks.")
        for clazz in utility.get_package_classes('blinds', list(listeners)):
            # listener configs are keyed by the leaf name of the check's module
            module_name = clazz.__module__.rsplit('.', 1)[-1]
            loaded.append(clazz(listeners[module_name]))

    passive_names = configs['passives']
    if passive_names:
        logger.debug("Loading passive checks.")
        for clazz in utility.get_package_classes('passives', passive_names):
            loaded.append(clazz())

    return loaded
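def _check_keys(values):
    """
    Checks the keys are defined in check classes.

    InvalidValueException is raised, if a key is not defined.

    :param values: dictionary of payloads with keys
    :return: dictionary of payloads with keys
    :raises InvalidValueException: if a key matches no active or blind check
    """
    # collect the keys of every active and blind check once; a set keeps the
    # membership test below O(1) per payload key instead of a list scan
    known_keys = set()
    for package in ('actives', 'blinds'):
        known_keys.update(
            clazz.key for clazz in utility.get_package_classes(package)
        )

    # verify each key exists
    for key in values:
        if key not in known_keys:
            raise InvalidValueException("Check key '{}' not found".format(key))

    return values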
def test_get_package_classes(mocker):
    """
    Package classes are found both from explicit include names and, when
    no includes are given, from the (patched) package directory listing.
    """
    expected_actives = {OpenRedirectCheck, OpenRedirectHtmlCheck, OpenRedirectScriptCheck}
    expected_auditors = {QueryParameterAuditor, PostParameterAuditor}

    # explicit includes
    assert utility.get_package_classes("actives", ["open_redirect"]) == expected_actives
    assert utility.get_package_classes("auditors", ["parameter"]) == expected_auditors

    # no includes: os.listdir is patched so only open_redirect.py is visible
    mocker.patch("os.listdir", return_value=["__init__.py", "open_redirect.py"])
    assert utility.get_package_classes("actives", []) == expected_actives

    # no includes: os.listdir is patched so only parameter.py is visible
    mocker.patch("os.listdir", return_value=["__init__.py", "parameter.py"])
    assert utility.get_package_classes("auditors", []) == expected_auditors
def test_get_package_classes(mocker):
    """
    Package classes are found from include names, from check keys, from a
    mix of both, and, when no includes are given, from the (patched)
    package directory listing.
    """
    expected_actives = {OpenRedirectCheck, OpenRedirectHtmlCheck, OpenRedirectScriptCheck}
    expected_auditors = {QueryParameterAuditor, PostParameterAuditor}

    # explicit includes
    assert utility.get_package_classes("actives", ["open_redirect"]) == expected_actives
    assert utility.get_package_classes("auditors", ["parameter"]) == expected_auditors

    # a single check selected by its key
    assert utility.get_package_classes("actives", ["redirect.value.script"]) == {OpenRedirectScriptCheck}

    # module name and check key mixed in one include list
    mixed = utility.get_package_classes("actives", ["open_redirect", "code.timing.python"])
    assert mixed == expected_actives | {PythonCodeInjectionTimingCheck}

    # no includes: os.listdir is patched so only open_redirect.py is visible
    mocker.patch("os.listdir", return_value=["__init__.py", "open_redirect.py"])
    assert utility.get_package_classes("actives", []) == expected_actives

    # no includes: os.listdir is patched so only parameter.py is visible
    mocker.patch("os.listdir", return_value=["__init__.py", "parameter.py"])
    assert utility.get_package_classes("auditors", []) == expected_auditors
def _print_examples():
    """
    Prints an example payload for every active and blind check, sorted by
    check key. Differential checks are skipped.
    """
    packages = ['actives', 'blinds']
    last_package = packages[-1]

    # the braces are deliberately left unformatted: the line tells the user
    # what the '{}' placeholder inside the example payloads stands for
    print("'{}' will be replaced with random string, url or script\n")

    for package in packages:
        print(package + ':')
        classes = utility.get_package_classes(package)
        for clazz in sorted(classes, key=lambda cls: cls.key):
            if issubclass(clazz, _DifferentialCheck):
                continue
            print(" {:26s} {}".format(clazz.key, clazz.example))
        # blank separator line between packages, none after the last one
        if package != last_package:
            print('')
def _run_scanner(configs):
    """
    Loads vectors, checks, and auditors, runs the audits, and logs how many
    issues were found. A JSON report and/or a table summary are emitted
    when the configs ask for them.

    :param configs: AVA configs
    :raises MissingComponentException: if no vectors remain after parsing
        (and optional reduction)
    """
    logger.info("Loading vectors.")
    vectors = HarReader(configs['hars']).parse(configs)

    if configs['reduce']:
        logger.debug("Reducing vectors.")
        vectors = _reduce_vectors(vectors)

    if not vectors:
        raise MissingComponentException("Vector list is empty")

    logger.info("Loading scanner.")
    checks = _load_checks(configs)
    if not checks:
        # nothing enabled in the configs: fall back to every active check
        logger.debug("No checks loaded. Loading all active checks.")
        checks += [clazz() for clazz in utility.get_package_classes('actives')]

    logger.debug("Loading auditors.")
    auditor_classes = utility.get_package_classes('auditors', configs['auditors'])
    auditors = [auditor(configs, checks, vectors) for auditor in auditor_classes]

    start_time = datetime.now(timezone.utc)

    logger.debug("Running auditors and checks.")
    results = []
    for auditor in auditors:
        results.extend(auditor.run())

    end_time = datetime.now(timezone.utc)

    # drop the fractional seconds from the elapsed time before logging it
    elapsed = str(end_time - start_time).partition('.')[0]
    noun = 'issue' if len(results) == 1 else 'issues'
    logger.info("Found %d %s in %s.", len(results), noun, elapsed)

    if configs['report']:
        logger.info("Saving report.")
        json_reporter = JsonReporter(results, configs, auditors, checks, vectors)
        json_reporter.report(configs['report'], start_time, end_time)

    if configs['summary']:
        print('')
        TableReporter(results, auditors, checks).report()