Example #1
    def saveAsXml(self):
        """Serialise this participant into a ``<participant>`` element.

        The element carries ``filename`` and ``number`` attributes and five
        children, in this order: ``fixations``, ``rawFixations``, ``boxes``,
        ``gridSize`` and ``times``.  Nested objects are serialised through
        their own ``saveAsXml()`` methods.

        Returns:
            The populated root element; nothing is written to disk here.
        """
        root = ET.Element("participant")
        root.set("filename", self.fileName)
        root.set("number", str(self.number))

        # Processed and raw fixations share the same serialisation path.
        fixations_node = ET.SubElement(root, "fixations")
        for fixation in self.fixationList:
            fixations_node.append(fixation.saveAsXml())

        raw_node = ET.SubElement(root, "rawFixations")
        for fixation in self.rawFixationList:
            raw_node.append(fixation.saveAsXml())

        # Each grid cell is tagged with its (x, y) index so that a reader can
        # rebuild the two-dimensional layout from the flat child list.
        boxes_node = ET.SubElement(root, "boxes")
        if self.boxes:
            for col in range(self.gridX):
                for row in range(self.gridY):
                    cell = self.boxes[col][row].saveAsXml()
                    cell.set('x', str(col))
                    cell.set('y', str(row))
                    boxes_node.append(cell)

        # A falsy dimension (None or 0) is left out instead of being written.
        size_node = ET.SubElement(root, "gridSize")
        for tag, dimension in (("width", self.gridX), ("height", self.gridY)):
            if dimension:
                ET.SubElement(size_node, tag).text = str(dimension)

        times_node = ET.SubElement(root, "times")
        for tag, stamp in (("start", self.startTime), ("finish", self.endTime)):
            ET.SubElement(times_node, tag).text = str(stamp)

        # The off-screen box goes last under <boxes>; it is told apart from
        # the grid cells by its 'offscreen' attribute.
        if self.offScreen:
            off_node = self.offScreen.saveAsXml()
            off_node.set('offscreen', str(True))
            boxes_node.append(off_node)

        # paths...

        return root
Example #2
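def customer_xml():
    """
    Generates an XML file suitable for Customer usage

    Walks every host matched by ``session.hostfilter`` and builds a
    ``KvasirResults`` document holding a ``summary``, the per-host entries
    under ``hosts`` (OS guess, SNMP, NetBIOS, services and, per service,
    configuration, vulnerabilities and accounts) and the shared
    ``os_records`` and ``vulns`` sections, which list each OS / vulnerability
    id once.  Returns the pretty-printed document as a unicode string.

    Security note: the document contains, in clear text, whatever credential
    material is stored for a service (``password``, ``hash1``/``hash2``) and
    the SNMP community strings.  Treat the return value as sensitive data:
    restrict who may request it and protect it in transit and at rest.
    NOTE(review): no access-control check is visible in this listing; confirm
    the caller enforces one.
    """

    from lxml import etree

    # NOTE(review): the XML Schema instance attribute is spelled
    # "noNamespaceSchemaLocation" (lower-case "s"); with the spelling below a
    # schema-aware parser will not treat it as the schema hint.  Left as-is
    # because changing it alters the emitted document -- confirm and correct.
    location_attribute = '{%s}noNameSpaceSchemaLocation' % "http://www.w3.org/2001/XMLSchema-instance"
    kvasir_results_xml = etree.Element('KvasirResults',
                                       attrib={
                                           location_attribute: 'kvasir.xsd',
                                       })

    summary_xml = etree.SubElement(kvasir_results_xml, 'summary')
    customer = etree.SubElement(summary_xml, 'customer')
    customer.text = settings.customer or 'CUSTOMER NAME'
    assessment = etree.SubElement(summary_xml, 'assessment')
    assessment.set('type', settings.assessment_type)
    start_date = etree.SubElement(assessment, 'start-date')
    start_date.text = settings.start_date or 'START DATE'
    end_date = etree.SubElement(assessment, 'end-date')
    end_date.text = settings.end_date or 'END DATE'

    hosts_xml = etree.SubElement(kvasir_results_xml, 'hosts')
    os_xml = etree.SubElement(kvasir_results_xml, 'os_records')
    vulns_xml = etree.SubElement(kvasir_results_xml, 'vulns')

    # this is a little hack to ensure a record is either blank or None
    # use it as "if variable not in notin:"
    notin = [None, '']

    # Ids already written to <os_records> / <vulns>.  Tracking them in sets
    # replaces the former XPath lookups that interpolated database values
    # into the expression (a quote character in an id broke the expression)
    # and keeps the duplicate check O(1).
    seen_os_ids = set()
    seen_vuln_ids = set()

    # (tag, stored-as-bytes) for every optional <account> child; the database
    # field is 'f_' + tag.  Byte fields are decoded as UTF-8 before use.
    account_fields = (
        ('username', True),
        ('fullname', True),
        ('password', True),
        ('hash1', False),
        ('hash1_type', False),
        ('hash2', False),
        ('hash2_type', False),
        ('uid', False),
        ('gid', False),
        ('level', False),
        ('domain', True),
        ('description', True),
    )
    os_fields = ('vendor', 'product', 'version', 'update', 'edition',
                 'language')

    # go through each host, adding the os, services and vulns accordingly
    query = create_hostfilter_query(session.hostfilter)
    for host_rec in db(query).select():
        host_xml = etree.SubElement(hosts_xml, 'host')
        host_xml.set('ipaddr', host_rec.f_ipaddr)
        host_xml.set('assetgroup', host_rec.f_asset_group)
        if host_rec.f_macaddr:
            host_xml.set('macaddr', host_rec.f_macaddr)
        if host_rec.f_hostname:
            host_xml.set('hostname', host_rec.f_hostname.decode('utf-8'))
        if host_rec.f_netbios_name:
            host_xml.set('netbios', host_rec.f_netbios_name.decode('utf-8'))

        # build the os information using the highest certainty record
        highest = (0, None)
        for os_rec in db(db.t_host_os_refs.f_hosts_id == host_rec.id).select():
            if os_rec.f_certainty > highest[0]:
                highest = (os_rec.f_certainty, os_rec)

        if highest[0] > 0:
            # add os element to the host
            record = highest[1]
            os_elem = etree.SubElement(host_xml, 'os')
            os_elem.set('certainty', str(highest[0]))
            if record.f_class not in notin:
                os_elem.set('class', record.f_class)
            if record.f_family not in notin:
                os_elem.set('family', record.f_family)

            # since some os records may not have a cpe id we'll mask them with
            # using their title, replacing spaces with underscores
            t_os_rec = db.t_os[record.f_os_id]
            if t_os_rec.f_cpename in notin:
                cpeid = t_os_rec.f_title.replace(' ', '_')
            else:
                cpeid = t_os_rec.f_cpename

            os_elem.set('id', cpeid)

            # if the id isn't in os_records, add it
            if cpeid not in seen_os_ids:
                seen_os_ids.add(cpeid)
                os_info_xml = etree.SubElement(os_xml, 'os')
                os_info_xml.set('id', cpeid)
                os_info_xml.set('title', t_os_rec.f_title)

                for field in os_fields:
                    value = getattr(t_os_rec, 'f_' + field)
                    if value not in notin:
                        etree.SubElement(os_info_xml, field).text = value

        # snmp strings
        # NOTE(review): <snmps> (and <netbios> below) are attached to the
        # shared <hosts> container, not to this host's element, so the output
        # does not tie them to a host -- confirm against kvasir.xsd.
        snmp_recs = db(db.t_snmp.f_hosts_id == host_rec.id).select()
        if len(snmp_recs) > 0:
            snmp_top_xml = etree.SubElement(hosts_xml, 'snmps')
            for record in snmp_recs:
                snmp_xml = etree.SubElement(snmp_top_xml, 'snmp')
                if record.f_community not in notin:
                    snmp_xml.set('community',
                                 record.f_community.decode('utf-8'))
                    snmp_xml.set('version', record.f_version)
                    snmp_xml.set('access', record.f_access)

        # netbios information
        netb_record = db(
            db.t_netbios.f_hosts_id == host_rec.id).select().first() or None
        if netb_record:
            netbios_xml = etree.SubElement(hosts_xml, 'netbios')
            if netb_record.f_type not in notin:
                netbios_xml.set('type', netb_record.f_type)
            if netb_record.f_domain not in notin:
                netbios_xml.set('domain', netb_record.f_domain.decode('utf-8'))
            if netb_record.f_lockout_limit not in notin:
                netbios_xml.set('lockout_limit',
                                str(netb_record.f_lockout_limit))
            if netb_record.f_lockout_duration not in notin:
                netbios_xml.set('lockout_duration',
                                str(netb_record.f_lockout_duration))

            if netb_record.f_advertised_names is not None:
                adv_names_xml = etree.SubElement(netbios_xml,
                                                 'advertised_names')
                for name in netb_record.f_advertised_names:
                    name_xml = etree.SubElement(adv_names_xml, 'name')
                    # Fix: the text belongs on the new element; the old code
                    # assigned ``.text`` on the name string itself, which
                    # raises AttributeError.
                    name_xml.text = name.decode('utf-8')

        # build the services and vulnerabilities
        services_xml = etree.SubElement(host_xml, 'services')
        for svc_rec in db(db.t_services.f_hosts_id == host_rec.id).select():
            service_xml = etree.SubElement(services_xml, 'service')
            service_xml.set('proto', svc_rec.f_proto)
            service_xml.set('number', svc_rec.f_number)

            if svc_rec.f_name not in notin:
                name = etree.SubElement(service_xml, 'name')
                name.text = svc_rec.f_name.decode('utf-8')

            if svc_rec.f_banner not in notin:
                banner = etree.SubElement(service_xml, 'banner')
                banner.text = svc_rec.f_banner.decode('utf-8')

            # service configuration records
            svc_info_recs = db(
                db.t_service_info.f_services_id == svc_rec.id).select()
            if len(svc_info_recs) > 0:
                config_xml = etree.SubElement(service_xml, 'configuration')
                for info_rec in svc_info_recs:
                    rec_xml = etree.SubElement(config_xml, 'config')
                    if info_rec.f_name not in notin:
                        rec_xml.set('name', info_rec.f_name)
                        if info_rec.f_text not in notin:
                            rec_xml.text = info_rec.f_text.decode('utf-8')

            # vulnerabilities
            # NOTE(review): proof/description/solution are MARKMIN-rendered
            # markup wrapped in CDATA.  lxml is believed to reject a CDATA
            # payload containing "]]>", which would abort the export --
            # confirm.  Consumers should treat this markup as untrusted.
            svc_vuln_recs = db(
                db.t_service_vulns.f_services_id == svc_rec.id).select()
            if len(svc_vuln_recs) > 0:
                svc_vulns_xml = etree.SubElement(service_xml, 'vulns')
                for vuln_rec in svc_vuln_recs:
                    vulndata = db.t_vulndata[vuln_rec.f_vulndata_id]
                    vuln_xml = etree.SubElement(svc_vulns_xml, 'vuln')
                    vuln_xml.set('status', vuln_rec.f_status)
                    vuln_xml.set('id', vulndata.f_vulnid)
                    proof = etree.SubElement(vuln_xml, 'proof')
                    proof.text = etree.CDATA(
                        unicode(MARKMIN(vuln_rec.f_proof).xml(), 'utf-8'))

                    # Fix: de-duplicate against the shared <vulns> section.
                    # The old lookup searched the freshly created per-service
                    # <vuln> element, never matched, and so appended the full
                    # definition once per finding.
                    if vulndata.f_vulnid in seen_vuln_ids:
                        continue
                    seen_vuln_ids.add(vulndata.f_vulnid)

                    new_vuln_xml = etree.SubElement(vulns_xml, 'vuln')
                    new_vuln_xml.set('id', vulndata.f_vulnid)
                    new_vuln_xml.set('title', vulndata.f_title)
                    new_vuln_xml.set('severity', str(vulndata.f_severity))
                    new_vuln_xml.set('pci_sev', str(vulndata.f_pci_sev))
                    new_vuln_xml.set('cvss_score',
                                     str(vulndata.f_cvss_score))
                    new_vuln_xml.set('cvss_metric', cvss_metrics(vulndata))
                    description = etree.SubElement(new_vuln_xml,
                                                   'description')
                    description.text = etree.CDATA(
                        unicode(
                            MARKMIN(vulndata.f_description).xml(),
                            'utf-8'))
                    solution = etree.SubElement(new_vuln_xml, 'solution')
                    solution.text = etree.CDATA(
                        unicode(
                            MARKMIN(vulndata.f_solution).xml(), 'utf-8'))

                    # find vulnerability references and add them
                    vuln_refs = db(db.t_vuln_references.f_vulndata_id ==
                                   vulndata.id).select()
                    if len(vuln_refs) > 0:
                        refs_xml = etree.SubElement(
                            new_vuln_xml, 'references')
                        for ref_rec in vuln_refs:
                            record = db.t_vuln_refs[ref_rec.f_vuln_ref_id]
                            ref_xml = etree.SubElement(
                                refs_xml, 'reference')
                            ref_xml.set('source', record.f_source)
                            ref_xml.text = record.f_text.decode('utf-8')

            # accounts (credential material is exported verbatim)
            accounts = db(db.t_accounts.f_services_id == svc_rec.id).select()
            if len(accounts) > 0:
                accounts_xml = etree.SubElement(service_xml, 'accounts')
                for acct_rec in accounts:
                    acct_xml = etree.SubElement(accounts_xml, 'account')
                    for tag, is_bytes in account_fields:
                        value = getattr(acct_rec, 'f_' + tag)
                        if value in notin:
                            continue
                        elem = etree.SubElement(acct_xml, tag)
                        elem.text = value.decode('utf-8') if is_bytes else value

    result = etree.tostring(kvasir_results_xml,
                            pretty_print=True,
                            encoding=unicode)
    return result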
Example #3
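def customer_xml():
    """
    Generates an XML file suitable for Customer usage

    Selects hosts with the filter held in ``session.hostfilter`` or, when the
    session has none, with the ``f_type`` / ``f_value`` request variables, and
    builds a ``KvasirResults`` document holding a ``summary``, the per-host
    entries under ``hosts`` (OS guess, SNMP, NetBIOS, services and, per
    service, configuration, vulnerabilities and accounts) and the shared
    ``os_records`` and ``vulns`` sections, which list each OS / vulnerability
    id once.  Returns the pretty-printed document as a unicode string.

    Security note: the document contains, in clear text, whatever credential
    material is stored for a service (``password``, ``hash1``/``hash2``) and
    the SNMP community strings.  Treat the return value as sensitive data:
    restrict who may request it and protect it in transit and at rest.
    NOTE(review): no access-control check is visible in this listing; confirm
    the caller enforces one.
    """

    from lxml import etree

    # grab the filter type and value if provided or from the session
    # NOTE(review): the request variables are caller-supplied and are handed
    # to create_hostfilter_query() unchecked here -- presumably that helper
    # validates them; confirm.
    if session.hostfilter is None:
        f_type = request.vars.f_type or None
        f_value = request.vars.f_value or None
    else:
        f_type = session.hostfilter[0]
        f_value = session.hostfilter[1]

    # NOTE(review): the XML Schema instance attribute is spelled
    # "noNamespaceSchemaLocation" (lower-case "s"); with the spelling below a
    # schema-aware parser will not treat it as the schema hint.  Left as-is
    # because changing it alters the emitted document -- confirm and correct.
    location_attribute = '{%s}noNameSpaceSchemaLocation' % "http://www.w3.org/2001/XMLSchema-instance"
    kvasir_results_xml = etree.Element('KvasirResults', attrib={location_attribute: 'kvasir.xsd'})

    summary_xml = etree.SubElement(kvasir_results_xml, 'summary')
    customer = etree.SubElement(summary_xml, 'customer')
    customer.text = settings.customer or 'CUSTOMER NAME'
    assessment = etree.SubElement(summary_xml, 'assessment')
    assessment.set('type', settings.assessment_type)
    start_date = etree.SubElement(assessment, 'start-date')
    start_date.text = settings.start_date or 'START DATE'
    end_date = etree.SubElement(assessment, 'end-date')
    end_date.text = settings.end_date or 'END DATE'

    hosts_xml = etree.SubElement(kvasir_results_xml, 'hosts')
    os_xml = etree.SubElement(kvasir_results_xml, 'os_records')
    vulns_xml = etree.SubElement(kvasir_results_xml, 'vulns')

    # this is a little hack to ensure a record is either blank or None
    # use it as "if variable not in notin:"
    notin = [None, '']

    # Ids already written to <os_records> / <vulns>.  Tracking them in sets
    # replaces the former XPath lookups that interpolated database values
    # into the expression (a quote character in an id broke the expression)
    # and keeps the duplicate check O(1).
    seen_os_ids = set()
    seen_vuln_ids = set()

    # (tag, stored-as-bytes) for every optional <account> child; the database
    # field is 'f_' + tag.  Byte fields are decoded as UTF-8 before use.
    account_fields = (
        ('username', True),
        ('fullname', True),
        ('password', True),
        ('hash1', False),
        ('hash1_type', False),
        ('hash2', False),
        ('hash2_type', False),
        ('uid', False),
        ('gid', False),
        ('level', False),
        ('domain', True),
        ('description', True),
    )
    os_fields = ('vendor', 'product', 'version', 'update', 'edition', 'language')

    # go through each host, adding the os, services and vulns accordingly
    query = create_hostfilter_query([(f_type, f_value), False])
    for host_rec in db(query).select():
        host_xml = etree.SubElement(hosts_xml, 'host')
        host_xml.set('ipv4', host_rec.f_ipv4)
        host_xml.set('assetgroup', host_rec.f_asset_group)
        if host_rec.f_ipv6:
            host_xml.set('ipv6', host_rec.f_ipv6)
        if host_rec.f_macaddr:
            host_xml.set('macaddr', host_rec.f_macaddr)
        if host_rec.f_hostname:
            host_xml.set('hostname', host_rec.f_hostname.decode('utf-8'))
        if host_rec.f_netbios_name:
            host_xml.set('netbios', host_rec.f_netbios_name.decode('utf-8'))

        # build the os information using the highest certainty record
        highest = (0, None)
        for os_rec in db(db.t_host_os_refs.f_hosts_id == host_rec.id).select():
            if os_rec.f_certainty > highest[0]:
                highest = (os_rec.f_certainty, os_rec)

        if highest[0] > 0:
            # add os element to the host
            record = highest[1]
            os_elem = etree.SubElement(host_xml, 'os')
            os_elem.set('certainty', str(highest[0]))
            if record.f_class not in notin:
                os_elem.set('class', record.f_class)
            if record.f_family not in notin:
                os_elem.set('family', record.f_family)

            # since some os records may not have a cpe id we'll mask them with
            # using their title, replacing spaces with underscores
            t_os_rec = db.t_os[record.f_os_id]
            if t_os_rec.f_cpename in notin:
                cpeid = t_os_rec.f_title.replace(' ', '_')
            else:
                cpeid = t_os_rec.f_cpename

            os_elem.set('id', cpeid)

            # if the id isn't in os_records, add it
            if cpeid not in seen_os_ids:
                seen_os_ids.add(cpeid)
                os_info_xml = etree.SubElement(os_xml, 'os')
                os_info_xml.set('id', cpeid)
                os_info_xml.set('title', t_os_rec.f_title)

                for field in os_fields:
                    value = getattr(t_os_rec, 'f_' + field)
                    if value not in notin:
                        etree.SubElement(os_info_xml, field).text = value

        # snmp strings
        # NOTE(review): <snmps> (and <netbios> below) are attached to the
        # shared <hosts> container, not to this host's element, so the output
        # does not tie them to a host -- confirm against kvasir.xsd.
        snmp_recs = db(db.t_snmp.f_hosts_id == host_rec.id).select()
        if len(snmp_recs) > 0:
            snmp_top_xml = etree.SubElement(hosts_xml, 'snmps')
            for record in snmp_recs:
                snmp_xml = etree.SubElement(snmp_top_xml, 'snmp')
                if record.f_community not in notin:
                    snmp_xml.set('community', record.f_community.decode('utf-8'))
                    snmp_xml.set('version', record.f_version)
                    snmp_xml.set('access', record.f_access)

        # netbios information
        netb_record = db(db.t_netbios.f_hosts_id == host_rec.id).select().first() or None
        if netb_record:
            netbios_xml = etree.SubElement(hosts_xml, 'netbios')
            if netb_record.f_type not in notin:
                netbios_xml.set('type', netb_record.f_type)
            if netb_record.f_domain not in notin:
                netbios_xml.set('domain', netb_record.f_domain.decode('utf-8'))
            if netb_record.f_lockout_limit not in notin:
                netbios_xml.set('lockout_limit', str(netb_record.f_lockout_limit))
            if netb_record.f_lockout_duration not in notin:
                netbios_xml.set('lockout_duration', str(netb_record.f_lockout_duration))

            if netb_record.f_advertised_names is not None:
                adv_names_xml = etree.SubElement(netbios_xml, 'advertised_names')
                for name in netb_record.f_advertised_names:
                    name_xml = etree.SubElement(adv_names_xml, 'name')
                    # Fix: the text belongs on the new element; the old code
                    # assigned ``.text`` on the name string itself, which
                    # raises AttributeError.
                    name_xml.text = name.decode('utf-8')

        # build the services and vulnerabilities
        services_xml = etree.SubElement(host_xml, 'services')
        for svc_rec in db(db.t_services.f_hosts_id == host_rec.id).select():
            service_xml = etree.SubElement(services_xml, 'service')
            service_xml.set('proto', svc_rec.f_proto)
            service_xml.set('number', svc_rec.f_number)

            if svc_rec.f_name not in notin:
                name = etree.SubElement(service_xml, 'name')
                name.text = svc_rec.f_name.decode('utf-8')

            if svc_rec.f_banner not in notin:
                banner = etree.SubElement(service_xml, 'banner')
                banner.text = svc_rec.f_banner.decode('utf-8')

            # service configuration records
            svc_info_recs = db(db.t_service_info.f_services_id == svc_rec.id).select()
            if len(svc_info_recs) > 0:
                config_xml = etree.SubElement(service_xml, 'configuration')
                for info_rec in svc_info_recs:
                    rec_xml = etree.SubElement(config_xml, 'config')
                    if info_rec.f_name not in notin:
                        rec_xml.set('name', info_rec.f_name)
                        if info_rec.f_text not in notin:
                            rec_xml.text = info_rec.f_text.decode('utf-8')

            # vulnerabilities
            # NOTE(review): proof/description/solution are MARKMIN-rendered
            # markup wrapped in CDATA.  lxml is believed to reject a CDATA
            # payload containing "]]>", which would abort the export --
            # confirm.  Consumers should treat this markup as untrusted.
            svc_vuln_recs = db(db.t_service_vulns.f_services_id == svc_rec.id).select()
            if len(svc_vuln_recs) > 0:
                svc_vulns_xml = etree.SubElement(service_xml, 'vulns')
                for vuln_rec in svc_vuln_recs:
                    vulndata = db.t_vulndata[vuln_rec.f_vulndata_id]
                    vuln_xml = etree.SubElement(svc_vulns_xml, 'vuln')
                    vuln_xml.set('status', vuln_rec.f_status)
                    vuln_xml.set('id', vulndata.f_vulnid)
                    proof = etree.SubElement(vuln_xml, 'proof')
                    proof.text = etree.CDATA(unicode(MARKMIN(vuln_rec.f_proof).xml(), 'utf-8'))

                    # Fix: de-duplicate against the shared <vulns> section.
                    # The old lookup searched the freshly created per-service
                    # <vuln> element, never matched, and so appended the full
                    # definition once per finding.
                    if vulndata.f_vulnid in seen_vuln_ids:
                        continue
                    seen_vuln_ids.add(vulndata.f_vulnid)

                    new_vuln_xml = etree.SubElement(vulns_xml, 'vuln')
                    new_vuln_xml.set('id', vulndata.f_vulnid)
                    new_vuln_xml.set('title', vulndata.f_title)
                    new_vuln_xml.set('severity', str(vulndata.f_severity))
                    new_vuln_xml.set('pci_sev', str(vulndata.f_pci_sev))
                    new_vuln_xml.set('cvss_score', str(vulndata.f_cvss_score))
                    new_vuln_xml.set('cvss_metric', cvss_metrics(vulndata))
                    description = etree.SubElement(new_vuln_xml, 'description')
                    description.text = etree.CDATA(unicode(MARKMIN(vulndata.f_description).xml(), 'utf-8'))
                    solution = etree.SubElement(new_vuln_xml, 'solution')
                    solution.text = etree.CDATA(unicode(MARKMIN(vulndata.f_solution).xml(), 'utf-8'))

                    # find vulnerability references and add them
                    vuln_refs = db(db.t_vuln_references.f_vulndata_id == vulndata.id).select()
                    if len(vuln_refs) > 0:
                        refs_xml = etree.SubElement(new_vuln_xml, 'references')
                        for ref_rec in vuln_refs:
                            record = db.t_vuln_refs[ref_rec.f_vuln_ref_id]
                            ref_xml = etree.SubElement(refs_xml, 'reference')
                            ref_xml.set('source', record.f_source)
                            ref_xml.text = record.f_text.decode('utf-8')

            # accounts (credential material is exported verbatim)
            accounts = db(db.t_accounts.f_services_id == svc_rec.id).select()
            if len(accounts) > 0:
                accounts_xml = etree.SubElement(service_xml, 'accounts')
                for acct_rec in accounts:
                    acct_xml = etree.SubElement(accounts_xml, 'account')
                    for tag, is_bytes in account_fields:
                        value = getattr(acct_rec, 'f_' + tag)
                        if value in notin:
                            continue
                        elem = etree.SubElement(acct_xml, tag)
                        elem.text = value.decode('utf-8') if is_bytes else value

    result = etree.tostring(kvasir_results_xml, pretty_print=True, encoding=unicode)
    return result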