    def __init__(self,
                 fortify_url,
                 project_template=None,
                 application_name=None,
                 fortify_username=None,
                 fortify_password=None,
                 scan_name=None,
                 extension=None,
                 token=None):
        """Store the Fortify SSC connection settings and make sure an API token exists.

        Args:
            fortify_url: SSC server URL, kept as ``ssc_server``.
            project_template: SSC project template name.
            application_name: SSC application name.
            fortify_username: SSC account used when a token has to be fetched.
            fortify_password: password for ``fortify_username``; stored as given.
            scan_name: kept as ``fortify_version``.
            extension: kept unchanged.
            token: existing API token. When falsy, ``self.get_token()`` is called
                after the attributes above are set (it is defined elsewhere in
                this class, so how it uses them is not visible here).

        Raises:
            ValueError: no token was supplied and ``get_token()`` returned a
                falsy value; the failure is also logged to the console.
        """
        self.ssc_server = fortify_url
        self.project_template = project_template
        self.application_name = application_name
        self.user = fortify_username
        self.password = fortify_password
        self.fortify_version = scan_name
        self.extension = extension
        self.runenv = WebBreakerHelper.check_run_env()

        # Credentials are assigned before the token lookup so get_token() can see them.
        self.token = token
        if not self.token:
            self.token = self.get_token()

        if self.token:
            return
        Logger.console.error(
            "Unable to obtain a Fortify API token. Invalid Credentials")
        raise ValueError("Unable to obtain a Fortify API token.")
    def __init__(self, webinspect_setting, endpoint=None):
        """Initialise a WebInspect client from a settings mapping.

        Args:
            webinspect_setting: mapping holding the ``webinspect_*`` keys read
                below; a missing key raises ``KeyError`` from the lookup.
            endpoint: WebInspect server URL. When falsy, one is chosen by
                ``WebInspectJitScheduler`` from the configured endpoints/sizing.

        Raises:
            EnvironmentError: the scheduler returned no usable endpoint.
        """
        if not endpoint:
            config = WebInspectConfig()
            scheduler = WebInspectJitScheduler(
                endpoints=config.endpoints,
                size_list=config.sizing,
                size_needed=webinspect_setting['webinspect_scan_size'])
            endpoint = scheduler.get_endpoint()
            if not endpoint:
                raise EnvironmentError(
                    "Scheduler found no available endpoints.")

        self.url = endpoint
        # (attribute name, settings key), in the order the lookups happen.
        field_keys = (
            ('settings', 'webinspect_settings'),
            ('scan_name', 'webinspect_scan_name'),
            ('webinspect_upload_settings', 'webinspect_upload_settings'),
            ('webinspect_upload_policy', 'webinspect_upload_policy'),
            ('webinspect_upload_webmacros', 'webinspect_upload_webmacros'),
            ('scan_mode', 'webinspect_overrides_scan_mode'),
            ('scan_scope', 'webinspect_overrides_scan_scope'),
            ('login_macro', 'webinspect_overrides_login_macro'),
            ('scan_policy', 'webinspect_overrides_scan_policy'),
            ('scan_start', 'webinspect_overrides_scan_start'),
            ('start_urls', 'webinspect_overrides_start_urls'),
            ('workflow_macros', 'webinspect_workflow_macros'),
            ('allowed_hosts', 'webinspect_allowed_hosts'),
            ('scan_size', 'webinspect_scan_size'),
        )
        for attr, key in field_keys:
            setattr(self, attr, webinspect_setting[key])
        self.runenv = WebBreakerHelper.check_run_env()

        # Echo the effective scan configuration to the console log at debug
        # level. Note this includes the login/workflow macro settings, so
        # whatever they hold ends up in the log when debug output is enabled.
        debug = Logger.console.debug
        for fmt, value in (
                ("url: {}", self.url),
                ("settings: {}", self.settings),
                ("scan_name: {}", self.scan_name),
                ("upload_settings: {}", self.webinspect_upload_settings),
                ("upload_policy: {}", self.webinspect_upload_policy),
                ("upload_webmacros: {}", self.webinspect_upload_webmacros),
                ("workflow_macros: {}", self.workflow_macros),
                ("allowed_hosts: {}", self.allowed_hosts),
                ("scan_mode: {}", self.scan_mode),
                ("scan_scope: {}", self.scan_scope),
                ("login_macro: {}", self.login_macro),
                ("scan_policy: {}", self.scan_policy),
                ("scan_start: {}", self.scan_start),
                ("start_urls: {}", self.start_urls)):
            debug(fmt.format(value))
    def __init__(self, webinspect_setting):
        """Initialise a WebInspect client, always picking the endpoint via the scheduler.

        Args:
            webinspect_setting: mapping holding the ``webinspect_*`` keys read
                below; a missing key raises ``KeyError`` from the lookup.

        Raises:
            EnvironmentError: the scheduler returned no usable endpoint.
        """
        Logger.app.debug("Starting webinespect client initialization")

        config = WebInspectConfig()
        scheduler = WebInspectJitScheduler(
            endpoints=config.endpoints,
            size_list=config.sizing,
            size_needed=webinspect_setting['webinspect_scan_size'])
        Logger.app.info("Querying WebInspect scan engines for availability.")
        endpoint = scheduler.get_endpoint()
        if not endpoint:
            raise EnvironmentError("Scheduler found no available endpoints.")

        self.url = endpoint
        # (attribute name, settings key), in the order the lookups happen.
        field_keys = (
            ('settings', 'webinspect_settings'),
            ('scan_name', 'webinspect_scan_name'),
            ('webinspect_upload_settings', 'webinspect_upload_settings'),
            ('webinspect_upload_policy', 'webinspect_upload_policy'),
            ('webinspect_upload_webmacros', 'webinspect_upload_webmacros'),
            ('scan_mode', 'webinspect_overrides_scan_mode'),
            ('scan_scope', 'webinspect_overrides_scan_scope'),
            ('login_macro', 'webinspect_overrides_login_macro'),
            ('scan_policy', 'webinspect_overrides_scan_policy'),
            ('scan_start', 'webinspect_overrides_scan_start'),
            ('start_urls', 'webinspect_overrides_start_urls'),
            ('workflow_macros', 'webinspect_workflow_macros'),
            ('allowed_hosts', 'webinspect_allowed_hosts'),
            ('scan_size', 'webinspect_scan_size'),
        )
        for attr, key in field_keys:
            setattr(self, attr, webinspect_setting[key])
        self.runenv = WebBreakerHelper.check_run_env()

        # Echo the effective scan configuration to the application log at
        # debug level. This includes the login/workflow macro settings, so
        # whatever they hold ends up in the log when debug output is enabled.
        debug = Logger.app.debug
        debug("Completed webinspect client initialization")
        for fmt, value in (
                ("url: {}", self.url),
                ("settings: {}", self.settings),
                ("scan_name: {}", self.scan_name),
                ("upload_settings: {}", self.webinspect_upload_settings),
                ("upload_policy: {}", self.webinspect_upload_policy),
                ("upload_webmacros: {}", self.webinspect_upload_webmacros),
                ("workflow_macros: {}", self.workflow_macros),
                ("allowed_hosts: {}", self.allowed_hosts),
                ("scan_mode: {}", self.scan_mode),
                ("scan_scope: {}", self.scan_scope),
                ("login_macro: {}", self.login_macro),
                ("scan_policy: {}", self.scan_policy),
                ("scan_start: {}", self.scan_start),
                ("start_urls: {}", self.start_urls)):
            debug(fmt.format(value))
try:
    import ConfigParser as configparser
except ImportError:  #Python3
    import configparser
import argparse
import os, sys
import random
import string
import re
import xml.etree.ElementTree as ET
from subprocess import CalledProcessError, check_output
from webbreaker.webbreakerlogger import Logger
from webbreaker.webbreakerhelper import WebBreakerHelper

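runenv = WebBreakerHelper.check_run_env()

# TODO: Test on Python2
# Pick a parser that supports "safe" %(name)s interpolation on both major
# versions. On Python 2 the class is ConfigParser.SafeConfigParser; on
# Python 3 it only survived as a deprecated alias and is gone in 3.12+, where
# the lookup raises AttributeError (a missing module attribute), never
# NameError -- so the fallback has to catch AttributeError as well or it is
# never reached.
try:  # Python 2 / Python 3 with the alias still present
    config = configparser.SafeConfigParser()
except (AttributeError, NameError):  # Python 3 without the alias
    config = configparser.ConfigParser()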


class WebInspectEndpoint(object):
    """A single WebInspect server entry: its REST ``uri`` and a ``size`` value.

    Both values are stored exactly as passed; nothing is validated or
    coerced here. What ``size`` means is decided by the scheduler code
    elsewhere in the project (presumably a capacity weight, see the
    ``webinspect`` ``size_*`` config keys -- not verifiable from this class).
    """

    def __init__(self, uri, size):
        self.uri, self.size = uri, size


class WebInspectSize(object):
from webbreaker.webinspectscanhelpers import scan_running
from webbreaker.webbreakerhelper import WebBreakerHelper

# Module-level globals that start unset; they are assigned elsewhere in this
# module (not visible here), so anything reading them must cope with None.
handle_scan_event = reporter = None


class Config(object):
    """Per-invocation CLI state handed to commands through ``pass_config``.

    Holds only a ``debug`` flag, which starts off (``False``).
    """

    def __init__(self):
        self.debug = False  # verbose output off until something flips it


# click decorator that injects the shared Config object into a command;
# ensure=True makes click create one when none exists in the context yet.
pass_config = click.make_pass_decorator(Config, ensure=True)


@click.group(help=WebBreakerHelper.help_description())
@pass_config
def cli(config):
    """Root command group: print the banner, version and log-file location.

    ``config`` is the click-injected ``Config``; it is not read here.
    """
    banner = Figlet(font='slant').renderText('WebBreaker')
    Logger.console.info("\n\n{0}Version {1}\n".format(banner, version))
    Logger.console.info("Logging to files: {}".format(Logger.app_logfile))


@cli.group(
    help=
    """WebInspect is dynamic application security testing software for assessing security of Web
applications and Web services.""")
@pass_config
def webinspect(config):
    def set_config(self):
        """Register every known config option with its default via ``conf_get``.

        Each entry below is passed as ``self.conf_get(section, option, default)``
        in the same order as before. ``conf_get`` is defined elsewhere in this
        class, so what it does with the default (presumably seeding the config
        file when the option is absent) cannot be confirmed here.

        The ``threadfix/api_key`` and ``git/token`` defaults are obviously
        sample values (they end in ``XXX``): they are placeholders, not working
        secrets, and real values belong in the user's config file rather than
        in this source. The ``fortify``/``webinspect`` credentials default to
        empty strings for the same reason.
        """
        defaults = (
            # SSC URL, excluding the /ssc context
            ('fortify', 'ssc_url', 'https://fortify.example.com'),
            # Default Fortify SSC Project Template per Application Version
            ('fortify', 'project_template',
             'Prioritized High Risk Issue Template'),
            # Default Fortify SSC Application
            ('fortify', 'application_name', 'WEBINSPECT'),
            # Fortify SSC authentication; set with: webbreaker admin credentials --fortify
            ('fortify', 'username', ''),
            ('fortify', 'password', ''),
            # ThreadFix URL and ThreadFix API key (sample value)
            ('threadfix', 'host',
             'https://threadfix.example.com:8443/threadfix'),
            ('threadfix', 'api_key',
             'ZfO0b7dotQZnXSgkMOEuQVoFIeDZwd8OEQE7XXX'),
            # WebInspect load balancing; server size is bound to CPU & memory available
            ('webinspect', 'size_large', '2'),
            ('webinspect', 'size_medium', '1'),
            ('webinspect', 'default_size', 'size_large'),
            # WebInspect server(s) RESTful API endpoints; endpoint_01 uses
            # configparser %(name)s interpolation of the two keys above
            ('webinspect', 'server_01',
             'https://webinspect-server-1.example.com:8083'),
            ('webinspect', 'endpoint_01',
             '%(server_01)s|%(size_large)s'),
            ('webinspect', 'git_repo',
             'https://github.com/webbreaker/webinspect.git'),
            # API authentication; when true, set with: webbreaker admin credentials --webinspect
            ('webinspect', 'authenticate', 'false'),
            ('webinspect', 'username', ''),
            ('webinspect', 'password', ''),
            # Built-in WebInspect policies; other policies may be appended
            ('webinspect_policy', 'aggressivesqlinjection',
             '032b1266-294d-42e9-b5f0-2a4239b23941'),
            ('webinspect_policy', 'allchecks',
             '08cd4862-6334-4b0e-abf5-cb7685d0cde7'),
            ('webinspect_policy', 'apachestruts',
             '786eebac-f962-444c-8c59-7bf08a6640fd'),
            ('webinspect_policy', 'application',
             '8761116c-ad40-438a-934c-677cd6d03afb'),
            ('webinspect_policy', 'assault',
             '0a614b23-31fa-49a6-a16c-8117932345d8'),
            ('webinspect_policy', 'blank',
             'adb11ba6-b4b5-45a6-aac7-1f7d4852a2f6'),
            ('webinspect_policy', 'criticalsandhighs',
             '7235cf62-ee1a-4045-88f8-898c1735856f'),
            ('webinspect_policy', 'crosssitescripting',
             '49cb3995-b3bc-4c44-8aee-2e77c9285038'),
            ('webinspect_policy', 'development',
             '9378c6fa-63ec-4332-8539-c4670317e0a6'),
            ('webinspect_policy', 'mobile',
             'be20c7a7-8fdd-4bed-beb7-cd035464bfd0'),
            ('webinspect_policy', 'nosqlandnode.js',
             'a2c788cc-a3a9-4007-93cf-e371339b2aa9'),
            ('webinspect_policy', 'opensslheartbleed',
             '5078b547-8623-499d-bdb4-c668ced7693c'),
            ('webinspect_policy',
             'owasptop10applicationsecurityrisks2013',
             '48cab8a0-669e-438a-9f91-d26bc9a24435'),
            ('webinspect_policy',
             'owasptop10applicationsecurityrisks2007',
             'ece17001-da82-459a-a163-901549c37b6d'),
            ('webinspect_policy',
             'owasptop10applicationsecurityrisks2010',
             '8a7152d5-2637-41e0-8b14-1330828bb3b1'),
            ('webinspect_policy', 'passivescan',
             '40bf42fb-86d5-4355-8177-4b679ef87518'),
            ('webinspect_policy', 'platform',
             'f9ae1fc1-3aba-4559-b243-79e1a98fd456'),
            ('webinspect_policy', 'privilegeescalation',
             'bab6348e-2a23-4a56-9427-2febb44a7ac4'),
            ('webinspect_policy', 'qa',
             '5b4d7223-a30f-43a1-af30-0cf0e5cfd8ed'),
            ('webinspect_policy', 'quick',
             'e30efb2a-24b0-4a7b-b256-440ab57fe751'),
            ('webinspect_policy', 'safe',
             'def6a5b3-d785-40bc-b63b-6b441b315bf0'),
            ('webinspect_policy', 'soap',
             'a7eb86b8-c3fb-4e88-bc59-5253887ea5b1'),
            ('webinspect_policy', 'sqlinjection',
             '6df62f30-4d47-40ec-b3a7-dad80d33f613'),
            ('webinspect_policy', 'standard',
             'cb72a7c2-9207-4ee7-94d0-edd14a47c15c'),
            ('webinspect_policy', 'transportlayersecurity',
             '0fa627de-3f1c-4640-a7d3-154e96cda93c'),
            # GIT personal access token for the webbreaker agent (sample value)
            ('git', 'token',
             '43eb3ddb7152bbecXXabcee04859ee73eaa1XXXX'),
            # SMTP host, port and email addresses required for email functionality
            ('emailer', 'smtp_host', 'smtp.example.com'),
            ('emailer', 'smtp_port', '25'),
            ('emailer', 'from_address',
             '*****@*****.**'),
            ('emailer', 'to_address',
             '*****@*****.**'),
            ('emailer', 'default_to_address', ''),
            ('emailer', 'chatroom', ''),
        )
        for section, option, default in defaults:
            self.conf_get(section, option, default)

        # The only default that is computed rather than a literal; it is
        # evaluated last, exactly as before.
        self.conf_get('emailer', 'email_template',
                      WebBreakerHelper().email_template_config())