def __init__(self, fortify_url, project_template=None, application_name=None,
             fortify_username=None, fortify_password=None, scan_name=None,
             extension=None, token=None):
    """Record the SSC connection settings and make sure an API token is held.

    Args:
        fortify_url: SSC server base URL, stored as ``ssc_server``.
        project_template: SSC project template name, if any.
        application_name: SSC application name, if any.
        fortify_username: SSC user name, stored as ``user``.
        fortify_password: SSC password; used by ``get_token`` (defined
            elsewhere in the class) when no ``token`` is supplied.
        scan_name: stored under the attribute ``fortify_version``; the
            attribute name is kept as-is so existing readers still work.
        extension: stored unchanged.
        token: pre-obtained API token; when falsy, one is requested.

    Raises:
        ValueError: when no usable token could be obtained.
    """
    self.ssc_server = fortify_url
    self.project_template = project_template
    self.application_name = application_name
    self.user = fortify_username
    # NOTE(review): the password stays on the instance for its whole
    # lifetime -- presumably for later re-authentication; confirm, and keep
    # instances out of debug dumps.
    self.password = fortify_password
    self.fortify_version = scan_name
    self.extension = extension
    self.runenv = WebBreakerHelper.check_run_env()
    # A caller-supplied token wins; otherwise exchange the credentials for one.
    self.token = token or self.get_token()
    if self.token:
        return
    Logger.console.error(
        "Unable to obtain a Fortify API token. Invalid Credentials")
    raise ValueError("Unable to obtain a Fortify API token.")
def __init__(self, webinspect_setting, endpoint=None):
    """Build a WebInspect client from a settings dict, picking an engine if needed.

    Args:
        webinspect_setting: mapping holding the ``webinspect_*`` keys listed
            in ``field_map`` below.
        endpoint: WebInspect REST endpoint URL. When falsy, one is chosen by
            ``WebInspectJitScheduler`` from the configured endpoints, sized by
            ``webinspect_setting['webinspect_scan_size']``.

    Raises:
        EnvironmentError: when no endpoint was given and the scheduler
            returns none.
        KeyError: when ``webinspect_setting`` lacks a required key.
    """
    if not endpoint:
        config = WebInspectConfig()
        scheduler = WebInspectJitScheduler(
            endpoints=config.endpoints,
            size_list=config.sizing,
            size_needed=webinspect_setting['webinspect_scan_size'])
        endpoint = scheduler.get_endpoint()
        if not endpoint:
            raise EnvironmentError("Scheduler found no available endpoints.")
    self.url = endpoint

    # (attribute, settings key): read in this order so the first missing key
    # is the one reported.
    field_map = (
        ('settings', 'webinspect_settings'),
        ('scan_name', 'webinspect_scan_name'),
        ('webinspect_upload_settings', 'webinspect_upload_settings'),
        ('webinspect_upload_policy', 'webinspect_upload_policy'),
        ('webinspect_upload_webmacros', 'webinspect_upload_webmacros'),
        ('scan_mode', 'webinspect_overrides_scan_mode'),
        ('scan_scope', 'webinspect_overrides_scan_scope'),
        ('login_macro', 'webinspect_overrides_login_macro'),
        ('scan_policy', 'webinspect_overrides_scan_policy'),
        ('scan_start', 'webinspect_overrides_scan_start'),
        ('start_urls', 'webinspect_overrides_start_urls'),
        ('workflow_macros', 'webinspect_workflow_macros'),
        ('allowed_hosts', 'webinspect_allowed_hosts'),
        ('scan_size', 'webinspect_scan_size'),
    )
    for attr, key in field_map:
        setattr(self, attr, webinspect_setting[key])
    self.runenv = WebBreakerHelper.check_run_env()

    # NOTE(review): these debug lines echo the scan configuration (settings,
    # login macro, start URLs); confirm none of those values carries
    # credentials before enabling debug logging in a shared environment.
    debug = Logger.console.debug
    debug("url: {}".format(self.url))
    for template, value in (
            ("settings: {}", self.settings),
            ("scan_name: {}", self.scan_name),
            ("upload_settings: {}", self.webinspect_upload_settings),
            ("upload_policy: {}", self.webinspect_upload_policy),
            ("upload_webmacros: {}", self.webinspect_upload_webmacros),
            ("workflow_macros: {}", self.workflow_macros),
            ("allowed_hosts: {}", self.allowed_hosts),
            ("scan_mode: {}", self.scan_mode),
            ("scan_scope: {}", self.scan_scope),
            ("login_macro: {}", self.login_macro),
            ("scan_policy: {}", self.scan_policy),
            ("scan_start: {}", self.scan_start),
            ("start_urls: {}", self.start_urls),
    ):
        debug(template.format(value))
def __init__(self, webinspect_setting):
    """Build a WebInspect client, always letting the scheduler choose an engine.

    Args:
        webinspect_setting: mapping holding the ``webinspect_*`` keys listed
            in ``field_map`` below; ``webinspect_scan_size`` is read first to
            size the scheduler request.

    Raises:
        EnvironmentError: when the scheduler returns no endpoint.
        KeyError: when ``webinspect_setting`` lacks a required key.
    """
    Logger.app.debug("Starting webinespect client initialization")
    config = WebInspectConfig()
    scheduler = WebInspectJitScheduler(
        endpoints=config.endpoints,
        size_list=config.sizing,
        size_needed=webinspect_setting['webinspect_scan_size'])
    Logger.app.info("Querying WebInspect scan engines for availability.")
    endpoint = scheduler.get_endpoint()
    if not endpoint:
        raise EnvironmentError("Scheduler found no available endpoints.")
    self.url = endpoint

    # (attribute, settings key): read in this order so the first missing key
    # is the one reported.
    field_map = (
        ('settings', 'webinspect_settings'),
        ('scan_name', 'webinspect_scan_name'),
        ('webinspect_upload_settings', 'webinspect_upload_settings'),
        ('webinspect_upload_policy', 'webinspect_upload_policy'),
        ('webinspect_upload_webmacros', 'webinspect_upload_webmacros'),
        ('scan_mode', 'webinspect_overrides_scan_mode'),
        ('scan_scope', 'webinspect_overrides_scan_scope'),
        ('login_macro', 'webinspect_overrides_login_macro'),
        ('scan_policy', 'webinspect_overrides_scan_policy'),
        ('scan_start', 'webinspect_overrides_scan_start'),
        ('start_urls', 'webinspect_overrides_start_urls'),
        ('workflow_macros', 'webinspect_workflow_macros'),
        ('allowed_hosts', 'webinspect_allowed_hosts'),
        ('scan_size', 'webinspect_scan_size'),
    )
    for attr, key in field_map:
        setattr(self, attr, webinspect_setting[key])
    self.runenv = WebBreakerHelper.check_run_env()

    # NOTE(review): the debug dump below echoes the scan configuration
    # (settings, login macro, start URLs); confirm none of those values
    # carries credentials before enabling debug logging where logs are shared.
    debug = Logger.app.debug
    debug("Completed webinspect client initialization")
    debug("url: {}".format(self.url))
    for template, value in (
            ("settings: {}", self.settings),
            ("scan_name: {}", self.scan_name),
            ("upload_settings: {}", self.webinspect_upload_settings),
            ("upload_policy: {}", self.webinspect_upload_policy),
            ("upload_webmacros: {}", self.webinspect_upload_webmacros),
            ("workflow_macros: {}", self.workflow_macros),
            ("allowed_hosts: {}", self.allowed_hosts),
            ("scan_mode: {}", self.scan_mode),
            ("scan_scope: {}", self.scan_scope),
            ("login_macro: {}", self.login_macro),
            ("scan_policy: {}", self.scan_policy),
            ("scan_start: {}", self.scan_start),
            ("start_urls: {}", self.start_urls),
    ):
        debug(template.format(value))
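try:
    import ConfigParser as configparser  # Python 2
except ImportError:
    # Python 3
    import configparser
import argparse
import os
import random
import re
import string
import sys
import xml.etree.ElementTree as ET
from subprocess import CalledProcessError, check_output

from webbreaker.webbreakerlogger import Logger
from webbreaker.webbreakerhelper import WebBreakerHelper

runenv = WebBreakerHelper.check_run_env()

# TODO: Test on Python2
# ``SafeConfigParser`` is the Python 2 class. On Python 3 it is only a
# deprecated alias of ``ConfigParser`` (removed in 3.12), and a missing
# attribute on the module raises AttributeError, never NameError -- so an
# ``except NameError`` fallback would not have fired. Select by version
# instead so the module still imports on current interpreters.
if sys.version_info[0] < 3:
    config = configparser.SafeConfigParser()  # Python 2
else:
    config = configparser.ConfigParser()  # Python 3


class WebInspectEndpoint(object):
    """One WebInspect REST endpoint paired with the size tier it is filed under."""

    def __init__(self, uri, size):
        self.uri = uri    # endpoint URL as read from configuration
        self.size = size  # size tier value; how it is compared is defined by WebInspectSize below


class WebInspectSize(object):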
from webbreaker.webinspectscanhelpers import scan_running
from webbreaker.webbreakerhelper import WebBreakerHelper

# Module-level hooks; both remain None until something outside this span
# assigns them.
handle_scan_event = None
reporter = None


class Config(object):
    """Shared CLI state handed to each command by ``pass_config``."""

    def __init__(self):
        self.debug = False  # verbose output is off unless a command enables it


pass_config = click.make_pass_decorator(Config, ensure=True)


@click.group(help=WebBreakerHelper.help_description())
@pass_config
def cli(config):
    """Root command group: print the banner, version and log-file location."""
    banner = Figlet(font='slant').renderText('WebBreaker')
    Logger.console.info("\n\n{0}Version {1}\n".format(banner, version))
    Logger.console.info("Logging to files: {}".format(Logger.app_logfile))


@cli.group(
    help="""WebInspect is dynamic application security testing software for assessing security of Web applications and Web services.""")
@pass_config
def webinspect(config):
def set_config(self):
    """Seed every configuration option with its default via ``conf_get``.

    Each entry of ``defaults`` is ``(section, option, default)`` and is passed
    to ``conf_get`` (defined elsewhere in the class) in the order listed, so
    the calls happen exactly as before, section by section. The emailer
    template is resolved last because its default comes from a helper call
    rather than a literal.
    """
    defaults = (
        # SSC URL, excluding the /ssc context
        ('fortify', 'ssc_url', 'https://fortify.example.com'),
        # Default Fortify SSC Project Template per Application Version
        ('fortify', 'project_template', 'Prioritized High Risk Issue Template'),
        # Default Fortify SSC Application
        ('fortify', 'application_name', 'WEBINSPECT'),
        # Fortify SSC authentication: set with `webbreaker admin credentials --fortify`
        ('fortify', 'username', ''),
        ('fortify', 'password', ''),
        # ThreadFix URL and ThreadFix API key. The key below is a placeholder
        # (note the XXX suffix) that must be replaced in the generated config;
        # a real key should never be committed as a default.
        ('threadfix', 'host', 'https://threadfix.example.com:8443/threadfix'),
        ('threadfix', 'api_key', 'ZfO0b7dotQZnXSgkMOEuQVoFIeDZwd8OEQE7XXX'),
        # WebInspect load balancing; the size of a server is bound to the CPU
        # and memory available
        ('webinspect', 'size_large', '2'),
        ('webinspect', 'size_medium', '1'),
        ('webinspect', 'default_size', 'size_large'),
        # WebInspect server(s) RESTful API endpoints
        ('webinspect', 'server_01', 'https://webinspect-server-1.example.com:8083'),
        ('webinspect', 'endpoint_01', '%(server_01)s|%(size_large)s'),
        ('webinspect', 'git_repo', 'https://github.com/webbreaker/webinspect.git'),
        # API authentication: set to true and run `webbreaker admin credentials --webinspect`
        ('webinspect', 'authenticate', 'false'),
        ('webinspect', 'username', ''),
        ('webinspect', 'password', ''),
        # Built-in WebInspect policies; other policies may be appended
        ('webinspect_policy', 'aggressivesqlinjection', '032b1266-294d-42e9-b5f0-2a4239b23941'),
        ('webinspect_policy', 'allchecks', '08cd4862-6334-4b0e-abf5-cb7685d0cde7'),
        ('webinspect_policy', 'apachestruts', '786eebac-f962-444c-8c59-7bf08a6640fd'),
        ('webinspect_policy', 'application', '8761116c-ad40-438a-934c-677cd6d03afb'),
        ('webinspect_policy', 'assault', '0a614b23-31fa-49a6-a16c-8117932345d8'),
        ('webinspect_policy', 'blank', 'adb11ba6-b4b5-45a6-aac7-1f7d4852a2f6'),
        ('webinspect_policy', 'criticalsandhighs', '7235cf62-ee1a-4045-88f8-898c1735856f'),
        ('webinspect_policy', 'crosssitescripting', '49cb3995-b3bc-4c44-8aee-2e77c9285038'),
        ('webinspect_policy', 'development', '9378c6fa-63ec-4332-8539-c4670317e0a6'),
        ('webinspect_policy', 'mobile', 'be20c7a7-8fdd-4bed-beb7-cd035464bfd0'),
        ('webinspect_policy', 'nosqlandnode.js', 'a2c788cc-a3a9-4007-93cf-e371339b2aa9'),
        ('webinspect_policy', 'opensslheartbleed', '5078b547-8623-499d-bdb4-c668ced7693c'),
        ('webinspect_policy', 'owasptop10applicationsecurityrisks2013', '48cab8a0-669e-438a-9f91-d26bc9a24435'),
        ('webinspect_policy', 'owasptop10applicationsecurityrisks2007', 'ece17001-da82-459a-a163-901549c37b6d'),
        ('webinspect_policy', 'owasptop10applicationsecurityrisks2010', '8a7152d5-2637-41e0-8b14-1330828bb3b1'),
        ('webinspect_policy', 'passivescan', '40bf42fb-86d5-4355-8177-4b679ef87518'),
        ('webinspect_policy', 'platform', 'f9ae1fc1-3aba-4559-b243-79e1a98fd456'),
        ('webinspect_policy', 'privilegeescalation', 'bab6348e-2a23-4a56-9427-2febb44a7ac4'),
        ('webinspect_policy', 'qa', '5b4d7223-a30f-43a1-af30-0cf0e5cfd8ed'),
        ('webinspect_policy', 'quick', 'e30efb2a-24b0-4a7b-b256-440ab57fe751'),
        ('webinspect_policy', 'safe', 'def6a5b3-d785-40bc-b63b-6b441b315bf0'),
        ('webinspect_policy', 'soap', 'a7eb86b8-c3fb-4e88-bc59-5253887ea5b1'),
        ('webinspect_policy', 'sqlinjection', '6df62f30-4d47-40ec-b3a7-dad80d33f613'),
        ('webinspect_policy', 'standard', 'cb72a7c2-9207-4ee7-94d0-edd14a47c15c'),
        ('webinspect_policy', 'transportlayersecurity', '0fa627de-3f1c-4640-a7d3-154e96cda93c'),
        # GIT personal access token for the webbreaker agent. Placeholder
        # (XXX suffix); replace in the generated config, never commit a real one.
        ('git', 'token', '43eb3ddb7152bbecXXabcee04859ee73eaa1XXXX'),
        # SMTP host, port and addresses required for email functionality
        ('emailer', 'smtp_host', 'smtp.example.com'),
        ('emailer', 'smtp_port', '25'),
        ('emailer', 'from_address', '*****@*****.**'),
        ('emailer', 'to_address', '*****@*****.**'),
        ('emailer', 'default_to_address', ''),
        ('emailer', 'chatroom', ''),
    )
    for section, option, default in defaults:
        self.conf_get(section, option, default)
    # Resolved after the literal defaults, matching the original call order.
    self.conf_get('emailer', 'email_template', WebBreakerHelper().email_template_config())