示例#1
    def test_url_is_not_404(self):
        """
        Collect every URL referenced by the vulnerability database (WASC,
        CWE, OWASP Top 10 and free-form references) and assert that none of
        them is reported as a 404 by self.url_is_404().

        :note: One check is made per unique URL through a shared
               requests.Session.
        """
        all_urls = set()

        for vuln_id in DBVuln.get_all_db_ids():
            db_vuln = DBVuln.from_id(vuln_id)

            # Falsy wasc / cwe values contribute no URLs
            if db_vuln.wasc:
                all_urls.update(db_vuln.get_wasc_url(w) for w in db_vuln.wasc)

            if db_vuln.cwe:
                all_urls.update(db_vuln.get_cwe_url(c) for c in db_vuln.cwe)

            all_urls.update(
                link for _, _, link in db_vuln.get_owasp_top_10_references())
            all_urls.update(ref.url for ref in db_vuln.references)

        # NOTE(review): url_is_404 is defined elsewhere; confirm it sets a
        # request timeout so one unresponsive host cannot stall the test run
        session = requests.Session()
        invalid = [url for url in all_urls if self.url_is_404(session, url)]

        self.assertEqual(invalid, [])
示例#2
    def test_url_is_not_404(self):
        """
        Gather the WASC, CWE, OWASP Top 10 and reference URLs of every
        database entry and fail if self.url_is_404() flags any of them.
        """
        urls_to_check = set()

        for vuln_id in DBVuln.get_all_db_ids():
            entry = DBVuln.from_id(vuln_id)

            # "or ()" keeps the original behaviour of skipping falsy values
            for wasc_id in entry.wasc or ():
                urls_to_check.add(entry.get_wasc_url(wasc_id))

            for cwe_id in entry.cwe or ():
                urls_to_check.add(entry.get_cwe_url(cwe_id))

            for owasp_reference in entry.get_owasp_top_10_references():
                # Third item of each reference tuple is the link
                urls_to_check.add(owasp_reference[2])

            for reference in entry.references:
                urls_to_check.add(reference.url)

        # A single session is shared by all the checks
        session = requests.Session()
        broken = []
        for url in urls_to_check:
            if not self.url_is_404(session, url):
                continue
            broken.append(url)

        self.assertEqual(broken, [])
示例#3
    def test_from_file(self):
        """
        Loading the spec example by file path and by id (123) must give
        equal objects, and db_file must hold the path that was loaded.
        """
        spec_path = os.path.join(DBVuln.DB_PATH, '123-spec-example.json')

        loaded_from_file = DBVuln.from_file(spec_path)
        loaded_from_id = DBVuln.from_id(123)

        self.assertEqual(loaded_from_file, loaded_from_id)
        self.assertEqual(loaded_from_file.db_file, spec_path)
示例#4
    def test_get_owasp_top_10_url(self):
        """
        get_owasp_top_10_url() returns the expected link for the 2010 and
        2013 lists and None for a version that is not known (2033).
        """
        dbv = DBVuln(**self.DEFAULT_KWARGS)

        # (version, expected URL) for risk id 2
        expected_by_version = (
            (2010, 'https://www.owasp.org/index.php/Top_10_2010-A2'),
            (2013, 'https://www.owasp.org/index.php/Top_10_2013-A2'),
            (2033, None),
        )

        for version, expected_url in expected_by_version:
            self.assertEqual(dbv.get_owasp_top_10_url(version, 2),
                             expected_url)
示例#5
    def test_get_owasp_top_10_url(self):
        """
        Check the OWASP Top 10 URL built for risk id 2 in the 2010 and 2013
        versions, and that an unsupported version (2033) yields None.
        """
        vuln = DBVuln(**self.DEFAULT_KWARGS)

        url_2010 = vuln.get_owasp_top_10_url(2010, 2)
        self.assertEqual(url_2010,
                         'https://www.owasp.org/index.php/Top_10_2010-A2')

        url_2013 = vuln.get_owasp_top_10_url(2013, 2)
        self.assertEqual(url_2013,
                         'https://www.owasp.org/index.php/Top_10_2013-A2')

        url_unknown = vuln.get_owasp_top_10_url(2033, 2)
        self.assertEqual(url_unknown, None)
示例#6
    def set_vulndb_id(self, vulndb_id):
        """
        Store the vulnerability database id for this object.

        None is accepted and clears the id; any other value has to pass
        DBVuln.is_valid_id().

        :param vulndb_id: The id to store, or None
        :raise ValueError: When the id is not None and DBVuln.is_valid_id()
                           rejects it
        """
        if vulndb_id is not None and not DBVuln.is_valid_id(vulndb_id):
            # The number of known entries is only needed for the message
            entry_count = len(DBVuln.get_all_db_ids())
            raise ValueError(
                'Invalid vulnerability DB id %s. There are %s entries in'
                ' the vulnerability database but none is the specified one.'
                % (vulndb_id, entry_count))

        self._vulndb_id = vulndb_id
示例#7
文件: info.py 项目: 0x554simon/w3af
    def set_vulndb_id(self, vulndb_id):
        """
        Set the id that links this object to a vulnerability database entry.

        :param vulndb_id: An id accepted by DBVuln.is_valid_id(), or None to
                          clear the link
        :raise ValueError: If a non-None id is not valid
        """
        id_is_acceptable = vulndb_id is None or DBVuln.is_valid_id(vulndb_id)

        if id_is_acceptable:
            self._vulndb_id = vulndb_id
            return

        # Rejected ids never reach self._vulndb_id
        known_ids = DBVuln.get_all_db_ids()
        template = ('Invalid vulnerability DB id %s. There are %s entries in'
                    ' the vulnerability database but none is the specified'
                    ' one.')
        raise ValueError(template % (vulndb_id, len(known_ids)))
示例#8
    def test_no_multiple_spaces(self):
        """
        No database entry may contain two consecutive spaces in its
        fix_guidance or description text.

        Offenders are reported as (db_file, field name) tuples.
        """
        checked_fields = ('fix_guidance', 'description')
        invalid = []

        for vuln_id in DBVuln.get_all_db_ids():
            db_vuln = DBVuln.from_id(vuln_id)

            for field_name in checked_fields:
                if '  ' in getattr(db_vuln, field_name):
                    invalid.append((db_vuln.db_file, field_name))

        self.assertEqual(invalid, [])
示例#9
    def test_no_multiple_spaces(self):
        """
        Fail when the fix_guidance or description of any database entry
        contains a run of two spaces.
        """
        double_space = '  '
        offenders = []

        for vuln_id in DBVuln.get_all_db_ids():
            entry = DBVuln.from_id(vuln_id)

            # fix_guidance is checked before description, as reported order
            texts = (('fix_guidance', entry.fix_guidance),
                     ('description', entry.description))

            offenders.extend((entry.db_file, name)
                             for name, text in texts
                             if double_space in text)

        self.assertEqual(offenders, [])
示例#10
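    def test_id_match(self):
        """
        The file name of every database entry must start with the "id"
        stored inside its JSON document, followed by a dash.

        Files that break the convention are collected by base name.
        """
        invalid = []

        for vuln_id in DBVuln.get_all_db_ids():
            db_path_file = DBVuln.get_file_for_id(vuln_id)

            # The context manager closes the handle for each entry instead
            # of leaving one open descriptor per database file
            with open(db_path_file) as db_fh:
                json_data = json.load(db_fh)
            json_id = json_data['id']

            db_file = os.path.basename(db_path_file)

            if not db_file.startswith('%s-' % json_id):
                invalid.append(db_file)

        self.assertEqual(invalid, [])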
示例#11
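    def test_id_match(self):
        """
        Verify that each database file is named "<id>-..." where <id> is the
        value of the "id" key in the JSON it contains.
        """
        mismatched = []

        for vuln_id in DBVuln.get_all_db_ids():
            db_path_file = DBVuln.get_file_for_id(vuln_id)

            # Read through a "with" block so the file is closed right away;
            # the previous file(...).read() call never closed its handle
            with open(db_path_file) as json_fh:
                json_id = json.load(json_fh)['id']

            _, db_file = os.path.split(db_path_file)
            expected_prefix = '%s-' % json_id

            if not db_file.startswith(expected_prefix):
                mismatched.append(db_file)

        self.assertEqual(mismatched, [])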
示例#12
    def test_url_is_not_404(self):
        """
        Read the CWE ids, references and OWASP Top 10 risks straight from
        the JSON data returned by self.get_all_json(), turn them into URLs
        and assert that self.url_is_404() flags none of them.
        """
        all_urls = set()

        for _language, _db_path_file, db_data in self.get_all_json():
            # Missing keys default to empty containers, adding no URLs
            all_urls.update(DBVuln.get_cwe_url(cwe_id)
                            for cwe_id in db_data.get('cwe', []))

            all_urls.update(reference['url']
                            for reference in db_data.get('references', []))

            owasp_top_10 = db_data.get('owasp_top_10', {})
            for version, risk_id_list in owasp_top_10.iteritems():
                all_urls.update(self.get_owasp_url(version, risk_id)
                                for risk_id in risk_id_list)

        # NOTE(review): url_is_404 is defined elsewhere; confirm it sets a
        # request timeout so one unresponsive host cannot stall the test run
        session = requests.Session()
        invalid = [url for url in all_urls if self.url_is_404(session, url)]

        self.assertEqual(invalid, [])
示例#13
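    def test_from_file(self):
        """
        Load every file found in DBVuln.DB_PATH with DBVuln.from_file() and
        check the type of each parsed attribute.

        Files that raise while loading are collected by name and reported
        together at the end, so one broken file does not hide the others.
        """
        failed_json_files = []

        for _fname in os.listdir(DBVuln.DB_PATH):
            _file_path = os.path.join(DBVuln.DB_PATH, _fname)
            try:
                dbv = DBVuln.from_file(_file_path)
            except Exception:
                # Only ordinary errors mark a file as failed. A bare except
                # would also swallow KeyboardInterrupt and SystemExit, which
                # must be allowed to stop the test run.
                failed_json_files.append(_fname)
                continue

            self.assertIsInstance(dbv.title, basestring)
            self.assertIsInstance(dbv.description, basestring)
            self.assertIsInstance(dbv.id, int)
            self.assertIsInstance(dbv.severity, basestring)
            # wasc, tags, cwe and owasp_top_10 are optional: None is allowed
            self.assertIsInstance(dbv.wasc, (types.NoneType, list))
            self.assertIsInstance(dbv.tags, (types.NoneType, list))
            self.assertIsInstance(dbv.cwe, (types.NoneType, list))
            self.assertIsInstance(dbv.owasp_top_10, (types.NoneType, dict))
            self.assertIsInstance(dbv.fix, dict)
            self.assertIsInstance(dbv.fix_effort, int)
            self.assertIsInstance(dbv.fix_guidance, basestring)

            for ref in dbv.references:
                self.assertIsInstance(ref, Reference)

        self.assertEqual(failed_json_files, [])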
示例#14
    def test_from_id(self):
        """
        Load the spec example (id 123) with DBVuln.from_id() and compare
        db_file and every parsed attribute with the expected values.
        """
        dbv = DBVuln.from_id(123)

        expected_file = os.path.join(DBVuln.DB_PATH, DBVuln.DEFAULT_LANG,
                                     '123-spec-example.json')
        self.assertEqual(dbv.db_file, expected_file)

        expected_references = [
            Reference("http://foo.com/xss",
                      "First reference to XSS vulnerability"),
            Reference("http://asp.net/xss", "How to fix XSS vulns in ASP.NET")
        ]

        # (attribute name, expected value), asserted in this order
        expected_attributes = (
            ('title', u'Cross-Site Scripting'),
            ('description', u'A very long text explaining what a XSS'
                            u' vulnerability is'),
            ('id', MOCK_ID),
            ('severity', MOCK_SEVERITY),
            ('wasc', [u'0003']),
            ('tags', [u'xss', u'client side']),
            ('cwe', [u'0003', u'0007']),
            ('owasp_top_10', {"2010": [1], "2013": [2]}),
            ('references', expected_references),
            ('fix_effort', 50),
            ('fix_guidance', u'A very long text explaining how developers'
                             u' should prevent\nXSS vulnerabilities.\n'),
        )

        for attr_name, expected_value in expected_attributes:
            self.assertEqual(getattr(dbv, attr_name), expected_value)
示例#15
    def test_from_id(self):
        """
        DBVuln.from_id(123) must load the spec example file and expose the
        values stored in it, including the raw "fix" dict and the
        fix_effort / fix_guidance attributes.
        """
        dbv = DBVuln.from_id(123)

        expected_file = os.path.join(DBVuln.DB_PATH, '123-spec-example.json')
        self.assertEqual(dbv.db_file, expected_file)

        guidance = (u"A very long text explaining"
                    u" how to fix XSS vulnerabilities")

        expected_references = [
            Reference("http://foo.com/xss",
                      "First reference to XSS vulnerability"),
            Reference("http://asp.net/xss",
                      "How to fix XSS vulns in ASP.NET"),
        ]

        # (attribute name, expected value), asserted in this order
        expected_attributes = (
            ('title', u'Cross-Site Scripting'),
            ('description', u'A very long description for'
                            u' Cross-Site Scripting'),
            ('id', MOCK_ID),
            ('severity', MOCK_SEVERITY),
            ('wasc', [u'0003']),
            ('tags', [u'xss', u'client side']),
            ('cwe', [u'0003', u'0007']),
            ('owasp_top_10', {"2010": [1], "2013": [2]}),
            ('fix', {u"guidance": guidance, u"effort": 50}),
            ('references', expected_references),
            ('fix_effort', 50),
            ('fix_guidance', guidance),
        )

        for attr_name, expected_value in expected_attributes:
            self.assertEqual(getattr(dbv, attr_name), expected_value)
示例#16
文件: info.py 项目: RON313/w3af
    def set_vulndb_id(self, vulndb_id):
        """
        Store the vulnerability database id for this object.

        :param vulndb_id: An id accepted by DBVuln.is_valid_id(), or None to
                          clear the stored id
        :raise ValueError: When a non-None id is rejected by
                           DBVuln.is_valid_id()
        """
        if vulndb_id is not None and not DBVuln.is_valid_id(vulndb_id):
            raise ValueError('Invalid vulnerability DB id: %s' % vulndb_id)

        # Reached for None and for ids that passed validation
        self._vulndb_id = vulndb_id
示例#17
    def set_vulndb_id(self, vulndb_id):
        """
        Set (or clear, when None is given) the vulnerability database id.

        :param vulndb_id: The id to store, or None
        :raise ValueError: If the id is not None and DBVuln.is_valid_id()
                           returns a falsy value for it
        """
        accepted = vulndb_id is None or DBVuln.is_valid_id(vulndb_id)

        if not accepted:
            error_message = 'Invalid vulnerability DB id: %s' % vulndb_id
            raise ValueError(error_message)

        self._vulndb_id = vulndb_id
示例#18
    def test_vulns_dict_points_to_existing_vulndb_data_id(self):
        """
        Every non-None id in the VULNS mapping must be accepted by
        DBVuln.is_valid_id(); offenders are reported as (name, id) tuples.
        """
        invalid = [(vuln_name, _id)
                   for vuln_name, _id in VULNS.iteritems()
                   if _id is not None and not DBVuln.is_valid_id(_id)]

        self.assertEqual(invalid, [])
示例#19
    def test_vulns_dict_points_to_existing_vulndb_data_id(self):
        """
        Check that the ids stored in VULNS exist in the vulnerability
        database. Entries mapped to None are skipped.
        """
        dangling = []

        for vuln_name, db_id in VULNS.iteritems():
            # None entries are skipped without consulting the database
            id_is_fine = db_id is None or DBVuln.is_valid_id(db_id)

            if not id_is_fine:
                dangling.append((vuln_name, db_id))

        self.assertEqual(dangling, [])
示例#20
文件: info.py 项目: woverines/w3af
    def get_vuln_info_from_db(self):
        """
        Read the vulnerability information from the vulndb

        The DBVuln instance is loaded on first use and kept in self._vulndb
        for later calls.

        :return: The cached or freshly loaded entry, or None when no
                 vulndb id is set
        """
        if self._vulndb is None and self._vulndb_id is not None:
            self._vulndb = DBVuln.from_id(self._vulndb_id)

        # Still None here when neither a cached entry nor an id exists
        return self._vulndb
示例#21
文件: info.py 项目: 0x554simon/w3af
    def get_vuln_info_from_db(self):
        """
        Read the vulnerability information from the vulndb

        :return: self._vulndb when it is already populated; otherwise the
                 result of DBVuln.from_id() for the stored id (which is
                 also saved in self._vulndb), or None if no id is stored
        """
        cached_entry = self._vulndb
        if cached_entry is not None:
            return cached_entry

        if self._vulndb_id is None:
            # Nothing cached and nothing to look up
            return None

        self._vulndb = DBVuln.from_id(self._vulndb_id)
        return self._vulndb
示例#22
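    def test_from_file(self):
        """
        For every language returned by DBVuln.get_all_languages(), load each
        regular file in that language's directory with DBVuln.from_file()
        and check the type of each parsed attribute.

        Files that raise while loading are collected by name. After each
        language the test asserts that nothing failed and that more than 20
        files were processed so far.
        """
        failed_json_files = []
        processed_files = []

        for language in DBVuln.get_all_languages():

            json_path = os.path.join(DBVuln.DB_PATH, language)

            for _fname in os.listdir(json_path):
                _file_path = os.path.join(json_path, _fname)

                if os.path.isdir(_file_path):
                    continue

                try:
                    # NOTE(review): this rebinds a class attribute and never
                    # restores it, so the last language stays set on DBVuln
                    # after the test; confirm other tests do not depend on it
                    DBVuln.LANG = language
                    dbv = DBVuln.from_file(_file_path)
                except Exception:
                    # Only ordinary errors mark a file as failed. A bare
                    # except would also swallow KeyboardInterrupt and
                    # SystemExit, which must be allowed to stop the run.
                    failed_json_files.append(_fname)
                    continue

                processed_files.append(_fname)

                self.assertIsInstance(dbv.title, basestring)
                self.assertIsInstance(dbv.description, basestring)
                self.assertIsInstance(dbv.id, int)
                self.assertIsInstance(dbv.severity, basestring)
                # wasc, tags, cwe and owasp_top_10 are optional: None is
                # allowed
                self.assertIsInstance(dbv.wasc, (type(None), list))
                self.assertIsInstance(dbv.tags, (type(None), list))
                self.assertIsInstance(dbv.cwe, (type(None), list))
                self.assertIsInstance(dbv.owasp_top_10, (type(None), dict))
                self.assertIsInstance(dbv.fix_effort, int)
                self.assertIsInstance(dbv.fix_guidance, basestring)

                for ref in dbv.references:
                    self.assertIsInstance(ref, Reference)

            # Both lists accumulate across languages, so these checks run
            # against the running totals at the end of each language
            self.assertEqual(failed_json_files, [])
            self.assertGreater(len(processed_files), 20)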
示例#23
    def test_load_es_lang(self):
        """
        Load the Spanish ('es') spec example both by file path and by id,
        check that the two objects are equal and that every attribute holds
        the translated values.
        """
        language = 'es'
        spec_path = os.path.join(DBVuln.DB_PATH, language,
                                 '123-spec-example.json')

        dbv = DBVuln.from_file(spec_path, language=language)
        dbv_by_id = DBVuln.from_id(123, language=language)

        self.assertEqual(dbv, dbv_by_id)
        self.assertEqual(dbv.db_file, spec_path)

        expected_references = [
            Reference("http://foo.es/xss",
                      "Primera referencia a una vulnerabilidad de XSS"),
            Reference("http://asp.net/xss", "Como arreglar XSS en .NET")
        ]

        # (attribute name, expected value), asserted in this order
        expected_attributes = (
            ('title', u'Cross-Site Scripting en ES'),
            ('description', u'Un texto largo donde se explica que es un XSS'),
            ('id', MOCK_ID),
            ('severity', MOCK_SEVERITY),
            ('wasc', [u'0003']),
            ('tags', [u'xss', u'client side']),
            ('cwe', [u'0003', u'0007']),
            ('owasp_top_10', {"2010": [1], "2013": [2]}),
            ('references', expected_references),
            ('fix_effort', 50),
            ('fix_guidance', u'Y otro texto largo donde se explica como'
                             u' arreglar vulnerabilidades de XSS'),
        )

        for attr_name, expected_value in expected_attributes:
            self.assertEqual(getattr(dbv, attr_name), expected_value)
示例#24
    def test_basic(self):
        """
        A DBVuln built from DEFAULT_KWARGS must expose each MOCK_* value
        through the attribute of the matching name.
        """
        dbv = DBVuln(**self.DEFAULT_KWARGS)

        # (attribute name, expected value), asserted in this order
        expected_attributes = (
            ('title', MOCK_TITLE),
            ('description', MOCK_DESC),
            ('id', MOCK_ID),
            ('severity', MOCK_SEVERITY),
            ('wasc', MOCK_WASC),
            ('tags', MOCK_TAGS),
            ('cwe', MOCK_CWE),
            ('owasp_top_10', MOCK_OWASP_TOP_10),
            ('fix', MOCK_FIX),
            ('references', MOCK_REFERENCES),
            ('db_file', MOCK_DB_FILE),
        )

        for attr_name, expected_value in expected_attributes:
            self.assertEqual(getattr(dbv, attr_name), expected_value)
示例#25
文件: info.py 项目: woverines/w3af
 def get_cwe_urls(self):
     """
     Yield the CWE URL for each id returned by self.get_cwe_ids().

     :note: Call has_db_details before calling this, or you'll get exceptions
     """
     for current_cwe_id in self.get_cwe_ids():
         cwe_url = DBVuln.get_cwe_url(current_cwe_id)
         yield cwe_url
示例#26
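    def get_options(self):
        """
        Build the user-configurable options of this plugin, grouped by tab:
        fuzzer parameters, core settings, network settings, exclusions,
        Metasploit and language.

        Most defaults are read from cf.cf. The COMBO options receive the
        list of selectable values instead.

        The help texts are built from adjacent string literals; several of
        them were missing the separating space (rendering as "w3afwill",
        "sectionof", ...) or had typos, which is fixed here.

        :return: A list of option objects for this plugin.
        """
        ol = OptionList()

        #
        # Fuzzer parameters
        #
        d = 'Indicates if w3af plugins will use cookies as a fuzzable parameter'
        opt = opt_factory('fuzz_cookies', cf.cf.get('fuzz_cookies'), d, BOOL,
                          tabid='Fuzzer parameters')
        ol.add(opt)

        d = ('Indicates if w3af plugins will send payloads in the content of'
             ' multipart/post form files.')
        h = ('If enabled, and multipart/post forms with files are found, w3af'
             ' will fill those file inputs with pseudo-files containing the'
             ' payloads required to identify vulnerabilities.')
        opt = opt_factory('fuzz_form_files', cf.cf.get('fuzz_form_files'), d,
                          BOOL, tabid='Fuzzer parameters', help=h)
        ol.add(opt)

        d = ('Indicates if w3af plugins will send fuzzed file names in order to'
             ' find vulnerabilities')
        h = ('For example, if the discovered URL is http://test/filename.php,'
             ' and fuzz_url_filenames is enabled, w3af will request among'
             ' other things: http://test/file\'a\'a\'name.php in order to'
             ' find SQL injections. This type of vulns are getting more'
             ' common every day!')
        opt = opt_factory('fuzz_url_filenames',
                          cf.cf.get('fuzz_url_filenames'), d, BOOL, help=h,
                          tabid='Fuzzer parameters')
        ol.add(opt)

        desc = ('Indicates if w3af plugins will send fuzzed URL parts in order'
                ' to find vulnerabilities')
        h = ('For example, if the discovered URL is http://test/foo/bar/123,'
             ' and fuzz_url_parts is enabled, w3af will request among other'
             ' things: http://test/bar/<script>alert(document.cookie)</script>'
             ' in order to find XSS.')
        opt = opt_factory('fuzz_url_parts', cf.cf.get('fuzz_url_parts'), desc,
                          BOOL, help=h, tabid='Fuzzer parameters')
        ol.add(opt)

        desc = 'Indicates the extension to use when fuzzing file content'
        opt = opt_factory('fuzzed_files_extension',
                          cf.cf.get('fuzzed_files_extension'), desc, STRING,
                          tabid='Fuzzer parameters')
        ol.add(opt)

        desc = 'A list with all fuzzable header names'
        opt = opt_factory('fuzzable_headers', cf.cf.get('fuzzable_headers'),
                          desc, LIST, tabid='Fuzzer parameters')
        ol.add(opt)

        d = ('Indicates what HTML form combo values w3af plugins will use:'
             ' all, tb, tmb, t, b')
        h = ('Indicates what HTML form combo values, e.g. select options values,'
             ' w3af plugins will use: all (All values), tb (only top and bottom'
             ' values), tmb (top, middle and bottom values), t (top values), b'
             ' (bottom values).')
        # This COMBO is given a fixed list of modes, not the cf.cf value
        options = ['tmb', 'all', 'tb', 't', 'b']
        opt = opt_factory('form_fuzzing_mode', options, d, COMBO, help=h,
                          tabid='Fuzzer parameters')
        ol.add(opt)

        #
        # Core parameters
        #
        desc = 'Stop scan after first unhandled exception'
        h = ('This feature is only useful for developers that want their scan'
             ' to stop on the first exception that is raised by a plugin.'
             ' Users should leave this as False in order to get better'
             ' exception handling from w3af\'s core.')
        opt = opt_factory('stop_on_first_exception',
                          cf.cf.get('stop_on_first_exception'), desc, BOOL,
                          help=h, tabid='Core settings')
        ol.add(opt)

        # The next five options bound how long the scan runs and how many
        # requests it sends
        desc = 'Maximum crawl time (minutes)'
        h = ('Many users tend to enable numerous plugins without actually'
             ' knowing what they are and the potential time they will take'
             ' to run. By using this parameter, users will be able to set'
             ' the maximum amount of time the crawl phase will run.')
        opt = opt_factory('max_discovery_time',
                          cf.cf.get('max_discovery_time'), desc, INT, help=h,
                          tabid='Core settings')
        ol.add(opt)

        desc = 'Maximum scan time (minutes)'
        h = ('Sets the maximum number of minutes for the scan to run. Use'
             ' zero to remove the limit.')
        opt = opt_factory('max_scan_time', cf.cf.get('max_scan_time'), desc,
                          INT, help=h, tabid='Core settings')
        ol.add(opt)

        desc = 'Limit requests for each URL sub-path'
        h = ('Limit how many requests are performed for each URL sub-path'
             ' during crawling. For example, if the application links to'
             ' three products: /product/1 /product/2 and /product/3, and'
             ' this variable is set to two, only the first two URLs:'
             ' /product/1 and /product/2 will be crawled.')
        opt = opt_factory('path_max_variants', cf.cf.get('path_max_variants'),
                          desc, INT, help=h, tabid='Core settings')
        ol.add(opt)

        desc = 'Limit requests for each URL and parameter set'
        h = ('Limit how many requests are performed for each URL and parameter'
             ' set. For example, if the application links to three products:'
             ' /product?id=1 , /product?id=2 and /product?id=3, and this'
             ' variable is set to two, only the first two URLs:'
             ' /product?id=1 and /product?id=2 will be crawled.')
        opt = opt_factory('params_max_variants',
                          cf.cf.get('params_max_variants'), desc, INT, help=h,
                          tabid='Core settings')
        ol.add(opt)

        desc = 'Limit requests for similar forms'
        h = ('Limit the number of HTTP requests to be sent to similar forms'
             ' during crawling. For example, if the application has multiple'
             ' HTML forms with the same parameters and different URLs set in'
             ' actions then only the configured number of forms are crawled.')
        opt = opt_factory('max_equal_form_variants',
                          cf.cf.get('max_equal_form_variants'), desc, INT,
                          help=h, tabid='Core settings')
        ol.add(opt)

        #
        # Network parameters
        #
        desc = ('Local interface name to use when sniffing, doing reverse'
                ' connections, etc.')
        opt = opt_factory('interface', cf.cf.get('interface'), desc, STRING,
                          tabid='Network settings')
        ol.add(opt)

        desc = 'Local IP address to use when doing reverse connections'
        opt = opt_factory('local_ip_address', cf.cf.get('local_ip_address'),
                          desc, STRING, tabid='Network settings')
        ol.add(opt)

        #
        # URL and form exclusions
        #
        # These options define what is out of scope for the scan: per the
        # help text, URLs listed in non_targets receive no HTTP requests
        desc = 'A comma separated list of URLs that w3af should ignore'
        h = 'No HTTP requests will be sent to these URLs'
        opt = opt_factory('non_targets', cf.cf.get('non_targets'), desc,
                          URL_LIST, help=h, tabid='Exclusions')
        ol.add(opt)

        desc = 'Filter forms to scan using form IDs'
        h = ('Form IDs allow the user to specify which forms will be either'
             ' included or excluded in the scan. The form IDs identified by'
             ' w3af will be written to the log (when verbose is set to true)'
             ' and can be used to define this setting for new scans.\n\n'
             'Find more about form IDs in the "Advanced use cases" section'
             ' of the w3af documentation.')
        opt = opt_factory('form_id_list', cf.cf.get('form_id_list'), desc,
                          FORM_ID_LIST, help=h, tabid='Exclusions')
        ol.add(opt)

        desc = 'Define the form_id_list filter behaviour'
        h = ('Change this setting to "include" if only a very specific set of'
             ' forms needs to be scanned. If forms matching the form_id_list'
             ' parameters need to be excluded then set this value to "exclude".')

        # The configured action is moved to the front of the list that is
        # handed to the COMBO option. list.remove() raises ValueError when
        # the stored value is neither EXCLUDE nor INCLUDE.
        current_action = cf.cf.get('form_id_action')
        tmp_list = [EXCLUDE, INCLUDE]
        tmp_list.remove(current_action)
        tmp_list.insert(0, current_action)

        opt = opt_factory('form_id_action', tmp_list, desc, COMBO, help=h,
                          tabid='Exclusions')
        ol.add(opt)

        #
        # Metasploit
        #
        # The description embeds the currently configured path
        desc = ('Full path of Metasploit framework binary directory (%s in '
                'most linux installs)' % cf.cf.get('msf_location'))
        opt = opt_factory('msf_location', cf.cf.get('msf_location'), desc,
                          STRING, tabid='Metasploit')
        ol.add(opt)

        #
        # Language options
        #
        d = 'Set the language to use when reading from the vulnerability database'
        h = ('The vulnerability database stores descriptions, fix guidance, tags,'
             ' references and much more about each vulnerability the scanner can'
             ' identify. The database supports translations, so this information'
             ' can be in many languages. Use this setting to choose the language'
             ' in which the information will be displayed and stored in reports.')
        # The selectable languages come from the vulnerability database
        options = DBVuln.get_all_languages()
        opt = opt_factory('vulndb_language', options, d, COMBO, help=h,
                          tabid='Language')
        ol.add(opt)

        return ol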
示例#27
    def get_options(self):
        """
        :return: A list of option objects for this plugin.
        """
        ol = OptionList()

        #
        # Fuzzer parameters
        #
        d = 'Indicates if w3af plugins will use cookies as a fuzzable parameter'
        opt = opt_factory('fuzz_cookies', cf.cf.get('fuzz_cookies'), d, BOOL,
                          tabid='Fuzzer parameters')
        ol.add(opt)

        d = ('Indicates if w3af plugins will send payloads in the content of'
             ' multipart/post form files.')
        h = ('If enabled, and multipart/post forms with files are found, w3af'
             'will fill those file inputs with pseudo-files containing the'
             'payloads required to identify vulnerabilities.')
        opt = opt_factory('fuzz_form_files', cf.cf.get('fuzz_form_files'), d,
                          BOOL, tabid='Fuzzer parameters', help=h)
        ol.add(opt)

        d = ('Indicates if w3af plugins will send fuzzed file names in order to'
             ' find vulnerabilities')
        h = ('For example, if the discovered URL is http://test/filename.php,'
             ' and fuzz_url_filenames is enabled, w3af will request among'
             ' other things: http://test/file\'a\'a\'name.php in order to'
             ' find SQL injections. This type of vulns are getting more '
             ' common every day!')
        opt = opt_factory('fuzz_url_filenames', cf.cf.get('fuzz_url_filenames'),
                          d, BOOL, help=h, tabid='Fuzzer parameters')
        ol.add(opt)

        desc = ('Indicates if w3af plugins will send fuzzed URL parts in order'
                ' to find vulnerabilities')
        h = ('For example, if the discovered URL is http://test/foo/bar/123,'
             ' and fuzz_url_parts is enabled, w3af will request among other '
             ' things: http://test/bar/<script>alert(document.cookie)</script>'
             ' in order to find XSS.')
        opt = opt_factory('fuzz_url_parts', cf.cf.get('fuzz_url_parts'), desc,
                          BOOL, help=h, tabid='Fuzzer parameters')
        ol.add(opt)

        desc = 'Indicates the extension to use when fuzzing file content'
        opt = opt_factory('fuzzed_files_extension',
                          cf.cf.get('fuzzed_files_extension'), desc, STRING,
                          tabid='Fuzzer parameters')
        ol.add(opt)

        desc = 'A list with all fuzzable header names'
        opt = opt_factory('fuzzable_headers', cf.cf.get('fuzzable_headers'),
                          desc, LIST, tabid='Fuzzer parameters')
        ol.add(opt)

        d = ('Indicates what HTML form combo values w3af plugins will use:'
             ' all, tb, tmb, t, b')
        h = ('Indicates what HTML form combo values, e.g. select options values,'
             ' w3af plugins will use: all (All values), tb (only top and bottom'
             ' values), tmb (top, middle and bottom values), t (top values), b'
             ' (bottom values).')
        options = ['tmb', 'all', 'tb', 't', 'b']
        opt = opt_factory('form_fuzzing_mode', options, d, COMBO, help=h,
                          tabid='Fuzzer parameters')
        ol.add(opt)

        #
        # Core parameters
        #
        desc = 'Stop scan after first unhandled exception'
        h = ('This feature is only useful for developers that want their scan'
             ' to stop on the first exception that is raised by a plugin.'
             ' Users should leave this as False in order to get better'
             ' exception handling from w3af\'s core.')
        opt = opt_factory('stop_on_first_exception',
                          cf.cf.get('stop_on_first_exception'),
                          desc, BOOL, help=h, tabid='Core settings')
        ol.add(opt)

        desc = 'Maximum crawl time (minutes)'
        h = ('Many users tend to enable numerous plugins without actually'
             ' knowing what they are and the potential time they will take'
             ' to run. By using this parameter, users will be able to set'
             ' the maximum amount of time the crawl phase will run.')
        opt = opt_factory('max_discovery_time', cf.cf.get('max_discovery_time'),
                          desc, INT, help=h, tabid='Core settings')
        ol.add(opt)

        desc = 'Limit requests for each URL sub-path'
        h = ('Limit how many requests are performed for each URL sub-path'
             ' during crawling. For example, if the application links to'
             ' three products: /product/1 /product/2 and /product/3, and'
             ' this variable is set to two, only the first two URLs:'
             ' /product/1 and /product/2 will be crawled.')
        opt = opt_factory('path_max_variants',
                          cf.cf.get('path_max_variants'),
                          desc, INT, help=h, tabid='Core settings')
        ol.add(opt)

        desc = 'Limit requests for each URL and parameter set'
        h = ('Limit how many requests are performed for each URL and parameter'
             ' set. For example, if the application links to three products:'
             ' /product?id=1 , /product?id=2 and /product?id=3, and this'
             ' variable is set to two, only the first two URLs:'
             ' /product?id=1 and /product?id=2 will crawled.')
        opt = opt_factory('params_max_variants',
                          cf.cf.get('params_max_variants'),
                          desc, INT, help=h, tabid='Core settings')
        ol.add(opt)

        desc = 'Limit requests for similar forms'
        h = ('Limit the number of HTTP requests to be sent to similar forms'
             ' during crawling. For example, if the application has multiple'
             ' HTML forms with the same parameters and different URLs set in'
             ' actions then only the configured number of forms are crawled.')
        opt = opt_factory('max_equal_form_variants',
                          cf.cf.get('max_equal_form_variants'),
                          desc, INT, help=h, tabid='Core settings')
        ol.add(opt)

        #
        # Network parameters
        #
        desc = ('Local interface name to use when sniffing, doing reverse'
                ' connections, etc.')
        opt = opt_factory('interface', cf.cf.get('interface'), desc,
                          STRING, tabid='Network settings')
        ol.add(opt)

        desc = 'Local IP address to use when doing reverse connections'
        opt = opt_factory('local_ip_address', cf.cf.get('local_ip_address'),
                          desc, STRING, tabid='Network settings')
        ol.add(opt)

        #
        # URL and form exclusions
        #
        desc = 'A comma separated list of URLs that w3af should ignore'
        h = 'No HTTP requests will be sent to these URLs'
        opt = opt_factory('non_targets', cf.cf.get('non_targets'), desc,
                          URL_LIST, help=h, tabid='Exclusions')
        ol.add(opt)

        desc = 'Filter forms to scan using form IDs'
        h = ('Form IDs allow the user to specify which forms will be either'
             ' included of excluded in the scan. The form IDs identified by'
             ' w3af will be written to the log (when verbose is set to true)'
             ' and can be used to define this setting for new scans.\n\n'
             'Find more about form IDs in the "Advanced use cases" section'
             'of the w3af documentation.')
        opt = opt_factory('form_id_list', cf.cf.get('form_id_list'), desc,
                          FORM_ID_LIST, help=h, tabid='Exclusions')
        ol.add(opt)

        desc = 'Define the form_id_list filter behaviour'
        h = ('Change this setting to "include" if only a very specific set of'
             ' forms needs to be scanned. If forms matching the form_id_list'
             ' parameters need to be excluded then set this value to "exclude".')

        form_id_actions = [EXCLUDE, INCLUDE]
        tmp_list = form_id_actions[:]
        tmp_list.remove(cf.cf.get('form_id_action'))
        tmp_list.insert(0, cf.cf.get('form_id_action'))

        opt = opt_factory('form_id_action', tmp_list, desc,
                          COMBO, help=h, tabid='Exclusions')
        ol.add(opt)

        #
        # Metasploit
        #
        desc = ('Full path of Metasploit framework binary directory (%s in '
                'most linux installs)' % cf.cf.get('msf_location'))
        opt = opt_factory('msf_location', cf.cf.get('msf_location'),
                          desc, STRING, tabid='Metasploit')
        ol.add(opt)

        #
        # Language options
        #
        d = 'Set the language to use when reading from the vulnerability database'
        h = ('The vulnerability database stores descriptions, fix guidance, tags,'
             ' references and much more about each vulnerability the scanner can'
             ' identify. The database supports translations, so this information'
             ' can be in many languages. Use this setting to choose the language'
             ' in which the information will be displayed and stored in reports.')
        options = DBVuln.get_all_languages()
        opt = opt_factory('vulndb_language', options, d, COMBO, help=h,
                          tabid='Language')
        ol.add(opt)

        return ol
示例#28
文件: info.py 项目: 0x554simon/w3af
 def get_cwe_urls(self):
     """
     Lazily yield one CWE reference URL per id returned by get_cwe_ids().

     :note: has_db_details should be checked before calling this, otherwise
            exceptions are raised.
     """
     cwe_ids = self.get_cwe_ids()
     for identifier in cwe_ids:
         cwe_url = DBVuln.get_cwe_url(identifier)
         yield cwe_url
示例#29
 def test_get_cwe_url(self):
     """get_cwe_url(89) must return the cwe.mitre.org definition page for id 89."""
     expected_url = 'https://cwe.mitre.org/data/definitions/89.html'
     vuln = DBVuln(**self.DEFAULT_KWARGS)
     actual_url = vuln.get_cwe_url(89)
     self.assertEqual(actual_url, expected_url)
示例#30
 def test_get_wasc_url(self):
     """get_wasc_url(3) must return the expected projects.webappsec.org page."""
     expected_url = ('http://projects.webappsec.org/w/page/13246946/'
                     'Integer%20Overflows')
     vuln = DBVuln(**self.DEFAULT_KWARGS)
     actual_url = vuln.get_wasc_url(3)
     self.assertEqual(actual_url, expected_url)
示例#31
 def test_long_lines(self):
     """The description loaded for DB id 124 must equal the expected text."""
     expected_description = (u'A very long description for'
                             u' Cross-Site Scripting')
     loaded = DBVuln.from_id(124)
     self.assertEqual(loaded.description, expected_description)
示例#32
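    # Fetch the results of one scan from the local scanner API, append a report
    # entry to rapor.txt for every finding whose plugin name contains "SQL",
    # then query Shodan for the scanned target (best effort).
    # Relies on names bound outside this fragment: `i` (a scan summary with
    # 'uuid' and 'id' keys), `header`, `sozluk` and `requests`.
    print i['uuid'], "-", i['id']
    url = "https://127.0.0.1:8834/scans/" + str(i['id'])
    # NOTE(review): verify=False disables certificate validation for the
    # scanner API. It is kept so a self-signed scanner certificate keeps
    # working; prefer passing that certificate's CA bundle path via verify=.
    sonuc = requests.get(url=url, headers=header, verify=False)
    tarama = sonuc.json()  # decode the response body once, not on every access
    print tarama
    print "zafiyetler"
    # NOTE(review): both loops below reuse `i`, the name of the enclosing scan
    # item; the name is kept so any later code sees the same binding as before.
    for i in tarama['vulnerabilities']:
        print i['plugin_name']
        print i
    print "===="
    for i in tarama['vulnerabilities']:
        pluginName = i['plugin_name']
        IPler = tarama['info']['targets']
        if "SQL" in pluginName:
            from vulndb import DBVuln

            # Every SQL-related finding is reported using vulndb entry 42.
            veritabaniID = DBVuln.from_id(42)
            rapor = "Tanim:" + str(veritabaniID.title) + "\n"
            rapor += "IP:" + str(IPler) + "\n"
            rapor += "Aciklama" + str(veritabaniID.description) + "\n"
            # The context manager closes the report even if the write fails.
            with open("rapor.txt", "a") as dosya:
                dosya.write(rapor)
    try:
        import os

        print "Taranan IPler:", tarama['info']['targets']
        # `sozluk` is looked up with the scanned targets string; the value is
        # used as the address to query (presumably the public IP - confirm).
        publicIP = sozluk[str(tarama['info']['targets'])]
        # The API key is read from the environment instead of being embedded
        # in source. A key that has ever been committed to a repository or
        # published should be treated as exposed and rotated.
        shodan_key = os.environ['SHODAN_API_KEY']
        url = "https://api.shodan.io/shodan/host/" + str(publicIP)
        # Certificate verification stays on (the requests default) for this
        # public endpoint; the key is passed via params so it never ends up in
        # the `url` variable.
        sonuc = requests.get(url=url, params={'key': shodan_key})
    except Exception as hata:
        # Still best effort, but Ctrl-C / SystemExit are no longer swallowed.
        # Only the exception type is printed: requests error messages can
        # contain the request URL, which includes the key as a query parameter.
        print "Shodan lookup skipped:", type(hata).__name__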
示例#33
 def test_long_lines_with_new_line(self):
     """The description loaded for DB id 125 must keep its newline characters."""
     expected_description = (u'Start line 1\n'
                             u' Start line 2\n')
     loaded = DBVuln.from_id(125)
     self.assertEqual(loaded.description, expected_description)
示例#34
###
# Name:    VulnDB_Json_serpico
# Description: Script to Parse VulnDB to Serpico Vulnerability Findings
# Author:      SAINTz
# Twitter: @__SAINTz__
# Version:     0.1 - 17 August 2018
# License:     GNU/GPL
##

import json
from vulndb import DBVuln

DB_IDs = DBVuln.get_all_db_ids()

export_json = []
for x in DB_IDs:
    dbv = DBVuln.from_id(x)
    data_tmp = {
        "affected_hosts": "null",
        "affected_users": 10,
        "approved": "true",
        "damage": 10,
        "discoverability": 10,
        "dread_total": 0,
        "effort": "Planned",
        "exploitability": 10,
        "id": dbv.id,
        "overview": "<paragraph>" + dbv.description + "</paragraph>",
        "poc": "<paragraph></paragraph>",
        "references": dbv.references,
        "remediation": "<paragraph>" + dbv.fix_guidance + "</paragraph>",
示例#35
 def test_get_cwe_url(self):
     """Check the URL built for CWE id 89 against the cwe.mitre.org page."""
     instance = DBVuln(**self.DEFAULT_KWARGS)
     url_for_89 = instance.get_cwe_url(89)
     self.assertEqual(
         url_for_89,
         'https://cwe.mitre.org/data/definitions/89.html'
     )
示例#36
 def test_get_wasc_url(self):
     """Check the URL built for WASC id 3 against the expected webappsec.org page."""
     wanted = 'http://projects.webappsec.org/w/page/13246946/Integer%20Overflows'
     instance = DBVuln(**self.DEFAULT_KWARGS)
     url_for_3 = instance.get_wasc_url(3)
     self.assertEqual(url_for_3, wanted)