Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add new parser - Rapplex #10202

Merged
merged 11 commits into from
Aug 2, 2024
Merged

Add new parser - Rapplex #10202

Show file tree
Hide file tree
Changes from 9 commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
97a973e
Added Rapplex parser files
AlperenY-cs May 14, 2024
e3c488d
Ruff checks were made. Warnings fixed.
AlperenY-cs May 14, 2024
dd04163
Ruff checks were made on unittest parser. Warnings fixed.
AlperenY-cs May 14, 2024
bd754d6
Changed file loading process to use json.load instead of json.loads
AlperenY-cs May 15, 2024
e6ab56f
Dedupe_algo changed to hash_code. Performance improvements and fixes …
AlperenY-cs May 22, 2024
9d04ce8
Corrections were made in accordance with DRY principles.
AlperenY-cs May 22, 2024
1889619
html2text import fix
AlperenY-cs May 23, 2024
eb139ec
Added settings hash
AlperenY-cs Jun 6, 2024
7590a20
Checksum changed
AlperenY-cs Jun 6, 2024
f8f2516
Merge branch 'dev' of github.com:DefectDojo/django-DefectDojo into ra…
Maffooch Aug 2, 2024
68a57af
Correct ruff errors
Maffooch Aug 2, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 9 additions & 0 deletions docs/content/en/integrations/parsers/file/rapplex.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
---
title: "Rapplex Scan"
toc_hide: true
---
Import JSON report of [Rapplex - Web Application Security Scanner](https://rapplex.com)


### Sample Scan Data
Sample Rapplex scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/rapplex).
1 change: 1 addition & 0 deletions dojo/settings/.settings.dist.py.sha256sum
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
d73aa6171cebc58c16249684b86704bbe6bd97b542d1ca2477d3834d97ed00da
4 changes: 3 additions & 1 deletion dojo/settings/settings.dist.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1257,7 +1257,8 @@ def saml2_attrib_map_format(dict):
'Snyk Code Scan': ['vuln_id_from_tool', 'file_path'],
'Bearer CLI': ['title', 'severity'],
'Nancy Scan': ['title', 'vuln_id_from_tool'],
'Wiz Scan': ['title', 'description', 'severity']
'Wiz Scan': ['title', 'description', 'severity'],
'Rapplex Scan': ['title', 'endpoints', 'severity'],
}

# Override the hardcoded settings here via the env var
Expand Down Expand Up @@ -1474,6 +1475,7 @@ def saml2_attrib_map_format(dict):
'Nosey Parker Scan': DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE,
'Bearer CLI': DEDUPE_ALGO_HASH_CODE,
'Wiz Scan': DEDUPE_ALGO_HASH_CODE,
'Rapplex Scan': DEDUPE_ALGO_HASH_CODE,
}

# Override the hardcoded settings here via the env var
Expand Down
Empty file added dojo/tools/rapplex/__init__.py
View file
Open in desktop
Empty file.
75 changes: 75 additions & 0 deletions dojo/tools/rapplex/parser.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,75 @@
import json
from datetime import datetime

from html2text import html2text

from dojo.models import Endpoint, Finding


class RapplexParser:
"""
Rapplex - Web Application Security Scanner
"""
def get_scan_types(self):
return ["Rapplex Scan"]

def get_label_for_scan_types(self, scan_type):
return "Rapplex Scan"

def get_description_for_scan_types(self, scan_type):
return "Import Rapplex JSON report."

def get_findings(self, filename, test):
data = json.load(filename)
findings = []
severities = ["Information", "Low", "Medium", "High", "Critical"]

for severity in severities:
current_severity = data.get("Severities", {}).get(severity)
if not current_severity:
continue

main_issue_groups = current_severity.get("IssueGroups", [])
for main_issue_group in main_issue_groups:
issues = main_issue_group.get("Issues", [])

for issue in issues:
formatted_date = datetime.strptime(data.get("StartedDate", ""), "%d/%m/%Y %H:%M:%S").strftime("%Y-%m-%d")
severity_level = current_severity.get("Name", "")
title = issue.get("Title", "")
url = issue.get("Url", "")
req = issue.get("HttpRequest", "")
res = issue.get("HttpResponse", "")
issue_definition = main_issue_group.get("Definition", {})

cwe_val = None
for classification in issue_definition.get("Classifications", []):
if classification.get("Foundation") == "CWE":
cwe_val = classification.get("Value")
break

issue_sections = issue_definition.get("Sections", {})
ref = html2text(issue_sections.get("References", ""))
rem = issue_sections.get("Remediation", "")
sum = issue_sections.get("Summary", "")

finding = Finding(
title=title,
test=test,
severity=severity_level,
date=formatted_date,
description=sum,
mitigation=rem,
cwe=cwe_val,
references=ref,
active=True,
)

finding.unsaved_request = req
finding.unsaved_response = res

endpoint = Endpoint.from_uri(url)
finding.unsaved_endpoints.append(endpoint)

findings.append(finding)
return findings
685 changes: 685 additions & 0 deletions unittests/scans/rapplex/rapplex_many_vul.json
View file
Open in desktop

Large diffs are not rendered by default.

237 changes: 237 additions & 0 deletions unittests/scans/rapplex/rapplex_one_vul.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,237 @@
{
"ScanId": "a2azd6fe",
"Target": "http://testphp.vulnweb.com/",
"Description": null,
"CreatedDate": "05/03/2024 10:14:05",
"StartedDate": "05/03/2024 10:14:05",
"ScanTime": 30,
"ScanTimeAsStr": "30s",
"ScanPolicy": {
"Title": "Default",
"Scope": {
"CrawlDepth": 5,
"OnlySameOrigin": true,
"EnableParentPath": false,
"AllowSubDomain": false,
"BaseDomain": null,
"InScopeDomains": [],
"PreferMobileVersion": false,
"MobileDevice": null,
"MaximumLinks": 500,
"MaximumFilesPerFolder": 30,
"MaximumAttackToRecurringParam": 5
},
"SecurityChecks": "<div class=\"legend\">Q = Query String\r\nP = Post\r\nH = Header\r\nC = Cookie\r\nU = Url\r\nR = Url Rewrite\r\nE = Extra Parameter\r\n</div>Engine Q P H C U R E\r\n====================================================\r\nBackup Files [ ] [ ] [ ] [ ] [X] [ ] [ ]\r\nCORS Tests [ ] [ ] [X] [ ] [ ] [ ] [ ]\r\nDOM based XSS [ ] [ ] [ ] [ ] [X] [ ] [ ]\r\nFile Upload [ ] [X] [ ] [ ] [ ] [ ] [ ]\r\nOpen Redirect [X] [X] [ ] [ ] [ ] [X] [ ]\r\nShort (8.3) Files [ ] [ ] [ ] [ ] [X] [ ] [ ]\r\nCommand Injection [X] [X] [ ] [ ] [ ] [X] [ ]\r\nHeader Injection [X] [X] [ ] [ ] [ ] [X] [ ]\r\nFile Inclusion [X] [X] [ ] [ ] [ ] [X] [ ]\r\nCode Injection [X] [X] [ ] [ ] [ ] [X] [ ]\r\nSQL Injection [X] [X] [ ] [ ] [ ] [X] [ ]\r\nHTML Injection [X] [X] [ ] [ ] [ ] [X] [X]\r\n",
"EnabledAuthentication": false,
"Connection": {
"IsRateLimited": false,
"Rate": 100,
"Failure": "AutoRetry",
"MaxRetryCount": 3
}
},
"Fingerprinting": {
"IsEnabled": true,
"Groups": [
{
"Title": "Web Server",
"Items": [
{
"Title": "nginx",
"Value": 100
}
]
},
{
"Title": "Programming Language",
"Items": [
{
"Title": "PHP",
"Value": 100
}
]
},
{
"Title": "Operating System",
"Items": [
{
"Title": "Linux",
"Value": 100
}
]
},
{
"Title": "Database",
"Items": [
{
"Title": "MySQL",
"Value": 100
}
]
}
]
},
"Severities": {
"Information": {
"Name": "Information",
"IssueGroups": [],
"Total": 0
},
"Low": {
"Name": "Low",
"IssueGroups": [],
"Total": 0
},
"Medium": {
"Name": "Medium",
"IssueGroups": [],
"Total": 0
},
"High": {
"Name": "High",
"IssueGroups": [],
"Total": 0
},
"Critical": {
"Name": "Critical",
"IssueGroups": [
{
"gIndex": 0,
"Group": "SQL Injection",
"Severity": "Critical",
"Definition": {
"MarkdownContent": null,
"Title": "SQL Injection",
"Severity": "Critical",
"Sections": {
"Classification": "<p>PCI 3.2-6.5.1, OWASP 2013-A1, CWE 89, WASC 19</p>",
"Summary": "<p>SQL Injection is an attack technique used to exploit applications that construct SQL statements from user-supplied input. When successful, the attacker is able to change the logic of SQL statements executed against the database.</p>\n<p>With a successful attack, an attacker can gain:</p>\n<ul>\n<li><strong>Unauthorized access to an application</strong>: An attacker can successfully bypass an application's authentication mechanism to have illegitimate access to it.</li>\n<li><strong>Information disclosure</strong>: A SQL injection attack could lead to a complete data leakage from the database server.</li>\n<li><strong>Loss of data availability</strong>: An attacker can delete records from the database server.</li>\n<li><strong>Compromised data integrity</strong>: As SQL statements are also used to modify or add the record, an attacker can use SQL injection to modify or add data stored in a database. This would lead to compromised data integrity.</li>\n</ul>",
"Remediation": "<ul>\n<li>Whitelisting is the best practice to validate input against blacklisting whenever it is practicable.</li>\n<li>Do not create SQL queries with string concatenation. Instead use prepared statements or stored procedures.</li>\n</ul>",
"References": "<ul>\n<li><a href=\"http://projects.webappsec.org/SQL-Injection\">SQL Injection</a></li>\n<li><a href=\"https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet\">SQL Injection Prevention Cheat Sheet</a></li>\n<li><a href=\"http://cwe.mitre.org/data/definitions/89.html\">Improper Neutralization of Special Elements used in an SQL Command</a></li>\n<li><a href=\"https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\">CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H</a></li>\n</ul>"
},
"References": [
{
"Title": "SQL Injection",
"Link": "http://projects.webappsec.org/SQL-Injection"
},
{
"Title": "SQL Injection Prevention Cheat Sheet",
"Link": "https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet"
},
{
"Title": "Improper Neutralization of Special Elements used in an SQL Command",
"Link": "http://cwe.mitre.org/data/definitions/89.html"
},
{
"Title": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"Link": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
}
],
"Classifications": [
{
"Foundation": "PCI",
"Version": "3.2",
"Value": "6.5.1",
"Formatted": "PCI 3.2-6.5.1"
},
{
"Foundation": "OWASP",
"Version": "2013",
"Value": "A1",
"Formatted": "OWASP 2013-A1"
},
{
"Foundation": "CWE",
"Version": "",
"Value": "89",
"Formatted": "CWE 89"
},
{
"Foundation": "WASC",
"Version": "",
"Value": "19",
"Formatted": "WASC 19"
}
]
},
"Issues": [
{
"vIndex": 61,
"Title": "SQL Injection",
"Severity": "Critical",
"Url": "http://testphp.vulnweb.com/listproducts.php?cat=1",
"Path": "/listproducts.php?cat=1",
"Html": null,
"IsR2Visible": true,
"HttpRequest": "GET /listproducts.php?cat=1%20AND%20GTID_SUBSET(CONCAT(0x3a%2c0x35714C314E6A33633731306E)%2c6148) HTTP/1.1\nCache-Control: no-cache\nAccept-Encoding: gzip, deflate\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\nAccept-Language: en-us,en;q=0.5\nAccept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\nUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5\nReferer: http://testphp.vulnweb.com/categories.php\nHost: testphp.vulnweb.com\n\n",
"HttpResponse": "HTTP/1.1 200 OK\nConnection: keep-alive\nDate: Fri, 03 May 2024 07:18:31 GMT\nTransfer-Encoding: chunked\nServer: nginx/1.19.0\nX-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1\nContent-Encoding: gzip\nContent-Type: text/html; charset=UTF-8\n\r\n\r\n<ellipsis>...</ellipsis>\r\neBeginEditable name=&quot;content_rgn&quot; --&gt;\n&lt;div id=&quot;content&quot;&gt;\n\tError: Malformed GTID set specification &#39;:<mark>5qL1Nj3c710n</mark>&#39;.\nWarning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /hj/var/www/lis\r\n<ellipsis>...</ellipsis>\r\n",
"ResponseTime": null,
"Active": true,
"Exploitable": true,
"Payload": "1 AND GTID_SUBSET(CONCAT(0x3a,0x35714C314E6A33633731306E),6148)",
"InjectionPoint": {
"Name": "cat",
"Type": "QueryString"
},
"CommentGroups": [
{
"Name": "Proof",
"Items": [
{
"Title": "Database Type",
"Text": "MySQL",
"Note": null
},
{
"Title": "Database Version",
"Text": "8.0.22-0ubuntu0.20.04.2",
"Note": null
},
{
"Title": "Tables",
"Text": "artists (adesc,aname,artist_id)\r\ncarts (cart_id,item,price)\r\ncateg (cat_id,cdesc,cname)\r\nfeatured (feature_text,pic_id)\r\nguestbook (mesaj,sender,senttime)\r\npictures (a_id,cat_id,img,pic_id,plong,price,pshort,title)\r\nproducts (description,id,name,price,rewritename)\r\nusers (address,cart,cc,email,name,pass,phone,uname)\r\n",
"Note": null
}
]
},
{
"Name": "WAF",
"Items": [
{
"Title": "Cloudflare",
"Text": "Rule name: SQL Injection - Rapplex\r\n\r\nRule: http.request.query eq 1 AND GTID_SUBSET(CONCAT(0x3a,0x35714C314E6A33633731306E),6148)\r\n\r\nAction: Block",
"Note": "This rule can be imported via Cloudflare dashboard."
},
{
"Title": "TR7",
"Text": "Etkinlik durumu: Devrede\r\nAçıklama: 89277915 - Rapplex Ruleset\r\nRegex: 1\\ AND\\ GTID_SUBSET\\(CONCAT\\(0x3a,0x35714C314E6A33633731306E\\),6148\\)\r\nRisk ölçeği: Kritik\r\n\r\nSaldırı alanı;\r\n- Path\r\n- Query\r\n- Header\r\n- From\r\n- JSON\r\n- XML\r\n- RAW",
"Note": "This rule can be imported with TR7 dashboard."
},
{
"Title": "F5 BIG-IP",
"Text": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<vulnerabilities>\r\n <vulnerability>\r\n <attack_type>SQL-Injection</attack_type>\r\n <name>SQL Injection</name>\r\n <url><![CDATA[http://testphp.vulnweb.com/listproducts.php?cat=1]]></url>\r\n <parameter><![CDATA[cat]]></parameter>\r\n <threat>Critical</threat>\r\n <severity>Critical</severity>\r\n </vulnerability>\r\n</vulnerabilities>",
"Note": ""
},
{
"Title": "FortiWeb",
"Text": "config waf custom-protection-rule\r\n edit Rapplex - SQL Injection\r\n set type Request\r\n set action alert_deny\r\n set severity High\r\n config meet-condition\r\n edit <Fill with unique value>\r\n set request-target REQUEST_URI\r\n set pattern 1 AND GTID_SUBSET(CONCAT(0x3a,0x35714C314E6A33633731306E),6148)\r\n next\r\n end\r\n next\r\nend",
"Note": "This rule is compatible with FortiWeb 7.4.0+"
},
{
"Title": "ModSecurity",
"Text": "SecRule REQUEST_URI '1 AND GTID_SUBSET(CONCAT(0x3a,0x35714C314E6A33633731306E),6148)' 'id: <Fill with unique id value>', t:none, deny, log, msg:'SQL Injection - Rapplex'",
"Note": ""
}
]
}
],
"Comment": null
}
]
}
],
"Total": 1
}
}
}

Loading