
🐛 fix acunetix360 NoneType object #10435#10440

Merged
blakeaowens merged 1 commit into DefectDojo:bugfix from manuel-sommer:acunetix_10435
Jun 21, 2024

Conversation

@manuel-sommer
Contributor

@dryrunsecurity

dryrunsecurity Bot commented Jun 20, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

| DryRun Security | Status | Findings |
| --- | --- | --- |
| Server-Side Request Forgery Analyzer | | 0 findings |
| Configured Codepaths Analyzer | | 0 findings |
| IDOR Analyzer | | 0 findings |
| Sensitive Files Analyzer | | 0 findings |
| SQL Injection Analyzer | | 0 findings |
| Authn/Authz Analyzer | | 0 findings |
| Secrets Analyzer | | 0 findings |

Note: 🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The provided code changes focus on improving the reliability and accuracy of the Acunetix parser in the Defect Dojo application. The changes include the addition of new unit test cases to verify the parsing of different Acunetix scan output files, as well as updates to the parse_acunetix360_json.py module to handle null or missing values more gracefully and enhance the references for the identified findings.

These changes are a positive contribution to the application security functionality of the Defect Dojo project, as they help to ensure the reliability and accuracy of the Acunetix parser, which is a critical component of the vulnerability management process. By improving the handling of Acunetix scan data, the application is better equipped to accurately report and track the identified vulnerabilities, which is essential for effective security management.

Files Changed:

  1. unittests/tools/test_acunetix_parser.py:

    • Added two new test cases to verify the parsing of Acunetix scan output files named "issue_10370.json" and "issue_10435.json".
    • These test cases ensure that the Acunetix parser correctly identifies the findings in the provided scan output files.
  2. unittests/scans/acunetix/issue_10435.json:

    • This file appears to be an update to a JSON file containing the results of a security scan performed by Acunetix on a web application.
    • The scan report identifies a "MissingXFrameOptionsHeader" vulnerability, which indicates that the web application does not have the X-Frame-Options header set, potentially exposing it to clickjacking attacks.
    • The report provides details about the vulnerability, including the HTTP request and response, the URL where the vulnerability was found, and the overall severity (Low).
  3. dojo/tools/acunetix/parse_acunetix360_json.py:

    • The code changes in this file improve the handling of null or missing values in the Acunetix 360 JSON data.
    • The changes include checking for null values in certain fields and setting the corresponding fields in the Finding object accordingly.
    • The code also enhances the references field of the Finding object by adding a link to the Acunetix 360 online issue detail page, providing more context and resources for the identified findings.

Powered by DryRun Security
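The null-tolerant parsing the summary describes, as an added example that is not the DefectDojo parser's own code: the record key names, the constructed sample record and the issue-detail URL pattern are all assumptions.

```python
import json

# Constructed sample of an Acunetix 360-style report. Key names are assumed for
# this example, not taken from the real schema. "Classification" and "HttpRequest"
# are null, which is the shape of input that breaks parsers that index them directly.
SAMPLE_JSON = """
{
  "Vulnerabilities": [
    {
      "Name": "MissingXFrameOptionsHeader",
      "Severity": "Low",
      "Url": "https://target.example/",
      "LookupId": "00000000-0000-0000-0000-000000000000",
      "Classification": null,
      "HttpRequest": null,
      "HttpResponse": {"Content": "HTTP/1.1 200 OK"}
    }
  ]
}
"""

# Assumed link pattern for the online issue detail page (placeholder host).
ISSUE_DETAIL_URL = "https://acunetix360.example/issues/detail/{}"


def parse_vulnerability(item: dict) -> dict:
    """Map one record to a finding dict, tolerating null or missing values."""
    # `or {}` covers both an absent key and an explicit JSON null.
    classification = item.get("Classification") or {}
    http_request = item.get("HttpRequest") or {}
    http_response = item.get("HttpResponse") or {}
    finding = {
        "title": item.get("Name") or "Unnamed finding",
        "severity": item.get("Severity") or "Info",
        "url": item.get("Url") or "",
        "cvss": classification.get("Cvss"),  # stays None when not reported
        "request": http_request.get("Content", ""),
        "response": http_response.get("Content", ""),
        "references": [],
    }
    lookup_id = item.get("LookupId")
    if lookup_id:  # only add the reference when there is an id to link to
        finding["references"].append(ISSUE_DETAIL_URL.format(lookup_id))
    return finding


def parse_report(raw: str) -> list:
    """Parse a whole report; a null or missing vulnerability list yields no findings."""
    data = json.loads(raw)
    return [parse_vulnerability(v) for v in data.get("Vulnerabilities") or []]
```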

Contributor

@mtesauro mtesauro left a comment


Approved

@blakeaowens blakeaowens merged commit 5bcf232 into DefectDojo:bugfix Jun 21, 2024
@manuel-sommer manuel-sommer deleted the acunetix_10435 branch June 21, 2024 22:00