-
Notifications
You must be signed in to change notification settings - Fork 149
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #248 from secureCodeBox/scanner/acstis
New Scanner: AngularJS CSTI Scanner (closes #216)
- Loading branch information
Showing
21 changed files
with
760 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
.DS_Store | ||
|
||
parser/ | ||
scanner/ | ||
examples/ | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
apiVersion: v1 | ||
name: angularja-csti-scanner | ||
description: A Helm chart for the angularja csti scanner that integrates with the secureCodeBox. | ||
|
||
type: application | ||
# version - gets automatically set to the secureCodeBox release version when the helm charts gets published | ||
version: latest | ||
appVersion: 3.0.6 | ||
kubeVersion: ">=v1.11.0-0" | ||
|
||
keywords: | ||
- security | ||
- acstis | ||
- scanner | ||
- secureCodeBox | ||
home: https://docs.securecodebox.io/docs/scanners/angularja-csti-scanner | ||
icon: https://docs.securecodebox.io/img/integrationIcons/Acstis.svg | ||
sources: | ||
- https://github.com/secureCodeBox/secureCodeBox | ||
maintainers: | ||
- name: iteratec GmbH | ||
email: secureCodeBox@iteratec.com | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,149 @@ | ||
--- | ||
title: "Angularjs CSTI Scanner" | ||
category: "scanner" | ||
type: "Repository" | ||
state: "in progress" | ||
usecase: "Find AngularJS websites vulnerable to template injections" | ||
--- | ||
|
||
![acstis logo](https://rawgit.com/tijme/angularjs-csti-scanner/master/.github/logo.svg?pypi=png.from.svg) | ||
|
||
AngularJS Client-Side Template Injection Scanner (acstis) is a open source scanner for | ||
finding possible template injection vulnerabilities on websites using AngularJS. | ||
|
||
For more information visit the projects github site <https://github.com/tijme/angularjs-csti-scanner> | ||
|
||
## Deployment | ||
|
||
The gitleaks scanner can be deployed with helm: | ||
|
||
```bash | ||
helm upgrade --install acstis secureCodeBox/acstis | ||
``` | ||
|
||
## Scanner configuration | ||
|
||
The only mandatory parameter is: | ||
- `-d`: The url to scan (e.g. https://angularjs.org/). | ||
|
||
Optional arguments: | ||
|
||
```bash | ||
-c, --crawl use the crawler to scan all the entire domain | ||
-vp, --verify-payload use a javascript engine to verify if the payload was executed (otherwise false positives may occur) | ||
-av ANGULAR_VERSION, --angular-version ANGULAR_VERSION manually pass the angular version (e.g. 1.4.2) if the automatic check doesn't work | ||
-vrl VULNERABLE_REQUESTS_LOG, --vulnerable-requests-log VULNERABLE_REQUESTS_LOG log all vulnerable requests to this file (e.g. /var/logs/acstis.log or urls.log) | ||
-siv, --stop-if-vulnerable (crawler option) stop scanning if a vulnerability was found | ||
-pmm, --protocol-must-match (crawler option) only scan pages with the same protocol as the startpoint (e.g. only https) | ||
-sos, --scan-other-subdomains (crawler option) also scan pages that have another subdomain than the startpoint | ||
-soh, --scan-other-hostnames (crawler option) also scan pages that have another hostname than the startpoint | ||
-sot, --scan-other-tlds (crawler option) also scan pages that have another tld than the startpoint | ||
-md MAX_DEPTH, --max-depth MAX_DEPTH (crawler option) the maximum search depth (default is unlimited) | ||
-mt MAX_THREADS, --max-threads MAX_THREADS (crawler option) the maximum amount of simultaneous threads to use (default is 20) | ||
-iic, --ignore-invalid-certificates (crawler option) ignore invalid ssl certificates | ||
``` | ||
**Do not** override the option `-vrl` or `--vulnerable-requests-log`. It is already configured for automatic findings parsing. | ||
### Request configuration | ||
Because *acstis* does not provide provide command line arguments for configuring the sent requests, | ||
you have to mount a config map into the scan container on a specific location. Your additional config map should be | ||
mounted to `/acstis/config/acstis-config.py`. For example create a config map: | ||
```bash | ||
kubectl create configmap --from-file /path/to/my/acstis-config.py acstis-config | ||
``` | ||
And mount it into the container: | ||
```yaml | ||
volumes: | ||
- name: "acstis-config" | ||
configMap: | ||
name: "acstis-config" | ||
volumeMounts: | ||
- name: "acstis-config" | ||
mountPath: "/acstis/config/" | ||
``` | ||
#### Configuration options in *acstis-config.py* | ||
Add the following snippets to the *acstis-config.py* file to enable further options. | ||
The options are python code which will be injected into the *acstis* script before execution. | ||
**Basic Authentication** | ||
```text | ||
options.identity.auth = HTTPBasicAuth("username", "password") | ||
``` | ||
**Cookies** | ||
```text | ||
options.identity.cookies.set(name='tasty_cookie', value='yum', domain='finnwea.com', path='/cookies') | ||
options.identity.cookies.set(name='gross_cookie', value='blech', domain='finnwea.com', path='/elsewhere') | ||
``` | ||
**Headers** | ||
```text | ||
options.identity.headers.update({ | ||
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36", | ||
"Authorization": "Bearer ey3jafoe.2jefo..." | ||
}) | ||
``` | ||
**Proxies** | ||
```text | ||
options.identity.proxies = { | ||
# No authentication | ||
# 'http': 'http://host:port', | ||
# 'https': 'http://host:port', | ||
# Basic authentication | ||
# 'http': 'http://user:pass@host:port', | ||
# 'https': 'https://user:pass@host:port', | ||
# SOCKS | ||
'http': 'socks5://user:pass@host:port', | ||
'https': 'socks5://user:pass@host:port' | ||
} | ||
``` | ||
**Scope options** | ||
```text | ||
options.scope.protocol_must_match = False | ||
options.scope.subdomain_must_match = True | ||
options.scope.hostname_must_match = True | ||
options.scope.tld_must_match = True | ||
options.scope.max_depth = None | ||
options.scope.request_methods = [ | ||
Request.METHOD_GET, | ||
Request.METHOD_POST, | ||
Request.METHOD_PUT, | ||
Request.METHOD_DELETE, | ||
Request.METHOD_OPTIONS, | ||
Request.METHOD_HEAD | ||
] | ||
``` | ||
## Chart Configuration | ||
| Key | Type | Default | Description | | ||
|-----|------|---------|-------------| | ||
| image.repository | string | `"docker.io/securecodebox/scanner-acstis"` | Container Image to run the scan | | ||
| image.tag | string | `nil` | defaults to the charts version | | ||
| parseJob.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | ||
| parserImage.repository | string | `"docker.io/securecodebox/parser-acstis"` | Parser image repository | | ||
| parserImage.tag | string | defaults to the charts version | Parser image tag | | ||
| scannerJob.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | ||
| scannerJob.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | | ||
| scannerJob.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | | ||
| scannerJob.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | | ||
| scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | | ||
| scannerJob.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | | ||
| scannerJob.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,136 @@ | ||
--- | ||
title: "Angularjs CSTI Scanner" | ||
category: "scanner" | ||
type: "Repository" | ||
state: "in progress" | ||
usecase: "Find AngularJS websites vulnerable to template injections" | ||
--- | ||
|
||
![acstis logo](https://rawgit.com/tijme/angularjs-csti-scanner/master/.github/logo.svg?pypi=png.from.svg) | ||
|
||
AngularJS Client-Side Template Injection Scanner (acstis) is a open source scanner for | ||
finding possible template injection vulnerabilities on websites using AngularJS. | ||
|
||
For more information visit the projects github site <https://github.com/tijme/angularjs-csti-scanner> | ||
|
||
## Deployment | ||
|
||
The gitleaks scanner can be deployed with helm: | ||
|
||
```bash | ||
helm upgrade --install acstis secureCodeBox/acstis | ||
``` | ||
|
||
## Scanner configuration | ||
|
||
The only mandatory parameter is: | ||
- `-d`: The url to scan (e.g. https://angularjs.org/). | ||
|
||
Optional arguments: | ||
|
||
```bash | ||
-c, --crawl use the crawler to scan all the entire domain | ||
-vp, --verify-payload use a javascript engine to verify if the payload was executed (otherwise false positives may occur) | ||
-av ANGULAR_VERSION, --angular-version ANGULAR_VERSION manually pass the angular version (e.g. 1.4.2) if the automatic check doesn't work | ||
-vrl VULNERABLE_REQUESTS_LOG, --vulnerable-requests-log VULNERABLE_REQUESTS_LOG log all vulnerable requests to this file (e.g. /var/logs/acstis.log or urls.log) | ||
-siv, --stop-if-vulnerable (crawler option) stop scanning if a vulnerability was found | ||
-pmm, --protocol-must-match (crawler option) only scan pages with the same protocol as the startpoint (e.g. only https) | ||
-sos, --scan-other-subdomains (crawler option) also scan pages that have another subdomain than the startpoint | ||
-soh, --scan-other-hostnames (crawler option) also scan pages that have another hostname than the startpoint | ||
-sot, --scan-other-tlds (crawler option) also scan pages that have another tld than the startpoint | ||
-md MAX_DEPTH, --max-depth MAX_DEPTH (crawler option) the maximum search depth (default is unlimited) | ||
-mt MAX_THREADS, --max-threads MAX_THREADS (crawler option) the maximum amount of simultaneous threads to use (default is 20) | ||
-iic, --ignore-invalid-certificates (crawler option) ignore invalid ssl certificates | ||
``` | ||
|
||
**Do not** override the option `-vrl` or `--vulnerable-requests-log`. It is already configured for automatic findings parsing. | ||
|
||
### Request configuration | ||
|
||
Because *acstis* does not provide provide command line arguments for configuring the sent requests, | ||
you have to mount a config map into the scan container on a specific location. Your additional config map should be | ||
mounted to `/acstis/config/acstis-config.py`. For example create a config map: | ||
|
||
```bash | ||
kubectl create configmap --from-file /path/to/my/acstis-config.py acstis-config | ||
``` | ||
|
||
And mount it into the container: | ||
|
||
```yaml | ||
volumes: | ||
- name: "acstis-config" | ||
configMap: | ||
name: "acstis-config" | ||
volumeMounts: | ||
- name: "acstis-config" | ||
mountPath: "/acstis/config/" | ||
``` | ||
|
||
#### Configuration options in *acstis-config.py* | ||
|
||
Add the following snippets to the *acstis-config.py* file to enable further options. | ||
The options are python code which will be injected into the *acstis* script before execution. | ||
|
||
**Basic Authentication** | ||
```text | ||
options.identity.auth = HTTPBasicAuth("username", "password") | ||
``` | ||
|
||
**Cookies** | ||
```text | ||
options.identity.cookies.set(name='tasty_cookie', value='yum', domain='finnwea.com', path='/cookies') | ||
options.identity.cookies.set(name='gross_cookie', value='blech', domain='finnwea.com', path='/elsewhere') | ||
``` | ||
|
||
**Headers** | ||
```text | ||
options.identity.headers.update({ | ||
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36", | ||
"Authorization": "Bearer ey3jafoe.2jefo..." | ||
}) | ||
``` | ||
|
||
**Proxies** | ||
```text | ||
options.identity.proxies = { | ||
# No authentication | ||
# 'http': 'http://host:port', | ||
# 'https': 'http://host:port', | ||
|
||
# Basic authentication | ||
# 'http': 'http://user:pass@host:port', | ||
# 'https': 'https://user:pass@host:port', | ||
|
||
# SOCKS | ||
'http': 'socks5://user:pass@host:port', | ||
'https': 'socks5://user:pass@host:port' | ||
} | ||
``` | ||
|
||
**Scope options** | ||
```text | ||
options.scope.protocol_must_match = False | ||
|
||
options.scope.subdomain_must_match = True | ||
|
||
options.scope.hostname_must_match = True | ||
|
||
options.scope.tld_must_match = True | ||
|
||
options.scope.max_depth = None | ||
|
||
options.scope.request_methods = [ | ||
Request.METHOD_GET, | ||
Request.METHOD_POST, | ||
Request.METHOD_PUT, | ||
Request.METHOD_DELETE, | ||
Request.METHOD_OPTIONS, | ||
Request.METHOD_HEAD | ||
] | ||
``` | ||
|
||
## Chart Configuration | ||
|
||
{{ template "chart.valuesTable" . }} | ||
|
1 change: 1 addition & 0 deletions
1
scanners/angularjs-csti-scanner/examples/scan-single-url/README.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
This example scans a single URL. |
9 changes: 9 additions & 0 deletions
9
scanners/angularjs-csti-scanner/examples/scan-single-url/scan.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
apiVersion: "execution.securecodebox.io/v1" | ||
kind: Scan | ||
metadata: | ||
name: "scan-single-url" | ||
spec: | ||
scanType: "angularjs-csti-scanner" | ||
parameters: | ||
- "-d" | ||
- "https://example.com" |
15 changes: 15 additions & 0 deletions
15
scanners/angularjs-csti-scanner/examples/scan-website-with-options/README.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
To add some headers to the scanners requests create a file called *acstis-config.py* with the following content: | ||
|
||
```text | ||
options.identity.headers.update({ | ||
"Authorization": "Bearer <JWT>" | ||
}) | ||
``` | ||
|
||
Then create a config map from this file: | ||
|
||
```bash | ||
kubectl create configmap --from-file /path/to/my/acstis-config.py acstis-config | ||
``` | ||
|
||
After mounting the config map to the specified path you can execute your scan. |
20 changes: 20 additions & 0 deletions
20
scanners/angularjs-csti-scanner/examples/scan-website-with-options/scan.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
apiVersion: "execution.securecodebox.io/v1" | ||
kind: Scan | ||
metadata: | ||
name: "scan-website-with-jwt" | ||
spec: | ||
scanType: "angularjs-csti-scanner" | ||
parameters: | ||
- "-d" | ||
- "https://example.com" | ||
- "-c" | ||
# you should always specify a max depth when crawling | ||
- "-md" | ||
- "3" | ||
volumes: | ||
- name: "acstis-config" | ||
configMap: | ||
name: "acstis-config" | ||
volumeMounts: | ||
- name: "acstis-config" | ||
mountPath: "/acstis/config/" |
Oops, something went wrong.