Add a typo3 security vulnerability scanner

[rseedorff]

🚓 New Scanner implementation request

Is your feature request related to a problem

As a security analyst i would like to use the secureCodeBox to check my external attack surface. Especially CMS systems like Wordpress or Typo3 are common systems that may introduce new vulnerabilites on a regular basis.

The BlogPost of @JavanXD https://javan.de/securing-typo3-cms-new-security-scanner/ also motivates this topic.

Describe the solution you'd like

Since the secureCodeBox already supports the Wordpress scanner WPScan it would be great to also add at least one Typo3 scanner. There are two candidates (referring to the blog post):

• https://github.com/JavanXD/Typo3AccessChecker – Check if Typo3 security guidelines are followed.
• https://github.com/whoot/Typo3Scan – Typo3 Enumerator: Enumerates extensions to gain information about outdated and

Describe alternatives you've considered

Additional context

• https://javan.de/securing-typo3-cms-new-security-scanner/
• https://github.com/JavanXD/Typo3AccessChecker – Check if Typo3 security guidelines are followed.
• https://github.com/whoot/Typo3Scan – Typo3 Enumerator: Enumerates extensions to gain information about outdated and vulnerable extensions.

Steps to implement a new scanner

Hint: A general guide how to implement a new SCB scanner is documented here

• Create a new folder with the name of the scanner here
• Add a README.gotmpl and give a brief overview of the scanner and its configuration options.
• Add a HelmChart and document all configuration options.
• Implement a new scanner specific scan-type.yaml
• Implement a new scanner specific parse-definition.yaml
• Add (optional) some cascading-rules.yaml like documented here
• Add (optional) a Dockerfile for the scanner if there is no existing one publicly available on dockerHub
• Use the parser-SDK to implement a new findings parser (currently based on NodeJS)
• Add unit tests with at minimum 80% test coverage
• Add some example scan.yaml and finding.yaml files in the example folder
• Implement a new integration or E2E test for the hook here

[J12934]

Followup Tasks (still open):

• Intergration Tests against local vuln / outdated typo3 docker image
• Cascading Rule to trigger when whatweb / nmap with service detection / nikto detects a typo3 instance to automatically start a typo3scan test against the identified instance.