From bb81c5c43019e3e2c24065d6895798916dd0050b Mon Sep 17 00:00:00 2001
From: SOOS-JAlvarez
Date: Tue, 15 Nov 2022 13:42:08 -0300
Subject: [PATCH 1/3] PA-7272 Added request/response headers to report
---
Dockerfile | 15 +++++++--------
README.md | 2 +-
VERSION.txt | 2 +-
helpers/blindxss.py | 4 ++--
helpers/constants.py | 4 ++--
main.py | 28 ++++++++++++----------------
6 files changed, 25 insertions(+), 30 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 55daf84..d92a2e2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,14 +7,13 @@ COPY ./main.py ./requirements.txt ./VERSION.txt ./
 COPY ./helpers helpers/
 COPY ./hooks hooks/
 COPY ./model model/
-COPY ./scripts/httpsender /home/zap/.ZAP_D/scripts/scripts/httpsender/
-RUN chmod 777 /home/zap/.ZAP_D/scripts/scripts/httpsender/
-
-# Needed for reportRequestHeaders option, disabled until functionality is pulled into stable zap release
-# COPY ./reports/traditional-json /zap/reports/traditional-json
-# COPY ./reports/traditional-json-headers /zap/reports/traditional-json-headers
-# RUN chmod -R 444 /zap/reports/traditional-json
-# RUN chmod -R 444 /zap/reports/traditional-json-headers
+COPY ./scripts/httpsender /home/zap/.ZAP/scripts/scripts/httpsender/
+RUN chmod 777 /home/zap/.ZAP/scripts/scripts/httpsender/
+
+COPY ./reports/traditional-json /zap/reports/traditional-json
+COPY ./reports/traditional-json-headers /zap/reports/traditional-json-headers
+RUN chmod -R 444 /zap/reports/traditional-json
+RUN chmod -R 444 /zap/reports/traditional-json-headers
 RUN pip3 install -r requirements.txt && mkdir /zap/wrk && cd /opt \
 && wget -qO- -O geckodriver.tar.gz https://github.com/mozilla/geckodriver/releases/download/v0.30.0/geckodriver-v0.30.0-linux64.tar.gz \
diff --git a/README.md b/README.md
index 6790653..4a5ca5b 100644
--- a/README.md
+++ b/README.md
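Review bot: `RUN chmod 777 /home/zap/.ZAP/scripts/scripts/httpsender/` leaves the directory ZAP loads httpsender scripts from world-writable, so any process that ends up running in the container under another user could drop a script there that ZAP then runs against every request it sends. The scripts are copied in at build time, so the directory only needs to be readable by ZAP and, if ZAP writes into it at runtime, writable by its own user (presumably `zap`, given the home path): `RUN chown -R zap:zap /home/zap/.ZAP/scripts/scripts/httpsender/ && chmod 755 /home/zap/.ZAP/scripts/scripts/httpsender/`. The same `/home/zap/.ZAP` prefix is now hard-coded here, in helpers/constants.py and in helpers/blindxss.py; a single `ARG ZAP_HOME=/home/zap/.ZAP` used in both `COPY` and `RUN` lines would keep the next ZAP-layout rename to one place per file. Since the path depends on the ZAP release the base image ships, it is worth stating in a comment which base image tag this layout was verified against.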
@@ -69,7 +69,7 @@ The basic command to run a baseline scan would look like:
 | `--buildVersion` | None | Version of application build artifacts |
 | `--buildURI` | None | URI to CI build info |
 | `--operatingEnvironment` | None | Set Operating environment for information purposes only |
-| `--reportRequestHeaders` | False | (Temporarily Unavailable) Include request/response headers data in report |
+| `--reportRequestHeaders` | False | Include request/response headers data in report |
 | `--outputFormat` | None | Output format for vulnerabilities: only the value SARIF is available at the moment |
 | `--gpat` | None | GitHub Personal Authorization Token |
 | `--bearerToken` | None | Bearer token to authenticate |
diff --git a/VERSION.txt b/VERSION.txt
index 5b09c67..a970716 100644
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-1.0.14
+1.0.15
diff --git a/helpers/blindxss.py b/helpers/blindxss.py
index dbf602c..6f7731f 100644
--- a/helpers/blindxss.py
+++ b/helpers/blindxss.py
@@ -21,14 +21,14 @@ def load(config: DASTConfig, zap):
 def replace_collector_uri(uri):
- template_script_path = '/home/zap/.ZAP_D/scripts/scripts/active/blindxss.js'
+ template_script_path = '/home/zap/.ZAP/scripts/scripts/active/blindxss.js'
 file_data = read_file(file_path=template_script_path)
 file_data = file_data.replace('callbackdomain.com', uri)
 random_suffix = randint(1000, 9999)
- script_path = f'/home/zap/.ZAP_D/scripts/scripts/active/bxxs_{random_suffix}.js'
+ script_path = f'/home/zap/.ZAP/scripts/scripts/active/bxxs_{random_suffix}.js'
 with open(script_path, 'w') as file:
 file.write(file_data)
 return script_path
diff --git a/helpers/constants.py b/helpers/constants.py
index 5aea7e1..821ff99 100644
--- a/helpers/constants.py
+++ b/helpers/constants.py
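Review bot: `template_script_path` and `script_path` hard-code `/home/zap/.ZAP/scripts/scripts/active/` even though this same patch sets `ZAP_ACTIVE_SCAN_SCRIPTS_FOLDER_PATH` in helpers/constants.py to exactly that value; deriving them from the constant (`template_script_path = f'{ZAP_ACTIVE_SCAN_SCRIPTS_FOLDER_PATH}blindxss.js'` and `script_path = f'{ZAP_ACTIVE_SCAN_SCRIPTS_FOLDER_PATH}bxxs_{random_suffix}.js'`, importing it if blindxss.py does not already) would have made this rename a one-line change and is the same remark for the constants.py hunk. `uri` is spliced into the JavaScript template by plain `str.replace`, so a value containing a quote or newline yields a broken or unintended script; if the collector URI comes from user configuration it should be validated as a URL before substitution. The generated `bxxs_<suffix>.js` is written into ZAP's active-script directory and nothing in the hunk removes it afterwards, so repeated runs accumulate scripts there. The enclosing `load` function starts outside the hunk.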
@@ -72,5 +72,5 @@ # ZAP SCRIPTS
-ZAP_ACTIVE_SCAN_SCRIPTS_FOLDER_PATH = "/home/zap/.ZAP_D/scripts/scripts/active/"
-ZAP_HTTP_SENDER_SCRIPTS_FOLDER_PATH = "/home/zap/.ZAP_D/scripts/scripts/httpsender/"
+ZAP_ACTIVE_SCAN_SCRIPTS_FOLDER_PATH = "/home/zap/.ZAP/scripts/scripts/active/"
+ZAP_HTTP_SENDER_SCRIPTS_FOLDER_PATH = "/home/zap/.ZAP/scripts/scripts/httpsender/"
diff --git a/main.py b/main.py
index 388e183..301e6c8 100644
--- a/main.py
+++ b/main.py
@@ -242,11 +242,7 @@ def parse_configuration(self, configuration: Dict, target_url: str):
 elif key =="bearerToken":
 self.auth_bearer_token = value
 elif key == "reportRequestHeaders":
- if str.lower(value) == "true":
- self.report_request_headers = True
- log("Argument 'reportRequestHeaders' is temporarily disabled, parameter will be ignored.")
- else:
- self.report_request_headers = False
+ self.report_request_headers = True if str.lower(value) == "true" else False
 elif key == "onFailure":
 self.on_failure = value
 elif key == "checkoutDir":
@@ -865,9 +861,9 @@ def parse_args(self) -> None:
 )
 parser.add_argument(
 "--reportRequestHeaders",
- help="(Temporarily Unavailable) Include request/response headers data in report",
+ help="Include request/response headers data in report",
 type=str,
- default="False",
+ default="True",
 required=False
 )
 parser.add_argument(
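Review bot: `self.report_request_headers = True if str.lower(value) == "true" else False` wraps a boolean expression in a redundant conditional; `self.report_request_headers = value.lower() == "true"` reads the same and is what a linter will suggest. The removed `log(...)` was the only place the user learned how the flag was treated, and now that it is honoured a DEBUG-level log of the parsed value would let a report that unexpectedly contains, or lacks, headers be traced back to the configuration. `parse_configuration` continues outside the hunk on both sides.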
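Review bot: `default="True"` makes header capture opt-out, and the headers ZAP records include whatever the scanner itself sends — the `--bearerToken` and `--gpat` values registered by this same parser, if they are injected into requests, plus any session cookies the target sets — so credentials land in the report by default rather than by choice. Nothing in the patch shows the `traditional-json-headers` template redacting `Authorization`, `Cookie` or `Set-Cookie`, so the safer default is `default="False"` (keeping the README's earlier wording), or a redaction step before the report leaves the container if the headers are to be on by default. Either way the help text should say that headers may carry credentials so the user can make the call. `parse_args` continues outside the hunk.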
@@ -993,15 +989,15 @@ def run_analysis(self) -> None:
 exit_app(f"The scan mode {self.scan_mode} is invalid.")
 return None
- # log(f"Copying report templates. Include request headers: {self.report_request_headers}", log_level=LogLevel.DEBUG)
- # os.system("mkdir -p ~/.ZAP_D/reports")
- # os.system("mkdir -p /root/.ZAP_D/reports")
- # if self.report_request_headers is True:
- # os.system("cp -R /zap/reports/traditional-json-headers ~/.ZAP_D/reports/traditional-json")
- # os.system("cp -R /zap/reports/traditional-json-headers /root/.ZAP_D/reports/traditional-json")
- # else:
- # os.system("cp -R /zap/reports/traditional-json ~/.ZAP_D/reports/traditional-json")
- # os.system("cp -R /zap/reports/traditional-json /root/.ZAP_D/reports/traditional-json")
+ log(f"Copying report templates. Include request headers: {self.report_request_headers}", log_level=LogLevel.DEBUG)
+ os.system("mkdir -p ~/.ZAP/reports")
+ os.system("mkdir -p /root/.ZAP/reports")
+ if self.report_request_headers is True:
+ os.system("cp -R /zap/reports/traditional-json-headers ~/.ZAP/reports/traditional-json")
+ os.system("cp -R /zap/reports/traditional-json-headers /root/.ZAP/reports/traditional-json")
+ else:
+ os.system("cp -R /zap/reports/traditional-json ~/.ZAP/reports/traditional-json")
+ os.system("cp -R /zap/reports/traditional-json /root/.ZAP/reports/traditional-json")
 command: str = scan_function()
From b96ea9ba920d60cc9e5799a81aa908e2e192e629 Mon Sep 17 00:00:00 2001
From: SOOS-JAlvarez
Date: Tue, 15 Nov 2022 13:47:30 -0300
Subject: [PATCH 2/3] removed old credentials
---
tests/tests.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/tests.py b/tests/tests.py
index 061bfb3..a1e8f63 100644
--- a/tests/tests.py
+++ b/tests/tests.py
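Review bot: The return codes of the four `os.system("cp -R ...")` calls are discarded, so if `/zap/reports/traditional-json-headers` is missing or unreadable the scan carries on and silently produces a report from whichever template ZAP finds, defeating the `reportRequestHeaders` setting the user chose. `cp -R src dest` also nests `src` inside `dest` when `dest` already exists, so a second run in the same container, or a pre-existing `~/.ZAP/reports/traditional-json`, ends up with `traditional-json/traditional-json-headers` instead of the replaced template. Doing the copy with `shutil.copytree(..., dirs_exist_ok=True)` raises on failure, merges into an existing destination and avoids spawning a shell; it needs `import shutil` at the top of main.py (not visible here) and `dirs_exist_ok` requires Python 3.8+, which I cannot confirm from the patch. `run_analysis` continues outside the hunk on both sides.

```python
        # … unchanged: scan-mode dispatch and exit_app on an invalid mode …
        log(f"Copying report templates. Include request headers: {self.report_request_headers}", log_level=LogLevel.DEBUG)
        template = "traditional-json-headers" if self.report_request_headers else "traditional-json"
        source = os.path.join("/zap/reports", template)
        for reports_dir in (os.path.expanduser("~/.ZAP/reports"), "/root/.ZAP/reports"):
            target = os.path.join(reports_dir, "traditional-json")
            os.makedirs(reports_dir, exist_ok=True)
            # Merge into an existing template dir instead of nesting a copy inside it;
            # a missing or unreadable source raises rather than being ignored.
            shutil.copytree(source, target, dirs_exist_ok=True)
        # … unchanged: command: str = scan_function() …
```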
@@ -3,8 +3,8 @@ import unittest
 SCAN_COMMAND = ["python3", "main.py"]
-SOOS_CLIENT_ID_DEV = "c4337d37a91c0180875d901c0d8810ea44b1735ac4a00ca6c0afed13ae0ee48a"
-SOOS_API_KEY_DEV = "N2FiNjM1YzItOGE0My00MGE1LWE0ZWMtODYxNTNlODViZGIx"
+SOOS_CLIENT_ID_DEV = ""
+SOOS_API_KEY_DEV = ""
 DEV_ENV = "https://dev-api.soos.io/api/"
From 354fa5bbbccf7d300a89aeea5feaae908e7fc76b Mon Sep 17 00:00:00 2001
From: SOOS-JAlvarez
Date: Tue, 15 Nov 2022 13:53:15 -0300
Subject: [PATCH 3/3] missed update default value on readme
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 4a5ca5b..ebe085a 100644
--- a/README.md
+++ b/README.md
@@ -69,7 +69,7 @@ The basic command to run a baseline scan would look like:
 | `--buildVersion` | None | Version of application build artifacts |
 | `--buildURI` | None | URI to CI build info |
 | `--operatingEnvironment` | None | Set Operating environment for information purposes only |
-| `--reportRequestHeaders` | False | Include request/response headers data in report |
+| `--reportRequestHeaders` | True | Include request/response headers data in report |
 | `--outputFormat` | None | Output format for vulnerabilities: only the value SARIF is available at the moment |
 | `--gpat` | None | GitHub Personal Authorization Token |
 | `--bearerToken` | None | Bearer token to authenticate |
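Review bot: Blanking `SOOS_CLIENT_ID_DEV` and `SOOS_API_KEY_DEV` does not revoke the credentials that were committed; the old values remain in the repository history (this patch itself reproduces them), so the pair should be rotated on the SOOS side if it was ever live, whatever the subject line calls it. Reading them from the environment, `SOOS_CLIENT_ID_DEV = os.environ.get("SOOS_CLIENT_ID_DEV", "")` and likewise for the key (with `import os` beside `import unittest`), keeps the replacement pair out of source control and lets CI inject it as a secret. With empty strings the tests will presumably fail against `DEV_ENV` at request time rather than be skipped, so a `@unittest.skipUnless(SOOS_CLIENT_ID_DEV and SOOS_API_KEY_DEV, "SOOS dev credentials not set")` guard on the affected cases would make the intent explicit.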