From fab0023a02e749b3aa1671ccf0e405e0f5b32c42 Mon Sep 17 00:00:00 2001 From: Max Maass Date: Mon, 10 Jan 2022 16:29:40 +0100 Subject: [PATCH 1/5] Split ZAP cascadingrule into two rules Analogous to #920, this commit splits the cascading rule for ZAP into two: one for HTTP and one for HTTPS. This allows it to cover HTTP(S) services on nonstandard ports. This also requires adding the port as an extra parameter. Signed-off-by: Max Maass --- scanners/zap/cascading-rules/http.yaml | 4 ++-- scanners/zap/cascading-rules/https.yaml | 21 +++++++++++++++++++++ 2 files changed, 23 insertions(+), 2 deletions(-) create mode 100644 scanners/zap/cascading-rules/https.yaml diff --git a/scanners/zap/cascading-rules/http.yaml b/scanners/zap/cascading-rules/http.yaml index d85ac8b862..f0c25f880b 100644 --- a/scanners/zap/cascading-rules/http.yaml +++ b/scanners/zap/cascading-rules/http.yaml @@ -18,8 +18,8 @@ spec: state: open - category: "Open Port" attributes: - service: https + service: http-* state: open scanSpec: scanType: "zap-baseline-scan" - parameters: ["-t", "{{attributes.service}}://{{$.hostOrIP}}"] + parameters: ["-t", "http://{{$.hostOrIP}}:{{attributes.port}}"] diff --git a/scanners/zap/cascading-rules/https.yaml b/scanners/zap/cascading-rules/https.yaml new file mode 100644 index 0000000000..c4428b2c6e --- /dev/null +++ b/scanners/zap/cascading-rules/https.yaml @@ -0,0 +1,21 @@ +# SPDX-FileCopyrightText: 2021 iteratec GmbH +# +# SPDX-License-Identifier: Apache-2.0 + +apiVersion: "cascading.securecodebox.io/v1" +kind: CascadingRule +metadata: + name: "zap-https" + labels: + securecodebox.io/invasive: non-invasive + securecodebox.io/intensive: medium +spec: + matches: + anyOf: + - category: "Open Port" + attributes: + service: "https*" + state: open + scanSpec: + scanType: "zap-baseline-scan" + parameters: ["-t", "https://{{$.hostOrIP}}:{{attributes.port}}"] From fd9fa92824052122e50ba3c56f0296f04d7daeaa Mon Sep 17 00:00:00 2001 
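Review bot: The new matcher `service: http-*` is the only one of the three http rules in this series left unquoted (the zap-advanced and screenshooter http hunks write `"http-*"`); a plain scalar with an embedded `*` does parse as a string, but `service: "http-*"` keeps the three files identical and removes the alias-sigil question for the next editor. More substantively, the scheme is now fixed to `http://` purely from the service name; if the nmap parser reports a TLS-wrapped HTTP service on a non-standard port as `http` with the tunnel recorded in a separate attribute, that finding would cascade to `http://host:port` and the baseline scan would get nothing useful, so this is worth confirming against the parser's output. A comment on the matcher would record the intent either way, e.g. `# Matches http-* variants (http-alt, http-proxy, …); TLS services are covered by https.yaml`. The same point applies to the zap-advanced and screenshooter http hunks; the preceding anyOf entry (`service: http`) only closes inside this hunk.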
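Review bot: `service: "https*"` relies on wildcard matching in the cascading engine, and nothing in this new file says so; a reader cannot tell from the rule alone whether a plain `https` on 443 is still matched literally or only `https-*` variants are. A one-line comment above the matcher settles it: `# Wildcard: matches https and variants such as https-alt on non-standard ports`. This file, `scanners/zap-advanced/cascading-rules/https.yaml` and `scanners/screenshooter/cascading-rules/https.yaml` are identical apart from name, scanType and intensity, so the comment belongs in all three. Separately, `https://{{$.hostOrIP}}:{{attributes.port}}` yields an unbracketed authority if `hostOrIP` is ever an IPv6 literal; the screenshooter http rule already had that shape before this series, but the newly appended port makes it worth checking how the finding's host is rendered.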
From: Max Maass Date: Mon, 10 Jan 2022 16:34:33 +0100 Subject: [PATCH 2/5] Update test cases to pass with current ZAP plugins Signed-off-by: Max Maass --- scanners/zap/integration-tests/zap.test.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scanners/zap/integration-tests/zap.test.js b/scanners/zap/integration-tests/zap.test.js index b679bff978..5ea36c2f14 100644 --- a/scanners/zap/integration-tests/zap.test.js +++ b/scanners/zap/integration-tests/zap.test.js @@ -17,9 +17,9 @@ test( expect(categories).toMatchInlineSnapshot(` Object { "Content Security Policy (CSP) Header Not Set": 1, + "Missing Anti-clickjacking Header": 1, "Server Leaks Version Information via \\"Server\\" HTTP Response Header Field": 1, "X-Content-Type-Options Header Missing": 1, - "X-Frame-Options Header Not Set": 1, } `); expect(severities).toMatchInlineSnapshot(` From 83eda93793725e280ecd0dbf2859d18ab7b08950 Mon Sep 17 00:00:00 2001 From: Max Maass Date: Mon, 10 Jan 2022 16:43:21 +0100 Subject: [PATCH 3/5] Split cascading rule for ZAP-advanced as well Signed-off-by: Max Maass --- .../zap-advanced/cascading-rules/http.yaml | 4 ++-- .../zap-advanced/cascading-rules/https.yaml | 21 +++++++++++++++++++ 2 files changed, 23 insertions(+), 2 deletions(-) create mode 100644 scanners/zap-advanced/cascading-rules/https.yaml diff --git a/scanners/zap-advanced/cascading-rules/http.yaml b/scanners/zap-advanced/cascading-rules/http.yaml index a4be6b8603..47fd83d3b6 100644 --- a/scanners/zap-advanced/cascading-rules/http.yaml +++ b/scanners/zap-advanced/cascading-rules/http.yaml @@ -18,8 +18,8 @@ spec: state: open - category: "Open Port" attributes: - service: https + service: "http-*" state: open scanSpec: scanType: "zap-advanced-scan" - parameters: ["-t", "{{attributes.service}}://{{$.hostOrIP}}"] + parameters: ["-t", "http://{{$.hostOrIP}}:{{attributes.port}}"] 
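Review bot: The snapshot now hard-codes the current ZAP alert title `Missing Anti-clickjacking Header` in place of `X-Frame-Options Header Not Set`, so the test is pinned to whichever passive-scan plugin set the scanner image ships, and the next plugin update will fail it in exactly the same way with no hint why. A comment above the `toMatchInlineSnapshot` call naming the source of these titles, e.g. `// Alert titles come from the ZAP passive-scan plugins bundled in the scanner image (<ZAP image version placeholder>); bump together with the image`, turns the next update into a deliberate version bump rather than a surprise. The enclosing test() starts before the hunk.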
diff --git a/scanners/zap-advanced/cascading-rules/https.yaml b/scanners/zap-advanced/cascading-rules/https.yaml new file mode 100644 index 0000000000..f7f0a91902 --- /dev/null +++ b/scanners/zap-advanced/cascading-rules/https.yaml @@ -0,0 +1,21 @@ +# SPDX-FileCopyrightText: 2021 iteratec GmbH +# +# SPDX-License-Identifier: Apache-2.0 + +apiVersion: "cascading.securecodebox.io/v1" +kind: CascadingRule +metadata: + name: "zap-advanced-https" + labels: + securecodebox.io/invasive: non-invasive + securecodebox.io/intensive: medium +spec: + matches: + anyOf: + - category: "Open Port" + attributes: + service: "https*" + state: open + scanSpec: + scanType: "zap-advanced-scan" + parameters: ["-t", "https://{{$.hostOrIP}}:{{attributes.port}}"] From 993120299a9406eee714a0ffb511f0a04b33f339 Mon Sep 17 00:00:00 2001 From: Max Maass Date: Mon, 10 Jan 2022 16:46:24 +0100 Subject: [PATCH 4/5] Split cascading rules for screenshooter Signed-off-by: Max Maass --- .../screenshooter/cascading-rules/http.yaml | 4 ++-- .../screenshooter/cascading-rules/https.yaml | 21 +++++++++++++++++++ 2 files changed, 23 insertions(+), 2 deletions(-) create mode 100644 scanners/screenshooter/cascading-rules/https.yaml diff --git a/scanners/screenshooter/cascading-rules/http.yaml b/scanners/screenshooter/cascading-rules/http.yaml index cbb2283a45..823a289fe3 100644 --- a/scanners/screenshooter/cascading-rules/http.yaml +++ b/scanners/screenshooter/cascading-rules/http.yaml @@ -18,8 +18,8 @@ spec: state: open - category: "Open Port" attributes: - service: https + service: "http-*" state: open scanSpec: scanType: "screenshooter" - parameters: ["{{attributes.service}}://{{$.hostOrIP}}:{{attributes.port}}"] + parameters: ["http://{{$.hostOrIP}}:{{attributes.port}}"] diff --git a/scanners/screenshooter/cascading-rules/https.yaml b/scanners/screenshooter/cascading-rules/https.yaml new file mode 100644 index 0000000000..2104d3b928 --- /dev/null +++ b/scanners/screenshooter/cascading-rules/https.yaml 
@@ -0,0 +1,21 @@ +# SPDX-FileCopyrightText: 2021 iteratec GmbH +# +# SPDX-License-Identifier: Apache-2.0 + +apiVersion: "cascading.securecodebox.io/v1" +kind: CascadingRule +metadata: + name: "screenshooter-https" + labels: + securecodebox.io/invasive: non-invasive + securecodebox.io/intensive: light +spec: + matches: + anyOf: + - category: "Open Port" + attributes: + service: "https*" + state: open + scanSpec: + scanType: "screenshooter" + parameters: ["https://{{$.hostOrIP}}:{{attributes.port}}"] From 3c3d873a94fdeaf437db6476ff4ee7b099af9f9a Mon Sep 17 00:00:00 2001 From: Max Maass Date: Mon, 10 Jan 2022 16:46:37 +0100 Subject: [PATCH 5/5] Support alternative HTTP(s) ports for nikto Signed-off-by: Max Maass --- scanners/nikto/cascading-rules/http.yaml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/scanners/nikto/cascading-rules/http.yaml b/scanners/nikto/cascading-rules/http.yaml index 2f1d630a54..b987131d59 100644 --- a/scanners/nikto/cascading-rules/http.yaml +++ b/scanners/nikto/cascading-rules/http.yaml @@ -14,11 +14,8 @@ spec: anyOf: - category: "Open Port" attributes: - service: http - state: open - - category: "Open Port" - attributes: - service: https + # Also matches https, but also alternative HTTP ports + service: "http*" state: open scanSpec: scanType: "nikto"
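Review bot: The matcher now fires for every service whose name starts with `http` (`http`, `https`, `http-alt`, `https-alt`, `http-proxy`, …), but per the diffstat this commit adds only these two lines, so the `scanSpec.parameters` below the hunk are unchanged; if they do not already pass `{{attributes.port}}` and signal TLS for the https-named services, a finding on 8080 or 8443 would launch a nikto run that ignores the port that was actually found, which is both a coverage gap and a duplicate scan of the default port. Please confirm the parameters line before merging, since the commit subject promises alternative-port support that this hunk alone does not deliver. The added comment `# Also matches https, but also alternative HTTP ports` reads awkwardly; `# Wildcard: matches http, https and variants such as http-alt/https-alt, so non-standard HTTP(S) ports cascade too` says the same more precisely. The scanSpec continues outside the hunk.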