From f8f41d1320b87ec31581000178a8dbad3c6be493 Mon Sep 17 00:00:00 2001 From: notshivansh Date: Wed, 4 Oct 2023 15:52:55 +0530 Subject: [PATCH 01/27] add error messages for failing test results and update summary if test failed --- .../akto/test_editor/execution/Executor.java | 17 +++++- .../src/main/java/com/akto/testing/Main.java | 41 +++++++++++++- .../java/com/akto/testing/TestExecutor.java | 55 +++++++++++++------ .../yaml_tests/SecurityTestTemplate.java | 5 ++ .../java/com/akto/dto/testing/TestResult.java | 5 +- 5 files changed, 101 insertions(+), 22 deletions(-) diff --git a/apps/testing/src/main/java/com/akto/test_editor/execution/Executor.java b/apps/testing/src/main/java/com/akto/test_editor/execution/Executor.java index 27b86f1c95..079d44f771 100644 --- a/apps/testing/src/main/java/com/akto/test_editor/execution/Executor.java +++ b/apps/testing/src/main/java/com/akto/test_editor/execution/Executor.java @@ -9,6 +9,7 @@ import com.akto.dto.test_editor.*; import com.akto.dto.testing.AuthMechanism; import com.akto.dto.testing.TestResult; +import com.akto.dto.testing.TestResult.TestError; import com.akto.dto.testing.TestingRunConfig; import com.akto.log.LoggerMaker; import com.akto.log.LoggerMaker.LogDb; @@ -18,6 +19,7 @@ import com.akto.utils.RedactSampleData; import java.util.ArrayList; +import java.util.Collections; import java.util.HashMap; import java.util.List; import java.util.Map; @@ -32,6 +34,7 @@ public List execute(ExecutorNode node, RawApi rawApi, Map execute(ExecutorNode node, RawApi rawApi, Map sampleRawApis = new ArrayList<>(); 
@@ -61,6 +67,7 @@ public List execute(ExecutorNode node, RawApi rawApi, Map execute(ExecutorNode node, RawApi rawApi, Map testingRunResults = TestingRunResultDao.instance.findAll( + Filters.eq(TestingRunResult.TEST_RUN_RESULT_SUMMARY_ID, summaryId) + ); + + if(testingRunResults == null){ + testingRunResults = new ArrayList<>(); + } + + Map totalCountIssues = TestExecutor.calculateCountIssues(testingRunResults); + + int totalApis = 0; + try { + totalApis = testingRun.getTestingEndpoints().returnApis().size(); + } catch (Exception e) { + totalApis = 0; + } + + Bson updates = Updates.combine( + Updates.set(TestingRunResultSummary.END_TIMESTAMP, Context.now()), + Updates.set(TestingRunResultSummary.STATE, State.COMPLETED), + Updates.set(TestingRunResultSummary.COUNT_ISSUES, totalCountIssues), + Updates.set(TestingRunResultSummary.TOTAL_APIS, totalApis), + Updates.set(TestingRunResultSummary.TEST_RESULTS_COUNT, testingRunResults.size()) + ); + + TestingRunResultSummariesDao.instance.updateOne( + Filters.eq(TestingRunResultSummary.ID, summaryId), updates); + } + } + loggerMaker.infoAndAddToDb("Tests completed in " + (Context.now() - start) + " seconds", LogDb.TESTING); }, "testing"); Thread.sleep(1000); diff --git a/apps/testing/src/main/java/com/akto/testing/TestExecutor.java b/apps/testing/src/main/java/com/akto/testing/TestExecutor.java index ff46f2e9e1..11ff1838f0 100644 --- a/apps/testing/src/main/java/com/akto/testing/TestExecutor.java +++ b/apps/testing/src/main/java/com/akto/testing/TestExecutor.java @@ -17,6 +17,7 @@ import com.akto.dto.test_editor.TestConfig; import com.akto.dto.testing.*; import com.akto.dto.testing.TestResult.Confidence; +import com.akto.dto.testing.TestResult.TestError; import com.akto.dto.testing.TestingRun.State; import com.akto.dto.type.RequestTemplate; import com.akto.dto.type.SingleTypeInfo; 
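Review bot: The `catch (Exception e) { totalApis = 0; }` around `testingRun.getTestingEndpoints().returnApis().size()` swallows the failure, so the summary is written as COMPLETED with TOTAL_APIS = 0 and nothing in the log explains why. Log it in the catch, e.g. `loggerMaker.infoAndAddToDb("unable to count APIs for summary " + summaryId + ": " + e.getMessage(), LogDb.TESTING);`, so an operator can tell a genuinely empty endpoint set from a broken one. The `if (testingRunResults == null)` guard just above is redundant with the null check inside `calculateCountIssues`, though it is still needed for the later `testingRunResults.size()`. The start of this Main.java hunk is not legible in this rendering, so the enclosing block begins outside what is shown.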
@@ -243,18 +244,7 @@ public void apiWiseInit(TestingRun testingRun, ObjectId summaryId) { loggerMaker.infoAndAddToDb("Finished adding issues", LogDb.TESTING); - Map totalCountIssues = new HashMap<>(); - totalCountIssues.put("HIGH", 0); - totalCountIssues.put("MEDIUM", 0); - totalCountIssues.put("LOW", 0); - - for (TestingRunResult testingRunResult: testingRunResults) { - if (testingRunResult.isVulnerable()) { - String severity = getSeverityFromTestingRunResult(testingRunResult).toString(); - int initialCount = totalCountIssues.get(severity); - totalCountIssues.put(severity, initialCount + 1); - } - } + Map totalCountIssues = calculateCountIssues(testingRunResults); TestingRunResultSummariesDao.instance.updateOne( Filters.eq("_id", summaryId), @@ -279,6 +269,26 @@ public static Severity getSeverityFromTestingRunResult(TestingRunResult testingR return severity; } + public static Map calculateCountIssues(List testingRunResults){ + Map totalCountIssues = new HashMap<>(); + totalCountIssues.put("HIGH", 0); + totalCountIssues.put("MEDIUM", 0); + totalCountIssues.put("LOW", 0); + + if(testingRunResults == null){ + return totalCountIssues; + } + + for (TestingRunResult testingRunResult : testingRunResults) { + if (testingRunResult.isVulnerable()) { + String severity = getSeverityFromTestingRunResult(testingRunResult).toString(); + int initialCount = totalCountIssues.get(severity); + totalCountIssues.put(severity, initialCount + 1); + } + } + return totalCountIssues; + } + public static String findHost(ApiInfo.ApiInfoKey apiInfoKey, Map> sampleMessagesMap, SampleMessageStore sampleMessageStore) throws URISyntaxException { List sampleMessages = sampleMessagesMap.get(apiInfoKey); if (sampleMessages == null || sampleMessagesMap.isEmpty()) return null; 
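Review bot: `int initialCount = totalCountIssues.get(severity);` in the new `calculateCountIssues` unboxes a null and throws NullPointerException whenever `getSeverityFromTestingRunResult` yields a value other than the three pre-seeded keys, which matters now that the helper is public and also called from Main.java. Replacing the two lines with `totalCountIssues.merge(severity, 1, Integer::sum);` counts any severity without the lookup. The pre-seeding of HIGH/MEDIUM/LOW can stay so that the summary always carries those keys.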
@@ -551,8 +561,19 @@ public boolean applyRunOnceCheck(ApiInfoKey apiInfoKey, TestConfig testConfig, C public TestingRunResult runTestNew(ApiInfo.ApiInfoKey apiInfoKey, ObjectId testRunId, TestingUtil testingUtil, ObjectId testRunResultSummaryId, TestConfig testConfig, TestingRunConfig testingRunConfig) { + String testSuperType = testConfig.getInfo().getCategory().getName(); + String testSubType = testConfig.getInfo().getSubCategory(); + List messages = testingUtil.getSampleMessages().get(apiInfoKey); - if (messages == null || messages.size() == 0) return null; + if (messages == null || messages.isEmpty()){ + List testResults = new ArrayList<>(); + testResults.add(new TestResult(null, null, Collections.singletonList(TestError.NO_PATH.getMessage()),0, false, Confidence.HIGH, null)); + return new TestingRunResult( + testRunId, apiInfoKey, testSuperType, testSubType ,testResults, + false,new ArrayList<>(),100,Context.now(), + Context.now(), testRunResultSummaryId + ); + } String message = messages.get(0); @@ -573,9 +594,6 @@ public TestingRunResult runTestNew(ApiInfo.ApiInfoKey apiInfoKey, ObjectId testR varMap.put("wordList_" + key, wordListsMap.get(key)); } - String testSuperType = testConfig.getInfo().getCategory().getName(); - String testSubType = testConfig.getInfo().getSubCategory(); - String testExecutionLogId = UUID.randomUUID().toString(); loggerMaker.infoAndAddToDb("triggering test run for apiInfoKey " + apiInfoKey + "test " + 
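Review bot: The synthetic NO_PATH result in `runTestNew` calls `Context.now()` twice for its start and end timestamps and passes `100` and `false` as bare positional arguments, which makes the `new TestingRunResult(...)` call hard to read or audit. Capture the timestamp once, `int now = Context.now();`, and give the literal a name taken from the constructor's parameter declaration (constructed example: `int noPathPercentage = 100;`) — what that parameter means is not visible in this hunk, so confirm against the constructor. The method continues past the end of the hunk.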
@@ -585,8 +603,9 @@ public TestingRunResult runTestNew(ApiInfo.ApiInfoKey apiInfoKey, ObjectId testR YamlTestTemplate yamlTestTemplate = new YamlTestTemplate(apiInfoKey,filterNode, validatorNode, executorNode, rawApi, varMap, auth, testingUtil.getAuthMechanism(), testExecutionLogId, testingRunConfig, customAuthTypes); List testResults = yamlTestTemplate.run(); - if (testResults == null || testResults.size() == 0) { - return null; + if (testResults == null || testResults.isEmpty()) { + testResults = new ArrayList<>(); + testResults.add(new TestResult(null, rawApi.getOriginalMessage(), Collections.singletonList(TestError.SOMETHING_WENT_WRONG.getMessage()), 0, false, TestResult.Confidence.HIGH, null)); } int endTime = Context.now(); diff --git a/apps/testing/src/main/java/com/akto/testing/yaml_tests/SecurityTestTemplate.java b/apps/testing/src/main/java/com/akto/testing/yaml_tests/SecurityTestTemplate.java index 1ce360da9a..87c51c9faf 100644 --- a/apps/testing/src/main/java/com/akto/testing/yaml_tests/SecurityTestTemplate.java +++ b/apps/testing/src/main/java/com/akto/testing/yaml_tests/SecurityTestTemplate.java @@ -8,6 +8,7 @@ import com.akto.dto.testing.AuthMechanism; import com.akto.dto.testing.TestResult; import com.akto.dto.testing.TestingRunConfig; +import com.akto.dto.testing.TestResult.TestError; import java.util.Collections; @@ -62,6 +63,10 @@ public List run() { return testResults; } List attempts = executor(); + if(attempts == null || attempts.isEmpty()){ + attempts = new ArrayList<>(); + attempts.add(new TestResult(null, rawApi.getOriginalMessage(), Collections.singletonList(TestError.EXECUTION_FAILED.getMessage()), 0, false, TestResult.Confidence.HIGH, null)); + } return attempts; } diff --git a/libs/dao/src/main/java/com/akto/dto/testing/TestResult.java b/libs/dao/src/main/java/com/akto/dto/testing/TestResult.java index 41c634bde8..7ba2dcf9e4 100644 --- a/libs/dao/src/main/java/com/akto/dto/testing/TestResult.java 
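Review bot: Two layers now turn an empty result list into an error result with different messages: `SecurityTestTemplate.run()` (hunk `@@ -62,6 +63,10 @@`) substitutes EXECUTION_FAILED when `executor()` returns nothing, so the SOMETHING_WENT_WRONG fallback added in `runTestNew` (hunk `@@ -585,8 +603,9 @@`) can only fire when `run()` returns null through its earlier exit. Keep the substitution in one place, or add a comment on the `runTestNew` branch stating which condition it still covers, e.g. `// run() already reports an empty executor result; this only covers a null return`. The `new ArrayList<>()` in SecurityTestTemplate also needs `java.util.ArrayList` in scope there; only `Collections` is visible in that file's import hunk, so confirm the import exists.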
+++ b/libs/dao/src/main/java/com/akto/dto/testing/TestResult.java @@ -30,7 +30,10 @@ public enum TestError { FAILED_DOWNLOADING_PAYLOAD_FILES("Failed downloading payload files"), FAILED_BUILDING_NUCLEI_TEMPLATE("Failed building nuclei template"), FAILED_BUILDING_URL_WITH_DOMAIN("Failed building URL with domain"), - FAILED_REPLACING_VARIABLES_IN_NUCLEI_TEMPLATE("Failed replacing variables in nuclei template"); + FAILED_REPLACING_VARIABLES_IN_NUCLEI_TEMPLATE("Failed replacing variables in nuclei template"), + EXECUTION_FAILED("Test execution failed"), + INVALID_EXECUTION_BLOCK("Invalid test execution block in template"), + NO_API_REQUEST("No test requests created"); private final String message; From 78861d6db173c5eac0ebc6120574fbbbd769527b Mon Sep 17 00:00:00 2001 From: ayushaga14 Date: Wed, 11 Oct 2023 17:23:47 +0530 Subject: [PATCH 02/27] modify ll url --- .../src/main/java/com/akto/listener/RuntimeListener.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/dashboard/src/main/java/com/akto/listener/RuntimeListener.java b/apps/dashboard/src/main/java/com/akto/listener/RuntimeListener.java index f73d8104ba..3defbb6f10 100644 --- a/apps/dashboard/src/main/java/com/akto/listener/RuntimeListener.java +++ b/apps/dashboard/src/main/java/com/akto/listener/RuntimeListener.java @@ -238,7 +238,7 @@ public static void addLlmSampleData(int accountId) { } try { - String mockServiceUrl = "http://sampl-aktol-1exannwybqov-67928726.ap-south-1.elb.amazonaws.com:5000"; + String mockServiceUrl = "https://vuln-llm.akto.io:5000"; String data = convertStreamToString(InitializerListener.class.getResourceAsStream("/LlmSampleApiData.json")); JSONArray dataobject = new JSONArray(data); for (Object obj: dataobject) { From 7b6e022ec6e10278f9d5cb5398097c54683f41f8 Mon Sep 17 00:00:00 2001 
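Review bot: `mockServiceUrl` is a hard-coded external host (`https://vuln-llm.akto.io:5000`; the port is dropped again in the next patch) that the dashboard fetches sample data from during account setup, so a deployment without outbound access or with its own mock service cannot change it without a rebuild. Read it from configuration with the literal as the default, for example `String mockServiceUrl = System.getenv().getOrDefault("LLM_MOCK_SERVICE_URL", "https://vuln-llm.akto.io");` (the setting name is a constructed example). Moving from http to https is the right direction. `addLlmSampleData` continues outside the hunk.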
From: ayushaga14 Date: Wed, 11 Oct 2023 17:40:46 +0530 Subject: [PATCH 03/27] remove port --- .../src/main/java/com/akto/listener/RuntimeListener.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/dashboard/src/main/java/com/akto/listener/RuntimeListener.java b/apps/dashboard/src/main/java/com/akto/listener/RuntimeListener.java index 3defbb6f10..3e6bc319b7 100644 --- a/apps/dashboard/src/main/java/com/akto/listener/RuntimeListener.java +++ b/apps/dashboard/src/main/java/com/akto/listener/RuntimeListener.java @@ -238,7 +238,7 @@ public static void addLlmSampleData(int accountId) { } try { - String mockServiceUrl = "https://vuln-llm.akto.io:5000"; + String mockServiceUrl = "https://vuln-llm.akto.io"; String data = convertStreamToString(InitializerListener.class.getResourceAsStream("/LlmSampleApiData.json")); JSONArray dataobject = new JSONArray(data); for (Object obj: dataobject) { From dfa63b43cbe3e75f7567c09b4be09317341a9027 Mon Sep 17 00:00:00 2001 From: Ark2307 Date: Wed, 11 Oct 2023 20:13:49 +0530 Subject: [PATCH 04/27] showing url in editor --- .../components/shared/customDiffEditor.js | 2 +- .../pages/test_editor/TestEditor.css | 8 ++++++ .../test_editor/components/SampleApi.jsx | 28 ++++++++++++------- 3 files changed, 27 insertions(+), 11 deletions(-) diff --git a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/components/shared/customDiffEditor.js b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/components/shared/customDiffEditor.js index 7ade628db8..037c4295ac 100644 --- a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/components/shared/customDiffEditor.js +++ b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/components/shared/customDiffEditor.js @@ -77,7 +77,7 @@ const transform = { if(!isNaN(key)){ ret.push(parsedJson[key]) }else{ - ret.push({key: parsedJson[key]}) + ret.push({[key]: parsedJson[key]}) } }) return JSON.stringify(ret, null, 2) 
diff --git a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/TestEditor.css b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/TestEditor.css index 2acef9d4e2..fde152df85 100644 --- a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/TestEditor.css +++ b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/TestEditor.css @@ -58,4 +58,12 @@ .editor-header .Polaris-Text--root{ max-width: 30vw; +} + +.req-resp-tabs .Polaris-LegacyTabs__Title{ + padding: 0 !important; +} + +.req-resp-tabs .Polaris-Box{ + border: none !important; } \ No newline at end of file diff --git a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/components/SampleApi.jsx b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/components/SampleApi.jsx index a14dbf993f..3b27255cf8 100644 --- a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/components/SampleApi.jsx +++ b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/components/SampleApi.jsx @@ -1,6 +1,5 @@ -import { Box, Button, Divider, Frame, HorizontalStack, LegacyTabs, Modal, VerticalStack} from "@shopify/polaris" -import { tokens } from "@shopify/polaris-tokens" -import { UpdateInventoryMajor, ChevronUpMinor } from "@shopify/polaris-icons" +import { Box, Button, Divider, Frame, HorizontalStack, LegacyTabs, Modal, Text, Tooltip} from "@shopify/polaris" +import {ChevronUpMinor } from "@shopify/polaris-icons" import { useEffect, useRef, useState } from "react"; 
@@ -122,12 +121,11 @@ const SampleApi = () => { const handleTabChange = (selectedTabIndex) => { setSelected(selectedTabIndex) - if (sampleData) { if (selectedTabIndex == 0) { - editorInstance.setValue(JSON.stringify(sampleData.requestJson["json"], null, 2)) + editorInstance.setValue(selectedApiEndpoint + '\n' + JSON.stringify(sampleData.requestJson["json"], null, 2)) } else { - editorInstance.setValue(JSON.stringify(sampleData.responseJson["json"], null, 2)) + editorInstance.setValue(selectedApiEndpoint + '\n' + JSON.stringify(sampleData.responseJson["json"], null, 2)) } } } @@ -167,7 +165,7 @@ const SampleApi = () => { setSampleData({ requestJson, responseJson }) if (editorInstance) { - editorInstance.setValue(JSON.stringify(requestJson["json"], null, 2)) + editorInstance.setValue(selectedApiEndpoint + '\n' + JSON.stringify(requestJson["json"], null, 2)) } setTimeout(()=> { setSampleDataList(sampleDataResponse.sampleDataList) @@ -254,9 +252,19 @@ const SampleApi = () => { return (
- - - +
+ +
+ + + +
From 3add0c7553bed8cf85675b349e1c3eece8be28ce Mon Sep 17 00:00:00 2001 From: Ark2307 Date: Wed, 11 Oct 2023 23:11:02 +0530 Subject: [PATCH 05/27] improving first line --- .../dashboard/pages/test_editor/components/SampleApi.jsx | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/components/SampleApi.jsx b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/components/SampleApi.jsx index 3b27255cf8..fa53d79827 100644 --- a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/components/SampleApi.jsx +++ b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/components/SampleApi.jsx @@ -122,10 +122,11 @@ const SampleApi = () => { const handleTabChange = (selectedTabIndex) => { setSelected(selectedTabIndex) if (sampleData) { + if (selectedTabIndex == 0) { - editorInstance.setValue(selectedApiEndpoint + '\n' + JSON.stringify(sampleData.requestJson["json"], null, 2)) + editorInstance.setValue(sampleData?.requestJson["firstLine"] + '\n\n' + JSON.stringify(sampleData.requestJson["json"], null, 2)) } else { - editorInstance.setValue(selectedApiEndpoint + '\n' + JSON.stringify(sampleData.responseJson["json"], null, 2)) + editorInstance.setValue(sampleData?.responseJson["firstLine"] + '\n\n' + JSON.stringify(sampleData.responseJson["json"], null, 2)) } } } @@ -165,7 +166,7 @@ const SampleApi = () => { setSampleData({ requestJson, responseJson }) if (editorInstance) { - editorInstance.setValue(selectedApiEndpoint + '\n' + JSON.stringify(requestJson["json"], null, 2)) + editorInstance.setValue(requestJson["firstLine"] + '\n\n' + JSON.stringify(requestJson["json"], null, 2)) } setTimeout(()=> { setSampleDataList(sampleDataResponse.sampleDataList) From 0c016d06edeaa51174ac31d1180b23dc66fcb2b5 Mon Sep 17 00:00:00 2001 
From: Ark2307 Date: Thu, 12 Oct 2023 11:18:34 +0530 Subject: [PATCH 06/27] fixed css --- .../web/src/apps/dashboard/pages/test_editor/TestEditor.css | 2 +- .../dashboard/pages/test_editor/components/SampleApi.jsx | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/TestEditor.css b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/TestEditor.css index fde152df85..fadaf9e55b 100644 --- a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/TestEditor.css +++ b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/TestEditor.css @@ -61,7 +61,7 @@ } .req-resp-tabs .Polaris-LegacyTabs__Title{ - padding: 0 !important; + padding: 8px 0 !important; } .req-resp-tabs .Polaris-Box{ diff --git a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/components/SampleApi.jsx b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/components/SampleApi.jsx index fa53d79827..86c1c67e82 100644 --- a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/components/SampleApi.jsx +++ b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/components/SampleApi.jsx @@ -124,9 +124,9 @@ const SampleApi = () => { if (sampleData) { if (selectedTabIndex == 0) { - editorInstance.setValue(sampleData?.requestJson["firstLine"] + '\n\n' + JSON.stringify(sampleData.requestJson["json"], null, 2)) + editorInstance.setValue('\n' + sampleData?.requestJson["firstLine"] + '\n\n' + JSON.stringify(sampleData.requestJson["json"], null, 2)) } else { - editorInstance.setValue(sampleData?.responseJson["firstLine"] + '\n\n' + JSON.stringify(sampleData.responseJson["json"], null, 2)) + editorInstance.setValue('\n' + sampleData?.responseJson["firstLine"] + '\n\n' + JSON.stringify(sampleData.responseJson["json"], null, 2)) } } } 
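Review bot: `'\n' + sampleData?.requestJson["firstLine"] + '\n\n' + ...` renders the literal text `undefined` at the top of the editor whenever a sample has no `firstLine`, because string concatenation does not treat undefined as empty; the same applies to the response branch and to the `@@ -166,7 +166,7 @@` hunk below. Use `(sampleData.requestJson["firstLine"] ?? '')` in each `setValue` call. Inside `if (sampleData)` the optional chaining on `sampleData?.requestJson` is redundant and inconsistent with the unguarded `sampleData.requestJson["json"]` later on the same line.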
@@ -166,7 +166,7 @@ const SampleApi = () => { setSampleData({ requestJson, responseJson }) if (editorInstance) { - editorInstance.setValue(requestJson["firstLine"] + '\n\n' + JSON.stringify(requestJson["json"], null, 2)) + editorInstance.setValue('\n' + requestJson["firstLine"] + '\n\n' + JSON.stringify(requestJson["json"], null, 2)) } setTimeout(()=> { setSampleDataList(sampleDataResponse.sampleDataList) From 0135e6b898fe6619a6aee08db1dd9ccfe1929548 Mon Sep 17 00:00:00 2001 From: Ark2307 Date: Fri, 13 Oct 2023 23:58:40 +0530 Subject: [PATCH 07/27] Burp fixed as of Old ui --- .../components/shared/DropdownSearch.jsx | 3 +- .../pages/quick_start/QuickStart.css | 10 ++ .../apps/dashboard/pages/quick_start/api.js | 18 +++ .../quick_start/components/BurpSource.jsx | 151 +++++++++++------- .../dashboard/pages/quick_start/transform.js | 1 + 5 files changed, 121 insertions(+), 62 deletions(-) diff --git a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/components/shared/DropdownSearch.jsx b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/components/shared/DropdownSearch.jsx index 373ba57eac..9a33d1d1a4 100644 --- a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/components/shared/DropdownSearch.jsx +++ b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/components/shared/DropdownSearch.jsx @@ -56,8 +56,9 @@ function DropdownSearch(props) { return; } const filterRegex = new RegExp(value, 'i'); + const searchKey = deselectedOptions[0].searchKey ? deselectedOptions[0].searchKey : "label" const resultOptions = deselectedOptions.filter((option) => - option.label.match(filterRegex), + option[searchKey].match(filterRegex) ); setOptions(resultOptions); setLoading(false); diff --git a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/quick_start/QuickStart.css b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/quick_start/QuickStart.css index ec9cf4f379..2b4c218085 100644 
--- a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/quick_start/QuickStart.css +++ b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/quick_start/QuickStart.css @@ -69,4 +69,14 @@ .update-connections .Polaris-Page--divider{ padding-top: 20px !important; +} + +.overflow-text{ + text-overflow: ellipsis; + overflow-x: hidden; + white-space: nowrap; +} + +.right-card .Polaris-Scrollable{ + overflow-x: hidden; } \ No newline at end of file diff --git a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/quick_start/api.js b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/quick_start/api.js index a29a6e8b91..fe81939abd 100644 --- a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/quick_start/api.js +++ b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/quick_start/api.js @@ -67,6 +67,24 @@ const api = { method: 'post', data: {deploymentMethod} }) + }, + fetchBurpPluginDownloadLink() { + return request({ + url: '/api/fetchBurpPluginDownloadLink', + method: 'post', + data: {}, + }).then((resp) => { + return resp + }) + }, + fetchBurpCredentials() { + return request({ + url: '/api/fetchBurpCredentials', + method: 'post', + data: {}, + }).then((resp) => { + return resp + }) } } diff --git a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/quick_start/components/BurpSource.jsx b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/quick_start/components/BurpSource.jsx index 76ccb3d3ac..8e8ef63db2 100644 --- a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/quick_start/components/BurpSource.jsx +++ b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/quick_start/components/BurpSource.jsx 
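Review bot: The `.then((resp) => { return resp })` appended to both `fetchBurpPluginDownloadLink` and `fetchBurpCredentials` is an identity continuation and can be dropped; `return request({...})` already yields the same promise. Shaping the two new entries like the existing ones in the file (a plain `return request(...)`) keeps the call sites consistent. The closing braces at the end of this hunk belong to the `api` object, which starts outside the hunk.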
@@ -1,77 +1,105 @@ -import { Button, ButtonGroup, HorizontalStack, Icon, Spinner, Text, VerticalStack } from '@shopify/polaris' -import React, { useState } from 'react' -import { StatusActiveMajor } from "@shopify/polaris-icons" +import { Box, Button, ButtonGroup, HorizontalStack, Text, VerticalStack } from '@shopify/polaris' +import React, { useEffect, useState } from 'react' import {useNavigate} from "react-router-dom" import api from '../api' -import func from '@/util/func' - +import func from "@/util/func" +import TooltipText from "../../../components/shared/TooltipText" + function BurpSource() { + const navigate = useNavigate() + const [burpGithubLink, setBurpGithubLink] = useState(""); + const [aktoIp, setAktoIp] = useState(""); + const [aktoToken, setAktoToken] = useState(""); + const [burpCollectionURL, setBurpCollectionURL] = useState("") + + const getGithubLink = async() => { + await api.fetchBurpPluginDownloadLink().then((resp) => { + if (resp && resp.burpGithubLink) { + setBurpGithubLink(resp?.burpGithubLink) + } + }) + } + + const getCredentials = async() => { + await api.fetchBurpCredentials().then((resp) => { + if (!resp) return + setAktoIp(resp?.host) + setAktoToken(resp?.apiToken?.key) + }) + } + + const downloadBurpJar = async() => { + let downloadTime = func.timeNow() + let showBurpPluginConnectedFlag = false - const [downloadInfo, setDownloadInfo] = useState(0) - const [initialData, setInitialData] = useState(0) - const [finalData, setFinalData] = useState(0) - - const downloadBurpExt = async() => { - setDownloadInfo(1) - await api.downloadBurpPluginJar().then((resp)=> { - let downloadTime = func.timeNow() - - const href = URL.createObjectURL(resp); - // create "a" HTML element with href to file & click - const link = document.createElement('a'); - link.href = href; - link.setAttribute('download', 'Akto.jar'); //or any other extension - document.body.appendChild(link); - link.click(); - // clean up "a" element & remove ObjectURL - 
document.body.removeChild(link); - URL.revokeObjectURL(href); - - setDownloadInfo(2) - setInitialData(1) - - let interval = setInterval(() => { - api.fetchBurpPluginInfo().then((response) => { - let lastBootupTimestamp = response.burpPluginInfo.lastBootupTimestamp + await api.downloadBurpPluginJar() + window.open(burpGithubLink) + + let interval = setInterval(() => { + api.fetchBurpPluginInfo().then((response) => { + let lastBootupTimestamp = response?.burpPluginInfo?.lastBootupTimestamp if (lastBootupTimestamp > downloadTime) { - setInitialData(2) - setFinalData(1) + if (showBurpPluginConnectedFlag) { + func.setToast(true, false, "Burp plugin connected") + } + showBurpPluginConnectedFlag = false if (response.burpPluginInfo.lastDataSentTimestamp > downloadTime) { clearInterval(interval) - setFinalData(2) + setBurpCollectionURL("/dashboard/observe/inventory") + func.setToast(true, false, "Data received from burp plugin") } } }) - }, 5000) - }) + }, 2000) + } - const navigate = useNavigate() - const DownloadTextComponent = ({param_value}) => { - switch(param_value){ - case 1: - return () - case 2: - return (
) - default: - return null - } + const copyText = (text,messageText) => { + navigator.clipboard.writeText(text) + func.setToast(true, false, `${messageText} is copied to clipboard.`) } const steps = [ { - text: "Download Akto's Burp extension.", - component:
, - textComponent: + text: "Download akto's burp extension", + component: , + }, + { + text: "Open Burp and add the downloaded jar file in extension tab." + }, + { + text: 'Once the plugin is loaded click on "options" tab inside the plugin.' }, { - text: "Open Burp and add the downloaded jar file in extension tab.", - textComponent: + text: "Copy the AKTO_IP and AKTO_TOKEN and paste in the options tab.", + component: ( + + + + AKTO_IP: + + + + AKTO_TOKEN: + + + + + ) }, { - text: "Start Burp proxy and browse any website. You will see traffic in 'Burp' collection in inventory.", - textComponent: , - component: finalData === 2 ? : null + text: "Start Burp proxy and browse any website.", + component: ( + + You will see traffic in + {burpCollectionURL.length > 0 ? : Burp} + collection. + + ) } ] @@ -83,6 +111,11 @@ function BurpSource() { navigate("/dashboard/settings/integrations/burp") } + useEffect(()=> { + getGithubLink() + getCredentials() + },[]) + return (
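Review bot: In `downloadBurpJar` the "Burp plugin connected" toast can never show: `showBurpPluginConnectedFlag` is initialised to `false`, only tested, and then assigned `false` again, so the `if (showBurpPluginConnectedFlag)` branch is dead; initialise it to `true` if the intent is to toast once on first contact. The `setInterval` is cleared only when `lastDataSentTimestamp > downloadTime`; if data never arrives it keeps calling `fetchBurpPluginInfo` every 2 seconds after the component unmounts, so keep the interval id in a ref and clear it in a `useEffect` cleanup. The JSX in the `steps` array is not legible in this rendering, so only the hook logic was reviewed.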
@@ -93,14 +126,10 @@ function BurpSource() { {steps.map((element,index) => ( - {index + 1}. - {element.text} - {element.textComponent} - - -
- {element.component} + {index + 1}. + {element?.text} + {element?.component} ))} diff --git a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/quick_start/transform.js b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/quick_start/transform.js index ec16e641bd..4e631617d2 100644 --- a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/quick_start/transform.js +++ b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/quick_start/transform.js @@ -696,6 +696,7 @@ const quickStartFunc = { id: index + 1, label: label, value: item.label, + searchKey: "value", } }) From a94f5098534f0e9e144bb8363ebf25fef605e195 Mon Sep 17 00:00:00 2001 From: Ark2307 Date: Sat, 14 Oct 2023 11:09:39 +0530 Subject: [PATCH 08/27] used cleaner approach --- .../src/apps/dashboard/components/shared/DropdownSearch.jsx | 4 ++-- .../dashboard/pages/quick_start/components/BurpSource.jsx | 1 - .../dashboard/pages/quick_start/components/NewConnection.jsx | 2 +- 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/components/shared/DropdownSearch.jsx b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/components/shared/DropdownSearch.jsx index 9a33d1d1a4..5b18124b63 100644 --- a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/components/shared/DropdownSearch.jsx +++ b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/components/shared/DropdownSearch.jsx @@ -6,7 +6,7 @@ function DropdownSearch(props) { const id = props.id ? props.id : "dropdown-search" - const { disabled, label, placeholder, optionsList, setSelected, value , avatarIcon, preSelected, allowMultiple, itemName} = props + const { disabled, label, placeholder, optionsList, setSelected, value , avatarIcon, preSelected, allowMultiple, itemName, dropdownSearchKey} = props const deselectedOptions = optionsList const [selectedOptions, setSelectedOptions] = useState(preSelected ? preSelected : []); 
@@ -56,7 +56,7 @@ function DropdownSearch(props) { return; } const filterRegex = new RegExp(value, 'i'); - const searchKey = deselectedOptions[0].searchKey ? deselectedOptions[0].searchKey : "label" + const searchKey = dropdownSearchKey ? dropdownSearchKey : "label" const resultOptions = deselectedOptions.filter((option) => option[searchKey].match(filterRegex) ); diff --git a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/quick_start/components/BurpSource.jsx b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/quick_start/components/BurpSource.jsx index 8e8ef63db2..4edb61020b 100644 --- a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/quick_start/components/BurpSource.jsx +++ b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/quick_start/components/BurpSource.jsx @@ -3,7 +3,6 @@ import React, { useEffect, useState } from 'react' import {useNavigate} from "react-router-dom" import api from '../api' import func from "@/util/func" -import TooltipText from "../../../components/shared/TooltipText" function BurpSource() { const navigate = useNavigate() diff --git a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/quick_start/components/NewConnection.jsx b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/quick_start/components/NewConnection.jsx index 8cb8d5ca16..4291d4577f 100644 --- a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/quick_start/components/NewConnection.jsx +++ b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/quick_start/components/NewConnection.jsx @@ -106,7 +106,7 @@ function NewConnection() { const trafficScreenLabel = (
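Review bot: `option[searchKey].match(filterRegex)` throws a TypeError for any option that does not carry the configured `dropdownSearchKey`, which will happen when a list mixes option shapes; guard it with `(option[searchKey] ?? '').match(filterRegex)` or fall back to `option.label`. The `filterRegex` it matches against is built directly from the typed `value`, so an unbalanced bracket in the search box throws a SyntaxError from `new RegExp`, and a plain case-insensitive `includes` on the string avoids both that and slow patterns. The enclosing callback starts outside the hunk.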
- setConnector(item)}/> + setConnector(item)} dropdownSearchKey="value"/> {connectors?.component}
From 190a09100157a503c7efab85d9c78e12de796fb0 Mon Sep 17 00:00:00 2001 From: Ark2307 Date: Sat, 14 Oct 2023 11:12:35 +0530 Subject: [PATCH 09/27] deleted unused variable --- .../web/src/apps/dashboard/pages/quick_start/transform.js | 1 - 1 file changed, 1 deletion(-) diff --git a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/quick_start/transform.js b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/quick_start/transform.js index 4e631617d2..ec16e641bd 100644 --- a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/quick_start/transform.js +++ b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/quick_start/transform.js @@ -696,7 +696,6 @@ const quickStartFunc = { id: index + 1, label: label, value: item.label, - searchKey: "value", } }) From 387462c9bc2ff32dd2a4271065468c0766a13d43 Mon Sep 17 00:00:00 2001 From: notshivansh Date: Sat, 14 Oct 2023 12:13:40 +0530 Subject: [PATCH 10/27] add log levels to testing cli --- .../main/java/com/akto/testing_cli/Main.java | 81 +++++++++++++++++-- .../akto/dto/testing/TestingRunResult.java | 5 +- 2 files changed, 76 insertions(+), 10 deletions(-) diff --git a/apps/testing-cli/src/main/java/com/akto/testing_cli/Main.java b/apps/testing-cli/src/main/java/com/akto/testing_cli/Main.java index b2d013adde..7ef74eedd0 100644 --- a/apps/testing-cli/src/main/java/com/akto/testing_cli/Main.java +++ b/apps/testing-cli/src/main/java/com/akto/testing_cli/Main.java 
@@ -80,6 +80,20 @@ public static T decode(Codec codec, Document doc){ return codec.decode(bsonReader, DecoderContext.builder().build()); } + public enum OUTPUT_LEVEL { + NONE, SUMMARY, DETAILED, DEBUG + } + + static String getSeverity(Map testConfigMap, TestingRunResult it) { + String severity = "HIGH"; + try { + severity = testConfigMap.get(it.getTestSubType()).getInfo().getSeverity(); + } catch (Exception e) { + severity = "HIGH"; + } + return severity; + } + public static void main(String[] args) { if (AKTO_DASHBOARD_URL == null || AKTO_DASHBOARD_URL.isEmpty() || AKTO_API_KEY == null @@ -337,17 +351,32 @@ public static void main(String[] args) { } } + Map> vulnerableTestToApiMap = new HashMap<>(); + for (TestingRunResult it : testingRunResults) { - String severity = "HIGH"; - try { - severity = testConfigMap.get(it.getTestSubType()).getInfo().getSeverity(); - } catch (Exception e){ - severity = "HIGH"; + String severity = getSeverity(testConfigMap, it); + + if(it.isVulnerable()){ + List tmp = vulnerableTestToApiMap.getOrDefault(it.getTestSubType(), new ArrayList<>()); + tmp.add(it.getApiInfoKey()); + vulnerableTestToApiMap.put(it.getTestSubType(), tmp); } String output = it.toConsoleString(severity); System.out.println(output); } + OUTPUT_LEVEL outputLevel = OUTPUT_LEVEL.SUMMARY; + + try { + outputLevel = OUTPUT_LEVEL.valueOf(System.getenv("OUTPUT_LEVEL")); + } catch (Exception e){ + logger.info("Using default output level: SUMMARY"); + } + + if(outputLevel.equals(OUTPUT_LEVEL.NONE)){ + return; + } + String fileDir = "../out/"; String filePath = fileDir + "output.txt"; 
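Review bot: `OUTPUT_LEVEL.NONE` does not silence the run, because the `outputLevel` lookup and the `if(outputLevel.equals(OUTPUT_LEVEL.NONE)) return;` come after the loop that has already written every result to stdout via `System.out.println(output)`; resolve the level before that loop (or skip the `println` when it is NONE) if NONE is meant to mean no output. `OUTPUT_LEVEL.valueOf(System.getenv("OUTPUT_LEVEL"))` is also case-sensitive, and the catch-all folds a missing variable and a typo into the same "Using default output level" message; normalising with `.trim().toUpperCase(Locale.ROOT)` and logging the rejected value would make misconfiguration visible. This code is inside `main`, whose start and end lie outside the hunk.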
@@ -363,9 +392,45 @@ public static void main(String[] args) { try (BufferedWriter writer = new BufferedWriter(new FileWriter(new File(filePath)))) { writer.write("Api collection: " + apiCollectionId + " " + apiCollection.getDisplayName() + "\n\n"); - for (TestingRunResult it : testingRunResults) { - String output = it.toOutputString() + "\n ------------------------------------ \n\n"; - writer.write(output); + + if (totalVulnerabilities > 0) { + writer.write("Vulnerabilities: \n"); + for (Map.Entry entry : severityMap.entrySet()) { + writer.write(entry.getKey() + ": " + entry.getValue() + "\n"); + } + writer.write("\n"); + + for (Map.Entry> entry : vulnerableTestToApiMap.entrySet()) { + TestConfig testConfig = testConfigMap.getOrDefault(entry.getKey(), null); + + writer.write("Test ID: " + entry.getKey() + "\n"); + + if(testConfig != null){ + writer.write("Test name: " + testConfig.getInfo().getName() + "\n"); + writer.write("Severity: " + testConfig.getInfo().getSeverity() + "\n"); + + if(!outputLevel.equals(OUTPUT_LEVEL.SUMMARY)){ + writer.write("Description: " + testConfig.getInfo().getDescription() + "\n"); + writer.write("Impact: " + testConfig.getInfo().getImpact() + "\n\n"); + } + + } + + writer.write("APIs affected: \n"); + for(ApiInfo.ApiInfoKey apiInfoKey: entry.getValue()){ + writer.write(apiInfoKey.getUrl() + " " + apiInfoKey.getMethod().toString() + "\n"); + } + writer.write("\n ********************* \n\n"); + } + } + + if(outputLevel.equals(OUTPUT_LEVEL.DEBUG)){ + writer.write("DEBUG result: \n"); + for (TestingRunResult it : testingRunResults) { + String severity = getSeverity(testConfigMap, it); + String output = it.toOutputString(severity) + "\n ------------------------------------ \n\n"; + writer.write(output); + } } System.out.println("Detailed result is written to output.txt"); } catch (Exception e) { 
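Review bot: In the `OUTPUT_LEVEL.DEBUG` branch, `it.toOutputString(severity)` is written to `../out/output.txt` for every result, and that method (per the TestingRunResult hunk below) parses `testResult.getOriginalMessage()`, i.e. the raw request/response captured during the test, so the debug file will contain whatever auth headers, cookies or tokens the tested API used, in a relative `../out/` directory with default permissions. Redact credentials before writing if the project has a redaction helper for sample traffic, or at minimum prefix the section with `writer.write("WARNING: DEBUG output contains raw request/response data; treat as sensitive\n");`. `new FileWriter(new File(filePath))` also uses the platform default charset, so non-ASCII URLs or payloads may be mangled on some hosts; pass `StandardCharsets.UTF_8` (via `FileWriter(File, Charset)` on JDK 11+, or an `OutputStreamWriter`). The try block is inside `main`, which starts outside the hunk.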
diff --git a/libs/dao/src/main/java/com/akto/dto/testing/TestingRunResult.java b/libs/dao/src/main/java/com/akto/dto/testing/TestingRunResult.java index 8a9a7c6bfa..47bc59dfb3 100644 --- a/libs/dao/src/main/java/com/akto/dto/testing/TestingRunResult.java +++ b/libs/dao/src/main/java/com/akto/dto/testing/TestingRunResult.java @@ -191,11 +191,12 @@ public String toConsoleString(String severity) { "\n" + ColorConstants.RESET; } - public String toOutputString(){ + public String toOutputString(String severity){ StringBuilder bld = new StringBuilder(); bld.append("API: " + apiInfoKey.getUrl() + " " + apiInfoKey.getMethod().toString() + "\n"); - bld.append("Test: " + testSuperType + " " + testSubType + " " + "Vulnerable: " + vulnerable + "\n"); + bld.append("Test: " + testSuperType + " " + testSubType + " Vulnerable: " + vulnerable + + (vulnerable ? " Severity : " + severity : "") + "\n"); for (TestResult testResult : testResults) { Gson gson = new Gson(); Map json = gson.fromJson(testResult.getOriginalMessage(), new TypeToken>(){}.getType()); From 2b97d75f165a7393618d554cc7143a26f6eed03b Mon Sep 17 00:00:00 2001 From: notshivansh Date: Sat, 14 Oct 2023 22:31:54 +0530 Subject: [PATCH 11/27] add unit tests for cicd and scheduled tests and add more logs --- apps/dashboard/pom.xml | 6 + .../akto/action/testing/StartTestAction.java | 1 + .../action/testing/TestStartTestAction.java | 135 +++++++++++++++++- .../java/com/akto/testing/ApiExecutor.java | 5 + 4 files changed, 146 insertions(+), 1 deletion(-) diff --git a/apps/dashboard/pom.xml b/apps/dashboard/pom.xml index 7c25a66bc1..7524fb542c 100644 --- a/apps/dashboard/pom.xml +++ b/apps/dashboard/pom.xml @@ -215,6 +215,12 @@ mvc-auth-commons 1.9.5 + + org.mockito + mockito-core + 3.12.4 + test + src/main/java diff --git a/apps/dashboard/src/main/java/com/akto/action/testing/StartTestAction.java b/apps/dashboard/src/main/java/com/akto/action/testing/StartTestAction.java index e30754e777..0b0a84f9d8 100644 
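Review bot: The rewritten `Test: …` line builds the whole string with `+` and a nested ternary inside a single `bld.append(...)`, which defeats the `StringBuilder` and is hard to scan; chain the appends instead: `bld.append("Test: ").append(testSuperType).append(' ').append(testSubType).append(" Vulnerable: ").append(vulnerable);` followed by `if (vulnerable) { bld.append(" Severity : ").append(severity); }` and then `bld.append('\n');`. A `null` `severity` would also print literally as `Severity : null`; since `toConsoleString(String severity)` takes the same parameter, a shared null-to-"UNKNOWN" normalisation would keep both renderings consistent. The loop over `testResults` and the remainder of the method run past the end of the hunk.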
--- a/apps/dashboard/src/main/java/com/akto/action/testing/StartTestAction.java +++ b/apps/dashboard/src/main/java/com/akto/action/testing/StartTestAction.java @@ -200,6 +200,7 @@ public String startTest() { 0, localTestingRun.getId(), localTestingRun.getId().toHexString(), 0); summary.setState(TestingRun.State.SCHEDULED); if(metadata!=null){ + loggerMaker.infoAndAddToDb("CICD test triggered at " + Context.now(), LogDb.DASHBOARD); summary.setMetadata(metadata); } TestingRunResultSummariesDao.instance.insertOne(summary); diff --git a/apps/dashboard/src/test/java/com/akto/action/testing/TestStartTestAction.java b/apps/dashboard/src/test/java/com/akto/action/testing/TestStartTestAction.java index 5722832789..38b7bb9c24 100644 --- a/apps/dashboard/src/test/java/com/akto/action/testing/TestStartTestAction.java +++ b/apps/dashboard/src/test/java/com/akto/action/testing/TestStartTestAction.java 
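Review bot: The new `loggerMaker.infoAndAddToDb("CICD test triggered at " + Context.now(), LogDb.DASHBOARD)` sits inside `if(metadata!=null)`, so it treats a non-null `metadata` as proof that the caller is a CI/CD pipeline; if any other caller can supply metadata the log is misleading, and the line carries nothing (no run id, no token utility) that lets an operator correlate it with a run. The accompanying test drives this action with `"utility"` set in the session, so that value is the better signal to key on, e.g. `loggerMaker.infoAndAddToDb("Test scheduled via " + utility + " for run " + localTestingRun.getHexId(), LogDb.DASHBOARD);` — the exact accessor for the session's utility lives outside this hunk. `startTest()` begins and ends outside the hunk.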
@@ -1,22 +1,46 @@ package com.akto.action.testing; import com.akto.MongoBasedTest; +import com.akto.action.ApiTokenAction; +import com.akto.dao.AccountSettingsDao; +import com.akto.dao.ApiTokensDao; +import com.akto.dao.UsersDao; import com.akto.dao.context.Context; import com.akto.dao.testing.TestingRunDao; import com.akto.dao.testing.TestingRunResultSummariesDao; +import com.akto.dto.AccountSettings; import com.akto.dto.ApiInfo; +import com.akto.dto.ApiToken; +import com.akto.dto.User; +import com.akto.dto.UserAccountEntry; +import com.akto.dto.ApiToken.Utility; import com.akto.dto.testing.*; import com.akto.dto.testing.TestingRun.State; import com.akto.dto.type.URLMethods; +import com.akto.filter.UserDetailsFilter; +import com.akto.util.Constants; import com.mongodb.BasicDBObject; import com.mongodb.client.model.Filters; +import com.mongodb.client.model.Updates; +import com.opensymphony.xwork2.Action; + import org.bson.conversions.Bson; import org.bson.types.ObjectId; import org.junit.Test; +import java.io.IOException; import java.util.*; +import javax.servlet.FilterChain; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpSession; + import static org.junit.Assert.assertEquals; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.verify; +import static org.mockito.Mockito.when; public class TestStartTestAction extends MongoBasedTest { 
@@ -108,7 +132,116 @@ public void testStartTest() { startTestAction.setTestingRunHexId(testingRunHexId); startTestAction.startTest(); - assertEquals(1,TestingRunDao.instance.findAll(new BasicDBObject()).size()); + List testingRuns = TestingRunDao.instance.findAll(new BasicDBObject()); + assertEquals(1,testingRuns.size()); + + testingRun = testingRuns.get(0); + assertEquals(State.SCHEDULED, testingRun.getState()); + + TestingRunDao.instance.updateOne(Constants.ID, new ObjectId(testingRunHexId), Updates.set(TestingRun.STATE, State.COMPLETED.toString())); + + int startTimestamp = Context.now() + 10000; + startTestAction.setStartTimestamp(startTimestamp); + + startTestAction.startTest(); + testingRun = TestingRunDao.instance.findOne(Constants.ID, new ObjectId(testingRunHexId)); + assertEquals(State.SCHEDULED, testingRun.getState()); + assertEquals(startTimestamp, testingRun.getScheduleTimestamp()); + + } + + @Test + public void testStartCICDTest() throws IOException, ServletException { + TestingRunDao.instance.getMCollection().drop(); + ApiTokensDao.instance.getMCollection().drop(); + UsersDao.instance.getMCollection().drop(); + AccountSettingsDao.instance.getMCollection().drop(); + TestingRunResultSummariesDao.instance.getMCollection().drop(); + + // create an CICD API token, mock a server request with it and check if it recognizes it. 
+ + UserAccountEntry userAccountEntry = new UserAccountEntry(); + userAccountEntry.setAccountId(ACCOUNT_ID); + userAccountEntry.setDefault(true); + Map accountAccessMap = new HashMap<>(); + accountAccessMap.put(ACCOUNT_ID+"", userAccountEntry); + + User user = new User(); + user.setLogin("test@akto.io"); + user.setAccounts(accountAccessMap); + + UsersDao.instance.insertOne(user); + AccountSettings acc = new AccountSettings(); + acc.setDashboardVersion("test - test - test"); + acc.setId(ACCOUNT_ID); + AccountSettingsDao.instance.insertOne(acc); + + Map userSession = new HashMap<>(); + userSession.put("user",user); + + ApiTokenAction apiTokenAction = new ApiTokenAction(); + apiTokenAction.setSession(userSession); + apiTokenAction.setTokenUtility(Utility.CICD); + String res = apiTokenAction.addApiToken(); + + assertEquals(Action.SUCCESS.toUpperCase(), res); + + List apiTokens = apiTokenAction.getApiTokenList(); + assertEquals(1, apiTokens.size()); + + ApiToken apiToken = apiTokens.get(0); + assertEquals(Utility.CICD, apiToken.getUtility()); + + HttpServletRequest httpServletRequest = mock(HttpServletRequest.class); + HttpServletResponse httpServletResponse = mock(HttpServletResponse.class); + HttpSession httpSession = mock(HttpSession.class); + FilterChain filterChain = mock(FilterChain.class); + + when(httpServletRequest.getHeader("X-API-KEY")).thenReturn(apiToken.getKey()); + when(httpServletRequest.getRequestURI()).thenReturn("/api/startTest"); + when(httpServletRequest.getSession(true)).thenReturn(httpSession); + when(httpServletRequest.getSession()).thenReturn(httpSession); + when(httpSession.getAttribute("accountId")).thenReturn(ACCOUNT_ID); + + UserDetailsFilter userDetailsFilter = new UserDetailsFilter(); + userDetailsFilter.doFilter(httpServletRequest, httpServletResponse, + filterChain); + + // verify if cicd token is recognized. 
+ verify(httpSession).setAttribute("utility", Utility.CICD.toString()); + verify(httpSession).setAttribute("accountId", String.valueOf(ACCOUNT_ID)); + + // check completion of filter chain + verify(filterChain).doFilter(httpServletRequest, httpServletResponse); + + CollectionWiseTestingEndpoints collectionWiseTestingEndpoints = new CollectionWiseTestingEndpoints(1000); + TestingRun testingRun = new TestingRun(Context.now(), "", collectionWiseTestingEndpoints, 0, + TestingRun.State.COMPLETED, 0, "test", ""); + TestingRunDao.instance.insertOne(testingRun); + String testingRunHexId = testingRun.getHexId(); + + assertEquals(1, TestingRunDao.instance.findAll(new BasicDBObject()).size()); + + // trigger startTest API with CICD session. + StartTestAction startTestAction = new StartTestAction(); + Map testSession = new HashMap<>(); + testSession.put("utility", Utility.CICD.toString()); + startTestAction.setSession(testSession); + startTestAction.setTestingRunHexId(testingRunHexId); + Map metadata = new HashMap<>(); + metadata.put("test", "test"); + startTestAction.setMetadata(metadata); + startTestAction.startTest(); + + assertEquals(1, TestingRunDao.instance.findAll(new BasicDBObject()).size()); + + List summariesFromDb = TestingRunResultSummariesDao.instance.findAll(new BasicDBObject()); + assertEquals(1, summariesFromDb.size()); + + TestingRunResultSummary summary = summariesFromDb.get(0); + + assertEquals(metadata, summary.getMetadata()); + } } diff --git a/apps/testing/src/main/java/com/akto/testing/ApiExecutor.java b/apps/testing/src/main/java/com/akto/testing/ApiExecutor.java index d3c4e1d9cb..1e6731fb7e 100644 --- a/apps/testing/src/main/java/com/akto/testing/ApiExecutor.java +++ b/apps/testing/src/main/java/com/akto/testing/ApiExecutor.java 
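Review bot: `testStartCICDTest` only exercises the accept path of `UserDetailsFilter`: a valid CICD key is presented and `verify(filterChain).doFilter(...)` confirms the chain continued, but nothing asserts that a missing, unknown or non-CICD `X-API-KEY` is stopped, which is the property that actually protects `/api/startTest`. Add a negative case with `when(httpServletRequest.getHeader("X-API-KEY")).thenReturn("not-a-real-key");` and `verify(filterChain, never()).doFilter(httpServletRequest, httpServletResponse);`, plus whatever rejection the filter performs (status code or redirect) once confirmed from its source, which is not in this diff. The stub `when(httpSession.getAttribute("accountId")).thenReturn(ACCOUNT_ID)` returns an int while the verification expects `String.valueOf(ACCOUNT_ID)` to be stored, so the stub and the assertion disagree about the attribute's type; align them so the test cannot pass by accident. The later `startTest()` call also hand-builds `testSession`, so the filter-to-action path is still not tested end to end.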
@@ -25,7 +25,12 @@ private static OriginalHttpResponse common(Request request, boolean followRedire Integer accountId = Context.accountId.get(); if (accountId != null) { + boolean rateLimitHit = true; while (RateLimitHandler.getInstance(accountId).shouldWait(request)) { + if(rateLimitHit){ + loggerMaker.infoAndAddToDb("Rate limit hit, sleeping", LogDb.TESTING); + } + rateLimitHit = false; Thread.sleep(1000); } } From 4846aaa34396c4b568af78c4a8b884dc217a2775 Mon Sep 17 00:00:00 2001 From: notshivansh Date: Mon, 16 Oct 2023 12:35:19 +0530 Subject: [PATCH 12/27] add support for enter key on create collection --- .../pages/observe/api_collections/ApiCollections.jsx | 4 ++-- apps/dashboard/web/polaris_web/web/src/util/func.js | 7 +++++++ 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/observe/api_collections/ApiCollections.jsx b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/observe/api_collections/ApiCollections.jsx index 41626613a5..0648d2ffc7 100644 --- a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/observe/api_collections/ApiCollections.jsx +++ b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/observe/api_collections/ApiCollections.jsx @@ -153,7 +153,7 @@ function ApiCollections() { }} > - +
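Review bot: `rateLimitHit` is `true` before any wait has happened and `false` after the first one, so the name states the opposite of what the flag tracks, and `if(rateLimitHit)` reads as "if the limit was hit" when it means "if we have not logged yet". Rename and invert it: `boolean waitLogged = false;` then `if (!waitLogged) { loggerMaker.infoAndAddToDb("Rate limit hit, sleeping", LogDb.TESTING); waitLogged = true; }`. The message could also include `accountId` (already in scope) so the entry is attributable, and the loop still has no upper bound on total wait time, which this commit leaves as is. `common(...)` starts and ends outside the hunk.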
func.handleKeyPress(e, createNewCollection)}> - +
) diff --git a/apps/dashboard/web/polaris_web/web/src/util/func.js b/apps/dashboard/web/polaris_web/web/src/util/func.js index 8e902ff39a..7e818977cb 100644 --- a/apps/dashboard/web/polaris_web/web/src/util/func.js +++ b/apps/dashboard/web/polaris_web/web/src/util/func.js @@ -1067,6 +1067,13 @@ getSizeOfFile(bytes) { } return duration.trim(); }, + handleKeyPress (event, funcToCall) { + const enterKeyPressed = event.keyCode === 13; + if (enterKeyPressed) { + event.preventDefault(); + funcToCall(); + } + } } export default func \ No newline at end of file From 15d97a05bdbf79aab0d9e7702e8445535bf4aaa9 Mon Sep 17 00:00:00 2001 From: notshivansh Date: Mon, 16 Oct 2023 14:18:58 +0530 Subject: [PATCH 13/27] add statement for no vulnerabilities --- apps/testing-cli/src/main/java/com/akto/testing_cli/Main.java | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apps/testing-cli/src/main/java/com/akto/testing_cli/Main.java b/apps/testing-cli/src/main/java/com/akto/testing_cli/Main.java index 7ef74eedd0..26b11a973e 100644 --- a/apps/testing-cli/src/main/java/com/akto/testing_cli/Main.java +++ b/apps/testing-cli/src/main/java/com/akto/testing_cli/Main.java @@ -422,6 +422,8 @@ public static void main(String[] args) { } writer.write("\n ********************* \n\n"); } + } else { + writer.write("No vulnerabilities found \n\n"); } if(outputLevel.equals(OUTPUT_LEVEL.DEBUG)){ From d70f3462f36687f465d9815a33def0c7c001a8a8 Mon Sep 17 00:00:00 2001 From: Avneesh Hota Date: Tue, 17 Oct 2023 16:28:15 +0530 Subject: [PATCH 14/27] replace multiple differents vars --- .../execution/VariableResolver.java | 17 ++++--- .../execution/TestVariableResolver.java | 44 +++++++++++++++++++ 2 files changed, 52 insertions(+), 9 deletions(-) create mode 100644 apps/testing/src/test/java/com/akto/test_editor/execution/TestVariableResolver.java 
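Review bot: `handleKeyPress` tests `event.keyCode === 13`, but `KeyboardEvent.keyCode` is deprecated and is reported as 0 or 229 by some inputs (IME composition, virtual keyboards); use the standard property, `const enterKeyPressed = event.key === "Enter";`. Since `funcToCall()` fires unconditionally on Enter, a caller wiring it to a create action (as `ApiCollections.jsx` does in this commit) may also trigger on the Enter that ends an IME composition; checking `event.isComposing` (or `event.nativeEvent.isComposing` if a React synthetic event is passed — confirm from the call site) avoids that. A one-line doc comment would also help, e.g. `// On Enter: cancel the default action and invoke funcToCall() with no arguments.`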
diff --git a/apps/testing/src/main/java/com/akto/test_editor/execution/VariableResolver.java b/apps/testing/src/main/java/com/akto/test_editor/execution/VariableResolver.java index 15906b8105..9fabbdfca9 100644 --- a/apps/testing/src/main/java/com/akto/test_editor/execution/VariableResolver.java +++ b/apps/testing/src/main/java/com/akto/test_editor/execution/VariableResolver.java @@ -26,26 +26,25 @@ public static String resolveExpression(Map varMap, String expres Pattern pattern = Pattern.compile("\\$\\{[^}]*\\}"); Matcher matcher = pattern.matcher(expression); - if (matcher.find()) { + while (matcher.find()) { try { String match = matcher.group(0); match = match.substring(2, match.length()); match = match.substring(0, match.length() - 1); Object val = getValue(varMap, match); String valString = val.toString(); - expression = expression.replaceAll("(\\$\\{[^}]*\\})", valString); + expression = expression.replaceFirst("(\\$\\{[^}]*\\})", valString); } catch (Exception e) { return expression; } + } + + Object val = getValue(varMap, expression); + if (val == null) { + return expression; } else { - Object val = getValue(varMap, expression); - if (val == null) { - return expression; - } else { - return val.toString(); - } + return val.toString(); } - return expression; } diff --git a/apps/testing/src/test/java/com/akto/test_editor/execution/TestVariableResolver.java b/apps/testing/src/test/java/com/akto/test_editor/execution/TestVariableResolver.java new file mode 100644 index 0000000000..eb94bf744f --- /dev/null +++ b/apps/testing/src/test/java/com/akto/test_editor/execution/TestVariableResolver.java 
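Review bot: `expression.replaceFirst("(\\$\\{[^}]*\\})", valString)` passes the resolved value as a regex replacement string, so a value containing `$` or `\` (a response body, a password, a literal `$1`) is interpreted as a group reference or escape and either corrupts the result or throws, which the `catch (Exception e)` then turns into a silently half-resolved expression. Wrap the value: `expression = expression.replaceFirst("(\\$\\{[^}]*\\})", Matcher.quoteReplacement(valString));`. Note also that the trailing `getValue(varMap, expression)` now runs on the already substituted text, so a value that happens to equal another variable's name is resolved a second time (`var1 -> "var2"` would yield `user2`); if that is not intended, return `expression` directly once at least one placeholder has been replaced. `Pattern.compile` per call can be hoisted to a `private static final` field. The enclosing class is outside the hunk.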
@@ -0,0 +1,44 @@ +package com.akto.test_editor.execution; + +import org.junit.Test; + +import java.util.HashMap; +import java.util.Map; + +import static junit.framework.TestCase.assertEquals; + +public class TestVariableResolver { + + @Test + public void testResolveExpression() { + Map varMap = new HashMap<>(); + varMap.put("var1", "user1"); + varMap.put("var2", "user2"); + String result = VariableResolver.resolveExpression(varMap, "${var1}"); + assertEquals("user1", result); + result = VariableResolver.resolveExpression(varMap, "var1"); + assertEquals("user1", result); + + result = VariableResolver.resolveExpression(varMap, "${var1}!!!"); + assertEquals("user1!!!", result); + result = VariableResolver.resolveExpression(varMap, "var1!!!"); + assertEquals("var1!!!", result); + + result = VariableResolver.resolveExpression(varMap, "${var1}${var2}"); + assertEquals("user1user2", result); + result = VariableResolver.resolveExpression(varMap, "var1${var2}"); + assertEquals("var1user2", result); + + result = VariableResolver.resolveExpression(varMap, "${var1}&${var2}"); + assertEquals("user1&user2", result); + result = VariableResolver.resolveExpression(varMap, "var1&${var2}"); + assertEquals("var1&user2", result); + + result = VariableResolver.resolveExpression(varMap, "${var3}"); + assertEquals("${var3}", result); + + result = VariableResolver.resolveExpression(varMap, "${var1}${var1}"); + assertEquals("user1user1", result); + } + +} From 6736ee949c89e2189e2258634e09d055e6bc9ecb Mon Sep 17 00:00:00 2001 From: Avneesh Hota Date: Tue, 17 Oct 2023 16:31:52 +0530 Subject: [PATCH 15/27] added unit test --- .../com/akto/test_editor/execution/TestVariableResolver.java | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apps/testing/src/test/java/com/akto/test_editor/execution/TestVariableResolver.java b/apps/testing/src/test/java/com/akto/test_editor/execution/TestVariableResolver.java index eb94bf744f..edc6aac402 100644 
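Review bot: The new test covers placeholder placement but not the values themselves: there is no case where a variable's value contains `$` or `\`, where a value is `null`, where a known and an unknown placeholder are mixed (`${var1}${var3}`), or where a value equals another variable's name. Add, for example, `varMap.put("dollar", "a$1b"); assertEquals("a$1b", VariableResolver.resolveExpression(varMap, "${dollar}"));`, which pins whether the replacement is treated literally. A mixed case such as `assertEquals("${var1}${var3}", VariableResolver.resolveExpression(varMap, "${var1}${var3}"));` (or whatever partial resolution is intended) would also pin the early `return expression` path, which is currently untested.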
--- a/apps/testing/src/test/java/com/akto/test_editor/execution/TestVariableResolver.java +++ b/apps/testing/src/test/java/com/akto/test_editor/execution/TestVariableResolver.java @@ -39,6 +39,9 @@ public void testResolveExpression() { result = VariableResolver.resolveExpression(varMap, "${var1}${var1}"); assertEquals("user1user1", result); + + result = VariableResolver.resolveExpression(varMap, "akto"); + assertEquals("akto", result); } } From 9ac967b4733baa43eff1dd77e62271d6a6d3cbd4 Mon Sep 17 00:00:00 2001 From: notshivansh Date: Wed, 18 Oct 2023 13:59:23 +0530 Subject: [PATCH 16/27] add code for cve support --- .../action/testing_issues/IssuesAction.java | 1 + .../components/editor_config/keywords.js | 2 +- .../pages/testing/ExportHtml/ExportHtml.jsx | 87 +------- .../TestRunResultPage/TestRunResultPage.jsx | 10 +- .../apps/dashboard/pages/testing/transform.js | 209 +++++++++++++----- .../src/apps/dashboard/tools/TextEditor.vue | 2 +- .../testing/components/PDFExportHTML.vue | 14 ++ .../testing/components/TestResultsDialog.vue | 21 +- .../java/com/akto/dto/test_editor/Info.java | 13 +- 9 files changed, 215 insertions(+), 144 deletions(-) diff --git a/apps/dashboard/src/main/java/com/akto/action/testing_issues/IssuesAction.java b/apps/dashboard/src/main/java/com/akto/action/testing_issues/IssuesAction.java index fe8aab3ec7..a7b3b59f9f 100644 --- a/apps/dashboard/src/main/java/com/akto/action/testing_issues/IssuesAction.java +++ b/apps/dashboard/src/main/java/com/akto/action/testing_issues/IssuesAction.java @@ -197,6 +197,7 @@ public static BasicDBObject createSubcategoriesInfoObj(TestConfig testConfig) { infoObj.put("testName", info.getName()); infoObj.put("references", info.getReferences()); infoObj.put("cwe", info.getCwe()); + infoObj.put("cve", info.getCve()); infoObj.put("name", testConfig.getId()); infoObj.put("_name", testConfig.getId()); infoObj.put("content", testConfig.getContent()); 
diff --git a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/components/editor_config/keywords.js b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/components/editor_config/keywords.js index 61e6bb94cb..4b6271e482 100644 --- a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/components/editor_config/keywords.js +++ b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/components/editor_config/keywords.js @@ -12,7 +12,7 @@ const keywords = [ "api_selection_filters", "execute", "type", "auth", "validate", "authenticated", "private_variable_context", "param_context", "endpoint_in_traffic_context", "sample_request_payload", "sample_response_payload", "sample_request_headers", "sample_response_headers", - "test_request_payload", "test_response_payload", "test_request_headers", "test_response_headers", "cwe" + "test_request_payload", "test_response_payload", "test_request_headers", "test_response_headers", "cwe", "cve" ] export default keywords \ No newline at end of file diff --git a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/testing/ExportHtml/ExportHtml.jsx b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/testing/ExportHtml/ExportHtml.jsx index 5f69572f69..7b30503376 100644 --- a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/testing/ExportHtml/ExportHtml.jsx +++ b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/testing/ExportHtml/ExportHtml.jsx 
@@ -4,7 +4,7 @@ import issuesApi from '../../issues/api'; import api from '../api'; import PersistStore from '../../../../main/PersistStore'; import { Avatar, Box, Button,Frame, HorizontalGrid, HorizontalStack, LegacyCard, Text, TopBar, VerticalStack, Icon, Badge, List, Link } from '@shopify/polaris' -import {FlagMajor, CollectionsMajor, ResourcesMajor, InfoMinor, CreditCardSecureMajor} from "@shopify/polaris-icons" +import {FlagMajor, CollectionsMajor, ResourcesMajor, InfoMinor, CreditCardSecureMajor, FraudProtectMajor} from "@shopify/polaris-icons" import func from '@/util/func' import './styles.css' import transform from '../transform'; @@ -34,6 +34,11 @@ function ExportHtml() { title: "CWE", content: "" }, + { + icon: FraudProtectMajor, + title: "CVE", + content: "" + }, { icon: ResourcesMajor, title: "References", 
@@ -183,85 +188,7 @@ function ExportHtml() { } const fillContent = (item) => { - let filledSection = [] - moreInfoSections.forEach((section) => { - let sectionLocal = {} - sectionLocal.icon = section.icon - sectionLocal.title = section.title - switch(section.title) { - case "Description": - sectionLocal.content = ( - - {replaceTags(item.category.issueDetails, item.category.vulnerableTestingRunResults) || "No impact found"} - - ) - break; - case "Impact": - sectionLocal.content = ( - - {item.category.issueImpact || "No impact found"} - - ) - break; - case "Tags": - sectionLocal.content = ( - - { - item?.category?.issueTags?.map((tag, index) => { - return ( - {tag} - ) - }) - } - - ) - - break; - case "CWE": - sectionLocal.content = ( - - { - transform.tagList(item?.category?.cwe, true) - } - - ) - break; - case "References": - sectionLocal.content = ( - - { - item?.category?.references?.map((reference) => { - return ( - - - - {reference} - - - - ) - }) - } - - ) - break; - } - filledSection.push(sectionLocal) - }) - return filledSection - } - - const replaceTags = (details, vulnerableRequests) => { - let percentageMatch = 0; - vulnerableRequests?.forEach((request) => { - let testRun = request['testResults'] - testRun?.forEach((runResult) => { - if (percentageMatch < runResult.percentageMatch) { - percentageMatch = runResult.percentageMatch - } - }) - }) - return details.replace(/{{percentageMatch}}/g, func.prettifyShort(percentageMatch)) + return transform.fillMoreInformation(item.category, moreInfoSections); } diff --git a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/testing/TestRunResultPage/TestRunResultPage.jsx b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/testing/TestRunResultPage/TestRunResultPage.jsx index 6bca26bcbc..a14a195040 100644 --- a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/testing/TestRunResultPage/TestRunResultPage.jsx 
+++ b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/testing/TestRunResultPage/TestRunResultPage.jsx @@ -7,7 +7,8 @@ import { CollectionsMajor, FlagMajor, CreditCardSecureMajor, - MarketingMajor} from '@shopify/polaris-icons'; + MarketingMajor, + FraudProtectMajor} from '@shopify/polaris-icons'; import { Text, Button, @@ -83,6 +84,11 @@ let moreInfoSections = [ title: "CWE", content: "" }, + { + icon: FraudProtectMajor, + title: "CVE", + content: "" + }, { icon: MarketingMajor, title: "API endpoints affected", @@ -185,7 +191,7 @@ function TestRunResultPage(props) { await api.fetchAffectedEndpoints(runIssues.id).then((resp1) => { runIssuesArr = resp1['similarlyAffectedIssues']; }) - setInfoState(transform.fillMoreInformation(runIssues, runIssuesArr,subCategoryMap, moreInfoSections)) + setInfoState(transform.fillMoreInformation(subCategoryMap[runIssues?.id?.testSubCategory],moreInfoSections, runIssuesArr)) } else { setIssueDetails(...[{}]); } diff --git a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/testing/transform.js b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/testing/transform.js index b0e7a4c866..b5e45e78e9 100644 --- a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/testing/transform.js +++ b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/testing/transform.js 
@@ -99,17 +99,32 @@ function checkTestFailure(summaryState, testRunState){ return false; } +function getCweLink(item){ + let linkUrl = "" + let cwe = item.split("-") + if(cwe[1]){ + linkUrl = `https://cwe.mitre.org/data/definitions/${cwe[1]}.html` + } + return linkUrl; +} + +function getCveLink(item){ + return `https://nvd.nist.gov/vuln/detail/${item}` +} + const transform = { - tagList : (list, cweLink) => { + tagList : (list, linkType) => { let ret = list?.map((tag, index) => { let linkUrl = "" - if(cweLink){ - let cwe = tag.split("-") - if(cwe[1]){ - linkUrl = `https://cwe.mitre.org/data/definitions/${cwe[1]}.html` - } + switch(linkType){ + case "CWE": + linkUrl = getCweLink(tag) + break; + case "CVE": + linkUrl = getCveLink(tag) + break; } return ( @@ -214,6 +229,8 @@ const transform = { obj['nextUrl'] = "/dashboard/testing/"+ hexId + "/result/" + data.hexId; obj['cwe'] = subCategoryMap[data.testSubType]?.cwe ? subCategoryMap[data.testSubType]?.cwe : [] obj['cweDisplay'] = minimizeTagList(obj['cwe']) + obj['cve'] = subCategoryMap[data.testSubType]?.cve ? subCategoryMap[data.testSubType]?.cve : [] + obj['cveDisplay'] = minimizeTagList(obj['cve']) return obj; }, prepareTestRunResults : (hexId, testingRunResults, subCategoryMap, subCategoryFromSourceConfigMap) => { 
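Review bot: `getCveLink` interpolates the raw tag into `https://nvd.nist.gov/vuln/detail/${item}` and `getCweLink` does the same with `cwe[1]`, with no check that the value looks like an identifier; since `cve`/`cwe` come from test-template `info` blocks that users edit in the test editor (this commit adds `cve` to the editor keywords), a value such as `CVE-2023-1234/../../x?y=` produces an arbitrary NVD path and a non-numeric CWE yields a dead link. Validate and encode before building the href, e.g. `if (!/^CVE-\d{4}-\d{4,}$/i.test(item)) return "";` followed by `return "https://nvd.nist.gov/vuln/detail/" + encodeURIComponent(item.toUpperCase());`, and `if (!/^\d+$/.test(cwe[1])) return "";` for CWE. The `switch(linkType)` in `tagList` has no `default`, which is correct because `linkUrl` starts as `""`, but a short comment saying so would stop a future reader from "fixing" it.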
@@ -256,58 +273,140 @@ const transform = { } return [] }, - fillMoreInformation(runIssues, runIssuesArr, subCategoryMap, moreInfoSections){ - moreInfoSections[0].content = ( - - {subCategoryMap[runIssues.id?.testSubCategory]?.issueImpact || "No impact found"} - - ) - moreInfoSections[1].content = ( - - { - transform.tagList(subCategoryMap[runIssues.id.testSubCategory]?.issueTags) + + replaceTags(details, vulnerableRequests) { + let percentageMatch = 0; + vulnerableRequests?.forEach((request) => { + let testRun = request['testResults'] + testRun?.forEach((runResult) => { + if (percentageMatch < runResult.percentageMatch) { + percentageMatch = runResult.percentageMatch + } + }) + }) + return details.replace(/{{percentageMatch}}/g, func.prettifyShort(percentageMatch)) + }, + + fillMoreInformation(category, moreInfoSections, affectedEndpoints) { + + let filledSection = [] + moreInfoSections.forEach((section) => { + let sectionLocal = {} + sectionLocal.icon = section.icon + sectionLocal.title = section.title + switch (section.title) { + case "Description": + + if(category?.issueDetails == null || category?.issueDetails == undefined){ + return; + } + + sectionLocal.content = ( + + {transform.replaceTags(category?.issueDetails, category?.vulnerableTestingRunResults) || "No impact found"} + + ) + break; + case "Impact": + + if(category?.issueImpact == null || category?.issueImpact == undefined){ + return; } - - ) - moreInfoSections[2].content = ( - - { - transform.tagList(subCategoryMap[runIssues.id.testSubCategory]?.cwe, true) + + sectionLocal.content = ( + + {category?.issueImpact || "No impact found"} + + ) + break; + case "Tags": + if (category?.issueTags == null || category?.issueTags == undefined || category?.issueTags.length == 0) { + return; } - - ) - moreInfoSections[4].content = ( - - { - subCategoryMap[runIssues.id?.testSubCategory]?.references?.map((reference) => { - return ( - - - - {reference} - - - - ) - }) + + sectionLocal.content = ( + + { + 
transform.tagList(category?.issueTags) + } + + ) + + break; + case "CWE": + if (category?.cwe == null || category?.cwe == undefined || category?.cwe.length == 0) { + return; } - - ) - moreInfoSections[3].content = ( - - { - runIssuesArr?.map((item, index) => { - return ( - - - {item.id.apiInfoKey.method} {item.id.apiInfoKey.url} - - ) - }) - } - - ) - return moreInfoSections; + sectionLocal.content = ( + + { + transform.tagList(category?.cwe, "CWE") + } + + ) + break; + case "CVE": + if (category?.cve == null || category?.cve == undefined || category?.cve.length == 0) { + return; + } + sectionLocal.content = ( + + { + transform.tagList(category?.cve, "CVE") + } + + ) + break; + case "References": + + if (category?.references == null || category?.references == undefined || category?.references.length == 0) { + return; + } + + sectionLocal.content = ( + + { + category?.references?.map((reference) => { + return ( + + + + {reference} + + + + ) + }) + } + + ) + break; + case "API endpoints affected": + + if (affectedEndpoints == null || affectedEndpoints == undefined || affectedEndpoints.length == 0) { + return; + } + + sectionLocal.content = ( + + { + affectedEndpoints?.map((item, index) => { + return ( + + + {item.id.apiInfoKey.method} {item.id.apiInfoKey.url} + + ) + }) + } + + ) + break; + } + filledSection.push(sectionLocal) + }) + + return filledSection; }, filterContainsConditions(conditions, operator) { //operator is string as 'OR' or 'AND' diff --git a/apps/dashboard/web/src/apps/dashboard/tools/TextEditor.vue b/apps/dashboard/web/src/apps/dashboard/tools/TextEditor.vue index 83927bf7c4..4931f4b7a0 100644 --- a/apps/dashboard/web/src/apps/dashboard/tools/TextEditor.vue +++ b/apps/dashboard/web/src/apps/dashboard/tools/TextEditor.vue 
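Review bot: Each guard in `fillMoreInformation` spells the same test redundantly — `category?.issueDetails == null || category?.issueDetails == undefined`, plus `.length == 0` for lists — although `== null` already matches `undefined`; a tiny helper states the intent once, `const isBlank = (v) => v == null || (Array.isArray(v) && v.length === 0);` and then `if (isBlank(category?.cwe)) return;`. Those `return` statements sit inside a `forEach` callback, so they skip one section rather than exit the function, which is correct but easy to break in a refactor to a plain `for` loop; add `// skip sections with no data (return only exits this callback)`. `replaceTags` calls `details.replace` without its own guard and relies on the Description branch having checked `issueDetails`; a JSDoc `@param {string} details` would record that assumption for other callers.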
@@ -330,7 +330,7 @@ export default { "api_selection_filters", "execute", "type", "auth", "validate", "authenticated", "private_variable_context", "param_context", "endpoint_in_traffic_context", "sample_request_payload", "sample_response_payload", "sample_request_headers", "sample_response_headers", - "test_request_payload", "test_response_payload", "test_request_headers", "test_response_headers", "cwe" + "test_request_payload", "test_response_payload", "test_request_headers", "test_response_headers", "cwe", "cve" ], textEditor: null, testCategories: [], diff --git a/apps/dashboard/web/src/apps/dashboard/views/testing/components/PDFExportHTML.vue b/apps/dashboard/web/src/apps/dashboard/views/testing/components/PDFExportHTML.vue index 50bc1f3edb..89363d47f8 100644 --- a/apps/dashboard/web/src/apps/dashboard/views/testing/components/PDFExportHTML.vue +++ b/apps/dashboard/web/src/apps/dashboard/views/testing/components/PDFExportHTML.vue @@ -76,6 +76,20 @@ + + + CVE + + + + {{ chipItem }} + + +
diff --git a/apps/dashboard/web/src/apps/dashboard/views/testing/components/TestResultsDialog.vue b/apps/dashboard/web/src/apps/dashboard/views/testing/components/TestResultsDialog.vue index 36fe681636..1d0f401f01 100644 --- a/apps/dashboard/web/src/apps/dashboard/views/testing/components/TestResultsDialog.vue +++ b/apps/dashboard/web/src/apps/dashboard/views/testing/components/TestResultsDialog.vue @@ -40,7 +40,13 @@ +
@@ -190,14 +196,21 @@ export default { return highlightPaths }, - goToCwePage(item){ + getCweLink(item){ let cwe = item.split("-") if(cwe[1]){ cwe = cwe[1] } else { - return; + return ""; } - return window.open(`https://cwe.mitre.org/data/definitions/${cwe}.html`, "_blank") + return `https://cwe.mitre.org/data/definitions/${cwe}.html` + }, + getCveLink(item){ + console.log(item); + return `https://nvd.nist.gov/vuln/detail/${item}` + }, + goToPage(link){ + return window.open(link, "_blank") } }, watch: { diff --git a/libs/dao/src/main/java/com/akto/dto/test_editor/Info.java b/libs/dao/src/main/java/com/akto/dto/test_editor/Info.java index 974504a882..3ba78bc8f6 100644 --- a/libs/dao/src/main/java/com/akto/dto/test_editor/Info.java +++ b/libs/dao/src/main/java/com/akto/dto/test_editor/Info.java @@ -24,8 +24,10 @@ public class Info { private List cwe; + private List cve; + public Info(String name, String description, String details, String impact, Category category, String subCategory, - String severity, List tags, List references, List cwe) { + String severity, List tags, List references, List cwe, List cve) { this.name = name; this.description = description; this.details = details; @@ -36,6 +38,7 @@ public Info(String name, String description, String details, String impact, Cate this.tags = tags; this.references = references; this.cwe = cwe; + this.cve = cve; } public Info() { } @@ -120,4 +123,12 @@ public void setCwe(List cwe) { this.cwe = cwe; } + public List getCve() { + return cve; + } + + public void setCve(List cve) { + this.cve = cve; + } + } From 345f4c536ee817d401e0fa9a0692d8091bafef84 Mon Sep 17 00:00:00 2001 
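Review bot: `getCveLink` interpolates `item` into the NVD URL with no validation, and `getCweLink` only checks that splitting on `-` produced a second element, so a template-authored value containing `/`, `?` or `..` yields a link to an unintended path; check the shape first, e.g. `if (!/^CVE-\d{4}-\d{4,}$/.test(item)) return "";` in `getCveLink` and `if (!/^\d+$/.test(cwe)) return "";` in `getCweLink`. The `console.log(item)` in `getCveLink` looks like leftover debugging and writes every CVE value to the browser console. `goToPage` opens data-derived URLs with `window.open(link, "_blank")`; passing `"noopener,noreferrer"` as the third argument keeps the opened page from reaching `window.opener`. The `methods` object continues outside the hunk.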
From: arjun Date: Thu, 19 Oct 2023 23:28:38 +0530 Subject: [PATCH 17/27] CVEs added to templates --- .../inbuilt_test_yaml_files/AbusingCRLFInHeaders.yaml | 3 +++ .../main/resources/inbuilt_test_yaml_files/AddUserId.yaml | 2 ++ .../AirflowConfigurationExposure.yaml | 2 ++ .../inbuilt_test_yaml_files/AmazonDockerConfig.yaml | 2 ++ .../main/resources/inbuilt_test_yaml_files/ApacheConfig.yaml | 2 ++ .../main/resources/inbuilt_test_yaml_files/AppendXSS.yaml | 4 ++++ .../inbuilt_test_yaml_files/BOLAByChangingAuthToken.yaml | 2 ++ .../src/main/resources/inbuilt_test_yaml_files/BasicXSS.yaml | 3 +++ .../inbuilt_test_yaml_files/BypassCaptchaRemovingCookie.yaml | 3 +++ .../inbuilt_test_yaml_files/BypassCaptchaUsingHeader.yaml | 3 +++ .../CORSMisconfigurationInvalidOrigin.yaml | 3 +++ .../CORSMisconfigurationWhitelistOrigin.yaml | 2 ++ .../resources/inbuilt_test_yaml_files/CSRFLoginAttack.yaml | 3 +++ .../main/resources/inbuilt_test_yaml_files/CgiPrintEnv.yaml | 2 ++ .../CommandInjectionByAddingQueryParams.yaml | 3 +++ .../main/resources/inbuilt_test_yaml_files/ConfigJson.yaml | 3 +++ .../main/resources/inbuilt_test_yaml_files/ConfigRuby.yaml | 2 ++ .../inbuilt_test_yaml_files/ConfigurationListing.yaml | 3 +++ .../inbuilt_test_yaml_files/ContentTypeHeaderMissing.yaml | 3 +++ .../inbuilt_test_yaml_files/CookieMisconfiguration.yaml | 3 +++ .../inbuilt_test_yaml_files/DefaultLoginCredentials.yml | 3 +++ .../DescriptiveErrorMessageInvalidPayloads.yaml | 3 +++ .../resources/inbuilt_test_yaml_files/DjangoUrlExposed.yaml | 2 ++ .../inbuilt_test_yaml_files/DockerComposeConfig.yaml | 2 ++ .../inbuilt_test_yaml_files/FetchSensitiveFilesViaSSRF.yaml | 2 ++ .../inbuilt_test_yaml_files/FirebaseConfigExposure.yaml | 3 +++ .../inbuilt_test_yaml_files/FirebaseUnauthenticated.yaml | 3 +++ .../inbuilt_test_yaml_files/FlaskDebugModeEnabled.yaml | 2 ++ .../inbuilt_test_yaml_files/FtpCredentialsExposure.yaml | 3 +++ .../main/resources/inbuilt_test_yaml_files/GitConfig.yaml | 2 ++ 
.../inbuilt_test_yaml_files/GitConfigNginxoffbyslash.yaml | 3 +++ .../inbuilt_test_yaml_files/GitCredentialsDisclosure.yaml | 2 ++ .../inbuilt_test_yaml_files/GithubWorkflowsDisclosure.yaml | 3 +++ .../GraphqlDevelopmentConsoleExposed.yaml | 2 ++ .../GraphqlFieldSuggestionEnabled.yaml | 2 ++ .../inbuilt_test_yaml_files/GraphqlIntrospectionEnabled.yaml | 2 ++ .../GraphqlTypeIntrospectionAllowed.yaml | 2 ++ .../resources/inbuilt_test_yaml_files/HeadMethodTest.yaml | 2 ++ .../inbuilt_test_yaml_files/HeaderReflectedInInvalidUrl.yaml | 4 +++- .../inbuilt_test_yaml_files/HttpResponseSplitting.yaml | 2 ++ .../resources/inbuilt_test_yaml_files/InvalidFileInput.yaml | 2 ++ .../main/resources/inbuilt_test_yaml_files/JwtAddJku.yaml | 2 ++ .../inbuilt_test_yaml_files/JwtInvalidSignature.yaml | 3 +++ .../main/resources/inbuilt_test_yaml_files/JwtNoneAlgo.yaml | 5 ++++- .../inbuilt_test_yaml_files/KernelOpenCommandInjection.yaml | 3 +++ .../KubernetesKustomizationDisclosure.yaml | 2 ++ .../resources/inbuilt_test_yaml_files/LFIAddingNewParam.yaml | 3 +++ .../resources/inbuilt_test_yaml_files/LFIInParameter.yaml | 2 ++ .../main/resources/inbuilt_test_yaml_files/LFIInPath.yaml | 2 ++ .../inbuilt_test_yaml_files/LaravelDebugModeEnabled.yaml | 2 ++ .../main/resources/inbuilt_test_yaml_files/LaravelEnv.yaml | 2 ++ .../inbuilt_test_yaml_files/MassAssignmentChangeAccount.yaml | 3 +++ .../inbuilt_test_yaml_files/MassAssignmentChangeAdmin.yaml | 3 +++ .../inbuilt_test_yaml_files/MassAssignmentChangeRole.yaml | 3 +++ .../MassAssignmentCreateAdminUser.yaml | 3 +++ .../inbuilt_test_yaml_files/MisconfiguredDocker.yaml | 3 +++ .../main/resources/inbuilt_test_yaml_files/MsmtpConfig.yaml | 2 ++ .../inbuilt_test_yaml_files/MustContainResponseHeaders.yaml | 3 +++ .../main/resources/inbuilt_test_yaml_files/NginxConfig.yaml | 3 +++ .../inbuilt_test_yaml_files/NginxDefaultPageEnabled.yaml | 2 ++ .../inbuilt_test_yaml_files/NginxServerVersionDisclosed.yaml | 2 ++ 
.../inbuilt_test_yaml_files/NginxStatusVisible.yaml | 3 +++ .../src/main/resources/inbuilt_test_yaml_files/NoAuth.yaml | 2 ++ .../resources/inbuilt_test_yaml_files/OldApiVersion.yaml | 2 ++ .../main/resources/inbuilt_test_yaml_files/OpenRedirect.yaml | 3 +++ .../OpenRedirectHostHeaderInjection.yaml | 3 +++ .../inbuilt_test_yaml_files/OpenRedirectInPath.yaml | 2 ++ .../OpenRedirectSubdomainWhitelist.yaml | 2 ++ .../inbuilt_test_yaml_files/OracleEbsCredentials.yaml | 3 +++ .../src/main/resources/inbuilt_test_yaml_files/PageDos.yaml | 3 +++ .../inbuilt_test_yaml_files/ParameterPollution.yaml | 2 ++ .../resources/inbuilt_test_yaml_files/ParametersConfig.yaml | 4 +++- .../inbuilt_test_yaml_files/PortScanningViaSSRF.yaml | 3 +++ .../inbuilt_test_yaml_files/RailsDebugModeEnabled.yaml | 2 ++ .../inbuilt_test_yaml_files/RailsDefaultHomepageEnabled.yaml | 2 ++ .../resources/inbuilt_test_yaml_files/RandomMethodTest.yaml | 3 +++ .../main/resources/inbuilt_test_yaml_files/RedisConfig.yaml | 3 +++ .../main/resources/inbuilt_test_yaml_files/RemoveCSRF.yaml | 3 +++ .../resources/inbuilt_test_yaml_files/RemoveCaptcha.yaml | 2 ++ .../main/resources/inbuilt_test_yaml_files/ReplaceCSRF.yaml | 3 +++ .../resources/inbuilt_test_yaml_files/ReplayCaptcha.yaml | 3 +++ .../inbuilt_test_yaml_files/RobomongoCredential.yaml | 3 +++ .../SSRFOnAWSMetaEndpointAbusingEnclosedAlphanumerics.yaml | 3 +++ .../inbuilt_test_yaml_files/SSRFOnAwsMetaEndpoint.yaml | 2 ++ .../resources/inbuilt_test_yaml_files/SSRFOnCSVUpload.yaml | 2 ++ .../main/resources/inbuilt_test_yaml_files/SSRFOnFiles.yaml | 3 +++ .../resources/inbuilt_test_yaml_files/SSRFOnImageUpload.yaml | 2 ++ .../resources/inbuilt_test_yaml_files/SSRFOnLocalhost.yaml | 2 ++ .../inbuilt_test_yaml_files/SSRFOnLocalhostDNSPinning.yaml | 2 ++ .../inbuilt_test_yaml_files/SSRFOnLocalhostEncoded.yaml | 2 ++ .../resources/inbuilt_test_yaml_files/SSRFOnPDFUpload.yaml | 2 ++ .../resources/inbuilt_test_yaml_files/SSRFOnXMLUpload.yaml | 2 ++ 
.../inbuilt_test_yaml_files/SSTIInFlaskAndJinja.yaml | 3 +++ .../resources/inbuilt_test_yaml_files/SSTIInFreemarker.yaml | 3 +++ .../main/resources/inbuilt_test_yaml_files/SSTIInTwig.yaml | 3 +++ .../resources/inbuilt_test_yaml_files/ServerPrivateKeys.yaml | 3 +++ .../inbuilt_test_yaml_files/ServerVersionExposedInvalid.yaml | 2 ++ .../inbuilt_test_yaml_files/ServerVersionExposedValid.yaml | 2 ++ .../resources/inbuilt_test_yaml_files/SessionFixation.yaml | 3 +++ .../inbuilt_test_yaml_files/SftpConfigExposure.yaml | 2 ++ .../inbuilt_test_yaml_files/SonarqubePublicProjects.yaml | 2 ++ .../SpringBootBeansActuatorExposed.yaml | 3 +++ .../SpringBootConfigPropsActuatorExposed.yaml | 3 +++ .../SpringBootEnvActuatorExposed.yaml | 3 +++ .../SpringBootHttpTraceActuatorExposed.yaml | 3 +++ .../SpringBootThreadDumpActuatorExposed.yaml | 3 +++ .../resources/inbuilt_test_yaml_files/SshAuthorizedKeys.yaml | 3 +++ .../resources/inbuilt_test_yaml_files/SshKnownHosts.yaml | 2 ++ .../inbuilt_test_yaml_files/TextInjectionViaInvalidUrls.yaml | 3 +++ .../resources/inbuilt_test_yaml_files/TraceMethodTest.yaml | 3 +++ .../resources/inbuilt_test_yaml_files/TrackMethodTest.yaml | 2 ++ .../inbuilt_test_yaml_files/UnauthenticatedMongoExpress.yaml | 3 +++ .../inbuilt_test_yaml_files/UnwantedResponseHeaders.yaml | 4 ++++ .../resources/inbuilt_test_yaml_files/WpconfigAwsKeys.yaml | 3 +++ .../main/resources/inbuilt_test_yaml_files/XSSInPath.yaml | 2 ++ .../resources/inbuilt_test_yaml_files/XSSViaFilename.yaml | 3 +++ 116 files changed, 298 insertions(+), 3 deletions(-) diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AbusingCRLFInHeaders.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AbusingCRLFInHeaders.yaml index d341aea33a..56b0339ab7 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AbusingCRLFInHeaders.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AbusingCRLFInHeaders.yaml 
@@ -24,6 +24,9 @@ info: - CWE-93 - CWE-74 - CWE-20 + cve: + - CVE-2020-15693 + - CVE-2023-0040 api_selection_filters: query_param: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AddUserId.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AddUserId.yaml index 9183922eb9..f03515a02a 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AddUserId.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AddUserId.yaml @@ -28,6 +28,8 @@ info: - CWE-639 - CWE-284 - CWE-285 + cve: + - CVE-2022-34621 auth: authenticated: true diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AirflowConfigurationExposure.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AirflowConfigurationExposure.yaml index a62fd6c5d1..f9564ce42e 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AirflowConfigurationExposure.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AirflowConfigurationExposure.yaml @@ -18,6 +18,8 @@ info: cwe: - CWE-200 - CWE-213 + cve: + - CVE-2023-35005 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AmazonDockerConfig.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AmazonDockerConfig.yaml index e97a30c606..6a130f5efd 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AmazonDockerConfig.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AmazonDockerConfig.yaml @@ -16,6 +16,8 @@ info: cwe: - CWE-200 - CWE-213 + cve: + - CVE-2020-14329 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ApacheConfig.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ApacheConfig.yaml index e8e1b29a88..db17034c57 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ApacheConfig.yaml 
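Review bot: The new `cve` entries attach product-specific CVE IDs to a generic CRLF-injection template, yet nothing in the test ties a positive result to those products, so a finding from this template is not evidence of CVE-2020-15693 or CVE-2023-0040 in the target. If the intent is "example CVEs of this weakness class", a comment above the list saying so, `# Example CVEs of this weakness class; a positive result does not confirm them`, would stop the dashboard's NVD links from reading as confirmed findings. Since `getCveLink` elsewhere in this series builds NVD URLs from these strings verbatim, a template-load check that each entry matches `CVE-\d{4}-\d{4,}` would also be worthwhile.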
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ApacheConfig.yaml @@ -16,6 +16,8 @@ info: cwe: - CWE-200 - CWE-213 + cve: + - CVE-2018-10245 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AppendXSS.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AppendXSS.yaml index 7439d816fa..1610595208 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AppendXSS.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AppendXSS.yaml @@ -21,6 +21,10 @@ info: - "https://hackerone.com/reports/840759" cwe: - CWE-79 + cve: + - CVE-2015-1159 + - CVE-2023-24737 + - CVE-2020-25495 api_selection_filters: method: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/BOLAByChangingAuthToken.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/BOLAByChangingAuthToken.yaml index 0fdddbb559..1e54705636 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/BOLAByChangingAuthToken.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/BOLAByChangingAuthToken.yaml @@ -32,6 +32,8 @@ info: - CWE-284 - CWE-285 - CWE-639 + cve: + - CVE-2023-39349 auth: authenticated: true diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/BasicXSS.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/BasicXSS.yaml index 88e676c2fb..48320b3373 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/BasicXSS.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/BasicXSS.yaml @@ -20,6 +20,9 @@ info: - "https://owasp.org/www-community/attacks/xss/" cwe: - CWE-79 + cve: + - CVE-2022-34196 + - CVE-2023-44764 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/BypassCaptchaRemovingCookie.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/BypassCaptchaRemovingCookie.yaml index fc9e74388a..f78b3ab81b 100644 
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/BypassCaptchaRemovingCookie.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/BypassCaptchaRemovingCookie.yaml @@ -19,6 +19,9 @@ info: references: cwe: - CWE-307 + cve: + - CVE-2023-0085 + - CVE-2021-37417 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/BypassCaptchaUsingHeader.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/BypassCaptchaUsingHeader.yaml index 1cd5c54eb8..b1941989a8 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/BypassCaptchaUsingHeader.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/BypassCaptchaUsingHeader.yaml @@ -20,6 +20,9 @@ info: - "https://hackerone.com/reports/210417" cwe: - CWE-287 + cve: + - CVE-2022-39955 + - CVE-2023-0085 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CORSMisconfigurationInvalidOrigin.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CORSMisconfigurationInvalidOrigin.yaml index 0523a9f4a1..2377296956 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CORSMisconfigurationInvalidOrigin.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CORSMisconfigurationInvalidOrigin.yaml @@ -24,6 +24,9 @@ info: - "https://crashtest-security.com/cors-misconfiguration/" cwe: - CWE-16 + cve: + - CVE-2021-27786 + - CVE-2021-26991 auth: authenticated: true diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CORSMisconfigurationWhitelistOrigin.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CORSMisconfigurationWhitelistOrigin.yaml index b4af904478..02cb20967e 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CORSMisconfigurationWhitelistOrigin.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CORSMisconfigurationWhitelistOrigin.yaml 
@@ -23,6 +23,8 @@ info: - "https://crashtest-security.com/cors-misconfiguration/" cwe: - CWE-16 + cve: + - CVE-2021-27786 auth: authenticated: true diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CSRFLoginAttack.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CSRFLoginAttack.yaml index 838cdba9a1..255c020849 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CSRFLoginAttack.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CSRFLoginAttack.yaml @@ -23,6 +23,9 @@ info: - "https://www.invicti.com/web-vulnerability-scanner/vulnerabilities/cross-site-request-forgery-in-login-form-invicti/" cwe: - CWE-352 + cve: + - CVE-2023-33212 + - CVE-2023-42270 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CgiPrintEnv.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CgiPrintEnv.yaml index 5841473a47..7e3121ed54 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CgiPrintEnv.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CgiPrintEnv.yaml @@ -15,6 +15,8 @@ info: - https://www.acunetix.com/vulnerabilities/web/test-cgi-script-leaking-environment-variables/ cwe: - CWE-16 + cve: + - CVE-2023-22897 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CommandInjectionByAddingQueryParams.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CommandInjectionByAddingQueryParams.yaml index 7cb93b2f8a..d3f2fcdf30 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CommandInjectionByAddingQueryParams.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CommandInjectionByAddingQueryParams.yaml @@ -21,6 +21,9 @@ info: - "https://twitter.com/trbughunters/status/1283133356922884096" cwe: - CWE-77 + cve: + - CVE-2023-25826 + - CVE-2023-41031 api_selection_filters: response_code: 
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ConfigJson.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ConfigJson.yaml index 527776a077..2894021caf 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ConfigJson.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ConfigJson.yaml @@ -16,6 +16,9 @@ info: cwe: - CWE-200 - CWE-213 + cve: + - CVE-2021-31567 + - CVE-2023-35005 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ConfigRuby.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ConfigRuby.yaml index 0bfdacac6f..aba7d85308 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ConfigRuby.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ConfigRuby.yaml @@ -16,6 +16,8 @@ info: - https://www.acunetix.com/vulnerabilities/web/ruby-on-rails-database-configuration-file/ cwe: - CWE-538 + cve: + - CVE-2019-5418 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ConfigurationListing.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ConfigurationListing.yaml index 97368833f3..09e15f96f3 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ConfigurationListing.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ConfigurationListing.yaml @@ -15,6 +15,9 @@ info: - https://www.exploit-db.com/ghdb/7014 cwe: - CWE-16 + cve: + - CVE-2021-1126 + - CVE-2021-33214 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ContentTypeHeaderMissing.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ContentTypeHeaderMissing.yaml index 8c2d1ead21..fd41930845 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ContentTypeHeaderMissing.yaml 
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ContentTypeHeaderMissing.yaml @@ -28,6 +28,9 @@ info: - "https://cwe.mitre.org/data/definitions/639.html" cwe: - CWE-16 + cve: + - CVE-2023-38199 + - CVE-2023-26130 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CookieMisconfiguration.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CookieMisconfiguration.yaml index f2ad85ba3b..0c6e5f174f 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CookieMisconfiguration.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CookieMisconfiguration.yaml @@ -19,6 +19,9 @@ info: - "https://hackerone.com/reports/58679" cwe: - CWE-16 + cve: + - CVE-2023-4654 + - CVE-2023-28708 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DefaultLoginCredentials.yml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DefaultLoginCredentials.yml index 1c540f58c9..a75a9a6f60 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DefaultLoginCredentials.yml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DefaultLoginCredentials.yml @@ -25,6 +25,9 @@ info: - "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/" cwe: - CWE-1392 + cve: + - CVE-2023-41878 + - CVE-2023-37755 wordLists: usernames: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DescriptiveErrorMessageInvalidPayloads.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DescriptiveErrorMessageInvalidPayloads.yaml index c351fcf86a..f064b69244 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DescriptiveErrorMessageInvalidPayloads.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DescriptiveErrorMessageInvalidPayloads.yaml 
@@ -20,6 +20,9 @@ info: - "https://owasp.org/www-community/Improper_Error_Handling" cwe: - CWE-209 + cve: + - CVE-2020-11883 + - CVE-2020-15652 api_selection_filters: method: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DjangoUrlExposed.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DjangoUrlExposed.yaml index a26d73a629..db5a84fd34 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DjangoUrlExposed.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DjangoUrlExposed.yaml @@ -24,6 +24,8 @@ info: - "https://hackerone.com/reports/1033423" cwe: - CWE-16 + cve: + - CVE-2017-12794 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DockerComposeConfig.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DockerComposeConfig.yaml index 65b6619475..7afe668612 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DockerComposeConfig.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DockerComposeConfig.yaml @@ -16,6 +16,8 @@ info: - https://secapps.com/vulndb/docker-compose-exposure cwe: - CWE-16 + cve: + - CVE-2023-37273 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FetchSensitiveFilesViaSSRF.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FetchSensitiveFilesViaSSRF.yaml index 5d18935634..d5499069c8 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FetchSensitiveFilesViaSSRF.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FetchSensitiveFilesViaSSRF.yaml @@ -26,6 +26,8 @@ info: - "https://www.cobalt.io/blog/from-ssrf-to-port-scanner" cwe: - CWE-918 + cve: + - CVE-2023-27163 api_selection_filters: or: 
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FirebaseConfigExposure.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FirebaseConfigExposure.yaml index 75da4d9732..bcaa80650b 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FirebaseConfigExposure.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FirebaseConfigExposure.yaml @@ -15,6 +15,9 @@ info: - https://github.com/firebase/firebaseui-web/blob/master/demo/public/sample-config.js cwe: - CWE-16 + cve: + - CVE-2020-7765 + - CVE-2021-46743 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FirebaseUnauthenticated.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FirebaseUnauthenticated.yaml index c2a540d5b6..fbf37552bb 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FirebaseUnauthenticated.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FirebaseUnauthenticated.yaml @@ -20,6 +20,9 @@ info: - "http://ghostlulz.com/google-exposed-firebase-database/" cwe: - CWE-16 + cve: + - CVE-2020-7765 + - CVE-2021-46743 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FlaskDebugModeEnabled.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FlaskDebugModeEnabled.yaml index 5fce26995e..285d58af44 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FlaskDebugModeEnabled.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FlaskDebugModeEnabled.yaml @@ -28,6 +28,8 @@ info: - "http://ghostlulz.com/flask-rce-debug-mode/" cwe: - CWE-16 + cve: + - CVE-2015-5306 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FtpCredentialsExposure.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FtpCredentialsExposure.yaml index 73064deab1..e114f36aa9 100644 
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FtpCredentialsExposure.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FtpCredentialsExposure.yaml @@ -16,6 +16,9 @@ info: cwe: - CWE-200 - CWE-213 + cve: + - CVE-2023-2061 + - CVE-2018-18371 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GitConfig.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GitConfig.yaml index 4152bf4a6a..96643281e7 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GitConfig.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GitConfig.yaml @@ -15,6 +15,8 @@ info: - https://pentester.land/blog/source-code-disclosure-via-exposed-git-folder/ cwe: - CWE-16 + cve: + - CVE-2023-29007 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GitConfigNginxoffbyslash.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GitConfigNginxoffbyslash.yaml index 009dc2e5e4..ef332fd62a 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GitConfigNginxoffbyslash.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GitConfigNginxoffbyslash.yaml @@ -17,6 +17,9 @@ info: - https://github.com/PortSwigger/nginx-alias-traversal/blob/master/off-by-slash.py cwe: - CWE-16 + cve: + - CVE-2021-23017 + api_selection_filters: response_code: gte: 200 diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GitCredentialsDisclosure.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GitCredentialsDisclosure.yaml index b187ec1acd..6fd0257c98 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GitCredentialsDisclosure.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GitCredentialsDisclosure.yaml @@ -16,6 +16,8 @@ info: cwe: - CWE-200 - CWE-213 + cve: + - CVE-2020-5260 api_selection_filters: response_code: 
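Review bot: CVE-2021-23017 does not appear to match the GitConfigNginxoffbyslash template: as far as I recall it is the nginx resolver off-by-one memory-corruption bug, whereas this test checks the `alias` off-by-slash traversal misconfiguration documented by the PortSwigger link already in its `references`, which is a deployment error with no CVE of its own. Please re-verify the ID against NVD before shipping, and if nothing fits, omit `cve:` rather than list a near-name match. The hunk also adds a trailing blank `+` line after the `cve` list that the other templates in this commit do not carry.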
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GithubWorkflowsDisclosure.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GithubWorkflowsDisclosure.yaml index 02448faaf4..5b631299d6 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GithubWorkflowsDisclosure.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GithubWorkflowsDisclosure.yaml @@ -15,6 +15,9 @@ info: - https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/github-workflows-disclosure.json cwe: - CWE-16 + cve: + - CVE-2023-34111 + - CVE-2022-46258 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlDevelopmentConsoleExposed.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlDevelopmentConsoleExposed.yaml index 26b8b49476..984608c6f9 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlDevelopmentConsoleExposed.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlDevelopmentConsoleExposed.yaml @@ -27,6 +27,8 @@ info: - "https://0xn3va.gitbook.io/cheat-sheets/web-application/graphql-vulnerabilities" cwe: - CWE-16 + cve: + - CVE-2021-41248 api_selection_filters: url: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlFieldSuggestionEnabled.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlFieldSuggestionEnabled.yaml index 6ffd3c989e..133d47d974 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlFieldSuggestionEnabled.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlFieldSuggestionEnabled.yaml @@ -24,6 +24,8 @@ info: - "https://0xn3va.gitbook.io/cheat-sheets/web-application/graphql-vulnerabilities" cwe: - CWE-16 + cve: + - CVE-2023-5192 api_selection_filters: url: 
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlIntrospectionEnabled.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlIntrospectionEnabled.yaml index 1c898e5949..b7a980263e 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlIntrospectionEnabled.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlIntrospectionEnabled.yaml @@ -26,6 +26,8 @@ info: - "https://www.apollographql.com/blog/graphql/security/why-you-should-disable-graphql-introspection-in-production/" cwe: - CWE-16 + cve: + - CVE-2023-5192 api_selection_filters: url: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlTypeIntrospectionAllowed.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlTypeIntrospectionAllowed.yaml index 2d2b25cd11..f16f568795 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlTypeIntrospectionAllowed.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlTypeIntrospectionAllowed.yaml @@ -25,6 +25,8 @@ info: - "https://www.apollographql.com/blog/graphql/security/why-you-should-disable-graphql-introspection-in-production/" cwe: - CWE-16 + cve: + - CVE-2021-41248 api_selection_filters: url: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HeadMethodTest.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HeadMethodTest.yaml index 624f37b9f5..edbec8cbcd 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HeadMethodTest.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HeadMethodTest.yaml @@ -35,6 +35,8 @@ info: - "https://cwe.mitre.org/data/definitions/639.html" cwe: - CWE-16 + cve: + - CVE-2022-45956 auth: authenticated: true 
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HeaderReflectedInInvalidUrl.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HeaderReflectedInInvalidUrl.yaml
index b47a79b64f..7b9d5d51e0 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HeaderReflectedInInvalidUrl.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HeaderReflectedInInvalidUrl.yaml
@@ -19,7 +19,9 @@ info: references: - "https://hackerone.com/reports/792998" cwe: - - "CWE-16" + - CWE-16 + cve: + - CVE-2022-37724 api_selection_filters: response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HttpResponseSplitting.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HttpResponseSplitting.yaml
index 7179d16c99..1f452600ae 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HttpResponseSplitting.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HttpResponseSplitting.yaml
@@ -21,6 +21,8 @@ info: - "https://www.invicti.com/blog/web-security/crlf-http-header/" cwe: - CWE-93 + cve: + - CVE-2023-41834 api_selection_filters: query_param:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/InvalidFileInput.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/InvalidFileInput.yaml
index 1809512235..479c8a77ef 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/InvalidFileInput.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/InvalidFileInput.yaml
@@ -27,6 +27,8 @@ info: cwe: - CWE-728 - CWE-388 + cve: + - CVE-2020-10097 api_selection_filters: response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtAddJku.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtAddJku.yaml
index d09a252e30..ab37b27a90 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtAddJku.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtAddJku.yaml
@@ -29,6 +29,8 @@ info: - "https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-jku-header-injection" cwe: - CWE-287 + cve: + - CVE-2018-0114 auth: authenticated: true
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtInvalidSignature.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtInvalidSignature.yaml
index 97923cb9aa..dfdccf89c0 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtInvalidSignature.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtInvalidSignature.yaml
@@ -27,6 +27,9 @@ info: - "https://portswigger.net/kb/issues/00200900_jwt-signature-not-verified#:~:text=Description%3A%20JWT%20signature%20not%20verified&text=However%2C%20some%20servers%20fail%20to,privileges%20or%20impersonate%20other%20users." cwe: - CWE-287 + cve: + - CVE-2022-25898 + - CVE-2021-29455 auth: authenticated: true
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtNoneAlgo.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtNoneAlgo.yaml
index 43825f03df..ac10724845 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtNoneAlgo.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtNoneAlgo.yaml
@@ -25,7 +25,10 @@ info: - "https://redhuntlabs.com/a-practical-guide-to-attack-jwt-json-web-token" - "https://portswigger.net/kb/issues/00200901_jwt-none-algorithm-supported" cwe: - - CWE-287 + - CWE-287 + cve: + - CVE-2022-23540 + - CVE-2015-9235 auth: authenticated: true
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/KernelOpenCommandInjection.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/KernelOpenCommandInjection.yaml
index a33484aedb..9c749b3512 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/KernelOpenCommandInjection.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/KernelOpenCommandInjection.yaml
@@ -19,6 +19,9 @@ info: - HackerOne top 10 cwe: - CWE-77 + cve: + - CVE-2021-31799 + api_selection_filters: or: - request_payload:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/KubernetesKustomizationDisclosure.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/KubernetesKustomizationDisclosure.yaml
index bb2d366cb6..7be9ec26b0 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/KubernetesKustomizationDisclosure.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/KubernetesKustomizationDisclosure.yaml
@@ -15,6 +15,8 @@ info: - https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/kubernetes-kustomization-disclosure.json cwe: - CWE-16 + cve: + - CVE-2021-41254 api_selection_filters: response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIAddingNewParam.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIAddingNewParam.yaml
index 2e238bce01..507ec4b97c 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIAddingNewParam.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIAddingNewParam.yaml
@@ -21,6 +21,9 @@ info: - "https://raw.githubusercontent.com/emadshanab/LFI-Payload-List/master/LFI%20payloads.txt" cwe: - CWE-98 + cve: + - CVE-2021-39433 + - CVE-2023-22973 api_selection_filters: response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIInParameter.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIInParameter.yaml
index 7c932fbd02..22e10a4bcf 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIInParameter.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIInParameter.yaml
@@ -21,6 +21,8 @@ info: - "https://raw.githubusercontent.com/emadshanab/LFI-Payload-List/master/LFI%20payloads.txt" cwe: - CWE-98 + cve: + - CVE-2022-29597 api_selection_filters: or:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIInPath.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIInPath.yaml
index 1661bd0039..30d54cc9d0 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIInPath.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIInPath.yaml
@@ -21,6 +21,8 @@ info: - "https://raw.githubusercontent.com/emadshanab/LFI-Payload-List/master/LFI%20payloads.txt" cwe: - CWE-98 + cve: + - CVE-2023-2453 api_selection_filters: url:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LaravelDebugModeEnabled.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LaravelDebugModeEnabled.yaml
index 221b353a7b..f20c4bbdf0 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LaravelDebugModeEnabled.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LaravelDebugModeEnabled.yaml
@@ -28,6 +28,8 @@ info: - "https://laravel.com/docs/10.x/deployment#debug-mode" cwe: - CWE-16 + cve: + - CVE-2021-3129 api_selection_filters: response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LaravelEnv.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LaravelEnv.yaml
index 665fe3a58f..d855a79880 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LaravelEnv.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LaravelEnv.yaml
@@ -16,6 +16,8 @@ info: - https://stackoverflow.com/questions/38331397/how-to-protect-env-file-in-laravel cwe: - CWE-16 + cve: + - CVE-2017-16894 api_selection_filters: response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MassAssignmentChangeAccount.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MassAssignmentChangeAccount.yaml
index 7541168d48..b541f076e7 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MassAssignmentChangeAccount.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MassAssignmentChangeAccount.yaml
@@ -26,6 +26,9 @@ info: - "https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md" cwe: - CWE-915 + cve: + - CVE-2023-32079 + - CVE-2023-42768 api_selection_filters: response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MassAssignmentChangeAdmin.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MassAssignmentChangeAdmin.yaml
index 9045ed126c..9e5dc000b8 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MassAssignmentChangeAdmin.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MassAssignmentChangeAdmin.yaml
@@ -26,6 +26,9 @@ info: - "https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md" cwe: - CWE-915 + cve: + - CVE-2023-32079 + - CVE-2023-42768 api_selection_filters: response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MassAssignmentChangeRole.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MassAssignmentChangeRole.yaml
index 6f472c8de5..f1e89a23e6 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MassAssignmentChangeRole.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MassAssignmentChangeRole.yaml
@@ -26,6 +26,9 @@ info: - "https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md" cwe: - CWE-915 + cve: + - CVE-2023-32079 + - CVE-2023-42768 api_selection_filters: response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MassAssignmentCreateAdminUser.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MassAssignmentCreateAdminUser.yaml
index 4fd3cd087a..7e4a7aa39e 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MassAssignmentCreateAdminUser.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MassAssignmentCreateAdminUser.yaml
@@ -26,6 +26,9 @@ info: - "https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md" cwe: - CWE-915 + cve: + - CVE-2023-32079 + - CVE-2023-42768 api_selection_filters: response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MisconfiguredDocker.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MisconfiguredDocker.yaml
index 3ae8094931..a2923bb09a 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MisconfiguredDocker.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MisconfiguredDocker.yaml
@@ -15,6 +15,9 @@ info: - https://madhuakula.com/content/attacking-and-auditing-docker-containers-using-opensource/attacking-docker-containers/misconfiguration.html cwe: - CWE-16 + cve: + - CVE-2021-41092 + - CVE-2023-5165 api_selection_filters: response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MsmtpConfig.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MsmtpConfig.yaml
index 257630d297..c429f5a5b9 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MsmtpConfig.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MsmtpConfig.yaml
@@ -15,6 +15,8 @@ info: - https://wiki.archlinux.org/title/Msmtp cwe: - CWE-16 + cve: + - CVE-2019-8337 api_selection_filters: response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MustContainResponseHeaders.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MustContainResponseHeaders.yaml
index 381a852ce5..18ed0054fa 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MustContainResponseHeaders.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MustContainResponseHeaders.yaml
@@ -27,6 +27,9 @@ info: - "https://www.invicti.com/white-papers/whitepaper-http-security-headers" cwe: - CWE-16 + cve: + - CVE-2022-41915 + - CVE-2022-37436 api_selection_filters: response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxConfig.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxConfig.yaml
index da91b0e985..e21dcd1a12 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxConfig.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxConfig.yaml
@@ -15,6 +15,9 @@ info: - https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/nginx cwe: - CWE-16 + cve: + - CVE-2020-11959 + api_selection_filters: response_code: gte: 200
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxDefaultPageEnabled.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxDefaultPageEnabled.yaml
index 2b8fa9dda7..eb77c5d518 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxDefaultPageEnabled.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxDefaultPageEnabled.yaml
@@ -25,6 +25,8 @@ info: - "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/" cwe: - CWE-16 + cve: + - CVE-2013-0337 api_selection_filters: response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxServerVersionDisclosed.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxServerVersionDisclosed.yaml
index 091587cc83..5b74383440 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxServerVersionDisclosed.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxServerVersionDisclosed.yaml
@@ -25,6 +25,8 @@ info: - "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/" cwe: - CWE-16 + cve: + - CVE-2017-7529 api_selection_filters: response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxStatusVisible.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxStatusVisible.yaml
index d677bb3ef2..dd0fed34dd 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxStatusVisible.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxStatusVisible.yaml
@@ -21,6 +21,9 @@ info: - "https://www.acunetix.com/vulnerabilities/web/unrestricted-access-to-nginx-status-module/" cwe: - CWE-16 + cve: + - CVE-2022-41741 + - CVE-2019-20372 api_selection_filters: response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NoAuth.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NoAuth.yaml
index 75b42bb581..6113f17848 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NoAuth.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NoAuth.yaml
@@ -25,6 +25,8 @@ info: - "https://cwe.mitre.org/data/definitions/798.html" cwe: - CWE-287 + cve: + - CVE-2023-22501 api_selection_filters: response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OldApiVersion.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OldApiVersion.yaml
index 80e32349ae..9ba59b1f5e 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OldApiVersion.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OldApiVersion.yaml
@@ -31,6 +31,8 @@ info: - "https://cwe.mitre.org/data/definitions/639.html" cwe: - CWE-937 + cve: + - CVE-2022-31690 api_selection_filters: response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OpenRedirect.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OpenRedirect.yaml
index 092a8e82a7..e1d4efb795 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OpenRedirect.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OpenRedirect.yaml
@@ -22,6 +22,9 @@ info: cwe: - CWE-601 - CWE-610 + cve: + - CVE-2023-45909 + - CVE-2022-46683 api_selection_filters: response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OpenRedirectHostHeaderInjection.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OpenRedirectHostHeaderInjection.yaml
index f12ffacdce..d4b8845069 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OpenRedirectHostHeaderInjection.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OpenRedirectHostHeaderInjection.yaml
@@ -23,6 +23,9 @@ info: cwe: - CWE-601 - CWE-610 + cve: + - CVE-2023-24044 + - CVE-2022-23237 api_selection_filters: response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OpenRedirectInPath.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OpenRedirectInPath.yaml
index a8ce69e654..8462021cc3 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OpenRedirectInPath.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OpenRedirectInPath.yaml
@@ -23,6 +23,8 @@ info: cwe: - CWE-601 - CWE-610 + cve: + - CVE-2021-28861 api_selection_filters: response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OpenRedirectSubdomainWhitelist.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OpenRedirectSubdomainWhitelist.yaml
index 6d78794976..1b45b317e1 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OpenRedirectSubdomainWhitelist.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OpenRedirectSubdomainWhitelist.yaml
@@ -22,6 +22,8 @@ info: cwe: - CWE-601 - CWE-610 + cve: + - CVE-2021-21291 api_selection_filters: response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OracleEbsCredentials.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OracleEbsCredentials.yaml
index 5e745731b6..2069d4b060 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OracleEbsCredentials.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OracleEbsCredentials.yaml
@@ -17,6 +17,9 @@ info: - http://www.davidlitchfield.com/AssessingOraclee-BusinessSuite11i.pdf cwe: - CWE-16 + cve: + - CVE-2023-21849 + - CVE-2023-21847 api_selection_filters: response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/PageDos.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/PageDos.yaml
index b8d2056f42..86bff2a6f8 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/PageDos.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/PageDos.yaml
@@ -18,6 +18,9 @@ info: - "https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa4-lack-of-resources-and-rate-limiting.md#scenario-2" cwe: - CWE-400 + cve: + - CVE-2023-4647 + - CVE-2023-38254 api_selection_filters: query_param:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ParameterPollution.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ParameterPollution.yaml
index 3161cae808..cf54b230ad 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ParameterPollution.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ParameterPollution.yaml
@@ -26,6 +26,8 @@ info: cwe: - CWE-88 - CWE-235 + cve: + - CVE-2019-13143 auth: authenticated: true
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ParametersConfig.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ParametersConfig.yaml
index c4566038bd..e3ebe87fa6 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ParametersConfig.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ParametersConfig.yaml
@@ -14,7 +14,9 @@ info: references: - https://www.exploit-db.com/ghdb/5986 cwe: - - CWE-16 + - CWE-16 + cve: + - CVE-2015-4050 api_selection_filters: response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/PortScanningViaSSRF.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/PortScanningViaSSRF.yaml
index 4ddb1c5089..306af484a2 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/PortScanningViaSSRF.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/PortScanningViaSSRF.yaml
@@ -26,6 +26,9 @@ info: - "https://www.cobalt.io/blog/from-ssrf-to-port-scanner" cwe: - CWE-918 + cve: + - CVE-2023-26492 + - CVE-2023-45152 api_selection_filters: or:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RailsDebugModeEnabled.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RailsDebugModeEnabled.yaml
index 02fd7cc3a4..75f5c58659 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RailsDebugModeEnabled.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RailsDebugModeEnabled.yaml
@@ -28,6 +28,8 @@ info: - "https://beaglesecurity.com/blog/vulnerability/rails-debug-mode-enabled.html" cwe: - CWE-16 + cve: + - CVE-2019-5420 api_selection_filters: response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RailsDefaultHomepageEnabled.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RailsDefaultHomepageEnabled.yaml
index 4ec1071c36..a41904b6ec 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RailsDefaultHomepageEnabled.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RailsDefaultHomepageEnabled.yaml
@@ -26,6 +26,8 @@ info: - "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/" cwe: - CWE-16 + cve: + - CVE-2019-5418 api_selection_filters: response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RandomMethodTest.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RandomMethodTest.yaml
index 2a8afab483..dac0785014 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RandomMethodTest.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RandomMethodTest.yaml
@@ -32,6 +32,9 @@ info: - "https://capec.mitre.org/data/definitions/274.html" cwe: - CWE-274 + cve: + - CVE-2020-35239 + - CVE-2018-19908 auth: authenticated: true
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RedisConfig.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RedisConfig.yaml
index 5868ac47a5..6a1f1f4622 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RedisConfig.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RedisConfig.yaml
@@ -15,6 +15,9 @@ info: - https://redis.io/docs/manual/config/ cwe: - CWE-16 + cve: + - CVE-2023-36824 + - CVE-2022-0543 api_selection_filters: response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RemoveCSRF.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RemoveCSRF.yaml
index 97f9b57df2..a0ffdf40f6 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RemoveCSRF.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RemoveCSRF.yaml
@@ -24,6 +24,9 @@ info: - "https://owasp.org/www-community/attacks/csrf" cwe: - CWE-352 + cve: + - CVE-2023-41942 + - CVE-2022-26180 api_selection_filters: response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RemoveCaptcha.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RemoveCaptcha.yaml
index 450327e5e5..183b24f433 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RemoveCaptcha.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RemoveCaptcha.yaml
@@ -20,6 +20,8 @@ info: - "https://hackerone.com/reports/124173" cwe: - CWE-287 + cve: + - CVE-2021-37417 api_selection_filters: response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ReplaceCSRF.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ReplaceCSRF.yaml
index 2cd8ea832d..9c8319f5b6 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ReplaceCSRF.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ReplaceCSRF.yaml
@@ -24,6 +24,9 @@ info: - "https://owasp.org/www-community/attacks/csrf" cwe: - CWE-352 + cve: + - CVE-2023-27495 + - CVE-2020-27379 api_selection_filters: response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ReplayCaptcha.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ReplayCaptcha.yaml
index f4afe86fe9..acdf9e7d5d 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ReplayCaptcha.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ReplayCaptcha.yaml
@@ -19,6 +19,9 @@ info: - "https://hackerone.com/reports/223324" cwe: - CWE-287 + cve: + - CVE-2021-29047 + - CVE-2022-34983 api_selection_filters: response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RobomongoCredential.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RobomongoCredential.yaml
index 3d955a989b..64167c378d 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RobomongoCredential.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RobomongoCredential.yaml
@@ -15,6 +15,9 @@ info: - https://web.cystack.net/vulnerability/cystack.remote.robomongo_cred_disclosure cwe: - CWE-16 + cve: + - CVE-2023-4009 + - CVE-2021-32039 api_selection_filters: response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnAWSMetaEndpointAbusingEnclosedAlphanumerics.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnAWSMetaEndpointAbusingEnclosedAlphanumerics.yaml
index 89fd3b91ec..49bdc2df25 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnAWSMetaEndpointAbusingEnclosedAlphanumerics.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnAWSMetaEndpointAbusingEnclosedAlphanumerics.yaml
@@ -26,6 +26,9 @@ info: - "https://github.com/cujanovic/SSRF-Testing/tree/master#abusing-enclosed-alphanumerics" cwe: - CWE-918 + cve: + - CVE-2022-4725 + api_selection_filters: response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnAwsMetaEndpoint.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnAwsMetaEndpoint.yaml
index 6b655bc3f3..b4038debbc 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnAwsMetaEndpoint.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnAwsMetaEndpoint.yaml
@@ -25,6 +25,8 @@ info: - "https://www.akto.io/blog/how-to-prevent-server-side-request-forgery-ssrf-as-a-developer" cwe: - CWE-918 + cve: + - CVE-2022-4725 api_selection_filters: response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnCSVUpload.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnCSVUpload.yaml
index 27226df45b..63de15e456 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnCSVUpload.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnCSVUpload.yaml
@@ -25,6 +25,8 @@ info: - "https://www.akto.io/blog/how-to-prevent-server-side-request-forgery-ssrf-as-a-developer" cwe: - CWE-918 + cve: + - CVE-2022-4725 api_selection_filters: response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnFiles.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnFiles.yaml
index 709bc47073..10e0de40bc 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnFiles.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnFiles.yaml
@@ -25,6 +25,9 @@ info: - "https://www.akto.io/blog/how-to-prevent-server-side-request-forgery-ssrf-as-a-developer" cwe: - CWE-918 + cve: + - CVE-2022-4725 + api_selection_filters: response_code: and:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnImageUpload.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnImageUpload.yaml
index 7943232a78..4322b045e1 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnImageUpload.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnImageUpload.yaml
@@ -25,6 +25,8 @@ info: - "https://www.akto.io/blog/how-to-prevent-server-side-request-forgery-ssrf-as-a-developer" cwe: - CWE-918 + cve: + - CVE-2022-4725 api_selection_filters: response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnLocalhost.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnLocalhost.yaml
index 1d3c737d98..812ab62eea 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnLocalhost.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnLocalhost.yaml
@@ -22,6 +22,8 @@ info: - HackerOne top 10 cwe: - CWE-918 + cve: + - CVE-2022-4725 api_selection_filters: response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnLocalhostDNSPinning.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnLocalhostDNSPinning.yaml
index 934437cd91..0837444872 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnLocalhostDNSPinning.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnLocalhostDNSPinning.yaml
@@ -22,6 +22,8 @@ info: - HackerOne top 10 cwe: - CWE-918 + cve: + - CVE-2022-4725 api_selection_filters: response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnLocalhostEncoded.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnLocalhostEncoded.yaml
index e3c94d0364..19d5d1cff1 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnLocalhostEncoded.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnLocalhostEncoded.yaml
@@ -22,6 +22,8 @@ info: - HackerOne top 10 cwe: - CWE-918 + cve: + - CVE-2022-4725 api_selection_filters: response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnPDFUpload.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnPDFUpload.yaml
index 84d17a024a..3063953dd3 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnPDFUpload.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnPDFUpload.yaml
@@ -24,6 +24,8 @@ info: - "https://github.com/cujanovic/SSRF-Testing#htaccess---redirect-test-for-various-cases" cwe: - CWE-918 + cve: + - CVE-2022-4725 api_selection_filters: response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnXMLUpload.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnXMLUpload.yaml
index c7e26f5203..bbe1af070c 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnXMLUpload.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnXMLUpload.yaml
@@ -24,6 +24,8 @@ info: - "https://github.com/cujanovic/SSRF-Testing#htaccess---redirect-test-for-various-cases" cwe: - CWE-918 + cve: + - CVE-2022-4725 api_selection_filters: response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInFlaskAndJinja.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInFlaskAndJinja.yaml
index 69bc89ace8..fbc58cf132 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInFlaskAndJinja.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInFlaskAndJinja.yaml
@@ -20,6 +20,9 @@ info: - "https://www.cobalt.io/blog/a-pentesters-guide-to-server-side-template-injection-ssti" cwe: - CWE-1336 + cve: + - CVE-2019-8341 + - CVE-2022-34625 api_selection_filters: or:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInFreemarker.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInFreemarker.yaml
index 7d8ccc4d57..c8f41b8172 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInFreemarker.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInFreemarker.yaml
@@ -20,6 +20,9 @@ info: - "https://www.cobalt.io/blog/a-pentesters-guide-to-server-side-template-injection-ssti" cwe: - CWE-1336 + cve: + - CVE-2022-24442 + - CVE-2021-25770 api_selection_filters: or:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInTwig.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInTwig.yaml
index 4573505a1b..dfcb50119b 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInTwig.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInTwig.yaml
@@ -20,6 +20,9 @@ info: - "https://www.cobalt.io/blog/a-pentesters-guide-to-server-side-template-injection-ssti" cwe: - CWE-1336 + cve: + - CVE-2018-13818 + - CVE-2023-34448 api_selection_filters: or: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ServerPrivateKeys.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ServerPrivateKeys.yaml index 2be014f277..b1c8b6827d 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ServerPrivateKeys.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ServerPrivateKeys.yaml @@ -17,6 +17,9 @@ info: cwe: - CWE-200 - CWE-213 + cve: + - CVE-2022-22424 + - CVE-2022-23529 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ServerVersionExposedInvalid.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ServerVersionExposedInvalid.yaml index 6adbdcd8ca..471d8d0301 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ServerVersionExposedInvalid.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ServerVersionExposedInvalid.yaml @@ -29,6 +29,8 @@ info: - "https://github.com/ASRG/asrg.io/issues/200" cwe: - CWE-209 + cve: + - CVE-2017-4013 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ServerVersionExposedValid.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ServerVersionExposedValid.yaml index 737ec96be8..4bbe28838c 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ServerVersionExposedValid.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ServerVersionExposedValid.yaml @@ -29,6 +29,8 @@ info: - "https://github.com/ASRG/asrg.io/issues/200" cwe: - CWE-209 + cve: + - CVE-2020-14183 api_selection_filters: response_code: 
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SessionFixation.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SessionFixation.yaml index 1c83c15049..9b9d3f7fd6 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SessionFixation.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SessionFixation.yaml @@ -20,6 +20,9 @@ info: - "https://hackerone.com/reports/2421" cwe: - CWE-384 + cve: + - CVE-2021-35046 + - CVE-2021-46279 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SftpConfigExposure.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SftpConfigExposure.yaml index d0c5a85bdb..cb642d621b 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SftpConfigExposure.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SftpConfigExposure.yaml @@ -17,6 +17,8 @@ info: - https://codexns.io/products/sftp_for_sublime/settings cwe: - CWE-16 + cve: + - CVE-2023-38951 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SonarqubePublicProjects.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SonarqubePublicProjects.yaml index 38f9d8ddeb..2eb0325c6f 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SonarqubePublicProjects.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SonarqubePublicProjects.yaml @@ -15,6 +15,8 @@ info: - https://next.sonarqube.com/sonarqube/web_api/api/components/suggestions?internal=true cwe: - CWE-16 + cve: + - CVE-2020-28002 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootBeansActuatorExposed.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootBeansActuatorExposed.yaml index af35ea43fc..7b8806bab7 100644 
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootBeansActuatorExposed.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootBeansActuatorExposed.yaml @@ -26,6 +26,9 @@ info: - "https://docs.spring.io/spring-boot/docs/current/reference/html/actuator.html" cwe: - CWE-16 + cve: + - CVE-2021-21234 + - CVE-2023-29986 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootConfigPropsActuatorExposed.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootConfigPropsActuatorExposed.yaml index 678f7dbba6..75c2738e4f 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootConfigPropsActuatorExposed.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootConfigPropsActuatorExposed.yaml @@ -27,6 +27,9 @@ info: - "https://docs.spring.io/spring-boot/docs/current/reference/html/actuator.html" cwe: - CWE-16 + cve: + - CVE-2021-21234 + - CVE-2023-29986 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootEnvActuatorExposed.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootEnvActuatorExposed.yaml index 2643e78618..e4f1a294b3 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootEnvActuatorExposed.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootEnvActuatorExposed.yaml @@ -27,6 +27,9 @@ info: - "https://docs.spring.io/spring-boot/docs/current/reference/html/actuator.html" cwe: - CWE-16 + cve: + - CVE-2021-21234 + - CVE-2023-29986 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootHttpTraceActuatorExposed.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootHttpTraceActuatorExposed.yaml index 82338fef0d..ed52f8f0c5 100644 
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootHttpTraceActuatorExposed.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootHttpTraceActuatorExposed.yaml @@ -28,6 +28,9 @@ info: - "https://docs.spring.io/spring-boot/docs/current/reference/html/actuator.html" cwe: - CWE-16 + cve: + - CVE-2021-21234 + - CVE-2023-29986 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootThreadDumpActuatorExposed.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootThreadDumpActuatorExposed.yaml index 50637c1e45..818d678830 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootThreadDumpActuatorExposed.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootThreadDumpActuatorExposed.yaml @@ -28,6 +28,9 @@ info: - "https://docs.spring.io/spring-boot/docs/current/reference/html/actuator.html" cwe: - CWE-16 + cve: + - CVE-2021-21234 + - CVE-2023-29986 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SshAuthorizedKeys.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SshAuthorizedKeys.yaml index c0d924b75e..eadd66d43d 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SshAuthorizedKeys.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SshAuthorizedKeys.yaml @@ -15,6 +15,9 @@ info: - https://www.ssh.com/academy/ssh/authorized-key cwe: - CWE-16 + cve: + - CVE-2023-43619 + - CVE-2022-29154 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SshKnownHosts.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SshKnownHosts.yaml index 5aaf20232d..d06786477e 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SshKnownHosts.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SshKnownHosts.yaml 
@@ -15,6 +15,8 @@ info: - https://datacadamia.com/ssh/known_hosts cwe: - CWE-16 + cve: + - CVE-2005-2666 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TextInjectionViaInvalidUrls.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TextInjectionViaInvalidUrls.yaml index 57c6af53d6..6f74771242 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TextInjectionViaInvalidUrls.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TextInjectionViaInvalidUrls.yaml @@ -21,6 +21,9 @@ info: - "https://infosecwriteups.com/text-based-injection-content-spoofing-96e9eb1615d8" cwe: - CWE-345 + cve: + - CVE-2019-1680 + - CVE-2022-42889 api_selection_filters: url: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TraceMethodTest.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TraceMethodTest.yaml index c7c4232331..adb974a3d9 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TraceMethodTest.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TraceMethodTest.yaml @@ -24,6 +24,9 @@ info: - "https://hackerone.com/reports/109054" cwe: - CWE-274 + cve: + - CVE-2022-38115 + - CVE-2018-11039 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TrackMethodTest.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TrackMethodTest.yaml index f9cd534767..dca25972d9 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TrackMethodTest.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TrackMethodTest.yaml @@ -24,6 +24,8 @@ info: - "https://hackerone.com/reports/83837" cwe: - CWE-274 + cve: + - CVE-2021-35233 api_selection_filters: response_code: 
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/UnauthenticatedMongoExpress.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/UnauthenticatedMongoExpress.yaml index 01fc128cd6..0edfc7fa38 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/UnauthenticatedMongoExpress.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/UnauthenticatedMongoExpress.yaml @@ -15,6 +15,9 @@ info: - https://www.exploit-db.com/ghdb/5684 cwe: - CWE-16 + cve: + - CVE-2020-7925 + - CVE-2021-21422 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/UnwantedResponseHeaders.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/UnwantedResponseHeaders.yaml index 32e8b52221..ea2d32027e 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/UnwantedResponseHeaders.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/UnwantedResponseHeaders.yaml @@ -24,6 +24,10 @@ info: - "https://blog.yeswehack.com/yeswerhackers/http-header-exploitation/" cwe: - CWE-16 + cve: + - CVE-2022-3215 + - CVE-2020-5247 + - CVE-2023-38039 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/WpconfigAwsKeys.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/WpconfigAwsKeys.yaml index fcbdf82ce5..1f14cc36bb 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/WpconfigAwsKeys.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/WpconfigAwsKeys.yaml @@ -16,6 +16,9 @@ info: cwe: - CWE-200 - CWE-213 + cve: + - CVE-2022-31159 + - CVE-2022-2582 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/XSSInPath.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/XSSInPath.yaml index d32f81632a..e372adbb87 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/XSSInPath.yaml 
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/XSSInPath.yaml @@ -21,6 +21,8 @@ info: - "https://www.codegrazer.com/blog/7-reflected-xss.html" cwe: - CWE-79 + cve: + - CVE-2021-35976 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/XSSViaFilename.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/XSSViaFilename.yaml index 810472147c..d93b8c5128 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/XSSViaFilename.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/XSSViaFilename.yaml @@ -21,6 +21,9 @@ info: - "https://infosecwriteups.com/all-about-file-upload-xss-c72c797aaba3" cwe: - CWE-79 + cve: + - CVE-2023-43309 + - CVE-2021-38143 api_selection_filters: and: From 81685ba546e48a73da1aeeca386c5d5fcdf9822a Mon Sep 17 00:00:00 2001 From: Adarsh Jha <132337675+adarsh-jha-dev@users.noreply.github.com> Date: Fri, 20 Oct 2023 10:21:46 +0530 Subject: [PATCH 18/27] Update CONTRIBUTING.md --- CONTRIBUTING.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index e4f7434c5f..6bfd068f08 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -36,7 +36,7 @@ If you find a bug or have an idea for a new feature, please open an issue on Git ## License -By contributing to this project, you agree that your contributions will be licensed under the [LICENSE](LICENSE) file. +By contributing to this project, you agree that your contributions will be licensed under the [LICENSE](https://github.com/akto-api-security/akto/blob/master/LICENSE.md) file. ## Contact From c804e48ff6dd0d87d023a7874b7fea109c687e87 Mon Sep 17 00:00:00 2001 From: ayushaga14 Date: Thu, 26 Oct 2023 12:44:19 +0530 Subject: [PATCH 19/27] modify day_of_month to month --- apps/dashboard/src/main/java/com/akto/action/LoginAction.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/apps/dashboard/src/main/java/com/akto/action/LoginAction.java b/apps/dashboard/src/main/java/com/akto/action/LoginAction.java index d62165e8d4..a2d42ee8f0 100644 --- a/apps/dashboard/src/main/java/com/akto/action/LoginAction.java +++ b/apps/dashboard/src/main/java/com/akto/action/LoginAction.java @@ -120,7 +120,7 @@ public static String loginUser(User user, HttpServletResponse servletResponse, b claims, "Akto", "refreshToken", - Calendar.DAY_OF_MONTH, + Calendar.MONTH, 6 ); From 84ee899fcb53e041ae38ade7a30c24b0f43e5a8a Mon Sep 17 00:00:00 2001 From: notshivansh Date: Thu, 26 Oct 2023 12:57:20 +0530 Subject: [PATCH 20/27] add test errors card --- .../testing/TestRunResultPage/TestRunResultPage.jsx | 13 +++++++++++++ .../src/apps/dashboard/pages/testing/transform.js | 1 + 2 files changed, 14 insertions(+) diff --git a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/testing/TestRunResultPage/TestRunResultPage.jsx b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/testing/TestRunResultPage/TestRunResultPage.jsx index 6bca26bcbc..959729e17c 100644 --- a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/testing/TestRunResultPage/TestRunResultPage.jsx +++ b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/testing/TestRunResultPage/TestRunResultPage.jsx @@ -211,6 +211,18 @@ function TestRunResultPage(props) { fetchData(); }, [subCategoryMap, subCategoryFromSourceConfigMap, props]) + const testErrorComponent = ( + + { + selectedTestRunResult?.errors?.map((error, i) => { + return ( + {error} + ) + }) + } + + ) + const components = loading ? [] : [ issueDetails.id && 
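Review bot: Changing the `Calendar.DAY_OF_MONTH` argument to `Calendar.MONTH` while keeping the amount at `6` appears to extend the refresh token's validity from six days to six months, assuming the helper being called adds that field and amount to the issue time (its signature is not in the hunk). That is a large widening of the window in which a stolen refresh token remains usable, and neither the commit message nor the code records why; a named constant such as `private static final int REFRESH_TOKEN_VALIDITY_MONTHS = 6;` with a one-line comment on the chosen lifetime would make the decision reviewable. It is also worth confirming that server-side invalidation (logout, password change) covers refresh tokens, since the token lifetime now dominates over any session timeout. `loginUser` starts and ends outside the hunk.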
@@ -220,6 +232,7 @@ function TestRunResultPage(props) { , + ( selectedTestRunResult.errors && selectedTestRunResult.errors.length > 0 ) ? testErrorComponent : <>, selectedTestRunResult.testResults && (res.errors && res.errors.length > 0)).map((res) => res.errors.join(", ")) obj['singleTypeInfos'] = data['singleTypeInfos'] || [] obj['vulnerable'] = data['vulnerable'] || false obj['nextUrl'] = "/dashboard/testing/"+ hexId + "/result/" + data.hexId; From c5848b9f9c5b3e85a49da6888decf000f46dbbee Mon Sep 17 00:00:00 2001 
From: arjun Date: Thu, 26 Oct 2023 13:43:39 +0530 Subject: [PATCH 21/27] CWEs updated --- .../inbuilt_test_yaml_files/AbusingCRLFInHeaders.yaml | 1 + .../CORSMisconfigurationInvalidOrigin.yaml | 2 +- .../CORSMisconfigurationWhitelistOrigin.yaml | 2 +- .../inbuilt_test_yaml_files/ConfigurationListing.yaml | 2 +- .../inbuilt_test_yaml_files/ContentTypeHeaderMissing.yaml | 3 ++- .../inbuilt_test_yaml_files/CookieMisconfiguration.yaml | 4 +++- .../main/resources/inbuilt_test_yaml_files/DebugVars.yaml | 3 ++- .../inbuilt_test_yaml_files/DefaultLoginCredentials.yml | 1 + .../DescriptiveErrorMessageInvalidPayloads.yaml | 1 + .../resources/inbuilt_test_yaml_files/DjangoUrlExposed.yaml | 3 ++- .../inbuilt_test_yaml_files/DockerComposeConfig.yaml | 3 +++ .../inbuilt_test_yaml_files/DockerfileHiddenDisclosure.yaml | 2 ++ .../resources/inbuilt_test_yaml_files/EsmtprcConfig.yaml | 2 ++ .../inbuilt_test_yaml_files/ExpressStackTraceEnabled.yaml | 2 +- .../inbuilt_test_yaml_files/FirebaseConfigExposure.yaml | 1 + .../inbuilt_test_yaml_files/FirebaseUnauthenticated.yaml | 1 + .../inbuilt_test_yaml_files/FlaskDebugModeEnabled.yaml | 2 ++ .../inbuilt_test_yaml_files/FtpCredentialsExposure.yaml | 2 +- .../inbuilt_test_yaml_files/GitConfigNginxoffbyslash.yaml | 2 +- .../inbuilt_test_yaml_files/GitCredentialsDisclosure.yaml | 3 +-- .../inbuilt_test_yaml_files/GithubWorkflowsDisclosure.yaml | 1 + .../inbuilt_test_yaml_files/GraphqlDebugModeEnabled.yaml | 1 + .../GraphqlDevelopmentConsoleExposed.yaml | 1 + .../GraphqlFieldSuggestionEnabled.yaml | 1 + .../inbuilt_test_yaml_files/GraphqlIntrospectionEnabled.yaml | 1 + .../GraphqlTypeIntrospectionAllowed.yaml | 1 + .../resources/inbuilt_test_yaml_files/HeadMethodTest.yaml | 2 +- .../inbuilt_test_yaml_files/HeaderReflectedInInvalidUrl.yaml | 1 + .../inbuilt_test_yaml_files/HttpResponseSplitting.yaml | 1 + .../resources/inbuilt_test_yaml_files/InvalidFileInput.yaml | 5 +++-- .../inbuilt_test_yaml_files/JWTSigningInClientSide.yaml | 1 + 
.../main/resources/inbuilt_test_yaml_files/JwtAddJku.yaml | 1 + .../inbuilt_test_yaml_files/JwtInvalidSignature.yaml | 1 + .../main/resources/inbuilt_test_yaml_files/JwtNoneAlgo.yaml | 1 + .../inbuilt_test_yaml_files/KernelOpenCommandInjection.yaml | 2 +- .../KubernetesKustomizationDisclosure.yaml | 1 + .../resources/inbuilt_test_yaml_files/LFIAddingNewParam.yaml | 1 + .../resources/inbuilt_test_yaml_files/LFIInParameter.yaml | 1 + .../main/resources/inbuilt_test_yaml_files/LFIInPath.yaml | 1 + .../inbuilt_test_yaml_files/LaravelDebugModeEnabled.yaml | 2 +- .../main/resources/inbuilt_test_yaml_files/LaravelEnv.yaml | 1 + .../inbuilt_test_yaml_files/LaravelTelescopeEnabled.yaml | 1 + .../inbuilt_test_yaml_files/MustContainResponseHeaders.yaml | 2 +- .../main/resources/inbuilt_test_yaml_files/NginxConfig.yaml | 1 + .../inbuilt_test_yaml_files/NginxDefaultPageEnabled.yaml | 1 + .../inbuilt_test_yaml_files/NginxServerVersionDisclosed.yaml | 1 + .../inbuilt_test_yaml_files/NginxStatusVisible.yaml | 1 + .../src/main/resources/inbuilt_test_yaml_files/NoAuth.yaml | 1 + .../resources/inbuilt_test_yaml_files/OldApiVersion.yaml | 2 ++ .../inbuilt_test_yaml_files/OracleEbsCredentials.yaml | 1 + .../resources/inbuilt_test_yaml_files/ParametersConfig.yaml | 1 + .../resources/inbuilt_test_yaml_files/PrometheusMetrics.yaml | 1 + .../inbuilt_test_yaml_files/RailsDebugModeEnabled.yaml | 2 +- .../inbuilt_test_yaml_files/RailsDefaultHomepageEnabled.yaml | 1 + .../resources/inbuilt_test_yaml_files/RandomMethodTest.yaml | 4 +++- .../main/resources/inbuilt_test_yaml_files/RedisConfig.yaml | 1 + .../resources/inbuilt_test_yaml_files/RemoveCaptcha.yaml | 1 + .../resources/inbuilt_test_yaml_files/ReplayCaptcha.yaml | 1 + .../inbuilt_test_yaml_files/RobomongoCredential.yaml | 1 + .../inbuilt_test_yaml_files/SSTIInFlaskAndJinja.yaml | 1 + .../resources/inbuilt_test_yaml_files/SSTIInFreemarker.yaml | 1 + .../main/resources/inbuilt_test_yaml_files/SSTIInTwig.yaml | 1 + 
.../inbuilt_test_yaml_files/SftpConfigExposure.yaml | 1 + .../inbuilt_test_yaml_files/SonarqubePublicProjects.yaml | 1 + .../SpringBootBeansActuatorExposed.yaml | 1 + .../SpringBootConfigPropsActuatorExposed.yaml | 1 + .../SpringBootEnvActuatorExposed.yaml | 1 + .../SpringBootHttpTraceActuatorExposed.yaml | 1 + .../SpringBootThreadDumpActuatorExposed.yaml | 1 + .../resources/inbuilt_test_yaml_files/SshAuthorizedKeys.yaml | 1 + .../resources/inbuilt_test_yaml_files/SshKnownHosts.yaml | 1 + .../inbuilt_test_yaml_files/StrutsDebugModeEnabled.yaml | 2 +- .../inbuilt_test_yaml_files/StrutsOgnlConsoleEnabled.yaml | 2 +- .../inbuilt_test_yaml_files/TextInjectionViaInvalidUrls.yaml | 2 +- .../resources/inbuilt_test_yaml_files/TraceMethodTest.yaml | 2 +- .../resources/inbuilt_test_yaml_files/TrackMethodTest.yaml | 2 +- .../inbuilt_test_yaml_files/UnauthenticatedMongoExpress.yaml | 2 +- .../inbuilt_test_yaml_files/UnwantedResponseHeaders.yaml | 1 + .../main/resources/inbuilt_test_yaml_files/WgetrcConfig.yaml | 1 + 79 files changed, 94 insertions(+), 26 deletions(-) diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AbusingCRLFInHeaders.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AbusingCRLFInHeaders.yaml index 56b0339ab7..bf32b55e8b 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AbusingCRLFInHeaders.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AbusingCRLFInHeaders.yaml @@ -24,6 +24,7 @@ info: - CWE-93 - CWE-74 - CWE-20 + - CWE-113 cve: - CVE-2020-15693 - CVE-2023-0040 diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CORSMisconfigurationInvalidOrigin.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CORSMisconfigurationInvalidOrigin.yaml index 2377296956..e6a16b1d13 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CORSMisconfigurationInvalidOrigin.yaml 
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CORSMisconfigurationInvalidOrigin.yaml @@ -23,7 +23,7 @@ info: references: - "https://crashtest-security.com/cors-misconfiguration/" cwe: - - CWE-16 + - CWE-942 cve: - CVE-2021-27786 - CVE-2021-26991 diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CORSMisconfigurationWhitelistOrigin.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CORSMisconfigurationWhitelistOrigin.yaml index 02cb20967e..3c58e06899 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CORSMisconfigurationWhitelistOrigin.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CORSMisconfigurationWhitelistOrigin.yaml @@ -22,7 +22,7 @@ info: references: - "https://crashtest-security.com/cors-misconfiguration/" cwe: - - CWE-16 + - CWE-942 cve: - CVE-2021-27786 diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ConfigurationListing.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ConfigurationListing.yaml index 09e15f96f3..9cbb14d6e6 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ConfigurationListing.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ConfigurationListing.yaml @@ -14,7 +14,7 @@ info: references: - https://www.exploit-db.com/ghdb/7014 cwe: - - CWE-16 + - CWE-548 cve: - CVE-2021-1126 - CVE-2021-33214 diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ContentTypeHeaderMissing.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ContentTypeHeaderMissing.yaml index fd41930845..0722e92dde 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ContentTypeHeaderMissing.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ContentTypeHeaderMissing.yaml 
@@ -27,7 +27,8 @@ info: - "https://cwe.mitre.org/data/definitions/285.html" - "https://cwe.mitre.org/data/definitions/639.html" cwe: - - CWE-16 + - CWE-116 + - CWE-430 cve: - CVE-2023-38199 - CVE-2023-26130 diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CookieMisconfiguration.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CookieMisconfiguration.yaml index 0c6e5f174f..ca79c25db7 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CookieMisconfiguration.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CookieMisconfiguration.yaml @@ -18,7 +18,9 @@ info: references: - "https://hackerone.com/reports/58679" cwe: - - CWE-16 + - CWE-614 + - CWE-1004 + - CWE-315 cve: - CVE-2023-4654 - CVE-2023-28708 diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DebugVars.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DebugVars.yaml index cc67c0ac8d..e4767aef0c 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DebugVars.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DebugVars.yaml @@ -14,7 +14,8 @@ info: references: - https://hackerone.com/reports/1650035 cwe: - - CWE-16 + - CWE-200 + - CWE-538 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DefaultLoginCredentials.yml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DefaultLoginCredentials.yml index a75a9a6f60..17607acae1 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DefaultLoginCredentials.yml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DefaultLoginCredentials.yml @@ -25,6 +25,7 @@ info: - "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/" cwe: - CWE-1392 + - CWE-521 cve: - CVE-2023-41878 - CVE-2023-37755 
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DescriptiveErrorMessageInvalidPayloads.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DescriptiveErrorMessageInvalidPayloads.yaml index f064b69244..7afe67d964 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DescriptiveErrorMessageInvalidPayloads.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DescriptiveErrorMessageInvalidPayloads.yaml @@ -20,6 +20,7 @@ info: - "https://owasp.org/www-community/Improper_Error_Handling" cwe: - CWE-209 + - CWE-200 cve: - CVE-2020-11883 - CVE-2020-15652 diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DjangoUrlExposed.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DjangoUrlExposed.yaml index db5a84fd34..cf30a49b35 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DjangoUrlExposed.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DjangoUrlExposed.yaml @@ -23,7 +23,8 @@ info: - "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/01-Testing_For_Improper_Error_Handling" - "https://hackerone.com/reports/1033423" cwe: - - CWE-16 + - CWE-215 + - CWE-489 cve: - CVE-2017-12794 diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DockerComposeConfig.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DockerComposeConfig.yaml index 7afe668612..a021855cfa 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DockerComposeConfig.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DockerComposeConfig.yaml @@ -16,6 +16,9 @@ info: - https://secapps.com/vulndb/docker-compose-exposure cwe: - CWE-16 + - CWE-530 + - CWE-538 + - CWE-552 cve: - CVE-2023-37273 
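Review bot: `- CWE-16` is kept in DockerComposeConfig with the new IDs appended beneath it, while earlier hunks in the same commit (CORSMisconfigurationInvalidOrigin, CORSMisconfigurationWhitelistOrigin, ConfigurationListing, ContentTypeHeaderMissing, CookieMisconfiguration, DebugVars, DjangoUrlExposed) replace CWE-16 outright; the same retain-and-append shape recurs in DockerfileHiddenDisclosure, EsmtprcConfig, FirebaseConfigExposure, FirebaseUnauthenticated, FlaskDebugModeEnabled, GithubWorkflowsDisclosure and the Graphql* templates that follow. CWE-16 ("Configuration") is a category entry rather than a weakness, which is presumably why the other hunks drop it, so the mixed treatment reads as an oversight rather than a deliberate choice. Suggest dropping the `- CWE-16` line here and in the templates listed above, leaving only the weakness IDs (CWE-530, CWE-538, CWE-552 in this file).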
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DockerfileHiddenDisclosure.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DockerfileHiddenDisclosure.yaml index a6bdbc0e10..bb490ff207 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DockerfileHiddenDisclosure.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DockerfileHiddenDisclosure.yaml @@ -15,6 +15,8 @@ info: - https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/dockerfile-hidden-disclosure.json cwe: - CWE-16 + - CWE-200 + - CWE-552 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/EsmtprcConfig.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/EsmtprcConfig.yaml index 21fd976a6c..86cd33c67b 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/EsmtprcConfig.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/EsmtprcConfig.yaml @@ -15,6 +15,8 @@ info: - https://linux.die.net/man/5/esmtprc cwe: - CWE-16 + - CWE-200 + - CWE-538 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ExpressStackTraceEnabled.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ExpressStackTraceEnabled.yaml index ec95bc0c35..8060c8302a 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ExpressStackTraceEnabled.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ExpressStackTraceEnabled.yaml @@ -23,7 +23,7 @@ info: references: - "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/" cwe: - - CWE-16 + - CWE-209 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FirebaseConfigExposure.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FirebaseConfigExposure.yaml index bcaa80650b..30fb6626e0 100644 
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FirebaseConfigExposure.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FirebaseConfigExposure.yaml @@ -15,6 +15,7 @@ info: - https://github.com/firebase/firebaseui-web/blob/master/demo/public/sample-config.js cwe: - CWE-16 + - CWE-200 cve: - CVE-2020-7765 - CVE-2021-46743 diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FirebaseUnauthenticated.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FirebaseUnauthenticated.yaml index fbf37552bb..387ffdbb80 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FirebaseUnauthenticated.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FirebaseUnauthenticated.yaml @@ -20,6 +20,7 @@ info: - "http://ghostlulz.com/google-exposed-firebase-database/" cwe: - CWE-16 + - CWE-200 cve: - CVE-2020-7765 - CVE-2021-46743 diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FlaskDebugModeEnabled.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FlaskDebugModeEnabled.yaml index 285d58af44..590ad92a81 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FlaskDebugModeEnabled.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FlaskDebugModeEnabled.yaml @@ -28,6 +28,8 @@ info: - "http://ghostlulz.com/flask-rce-debug-mode/" cwe: - CWE-16 + - CWE-11 + - CWE-215 cve: - CVE-2015-5306 diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FtpCredentialsExposure.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FtpCredentialsExposure.yaml index e114f36aa9..901c9e716b 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FtpCredentialsExposure.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FtpCredentialsExposure.yaml 
@@ -15,7 +15,7 @@ info: - https://www.acunetix.com/vulnerabilities/web/sftp-ftp-credentials-exposure/ cwe: - CWE-200 - - CWE-213 + - CWE-256 cve: - CVE-2023-2061 - CVE-2018-18371 diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GitConfigNginxoffbyslash.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GitConfigNginxoffbyslash.yaml index ef332fd62a..26c522f294 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GitConfigNginxoffbyslash.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GitConfigNginxoffbyslash.yaml @@ -16,7 +16,7 @@ info: - https://twitter.com/Random_Robbie/status/1262676628167110656 - https://github.com/PortSwigger/nginx-alias-traversal/blob/master/off-by-slash.py cwe: - - CWE-16 + - CWE-22 cve: - CVE-2021-23017 diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GitCredentialsDisclosure.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GitCredentialsDisclosure.yaml index 6fd0257c98..38096a241f 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GitCredentialsDisclosure.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GitCredentialsDisclosure.yaml @@ -14,8 +14,7 @@ info: references: - https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/git-credentials-disclosure.json cwe: - - CWE-200 - - CWE-213 + - CWE-256 cve: - CVE-2020-5260 diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GithubWorkflowsDisclosure.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GithubWorkflowsDisclosure.yaml index 5b631299d6..64a68292b4 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GithubWorkflowsDisclosure.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GithubWorkflowsDisclosure.yaml 
@@ -15,6 +15,7 @@ info:
 - https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/github-workflows-disclosure.json
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2023-34111
 - CVE-2022-46258
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlDebugModeEnabled.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlDebugModeEnabled.yaml
index e748048fe6..98fd23531d 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlDebugModeEnabled.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlDebugModeEnabled.yaml
@@ -30,6 +30,7 @@ info:
 - "https://0xn3va.gitbook.io/cheat-sheets/web-application/graphql-vulnerabilities"
 cwe:
 - CWE-16
+ - CWE-200
 api_selection_filters:
 url:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlDevelopmentConsoleExposed.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlDevelopmentConsoleExposed.yaml
index 984608c6f9..6dbcaac1f3 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlDevelopmentConsoleExposed.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlDevelopmentConsoleExposed.yaml
@@ -27,6 +27,7 @@ info:
 - "https://0xn3va.gitbook.io/cheat-sheets/web-application/graphql-vulnerabilities"
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2021-41248
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlFieldSuggestionEnabled.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlFieldSuggestionEnabled.yaml
index 133d47d974..2b9062aea6 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlFieldSuggestionEnabled.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlFieldSuggestionEnabled.yaml
@@ -24,6 +24,7 @@ info:
 - "https://0xn3va.gitbook.io/cheat-sheets/web-application/graphql-vulnerabilities"
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2023-5192
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlIntrospectionEnabled.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlIntrospectionEnabled.yaml
index b7a980263e..db2f73d23c 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlIntrospectionEnabled.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlIntrospectionEnabled.yaml
@@ -26,6 +26,7 @@ info:
 - "https://www.apollographql.com/blog/graphql/security/why-you-should-disable-graphql-introspection-in-production/"
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2023-5192
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlTypeIntrospectionAllowed.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlTypeIntrospectionAllowed.yaml
index f16f568795..a2c4af8af5 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlTypeIntrospectionAllowed.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlTypeIntrospectionAllowed.yaml
@@ -25,6 +25,7 @@ info:
 - "https://www.apollographql.com/blog/graphql/security/why-you-should-disable-graphql-introspection-in-production/"
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2021-41248
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HeadMethodTest.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HeadMethodTest.yaml
index edbec8cbcd..8933149431 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HeadMethodTest.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HeadMethodTest.yaml
@@ -34,7 +34,7 @@ info:
 - "https://cwe.mitre.org/data/definitions/285.html"
 - "https://cwe.mitre.org/data/definitions/639.html"
 cwe:
- - CWE-16
+ - CWE-284
 cve:
 - CVE-2022-45956
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HeaderReflectedInInvalidUrl.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HeaderReflectedInInvalidUrl.yaml
index 7b9d5d51e0..5400750c95 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HeaderReflectedInInvalidUrl.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HeaderReflectedInInvalidUrl.yaml
@@ -19,6 +19,7 @@ info:
 references:
 - "https://hackerone.com/reports/792998"
 cwe:
+ - CWE-113
 - CWE-16
 cve:
 - CVE-2022-37724
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HttpResponseSplitting.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HttpResponseSplitting.yaml
index 1f452600ae..3dc90628f8 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HttpResponseSplitting.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HttpResponseSplitting.yaml
@@ -21,6 +21,7 @@ info:
 - "https://www.invicti.com/blog/web-security/crlf-http-header/"
 cwe:
 - CWE-93
+ - CWE-113
 cve:
 - CVE-2023-41834
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/InvalidFileInput.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/InvalidFileInput.yaml
index 479c8a77ef..7ae9d7befd 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/InvalidFileInput.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/InvalidFileInput.yaml
@@ -25,8 +25,9 @@ info:
 - "https://owasp.org/www-community/Improper_Error_Handling"
 - "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/01-Testing_For_Improper_Error_Handling"
 cwe:
- - CWE-728
- - CWE-388
+ - CWE-209
+ - CWE-200
+ - CWE-22
 cve:
 - CVE-2020-10097
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JWTSigningInClientSide.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JWTSigningInClientSide.yaml
index bbbe10562f..f8f57928b6 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JWTSigningInClientSide.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JWTSigningInClientSide.yaml
@@ -20,6 +20,7 @@ info:
 - "https://hackerone.com/reports/638635"
 cwe:
 - CWE-287
+ - CWE-347
 api_selection_filters:
 response_payload:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtAddJku.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtAddJku.yaml
index ab37b27a90..6baf07ec79 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtAddJku.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtAddJku.yaml
@@ -29,6 +29,7 @@ info:
 - "https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-jku-header-injection"
 cwe:
 - CWE-287
+ - CWE-295
 cve:
 - CVE-2018-0114
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtInvalidSignature.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtInvalidSignature.yaml
index dfdccf89c0..34b84d1979 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtInvalidSignature.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtInvalidSignature.yaml
@@ -27,6 +27,7 @@ info:
 - "https://portswigger.net/kb/issues/00200900_jwt-signature-not-verified#:~:text=Description%3A%20JWT%20signature%20not%20verified&text=However%2C%20some%20servers%20fail%20to,privileges%20or%20impersonate%20other%20users."
 cwe:
 - CWE-287
+ - CWE-295
 cve:
 - CVE-2022-25898
 - CVE-2021-29455
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtNoneAlgo.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtNoneAlgo.yaml
index ac10724845..d090fdac57 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtNoneAlgo.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtNoneAlgo.yaml
@@ -26,6 +26,7 @@ info:
 - "https://portswigger.net/kb/issues/00200901_jwt-none-algorithm-supported"
 cwe:
 - CWE-287
+ - CWE-347
 cve:
 - CVE-2022-23540
 - CVE-2015-9235
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/KernelOpenCommandInjection.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/KernelOpenCommandInjection.yaml
index 9c749b3512..65ba614b1c 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/KernelOpenCommandInjection.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/KernelOpenCommandInjection.yaml
@@ -18,7 +18,7 @@ info:
 - OWASP top 10
 - HackerOne top 10
 cwe:
- - CWE-77
+ - CWE-78
 cve:
 - CVE-2021-31799
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/KubernetesKustomizationDisclosure.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/KubernetesKustomizationDisclosure.yaml
index 7be9ec26b0..6e02efc49f 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/KubernetesKustomizationDisclosure.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/KubernetesKustomizationDisclosure.yaml
@@ -15,6 +15,7 @@ info:
 - https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/kubernetes-kustomization-disclosure.json
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2021-41254
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIAddingNewParam.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIAddingNewParam.yaml
index 507ec4b97c..c5a5a2cda9 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIAddingNewParam.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIAddingNewParam.yaml
@@ -21,6 +21,7 @@ info:
 - "https://raw.githubusercontent.com/emadshanab/LFI-Payload-List/master/LFI%20payloads.txt"
 cwe:
 - CWE-98
+ - CWE-22
 cve:
 - CVE-2021-39433
 - CVE-2023-22973
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIInParameter.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIInParameter.yaml
index 22e10a4bcf..63d72761c7 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIInParameter.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIInParameter.yaml
@@ -21,6 +21,7 @@ info:
 - "https://raw.githubusercontent.com/emadshanab/LFI-Payload-List/master/LFI%20payloads.txt"
 cwe:
 - CWE-98
+ - CWE-22
 cve:
 - CVE-2022-29597
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIInPath.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIInPath.yaml
index 30d54cc9d0..c914a348c9 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIInPath.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIInPath.yaml
@@ -21,6 +21,7 @@ info:
 - "https://raw.githubusercontent.com/emadshanab/LFI-Payload-List/master/LFI%20payloads.txt"
 cwe:
 - CWE-98
+ - CWE-22
 cve:
 - CVE-2023-2453
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LaravelDebugModeEnabled.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LaravelDebugModeEnabled.yaml
index f20c4bbdf0..32412afb7e 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LaravelDebugModeEnabled.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LaravelDebugModeEnabled.yaml
@@ -27,7 +27,7 @@ info:
 - "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
 - "https://laravel.com/docs/10.x/deployment#debug-mode"
 cwe:
- - CWE-16
+ - CWE-215
 cve:
 - CVE-2021-3129
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LaravelEnv.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LaravelEnv.yaml
index d855a79880..9008f9b9d8 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LaravelEnv.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LaravelEnv.yaml
@@ -15,6 +15,7 @@ info:
 - https://laravel.com/docs/master/configuration#environment-configuration
 - https://stackoverflow.com/questions/38331397/how-to-protect-env-file-in-laravel
 cwe:
+ - CWE-200
 - CWE-16
 cve:
 - CVE-2017-16894
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LaravelTelescopeEnabled.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LaravelTelescopeEnabled.yaml
index 0737c6cd0d..827fb2c2a3 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LaravelTelescopeEnabled.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LaravelTelescopeEnabled.yaml
@@ -28,6 +28,7 @@ info:
 - "https://laravel.com/docs/10.x/telescope"
 cwe:
 - CWE-16
+ - CWE-215
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MustContainResponseHeaders.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MustContainResponseHeaders.yaml
index 18ed0054fa..6921fb9772 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MustContainResponseHeaders.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MustContainResponseHeaders.yaml
@@ -26,7 +26,7 @@ info:
 - "https://www.keycdn.com/blog/http-security-headers"
 - "https://www.invicti.com/white-papers/whitepaper-http-security-headers"
 cwe:
- - CWE-16
+ - CWE-693
 cve:
 - CVE-2022-41915
 - CVE-2022-37436
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxConfig.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxConfig.yaml
index e21dcd1a12..e63cacaf7f 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxConfig.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxConfig.yaml
@@ -15,6 +15,7 @@ info:
 - https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/nginx
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2020-11959
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxDefaultPageEnabled.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxDefaultPageEnabled.yaml
index eb77c5d518..d0cb1da8ba 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxDefaultPageEnabled.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxDefaultPageEnabled.yaml
@@ -25,6 +25,7 @@ info:
 - "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
 cwe:
 - CWE-16
+ - CWE-276
 cve:
 - CVE-2013-0337
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxServerVersionDisclosed.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxServerVersionDisclosed.yaml
index 5b74383440..d4396e2651 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxServerVersionDisclosed.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxServerVersionDisclosed.yaml
@@ -25,6 +25,7 @@ info:
 - "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2017-7529
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxStatusVisible.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxStatusVisible.yaml
index dd0fed34dd..361990f884 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxStatusVisible.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxStatusVisible.yaml
@@ -21,6 +21,7 @@ info:
 - "https://www.acunetix.com/vulnerabilities/web/unrestricted-access-to-nginx-status-module/"
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2022-41741
 - CVE-2019-20372
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NoAuth.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NoAuth.yaml
index 6113f17848..2219c5ec2f 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NoAuth.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NoAuth.yaml
@@ -25,6 +25,7 @@ info:
 - "https://cwe.mitre.org/data/definitions/798.html"
 cwe:
 - CWE-287
+ - CWE-306
 cve:
 - CVE-2023-22501
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OldApiVersion.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OldApiVersion.yaml
index 9ba59b1f5e..1576bbf077 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OldApiVersion.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OldApiVersion.yaml
@@ -31,6 +31,8 @@ info:
 - "https://cwe.mitre.org/data/definitions/639.html"
 cwe:
 - CWE-937
+ - CWE-285
+ - CWE-862
 cve:
 - CVE-2022-31690
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OracleEbsCredentials.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OracleEbsCredentials.yaml
index 2069d4b060..412b5ad781 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OracleEbsCredentials.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OracleEbsCredentials.yaml
@@ -17,6 +17,7 @@ info:
 - http://www.davidlitchfield.com/AssessingOraclee-BusinessSuite11i.pdf
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2023-21849
 - CVE-2023-21847
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ParametersConfig.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ParametersConfig.yaml
index e3ebe87fa6..0b1e982bf9 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ParametersConfig.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ParametersConfig.yaml
@@ -15,6 +15,7 @@ info:
 - https://www.exploit-db.com/ghdb/5986
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2015-4050
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/PrometheusMetrics.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/PrometheusMetrics.yaml
index aed63c6dcb..7723f706e8 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/PrometheusMetrics.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/PrometheusMetrics.yaml
@@ -16,6 +16,7 @@ info:
 - https://hackerone.com/reports/1026196
 cwe:
 - CWE-16
+ - CWE-200
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RailsDebugModeEnabled.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RailsDebugModeEnabled.yaml
index 75f5c58659..319bbce287 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RailsDebugModeEnabled.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RailsDebugModeEnabled.yaml
@@ -27,7 +27,7 @@ info:
 - "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
 - "https://beaglesecurity.com/blog/vulnerability/rails-debug-mode-enabled.html"
 cwe:
- - CWE-16
+ - CWE-215
 cve:
 - CVE-2019-5420
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RailsDefaultHomepageEnabled.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RailsDefaultHomepageEnabled.yaml
index a41904b6ec..a2711c9ed6 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RailsDefaultHomepageEnabled.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RailsDefaultHomepageEnabled.yaml
@@ -26,6 +26,7 @@ info:
 - "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
 cwe:
 - CWE-16
+ - CWE-276
 cve:
 - CVE-2019-5418
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RandomMethodTest.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RandomMethodTest.yaml
index dac0785014..28cf733c70 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RandomMethodTest.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RandomMethodTest.yaml
@@ -31,7 +31,9 @@ info:
 - "https://web.archive.org/web/20081116154150/http://www.aspectsecurity.com/documents/Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf"
 - "https://capec.mitre.org/data/definitions/274.html"
 cwe:
- - CWE-274
+ - CWE-288
+ - CWE-287
+ - CWE-285
 cve:
 - CVE-2020-35239
 - CVE-2018-19908
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RedisConfig.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RedisConfig.yaml
index 6a1f1f4622..f16193e80c 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RedisConfig.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RedisConfig.yaml
@@ -15,6 +15,7 @@ info:
 - https://redis.io/docs/manual/config/
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2023-36824
 - CVE-2022-0543
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RemoveCaptcha.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RemoveCaptcha.yaml
index 183b24f433..4db363a924 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RemoveCaptcha.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RemoveCaptcha.yaml
@@ -20,6 +20,7 @@ info:
 - "https://hackerone.com/reports/124173"
 cwe:
 - CWE-287
+ - CWE-294
 cve:
 - CVE-2021-37417
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ReplayCaptcha.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ReplayCaptcha.yaml
index acdf9e7d5d..b3e6a9cdd6 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ReplayCaptcha.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ReplayCaptcha.yaml
@@ -19,6 +19,7 @@ info:
 - "https://hackerone.com/reports/223324"
 cwe:
 - CWE-287
+ - CWE-294
 cve:
 - CVE-2021-29047
 - CVE-2022-34983
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RobomongoCredential.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RobomongoCredential.yaml
index 64167c378d..b8372d90c6 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RobomongoCredential.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RobomongoCredential.yaml
@@ -15,6 +15,7 @@ info:
 - https://web.cystack.net/vulnerability/cystack.remote.robomongo_cred_disclosure
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2023-4009
 - CVE-2021-32039
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInFlaskAndJinja.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInFlaskAndJinja.yaml
index fbc58cf132..bad31d4d8f 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInFlaskAndJinja.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInFlaskAndJinja.yaml
@@ -20,6 +20,7 @@ info:
 - "https://www.cobalt.io/blog/a-pentesters-guide-to-server-side-template-injection-ssti"
 cwe:
 - CWE-1336
+ - CWE-94
 cve:
 - CVE-2019-8341
 - CVE-2022-34625
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInFreemarker.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInFreemarker.yaml
index c8f41b8172..0aa75b536e 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInFreemarker.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInFreemarker.yaml
@@ -20,6 +20,7 @@ info:
 - "https://www.cobalt.io/blog/a-pentesters-guide-to-server-side-template-injection-ssti"
 cwe:
 - CWE-1336
+ - CWE-94
 cve:
 - CVE-2022-24442
 - CVE-2021-25770
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInTwig.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInTwig.yaml
index dfcb50119b..802acfeb1b 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInTwig.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInTwig.yaml
@@ -20,6 +20,7 @@ info:
 - "https://www.cobalt.io/blog/a-pentesters-guide-to-server-side-template-injection-ssti"
 cwe:
 - CWE-1336
+ - CWE-94
 cve:
 - CVE-2018-13818
 - CVE-2023-34448
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SftpConfigExposure.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SftpConfigExposure.yaml
index cb642d621b..2d2468f313 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SftpConfigExposure.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SftpConfigExposure.yaml
@@ -17,6 +17,7 @@ info:
 - https://codexns.io/products/sftp_for_sublime/settings
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2023-38951
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SonarqubePublicProjects.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SonarqubePublicProjects.yaml
index 2eb0325c6f..04e9d7a16b 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SonarqubePublicProjects.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SonarqubePublicProjects.yaml
@@ -15,6 +15,7 @@ info:
 - https://next.sonarqube.com/sonarqube/web_api/api/components/suggestions?internal=true
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2020-28002
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootBeansActuatorExposed.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootBeansActuatorExposed.yaml
index 7b8806bab7..5e90fb92ae 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootBeansActuatorExposed.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootBeansActuatorExposed.yaml
@@ -26,6 +26,7 @@ info:
 - "https://docs.spring.io/spring-boot/docs/current/reference/html/actuator.html"
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2021-21234
 - CVE-2023-29986
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootConfigPropsActuatorExposed.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootConfigPropsActuatorExposed.yaml
index 75c2738e4f..19017fff3a 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootConfigPropsActuatorExposed.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootConfigPropsActuatorExposed.yaml
@@ -27,6 +27,7 @@ info:
 - "https://docs.spring.io/spring-boot/docs/current/reference/html/actuator.html"
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2021-21234
 - CVE-2023-29986
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootEnvActuatorExposed.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootEnvActuatorExposed.yaml
index e4f1a294b3..a891493074 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootEnvActuatorExposed.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootEnvActuatorExposed.yaml
@@ -27,6 +27,7 @@ info:
 - "https://docs.spring.io/spring-boot/docs/current/reference/html/actuator.html"
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2021-21234
 - CVE-2023-29986
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootHttpTraceActuatorExposed.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootHttpTraceActuatorExposed.yaml
index ed52f8f0c5..55a91eedbe 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootHttpTraceActuatorExposed.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootHttpTraceActuatorExposed.yaml
@@ -28,6 +28,7 @@ info:
 - "https://docs.spring.io/spring-boot/docs/current/reference/html/actuator.html"
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2021-21234
 - CVE-2023-29986
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootThreadDumpActuatorExposed.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootThreadDumpActuatorExposed.yaml
index 818d678830..395e90ab71 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootThreadDumpActuatorExposed.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootThreadDumpActuatorExposed.yaml
@@ -28,6 +28,7 @@ info:
 - "https://docs.spring.io/spring-boot/docs/current/reference/html/actuator.html"
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2021-21234
 - CVE-2023-29986
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SshAuthorizedKeys.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SshAuthorizedKeys.yaml
index eadd66d43d..43d57d6c10 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SshAuthorizedKeys.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SshAuthorizedKeys.yaml
@@ -15,6 +15,7 @@ info:
 - https://www.ssh.com/academy/ssh/authorized-key
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2023-43619
 - CVE-2022-29154
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SshKnownHosts.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SshKnownHosts.yaml
index d06786477e..cc9641e74e 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SshKnownHosts.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SshKnownHosts.yaml
@@ -15,6 +15,7 @@ info:
 - https://datacadamia.com/ssh/known_hosts
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2005-2666
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/StrutsDebugModeEnabled.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/StrutsDebugModeEnabled.yaml
index 0f03a1d63d..f3c72b3ad3 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/StrutsDebugModeEnabled.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/StrutsDebugModeEnabled.yaml
@@ -26,7 +26,7 @@ info:
 - "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
 - "https://struts.apache.org/core-developers/development-mode"
 cwe:
- - CWE-16
+ - CWE-215
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/StrutsOgnlConsoleEnabled.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/StrutsOgnlConsoleEnabled.yaml
index c9234390e7..270a784418 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/StrutsOgnlConsoleEnabled.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/StrutsOgnlConsoleEnabled.yaml
@@ -26,7 +26,7 @@ info:
 - "https://struts.apache.org/core-developers/development-mode"
 - "https://nvd.nist.gov/vuln/detail/CVE-2020-17530"
 cwe:
- - CWE-16
+ - CWE-215
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TextInjectionViaInvalidUrls.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TextInjectionViaInvalidUrls.yaml
index 6f74771242..c4557d59ef 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TextInjectionViaInvalidUrls.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TextInjectionViaInvalidUrls.yaml
@@ -20,7 +20,7 @@ info:
 - "https://owasp.org/www-community/attacks/Content_Spoofing"
 - "https://infosecwriteups.com/text-based-injection-content-spoofing-96e9eb1615d8"
 cwe:
- - CWE-345
+ - CWE-74
 cve:
 - CVE-2019-1680
 - CVE-2022-42889
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TraceMethodTest.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TraceMethodTest.yaml
index adb974a3d9..8edb74aa26 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TraceMethodTest.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TraceMethodTest.yaml
@@ -23,7 +23,7 @@ info:
 - "https://www.onwebsecurity.com/security/unsafe-http-methods.html"
 - "https://hackerone.com/reports/109054"
 cwe:
- - CWE-274
+ - CWE-16
 cve:
 - CVE-2022-38115
 - CVE-2018-11039
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TrackMethodTest.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TrackMethodTest.yaml
index dca25972d9..11e20c1c57 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TrackMethodTest.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TrackMethodTest.yaml
@@ -23,7 +23,7 @@ info:
 - "https://www.onwebsecurity.com/security/unsafe-http-methods.html"
 - "https://hackerone.com/reports/83837"
 cwe:
- - CWE-274
+ - CWE-16
 cve:
 - CVE-2021-35233
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/UnauthenticatedMongoExpress.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/UnauthenticatedMongoExpress.yaml
index 0edfc7fa38..f7d32fe8e9 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/UnauthenticatedMongoExpress.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/UnauthenticatedMongoExpress.yaml
@@ -14,7 +14,7 @@ info:
 references:
 - https://www.exploit-db.com/ghdb/5684
 cwe:
- - CWE-16
+ - CWE-306
 cve:
 - CVE-2020-7925
 - CVE-2021-21422
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/UnwantedResponseHeaders.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/UnwantedResponseHeaders.yaml
index ea2d32027e..cdfe1dcaaf 100644
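Review bot: TraceMethodTest and TrackMethodTest move their only CWE from CWE-274 to CWE-16, while this same commit replaces CWE-16 with more specific entries elsewhere (HeadMethodTest → CWE-284, LaravelDebugModeEnabled → CWE-215, MustContainResponseHeaders → CWE-693, UnauthenticatedMongoExpress → CWE-306), so these two hunks run against the direction of the rest of the change. As far as I recall CWE-16 is a Configuration category rather than a weakness entry, which is presumably why it is being phased out in the other templates; if a verb-handling misconfiguration is the intended classification, it would be worth pairing it with a weakness-level entry the way the information-exposure templates here pair CWE-16 with `- CWE-200`. The template authors are better placed to pick the exact entry; the point is consistency within the commit.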
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/UnwantedResponseHeaders.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/UnwantedResponseHeaders.yaml
@@ -23,6 +23,7 @@ info:
 - "https://portswigger.net/web-security/host-header/exploiting"
 - "https://blog.yeswehack.com/yeswerhackers/http-header-exploitation/"
 cwe:
+ - CWE-200
 - CWE-16
 cve:
 - CVE-2022-3215
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/WgetrcConfig.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/WgetrcConfig.yaml
index fff2298b92..3748e247e1 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/WgetrcConfig.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/WgetrcConfig.yaml
@@ -15,6 +15,7 @@ info:
 - https://ubuntu.com/security/notices/USN-982-1
 cwe:
 - CWE-16
+ - CWE-200
 api_selection_filters:
 response_code:
From d47a803f7715b56cfe477a7e38f83d6d289f819d Mon Sep 17 00:00:00 2001
From: notshivansh
Date: Thu, 26 Oct 2023 15:06:49 +0530
Subject: [PATCH 22/27] refractor PR

---
 .../akto/test_editor/execution/Executor.java | 6 ++-
 .../src/main/java/com/akto/testing/Main.java | 41 +------------------
 .../java/com/akto/testing/TestExecutor.java | 33 ++++++---------
 3 files changed, 18 insertions(+), 62 deletions(-)

diff --git a/apps/testing/src/main/java/com/akto/test_editor/execution/Executor.java b/apps/testing/src/main/java/com/akto/test_editor/execution/Executor.java
index 079d44f771..361ddb2aa6 100644
--- a/apps/testing/src/main/java/com/akto/test_editor/execution/Executor.java
+++ b/apps/testing/src/main/java/com/akto/test_editor/execution/Executor.java
@@ -32,9 +32,11 @@ public List execute(ExecutorNode node, RawApi rawApi, Map customAuthTypes) { List result = new ArrayList<>(); + TestResult invalidExecutionResult = new TestResult(null, rawApi.getOriginalMessage(), Collections.singletonList(TestError.INVALID_EXECUTION_BLOCK.getMessage()), 0, false, TestResult.Confidence.HIGH, null); + if (node.getChildNodes().size() < 2) { loggerMaker.errorAndAddToDb("executor child nodes is less than 2, returning empty execution result " + logId, LogDb.TESTING); - result.add(new TestResult(null, rawApi.getOriginalMessage(), Collections.singletonList(TestError.INVALID_EXECUTION_BLOCK.getMessage()), 0, false, TestResult.Confidence.HIGH, null)); + result.add(invalidExecutionResult); return result; } ExecutorNode reqNodes = node.getChildNodes().get(1); @@ -42,7 +44,7 @@ public List execute(ExecutorNode node, RawApi rawApi, Map testingRunResults = TestingRunResultDao.instance.findAll( - Filters.eq(TestingRunResult.TEST_RUN_RESULT_SUMMARY_ID, summaryId) - ); - - if(testingRunResults == null){ - testingRunResults = new ArrayList<>(); - } - - Map totalCountIssues = TestExecutor.calculateCountIssues(testingRunResults); - - int totalApis = 0; - try { - totalApis = testingRun.getTestingEndpoints().returnApis().size(); - } catch (Exception e) { - totalApis = 0; - } - - Bson updates = Updates.combine( - Updates.set(TestingRunResultSummary.END_TIMESTAMP, Context.now()), - Updates.set(TestingRunResultSummary.STATE, State.COMPLETED), - Updates.set(TestingRunResultSummary.COUNT_ISSUES, totalCountIssues), - Updates.set(TestingRunResultSummary.TOTAL_APIS, totalApis), - Updates.set(TestingRunResultSummary.TEST_RESULTS_COUNT, testingRunResults.size()) - ); - - TestingRunResultSummariesDao.instance.updateOne( - Filters.eq(TestingRunResultSummary.ID, summaryId), updates); - } - } - loggerMaker.infoAndAddToDb("Tests completed in " + (Context.now() - start) + " seconds", LogDb.TESTING); }, "testing"); Thread.sleep(1000); 
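Review bot: `invalidExecutionResult` is now constructed unconditionally at the top of execute(), so every call allocates a TestResult and calls `rawApi.getOriginalMessage()` even on the common path where neither early return is taken. A private factory keeps the de-duplication without the eager cost, e.g. `private static TestResult invalidExecutionResult(RawApi rawApi) { return new TestResult(null, rawApi.getOriginalMessage(), Collections.singletonList(TestError.INVALID_EXECUTION_BLOCK.getMessage()), 0, false, TestResult.Confidence.HIGH, null); }` invoked at each return site. The execute() body continues past this hunk, and the Main.java hunk that follows on this line has lost its header on the page, so it is not reviewed here.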
diff --git a/apps/testing/src/main/java/com/akto/testing/TestExecutor.java b/apps/testing/src/main/java/com/akto/testing/TestExecutor.java index 11ff1838f0..85600d93d8 100644 --- a/apps/testing/src/main/java/com/akto/testing/TestExecutor.java +++ b/apps/testing/src/main/java/com/akto/testing/TestExecutor.java @@ -244,7 +244,18 @@ public void apiWiseInit(TestingRun testingRun, ObjectId summaryId) { loggerMaker.infoAndAddToDb("Finished adding issues", LogDb.TESTING); - Map totalCountIssues = calculateCountIssues(testingRunResults); + Map totalCountIssues = new HashMap<>(); + totalCountIssues.put("HIGH", 0); + totalCountIssues.put("MEDIUM", 0); + totalCountIssues.put("LOW", 0); + + for (TestingRunResult testingRunResult: testingRunResults) { + if (testingRunResult.isVulnerable()) { + String severity = getSeverityFromTestingRunResult(testingRunResult).toString(); + int initialCount = totalCountIssues.get(severity); + totalCountIssues.put(severity, initialCount + 1); + } + } TestingRunResultSummariesDao.instance.updateOne( Filters.eq("_id", summaryId), 
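Review bot: The inlined loop does `int initialCount = totalCountIssues.get(severity);`, which auto-unboxes and throws NullPointerException for any severity string other than the three keys seeded just above; the removed `calculateCountIssues` had the same shape, but inlining it is a good moment to make the count total. `totalCountIssues.merge(severity, 1, Integer::sum);` replaces the two lines and handles an unseeded key safely. The same pattern reappears in the Main.java hunk of the following commit and in `updateTestSummary` in TestExecutor.java two commits later. apiWiseInit starts before this hunk.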
@@ -269,26 +280,6 @@ public static Severity getSeverityFromTestingRunResult(TestingRunResult testingR return severity; } - public static Map calculateCountIssues(List testingRunResults){ - Map totalCountIssues = new HashMap<>(); - totalCountIssues.put("HIGH", 0); - totalCountIssues.put("MEDIUM", 0); - totalCountIssues.put("LOW", 0); - - if(testingRunResults == null){ - return totalCountIssues; - } - - for (TestingRunResult testingRunResult : testingRunResults) { - if (testingRunResult.isVulnerable()) { - String severity = getSeverityFromTestingRunResult(testingRunResult).toString(); - int initialCount = totalCountIssues.get(severity); - totalCountIssues.put(severity, initialCount + 1); - } - } - return totalCountIssues; - } - public static String findHost(ApiInfo.ApiInfoKey apiInfoKey, Map> sampleMessagesMap, SampleMessageStore sampleMessageStore) throws URISyntaxException { List sampleMessages = sampleMessagesMap.get(apiInfoKey); if (sampleMessages == null || sampleMessagesMap.isEmpty()) return null; From af277f7d55ee154599a6237551aded54dbd93c8c Mon Sep 17 00:00:00 2001 From: notshivansh Date: Fri, 27 Oct 2023 00:38:52 +0530 Subject: [PATCH 23/27] remove filling testing results array an d extract summary update outside --- .../src/main/java/com/akto/testing/Main.java | 60 ++++++++++++++++++- .../java/com/akto/testing/TestExecutor.java | 39 ++---------- .../akto/dao/testing/TestingRunResultDao.java | 15 +++-- 3 files changed, 73 insertions(+), 41 deletions(-) diff --git a/apps/testing/src/main/java/com/akto/testing/Main.java b/apps/testing/src/main/java/com/akto/testing/Main.java index e1f58381b4..e0663c2ce4 100644 --- a/apps/testing/src/main/java/com/akto/testing/Main.java +++ b/apps/testing/src/main/java/com/akto/testing/Main.java 
@@ -11,6 +11,7 @@ import com.akto.dto.Account; import com.akto.dto.AccountSettings; import com.akto.dto.testing.TestingRun; +import com.akto.dto.testing.TestingRun.State; import com.akto.dto.testing.TestingRunConfig; import com.akto.dto.testing.TestingRunResult; import com.akto.dto.testing.TestingRunResultSummary; @@ -25,6 +26,7 @@ import com.akto.util.EmailAccountName; import com.mongodb.ConnectionString; import com.mongodb.client.model.Filters; +import com.mongodb.client.model.Projections; import com.mongodb.client.model.Updates; import org.bson.conversions.Bson; import org.bson.types.ObjectId; @@ -140,6 +142,7 @@ public static void main(String[] args) throws InterruptedException { } + ObjectId summaryId = null; try { long timestamp = testingRun.getId().getTimestamp(); long seconds = Context.now() - timestamp; @@ -173,7 +176,7 @@ public static void main(String[] args) throws InterruptedException { TestingRunResultSummariesDao.instance.updateOne(Filters.eq(TestingRunResultSummary.ID, testingRunResultSummary.getId()), Updates.set(TestingRunResultSummary.STATE, TestingRun.State.FAILED)); } } - ObjectId summaryId = createTRRSummaryIfAbsent(testingRun, start); + summaryId = createTRRSummaryIfAbsent(testingRun, start); TestExecutor testExecutor = new TestExecutor(); testExecutor.init(testingRun, summaryId); raiseMixpanelEvent(summaryId, testingRun); 
@@ -197,6 +200,61 @@ public static void main(String[] args) throws InterruptedException { Filters.eq("_id", testingRun.getId()), completedUpdate ); + if(summaryId != null && testingRun.getTestIdConfig() != 1){ + + long testingRunResultsCount = TestingRunResultDao.instance.count(Filters.eq(TestingRunResult.TEST_RUN_RESULT_SUMMARY_ID, summaryId)); + + TestingRunResultSummariesDao.instance.updateOne( + Filters.eq("_id", summaryId), + Updates.set(TestingRunResultSummary.TEST_RESULTS_COUNT, testingRunResultsCount)); + + loggerMaker.infoAndAddToDb("Finished adding issues", LogDb.TESTING); + + Map totalCountIssues = new HashMap<>(); + totalCountIssues.put("HIGH", 0); + totalCountIssues.put("MEDIUM", 0); + totalCountIssues.put("LOW", 0); + + int skip = 0; + int limit = 1000; + boolean fetchMore = false; + do { + fetchMore = false; + List testingRunResults = TestingRunResultDao.instance + .fetchLatestTestingRunResult( + Filters.and( + Filters.eq(TestingRunResult.TEST_RUN_RESULT_SUMMARY_ID, summaryId), + Filters.eq(TestingRunResult.VULNERABLE, true)), + limit, + skip, + Projections.include( + TestingRunResult.TEST_RESULTS)); + + loggerMaker.infoAndAddToDb("Reading " + testingRunResults.size() + " vulnerable testingRunResults", LogDb.TESTING); + + for (TestingRunResult testingRunResult : testingRunResults) { + String severity = TestExecutor.getSeverityFromTestingRunResult(testingRunResult).toString(); + int initialCount = totalCountIssues.get(severity); + totalCountIssues.put(severity, initialCount + 1); + } + + if (testingRunResults.size() == limit) { + skip += limit; + fetchMore = true; + } + + } while (fetchMore); + + TestingRunResultSummariesDao.instance.getMCollection().findOneAndUpdate( + Filters.eq("_id", summaryId), + Updates.combine( + Updates.set(TestingRunResultSummary.END_TIMESTAMP, Context.now()), + Updates.set(TestingRunResultSummary.STATE, State.COMPLETED), + Updates.set(TestingRunResultSummary.COUNT_ISSUES, totalCountIssues))); + + 
loggerMaker.infoAndAddToDb("Finished updating TestingRunResultSummariesDao", LogDb.TESTING); + } + loggerMaker.infoAndAddToDb("Tests completed in " + (Context.now() - start) + " seconds", LogDb.TESTING); }, "testing"); Thread.sleep(1000); diff --git a/apps/testing/src/main/java/com/akto/testing/TestExecutor.java b/apps/testing/src/main/java/com/akto/testing/TestExecutor.java index ff46f2e9e1..02a115e4e7 100644 --- a/apps/testing/src/main/java/com/akto/testing/TestExecutor.java +++ b/apps/testing/src/main/java/com/akto/testing/TestExecutor.java 
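Review bot: The new block runs whenever `summaryId != null && testingRun.getTestIdConfig() != 1`, and summaryId is assigned before `testExecutor.init(...)` in the earlier hunk of this file, so if init throws once the summary exists, the catch (outside this hunk) would have to clear summaryId or the summary is still stamped State.COMPLETED with an END_TIMESTAMP here; that path is worth confirming. The literal `1` in `getTestIdConfig() != 1` carries meaning that is not visible at the call site; a named constant or a one-line comment stating which run type it excludes would help the next reader. The enclosing main() and its try/catch begin before this hunk.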
@@ -222,51 +222,20 @@ public void apiWiseInit(TestingRun testingRun, ObjectId summaryId) { loggerMaker.infoAndAddToDb("Finished testing", LogDb.TESTING); - List testingRunResults = new ArrayList<>(); + int totalResults = 0; for (Future> future: futureTestingRunResults) { if (!future.isDone()) continue; try { if (!future.get().isEmpty()) { - testingRunResults.addAll(future.get()); + int resultSize = future.get().size(); + totalResults += resultSize; } } catch (InterruptedException | ExecutionException e) { loggerMaker.errorAndAddToDb("Error while after running test : " + e, LogDb.TESTING); } } - loggerMaker.infoAndAddToDb("Finished adding " + testingRunResults.size() + " testingRunResults", LogDb.TESTING); - - TestingRunResultSummariesDao.instance.updateOne( - Filters.eq("_id", summaryId), - Updates.set(TestingRunResultSummary.TEST_RESULTS_COUNT, testingRunResults.size()) - ); - - loggerMaker.infoAndAddToDb("Finished adding issues", LogDb.TESTING); - - Map totalCountIssues = new HashMap<>(); - totalCountIssues.put("HIGH", 0); - totalCountIssues.put("MEDIUM", 0); - totalCountIssues.put("LOW", 0); - - for (TestingRunResult testingRunResult: testingRunResults) { - if (testingRunResult.isVulnerable()) { - String severity = getSeverityFromTestingRunResult(testingRunResult).toString(); - int initialCount = totalCountIssues.get(severity); - totalCountIssues.put(severity, initialCount + 1); - } - } - - TestingRunResultSummariesDao.instance.updateOne( - Filters.eq("_id", summaryId), - Updates.combine( - Updates.set(TestingRunResultSummary.END_TIMESTAMP, Context.now()), - Updates.set(TestingRunResultSummary.STATE, State.COMPLETED), - Updates.set(TestingRunResultSummary.COUNT_ISSUES, totalCountIssues) - ) - ); - - loggerMaker.infoAndAddToDb("Finished updating TestingRunResultSummariesDao", LogDb.TESTING); - + loggerMaker.infoAndAddToDb("Finished adding " + totalResults + " testingRunResults", LogDb.TESTING); } public static Severity 
getSeverityFromTestingRunResult(TestingRunResult testingRunResult){ diff --git a/libs/dao/src/main/java/com/akto/dao/testing/TestingRunResultDao.java b/libs/dao/src/main/java/com/akto/dao/testing/TestingRunResultDao.java index 26e83157e5..65990ecf12 100644 --- a/libs/dao/src/main/java/com/akto/dao/testing/TestingRunResultDao.java +++ b/libs/dao/src/main/java/com/akto/dao/testing/TestingRunResultDao.java @@ -47,9 +47,7 @@ public List fetchLatestTestingRunResult(Bson filters) { } public List fetchLatestTestingRunResult(Bson filters, int limit) { - MongoCursor cursor = instance.getMCollection().find(filters) - .projection( - Projections.include( + Bson projections = Projections.include( TestingRunResult.TEST_RUN_ID, TestingRunResult.API_INFO_KEY, TestingRunResult.TEST_SUPER_TYPE, @@ -59,9 +57,16 @@ public List fetchLatestTestingRunResult(Bson filters, int limi TestingRunResult.START_TIMESTAMP, TestingRunResult.END_TIMESTAMP, TestingRunResult.TEST_RUN_RESULT_SUMMARY_ID - ) - ) + ); + + return fetchLatestTestingRunResult(filters, limit, 0, projections); + } + + public List fetchLatestTestingRunResult(Bson filters, int limit, int skip, Bson projections) { + MongoCursor cursor = instance.getMCollection().find(filters) + .projection(projections) .sort(Sorts.descending("_id")) + .skip(skip) .limit(limit) .cursor(); List testingRunResults = new ArrayList<>(); From 3ad9be97d564d1f53a71670881296380000caa47 Mon Sep 17 00:00:00 2001 From: notshivansh Date: Fri, 27 Oct 2023 12:09:10 +0530 Subject: [PATCH 24/27] refractor --- .../src/main/java/com/akto/testing/Main.java | 53 +---------------- .../java/com/akto/testing/TestExecutor.java | 59 +++++++++++++++++++ 2 files changed, 60 insertions(+), 52 deletions(-) diff --git a/apps/testing/src/main/java/com/akto/testing/Main.java b/apps/testing/src/main/java/com/akto/testing/Main.java index e0663c2ce4..45386d20c7 100644 --- a/apps/testing/src/main/java/com/akto/testing/Main.java 
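Review bot: With the accumulation replaced by a counter, the `if (!future.get().isEmpty())` guard no longer does anything useful and `future.get()` is still called twice per future; `totalResults += future.get().size();` as the only statement in the try expresses the intent and calls get() once. Futures that are not done are still skipped silently by `continue`, which now also means they are excluded from the logged total, so a debug log there would make a short count explainable. The summary finalisation this hunk removes is not re-added in this file, so runs that Main.java's new guard does not cover (testIdConfig of 1) no longer get the summary marked COMPLETED here unless another path does so, which is worth confirming. apiWiseInit starts before this hunk.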
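Review bot: The new public overload `fetchLatestTestingRunResult(Bson filters, int limit, int skip, Bson projections)` has no Javadoc, and its contract matters to the pagination loop that now calls it: rows are sorted descending by `_id` and paged with skip, so inserts into the collection between pages can shift rows and cause one to be repeated or missed. A short Javadoc stating the sort order, that `skip` and `limit` are applied after sorting, and that callers paging through a run's results should do so only once those results are fully written would capture that. The method body continues beyond this hunk, so whether the cursor is closed is not visible here.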
+++ b/apps/testing/src/main/java/com/akto/testing/Main.java 
@@ -201,58 +201,7 @@ public static void main(String[] args) throws InterruptedException { ); if(summaryId != null && testingRun.getTestIdConfig() != 1){ - - long testingRunResultsCount = TestingRunResultDao.instance.count(Filters.eq(TestingRunResult.TEST_RUN_RESULT_SUMMARY_ID, summaryId)); - - TestingRunResultSummariesDao.instance.updateOne( - Filters.eq("_id", summaryId), - Updates.set(TestingRunResultSummary.TEST_RESULTS_COUNT, testingRunResultsCount)); - - loggerMaker.infoAndAddToDb("Finished adding issues", LogDb.TESTING); - - Map totalCountIssues = new HashMap<>(); - totalCountIssues.put("HIGH", 0); - totalCountIssues.put("MEDIUM", 0); - totalCountIssues.put("LOW", 0); - - int skip = 0; - int limit = 1000; - boolean fetchMore = false; - do { - fetchMore = false; - List testingRunResults = TestingRunResultDao.instance - .fetchLatestTestingRunResult( - Filters.and( - Filters.eq(TestingRunResult.TEST_RUN_RESULT_SUMMARY_ID, summaryId), - Filters.eq(TestingRunResult.VULNERABLE, true)), - limit, - skip, - Projections.include( - TestingRunResult.TEST_RESULTS)); - - loggerMaker.infoAndAddToDb("Reading " + testingRunResults.size() + " vulnerable testingRunResults", LogDb.TESTING); - - for (TestingRunResult testingRunResult : testingRunResults) { - String severity = TestExecutor.getSeverityFromTestingRunResult(testingRunResult).toString(); - int initialCount = totalCountIssues.get(severity); - totalCountIssues.put(severity, initialCount + 1); - } - - if (testingRunResults.size() == limit) { - skip += limit; - fetchMore = true; - } - - } while (fetchMore); - - TestingRunResultSummariesDao.instance.getMCollection().findOneAndUpdate( - Filters.eq("_id", summaryId), - Updates.combine( - Updates.set(TestingRunResultSummary.END_TIMESTAMP, Context.now()), - Updates.set(TestingRunResultSummary.STATE, State.COMPLETED), - Updates.set(TestingRunResultSummary.COUNT_ISSUES, totalCountIssues))); - - loggerMaker.infoAndAddToDb("Finished updating TestingRunResultSummariesDao", 
LogDb.TESTING); + TestExecutor.updateTestSummary(summaryId); } loggerMaker.infoAndAddToDb("Tests completed in " + (Context.now() - start) + " seconds", LogDb.TESTING); diff --git a/apps/testing/src/main/java/com/akto/testing/TestExecutor.java b/apps/testing/src/main/java/com/akto/testing/TestExecutor.java index 02a115e4e7..d074a1e8f9 100644 --- a/apps/testing/src/main/java/com/akto/testing/TestExecutor.java +++ b/apps/testing/src/main/java/com/akto/testing/TestExecutor.java @@ -28,6 +28,7 @@ import com.akto.store.TestingUtil; import com.akto.testing.yaml_tests.YamlTestTemplate; import com.akto.testing_issues.TestingIssuesHandler; +import com.akto.util.Constants; import com.akto.util.JSONUtils; import com.akto.util.enums.GlobalEnums.Severity; import com.akto.util.enums.LoginFlowEnums; @@ -35,6 +36,7 @@ import com.google.gson.Gson; import com.mongodb.BasicDBObject; import com.mongodb.client.model.Filters; +import com.mongodb.client.model.Projections; import com.mongodb.client.model.Updates; import org.bson.types.ObjectId; import org.json.JSONObject; 
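Review bot: This hunk removes the uses of `Projections`, `State`, `HashMap` and `Map` in Main.java that the previous commit introduced, but the diffstat shows no import lines touched, so `import com.akto.dto.testing.TestingRun.State;` and `import com.mongodb.client.model.Projections;` added in that commit are likely now unused in this file (unless referenced elsewhere in Main, which is not visible here). Dropping them keeps the file free of unused-import warnings. main() continues before and after this hunk.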
@@ -238,6 +240,63 @@ public void apiWiseInit(TestingRun testingRun, ObjectId summaryId) { loggerMaker.infoAndAddToDb("Finished adding " + totalResults + " testingRunResults", LogDb.TESTING); } + public static void updateTestSummary(ObjectId summaryId){ + + long testingRunResultsCount = TestingRunResultDao.instance + .count(Filters.eq(TestingRunResult.TEST_RUN_RESULT_SUMMARY_ID, summaryId)); + + TestingRunResultSummariesDao.instance.updateOne( + Filters.eq(Constants.ID, summaryId), + Updates.set(TestingRunResultSummary.TEST_RESULTS_COUNT, testingRunResultsCount)); + + loggerMaker.infoAndAddToDb("Finished updating results count", LogDb.TESTING); + + Map totalCountIssues = new HashMap<>(); + totalCountIssues.put(Severity.HIGH.toString(), 0); + totalCountIssues.put(Severity.MEDIUM.toString(), 0); + totalCountIssues.put(Severity.LOW.toString(), 0); + + int skip = 0; + int limit = 1000; + boolean fetchMore = false; + do { + fetchMore = false; + List testingRunResults = TestingRunResultDao.instance + .fetchLatestTestingRunResult( + Filters.and( + Filters.eq(TestingRunResult.TEST_RUN_RESULT_SUMMARY_ID, summaryId), + Filters.eq(TestingRunResult.VULNERABLE, true)), + limit, + skip, + Projections.include( + TestingRunResult.TEST_RESULTS)); + + loggerMaker.infoAndAddToDb("Reading " + testingRunResults.size() + " vulnerable testingRunResults", + LogDb.TESTING); + + for (TestingRunResult testingRunResult : testingRunResults) { + String severity = getSeverityFromTestingRunResult(testingRunResult).toString(); + int initialCount = totalCountIssues.get(severity); + totalCountIssues.put(severity, initialCount + 1); + } + + if (testingRunResults.size() == limit) { + skip += limit; + fetchMore = true; + } + + } while (fetchMore); + + TestingRunResultSummariesDao.instance.getMCollection().findOneAndUpdate( + Filters.eq(Constants.ID, summaryId), + Updates.combine( + Updates.set(TestingRunResultSummary.END_TIMESTAMP, Context.now()), + Updates.set(TestingRunResultSummary.STATE, 
State.COMPLETED), + Updates.set(TestingRunResultSummary.COUNT_ISSUES, totalCountIssues))); + + loggerMaker.infoAndAddToDb("Finished updating TestingRunResultSummariesDao", LogDb.TESTING); + } + public static Severity getSeverityFromTestingRunResult(TestingRunResult testingRunResult){ Severity severity = Severity.HIGH; try { From bdaa0d6acd2390539f3011d5a71d35034558fcda Mon Sep 17 00:00:00 2001 From: notshivansh Date: Fri, 27 Oct 2023 12:12:23 +0530 Subject: [PATCH 25/27] fix update --- apps/testing/src/main/java/com/akto/testing/TestExecutor.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/testing/src/main/java/com/akto/testing/TestExecutor.java b/apps/testing/src/main/java/com/akto/testing/TestExecutor.java index d074a1e8f9..ca7c57a117 100644 --- a/apps/testing/src/main/java/com/akto/testing/TestExecutor.java +++ b/apps/testing/src/main/java/com/akto/testing/TestExecutor.java @@ -245,7 +245,7 @@ public static void updateTestSummary(ObjectId summaryId){ long testingRunResultsCount = TestingRunResultDao.instance .count(Filters.eq(TestingRunResult.TEST_RUN_RESULT_SUMMARY_ID, summaryId)); - TestingRunResultSummariesDao.instance.updateOne( + TestingRunResultSummariesDao.instance.getMCollection().findOneAndUpdate( Filters.eq(Constants.ID, summaryId), Updates.set(TestingRunResultSummary.TEST_RESULTS_COUNT, testingRunResultsCount)); From d15365c525bd34c0811ffe37841a8df9e0a7e3c8 Mon Sep 17 00:00:00 2001 From: Ark2307 Date: Sat, 28 Oct 2023 11:29:04 +0530 Subject: [PATCH 26/27] added badge in test editor for total count of categories --- .../components/TestEditorFileExplorer.jsx | 26 ++++++++++++++----- 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/components/TestEditorFileExplorer.jsx b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/components/TestEditorFileExplorer.jsx index 6b05767edf..01630a57ee 100644 
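Review bot: `updateTestSummary` is a new public static method with four persistent side effects (it writes TEST_RESULTS_COUNT, COUNT_ISSUES and END_TIMESTAMP and sets STATE to COMPLETED) and no Javadoc stating that it must run only after every result for the summary has been persisted, since both counts are read back from the collection. A Javadoc of the form `/** Recomputes the result count and per-severity issue counts for a summary from persisted TestingRunResults and marks it COMPLETED; call only after all results for {@code summaryId} are written. */` plus a `@param summaryId` line would capture that. `fetchMore` is initialised to false and then reset to false at the top of every iteration; `boolean fetchMore;` with the assignment inside the loop is enough. The null-safe `merge` suggested on the earlier inlined loop applies to the severity loop here as well.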
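Review bot: Switching the results-count write to `getMCollection().findOneAndUpdate(...)` discards the returned document, which is the one thing findOneAndUpdate offers over updateOne: it returns the matched summary, or null when nothing matched `Constants.ID`. Either check that return for null and report it through `loggerMaker.errorAndAddToDb`, or, if the DAO's `updateOne` was avoided for a reason not visible here, add a one-line comment saying why so the next reader does not switch it back. updateTestSummary continues outside this hunk.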
--- a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/components/TestEditorFileExplorer.jsx +++ b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/components/TestEditorFileExplorer.jsx @@ -1,7 +1,7 @@ import { useEffect, useState } from "react" import { useNavigate } from "react-router-dom" -import { Box, Button, HorizontalStack, Icon, Navigation, Text, TextField, Tooltip, VerticalStack } from "@shopify/polaris" +import { Badge, Box, Button, HorizontalStack, Icon, Navigation, Text, TextField, Tooltip, VerticalStack } from "@shopify/polaris" import {ChevronDownMinor, ChevronRightMinor, SearchMinor, CirclePlusMinor} from "@shopify/polaris-icons" import TestEditorStore from "../testEditorStore" @@ -22,6 +22,7 @@ const TestEditorFileExplorer = ({addCustomTest}) => { const [searchText, setSearchText] = useState('') const [showCustom, setShowCustom] = useState(false) const [showAkto, setShowAkto] = useState(false) + const [count, setCount] = useState({"CUSTOM" : testObj.totalCustomTests, "Akto": testObj.totalAktoTests}) const navigate = useNavigate() @@ -83,6 +84,11 @@ const TestEditorFileExplorer = ({addCustomTest}) => { } } + setCount({ + Akto: aktoTotal, + CUSTOM: customTotal + }) + cloneObj.totalCustomTests = customTotal cloneObj.totalAktoTests = aktoTotal return cloneObj @@ -172,6 +178,9 @@ const TestEditorFileExplorer = ({addCustomTest}) => { Custom +
+ {count.CUSTOM.toString()} +
{/* addCustomTest(e)}> */} @@ -181,11 +190,16 @@ const TestEditorFileExplorer = ({addCustomTest}) => { {showAkto ? : null} From c19e2b469c83869b9884fff082c3ade83dc2caf1 Mon Sep 17 00:00:00 2001 From: Ark2307 Date: Sat, 28 Oct 2023 11:45:00 +0530 Subject: [PATCH 27/27] Fixed for case when custom test is added --- .../components/TestEditorFileExplorer.jsx | 19 ++++++------------- .../dashboard/pages/test_editor/transform.js | 5 ++++- 2 files changed, 10 insertions(+), 14 deletions(-) diff --git a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/components/TestEditorFileExplorer.jsx b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/components/TestEditorFileExplorer.jsx index 01630a57ee..a6a4c328cb 100644 --- a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/components/TestEditorFileExplorer.jsx +++ b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/components/TestEditorFileExplorer.jsx @@ -17,12 +17,11 @@ const TestEditorFileExplorer = ({addCustomTest}) => { const setSelectedTest = TestEditorStore(state => state.setSelectedTest) const [selectedCategory, setSelectedCategory] = useState('none') - const [customItems, setCustomItems] = useState([]) - const [aktoItems, setAktoItems] = useState([]) + const [customItems, setCustomItems] = useState({items: [] , count : 0}) + const [aktoItems, setAktoItems] = useState({items: [] , count : 0}) const [searchText, setSearchText] = useState('') const [showCustom, setShowCustom] = useState(false) const [showAkto, setShowAkto] = useState(false) - const [count, setCount] = useState({"CUSTOM" : testObj.totalCustomTests, "Akto": testObj.totalAktoTests}) const navigate = useNavigate() @@ -84,11 +83,6 @@ const TestEditorFileExplorer = ({addCustomTest}) => { } } - setCount({ - Akto: aktoTotal, - CUSTOM: customTotal - }) - cloneObj.totalCustomTests = customTotal cloneObj.totalAktoTests = aktoTotal return cloneObj 
@@ -154,7 +148,6 @@ const TestEditorFileExplorer = ({addCustomTest}) => { })) return arr } - return (
@@ -179,14 +172,14 @@ const TestEditorFileExplorer = ({addCustomTest}) => { Custom
- {count.CUSTOM.toString()} + {customItems.count.toString()}
{/* addCustomTest(e)}> */} - {showCustom ? : null} + {showCustom ? : null} - {showAkto ? : null} + {showAkto ? : null}
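Review bot: `customItems.count.toString()` (and the aktoItems counterpart on this line) throws a TypeError if `count` is ever undefined, and the transform.js hunk on the next line sets it from `testObj?.totalCustomTests` / `testObj?.totalAktoTests`, whose optional chaining signals that testObj may be absent. Defaulting in transform.js, `count = testObj?.totalCustomTests ?? 0;` and `count = testObj?.totalAktoTests ?? 0;`, keeps the badge rendering on that path. The component body continues outside this hunk.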
diff --git a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/transform.js b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/transform.js index 5fbae5f9a7..ae455bd2ed 100644 --- a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/transform.js +++ b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/transform.js @@ -57,6 +57,7 @@ const convertFunc = { getNavigationItems(testObj,param,selectedFunc){ let arr = [] + let count = 0; if(param === 'CUSTOM'){ for(const key in testObj?.customTests){ if(testObj.customTests.hasOwnProperty(key)){ @@ -86,6 +87,7 @@ const convertFunc = { } } } + count = testObj?.totalCustomTests; }else{ for(const key in testObj?.aktoTests){ if(testObj.aktoTests.hasOwnProperty(key)){ @@ -115,8 +117,9 @@ const convertFunc = { } } } + count = testObj?.totalAktoTests; } - return arr + return {items: arr, count: count} }, mapVulnerableRequests(vulnerableRequests){