Skip to content
/ verifier Public

Automatically generate evidence for issues

License

MIT license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

NorthwaveSecurity/verifier

BranchesTags

Repository files navigation

Verifier

Automatically verify issues

Setup

Local

Requirements

  • python 3.10 or higher

  • nmap

  • dig

  • curl

Instructions

Make sure that python 3.10 or higher is installed (this application uses functools.cache).

pip install -e ".[default]"

or install only the base system:

pip install -e .

Copy config.sample.ini to config.ini or ~/.config/verifier.ini and edit the values.

Docker

Copy config.sample.ini to config.ini and edit the values.

Build the docker container:

make docker

Then run the container:

docker run --rm -it verifier --help
docker run --rm -it verifier verify ...

Nmap support

Install nmap, e.g.:

brew install nmap

SSLyze support

pip install -e ".[sslyze]"

Dradis support

pip install -e ".[dradis]"

In the [dradis] section in ~/.config/verifier.ini edit the values. Note that evidence_saver is set to dradis by default. This means that if the -s flag is passed, evidences are saved to Dradis. The parameter -p <dradis_project_id> is then required to indicate the project in which to save the issue.

Reporter support

For use with [Reporter](https://github.com/JJK96/reporter), the config file can be edited to set evidence_saver = issue-library. In that case, evidences are saved to the current report using the reporter library. It is required that verifier is run from the report directory.

Usage

CLI

verifier --help
verifier verify -i all -t example.com
verifier verify -i dns-cache-snoop -t 8.8.8.8
verifier verify -l nl -i dns-cache-snoop -t 8.8.8.8
verifier verify -i all-missing-headers -t example.com
verifier verify -i cors -t example.com -c request-response.txt
verifier verify -i all-missing-headers -t example.com -c request-response.txt
verifier verify -i x-xss-protection x-frame-options -t https://example.com
verifier verify -i x-xss-protection -t https://example.com -s dradis -p <dradis_project_id>
verifier verify -i x-xss-protection -t https://example.com -s issue-library

Export

verifier verify -x output.json -i x-xss-protection -t https://example.com -s dradis -p <dradis_project_id>

Import

verifier import output.json
verifier import output.json -s dradis -p <dradis_project_id>

Content

For some issues a file with content can be provided or is required, for example for cors. This file has the following format:

[key]
value
value continued
value continued
[key1]
value1
value1 continued
value1 continued

Example:

[request]
GET / HTTP/1.1
[response]
HTTP 200 OK
...

The variables are read into a dictionary which is accessible to the issues as self.content.

If no key is provided, the content is available under the key content.

Extra arguments

Extra arguments passed to verifier are sometimes passed to subcommands, this behaviour is issue-dependent. For example, for curl, the following works to add authentication to a curl command:

verifier verify -i curl -t google.com --basic -u test:test
#[Description]#
The following curl command shows that TODO.

bc.. $ curl --basic -u test:test https://google.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>


p. TODO.

Environment variables

COOKIE: The content of the cookies header that should be sent with requests. VERIFIER_CONFIG: An additional config file to use. This can be used for overriding the global config on a project-specific basis

Start test

The start_test script tests a set of standard issues and imports them into a given dradis project

Usage:

start_test --help
start_test -s dradis example.com -p <dradis_project_id>
start_test -s dradis -l nl example.com -p <dradis_project_id>

Export

start_test -x output.json example.com

Importing can be done using verifier.py.

Module

from verifier import verify
evidence_text = verify(<issues>, <target>, *args, **kwargs)

Dradis curl

Do a web request and print it in dradis issue format.

dradis_curl -h

Dradis support

pip install -e ".[dradis]"

Copy config.sample.ini to config.ini or ~/.config/verifier.ini and edit the values

Currently none of the included issues have Dradis support. To add this, add a _standard_issue_id attribute to the issue class like the following:

class Issue:
    ...
    _standard_issue_id = {
        # Number of the issue in Dradis Issue Library add-on
        "en": 1,
        "nl": 2,
    }

Extending

To create a new issue create a new file in the issues directory, this file should have content like the following:

from .base import add_issue, Issue, Evidence

class NewIssue(Issue):
    # This template is later converted to language-specific using self.template
    _template = {
        "en": "English template ...",
        "nl": "Dutch template ...",
    }
    _standard_issue_id = {
        # Number of the issue in Dradis Issue Library add-on
        "en": 1,
        "nl": 2,
    }

    def verify(self, host):
        ...
        yield Evidence(self.template.format(...))

add_issue('new-issue', NewIssue)

Then in issues/init.py add a line like the following:

from . import new_issue

Testing

make tests

or manually:

python -m unittest discover tests

About

Automatically generate evidence for issues

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages