diff --git a/README.md b/README.md
index a5c05bd49..fa23e6619 100644
--- a/README.md
+++ b/README.md
@@ -659,12 +659,13 @@ convert netsparker2hdf
 Translate a Netsparker XML results file into a iteration only works with Netsparker Enterprise Vulnerabilities Scan.
 USAGE
- $ saf convert netsparker2hdf -i -o [-h]
+ $ saf convert netsparker2hdf -i -o [-h] [-w]
 FLAGS
 -h, --help Show CLI help.
 -i, --input= (required) Input Netsparker XML File
 -o, --output= (required) Output HDF JSON File
+ -w, --with-raw Include raw input file in HDF JSON file
 EXAMPLES
 $ saf convert netsparker2hdf -i netsparker_results.xml -o output-hdf-name.json
diff --git a/src/commands/convert/netsparker2hdf.ts b/src/commands/convert/netsparker2hdf.ts
index 57b76605b..bd7f7d17f 100644
--- a/src/commands/convert/netsparker2hdf.ts
+++ b/src/commands/convert/netsparker2hdf.ts
@@ -4,7 +4,7 @@ import {NetsparkerMapper as Mapper} from '@mitre/hdf-converters'
 import {checkInput, checkSuffix} from '../../utils/global'
 export default class Netsparker2HDF extends Command {
- static usage = 'convert netsparker2hdf -i -o [-h]'
+ static usage = 'convert netsparker2hdf -i -o [-h] [-w]'
 static description = 'Translate a Netsparker XML results file into a Heimdall Data Format JSON file\nThe current iteration only works with Netsparker Enterprise Vulnerabilities Scan.'
@@ -14,6 +14,7 @@ export default class Netsparker2HDF extends Command {
 help: Flags.help({char: 'h'}),
 input: Flags.string({char: 'i', required: true, description: 'Input Netsparker XML File'}),
 output: Flags.string({char: 'o', required: true, description: 'Output HDF JSON File'}),
+ 'with-raw': Flags.boolean({char: 'w', required: false, description: 'Include raw input file in HDF JSON file'}),
 }
 async run() {
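Review bot: The new `'with-raw'` flag is described only as "Include raw input file in HDF JSON file", but the sample output added in this same commit shows that the raw passthrough (`passthrough.raw`) carries the scanner's captured HTTP requests and responses, including Host headers, User-Agent strings and response bodies, so the description should tell the operator that the full scan report ends up embedded in the HDF file, e.g. `description: 'Include raw input file in HDF JSON file (embeds the full Netsparker report, including captured HTTP requests/responses, under passthrough.raw)'`; the same caveat applies to the `new Mapper(data, flags['with-raw'])` call in the @@ -21,9 hunk below. `required: false` is the default for `Flags.boolean` and is not written on the sibling `help` flag, so dropping it keeps the flag table consistent. Whether an omitted flag reaches Mapper as `undefined` or `false` depends on Mapper's signature, which is outside this diff.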
@@ -21,9 +22,9 @@ export default class Netsparker2HDF extends Command {
 // Check for correct input type
 const data = fs.readFileSync(flags.input, 'utf8')
- checkInput({data: data, filename: flags.input}, 'netsparker', 'Netsparker XML results file')
+ checkInput({data, filename: flags.input}, 'netsparker', 'Netsparker XML results file')
- const converter = new Mapper(data)
+ const converter = new Mapper(data, flags['with-raw'])
 fs.writeFileSync(checkSuffix(flags.output), JSON.stringify(converter.toHdf()))
 }
 }
diff --git a/test/commands/convert/netsparker2hdf.test.ts b/test/commands/convert/netsparker2hdf.test.ts
new file mode 100644
index 000000000..202b3fd7b
--- /dev/null
+++ b/test/commands/convert/netsparker2hdf.test.ts
@@ -0,0 +1,31 @@
+import {expect, test} from '@oclif/test'
+import tmp from 'tmp'
+import path from 'path'
+import fs from 'fs'
+import {omitHDFChangingFields} from '../utils'
+
+describe('Test Netsparker', () => {
+ const tmpobj = tmp.dirSync({unsafeCleanup: true})
+
+ test
+ .stdout()
+ .command(['convert netsparker2hdf', '-i', path.resolve('./test/sample_data/netsparker/sample_input_report/sample-netsparker-invicti.xml'), '-o', `${tmpobj.name}/netsparkertest.json`])
+ .it('hdf-converter output test', () => {
+ const test = JSON.parse(fs.readFileSync(`${tmpobj.name}/netsparkertest.json`, 'utf8'))
+ const sample = JSON.parse(fs.readFileSync(path.resolve('./test/sample_data/netsparker/netsparker-hdf.json'), 'utf8'))
+ expect(omitHDFChangingFields(test)).to.eql(omitHDFChangingFields(sample))
+ })
+})
+
+describe('Test Netsparker using withraw flag', () => {
+ const tmpobj = tmp.dirSync({unsafeCleanup: true})
+
+ test
+ .stdout()
+ .command(['convert netsparker2hdf', '-i', path.resolve('./test/sample_data/netsparker/sample_input_report/sample-netsparker-invicti.xml'), '-o', `${tmpobj.name}/netsparkertest.json`, '-w'])
+ .it('hdf-converter withraw output test', () => {
+ const test = JSON.parse(fs.readFileSync(`${tmpobj.name}/netsparkertest.json`, 'utf8'))
+ const sample = JSON.parse(fs.readFileSync(path.resolve('./test/sample_data/netsparker/netsparker-hdf-withraw.json'), 'utf8'))
+ expect(omitHDFChangingFields(test)).to.eql(omitHDFChangingFields(sample))
+ })
+})
diff --git a/test/sample_data/netsparker/netsparker-hdf-withraw.json b/test/sample_data/netsparker/netsparker-hdf-withraw.json
new file mode 100644
index 000000000..668dd3241
--- /dev/null
+++ b/test/sample_data/netsparker/netsparker-hdf-withraw.json
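Review bot: Inside both `.it(...)` callbacks `const test = JSON.parse(...)` shadows the `test` helper imported from '@oclif/test' on the first line of the file, which is confusing in a file whose fluent chain starts with `test`; rename the local to `converted` (or `actual`) in both callbacks and in the matching `expect(omitHDFChangingFields(converted)).to.eql(omitHDFChangingFields(sample))` line. The `tmp.dirSync({unsafeCleanup: true})` directories are never removed here (no `tmpobj.removeCallback()` and no `tmp.setGracefulCleanup()` in this file), so the `-w` output, which embeds the full scan report with its captured HTTP traffic, is left on disk after the run unless cleanup is configured elsewhere in the suite. The two describe blocks differ only in the `-w` argument and the expected fixture path; a small helper taking the extra args and fixture name would keep them from drifting apart.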
@@ -0,0 +1,327 @@ +{ + "platform": { + "name": "Heimdall Tools", + "release": "2.6.58", + "target_id": "https://foo.bar/" + }, + "version": "2.6.58", + "statistics": {}, + "profiles": [ + { + "name": "Invicti Enterprise Scan", + "title": "Invicti Enterprise Scan ID: 1eb9f18bfec849d2e438afb704b6a011 URL: https://foo.bar/", + "summary": "Invicti Enterprise Scan", + "supports": [], + "attributes": [], + "groups": [], + "status": "loaded", + "controls": [ + { + "tags": { + "cci": [ + "CCI-002450", + "CCI-000366" + ], + "nist": [ + "SC-13", + "CM-6" + ] + }, + "refs": [], + "source_location": {}, + "title": "Weak Ciphers Enabled", + "id": "e8b418ae-a532-4b43-5d9b-af9b04bbbca3", + "desc": "

Invicti Enterprise detected that weak ciphers are enabled during secure communication (SSL).

\n

You should allow only strong ciphers on your web server to protect secure communication with your visitors. 


Extra-information: {\"info\"=>{\"name\"=>\"List of Supported Weak Ciphers\",\"value\"=>\"TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003C), TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003D), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xC027), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xC028), TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009C), TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009D)\"}}
Classification: {\"owasp\"=>\"A6\",\"wasc\"=>\"4\",\"cwe\"=>\"327\",\"capec\"=>\"217\",\"pci32\"=>\"6.5.4\",\"hipaa\"=>\"\",\"owasppc\"=>\"\",\"iso27001\"=>\"A.14.1.3\",\"cvss\"=>{\"vector\"=>\"CVSS=>3.0/AV=>A/AC=>H/PR=>N/UI=>N/S=>U/C=>H/I=>H/A=>N\",\"score\"=>[{\"type\"=>\"Base\",\"value\"=>\"6.8\",\"severity\"=>\"Medium\"},{\"type\"=>\"Temporal\",\"value\"=>\"6.8\",\"severity\"=>\"Medium\"},{\"type\"=>\"Environmental\",\"value\"=>\"6.8\",\"severity\"=>\"Medium\"}]},\"cvss31\"=>{\"vector\"=>\"CVSS=>3.1/AV=>A/AC=>H/PR=>N/UI=>N/S=>U/C=>H/I=>H/A=>N\",\"score\"=>[{\"type\"=>\"Base\",\"value\"=>\"6.8\",\"severity\"=>\"Medium\"},{\"type\"=>\"Temporal\",\"value\"=>\"6.8\",\"severity\"=>\"Medium\"},{\"type\"=>\"Environmental\",\"value\"=>\"6.8\",\"severity\"=>\"Medium\"}]}}
Impact:
Attackers might decrypt SSL traffic between your server and your visitors.

FirstSeenDate: 02/20/2023 05:03 PM
LastSeenDate: 05/05/2023 05:07 PM
Certainty: 100
Type: WeakCiphersDetected
Confirmed: True", + "descriptions": [ + { + "data": "", + "label": "check" + }, + { + "data": "Remedial-actions:
\n
    \n
  1. For Apache, you should modify the SSLCipherSuite directive in the httpd.conf.\n
    SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
    \n
  2. \n
  3. Lighttpd:\n
    ssl.honor-cipher-order = \"enable\"\nssl.cipher-list = \"EECDH+AESGCM:EDH+AESGCM\"
    \n
  4. \n
  5. For Microsoft IIS, you should make some changes to the system registry. Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on your computer.

    a. Click Start, click Run, type regedt32 or type regedit, and then click OK.
    b. In Registry Editor, locate the following registry key: HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders
    c. Set \"Enabled\" DWORD to \"0x0\" for the following registry keys:
    \n
    SCHANNEL\\Ciphers\\DES 56/56
    SCHANNEL\\Ciphers\\RC4 64/128
    SCHANNEL\\Ciphers\\RC4 40/128
    SCHANNEL\\Ciphers\\RC2 56/128
    SCHANNEL\\Ciphers\\RC2 40/128
    SCHANNEL\\Ciphers\\NULL
    SCHANNEL\\Hashes\\MD5
    \n
  6. \n
\n

Remedial-procedure:
Configure your web server to disallow using weak ciphers.
", + "label": "fix" + } + ], + "impact": 0.5, + "code": "{\n \"LookupId\": \"e8b418ae-a532-4b43-5d9b-af9b04bbbca3\",\n \"url\": \"https://foo.bar/\",\n \"type\": \"WeakCiphersDetected\",\n \"name\": \"Weak Ciphers Enabled\",\n \"severity\": \"Medium\",\n \"certainty\": \"100\",\n \"confirmed\": \"True\",\n \"state\": \"Present\",\n \"FirstSeenDate\": \"02/20/2023 05:03 PM\",\n \"LastSeenDate\": \"05/05/2023 05:07 PM\",\n \"classification\": {\n \"owasp\": \"A6\",\n \"wasc\": \"4\",\n \"cwe\": \"327\",\n \"capec\": \"217\",\n \"pci32\": \"6.5.4\",\n \"hipaa\": \"\",\n \"owasppc\": \"\",\n \"iso27001\": \"A.14.1.3\",\n \"cvss\": {\n \"vector\": \"CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N\",\n \"score\": [\n {\n \"type\": \"Base\",\n \"value\": \"6.8\",\n \"severity\": \"Medium\"\n },\n {\n \"type\": \"Temporal\",\n \"value\": \"6.8\",\n \"severity\": \"Medium\"\n },\n {\n \"type\": \"Environmental\",\n \"value\": \"6.8\",\n \"severity\": \"Medium\"\n }\n ]\n },\n \"cvss31\": {\n \"vector\": \"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N\",\n \"score\": [\n {\n \"type\": \"Base\",\n \"value\": \"6.8\",\n \"severity\": \"Medium\"\n },\n {\n \"type\": \"Temporal\",\n \"value\": \"6.8\",\n \"severity\": \"Medium\"\n },\n {\n \"type\": \"Environmental\",\n \"value\": \"6.8\",\n \"severity\": \"Medium\"\n }\n ]\n }\n },\n \"http-request\": {\n \"method\": \"GET\",\n \"content\": \"[SSL Connection]\"\n },\n \"http-response\": {\n \"status-code\": \"200\",\n \"duration\": \"1\",\n \"content\": \"[SSL Connection]\"\n },\n \"extra-information\": {\n \"info\": {\n \"name\": \"List of Supported Weak Ciphers\",\n \"value\": \"TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003C), TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003D), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xC027), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xC028), TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009C), TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009D)\"\n }\n },\n \"description\": \"

Invicti Enterprise detected that weak ciphers are enabled during secure communication (SSL).

\\n

You should allow only strong ciphers on your web server to protect secure communication with your visitors. 

\",\n \"impact\": \"
Attackers might decrypt SSL traffic between your server and your visitors.
\",\n \"remedial-actions\": \"
\\n
    \\n
  1. For Apache, you should modify the SSLCipherSuite directive in the httpd.conf.\\n
    SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
    \\n
  2. \\n
  3. Lighttpd:\\n
    ssl.honor-cipher-order = \\\"enable\\\"\\nssl.cipher-list = \\\"EECDH+AESGCM:EDH+AESGCM\\\"
    \\n
  4. \\n
  5. For Microsoft IIS, you should make some changes to the system registry. Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on your computer.

    a. Click Start, click Run, type regedt32 or type regedit, and then click OK.
    b. In Registry Editor, locate the following registry key: HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SecurityProviders
    c. Set \\\"Enabled\\\" DWORD to \\\"0x0\\\" for the following registry keys:
    \\n
    SCHANNEL\\\\Ciphers\\\\DES 56/56
    SCHANNEL\\\\Ciphers\\\\RC4 64/128
    SCHANNEL\\\\Ciphers\\\\RC4 40/128
    SCHANNEL\\\\Ciphers\\\\RC2 56/128
    SCHANNEL\\\\Ciphers\\\\RC2 40/128
    SCHANNEL\\\\Ciphers\\\\NULL
    SCHANNEL\\\\Hashes\\\\MD5
    \\n
  6. \\n
\\n
\",\n \"exploitation-skills\": \"\",\n \"remedial-procedure\": \"
Configure your web server to disallow using weak ciphers.
\",\n \"remedy-references\": \"\",\n \"external-references\": \"\",\n \"proof-of-concept\": \"\",\n \"tags\": \"\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "http-request : [SSL Connection]\nmethod : GET", + "message": "http-response : [SSL Connection]\nduration : 1\nstatus-code : 200", + "start_time": "05/05/2023 04:57 PM" + } + ] + }, + { + "tags": { + "cci": [ + "CCI-000213" + ], + "nist": [ + "AC-3" + ] + }, + "refs": [], + "source_location": {}, + "title": "HTTP Strict Transport Security (HSTS) Errors and Warnings", + "id": "9c3a51bf-6c1f-47c9-4646-afb704bb8fb0", + "desc": "

Invicti Enterprise detected errors during parsing of Strict-Transport-Security header.

\n\n\n\n\n\n\n\n\n
ErrorResolution
preload directive not presentSubmit domain for inclusion in browsers' HTTP Strict Transport Security (HSTS) preload list.
\n
Classification: {\"owasp\"=>\"A5\",\"wasc\"=>\"15\",\"cwe\"=>\"16\",\"capec\"=>\"\",\"pci32\"=>\"\",\"hipaa\"=>\"\",\"owasppc\"=>\"\",\"iso27001\"=>\"A.14.1.2\"}
Impact:

The HSTS Warning and Error may allow attackers to bypass HSTS, effectively allowing them to read and modify your communication with the website. 


FirstSeenDate: 05/05/2023 05:03 PM
LastSeenDate: 05/05/2023 05:03 PM
Certainty: 95
Type: HstsErrors
Confirmed: False", + "descriptions": [ + { + "data": "", + "label": "check" + }, + { + "data": "Remedial-procedure:

Ideally, after fixing the errors and warnings, you should consider adding your domain to the the HSTS preload list. This will ensure that browsers automatically connect your website by using HTTPS, actively preventing users from visiting your site using HTTP. Since this list is hardcoded in users' browsers, it will enable HSTS even before they visit your page for the first time, eliminating the need for Trust On First Use (TOFU) with its associated risks and disadvantages. Unless you fix the errors and warnings your website won't meet the conditions required to enter the browser's preload list.

\n

Browser vendors declared:

\n
    \n
  • Serve a valid certificate
  • \n
  • If you are listening on port 80, redirect all domains from HTTP to HTTPS on the same host. Serve all subdomains over HTTPS:
  • \n
      \n
    • In particular, you must support HTTPS for the www subdomain if a DNS record for that subdomain exists
    • \n
    \n
  • Serve an HSTS header on the base domain for HTTPS requests:
  • \n
      \n
    • The max-age must be at least 31536000 seconds (1 year)
    • \n
    • The includeSubDomains directive must be specified
    • \n
    • The preload directive must be specified
    • \n
    • If you are serving an additional redirect from your HTTPS site, that redirect must have the HSTS header (rather than the page it redirects to)
    • \n
    \n
", + "label": "fix" + } + ], + "impact": 0.5, + "code": "{\n \"LookupId\": \"9c3a51bf-6c1f-47c9-4646-afb704bb8fb0\",\n \"url\": \"https://foo.bar/\",\n \"type\": \"HstsErrors\",\n \"name\": \"HTTP Strict Transport Security (HSTS) Errors and Warnings\",\n \"severity\": \"Medium\",\n \"certainty\": \"95\",\n \"confirmed\": \"False\",\n \"state\": \"Present\",\n \"FirstSeenDate\": \"05/05/2023 05:03 PM\",\n \"LastSeenDate\": \"05/05/2023 05:03 PM\",\n \"classification\": {\n \"owasp\": \"A5\",\n \"wasc\": \"15\",\n \"cwe\": \"16\",\n \"capec\": \"\",\n \"pci32\": \"\",\n \"hipaa\": \"\",\n \"owasppc\": \"\",\n \"iso27001\": \"A.14.1.2\"\n },\n \"http-request\": {\n \"method\": \"GET\",\n \"content\": \"GET / HTTP/1.1\\nHost: mlrcommercial.vams-impl.cms.gov\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\\nAccept-Language: en-us,en;q=0.5\\nCache-Control: no-cache\\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36\\n\\n\"\n },\n \"http-response\": {\n \"status-code\": \"403\",\n \"duration\": \"29.7532\",\n \"content\": \"HTTP/1.1 403 Forbidden\\nServer: \\nX-Powered-By: \\nConnection: keep-alive\\nX-AspNet-Version: \\nContent-Length: 1233\\nStrict-Transport-Security: max-age=31536000\\nContent-Type: text/html\\nDate: Tue, 28 Feb 2023 22:03:20 GMT\\n\\n\\n\\n\\n\\n403 - Forbidden: Access is denied.\\n\\n\\n\\n

Server Error

\\n
\\n
\\n

403 - Forbidden: Access is denied.

\\n

You do not have permission to view this directory or page using the credentials that you supplied.

\\n
\\n
\\n\\n\\n\"\n },\n \"description\": \"

Invicti Enterprise detected errors during parsing of Strict-Transport-Security header.

\\n\\n\\n\\n\\n\\n\\n\\n\\n
ErrorResolution
preload directive not presentSubmit domain for inclusion in browsers' HTTP Strict Transport Security (HSTS) preload list.
\\n\",\n \"impact\": \"

The HSTS Warning and Error may allow attackers to bypass HSTS, effectively allowing them to read and modify your communication with the website. 

\",\n \"remedial-actions\": \"\",\n \"exploitation-skills\": \"\",\n \"remedial-procedure\": \"

Ideally, after fixing the errors and warnings, you should consider adding your domain to the the HSTS preload list. This will ensure that browsers automatically connect your website by using HTTPS, actively preventing users from visiting your site using HTTP. Since this list is hardcoded in users' browsers, it will enable HSTS even before they visit your page for the first time, eliminating the need for Trust On First Use (TOFU) with its associated risks and disadvantages. Unless you fix the errors and warnings your website won't meet the conditions required to enter the browser's preload list.

\\n

Browser vendors declared:

\\n
    \\n
  • Serve a valid certificate
  • \\n
  • If you are listening on port 80, redirect all domains from HTTP to HTTPS on the same host. Serve all subdomains over HTTPS:
  • \\n
      \\n
    • In particular, you must support HTTPS for the www subdomain if a DNS record for that subdomain exists
    • \\n
    \\n
  • Serve an HSTS header on the base domain for HTTPS requests:
  • \\n
      \\n
    • The max-age must be at least 31536000 seconds (1 year)
    • \\n
    • The includeSubDomains directive must be specified
    • \\n
    • The preload directive must be specified
    • \\n
    • If you are serving an additional redirect from your HTTPS site, that redirect must have the HSTS header (rather than the page it redirects to)
    • \\n
    \\n
\",\n \"remedy-references\": \"\",\n \"external-references\": \"\",\n \"proof-of-concept\": \"\",\n \"tags\": \"\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "http-request : GET / HTTP/1.1\nHost: mlrcommercial.vams-impl.cms.gov\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\nAccept-Language: en-us,en;q=0.5\nCache-Control: no-cache\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36\n\n\nmethod : GET", + "message": "http-response : HTTP/1.1 403 Forbidden\nServer: \nX-Powered-By: \nConnection: keep-alive\nX-AspNet-Version: \nContent-Length: 1233\nStrict-Transport-Security: max-age=31536000\nContent-Type: text/html\nDate: Tue, 28 Feb 2023 22:03:20 GMT\n\n\n\n\n\n403 - Forbidden: Access is denied.\n\n\n\n

Server Error

\n
\n
\n

403 - Forbidden: Access is denied.

\n

You do not have permission to view this directory or page using the credentials that you supplied.

\n
\n
\n\n\n\nduration : 29.7532\nstatus-code : 403", + "start_time": "05/05/2023 04:57 PM" + } + ] + }, + { + "tags": { + "cci": [ + "CCI-001544", + "CCI-000183", + "CCI-002042", + "CCI-000213" + ], + "nist": [ + "IA-5", + "AC-3" + ] + }, + "refs": [], + "source_location": {}, + "title": "Missing X-Frame-Options Header", + "id": "8d8e6052-221d-41c4-8f1e-af9704473901", + "desc": "

Invicti Enterprise detected a missing X-Frame-Options header which means that this website could be at risk of a clickjacking attack.

\n

The X-Frame-Options HTTP header field indicates a policy that specifies whether the browser should render the transmitted resource within a frame or an iframe. Servers can declare this policy in the header of their HTTP responses to prevent clickjacking attacks, which ensures that their content is not embedded into other pages or frames.


Classification: {\"owasp\"=>\"A5\",\"wasc\"=>\"\",\"cwe\"=>\"693\",\"capec\"=>\"103\",\"pci32\"=>\"\",\"hipaa\"=>\"\",\"owasppc\"=>\"\",\"iso27001\"=>\"A.14.2.5\"}
Impact:
\n

Clickjacking is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on a framed page when they were intending to click on the top level page. Thus, the attacker is \"hijacking\" clicks meant for their page and routing them to other another page, most likely owned by another application, domain, or both.

\n

Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.

\n

FirstSeenDate: 01/27/2023 02:56 PM
LastSeenDate: 05/05/2023 05:02 PM
Certainty: 90
Type: MissingXFrameOptionsHeader
Confirmed: False", + "descriptions": [ + { + "data": "", + "label": "check" + }, + { + "data": "Remedial-procedure:
\n
    \n
  • Sending the proper X-Frame-Options in HTTP response headers that instruct the browser to not allow framing from other domains.\n
      \n
    • X-Frame-Options: DENY  It completely denies to be loaded in frame/iframe.
    • \n
    • X-Frame-Options: SAMEORIGIN It allows only if the site which wants to load has a same origin.
    • \n
    • X-Frame-Options: ALLOW-FROM URL It grants a specific URL to load itself in a iframe. However please pay attention to that, not all browsers support this.
    • \n
    \n
  • \n
  • Employing defensive code in the UI to ensure that the current frame is the most top level window.
  • \n
\n

Remedy-references: ", + "label": "fix" + } + ], + "impact": 0.3, + "code": "{\n \"LookupId\": \"8d8e6052-221d-41c4-8f1e-af9704473901\",\n \"url\": \"https://foo.bar/\",\n \"type\": \"MissingXFrameOptionsHeader\",\n \"name\": \"Missing X-Frame-Options Header\",\n \"severity\": \"Low\",\n \"certainty\": \"90\",\n \"confirmed\": \"False\",\n \"state\": \"Present\",\n \"FirstSeenDate\": \"01/27/2023 02:56 PM\",\n \"LastSeenDate\": \"05/05/2023 05:02 PM\",\n \"classification\": {\n \"owasp\": \"A5\",\n \"wasc\": \"\",\n \"cwe\": \"693\",\n \"capec\": \"103\",\n \"pci32\": \"\",\n \"hipaa\": \"\",\n \"owasppc\": \"\",\n \"iso27001\": \"A.14.2.5\"\n },\n \"http-request\": {\n \"method\": \"GET\",\n \"content\": \"GET / HTTP/1.1\\nHost: mlrcommercial.vams-impl.cms.gov\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\\nAccept-Language: en-us,en;q=0.5\\nCache-Control: no-cache\\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36\\n\\n\"\n },\n \"http-response\": {\n \"status-code\": \"403\",\n \"duration\": \"99.0029\",\n \"content\": \"HTTP/1.1 403 Forbidden\\nServer: \\nX-Powered-By: \\nConnection: keep-alive\\nX-AspNet-Version: \\nContent-Length: 1233\\nStrict-Transport-Security: max-age=31536000\\nContent-Type: text/html\\nDate: Tue, 28 Feb 2023 22:02:09 GMT\\n\\n\\n\\n\\n\\n403 - Forbidden: Access is denied.\\n\\n\\n\\n

Server Error

\\n
\\n
\\n

403 - Forbidden: Access is denied.

\\n

You do not have permission to view this directory or page using the credentials that you supplied.

\\n
\\n
\\n\\n\\n\"\n },\n \"description\": \"

Invicti Enterprise detected a missing X-Frame-Options header which means that this website could be at risk of a clickjacking attack.

\\n

The X-Frame-Options HTTP header field indicates a policy that specifies whether the browser should render the transmitted resource within a frame or an iframe. Servers can declare this policy in the header of their HTTP responses to prevent clickjacking attacks, which ensures that their content is not embedded into other pages or frames.

\",\n \"impact\": \"
\\n

Clickjacking is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on a framed page when they were intending to click on the top level page. Thus, the attacker is \\\"hijacking\\\" clicks meant for their page and routing them to other another page, most likely owned by another application, domain, or both.

\\n

Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.

\\n
\",\n \"remedial-actions\": \"\",\n \"exploitation-skills\": \"\",\n \"remedial-procedure\": \"
\\n
    \\n
  • Sending the proper X-Frame-Options in HTTP response headers that instruct the browser to not allow framing from other domains.\\n
      \\n
    • X-Frame-Options: DENY  It completely denies to be loaded in frame/iframe.
    • \\n
    • X-Frame-Options: SAMEORIGIN It allows only if the site which wants to load has a same origin.
    • \\n
    • X-Frame-Options: ALLOW-FROM URL It grants a specific URL to load itself in a iframe. However please pay attention to that, not all browsers support this.
    • \\n
    \\n
  • \\n
  • Employing defensive code in the UI to ensure that the current frame is the most top level window.
  • \\n
\\n
\",\n \"remedy-references\": \"\",\n \"external-references\": \"\",\n \"proof-of-concept\": \"\",\n \"tags\": \"\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "http-request : GET / HTTP/1.1\nHost: mlrcommercial.vams-impl.cms.gov\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\nAccept-Language: en-us,en;q=0.5\nCache-Control: no-cache\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36\n\n\nmethod : GET", + "message": "http-response : HTTP/1.1 403 Forbidden\nServer: \nX-Powered-By: \nConnection: keep-alive\nX-AspNet-Version: \nContent-Length: 1233\nStrict-Transport-Security: max-age=31536000\nContent-Type: text/html\nDate: Tue, 28 Feb 2023 22:02:09 GMT\n\n\n\n\n\n403 - Forbidden: Access is denied.\n\n\n\n

Server Error

\n
\n
\n

403 - Forbidden: Access is denied.

\n

You do not have permission to view this directory or page using the credentials that you supplied.

\n
\n
\n\n\n\nduration : 99.0029\nstatus-code : 403", + "start_time": "05/05/2023 04:57 PM" + } + ] + } + ], + "sha256": "9a1c0ac5f7a0638d083de24b1e302ba86fd2de972fc877de953e9367d96f8500" + } + ], + "passthrough": { + "auxiliary_data": [ + { + "name": "Netsparker", + "data": { + "netsparker-enterprise": { + "target": {} + } + } + } + ], + "raw": { + "invicti-enterprise": { + "target": { + "scan-id": "1eb9f18bfec849d2e438afb704b6a011", + "url": "https://foo.bar/", + "initiated": "05/05/2023 04:57 PM", + "duration": "00:10:08.2111365" + }, + "vulnerabilities": { + "vulnerability": [ + { + "LookupId": "e8b418ae-a532-4b43-5d9b-af9b04bbbca3", + "url": "https://foo.bar/", + "type": "WeakCiphersDetected", + "name": "Weak Ciphers Enabled", + "severity": "Medium", + "certainty": "100", + "confirmed": "True", + "state": "Present", + "FirstSeenDate": "02/20/2023 05:03 PM", + "LastSeenDate": "05/05/2023 05:07 PM", + "classification": { + "owasp": "A6", + "wasc": "4", + "cwe": "327", + "capec": "217", + "pci32": "6.5.4", + "hipaa": "", + "owasppc": "", + "iso27001": "A.14.1.3", + "cvss": { + "vector": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "score": [ + { + "type": "Base", + "value": "6.8", + "severity": "Medium" + }, + { + "type": "Temporal", + "value": "6.8", + "severity": "Medium" + }, + { + "type": "Environmental", + "value": "6.8", + "severity": "Medium" + } + ] + }, + "cvss31": { + "vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "score": [ + { + "type": "Base", + "value": "6.8", + "severity": "Medium" + }, + { + "type": "Temporal", + "value": "6.8", + "severity": "Medium" + }, + { + "type": "Environmental", + "value": "6.8", + "severity": "Medium" + } + ] + } + }, + "http-request": { + "method": "GET", + "content": "[SSL Connection]" + }, + "http-response": { + "status-code": "200", + "duration": "1", + "content": "[SSL Connection]" + }, + "extra-information": { + "info": { + "name": "List of Supported Weak Ciphers", + "value": 
"TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003C), TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003D), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xC027), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xC028), TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009C), TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009D)" + } + }, + "description": "

Invicti Enterprise detected that weak ciphers are enabled during secure communication (SSL).

\n

You should allow only strong ciphers on your web server to protect secure communication with your visitors. 

", + "impact": "
Attackers might decrypt SSL traffic between your server and your visitors.
", + "remedial-actions": "
\n
    \n
  1. For Apache, you should modify the SSLCipherSuite directive in the httpd.conf.\n
    SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
    \n
  2. \n
  3. Lighttpd:\n
    ssl.honor-cipher-order = \"enable\"\nssl.cipher-list = \"EECDH+AESGCM:EDH+AESGCM\"
    \n
  4. \n
  5. For Microsoft IIS, you should make some changes to the system registry. Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on your computer.

    a. Click Start, click Run, type regedt32 or type regedit, and then click OK.
    b. In Registry Editor, locate the following registry key: HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders
    c. Set \"Enabled\" DWORD to \"0x0\" for the following registry keys:
    \n
    SCHANNEL\\Ciphers\\DES 56/56
    SCHANNEL\\Ciphers\\RC4 64/128
    SCHANNEL\\Ciphers\\RC4 40/128
    SCHANNEL\\Ciphers\\RC2 56/128
    SCHANNEL\\Ciphers\\RC2 40/128
    SCHANNEL\\Ciphers\\NULL
    SCHANNEL\\Hashes\\MD5
    \n
  6. \n
\n
", + "exploitation-skills": "", + "remedial-procedure": "
Configure your web server to disallow using weak ciphers.
", + "remedy-references": "", + "external-references": "", + "proof-of-concept": "", + "tags": "" + }, + { + "LookupId": "9c3a51bf-6c1f-47c9-4646-afb704bb8fb0", + "url": "https://foo.bar/", + "type": "HstsErrors", + "name": "HTTP Strict Transport Security (HSTS) Errors and Warnings", + "severity": "Medium", + "certainty": "95", + "confirmed": "False", + "state": "Present", + "FirstSeenDate": "05/05/2023 05:03 PM", + "LastSeenDate": "05/05/2023 05:03 PM", + "classification": { + "owasp": "A5", + "wasc": "15", + "cwe": "16", + "capec": "", + "pci32": "", + "hipaa": "", + "owasppc": "", + "iso27001": "A.14.1.2" + }, + "http-request": { + "method": "GET", + "content": "GET / HTTP/1.1\nHost: mlrcommercial.vams-impl.cms.gov\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\nAccept-Language: en-us,en;q=0.5\nCache-Control: no-cache\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36\n\n" + }, + "http-response": { + "status-code": "403", + "duration": "29.7532", + "content": "HTTP/1.1 403 Forbidden\nServer: \nX-Powered-By: \nConnection: keep-alive\nX-AspNet-Version: \nContent-Length: 1233\nStrict-Transport-Security: max-age=31536000\nContent-Type: text/html\nDate: Tue, 28 Feb 2023 22:03:20 GMT\n\n\n\n\n\n403 - Forbidden: Access is denied.\n\n\n\n

Server Error

\n
\n
\n

403 - Forbidden: Access is denied.

\n

You do not have permission to view this directory or page using the credentials that you supplied.

\n
\n
\n\n\n" + }, + "description": "

Invicti Enterprise detected errors during parsing of Strict-Transport-Security header.

\n\n\n\n\n\n\n\n\n
ErrorResolution
preload directive not presentSubmit domain for inclusion in browsers' HTTP Strict Transport Security (HSTS) preload list.
\n", + "impact": "

The HSTS Warning and Error may allow attackers to bypass HSTS, effectively allowing them to read and modify your communication with the website. 

", + "remedial-actions": "", + "exploitation-skills": "", + "remedial-procedure": "

Ideally, after fixing the errors and warnings, you should consider adding your domain to the the HSTS preload list. This will ensure that browsers automatically connect your website by using HTTPS, actively preventing users from visiting your site using HTTP. Since this list is hardcoded in users' browsers, it will enable HSTS even before they visit your page for the first time, eliminating the need for Trust On First Use (TOFU) with its associated risks and disadvantages. Unless you fix the errors and warnings your website won't meet the conditions required to enter the browser's preload list.

\n

Browser vendors declared:

\n
    \n
  • Serve a valid certificate
  • \n
  • If you are listening on port 80, redirect all domains from HTTP to HTTPS on the same host. Serve all subdomains over HTTPS:
  • \n
      \n
    • In particular, you must support HTTPS for the www subdomain if a DNS record for that subdomain exists
    • \n
    \n
  • Serve an HSTS header on the base domain for HTTPS requests:
  • \n
      \n
    • The max-age must be at least 31536000 seconds (1 year)
    • \n
    • The includeSubDomains directive must be specified
    • \n
    • The preload directive must be specified
    • \n
    • If you are serving an additional redirect from your HTTPS site, that redirect must have the HSTS header (rather than the page it redirects to)
    • \n
    \n
", + "remedy-references": "", + "external-references": "", + "proof-of-concept": "", + "tags": "" + }, + { + "LookupId": "8d8e6052-221d-41c4-8f1e-af9704473901", + "url": "https://foo.bar/", + "type": "MissingXFrameOptionsHeader", + "name": "Missing X-Frame-Options Header", + "severity": "Low", + "certainty": "90", + "confirmed": "False", + "state": "Present", + "FirstSeenDate": "01/27/2023 02:56 PM", + "LastSeenDate": "05/05/2023 05:02 PM", + "classification": { + "owasp": "A5", + "wasc": "", + "cwe": "693", + "capec": "103", + "pci32": "", + "hipaa": "", + "owasppc": "", + "iso27001": "A.14.2.5" + }, + "http-request": { + "method": "GET", + "content": "GET / HTTP/1.1\nHost: mlrcommercial.vams-impl.cms.gov\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\nAccept-Language: en-us,en;q=0.5\nCache-Control: no-cache\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36\n\n" + }, + "http-response": { + "status-code": "403", + "duration": "99.0029", + "content": "HTTP/1.1 403 Forbidden\nServer: \nX-Powered-By: \nConnection: keep-alive\nX-AspNet-Version: \nContent-Length: 1233\nStrict-Transport-Security: max-age=31536000\nContent-Type: text/html\nDate: Tue, 28 Feb 2023 22:02:09 GMT\n\n\n\n\n\n403 - Forbidden: Access is denied.\n\n\n\n

Server Error

\n
\n
\n

403 - Forbidden: Access is denied.

\n

You do not have permission to view this directory or page using the credentials that you supplied.

\n
\n
\n\n\n" + }, + "description": "

Invicti Enterprise detected a missing X-Frame-Options header which means that this website could be at risk of a clickjacking attack.

\n

The X-Frame-Options HTTP header field indicates a policy that specifies whether the browser should render the transmitted resource within a frame or an iframe. Servers can declare this policy in the header of their HTTP responses to prevent clickjacking attacks, which ensures that their content is not embedded into other pages or frames.

", + "impact": "
\n

Clickjacking is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on a framed page when they were intending to click on the top level page. Thus, the attacker is \"hijacking\" clicks meant for their page and routing them to other another page, most likely owned by another application, domain, or both.

\n

Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.

\n
", + "remedial-actions": "", + "exploitation-skills": "", + "remedial-procedure": "
\n
    \n
  • Sending the proper X-Frame-Options in HTTP response headers that instruct the browser to not allow framing from other domains.\n
      \n
    • X-Frame-Options: DENY  It completely denies to be loaded in frame/iframe.
    • \n
    • X-Frame-Options: SAMEORIGIN It allows only if the site which wants to load has a same origin.
    • \n
    • X-Frame-Options: ALLOW-FROM URL It grants a specific URL to load itself in a iframe. However please pay attention to that, not all browsers support this.
    • \n
    \n
  • \n
  • Employing defensive code in the UI to ensure that the current frame is the most top level window.
  • \n
\n
", + "remedy-references": "", + "external-references": "", + "proof-of-concept": "", + "tags": "" + } + ] + }, + "generated": "03/07/2023 03:15 PM" + } + } + } +} \ No newline at end of file diff --git a/test/sample_data/netsparker/netsparker-hdf.json b/test/sample_data/netsparker/netsparker-hdf.json new file mode 100644 index 000000000..e9e2eac4c --- /dev/null +++ b/test/sample_data/netsparker/netsparker-hdf.json @@ -0,0 +1,146 @@ +{ + "platform": { + "name": "Heimdall Tools", + "release": "2.6.58", + "target_id": "https://foo.bar/" + }, + "version": "2.6.58", + "statistics": {}, + "profiles": [ + { + "name": "Invicti Enterprise Scan", + "title": "Invicti Enterprise Scan ID: 1eb9f18bfec849d2e438afb704b6a011 URL: https://foo.bar/", + "summary": "Invicti Enterprise Scan", + "supports": [], + "attributes": [], + "groups": [], + "status": "loaded", + "controls": [ + { + "tags": { + "cci": [ + "CCI-002450", + "CCI-000366" + ], + "nist": [ + "SC-13", + "CM-6" + ] + }, + "refs": [], + "source_location": {}, + "title": "Weak Ciphers Enabled", + "id": "e8b418ae-a532-4b43-5d9b-af9b04bbbca3", + "desc": "

Invicti Enterprise detected that weak ciphers are enabled during secure communication (SSL).

\n

You should allow only strong ciphers on your web server to protect secure communication with your visitors. 


Extra-information: {\"info\"=>{\"name\"=>\"List of Supported Weak Ciphers\",\"value\"=>\"TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003C), TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003D), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xC027), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xC028), TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009C), TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009D)\"}}
Classification: {\"owasp\"=>\"A6\",\"wasc\"=>\"4\",\"cwe\"=>\"327\",\"capec\"=>\"217\",\"pci32\"=>\"6.5.4\",\"hipaa\"=>\"\",\"owasppc\"=>\"\",\"iso27001\"=>\"A.14.1.3\",\"cvss\"=>{\"vector\"=>\"CVSS=>3.0/AV=>A/AC=>H/PR=>N/UI=>N/S=>U/C=>H/I=>H/A=>N\",\"score\"=>[{\"type\"=>\"Base\",\"value\"=>\"6.8\",\"severity\"=>\"Medium\"},{\"type\"=>\"Temporal\",\"value\"=>\"6.8\",\"severity\"=>\"Medium\"},{\"type\"=>\"Environmental\",\"value\"=>\"6.8\",\"severity\"=>\"Medium\"}]},\"cvss31\"=>{\"vector\"=>\"CVSS=>3.1/AV=>A/AC=>H/PR=>N/UI=>N/S=>U/C=>H/I=>H/A=>N\",\"score\"=>[{\"type\"=>\"Base\",\"value\"=>\"6.8\",\"severity\"=>\"Medium\"},{\"type\"=>\"Temporal\",\"value\"=>\"6.8\",\"severity\"=>\"Medium\"},{\"type\"=>\"Environmental\",\"value\"=>\"6.8\",\"severity\"=>\"Medium\"}]}}
Impact:
Attackers might decrypt SSL traffic between your server and your visitors.

FirstSeenDate: 02/20/2023 05:03 PM
LastSeenDate: 05/05/2023 05:07 PM
Certainty: 100
Type: WeakCiphersDetected
Confirmed: True", + "descriptions": [ + { + "data": "", + "label": "check" + }, + { + "data": "Remedial-actions:
\n
    \n
  1. For Apache, you should modify the SSLCipherSuite directive in the httpd.conf.\n
    SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
    \n
  2. \n
  3. Lighttpd:\n
    ssl.honor-cipher-order = \"enable\"\nssl.cipher-list = \"EECDH+AESGCM:EDH+AESGCM\"
    \n
  4. \n
  5. For Microsoft IIS, you should make some changes to the system registry. Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on your computer.

    a. Click Start, click Run, type regedt32 or type regedit, and then click OK.
    b. In Registry Editor, locate the following registry key: HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders
    c. Set \"Enabled\" DWORD to \"0x0\" for the following registry keys:
    \n
    SCHANNEL\\Ciphers\\DES 56/56
    SCHANNEL\\Ciphers\\RC4 64/128
    SCHANNEL\\Ciphers\\RC4 40/128
    SCHANNEL\\Ciphers\\RC2 56/128
    SCHANNEL\\Ciphers\\RC2 40/128
    SCHANNEL\\Ciphers\\NULL
    SCHANNEL\\Hashes\\MD5
    \n
  6. \n
\n

Remedial-procedure:
Configure your web server to disallow using weak ciphers.
", + "label": "fix" + } + ], + "impact": 0.5, + "code": "{\n \"LookupId\": \"e8b418ae-a532-4b43-5d9b-af9b04bbbca3\",\n \"url\": \"https://foo.bar/\",\n \"type\": \"WeakCiphersDetected\",\n \"name\": \"Weak Ciphers Enabled\",\n \"severity\": \"Medium\",\n \"certainty\": \"100\",\n \"confirmed\": \"True\",\n \"state\": \"Present\",\n \"FirstSeenDate\": \"02/20/2023 05:03 PM\",\n \"LastSeenDate\": \"05/05/2023 05:07 PM\",\n \"classification\": {\n \"owasp\": \"A6\",\n \"wasc\": \"4\",\n \"cwe\": \"327\",\n \"capec\": \"217\",\n \"pci32\": \"6.5.4\",\n \"hipaa\": \"\",\n \"owasppc\": \"\",\n \"iso27001\": \"A.14.1.3\",\n \"cvss\": {\n \"vector\": \"CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N\",\n \"score\": [\n {\n \"type\": \"Base\",\n \"value\": \"6.8\",\n \"severity\": \"Medium\"\n },\n {\n \"type\": \"Temporal\",\n \"value\": \"6.8\",\n \"severity\": \"Medium\"\n },\n {\n \"type\": \"Environmental\",\n \"value\": \"6.8\",\n \"severity\": \"Medium\"\n }\n ]\n },\n \"cvss31\": {\n \"vector\": \"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N\",\n \"score\": [\n {\n \"type\": \"Base\",\n \"value\": \"6.8\",\n \"severity\": \"Medium\"\n },\n {\n \"type\": \"Temporal\",\n \"value\": \"6.8\",\n \"severity\": \"Medium\"\n },\n {\n \"type\": \"Environmental\",\n \"value\": \"6.8\",\n \"severity\": \"Medium\"\n }\n ]\n }\n },\n \"http-request\": {\n \"method\": \"GET\",\n \"content\": \"[SSL Connection]\"\n },\n \"http-response\": {\n \"status-code\": \"200\",\n \"duration\": \"1\",\n \"content\": \"[SSL Connection]\"\n },\n \"extra-information\": {\n \"info\": {\n \"name\": \"List of Supported Weak Ciphers\",\n \"value\": \"TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003C), TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003D), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xC027), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xC028), TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009C), TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009D)\"\n }\n },\n \"description\": \"

Invicti Enterprise detected that weak ciphers are enabled during secure communication (SSL).

\\n

You should allow only strong ciphers on your web server to protect secure communication with your visitors. 

\",\n \"impact\": \"
Attackers might decrypt SSL traffic between your server and your visitors.
\",\n \"remedial-actions\": \"
\\n
    \\n
  1. For Apache, you should modify the SSLCipherSuite directive in the httpd.conf.\\n
    SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
    \\n
  2. \\n
  3. Lighttpd:\\n
    ssl.honor-cipher-order = \\\"enable\\\"\\nssl.cipher-list = \\\"EECDH+AESGCM:EDH+AESGCM\\\"
    \\n
  4. \\n
  5. For Microsoft IIS, you should make some changes to the system registry. Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on your computer.

    a. Click Start, click Run, type regedt32 or type regedit, and then click OK.
    b. In Registry Editor, locate the following registry key: HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SecurityProviders
    c. Set \\\"Enabled\\\" DWORD to \\\"0x0\\\" for the following registry keys:
    \\n
    SCHANNEL\\\\Ciphers\\\\DES 56/56
    SCHANNEL\\\\Ciphers\\\\RC4 64/128
    SCHANNEL\\\\Ciphers\\\\RC4 40/128
    SCHANNEL\\\\Ciphers\\\\RC2 56/128
    SCHANNEL\\\\Ciphers\\\\RC2 40/128
    SCHANNEL\\\\Ciphers\\\\NULL
    SCHANNEL\\\\Hashes\\\\MD5
    \\n
  6. \\n
\\n
\",\n \"exploitation-skills\": \"\",\n \"remedial-procedure\": \"
Configure your web server to disallow using weak ciphers.
\",\n \"remedy-references\": \"\",\n \"external-references\": \"\",\n \"proof-of-concept\": \"\",\n \"tags\": \"\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "http-request : [SSL Connection]\nmethod : GET", + "message": "http-response : [SSL Connection]\nduration : 1\nstatus-code : 200", + "start_time": "05/05/2023 04:57 PM" + } + ] + }, + { + "tags": { + "cci": [ + "CCI-000213" + ], + "nist": [ + "AC-3" + ] + }, + "refs": [], + "source_location": {}, + "title": "HTTP Strict Transport Security (HSTS) Errors and Warnings", + "id": "9c3a51bf-6c1f-47c9-4646-afb704bb8fb0", + "desc": "

Invicti Enterprise detected errors during parsing of Strict-Transport-Security header.

\n\n\n\n\n\n\n\n\n
ErrorResolution
preload directive not presentSubmit domain for inclusion in browsers' HTTP Strict Transport Security (HSTS) preload list.
\n
Classification: {\"owasp\"=>\"A5\",\"wasc\"=>\"15\",\"cwe\"=>\"16\",\"capec\"=>\"\",\"pci32\"=>\"\",\"hipaa\"=>\"\",\"owasppc\"=>\"\",\"iso27001\"=>\"A.14.1.2\"}
Impact:

The HSTS Warning and Error may allow attackers to bypass HSTS, effectively allowing them to read and modify your communication with the website. 


FirstSeenDate: 05/05/2023 05:03 PM
LastSeenDate: 05/05/2023 05:03 PM
Certainty: 95
Type: HstsErrors
Confirmed: False", + "descriptions": [ + { + "data": "", + "label": "check" + }, + { + "data": "Remedial-procedure:

Ideally, after fixing the errors and warnings, you should consider adding your domain to the the HSTS preload list. This will ensure that browsers automatically connect your website by using HTTPS, actively preventing users from visiting your site using HTTP. Since this list is hardcoded in users' browsers, it will enable HSTS even before they visit your page for the first time, eliminating the need for Trust On First Use (TOFU) with its associated risks and disadvantages. Unless you fix the errors and warnings your website won't meet the conditions required to enter the browser's preload list.

\n

Browser vendors declared:

\n
    \n
  • Serve a valid certificate
  • \n
  • If you are listening on port 80, redirect all domains from HTTP to HTTPS on the same host. Serve all subdomains over HTTPS:
  • \n
      \n
    • In particular, you must support HTTPS for the www subdomain if a DNS record for that subdomain exists
    • \n
    \n
  • Serve an HSTS header on the base domain for HTTPS requests:
  • \n
      \n
    • The max-age must be at least 31536000 seconds (1 year)
    • \n
    • The includeSubDomains directive must be specified
    • \n
    • The preload directive must be specified
    • \n
    • If you are serving an additional redirect from your HTTPS site, that redirect must have the HSTS header (rather than the page it redirects to)
    • \n
    \n
", + "label": "fix" + } + ], + "impact": 0.5, + "code": "{\n \"LookupId\": \"9c3a51bf-6c1f-47c9-4646-afb704bb8fb0\",\n \"url\": \"https://foo.bar/\",\n \"type\": \"HstsErrors\",\n \"name\": \"HTTP Strict Transport Security (HSTS) Errors and Warnings\",\n \"severity\": \"Medium\",\n \"certainty\": \"95\",\n \"confirmed\": \"False\",\n \"state\": \"Present\",\n \"FirstSeenDate\": \"05/05/2023 05:03 PM\",\n \"LastSeenDate\": \"05/05/2023 05:03 PM\",\n \"classification\": {\n \"owasp\": \"A5\",\n \"wasc\": \"15\",\n \"cwe\": \"16\",\n \"capec\": \"\",\n \"pci32\": \"\",\n \"hipaa\": \"\",\n \"owasppc\": \"\",\n \"iso27001\": \"A.14.1.2\"\n },\n \"http-request\": {\n \"method\": \"GET\",\n \"content\": \"GET / HTTP/1.1\\nHost: mlrcommercial.vams-impl.cms.gov\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\\nAccept-Language: en-us,en;q=0.5\\nCache-Control: no-cache\\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36\\n\\n\"\n },\n \"http-response\": {\n \"status-code\": \"403\",\n \"duration\": \"29.7532\",\n \"content\": \"HTTP/1.1 403 Forbidden\\nServer: \\nX-Powered-By: \\nConnection: keep-alive\\nX-AspNet-Version: \\nContent-Length: 1233\\nStrict-Transport-Security: max-age=31536000\\nContent-Type: text/html\\nDate: Tue, 28 Feb 2023 22:03:20 GMT\\n\\n\\n\\n\\n\\n403 - Forbidden: Access is denied.\\n\\n\\n\\n

Server Error

\\n
\\n
\\n

403 - Forbidden: Access is denied.

\\n

You do not have permission to view this directory or page using the credentials that you supplied.

\\n
\\n
\\n\\n\\n\"\n },\n \"description\": \"

Invicti Enterprise detected errors during parsing of Strict-Transport-Security header.

\\n\\n\\n\\n\\n\\n\\n\\n\\n
ErrorResolution
preload directive not presentSubmit domain for inclusion in browsers' HTTP Strict Transport Security (HSTS) preload list.
\\n\",\n \"impact\": \"

The HSTS Warning and Error may allow attackers to bypass HSTS, effectively allowing them to read and modify your communication with the website. 

\",\n \"remedial-actions\": \"\",\n \"exploitation-skills\": \"\",\n \"remedial-procedure\": \"

Ideally, after fixing the errors and warnings, you should consider adding your domain to the the HSTS preload list. This will ensure that browsers automatically connect your website by using HTTPS, actively preventing users from visiting your site using HTTP. Since this list is hardcoded in users' browsers, it will enable HSTS even before they visit your page for the first time, eliminating the need for Trust On First Use (TOFU) with its associated risks and disadvantages. Unless you fix the errors and warnings your website won't meet the conditions required to enter the browser's preload list.

\\n

Browser vendors declared:

\\n
    \\n
  • Serve a valid certificate
  • \\n
  • If you are listening on port 80, redirect all domains from HTTP to HTTPS on the same host. Serve all subdomains over HTTPS:
  • \\n
      \\n
    • In particular, you must support HTTPS for the www subdomain if a DNS record for that subdomain exists
    • \\n
    \\n
  • Serve an HSTS header on the base domain for HTTPS requests:
  • \\n
      \\n
    • The max-age must be at least 31536000 seconds (1 year)
    • \\n
    • The includeSubDomains directive must be specified
    • \\n
    • The preload directive must be specified
    • \\n
    • If you are serving an additional redirect from your HTTPS site, that redirect must have the HSTS header (rather than the page it redirects to)
    • \\n
    \\n
\",\n \"remedy-references\": \"\",\n \"external-references\": \"\",\n \"proof-of-concept\": \"\",\n \"tags\": \"\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "http-request : GET / HTTP/1.1\nHost: mlrcommercial.vams-impl.cms.gov\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\nAccept-Language: en-us,en;q=0.5\nCache-Control: no-cache\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36\n\n\nmethod : GET", + "message": "http-response : HTTP/1.1 403 Forbidden\nServer: \nX-Powered-By: \nConnection: keep-alive\nX-AspNet-Version: \nContent-Length: 1233\nStrict-Transport-Security: max-age=31536000\nContent-Type: text/html\nDate: Tue, 28 Feb 2023 22:03:20 GMT\n\n\n\n\n\n403 - Forbidden: Access is denied.\n\n\n\n

Server Error

\n
\n
\n

403 - Forbidden: Access is denied.

\n

You do not have permission to view this directory or page using the credentials that you supplied.

\n
\n
\n\n\n\nduration : 29.7532\nstatus-code : 403", + "start_time": "05/05/2023 04:57 PM" + } + ] + }, + { + "tags": { + "cci": [ + "CCI-001544", + "CCI-000183", + "CCI-002042", + "CCI-000213" + ], + "nist": [ + "IA-5", + "AC-3" + ] + }, + "refs": [], + "source_location": {}, + "title": "Missing X-Frame-Options Header", + "id": "8d8e6052-221d-41c4-8f1e-af9704473901", + "desc": "

Invicti Enterprise detected a missing X-Frame-Options header which means that this website could be at risk of a clickjacking attack.

\n

The X-Frame-Options HTTP header field indicates a policy that specifies whether the browser should render the transmitted resource within a frame or an iframe. Servers can declare this policy in the header of their HTTP responses to prevent clickjacking attacks, which ensures that their content is not embedded into other pages or frames.


Classification: {\"owasp\"=>\"A5\",\"wasc\"=>\"\",\"cwe\"=>\"693\",\"capec\"=>\"103\",\"pci32\"=>\"\",\"hipaa\"=>\"\",\"owasppc\"=>\"\",\"iso27001\"=>\"A.14.2.5\"}
Impact:
\n

Clickjacking is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on a framed page when they were intending to click on the top level page. Thus, the attacker is \"hijacking\" clicks meant for their page and routing them to other another page, most likely owned by another application, domain, or both.

\n

Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.

\n

FirstSeenDate: 01/27/2023 02:56 PM
LastSeenDate: 05/05/2023 05:02 PM
Certainty: 90
Type: MissingXFrameOptionsHeader
Confirmed: False", + "descriptions": [ + { + "data": "", + "label": "check" + }, + { + "data": "Remedial-procedure:
\n
    \n
  • Sending the proper X-Frame-Options in HTTP response headers that instruct the browser to not allow framing from other domains.\n
      \n
    • X-Frame-Options: DENY  It completely denies to be loaded in frame/iframe.
    • \n
    • X-Frame-Options: SAMEORIGIN It allows only if the site which wants to load has a same origin.
    • \n
    • X-Frame-Options: ALLOW-FROM URL It grants a specific URL to load itself in a iframe. However please pay attention to that, not all browsers support this.
    • \n
    \n
  • \n
  • Employing defensive code in the UI to ensure that the current frame is the most top level window.
  • \n
\n

Remedy-references: ", + "label": "fix" + } + ], + "impact": 0.3, + "code": "{\n \"LookupId\": \"8d8e6052-221d-41c4-8f1e-af9704473901\",\n \"url\": \"https://foo.bar/\",\n \"type\": \"MissingXFrameOptionsHeader\",\n \"name\": \"Missing X-Frame-Options Header\",\n \"severity\": \"Low\",\n \"certainty\": \"90\",\n \"confirmed\": \"False\",\n \"state\": \"Present\",\n \"FirstSeenDate\": \"01/27/2023 02:56 PM\",\n \"LastSeenDate\": \"05/05/2023 05:02 PM\",\n \"classification\": {\n \"owasp\": \"A5\",\n \"wasc\": \"\",\n \"cwe\": \"693\",\n \"capec\": \"103\",\n \"pci32\": \"\",\n \"hipaa\": \"\",\n \"owasppc\": \"\",\n \"iso27001\": \"A.14.2.5\"\n },\n \"http-request\": {\n \"method\": \"GET\",\n \"content\": \"GET / HTTP/1.1\\nHost: mlrcommercial.vams-impl.cms.gov\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\\nAccept-Language: en-us,en;q=0.5\\nCache-Control: no-cache\\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36\\n\\n\"\n },\n \"http-response\": {\n \"status-code\": \"403\",\n \"duration\": \"99.0029\",\n \"content\": \"HTTP/1.1 403 Forbidden\\nServer: \\nX-Powered-By: \\nConnection: keep-alive\\nX-AspNet-Version: \\nContent-Length: 1233\\nStrict-Transport-Security: max-age=31536000\\nContent-Type: text/html\\nDate: Tue, 28 Feb 2023 22:02:09 GMT\\n\\n\\n\\n\\n\\n403 - Forbidden: Access is denied.\\n\\n\\n\\n

Server Error

\\n
\\n
\\n

403 - Forbidden: Access is denied.

\\n

You do not have permission to view this directory or page using the credentials that you supplied.

\\n
\\n
\\n\\n\\n\"\n },\n \"description\": \"

Invicti Enterprise detected a missing X-Frame-Options header which means that this website could be at risk of a clickjacking attack.

\\n

The X-Frame-Options HTTP header field indicates a policy that specifies whether the browser should render the transmitted resource within a frame or an iframe. Servers can declare this policy in the header of their HTTP responses to prevent clickjacking attacks, which ensures that their content is not embedded into other pages or frames.

\",\n \"impact\": \"
\\n

Clickjacking is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on a framed page when they were intending to click on the top level page. Thus, the attacker is \\\"hijacking\\\" clicks meant for their page and routing them to other another page, most likely owned by another application, domain, or both.

\\n

Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.

\\n
\",\n \"remedial-actions\": \"\",\n \"exploitation-skills\": \"\",\n \"remedial-procedure\": \"
\\n
    \\n
  • Sending the proper X-Frame-Options in HTTP response headers that instruct the browser to not allow framing from other domains.\\n
      \\n
    • X-Frame-Options: DENY  It completely denies to be loaded in frame/iframe.
    • \\n
    • X-Frame-Options: SAMEORIGIN It allows only if the site which wants to load has a same origin.
    • \\n
    • X-Frame-Options: ALLOW-FROM URL It grants a specific URL to load itself in a iframe. However please pay attention to that, not all browsers support this.
    • \\n
    \\n
  • \\n
  • Employing defensive code in the UI to ensure that the current frame is the most top level window.
  • \\n
\\n
\",\n \"remedy-references\": \"\",\n \"external-references\": \"\",\n \"proof-of-concept\": \"\",\n \"tags\": \"\"\n}", + "results": [ + { + "status": "failed", + "code_desc": "http-request : GET / HTTP/1.1\nHost: mlrcommercial.vams-impl.cms.gov\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\nAccept-Language: en-us,en;q=0.5\nCache-Control: no-cache\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36\n\n\nmethod : GET", + "message": "http-response : HTTP/1.1 403 Forbidden\nServer: \nX-Powered-By: \nConnection: keep-alive\nX-AspNet-Version: \nContent-Length: 1233\nStrict-Transport-Security: max-age=31536000\nContent-Type: text/html\nDate: Tue, 28 Feb 2023 22:02:09 GMT\n\n\n\n\n\n403 - Forbidden: Access is denied.\n\n\n\n

Server Error

\n
\n
\n

403 - Forbidden: Access is denied.

\n

You do not have permission to view this directory or page using the credentials that you supplied.

\n
\n
\n\n\n\nduration : 99.0029\nstatus-code : 403", + "start_time": "05/05/2023 04:57 PM" + } + ] + } + ], + "sha256": "9a1c0ac5f7a0638d083de24b1e302ba86fd2de972fc877de953e9367d96f8500" + } + ], + "passthrough": { + "auxiliary_data": [ + { + "name": "Netsparker", + "data": { + "netsparker-enterprise": { + "target": {} + } + } + } + ] + } +} \ No newline at end of file diff --git a/test/sample_data/netsparker/sample_input_report/sample-netsparker-invicti.xml b/test/sample_data/netsparker/sample_input_report/sample-netsparker-invicti.xml new file mode 100644 index 000000000..422bd44ac --- /dev/null +++ b/test/sample_data/netsparker/sample_input_report/sample-netsparker-invicti.xml @@ -0,0 +1,338 @@ + + + + 1eb9f18bfec849d2e438afb704b6a011 + https://foo.bar/ + 05/05/2023 04:57 PM + 00:10:08.2111365 + + + + e8b418ae-a532-4b43-5d9b-af9b04bbbca3 + https://foo.bar/ + WeakCiphersDetected + Weak Ciphers Enabled + Medium + 100 + True + Present + 02/20/2023 05:03 PM + 05/05/2023 05:07 PM + + A6 + 4 + 327 + 217 + 6.5.4 + + + A.14.1.3 + + + + CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N + + + Base + 6.8 + Medium + + + Temporal + 6.8 + Medium + + + Environmental + 6.8 + Medium + + + + + + + + CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N + + + Base + 6.8 + Medium + + + Temporal + 6.8 + Medium + + + Environmental + 6.8 + Medium + + + + + + GET + + + + 200 + 1 + + + + + + + Invicti Enterprise detected that weak ciphers are enabled during secure communication (SSL).
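Review bot: The fixture's redaction is incomplete: the target URL was scrubbed to `https://foo.bar/`, but every `http-request` and `http-response` content string, and the `code_desc`/`message` fields under `results`, still carry `Host: mlrcommercial.vams-impl.cms.gov`, which reads as a real production hostname rather than sample data. If the sample is meant to be anonymised, that header should use the same placeholder as the URL, e.g. `Host: foo.bar`, and the change belongs in the sample XML input (the section that follows) so this file and the raw-input fixture in the hunk above can be regenerated by the converter instead of hand-edited. The profile's `sha256` at the end of this section is presumably derived from the control contents, so it would need regenerating after any such edit.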

+

You should allow only strong ciphers on your web server to protect secure communication with your visitors. 

]]>
+ Attackers might decrypt SSL traffic between your server and your visitors.]]> + +
    +
  1. For Apache, you should modify the SSLCipherSuite directive in the httpd.conf. +
    SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
    +
  2. +
  3. Lighttpd: +
    ssl.honor-cipher-order = "enable"
    +ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM"
    +
  4. +
  5. For Microsoft IIS, you should make some changes to the system registry. Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on your computer.

    a. Click Start, click Run, type regedt32 or type regedit, and then click OK.
    b. In Registry Editor, locate the following registry key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders
    c. Set "Enabled" DWORD to "0x0" for the following registry keys:
    +
    SCHANNEL\Ciphers\DES 56/56
    SCHANNEL\Ciphers\RC4 64/128
    SCHANNEL\Ciphers\RC4 40/128
    SCHANNEL\Ciphers\RC2 56/128
    SCHANNEL\Ciphers\RC2 40/128
    SCHANNEL\Ciphers\NULL
    SCHANNEL\Hashes\MD5
    +
  6. +
+]]>
+ + Configure your web server to disallow using weak ciphers.]]> + + ]]> + + +
+ + 9c3a51bf-6c1f-47c9-4646-afb704bb8fb0 + https://foo.bar/ + HstsErrors + HTTP Strict Transport Security (HSTS) Errors and Warnings + Medium + 95 + False + Present + 05/05/2023 05:03 PM + 05/05/2023 05:03 PM + + A5 + 15 + 16 + + + + + A.14.1.2 + + + + + + + + GET + + + + 403 + 29.7532 + + + + +403 - Forbidden: Access is denied. + + + + +
+
+

403 - Forbidden: Access is denied.

+

You do not have permission to view this directory or page using the credentials that you supplied.

+
+
+ + +]]>
+
+ + Invicti Enterprise detected errors during parsing of Strict-Transport-Security header.

+ + + + + + + + +
ErrorResolution
preload directive not presentSubmit domain for inclusion in browsers' HTTP Strict Transport Security (HSTS) preload list.
+]]>
+ The HSTS Warning and Error may allow attackers to bypass HSTS, effectively allowing them to read and modify your communication with the website. 

]]>
+ + + Ideally, after fixing the errors and warnings, you should consider adding your domain to the the HSTS preload list. This will ensure that browsers automatically connect your website by using HTTPS, actively preventing users from visiting your site using HTTP. Since this list is hardcoded in users' browsers, it will enable HSTS even before they visit your page for the first time, eliminating the need for Trust On First Use (TOFU) with its associated risks and disadvantages. Unless you fix the errors and warnings your website won't meet the conditions required to enter the browser's preload list.

+

Browser vendors declared:

+
    +
  • Serve a valid certificate
  • +
  • If you are listening on port 80, redirect all domains from HTTP to HTTPS on the same host. Serve all subdomains over HTTPS:
  • +
      +
    • In particular, you must support HTTPS for the www subdomain if a DNS record for that subdomain exists
    • +
    +
  • Serve an HSTS header on the base domain for HTTPS requests:
  • +
      +
    • The max-age must be at least 31536000 seconds (1 year)
    • +
    • The includeSubDomains directive must be specified
    • +
    • The preload directive must be specified
    • +
    • If you are serving an additional redirect from your HTTPS site, that redirect must have the HSTS header (rather than the page it redirects to)
    • +
    +
]]>
+ + ]]> + + +
+ + 8d8e6052-221d-41c4-8f1e-af9704473901 + https://foo.bar/ + MissingXFrameOptionsHeader + Missing X-Frame-Options Header + Low + 90 + False + Present + 01/27/2023 02:56 PM + 05/05/2023 05:02 PM + + A5 + + 693 + 103 + + + + A.14.2.5 + + + + + + + + GET + + + + 403 + 99.0029 + + + + +403 - Forbidden: Access is denied. + + + + +
+
+

403 - Forbidden: Access is denied.

+

You do not have permission to view this directory or page using the credentials that you supplied.

+
+
+ + +]]>
+
+ + Invicti Enterprise detected a missing X-Frame-Options header which means that this website could be at risk of a clickjacking attack.

+

The X-Frame-Options HTTP header field indicates a policy that specifies whether the browser should render the transmitted resource within a frame or an iframe. Servers can declare this policy in the header of their HTTP responses to prevent clickjacking attacks, which ensures that their content is not embedded into other pages or frames.

]]>
+ +

Clickjacking is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on a framed page when they were intending to click on the top level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to other another page, most likely owned by another application, domain, or both.

+

Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.

+]]>
+ + + +
    +
  • Sending the proper X-Frame-Options in HTTP response headers that instruct the browser to not allow framing from other domains. +
      +
    • X-Frame-Options: DENY  It completely denies to be loaded in frame/iframe.
    • +
    • X-Frame-Options: SAMEORIGIN It allows only if the site which wants to load has a same origin.
    • +
    • X-Frame-Options: ALLOW-FROM URL It grants a specific URL to load itself in a iframe. However please pay attention to that, not all browsers support this.
    • +
    +
  • +
  • Employing defensive code in the UI to ensure that the current frame is the most top level window.
  • +
+]]>
+ ]]> + ]]> + + +
+
+