Merge pull request #246 from psiinon/scan/wavsep

Scan wavsep

Author: thc202

.github/workflows/zap-vs-wavsep-live.yml

@@ -1,17 +1,61 @@
-name: ZAP vs Wavsep - Default
+name: ZAP vs Wavsep
 
 on: 
+# Enable once we've checked its working well
+#  schedule:
+#    - cron:  '40 3 * * 1' # 4:30 am every Monday
   workflow_dispatch:
 
 jobs:
   scan:
-    runs-on: [ubuntu-latest]
+    runs-on: ubuntu-latest
     steps:
-    - name: Start wavsep
-      run: docker run --rm -d -p 8080:8080 owaspvwad/wavsep &
-    - name: Start ZAP
-      run: docker run --rm -d -p 8090:8090 --network host ghcr.io/zaproxy/zaproxy:weekly zap-x.sh -daemon -host localhost -port 8090 -addonupdate -addoninstall domxss -config "api.addrs.addr.name=.*" -config api.addrs.addr.regex=true -config api.disablekey=true &
-    - name: Run ZAP API script
-      env:
-        GITHUB_TOKEN: ${{ secrets.ZAPBOT_TOKEN }}
-      run: docker run --rm --network host --env ZAPBOT_TOKEN=${{ secrets.ZAPBOT_TOKEN }} zaproxy/zap-testing ./zap-vs-wavsep-1.5.sh -e 61 -n wavsep-1.5-weekly-RBJ-M-M -t "Rel, Beta, DomXSS"
+    - name: Clone zap-mgmt-scripts and zaproxy-website
+      run: |
+        # Setup git details
+        export GITHUB_USER=zapbot
+        export GITHUB_TOKEN=${{ secrets.ZAPBOT_TOKEN }}
+        git config --global user.email "12745184+zapbot@users.noreply.github.com"
+        git config --global user.name $GITHUB_USER
+        git clone https://github.com/$GITHUB_USER/zap-mgmt-scripts.git
+
+        git clone https://github.com/$GITHUB_USER/zaproxy-website.git
+
+        # Update to the latest upstream
+        cd zaproxy-website
+        git remote set-url origin https://$GITHUB_USER:$GITHUB_TOKEN@github.com/$GITHUB_USER/zaproxy-website.git
+        git remote add upstream https://github.com/zaproxy/zaproxy-website.git
+        git checkout -B wavsep
+        git pull upstream main
+        git reset --hard upstream/main
+        git push --set-upstream origin wavsep --force
+
+    - name: Scan Wavsep
+      run: |
+        # start Wavsep
+        docker run --rm -it -p 8080:8080 -p 3306:3306 zaproxy/wavsep
+        
+        cd zap-mgmt-scripts/scans/wavsep
+        # Need to do this so the zap user in docker can write to the directory
+        mkdir res
+        chmod a+w res
+        docker run -v $(pwd):/zap/wrk/:rw --network host -t ghcr.io/zaproxy/zaproxy:nightly zap.sh -cmd -silent -autorun /zap/wrk/wavsep.yaml
+        cp res/*.yml ../../../zaproxy-website/site/data/scans/wavsep/
+
+    - name: Raise a PR on the website
+      run: |
+        cd zaproxy-website
+
+        # Update the index to be sure git is aware of changes
+        git update-index -q --refresh
+        ## If there are changes: comment, commit, PR
+        if ! git diff-index --quiet HEAD --; then
+
+          git add site/data/scans/wavsep/*
+          git commit -s -m "Updated WAVSEP Results"
+          git push origin
+
+          echo ${{ secrets.ZAPBOT_TOKEN }} | gh auth login --with-token
+          gh pr create --fill
+
+        fi

.github/workflows/zap-vs-wavsep-st-high.yml

@@ -0,0 +1,156 @@
+// Score ZAP against WAVSEP
+
+var DIR = "/zap/wrk/res/";
+var IGNORE_PATHS = [];
+
+// Polyfill for Nashorn c/o https://stackoverflow.com/questions/47543566/scriptengine-javascript-doesnt-support-includes
+if (!Array.prototype.includes) { 
+  Object.defineProperty(Array.prototype, 'includes', { 
+    value: function(valueToFind, fromIndex) { 
+      if (this == null) { 
+        throw new TypeError('\"this\" is null or not defined'); 
+      } 
+      var o = Object(this); 
+      var len = o.length >>> 0; 
+      if (len === 0) { return false; } 
+      var n = fromIndex | 0; 
+      var k = Math.max(n >= 0 ? n : len - Math.abs(n), 0); 
+      function sameValueZero(x, y) { return x === y || (typeof x === 'number' && typeof y === 'number' && isNaN(x) && isNaN(y)); } 
+      while (k < len) { if (sameValueZero(o[k], valueToFind)) { return true; } k++; } return false; 
+    } 
+   });
+}
+
+var totalUrls;
+var totalAlerts;
+
+var FileWriter = Java.type('java.io.FileWriter');
+var PrintWriter = Java.type('java.io.PrintWriter');
+
+root = org.parosproxy.paros.model.Model.getSingleton().
+       getSession().getSiteTree().getRoot();
+
+function nodeHasAlert(node, rules) {
+   var alerts = node.getAlerts();
+   for (var a in alerts) {
+       var pluginId = alerts.get(a).getPluginId();
+       if (rules.includes(pluginId)) {
+           return pluginId;
+       }
+   }
+   return null;
+}
+
+function listChildren(pw, node, type, rules) {
+   var j;
+   for (j=0;j<node.getChildCount();j++) {
+       var child = node.getChildAt(j);
+       if (child.getChildCount() == 0) {
+           var path = child.getHierarchicNodeName();
+           if (path.indexOf(type) > -1 && path.indexOf("Case") > -1) {
+             // All good
+           } else {
+             continue;
+           }
+           if (path.indexOf("POST") > -1 && child.getNodeName().startsWith("GET")) {
+             continue;
+           }
+           if (! IGNORE_PATHS.includes(path)) {
+             totalUrls++;
+             pw.println('- path: ' + path);
+             var pluginId = nodeHasAlert(child, rules);
+             // Following test is JS equiv of XOR
+             if (path.indexOf("FalsePositives") > 0 ? !pluginId : pluginId) {
+                 totalAlerts++;
+                 pw.println('  result: Pass');
+                 pw.println('  rule: ' + pluginId);
+             } else {
+                 pw.println('  result: FAIL');
+                 pw.println('  rule: ' + rules[0]);
+             }
+           }
+       } else {
+           listChildren(pw, child, type, rules);
+       }
+   }
+}
+
+function scoreChildren(file, name, type, rules) {
+   var YAML_FILE = DIR + "/" + file + ".yml";
+   var fw = new FileWriter(YAML_FILE);
+   var pw = new PrintWriter(fw);
+
+   pw.println('section: ' + name);
+   pw.println('url: ' + type);
+   pw.println('details:');
+
+   totalUrls = 0;
+   totalAlerts = 0;
+
+
+   listChildren(pw, root, type, rules);
+
+   pw.println('tests: ' + totalUrls);
+   pw.println('passes: ' + totalAlerts);
+   pw.println('fails: ' + (totalUrls - totalAlerts));
+   pw.println('score: ' + Math.round(totalAlerts * 100 / totalUrls) + '%');
+
+   pw.close();
+}
+
+scoreChildren("dom-xss-get-exp", "DOM XSS GET Experimental", "/DXSS-Detection-Evaluation-GET-Experimental/", [40026]);
+
+scoreChildren("lfi-get-200-err", "Local File Include GET 200 Error", "/LFI-Detection-Evaluation-GET-200Error/", [6]);
+scoreChildren("lfi-get-200-id", "Local File Include GET 200 Identical", "/LFI-Detection-Evaluation-GET-200Identical/", [6]);
+scoreChildren("lfi-get-200-valid", "Local File Include GET 200 Valid", "/LFI-Detection-Evaluation-GET-200Valid/", [6]);
+scoreChildren("lfi-get-302-redir", "Local File Include GET 302 Redirect", "/LFI-Detection-Evaluation-GET-302Redirect/", [6]);
+scoreChildren("lfi-get-400-err", "Local File Include GET 404 Error", "/LFI-Detection-Evaluation-GET-404Error/", [6]);
+scoreChildren("lfi-get-500-err", "Local File Include GET 500 Error", "/LFI-Detection-Evaluation-GET-500Error/", [6]);
+scoreChildren("lfi-post-200-err", "Local File Include POST 200 Error", "/LFI-Detection-Evaluation-POST-200Error/", [6]);
+scoreChildren("lfi-post-200-id", "Local File Include POST 200 Identical", "/LFI-Detection-Evaluation-POST-200Identical/", [6]);
+scoreChildren("lfi-post-200-valid", "Local File Include POST 200 Valid", "/LFI-Detection-Evaluation-POST-200Valid/", [6]);
+scoreChildren("lfi-post-302-redir", "Local File Include POST 302 Redirect", "/LFI-Detection-Evaluation-POST-302Redirect/", [6]);
+scoreChildren("lfi-post-404-err", "Local File Include POST 404 Error", "/LFI-Detection-Evaluation-POST-404Error/", [6]);
+scoreChildren("lfi-post-500-err", "Local File Include POST 500 Error", "/LFI-Detection-Evaluation-POST-500Error/", [6]);
+scoreChildren("lfi-get-fp", "Local File Include GET False Positives ", "/LFI-FalsePositives-GET/", [6]);
+
+scoreChildren("rfi-get-200-err", "Remote File Include GET 200 Error", "/RFI-Detection-Evaluation-GET-200Error/", [7]);
+scoreChildren("rfi-get-200-id", "Remote File Include GET 200 Identical", "/RFI-Detection-Evaluation-GET-200Identical/", [7]);
+scoreChildren("rfi-get-200-valid", "Remote File Include GET 200 Valid", "/RFI-Detection-Evaluation-GET-200Valid/", [7]);
+scoreChildren("rfi-get-302-redir", "Remote File Include GET 302 Redirect", "/RFI-Detection-Evaluation-GET-302Redirect/", [7]);
+scoreChildren("rfi-get-404-err", "Remote File Include GET 404 Error", "/RFI-Detection-Evaluation-GET-404Error/", [7]);
+scoreChildren("rfi-get-500-err", "Remote File Include GET 500 Error", "/RFI-Detection-Evaluation-GET-500Error/", [7]);
+scoreChildren("rfi-post-200-err", "Remote File Include POST 200 Error", "/RFI-Detection-Evaluation-POST-200Error/", [7]);
+scoreChildren("rfi-post-200-id", "Remote File Include POST 200 Identical", "/RFI-Detection-Evaluation-POST-200Identical/", [7]);
+scoreChildren("rfi-post-200-valid", "Remote File Include POST 200 Valid", "/RFI-Detection-Evaluation-POST-200Valid/", [7]);
+scoreChildren("rfi-post-302-redir", "Remote File Include POST 302 Redirect", "/RFI-Detection-Evaluation-POST-302Redirect/", [7]);
+scoreChildren("rfi-post-400-err", "Remote File Include POST 404 Error", "/RFI-Detection-Evaluation-POST-404Error/", [7]);
+scoreChildren("rfi-post-402-err", "Remote File Include POST 500 Error", "/RFI-Detection-Evaluation-POST-500Error/", [7]);
+scoreChildren("rfi-get-fp", "Remote File Include GET False Positives", "/RFI-FalsePositives-GET/", [7]);
+
+scoreChildren("rxss-cookie-exp", "Reflected XSS Cookie Experimental", "/RXSS-Detection-Evaluation-COOKIE-Experimental/", [40012]);
+scoreChildren("rxss-get", "Reflected XSS GET", "/RXSS-Detection-Evaluation-GET/", [40012]);
+scoreChildren("rxss-get-exp", "Reflected XSS GET Experimental", "/RXSS-Detection-Evaluation-GET-Experimental/", [40012]);
+scoreChildren("rxss-post", "Reflected XSS POST", "/RXSS-Detection-Evaluation-POST/", [40012]);
+scoreChildren("rxss-post-exp", "Reflected XSS POST Experimental", "/RXSS-Detection-Evaluation-POST-Experimental/", [40012]);
+scoreChildren("rxss-fps", "Reflected XSS GET False Positives", "/RXSS-FalsePositives-GET/", [40012]);
+
+scoreChildren("sqli-get-200-err", "SQL Injection GET 200 Error", "/SInjection-Detection-Evaluation-GET-200Error/", [40018]);
+scoreChildren("sqli-get-200-err-exp", "SQL Injection GET 200 Error Experimental", "/SInjection-Detection-Evaluation-GET-200Error-Experimental/", [40018]);
+scoreChildren("sqli-get-200-id", "SQL Injection GET 200 Identical", "/SInjection-Detection-Evaluation-GET-200Identical/", [40018]);
+scoreChildren("sqli-get-200-valid", "SQL Injection GET 200 Valid", "/SInjection-Detection-Evaluation-GET-200Valid/", [40018]);
+scoreChildren("sqli-get-500-err", "SQL Injection GET 500 Error", "/SInjection-Detection-Evaluation-GET-500Error/", [40018]);
+scoreChildren("sqli-post-200-err", "SQL Injection POST 200 Error", "/SInjection-Detection-Evaluation-POST-200Error/", [40018]);
+scoreChildren("sqli-post-200-err-exp", "SQL Injection POST 200 Error Experimental", "/SInjection-Detection-Evaluation-POST-200Error-Experimental/", [40018]);
+scoreChildren("sqli-post-200-id", "SQL Injection POST 200 Identical", "/SInjection-Detection-Evaluation-POST-200Identical/", [40018]);
+scoreChildren("sqli-post-200-valid", "SQL Injection POST 200 Valid", "/SInjection-Detection-Evaluation-POST-200Valid/", [40018]);
+scoreChildren("sqli-post-500-err", "SQL Injection POST 500 Error", "/SInjection-Detection-Evaluation-POST-500Error/", [40018]);
+scoreChildren("sqli-get-fp", "SQL Injection GET False Positives", "/SInjection-FalsePositives-GET/", [40018]);
+
+scoreChildren("redir-get-302", "Unvalidated Redirect GET 200", "/Redirect-Detection-Evaluation-GET-302Redirect/", [20019]);
+scoreChildren("redir-post-302", "Unvalidated Redirect POST 302", "/Redirect-Detection-Evaluation-POST-302Redirect/", [20019]);
+scoreChildren("redir-get-fp", "Unvalidated Redirect GET False Positives", "/Redirect-FalsePositives-GET/", [20019]);
+scoreChildren("redir-get-200-valid", "Unvalidated Redirect GET 200 Valid", "/Redirect-JavaScript-Detection-Evaluation-GET-200Valid/", [20019]);
+scoreChildren("redir-post-200-valid", "Unvalidated Redirect POST 200 Valid", "/Redirect-JavaScript-Detection-Evaluation-POST-200Valid/", [20019]);
+
+print('Done');