Merge branch 'develop'

tijme · tijme · commit b0f5a859a146 · 2017-09-16T12:48:09.000+02:00
diff --git a/.semver b/.semver
@@ -1 +1 @@
-3.0.0
+3.0.1
diff --git a/README.rst b/README.rst
@@ -60,32 +60,40 @@ Usage
 
 ``acstis -c -siv -d "https://finnwea.com/"``
 
+**Trust the given certificate**
+
+``acstis -d "https://finnwea.com/some/page/?category=23" -tc "/Users/name/Desktop/cert.pem"``
+
 **All command line options**
 
 .. code:: text
 
    usage: acstis [-h] -d DOMAIN [-c] [-vp] [-av ANGULAR_VERSION] [-pmm] [-sos] [-soh] [-sot] [-siv] [-md MAX_DEPTH] [-mt MAX_THREADS]
 
    required arguments:
-       -d DOMAIN, --domain DOMAIN                              the domain to scan (e.g. finnwea.com)
+       -d DOMAIN, --domain DOMAIN                                             the domain to scan (e.g. finnwea.com)
 
    optional arguments:
-       -h, --help                                              show this help message and exit
-       -c, --crawl                                             use the crawler to scan all the entire domain
-       -vp, --verify-payload                                   use a javascript engine to verify if the payload was executed (otherwise false positives may occur)
-       -av ANGULAR_VERSION, --angular-version ANGULAR_VERSION  manually pass the angular version (e.g. 1.4.2) if the automatic check doesn't work
-       -pmm, --protocol-must-match                             (crawler option) only scan pages with the same protocol as the startpoint (e.g. only https)
-       -sos, --scan-other-subdomains                           (crawler option) also scan pages that have another subdomain than the startpoint
-       -soh, --scan-other-hostnames                            (crawler option) also scan pages that have another hostname than the startpoint
-       -sot, --scan-other-tlds                                 (crawler option) also scan pages that have another tld than the startpoint
-       -siv, --stop-if-vulnerable                              (crawler option) stop scanning if a vulnerability was found
-       -md MAX_DEPTH, --max-depth MAX_DEPTH                    (crawler option) the maximum search depth (default is unlimited)
-       -mt MAX_THREADS, --max-threads MAX_THREADS              (crawler option) the maximum amount of simultaneous threads to use (default is 8)
+       -h, --help                                                             show this help message and exit
+       -c, --crawl                                                            use the crawler to scan all the entire domain
+       -vp, --verify-payload                                                  use a javascript engine to verify if the payload was executed (otherwise false positives may occur)
+       -av ANGULAR_VERSION, --angular-version ANGULAR_VERSION                 manually pass the angular version (e.g. 1.4.2) if the automatic check doesn't work
+       -pmm, --protocol-must-match                                            (crawler option) only scan pages with the same protocol as the startpoint (e.g. only https)
+       -sos, --scan-other-subdomains                                          (crawler option) also scan pages that have another subdomain than the startpoint
+       -soh, --scan-other-hostnames                                           (crawler option) also scan pages that have another hostname than the startpoint
+       -sot, --scan-other-tlds                                                (crawler option) also scan pages that have another tld than the startpoint
+       -siv, --stop-if-vulnerable                                             (crawler option) stop scanning if a vulnerability was found
+       -md MAX_DEPTH, --max-depth MAX_DEPTH                                   (crawler option) the maximum search depth (default is unlimited)
+       -mt MAX_THREADS, --max-threads MAX_THREADS                             (crawler option) the maximum amount of simultaneous threads to use (default is 8)
+       -iic, --ignore-invalid-certificates                                    (crawler option) ignore invalid ssl certificates
+       -tc TRUSTED_CERTIFICATES, --trusted-certificates TRUSTED_CERTIFICATES  (crawler option) trust this CA_BUNDLE file (.pem) or directory with certificates
 
 **Authentication, Cookies, Headers, Proxies & Scope options**
 
 These options are not implemented in the command line interface of ACSTIS. Please download the `extended.py <https://github.com/tijme/angularjs-csti-scanner/blob/master/extended.py>`_ script and extend it with one or more of the following code snippets. You can paste these code snippets in the `main()` method of the `extended.py` script.
 
+**Please note:** if you use the ``extended.py`` file make sure you call ``python extended.py [your arguments]`` instead of ``acstis [your arguments]``.
+
 *Basic Authentication*
 
 .. code:: python
diff --git a/acstis/helpers/BrowserHelper.py b/acstis/helpers/BrowserHelper.py
@@ -149,24 +149,36 @@ def __proxies_to_service_args(proxies):
         Returns:
             list: The service args containing proxy details
 
+        Note:
+            The `ignore-ssl-errors` argument is also added because
+            all SSL checks are handled by Python's requests module.
+            Python's requests module is also able to allow certain
+            custom certificates (e.g. if a proxy is used).
+
         """
 
         service_args = []
 
         parsed = urlparse(list(proxies.values())[0])
 
+        # Proxy type
         if parsed.scheme.startswith("http"):
             service_args.append("--proxy-type=http")
         else:
             service_args.append("--proxy-type=" + parsed.scheme)
 
+        # Proxy
         host_and_port = parsed.netloc.split("@")[-1]
         service_args.append("--proxy=" + host_and_port)
 
+        # Proxy auth
         if len(parsed.netloc.split("@")) == 2:
             user_pass = parsed.netloc.split("@")[0]
             service_args.append("--proxy-auth=" + user_pass)
 
+        # Ignore SSL (please see note in this method).
+        service_args.append("--ignore-ssl-errors=true")
+
         return service_args
 
     @staticmethod
diff --git a/acstis_scripts/acstis_cli.py b/acstis_scripts/acstis_cli.py
@@ -40,7 +40,7 @@ def require_arguments():
 
     parser = argparse.ArgumentParser(
         prog=PackageHelper.get_alias(),
-        formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=160, width=160)
+        formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=180, width=180)
     )
 
     optional = parser._action_groups.pop()
@@ -50,14 +50,16 @@ def require_arguments():
 
     optional.add_argument("-c", "--crawl", help="use the crawler to scan all the entire domain", action="store_true")
     optional.add_argument("-vp", "--verify-payload", help="use a javascript engine to verify if the payload was executed (otherwise false positives may occur)", action="store_true")
-    optional.add_argument("-av", "--angular-version", help="manually pass the angular version (e.g. 1.4.2) if the automatic check doesn't work", type=str)
+    optional.add_argument("-av", "--angular-version", help="manually pass the angular version (e.g. 1.4.2) if the automatic check doesn't work", type=str, default=None)
     optional.add_argument("-siv", "--stop-if-vulnerable", help="(crawler option) stop scanning if a vulnerability was found", action="store_true")
     optional.add_argument("-pmm", "--protocol-must-match", help="(crawler option) only scan pages with the same protocol as the startpoint (e.g. only https)", action="store_true")
     optional.add_argument("-sos", "--scan-other-subdomains", help="(crawler option) also scan pages that have another subdomain than the startpoint", action="store_true")
     optional.add_argument("-soh", "--scan-other-hostnames", help="(crawler option) also scan pages that have another hostname than the startpoint", action="store_true")
     optional.add_argument("-sot", "--scan-other-tlds", help="(crawler option) also scan pages that have another tld than the startpoint", action="store_true")
     optional.add_argument("-md", "--max-depth", help="(crawler option) the maximum search depth (default is unlimited)", type=int)
     optional.add_argument("-mt", "--max-threads", help="(crawler option) the maximum amount of simultaneous threads to use (default is 8)", type=int, default=8)
+    optional.add_argument("-iic", "--ignore-invalid-certificates", help="(crawler option) ignore invalid ssl certificates", action="store_true")
+    optional.add_argument("-tc", "--trusted-certificates", help="(crawler option) trust this CA_BUNDLE file (.pem) or directory with certificates", type=str, default=None)
 
     parser._action_groups.append(optional)
     return parser.parse_args()
@@ -134,6 +136,8 @@ def main():
     options.scope.tld_must_match = not args.scan_other_tlds
     options.scope.max_depth = args.max_depth if args.crawl else 0
     options.performance.max_threads = args.max_threads
+    options.misc.verify_ssl_certificates = not args.ignore_invalid_certificates
+    options.misc.trusted_certificates = args.trusted_certificates
 
     driver = Driver(args, options)
     driver.start()
diff --git a/extended.py b/extended.py
@@ -46,6 +46,8 @@ def main():
     options.scope.tld_must_match = not args.scan_other_tlds
     options.scope.max_depth = args.max_depth if args.crawl else 0
     options.performance.max_threads = args.max_threads
+    options.misc.verify_ssl_certificates = not args.ignore_invalid_certificates
+    options.misc.trusted_certificates = args.trusted_certificates
 
     """ ########################################################## """
     """                                                            """
@@ -69,7 +71,7 @@ def require_arguments():
 
     parser = argparse.ArgumentParser(
         prog=PackageHelper.get_alias(),
-        formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=160, width=160)
+        formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=180, width=180)
     )
 
     optional = parser._action_groups.pop()
@@ -79,14 +81,16 @@ def require_arguments():
 
     optional.add_argument("-c", "--crawl", help="use the crawler to scan all the entire domain", action="store_true")
     optional.add_argument("-vp", "--verify-payload", help="use a javascript engine to verify if the payload was executed (otherwise false positives may occur)", action="store_true")
-    optional.add_argument("-av", "--angular-version", help="manually pass the angular version (e.g. 1.4.2) if the automatic check doesn't work", type=str)
+    optional.add_argument("-av", "--angular-version", help="manually pass the angular version (e.g. 1.4.2) if the automatic check doesn't work", type=str, default=None)
     optional.add_argument("-siv", "--stop-if-vulnerable", help="(crawler option) stop scanning if a vulnerability was found", action="store_true")
     optional.add_argument("-pmm", "--protocol-must-match", help="(crawler option) only scan pages with the same protocol as the startpoint (e.g. only https)", action="store_true")
     optional.add_argument("-sos", "--scan-other-subdomains", help="(crawler option) also scan pages that have another subdomain than the startpoint", action="store_true")
     optional.add_argument("-soh", "--scan-other-hostnames", help="(crawler option) also scan pages that have another hostname than the startpoint", action="store_true")
     optional.add_argument("-sot", "--scan-other-tlds", help="(crawler option) also scan pages that have another tld than the startpoint", action="store_true")
     optional.add_argument("-md", "--max-depth", help="(crawler option) the maximum search depth (default is unlimited)", type=int)
     optional.add_argument("-mt", "--max-threads", help="(crawler option) the maximum amount of simultaneous threads to use (default is 8)", type=int, default=8)
+    optional.add_argument("-iic", "--ignore-invalid-certificates", help="(crawler option) ignore invalid ssl certificates", action="store_true")
+    optional.add_argument("-tc", "--trusted-certificates", help="(crawler option) trust this CA_BUNDLE file (.pem) or directory with certificates", type=str, default=None)
 
     parser._action_groups.append(optional)
     return parser.parse_args()
diff --git a/requirements.txt b/requirements.txt
@@ -1,5 +1,5 @@
 colorlog==2.10.0
-nyawc==1.7.5
+nyawc==1.7.8
 requests==2.18.1
 requests_toolbelt==0.8.0
 selenium==3.4.3
