
Regard whitespace Rev 14 → Rev 15

/trunk/plugins/openbugbounty/OpenBugBountyCheck.class.php
1,25 → 1,25
<?php /* <ViaThinkSoftSignature>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</ViaThinkSoftSignature> */ ?>
<?php
29,7 → 29,7
* Developed by Daniel Marschall, ViaThinkSoft <www.viathinksoft.com>
* Licensed under the terms of the Apache 2.0 license
*
* Revision 2019-11-15
* Revision 2020-02-14
*/
 
declare(ticks=1);
36,6 → 36,7
 
class OpenBugBountyCheck extends VNag {
protected $argDomain = null;
protected $argPrivateAPI = null;
 
public function __construct() {
parent::__construct();
43,14 → 44,15
$this->registerExpectedStandardArguments('Vvht');
 
$this->getHelpManager()->setPluginName('check_openbugbounty');
$this->getHelpManager()->setVersion('1.0');
$this->getHelpManager()->setVersion('1.1');
$this->getHelpManager()->setShortDescription('This plugin checks if a domain has unfixed vulnerabilities listed at OpenBugBounty.org.');
$this->getHelpManager()->setCopyright('Copyright (C) 2011-$CURYEAR$ Daniel Marschall, ViaThinkSoft.');
$this->getHelpManager()->setSyntax('$SCRIPTNAME$ [-d <directory>]');
$this->getHelpManager()->setSyntax('$SCRIPTNAME$ [-d <SingleDomain[,SingleDomain,[...]]> | -d <DomainListFile> | -p <PrivateApiUrl> ]');
$this->getHelpManager()->setFootNotes('If you encounter bugs, please contact ViaThinkSoft at www.viathinksoft.com');
 
// Individual (non-standard) arguments:
$this->addExpectedArgument($this->argDomain = new VNagArgument('d', 'domain', VNagArgument::VALUE_REQUIRED, 'domainOrFile', 'Domain(s) or subdomain(s), separated by comma, to be checked or a file containing domain names.'));
$this->addExpectedArgument($this->argPrivateAPI = new VNagArgument('p', 'privateapi', VNagArgument::VALUE_REQUIRED, 'privateApiUrl', 'A link to your private API (https://www.openbugbounty.org/api/2/...../). Cannot be used together with argument \'-d\'.'));
}
 
protected function get_cache_dir() {
103,14 → 105,84
return array($fixed, $unfixed);
}
 
function get_privateapi_data($url, $max_cache_time = 3600) { // TODO: make cache time configurable via config
$url = strtolower($url);
$cache_file = $this->get_cache_dir() . '/' . md5($url);
 
if (file_exists($cache_file) && (time()-filemtime($cache_file) < $max_cache_time)) {
$cont = file_get_contents($cache_file);
} else {
$cont = file_get_contents($url);
file_put_contents($cache_file, $cont);
}
 
$ary = @json_decode($cont,true);
if (!$ary) throw new Exception("This is probably not a correct Private API URL, or the service is down (JSON Decode failed)");
return $ary;
}
 
protected function cbRun($optional_args=array()) {
$domain = $this->argDomain->getValue();
if (empty($domain)) {
throw new Exception("Please specify a domain or subdomain.");
$privateapi = $this->argPrivateAPI->getValue();
 
if (empty($domain) && empty($privateapi)) {
throw new Exception("Please specify a domain or subdomain, a list of domains, or a private API Url.");
}
 
if (file_exists($domain)) {
// Possibility 1: File containing a list of domains
if (!empty($domain) && !empty($privateapi)) {
throw new Exception("You can either use argument '-d' or '-p', but not both.");
}
 
if (!empty($privateapi)) {
// Possibility 1: Private API (showing all bugs for all of your domains, with detailled information)
// https://www.openbugbounty.org/api/2/.../
 
$sum_fixed = 0;
$sum_unfixed_pending = 0;
$sum_unfixed_disclosed = 0;
 
$this->setStatus(VNag::STATUS_OK);
 
$ary = $this->get_privateapi_data($privateapi);
foreach ($ary as $id => $data) {
/*
[Vulnerability Reported] => 21 September, 2017 05:13
[Vulnerability Verified] => 21 September, 2017 05:14
[Scheduled Public Disclosure] => 21 October, 2017 05:13
[Path Status] => Patched
[Vulnerability Fixed] => 7 August, 2018 21:47
[Report Url] => https://openbugbounty.org/reports/.../
[Host] => ...
[Researcher] => https://openbugbounty.org/researchers/.../
*/
 
if (empty($data['Vulnerability Reported'])) throw new Exception("This is probably not a correct Private API URL, or the service is down (Missing fields in structure)");
 
$status = isset($data['Patch Status']) ? $data['Patch Status'] : $data['Path Status']; // sic! There is a typo in their API (reported, but not fixed)
 
if ($status == 'Patched') {
$sum_fixed++;
} else {
$disclosure = $data['Scheduled Public Disclosure'];
$time = strtotime(str_replace(',', '', $disclosure));
$domain = $data['Host'];
$submission = $data['Report Url'];
if (time() > $time) {
$sum_unfixed_disclosed++;
$this->addVerboseMessage("Disclosed unfixed issue found at $domain: $submission (disclosure: $disclosure)", VNag::VERBOSITY_SUMMARY);
$this->setStatus(VNag::STATUS_CRITICAL);
} else {
$sum_unfixed_pending++;
$this->addVerboseMessage("Undisclosed unfixed issue found at $domain: $submission (disclosure: $disclosure)", VNag::VERBOSITY_SUMMARY);
$this->setStatus(VNag::STATUS_WARNING);
}
}
}
 
$this->setHeadline("$sum_fixed fixed, $sum_unfixed_pending unfixed (pending) and $sum_unfixed_disclosed unfixed (disclosed) issues found at your domains", true);
 
} else if (file_exists($domain)) {
// Possibility 2: File containing a list of domains
$domains = file($domain);
$sum_fixed = 0;
$sum_unfixed = 0;
129,7 → 201,7
if ($sum_unfixed > 0) $this->setStatus(VNag::STATUS_WARNING); // TODO: Critical, when some bugs are disclosed
$this->setHeadline("$sum_fixed fixed and $sum_unfixed unfixed issues found at $count domains", true);
} else if (strpos($domain, ',') !== false) {
// Possibility 2: Domains separated with comma
// Possibility 3: Domains separated with comma
$domains = explode(',', $domain);
$sum_fixed = 0;
$sum_unfixed = 0;
145,7 → 217,7
if ($sum_unfixed > 0) $this->setStatus(VNag::STATUS_WARNING); // TODO: Critical, when some bugs are disclosed
$this->setHeadline("$sum_fixed fixed and $sum_unfixed unfixed issues found at $count domains", true);
} else {
// Possibility 3: Single domain
// Possibility 4: Single domain
list($fixed, $unfixed) = $this->num_open_bugs($domain);
if ($unfixed == 0) $this->setStatus(VNag::STATUS_OK);
if ($unfixed > 0) $this->setStatus(VNag::STATUS_WARNING); // TODO: Critical, when bug is disclosed
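Review bot: In get_privateapi_data the result of `file_get_contents($url)` is written to the cache without checking for failure, so a transient outage stores a `false`/empty cache file that is then replayed for `$max_cache_time` seconds and surfaced as "probably not a correct Private API URL". Change the fetch to `$cont = file_get_contents($url); if ($cont === false) throw new Exception("Could not fetch Private API URL");` followed by `file_put_contents($cache_file, $cont, LOCK_EX);` so only a real response is cached. The `if (!$ary)` test also rejects a valid empty JSON array, which an account with no reports would presumably return, so checking `$ary === null` (or decoding with `JSON_THROW_ON_ERROR`) is safer. Note too that `strtolower($url)` is applied before the fetch, not just for the cache key; if the token segment of the `/api/2/.../` path is case-sensitive this will break the request, so lowercase only the string used for `md5()`. cbRun continues past the end of the hunk.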
/trunk/plugins/openbugbounty/icinga2.conf
4,7 → 4,7
// Developed by Daniel Marschall, ViaThinkSoft <www.viathinksoft.com>
// Licensed under the terms of the Apache 2.0 license
//
// Revision 2019-11-13
// Revision 2020-02-14
 
object CheckCommand "vnag_openbugbounty" {
command = [ "/daten/vnag/plugins/openbugbounty/check_openbugbounty" ]
13,8 → 13,13
"-d" = {
value = "$vnag_openbugbounty_domain$"
description = "Domain(s) or subdomain(s), separated by comma, to be checked or a file containing the domain names"
required = true
required = false // Note: either "-d" or "-p" is required
}
"-p" = {
value = "$vnag_openbugbounty_privateapi$"
description = "Private API URL (cannot be used together with domain-argument)"
required = false // Note: either "-d" or "-p" is required
}
"-v" = {
set_if = "$vnag_openbugbounty_verbose$"
description = "When checking multiple domains, also show details about domains which have 0 unfixed issues."
32,3 → 37,11
// }
// assign where host.name == NodeName
// }
// apply Service "example_websites_openbugbounty" {
// import "generic-service"
// check_command = "vnag_openbugbounty"
// vars = {
// vnag_openbugbounty_privateapi = "https://www.openbugbounty.org/api/2/.../"
// }
// assign where host.name == NodeName
// }
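Review bot: The `-p` value `$vnag_openbugbounty_privateapi$` is the private API URL, which the plugin treats as the credential for the account, and passing it as a command argument exposes it in the process list and in any Icinga logging of the executed check line. A comment on the argument such as `// Note: the private API URL acts as a credential; it is visible in the process list and command logs` would warn operators, and keeping the example URL a placeholder as done in the apply-Service example is right. With both arguments now `required = false`, Icinga can no longer enforce that exactly one of `-d`/`-p` is given; the plugin appears to check this only at runtime, so the inline notes on each argument are the only hint operators get.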