New Scanner: AngularJS CSTI Scanner (closes #216) #248

Merged: J12934 merged 15 commits into main from scanner/acstis on Mar 8, 2021

Contributor

@paulschmelzer paulschmelzer commented Dec 14, 2020

Integrates the AngularJS Client-Side Template Injection Scanner.

Because the scanner provides some request options by extending a Python startup script, I had to inject these options before the script is started. Therefore the user might provide a config map with a config file containing the request options according to the README.

If you'd like to test the vulnerability, run the following app:
sudo docker run --rm -ti -p 127.0.0.1:5000:5000 blabla1337/owasp-skf-lab:csti
Because acstis can't determine the AngularJS version, you have to add the flag -av 1.5.0 to the scanner. It is very strange that the scanner cannot guess the version, because it is very obviously imported in the site's HTML.

closes #248
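
One way to pre-compute the `-av` value mentioned in the description above from a page's `<script>` tags. This is an added example, not code from acstis or from this pull request; the names `AngularVersionFinder` and `acstis_version_args` are hypothetical and the sample HTML is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Core file only: angular.js, angular.min.js, angular-1.5.0.min.js (not angular-route.js).
ANGULAR_FILE = re.compile(r"(?:^|/)angular(?:[-.@]\d+\.\d+\.\d+)?(?:\.min)?\.js$", re.I)
SEMVER = re.compile(r"(?<![\d.])(\d+\.\d+\.\d+)(?!\.?\d)")
# Banner comment that AngularJS 1.x builds start with.
BANNER = re.compile(r"AngularJS v(\d+\.\d+\.\d+)")

# Constructed sample page, not taken from any real target.
SAMPLE_HTML = """<html ng-app><head>
<script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.5.0/angular.min.js"></script>
</head><body></body></html>"""


class AngularVersionFinder(HTMLParser):
    """Collects AngularJS version hints from <script> tags."""

    def __init__(self):
        super().__init__()
        self.versions = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self._in_script = True
        # Only the URL path is inspected, so digits in the host or query are ignored.
        path = urlsplit(dict(attrs).get("src") or "").path
        if ANGULAR_FILE.search(path):
            match = SEMVER.search(path)
            if match:
                self.versions.append(match.group(1))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # inlined or bundled copy of the library
            self.versions.extend(BANNER.findall(data))


def acstis_version_args(html):
    """Return ["-av", version] when exactly one version is found, else []."""
    finder = AngularVersionFinder()
    finder.feed(html)
    finder.close()
    found = sorted(set(finder.versions))
    return ["-av", found[0]] if len(found) == 1 else []
```

An empty result means the version is absent from the markup or ambiguous, and the flag still has to be set by hand.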

@paulschmelzer paulschmelzer added the scanner Implement or update a security scanner label Dec 14, 2020
@paulschmelzer paulschmelzer requested a review from J12934 December 14, 2020 14:53
@paulschmelzer paulschmelzer linked an issue Dec 14, 2020 that may be closed by this pull request
8 tasks
@paulschmelzer paulschmelzer marked this pull request as ready for review December 21, 2020 12:46
Signed-off-by: Yannik Fuhrmeister <yannik.fuhrmeister@iteratec.com>
Member

@nigthknight nigthknight left a comment

Looks great to me but I have one question. Why is it necessary to save the acstis-script.py in the secureCodeBox repository?

J12934 and others added 7 commits February 3, 2021 08:59
Signed-off-by: Yannik Fuhrmeister <yannik.fuhrmeister@iteratec.com>
@nigthknight nigthknight enabled auto-merge March 8, 2021 09:00
@J12934 J12934 disabled auto-merge March 8, 2021 16:02
@J12934 J12934 merged commit fab01bd into main Mar 8, 2021
@J12934 J12934 deleted the scanner/acstis branch March 8, 2021 16:02
Successfully merging this pull request may close these issues.

🚓 Integrate a new Angular Client-Side Template Injection Scanner

3 participants