Merge branch 'main' into redirection-data-grab

intrigueio · Aug 28, 2021 · ec50c3d · ec50c3d
2 parents 98f5911 + 52f834d
commit ec50c3d
Show file tree

Hide file tree

Showing 66 changed files with 795 additions and 425 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -8,7 +8,16 @@ workflows:
     jobs:
       - build-intrigue-ident:
           context:
-              - Build Context (Low Security) 
+              - Build Context (Low Security)
+      - security-scan-intrigue-ident:
+          requires:
+            - build-intrigue-ident
+          context:
+              - SecurityTesting Context
+          filters:
+              branches:
+                only:
+                  - main
       - deploy-intrigue-ident:
           requires:
             - build-intrigue-ident
@@ -63,6 +72,18 @@ jobs:
                 }
               ]
             }
+  security-scan-intrigue-ident:
+    docker:
+      - image: circleci/ruby:2.7.2-browsers
+    steps:
+      - checkout
+      - run:
+          name: Run whitesource
+          command:  | 
+            bundle install
+            curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar
+            echo Unified Agent downloaded successfully
+            java -jar wss-unified-agent.jar -project intrigue-ident -d ./
   deploy-intrigue-ident:
     docker:
       - image: circleci/ruby:2.7.2

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -8,7 +8,7 @@ GIT
 PATH
   remote: .
   specs:
-    intrigue-ident (5.1.5)
+    intrigue-ident (5.6.1)
       dnsruby
       mongo
       murmurhash3
@@ -21,22 +21,22 @@ GEM
   remote: https://rubygems.org/
   specs:
     bindata (2.4.10)
-    bson (4.12.0)
+    bson (4.12.1)
     coderay (1.1.3)
     diff-lcs (1.4.4)
-    dnsruby (1.61.5)
+    dnsruby (1.61.7)
       simpleidn (~> 0.1)
-    ethon (0.13.0)
+    ethon (0.14.0)
       ffi (>= 1.15.0)
-    ffi (1.15.0)
+    ffi (1.15.3)
     hitimes (1.3.1)
     json (2.5.1)
     method_source (1.0.0)
-    mini_portile2 (2.5.1)
+    mini_portile2 (2.5.3)
     mongo (2.14.0)
       bson (>= 4.8.2, < 5.0.0)
     murmurhash3 (0.1.6)
-    nokogiri (1.11.4)
+    nokogiri (1.11.7)
       mini_portile2 (~> 2.5.0)
       racc (~> 1.4)
     openssl (2.2.0)
@@ -46,7 +46,7 @@ GEM
       coderay (~> 1.1)
       method_source (~> 1.0)
     racc (1.5.2)
-    redis (4.2.5)
+    redis (4.3.1)
     rspec (3.10.0)
       rspec-core (~> 3.10.0)
       rspec-expectations (~> 3.10.0)
@@ -60,7 +60,7 @@ GEM
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.10.0)
     rspec-support (3.10.2)
-    ruby_smb (2.0.8)
+    ruby_smb (2.0.10)
       bindata
       openssl-ccm
       openssl-cmac
@@ -69,7 +69,7 @@ GEM
     rubyntlm (0.6.3)
     simpleidn (0.2.1)
       unf (~> 0.1.4)
-    slop (4.8.2)
+    slop (4.9.1)
     snmp (1.3.2)
     socketry (0.5.1)
       hitimes (~> 1.2)

diff --git a/checks/http/adobe.rb b/checks/http/adobe.rb
@@ -12,7 +12,7 @@ def generate_checks(url)
             {
               type: 'fingerprint',
               category: 'application',
-              tags: ['Application Server'],
+              tags: ['Development', 'Application Server'],
               vendor: 'Adobe',
               product: 'Coldfusion',
               website: 'https://coldfusion.adobe.com/',
@@ -32,7 +32,7 @@ def generate_checks(url)
             { # Coldfusion
               type: 'fingerprint',
               category: 'application',
-              tags: ['Application Server'],
+              tags: ['Development', 'Application Server'],
               vendor: 'Adobe',
               product: 'Coldfusion',
               website: 'https://coldfusion.adobe.com/',
@@ -54,7 +54,7 @@ def generate_checks(url)
             { # Coldfusion 6, 7
               type: 'fingerprint',
               category: 'application',
-              tags: ['Application Server'],
+              tags: ['Development', 'Application Server'],
               vendor: 'Adobe',
               references: [
                 'https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/coldfusion_version.rb'
@@ -82,7 +82,7 @@ def generate_checks(url)
             { # Coldfusion 10 ... this needs OR/AND ?
               type: 'fingerprint',
               category: 'application',
-              tags: ['Application Server'],
+              tags: ['Development', 'Application Server'],
               vendor: 'Adobe',
               product: 'Coldfusion',
               website: 'https://coldfusion.adobe.com/',
@@ -104,7 +104,7 @@ def generate_checks(url)
             { # Coldfusion 11 ... this needs OR/AND ?
               type: 'fingerprint',
               category: 'application',
-              tags: ['Application Server'],
+              tags: ['Development', 'Application Server'],
               vendor: 'Adobe',
               product: 'Coldfusion',
               website: 'https://coldfusion.adobe.com/',
@@ -127,7 +127,7 @@ def generate_checks(url)
             { # Generic check
               type: 'fingerprint',
               category: 'application',
-              tags: ['Application Server'],
+              tags: ['Development', 'Application Server'],
               vendor: 'Adobe',
               product: 'Coldfusion',
               website: 'https://coldfusion.adobe.com/',

diff --git a/checks/http/akamai.rb b/checks/http/akamai.rb
@@ -47,7 +47,7 @@ def generate_checks(url)
               type: 'fingerprint',
               category: 'service',
               vendor: 'Akamai',
-              tags: ['CDN', 'WAF'],
+              tags: ['CDN'],
               product: 'Akamai',
               website: 'https://www.akamai.com/',
               version: nil,

diff --git a/checks/http/amazon.rb b/checks/http/amazon.rb
@@ -34,8 +34,8 @@ def generate_checks(url)
               product: 'CloudFront',
               website: 'https://aws.amazon.com/cloudfront/',
               version: nil,
-              description: 'cloudfront equest could not be satisfied',
-              match_logic: :any,
+              description: 'cloudfront request could not be satisfied',
+              match_logic: :all,
               matches: [
                 {
                   match_type: :content_code,

diff --git a/checks/http/apache.rb b/checks/http/apache.rb
@@ -467,7 +467,7 @@ def generate_checks(url)
             {
               type: 'fingerprint',
               category: 'application',
-              tags: ['Application Server', 'Admin Panel'],
+              tags: ['Application Server'],
               vendor: 'Apache',
               product: 'Tomcat',
               website: 'https://tomcat.apache.org/',

diff --git a/checks/http/appdynamics.rb b/checks/http/appdynamics.rb
@@ -15,6 +15,10 @@ def generate_checks(url)
               description: 'AppDynamics - Cookies Match',
               match_logic: :any,
               matches: [
+                {
+                  match_type: :content_cookies,
+                  match_content: /ADRUM_BT=/,
+                },
                 {
                   match_type: :content_cookies,
                   match_content: /ADRUM_BTa=/,

diff --git a/checks/http/atlassian.rb b/checks/http/atlassian.rb
@@ -205,7 +205,7 @@ def generate_checks(url)
             {
               type: 'fingerprint',
               category: 'service',
-              tags: %w[SaaS Development SaaS],
+              tags: ['SaaS', 'Development'],
               vendor: 'Atlassian',
               product: 'Crowd',
               website: 'https://www.atlassian.com/software/crowd',

diff --git a/checks/http/auth0.rb b/checks/http/auth0.rb
@@ -8,7 +8,7 @@ def generate_checks(url)
       {
         type: "fingerprint",
         category: "service",
-        tags: ["IAM", "SaaS", "Security"],
+        tags: ["IAM", "MFA", "SaaS", "Security"],
         vendor: "Auth0",
         product: "Auth0",
         references: [],

diff --git a/checks/http/barracuda.rb b/checks/http/barracuda.rb
@@ -41,8 +41,8 @@ def generate_checks(url)
       },
       {
         type: "fingerprint",
-        category: "application",
-        tags: ["WAF"],
+        category: "service",
+        tags: ["WAF", "SaaS"],
         website: "https://www.barracuda.com/products/webapplicationfirewall",
         vendor: "Barracuda",
         product: "Email Security Gateway",

diff --git a/checks/http/base.rb b/checks/http/base.rb
@@ -26,25 +26,25 @@ def _uri_match(content, regex)
 
     # matching helpers
     def _all_body_captures(content, regex)
-      return nil unless content["details"]["hidden_response_data"] &&
-        content["details"]["hidden_response_data"].match(regex)
+      return nil unless content["details"]["extended_response_body"] &&
+        content["details"]["extended_response_body"].match(regex)
 
-      match = content["details"]["hidden_response_data"].match(regex)
+      match = content["details"]["extended_response_body"].match(regex)
       return match.captures.map{|x|x.to_s.strip} if match
 
     nil
     end
 
     def _first_body_match(content, regex)
-      return nil unless content["details"]["hidden_response_data"] &&
-        content["details"]["hidden_response_data"].match(regex)
+      return nil unless content["details"]["extended_response_body"] &&
+        content["details"]["extended_response_body"].match(regex)
 
-    content["details"]["hidden_response_data"].match(regex)
+    content["details"]["extended_response_body"].match(regex)
     end
 
     def _first_body_capture(content, regex, filter=[])
-      return nil unless content["details"]["hidden_response_data"]
-      x = content["details"]["hidden_response_data"].match(regex)
+      return nil unless content["details"]["extended_response_body"]
+      x = content["details"]["extended_response_body"].match(regex)
       if x && x.captures && !x.captures.empty?
         x = x.captures.first.strip
         filter.each{|f| x.gsub!(f,"") }

diff --git a/checks/http/backdrop.rb → checks/http/basekit.rb b/checks/http/backdrop.rb → checks/http/basekit.rb
diff --git a/checks/http/centos.rb b/checks/http/centos.rb
@@ -27,7 +27,7 @@ def generate_checks(url)
             {
               type: 'fingerprint',
               category: 'application',
-              tags: ['Administrative', 'Login Panel'],
+              tags: ['Administrative', 'Management', 'Login Panel'],
               vendor: 'Centos',
               product: 'CentOS Web Panel',
               references: [],

diff --git a/checks/http/cerberus.rb b/checks/http/cerberus.rb
diff --git a/checks/http/communigate.rb b/checks/http/communigate.rb
@@ -1,37 +1,35 @@
 module Intrigue
-module Ident
-module Check
-class Communigate < Intrigue::Ident::Check::Base
-
-  def generate_checks(url)
-    [
-      {
-        type: "fingerprint",
-        vendor: "Stalker", # recently renamed to communigate systems inc
-        category: "application",
-        tags: ["COTS","Marketing"],
-        product:"CommuniGate",
-        website: "http://www.stalker.com/CommuniGatepro/",
-        description:"server header",
-        version: nil,
-        match_logic: :all,
-        matches: [
-          {
-            match_type: :content_headers,
-            match_content: /server: CommuniGatePro/,
-          }
-        ],
-        dynamic_version: lambda { |x|
-          _first_header_capture(x,/server: CommuniGatePro\/(.*)/i,)
-        },
-        hide: false,
-        paths: [ { path: "#{url}", follow_redirects: true } ], 
-        inference: true
-      }
-    ]
+  module Ident
+    module Check
+      class CommuniGate < Intrigue::Ident::Check::Base
+        def generate_checks(url)
+          [
+            {
+              type: 'fingerprint',
+              vendor: 'CommuniGate',
+              category: 'application',
+              tags: ['COTS', 'Marketing', 'Web Server'],
+              product: 'CommuniGate',
+              website: 'http://www.stalker.com/CommuniGatepro/',
+              description: 'CommuniGate Pro - Headers Match',
+              version: nil,
+              match_logic: :all,
+              matches: [
+                {
+                  match_type: :content_headers,
+                  match_content: /server: CommuniGatePro/
+                }
+              ],
+              dynamic_version: lambda { |x|
+                _first_header_capture(x, %r{server: CommuniGatePro/(\d+(\.\d+)*)}i)
+              },
+              hide: false,
+              paths: [{ path: url.to_s, follow_redirects: true }],
+              inference: true
+            }
+          ]
+        end
+      end
+    end
   end
-
-end
-end
-end
 end