
🐛 fix Nonetype in Acunetix, #10370 #10381

Merged (1 commit, Jun 14, 2024)

Conversation

manuel-sommer (Contributor)

@manuel-sommer manuel-sommer commented Jun 11, 2024

In automated reports from Acunetix 360 to be imported into DefectDojo, one vulnerability makes the import crash due to no classification provided by Acunetix.

#10370


Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status Findings
Configured Codepaths Analyzer 0 findings
IDOR Analyzer 0 findings
Sensitive Files Analyzer 0 findings
AppSec Analyzer 0 findings
Authn/Authz Analyzer 0 findings
Secrets Analyzer 0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The provided code changes focus on improving the security and reliability of the application's vulnerability scanning and analysis capabilities. The changes include:

  1. Adding a new test case to the TestAcunetixParser class to ensure the AcunetixParser can correctly handle a specific scenario (issue_10370) when parsing Acunetix scan results. This is an important change that helps improve the robustness of the vulnerability parsing functionality.

  2. Modifying the parse_acunetix360_json.py file to handle cases where the "Classification" dictionary in the Acunetix 360 scan results may not contain the expected "Cwe" key. This change helps prevent exceptions and improves the error handling in the Dojo application.

  3. Providing a JSON file containing the results of a security scan performed by Acunetix360 on the website "http://php.testsparker.com/". The scan identified a vulnerability related to a cookie not being marked as HttpOnly, which can lead to session hijacking vulnerabilities.

From an application security perspective, these changes are positive steps towards improving the security and reliability of the vulnerability scanning and analysis capabilities in the application. The new test case and the error handling improvements help ensure that the vulnerability parsing functionality is robust and can handle a variety of input scenarios. Additionally, the provided Acunetix360 scan results highlight a common security issue related to session management, which is an important consideration for enhancing the overall security posture of the application.

Files Changed:

  1. unittests/tools/test_acunetix_parser.py: This file contains a new test case, test_parse_file_issue_10370, which is designed to test the AcunetixParser class's ability to handle a specific scenario (issue_10370) when parsing Acunetix scan results.

  2. dojo/tools/acunetix/parse_acunetix360_json.py: The code in this file has been modified to handle cases where the "Classification" dictionary in the Acunetix 360 scan results may not contain the expected "Cwe" key, preventing exceptions and improving the error handling in the Dojo application.

  3. unittests/scans/acunetix/issue_10370.json: This file contains the results of a security scan performed by Acunetix360 on the website "http://php.testsparker.com/", which identified a vulnerability related to a cookie not being marked as HttpOnly.

Powered by DryRun Security
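The failure mode described in this thread (a finding whose "Classification" is null, so indexing it for "Cwe" raises on a NoneType) is easy to reproduce and guard against in isolation. The block below is an added example, not the DefectDojo parser from this PR, and the JSON layout it consumes (a top-level "Vulnerabilities" list, each entry optionally carrying a "Classification" object with a "Cwe" string) is an assumption modelled on the Acunetix 360 export format; the sample export is constructed here and is not the issue_10370.json fixture. It goes slightly beyond the PR's single case by also tolerating a missing "Cwe" key, a null "Cwe", and non-numeric or comma-separated CWE values.

```python
"""Added example (not DefectDojo's own code): tolerate a missing or null
"Classification" block in an Acunetix 360 JSON export when extracting the CWE.

Assumed export layout (modelled on Acunetix 360 / Netsparker JSON):
  {"Vulnerabilities": [{"Name": ..., "Severity": ..., "Classification": {"Cwe": "79", ...}}]}
"""
import json
from typing import Optional

# Constructed sample export: three findings, only the first has a usable CWE.
SAMPLE_EXPORT = json.dumps({
    "Target": {"Url": "http://php.testsparker.com/"},
    "Vulnerabilities": [
        {
            "Name": "Cross-site Scripting",
            "Severity": "High",
            "Classification": {"Cwe": "79", "Owasp2017": "A7"},
        },
        {
            # Classification present but without a "Cwe" key.
            "Name": "Version Disclosure (PHP)",
            "Severity": "Low",
            "Classification": {"Owasp2017": "A6"},
        },
        {
            # The shape behind this PR: no classification at all (JSON null).
            "Name": "Cookie Not Marked as HttpOnly",
            "Severity": "Low",
            "Classification": None,
        },
    ],
})


def extract_cwe(vuln: dict) -> Optional[int]:
    """Return the first CWE id of a finding as an int, or None if absent.

    Handles a missing "Classification", "Classification": null, a missing
    "Cwe", "Cwe": null, and strings such as "CWE-79" or "79,80".
    """
    classification = vuln.get("Classification")
    if not isinstance(classification, dict):
        # None (the NoneType crash) or an unexpected type: no CWE available.
        return None
    raw = classification.get("Cwe")
    if raw is None:
        return None
    first = str(raw).split(",")[0].strip()
    if first.upper().startswith("CWE-"):
        first = first[4:]
    return int(first) if first.isdigit() else None


def parse_export(text: str) -> list:
    """Parse an export into (name, severity, cwe) tuples without raising on
    findings that lack classification data."""
    data = json.loads(text)
    rows = []
    for vuln in data.get("Vulnerabilities", []):
        rows.append((vuln.get("Name", "Unnamed"),
                     vuln.get("Severity", "Info"),
                     extract_cwe(vuln)))
    return rows


if __name__ == "__main__":
    for name, severity, cwe in parse_export(SAMPLE_EXPORT):
        print(f"{severity:<6} CWE={cwe!s:<5} {name}")
```

The point of the `isinstance` check rather than `"Classification" in item` is that a key can be present with a null value, which is exactly the case the PR title refers to; a membership test alone would pass and the subsequent subscript would still fail.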

mtesauro (Contributor)

@mtesauro mtesauro left a comment

Approved

@Maffooch Maffooch merged commit 62177f9 into DefectDojo:bugfix Jun 14, 2024
123 checks passed
@manuel-sommer manuel-sommer deleted the fix_issue_10370 branch June 17, 2024 13:49