From 6cd4cb98ae34eacbfe00371f4515d029ff626637 Mon Sep 17 00:00:00 2001 From: Manuel Sommer Date: Thu, 7 Nov 2024 10:05:50 +0100 Subject: [PATCH 1/4] :bug: fix Acunetix date #11206 --- dojo/tools/acunetix/parse_acunetix360_json.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dojo/tools/acunetix/parse_acunetix360_json.py b/dojo/tools/acunetix/parse_acunetix360_json.py index 082bf889a6c..3465fca31d1 100644 --- a/dojo/tools/acunetix/parse_acunetix360_json.py +++ b/dojo/tools/acunetix/parse_acunetix360_json.py @@ -96,7 +96,7 @@ def get_findings(self, filename, test): finding.unsaved_req_resp = [{"req": request, "resp": response}] finding.unsaved_endpoints = [Endpoint.from_uri(url)] if item.get("FirstSeenDate"): - parseddate = parser.parse(item["FirstSeenDate"]) + parseddate = parser.parse(item["FirstSeenDate"], dayfirst=True) finding.date = parseddate if dupe_key in dupes: find = dupes[dupe_key] From 96eab260fd637f7fc895f151469046c12c9370d2 Mon Sep 17 00:00:00 2001 From: Manuel Sommer Date: Thu, 7 Nov 2024 10:54:42 +0100 Subject: [PATCH 2/4] fix --- dojo/tools/acunetix/parse_acunetix360_json.py | 2 +- dojo/tools/acunetix/parse_acunetix_xml.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/dojo/tools/acunetix/parse_acunetix360_json.py b/dojo/tools/acunetix/parse_acunetix360_json.py index 3465fca31d1..9d688ebc9a7 100644 --- a/dojo/tools/acunetix/parse_acunetix360_json.py +++ b/dojo/tools/acunetix/parse_acunetix360_json.py @@ -15,7 +15,7 @@ def get_findings(self, filename, test): dupes = {} data = json.load(filename) dupes = {} - scan_date = parser.parse(data["Generated"]) + scan_date = parser.parse(data["Generated"], dayfirst=True) text_maker = html2text.HTML2Text() text_maker.body_width = 0 for item in data["Vulnerabilities"]: diff --git a/dojo/tools/acunetix/parse_acunetix_xml.py b/dojo/tools/acunetix/parse_acunetix_xml.py index eb1e64d16a4..fa4163c1a98 100644 --- a/dojo/tools/acunetix/parse_acunetix_xml.py +++ b/dojo/tools/acunetix/parse_acunetix_xml.py @@ -26,7 +26,7 @@ def get_findings(self, filename, test): # get report date if scan.findtext("StartTime") and "" != scan.findtext("StartTime"): report_date = dateutil.parser.parse( - scan.findtext("StartTime"), + scan.findtext("StartTime"), dayfirst=True ).date() for item in scan.findall("ReportItems/ReportItem"): finding = Finding( From e4421274f91027c3b33e64b00ad3b33c1b24fd8a Mon Sep 17 00:00:00 2001 From: Manuel Sommer Date: Thu, 7 Nov 2024 10:56:35 +0100 Subject: [PATCH 3/4] ruff --- dojo/tools/acunetix/parse_acunetix_xml.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dojo/tools/acunetix/parse_acunetix_xml.py b/dojo/tools/acunetix/parse_acunetix_xml.py index fa4163c1a98..c744903b2ed 100644 --- a/dojo/tools/acunetix/parse_acunetix_xml.py +++ b/dojo/tools/acunetix/parse_acunetix_xml.py @@ -26,7 +26,7 @@ def get_findings(self, filename, test): # get report date if scan.findtext("StartTime") and "" != scan.findtext("StartTime"): report_date = dateutil.parser.parse( - scan.findtext("StartTime"), dayfirst=True + scan.findtext("StartTime"), dayfirst=True, ).date() for item in scan.findall("ReportItems/ReportItem"): finding = Finding( From c06f28369325d821260d7b27a54196a33d56b1ea Mon Sep 17 00:00:00 2001 From: Manuel Sommer Date: Thu, 7 Nov 2024 19:31:18 +0100 Subject: [PATCH 4/4] add unittest --- unittests/scans/acunetix/issue_11206.json | 57 +++++++++++++++++++++++ unittests/tools/test_acunetix_parser.py | 9 ++++ 2 files changed, 66 insertions(+) create mode 100644 unittests/scans/acunetix/issue_11206.json diff --git a/unittests/scans/acunetix/issue_11206.json b/unittests/scans/acunetix/issue_11206.json new file mode 100644 index 00000000000..829c2083aed --- /dev/null +++ b/unittests/scans/acunetix/issue_11206.json @@ -0,0 +1,57 @@ +{ + "Generated": "25/06/2021 09:59 AM", + "Target": { + "Duration": "00:00:41.3968969", + "Initiated": "25/06/2021 09:53 AM", + "ScanId": "663eb6e88d9e4f4d9e00ad52017aa66d", + "Url": "http://php.testsparker.com/" + }, + "Vulnerabilities": [ + { + "Certainty": 100, + "Classification": null, + "Confirmed": true, + "Description": "

Acunetix360 identified a cookie not marked as HTTPOnly.

\n

HTTPOnly cookies cannot be read by client-side scripts, therefore marking a cookie as HTTPOnly can provide an additional layer of protection against cross-site scripting attacks.

", + "ExploitationSkills": "", + "ExternalReferences": "
", + "ExtraInformation": [ + { + "Name": "Identified Cookie(s)", + "Value": "PHPSESSID" + }, + { + "Name": "Cookie Source", + "Value": "HTTP Header" + }, + { + "Name": "Page Type", + "Value": "Login" + } + ], + "FirstSeenDate": "12/06/2021 12:30 PM", + "HttpRequest": { + "Content": "GET /auth/login.php HTTP/1.1\r\nHost: php.testsparker.com\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\r\nAccept-Language: en-us,en;q=0.5\r\nCache-Control: no-cache\r\nReferer: http://php.testsparker.com/auth/\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36\r\nX-Scanner: Acunetix360\r\n\r\n", + "Method": "GET", + "Parameters": [] + }, + "HttpResponse": { + "Content": "HTTP/1.1 200 OK\r\nSet-Cookie: PHPSESSID=e52a07f0fe53c0294ae211bc4481332d; path=/\r\nServer: Apache/2.2.8 (Win32) PHP/5.2.6\r\nContent-Length: 3061\r\nX-Powered-By: PHP/5.2.6\r\nPragma: no-cache\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\n\n\n", + "Duration": 41.4849, + "StatusCode": 200 + }, + "LookupId": "735f4503-e9eb-4b4c-4306-ad49020a4c4b", + "Impact": "
During a cross-site scripting attack, an attacker might easily access cookies and hijack the victim's session.
", + "KnownVulnerabilities": [], + "LastSeenDate": "25/06/2021 01:52 AM", + "Name": "Cookie Not Marked as HttpOnly", + "ProofOfConcept": "", + "RemedialActions": "
\n
    \n
  1. See the remedy for solution.
    2. \n
  2. Consider marking all of the cookies used by the application as HTTPOnly. (After these changes javascript code will not be able to read cookies.)
    3. \n
\n
", + "RemedialProcedure": "
Mark the cookie as HTTPOnly. This will be an extra layer of defense against XSS. However this is not a silver bullet and will not protect the system against cross-site scripting attacks. An attacker can use a tool such as XSS Tunnel to bypass HTTPOnly protection.
", + "RemedyReferences": "", + "Severity": "Medium", + "State": "Present", + "Type": "CookieNotMarkedAsHttpOnly", + "Url": "http://php.testsparker.com/auth/login.php" + } + ] +} \ No newline at end of file diff --git a/unittests/tools/test_acunetix_parser.py b/unittests/tools/test_acunetix_parser.py index 47969cdeeab..fe0deb95e63 100644 --- a/unittests/tools/test_acunetix_parser.py +++ b/unittests/tools/test_acunetix_parser.py @@ -335,3 +335,12 @@ def test_parse_file_issue_10435(self): parser = AcunetixParser() findings = parser.get_findings(testfile, Test()) self.assertEqual(1, len(findings)) + + def test_parse_file_issue_11206(self): + with open("unittests/scans/acunetix/issue_11206.json", encoding="utf-8") as testfile: + parser = AcunetixParser() + findings = parser.get_findings(testfile, Test()) + self.assertEqual(1, len(findings)) + with self.subTest(i=0): + finding = findings[0] + self.assertEqual(finding.date, date(2021, 6, 12, 12, 30))