secdec / adapt Goto Github PK

ADAPT is a tool that performs automated Penetration Testing for WebApps.

License: Apache License 2.0

Python 93.79% Shell 6.21%

python security vulnerability automation

adapt's Introduction

Summary

ADAPT is a tool that performs Automated Dynamic Application Penetration Testing for web applications. It is designed to increase accuracy, speed, and confidence in penetration testing efforts. ADAPT automatically tests for multiple industry standard OWASP Top 10 vulnerabilities, and outputs categorized findings based on these potential vulnerabilities. ADAPT also uses the functionality from OWASP ZAP to perform automated active and passive scans, and auto-spidering. Due to the flexible nature of the ADAPT tool, all of theses features and tests can be enabled or disabled from the configuration file. For more information on tests and configuration, please visit the ADAPT wiki.

How it Works

ADAPT uses Python to create an automated framework to use industry standard tools, such as OWASP ZAP and Nmap, to perform repeatable, well-designed procedures with anticipated results to create an easly understandable report listing vulnerabilities detected within the web application.

Automated Tests:

* OTG-IDENT-004 – Account Enumeration
* OTG-AUTHN-001 - Testing for Credentials Transported over an Encrypted Channel
* OTG-AUTHN-002 – Default Credentials
* OTG-AUTHN-003 - Testing for Weak lock out mechanism
* OTG-AUTHZ-001 – Directory Traversal
* OTG-CONFIG-002 - Test Application Platform Configuration
* OTG-CONFIG-006 – Test HTTP Methods
* OTG-CRYPST-001 - Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection
* OTG-CRYPST-002 - Testing for Padding Oracle
* OTG-ERR-001 - Testing for Error Code
* OTG-ERR-002 – Testing for Stack Traces
* OTG-INFO-002 – Fingerprinting the Webserver
* OTG-INPVAL-001 - Testing for Reflected Cross site scripting
* OTG-INPVAL-002 - Testing for Stored Cross site scripting
* OTG-INPVAL-003 – HTTP Verb Tampering
* OTG-SESS-001 - Testing for Session Management Schema
* OTG-SESS-002 – Cookie Attributes

Installing the Plugin

Detailed install instructions.

For Developers & Contributors

ADAPT is an open source software that encourages community collaboration. Collaboration requires cloning the ADAPT repository from https://github.com/secdec/adapt. It is encouraged that a potential contributor clones ADAPT in a UNIX environment. Cloning in a windows environment may disturb the line endings if certain settings are configured such as autocrlf = true. To ensure that this does not occur when working in a Windows based environment locate your global git.config and disable autocrlf.

License

Licensed under the Apache-2.0 License.

adapt's People

Contributors

Stargazers

Watchers

adapt's Issues

install missing components

I downloaded "master.zip" as there is nothing in releases. So, Centos 7:

Installing for Linux:
Please do not press anything until the script is finished, go take a break
sudo apt-get update -y: DONE
sudo apt-get install python3-pip -y: DONE
sudo apt-get install python3-scipy -y: DONE
sudo apt-get install default-jre -y: DONE
sudo apt-get install nmap -y: DONE
sudo apt-get install docker.io -y: DONE
sudo apt-get install git -y: DONE
Checking for zap: FOUND
Checking for wig: NOT FOUND
Installing wig: ./install.sh: line 104: cd: wig: No such file or directory
python3: can't open file 'setup.py': [Errno 2] No such file or directory
FAILED

DONE
/home/auser
Checking paramiko: ./install.sh: line 119: cd: lib: No such file or directory
NOT FOUND
Installing paramiko dev: ./install.sh: line 125: cd: paramiko: No such file or directory
python3: can't open file 'setup.py': [Errno 2] No such file or directory
FAILED

DONE
/home/auser/adapt-master
Checking testssl: ./install.sh: line 140: cd: lib: No such file or directory
NOT FOUND
Installing testssl dev: DONE
Checking for SecLists: ./install.sh: line 153: cd: var: No such file or directory
NOT FOUND
Installing SecLists: ./install.sh: line 158: git: command not found
DONE
mkdir: cannot create directory ‘output’: Permission denied
sudo pip3 install --user python-nmap: DONE
sudo pip3 install --user python-owasp-zap-v2.4: DONE
sudo pip3 install --user beautifulsoup4: DONE
sudo pip3 install --user lxml: DONE
sudo pip3 install --user dicttoxml: DONE
sudo pip3 install --user progressbar2: DONE
sudo pip3 install --user pathlib: DONE
sudo pip3 install --user bcrypt: DONE
sudo pip3 install --user pynacl: DONE
touch: cannot touch './var/adapt_installed': Permission denied
ADAPT install: FINISHED

Internal Error from Zap

When trying to execute "python3 adapt.py", the program exists with the following error message:

failed during test_logins. Expected zap message, got: internal_error

Is this an error you recognize? In previous output, zap seems to initialize properly, so I have no idea what could be going wrong.

Here's the entire output for completeness' sake:

'adapt_main [INFO] : Loading config file'
'adapt_main [INFO] : Checking command line args'
'adapt_main [INFO] : Final config setup...'
Valid service username:
Valid service password:
'adapt_main [INFO] : ... Done'
'adapt_main [INFO] : Test bed setup starting...'
'adapt_main [INFO] : Test bed setup done'
'adapt_main [INFO] : http://localhost:8080'
'adapt_main [INFO] : Initializing zap'
'zap_interface [INFO] : open zap daemon /opt/ZAP_2.7.0/zap.sh'
'zap_interface [INFO] : Waiting for zap startup... '
[==============================================================================================] 100%
'zap_interface [INFO] : DONE'
'zap_interface [INFO] : Connecting to zap... '
'zap_interface [INFO] : Opening url'
'zap_interface [INFO] : Excluded path: /logout.php'
'zap_interface [INFO] : Excluded path: /logout'
/opt/adapt/login_format.py:88: UserWarning: No parser was explicitly specified, so I'm using the best available HTML parser for this system ("lxml"). This usually isn't a problem, but if you run this code on another system, or in a different virtual environment, it may use a different parser and behave differently.

The code that caused this warning is on line 88 of the file /opt/adapt/login_format.py. To get rid of this warning, pass the additional argument 'features="lxml"' to the BeautifulSoup constructor.

  s = soup(dvwa_get.text)
'zap_interface [INFO] : Authentication failed: list index out of range'
'zap_interface [INFO] : Finished setup'
'adapt_main [INFO] : Zap initialized'
'adapt_main [INFO] : Checking for authorization availability...'
'adapt_main [INFO] : Zap spider starting...'
'zap_interface [INFO] : Spider start'
'zap_interface [INFO] : ADAPT Context'
'zap_interface [INFO] : scanid: 0'
[==============================================================================================] 100%
'zap_interface [INFO] : Spider done'
'adapt_main [INFO] : DONE'
'adapt_main [INFO] : Zap pscan starting... '
'zap_interface [INFO] : Pscan start'
'zap_interface [INFO] : This could take a while. Please be patient.'
[==============================================================================================] 100%
'zap_interface [INFO] : Pscan done'
'adapt_main [INFO] : DONE'
'adapt_main [INFO] : Zap ascan starting...'
'zap_interface [INFO] : Ascan start'
[==============================================================================================] 100%
'zap_interface [INFO] : Ascan done'
'adapt_main [INFO] : DONE'
'adapt_main [INFO] : Pulling results from zap'
'adapt_main [INFO] : Initializing owasp suite'
'owasp_suite [INFO] : Finished setup'
'adapt_main [INFO] : Owasp initialized'
'adapt_main [INFO] : Running suite'
'owasp_suite [INFO] : Nmap Starting'
'owasp_suite [INFO] : Nmap finished'
'owasp_suite [INFO] : Owasp starting'
'owasp_suite [INFO] : Invoking test: config_002...'
'owasp_suite [INFO] : Invoking test: crypst_001...'
'owasp_suite [INFO] : Invoking test: crypst_002...'
'owasp_suite [INFO] : Invoking test: err_001...'
'owasp_suite [INFO] : Invoking test: err_002...'
[=                                                                                             ] 100%
'owasp_suite [INFO] : Invoking test: info_002...'
'owasp_suite [INFO] : Invoking test: inpval_001...'
'owasp_suite [INFO] : Invoking test: inpval_002...'
'owasp_suite [INFO] : Invoking test: inpval_003...'
Traceback (most recent call last):
  File "adapt.py", line 318, in <module>
    main()
  File "adapt.py", line 303, in main
    pentester.run()
  File "adapt.py", line 71, in run
    return self.start_penetration_testing()
  File "adapt.py", line 132, in start_penetration_testing
    self.owasp_results = owasp.run()
  File "/opt/adapt/src/owasp_suite.py", line 134, in run
    int_res = internal()
  File "/opt/adapt/src/owasp_suite.py", line 452, in inpval_003
    resp = self.zap.send_request( req )
  File "/opt/adapt/src/zap_interface.py", line 95, in send_request
    raise Exception("Request {} failed during test_logins. Expected zap message, got: {}".format(request, resp))
Exception: Request PUT http://localhost:8080/ HTTP/1.0

 failed during test_logins. Expected zap message, got: internal_error

numpy.ufunc

Helllo, after install without problem
launched with p3, i got this error:

Cannot import module: numpy.ufunc size changed, may indicate binary incompatibility. Expected 216 from C header, got 192 from PyObject. Quitting...

Any hint?
-------run on kali linux latest version and updated python
Thanks

error

Console interface

Hi dear,
you can use Maryam for the user interface. If you use Maryam, your program will a framework like Metasploit.
If you wanted, please ask how to work.
http://github.com/saeeddhqan/maryam

Can't run install.sh file

Trying to install an .sh file but this error keeps returning:

I've also tried using things like ./install_seq.sh and similar.

Also, when simply typing install_seq.sh there's another error:

Someone suggested dos2unix but I can't get it to download on my computer and I don't know if there's another solution?

Problems with installer.sh

Hello, and first of all, thank you for undertaking this project - It's a nice idea which I expect will be quite valuable in security testing.

I had a few problems during the install that I guess would be pretty easy for you to fix. You can see the relevant output lines from installer.sh below:

Checking paramiko: NOT FOUND
Installing paramiko dev: ./install.sh: line 125: cd: paramiko: No such file or directory
python3: can't open file 'setup.py': [Errno 2] No such file or directory
FAILED

Checking testssl: ./install.sh: line 140: cd: lib: No such file or directory
NOT FOUND

Installing SecLists: fatal: could not create work tree dir 'SecLists': Permission denied

mkdir: cannot create directory ‘output’: Permission denied

The system I ran this on was Ubuntu 18.04 64-bit.

I'm now going to edit the installer script to hopefully fix these issues without breaking anything. I'll let you know how it goes!

Error in execution (Novice User)

Please help me

Warning: Nashorn engine is planned to be removed from a future JDK release
Warning: Nashorn engine is planned to be removed from a future JDK release
'zap_interface [INFO] : DONE'
'zap_interface [INFO] : Connecting to zap... '
'zap_interface [INFO] : Opening url'
'zap_interface [INFO] : Excluded path: /logout.php'
'zap_interface [INFO] : Excluded path: /logout'
('zap_interface [INFO] : Authentication failed: '
"HTTPConnectionPool(host='localhost', port=80): Max retries exceeded with "
'url: /login.php (Caused by '
"NewConnectionError('<urllib3.connection.HTTPConnection object at "
'0x7f39dacac510>: Failed to establish a new connection: [Errno 111] '
"Connection refused'))")
'zap_interface [INFO] : Finished setup'
'adapt_main [INFO] : Zap initialized'
'adapt_main [INFO] : Checking for authorization availability...'
'adapt_main [INFO] : Zap spider starting...'
'zap_interface [INFO] : Spider start'
'zap_interface [INFO] : ADAPT Context'
'zap_interface [INFO] : scanid: url_not_in_context'
recent call last):
File "adapt.py", line 318, in
main()
File "adapt.py", line 303, in main
pentester.run()
File "adapt.py", line 71, in run
return self.start_penetration_testing()
File "adapt.py", line 94, in start_penetration_testing
zapper.spider()
File "/home/xxx/adapt/src/zap_interface.py", line 205, in spider
scan_progress = int(self.zap.spider.status(scanid))
ValueError: invalid literal for int() with base 10: 'does_not_exist'

Can't excute install.sh

I've tried: sudo ./install.sh
and I got: ./install.sh: command not found
then I tried: sudo python3 adapt.py
and I got this error message:

It seems that you have not run the installer script.
We will now run that briefly before continuing.
Traceback (most recent call last):
  File "adapt.py", line 37, in <module>
    subprocess.call(["./install.sh"])
  File "/usr/lib/python3.5/subprocess.py", line 557, in call
    with Popen(*popenargs, **kwargs) as p:
  File "/usr/lib/python3.5/subprocess.py", line 947, in __init__
    restore_signals, start_new_session)
  File "/usr/lib/python3.5/subprocess.py", line 1551, in _execute_child
    raise child_exception_type(errno_num, err_msg)
PermissionError: [Errno 13] Permission denied

OWAS-Suite crypst_001 crash

The OWASP test for crypst_001 fails with this error message:

File "adapt.py", line 318, in
main()
File "adapt.py", line 303, in main
pentester.run()
File "adapt.py", line 71, in run
return self.start_penetration_testing()
File "adapt.py", line 132, in start_penetration_testing
self.owasp_results = owasp.run()
File "/home/lehmanndom/adapt-master/src/owasp_suite.py", line 134, in run
int_res = internal()
File "/home/lehmanndom/adapt-master/src/owasp_suite.py", line 571, in crypst_001
for i in testssl_results["scanResult"][0]["protocols"]:
KeyError: 'protocols'

When turning only this test off, everything works fine.
Running Python 3.6.8

Kaan albatu

ModuleNotFoundError: No module named 'zapv2'

python3 adapt.py

It seems that you have not run the installer script.
We will now run that briefly before continuing.
This script should no longer be run as root
Traceback (most recent call last):
File "adapt.py", line 47, in
from zap_interface import AdaptZap
File "/opt/github/adapt/src/zap_interface.py", line 23, in
from zapv2 import ZAPv2
ModuleNotFoundError: No module named 'zapv2'
root@K0walski:/opt/github/adapt# pip3 install zapv2
Collecting zapv2
Could not install packages due to an EnvironmentError: 404 Client Error: Not Found for url: https://pypi.org/simple/zapv2/