Merge tag 'white-v3.3' into white/master

Tag v3.3 white

.github/ISSUE_TEMPLATE/feature-request.md

@@ -0,0 +1,19 @@
+---
+name: Feature request
+about: Suggest an idea for this
+
+---
+
+**What's the problem this feature will solve?**
+<!-- What are you trying to do, that you are unable to achieve with faraday as it currently stands? -->
+
+**Describe the solution you'd like**
+<!-- Clear and concise description of what you want to happen. -->
+
+<!-- Provide examples of real world use cases that this would enable and how it solves the problem described above. -->
+
+**Alternative Solutions**
+<!-- different approach to solving this issue? Please elaborate here. -->
+
+**Additional context**
+<!-- Add any other context, links, etc. about the feature here. -->

.github/issue_template.md → .github/ISSUE_TEMPLATE/issue_template.md

@@ -1,3 +1,9 @@
+---
+name: Bug report
+about: Create a report an issue
+
+---
+
 Please search the [Wiki](https://github.com/infobyte/faraday/wiki) for a solution before posting a ticket. Use the <strong>“New Support Request”</strong> button to the right of the screen to submit a ticket for technical support.
 
 ## Issue Type

CHANGELOG/3.3/date.md

@@ -0,0 +1 @@
+Novemeber 14th, 2018

CHANGELOG/3.3/white.md

@@ -0,0 +1,17 @@
+ * Add workspace disable feature
+ * Add mac vendor to host and services
+ * Fix typos and add sorting in workspace name (workspace list view)
+ * Improve warning when you try to select hosts instead of services as targets of a Vulnerability Web
+ * Deleted old Nexpose plugin. Now Faraday uses Nexpose-Full.
+ * Update sqlmap plugin
+ * Add updated zap plugin
+ * Add hostnames to nessus plugin
+ * Python interpreter in SSLCheck plugin is not hardcoded anymore.
+ * Fix importer key error when some data from couchdb didn't contain the "type" key
+ * Fix AttributeError when importing vulns without exploitation from CouchDB
+ * Fix KeyError in importer.py. This issue occurred during the import of Vulnerability Templates
+ * Fix error when file config.xml doesn't exist as the moment of executing initdb
+ * Improve invalid credentials warning by indicating the user to run Faraday GTK with --login option
+ * Fix typos in VulnDB and add two new vulnerabilities (Default Credentials, Privilege Escalation)
+ * Improved tests performance with new versions of the Faker library
+ * `abort()` calls were checked and changed to `flask.abort()`

CHANGELOG/RELEASE.md

@@ -9,6 +9,26 @@ New features in the latest update
 =====================================
 
 
+3.3 [Novemeber 14th, 2018]:
+---
+ * Add workspace disable feature
+ * Add mac vendor to host and services
+ * Fix typos and add sorting in workspace name (workspace list view)
+ * Improve warning when you try to select hosts instead of services as targets of a Vulnerability Web
+ * Deleted old Nexpose plugin. Now Faraday uses Nexpose-Full.
+ * Update sqlmap plugin
+ * Add updated zap plugin
+ * Add hostnames to nessus plugin
+ * Python interpreter in SSLCheck plugin is not hardcoded anymore.
+ * Fix importer key error when some data from couchdb didn't contain the "type" key
+ * Fix AttributeError when importing vulns without exploitation from CouchDB
+ * Fix KeyError in importer.py. This issue occurred during the import of Vulnerability Templates
+ * Fix error when file config.xml doesn't exist as the moment of executing initdb
+ * Improve invalid credentials warning by indicating the user to run Faraday GTK with --login option
+ * Fix typos in VulnDB and add two new vulnerabilities (Default Credentials, Privilege Escalation)
+ * Improved tests performance with new versions of the Faker library
+ * `abort()` calls were checked and changed to `flask.abort()`
+
 3.2 [October 17th, 2018]:
 ---
  * Added logical operator AND to status report search

README.md

@@ -18,20 +18,20 @@ To read about the latest features check out the [release notes](https://github.c
 
 ## Getting Started!
 
-Check out our documentacion for datailed information on how to install Faraday in all of our supported platforms:
+Check out our documentation for detailed information on how to install Faraday in all of our supported platforms:
 
 ![Supported Os](https://raw.github.com/wiki/infobyte/faraday/images/platform/supported.png)
 
-To begin the instalation process check our out [First Step](https://raw.github.com/wiki/infobyte/faraday/First-steps) Wiki.
+To begin the installation process, check out our [Installation Wiki](https://github.com/infobyte/faraday/wiki/Installation-Community).
 
 ## New Features!
 All of Faraday's latest features and updates are always available on our [blog](http://blog.infobytesec.com/search/label/english).
-There are new entries every few weeks, don't forget to check out our amaizing new improvements on it's last entry!
+There are new entries every few weeks, don't forget to check out our amazing new improvements on it's last entry!
 
 
 ## Plugins list
 
-You feed data to Faraday from your favorite tools through Plugins. Right now there are more than [60+ supported tools](https://github.com/infobyte/faraday/wiki/Plugin-List), among which you will find:
+You feed data to Faraday from your favorite tools through Plugins. Right now there are more than [70+ supported tools](https://github.com/infobyte/faraday/wiki/Plugin-List), among which you will find:
 
 ![](https://raw.github.com/wiki/infobyte/faraday/images/plugins/Plugins.png)
 

RELEASE.md

@@ -9,6 +9,26 @@ New features in the latest update
 =====================================
 
 
+3.3 [Novemeber 14th, 2018]:
+---
+ * Add workspace disable feature
+ * Add mac vendor to host and services
+ * Fix typos and add sorting in workspace name (workspace list view)
+ * Improve warning when you try to select hosts instead of services as targets of a Vulnerability Web
+ * Deleted old Nexpose plugin. Now Faraday uses Nexpose-Full.
+ * Update sqlmap plugin
+ * Add updated zap plugin
+ * Add hostnames to nessus plugin
+ * Python interpreter in SSLCheck plugin is not hardcoded anymore.
+ * Fix importer key error when some data from couchdb didn't contain the "type" key
+ * Fix AttributeError when importing vulns without exploitation from CouchDB
+ * Fix KeyError in importer.py. This issue occurred during the import of Vulnerability Templates
+ * Fix error when file config.xml doesn't exist as the moment of executing initdb
+ * Improve invalid credentials warning by indicating the user to run Faraday GTK with --login option
+ * Fix typos in VulnDB and add two new vulnerabilities (Default Credentials, Privilege Escalation)
+ * Improved tests performance with new versions of the Faker library
+ * `abort()` calls were checked and changed to `flask.abort()`
+
 3.2 [October 17th, 2018]:
 ---
  * Added logical operator AND to status report search

VERSION

@@ -1 +1 @@
-3.2
+3.3

bin/screenshot_server.py

@@ -31,7 +31,7 @@ def screenshot(path, protocol, ip, port):
     except Exception:
         print("Coudn't connect")
     finally:
-        driver.quit
+        driver.quit()
 
     return 0
 
@@ -42,7 +42,6 @@ def main(workspace='', args=None, parser=None):
     parsed_args = parser.parse_args(args)
 
     protocols = parsed_args.protocol.split(",")
-    print(protocols)
     path = parsed_args.path
 
     for protocol in protocols:

config/configuration.py

@@ -6,6 +6,8 @@
 '''
 import os
 import json
+import shutil
+
 
 try:
     import xml.etree.cElementTree as ET
@@ -14,6 +16,7 @@
     import xml.etree.ElementTree as ET
     from xml.etree.ElementTree import Element, ElementTree
 
+
 the_config = None
 
 CONST_API_CON_INFO = "api_con_info"
@@ -645,6 +648,12 @@ def saveConfig(self, xml_file="~/.faraday/config/user.xml"):
 def getInstanceConfiguration():
     global the_config
     if the_config is None:
+        config_dir = os.path.expanduser("~/.faraday/config")
+        if not os.path.exists(config_dir):
+            os.mkdir(config_dir)
+        faraday_user_config = os.path.expanduser("~/.faraday/config/user.xml")
+        if not os.path.isfile(faraday_user_config):
+            shutil.copy(DEFAULT_XML, faraday_user_config)
         if os.path.exists(os.path.expanduser("~/.faraday/config/user.xml")):
             the_config = Configuration(os.path.expanduser("~/.faraday/config/user.xml"))
         else:

data/cwe.csv

@@ -2847,3 +2847,5 @@ https://www.owasp.org/index.php/Testing_for_MySQL#Read_from_a_File",high,
 ,EN-Cifrado Debil (SSL weak ciphers),"El host remoto es compatible con el uso de sistemas de cifrado SSL que ofrecen ya sea cifrado debil o sin cifrado en absoluto.
 Esta vulnerabilidad afecta Server.
 ",Vuelva a configurar la aplicacion afectada para evitar el uso de cifrados debiles.,medium,
+,EN-Privilege Escalation,"This happens when an attacker has already done reconnaissance and successfully compromised a system by gaining access to a low-level account. In this phase, an attacker wants to have a strong grip on the system and seeks ways to heighten the privileges, either to study the system further or perform an attack.","Change passwords of administrative accounts regularly and enforce strong password policy (e.g. ensure that local administrator accounts have complex, unique passwords across all systems).",medium,https://www.owasp.org/index.php/Testing_for_Privilege_escalation_(OTG-AUTHZ-003) 
+,EN-Default Credentials,"It was detected that the system has default credentials to access the administration console. These credentials can be obtained from internet sites, for example: technology forums, system manuals, among others.",It is recommended to change all system passwords by default and adapt them to a secure password policy. It is also recommended that all default system accounts be renamed and their passwords changed.,critical,https://www.owasp.org/index.php/Testing_for_default_credentials_(OTG-AUTHN-002)

data/cwe_en.csv

@@ -2494,3 +2494,5 @@ More information http://breachattack.com/",unclassified,
 ",Prevent this information from being displayed to the user,low,
 ,ASP.NET MAC disabled,"By default, the serialized value is signed by the server to prevent tampering by the user; however, this behavior can be disabled by setting the Page.EnableViewStateMac property to false. If this is done, then an attacker can modify the contents of the ViewState and cause arbitrary data to be deserialized and processed by the server. If the ViewState contains any items that are critical to the server's processing of the request, then this may result in a security exposure.
 ",Set the Page.EnableViewStateMac property to true on any pages where the ViewState is not currently signed.,low,
+,Privilege Escalation,"This happens when an attacker has already done reconnaissance and successfully compromised a system by gaining access to a low-level account. In this phase, an attacker wants to have a strong grip on the system and seeks ways to heighten the privileges, either to study the system further or perform an attack.","Change passwords of administrative accounts regularly and enforce strong password policy (e.g. ensure that local administrator accounts have complex, unique passwords across all systems).",medium,https://www.owasp.org/index.php/Testing_for_Privilege_escalation_(OTG-AUTHZ-003)
+,Default Credentials,"It was detected that the system has default credentials to access the administration console. These credentials can be obtained from internet sites, for example: technology forums, system manuals, among others.",It is recommended to change all system passwords by default and adapt them to a secure password policy. It is also recommended that all default system accounts be renamed and their passwords changed.,critical,https://www.owasp.org/index.php/Testing_for_default_credentials_(OTG-AUTHN-002)