Thanks to visit codestin.com
Credit goes to github.com

Skip to content

immuniweb json parser #12179

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Apr 9, 2025
Merged

immuniweb json parser #12179

merged 4 commits into from
Apr 9, 2025

Conversation

valentijnscholten
Copy link
Member

@valentijnscholten valentijnscholten commented Apr 6, 2025
edited
Loading

Fixes #12166

2025-04-06 19_25_29-Test _ DefectDojo 2025-04-06 19_25_11-View Finding _ DefectDojo

@valentijnscholten valentijnscholten added this to the 2.45.1 milestone Apr 6, 2025
@valentijnscholten valentijnscholten changed the title immuniweb json: domains immuniweb json parser Apr 7, 2025
@valentijnscholten valentijnscholten marked this pull request as ready for review April 7, 2025 16:49
@dryrunsecurity DryRunSecurity
Copy link

dryrunsecurity bot commented Apr 7, 2025

DryRun Security Summary

ImmuniWeb security scan result parsing implementation revealed multiple security vulnerabilities including potential information exposure, input validation weaknesses, sensitive data leakage, and network security risks in test data and parsing methods.

Expand for full summary

Summary: Multiple files were updated to add JSON parsing support for ImmuniWeb security scan results, including documentation, parser implementation, test files, and a sample scan JSON file.

Security Findings:

  1. Potential Information Exposure

    • JSON parsing method dumps entire item details into finding descriptions
    • Exposed internal/test domain names and IP addresses in test data
    • Leaked credentials example in test JSON file

  2. Input Validation Concerns

    • Limited validation of JSON input structure
    • Relies on presence of specific keys without robust error handling

  3. Endpoint Creation Risks

    • Automatically prepends "https://" without verification
    • Exposed potentially sensitive network details in test data

  4. Sensitive Data in Test Scenarios

    • 187 stolen credentials in sample JSON
    • Leaked credentials from multiple domains
    • Exposed email and password combinations

  5. Network Security Weaknesses (in test data)

    • Missing DNS configuration records (DKIM, DMARC, SPF)
    • Publicly accessible .git repository
    • SSL/TLS encryption issues
    • Open HTTP and HTTPS ports
    • Untrusted SSL certificates

  6. Credential Handling

    • Test cases include checks to prevent raw password exposure in descriptions

View PR in the DryRun Dashboard.

@valentijnscholten
Copy link
Member Author

There are some open questions in #12166 but it looks we don't have more details about this format. The PR still is a good start and we can improve over time if more feedback comes in.

@Maffooch Maffooch requested review from dogboat and hblankenship April 7, 2025 22:02
mtesauro
mtesauro approved these changes Apr 8, 2025
View reviewed changes
Copy link
Contributor

@mtesauro mtesauro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

@Maffooch Maffooch merged commit 8f0a4a9 into DefectDojo:bugfix Apr 9, 2025
78 checks passed
@valentijnscholten
Copy link
Member Author

This new format looks more like a new type of scan, but it's fine to start with the changes in this PR and then take it from there.

Maffooch pushed a commit that referenced this pull request Apr 21, 2025
@valentijnscholten @Maffooch
immuniweb json parser (#12179)
063c6b1 
* immuniweb json: domains

* immuniweb json

* immuniweb json

* immuniweb json
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mtesauro mtesauro mtesauro approved these changes

@dogboat dogboat dogboat approved these changes

@hblankenship hblankenship hblankenship approved these changes

@Maffooch Maffooch Maffooch approved these changes

Assignees
No one assigned
Labels
docs parser unittests
Projects
None yet
Milestone
2.45.1
Development

Successfully merging this pull request may close these issues.
5 participants
@valentijnscholten @mtesauro @dogboat @hblankenship @Maffooch