public CheckPasvJavaServerFacesViewState()
        {
            configpanel = new EnableCheckConfigPanel(this, "JavaServer Faces ViewState", "Reduce noise - enable only one ViewState finding per site.");
            configpanel.Init();

            CheckCategory    = WatcherCheckCategory.Java;
            LongName         = "JavaServer Faces - identify when ViewState data is insecure.";
            LongDescription  = "This check looks at JavaServer Faces values implemented in Apache MyFaces and Sun's Mojarra project, to detect when cryptographic protection has been disabled. If disabled, it's possible for attackers to tamper with the ViewState and create XSS attacks.";
            ShortName        = "JavaServer Faces ViewState vulnerable to tampering";
            ShortDescription = "The response at the following URL contains a ViewState value that has no cryptographic protections:\r\n\r\n";
            Reference        = "http://websecuritytool.codeplex.com/wikipage?title=Checks#java-myfaces-viewstate";
            Recommendation   = "Secure VIEWSTATE with a MAC specific to your environment.";
        }
        //[ThreadStatic] UtilityHtmlParser parser = new UtilityHtmlParser();

        public CheckPasvAspNetViewStateMac()
        {
            configpanel = new EnableCheckConfigPanel(this, "ASP.NET Viewstate", "Reduce noise - enable only one VIEWSTATE finding per site.");
            configpanel.Init();

            CheckCategory    = WatcherCheckCategory.AspNet;
            LongName         = "ASP.NET VIEWSTATE - identify when EnableViewStateMac setting has been disabled.";
            LongDescription  = "This check looks at ASP.NET VIEWSTATE values to detect when MAC protection has been disabled. If disabled, it's possible for attackers to tamper with the VIEWSTATE and create XSS attacks.  More information is available from the advisory at https://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt. \r\n\r\n  Use the configuration option below to reduce output from this check.  When enabled, only one VIEWSTATE finding will be reported per site.  As soon as a single VIEWSTATE finding is identified, no further checking would be done for that domain/site.  When disabled however, the VIEWSTATE will be checked on every single page and page request, which could generate a lot of findings when VIEWSTATE is insecure site-wide.  Keeping this option disabled will produce more thorough results across a site.";
            ShortName        = "ASP.NET VIEWSTATE vulnerable to tampering";
            ShortDescription = "The response at the following URL contains a VIEWSTATE value that has MAC protections disabled:\r\n\r\n";
            Reference        = "http://websecuritytool.codeplex.com/wikipage?title=Checks#asp-net-viewstate-tampering";
            Recommendation   = "Secure VIEWSTATE with a MAC by setting EnableViewStateMac to true, which is on by default.";
        }
        public CheckPasvStrictTransportSecurity()
        {
            // Complies with ???
            StandardsCompliance =
                WatcherCheckStandardsCompliance.None;

            configpanel = new EnableCheckConfigPanel(this, "Strict-Transport-Security", "Enable this (the default) to only check once per unique domain name.  Otherwise checks will be performed on every response from the site.");
            configpanel.Init();

            CheckCategory    = WatcherCheckCategory.Header;
            LongName         = "SSL - Strict-Transport-Security.";
            LongDescription  = "Checks if an HTTPS site sets the Strict-Transport-Security HTTP header.";
            ShortName        = "Strict-Transport-Security";
            ShortDescription = "The HTTPS site did not set the Strict-Transport-Security HTTP header:\r\n\r\n";
            Reference        = "http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-01";
            Recommendation   = "Websites wanting strong transport encryption protection should set the Strict-Transport-Security HTTP header.";
        }
Example #4
0
        public CheckPasvSSLCertValidation()
        {
            // Complies with OWASP ASVL 1 & 2 (DVR 10.5 & 10.6)
            StandardsCompliance =
                WatcherCheckStandardsCompliance.OwaspAppSecVerificationLevel1 |
                WatcherCheckStandardsCompliance.OwaspAppSecVerificationLevel2;

            configpanel = new EnableCheckConfigPanel(this, "SSL CRL Validation", "Enable full CRL validation of SSL Certificate Chains");
            configpanel.Init();

            CheckCategory    = WatcherCheckCategory.Ssl;
            LongName         = "SSL - Look for certificate validation issues.";
            LongDescription  = "This check validates SSL certificates and reports a finding when validation errors such as host name mis-match and expiration are found. If configured, this check will also attempt to walk the certificate chain and perform CRL revocation checking.";
            ShortName        = "SSL - SSL certificate validation";
            ShortDescription = "SSL issues were identified with host:\r\n\r\n";
            Reference        = "http://websecuritytool.codeplex.com/wikipage?title=Checks#ssl-certificate-validation";
            Recommendation   = "Websites should use SSL certificates that match their selected hostnames, and should be re-provisioned prior to expiration.";
        }