Exemplo n.º 1
        /*
         * private void Helper_GetVulnerabilities(XmlDocument s, string ipadress)
         * {
         *  List<VulnerabilityFound> list_VulnerabilityFound;
         *  list_VulnerabilityFound = new List<VulnerabilityFound>();
         *
         *  XmlNodeList nvtsNodes;
         *  nvtsNodes = s.SelectNodes("/openvas-report/nvts/nvt");
         *
         *  Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format("There are {0} nvts nodes to process", nvtsNodes.Count));
         *
         *  foreach (XmlNode nvtNode in nvtsNodes)
         *  {
         *      string nvtId;
         *      nvtId = nvtNode.Attributes["oid"].InnerText;
         *
         *      Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format("Handling nvtid {0}", nvtId));
         *
         *      string summary      = nvtNode.SelectSingleNode("summary").InnerText;
         *      string risk         = nvtNode.SelectSingleNode("risk").InnerText;
         *      string cve_Value    = nvtNode.SelectSingleNode("cve_id").InnerText;
         *
         *      Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format("      Summary = [{0}]", summary));
         *      Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format("      Risk    = [{0}]", risk));
         *      Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format("      CVE     = [{0}]", cve_Value));
         *
         *      VulnerabilityFound vulnerabilityFound;
         *      vulnerabilityFound = new VulnerabilityFound();
         *      vulnerabilityFound.InnerXml = nvtNode.InnerXml;
         *      vulnerabilityFound.Description = summary;
         *      vulnerabilityFound.Severity = risk;
         *      if (cve_Value.Trim().ToUpper() != "NOCVE")
         *      {
         *          string[] list_Cve_Value;
         *          list_Cve_Value = cve_Value.Split(new char[] { ',' });
         *
         *          foreach (string cve in list_Cve_Value)
         *          {
         *              VulnerabilityFound.Item cve_Item;
         *              cve_Item = new VulnerabilityFound.Item();
         *              cve_Item.ID     = "cve";
         *              cve_Item.Value  = cve;
         *
         *              vulnerabilityFound.ListItem.Add(cve_Item);
         *          }
         *      }
         *
         *      string protocol = portNode.Attributes["protocol"].Value;
         *
         *      int port = -1;
         *      if (portNode.Attributes["portid"] != null)
         *          port = Convert.ToInt32(portNode.Attributes["portid"].Value);
         *
         *      Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format("Processing port {0} protocol {1}", port, protocol));
         *
         *      VulnerabilityEndPoint vulnerabilityEndPoint;
         *      vulnerabilityEndPoint = new VulnerabilityEndPoint();
         *      vulnerabilityEndPoint.IpAdress = m_target;
         *      vulnerabilityEndPoint.Protocol = protocol;
         *      vulnerabilityEndPoint.Port = port;
         *
         *      foreach (XmlNode informationNode in portNode.SelectNodes("information"))
         *      {
         *          string nvtId = informationNode.SelectSingleNode("id").InnerText;
         *
         *
         *
         *          VulnerabilityPersistor.Persist(vulnerabilityFound, vulnerabilityEndPoint, m_jobId, "OpenVas", m_model);
         *      }
         *  }
         * }
         */

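        /// <summary>
        /// Splits a whitespace-separated list of CVE identifiers into one
        /// <c>VulnerabilityFound.Item</c> per identifier, each tagged with ID "cve".
        /// </summary>
        /// <param name="s">Raw identifier list taken from a scanner report; may be null or empty.</param>
        /// <returns>One item per non-empty token; an empty list when there is nothing to split.</returns>
        private List <VulnerabilityFound.Item> splitCVE(string s)
        {
            List <VulnerabilityFound.Item> r = new List <VulnerabilityFound.Item>();

            if (string.IsNullOrEmpty(s))
            {
                return(r);
            }

            // The separator set is space, LF, CR and TAB. The original listed the letter 't'
            // instead of '\t', which left tabs inside values and cut any token containing a 't'.
            char[] separators = new char[] { ' ', '\n', '\r', '\t' };

            // Consecutive separators (e.g. "\r\n") would otherwise yield empty "cve" items
            // that end up stored next to the real identifiers.
            foreach (string token in s.Split(separators, System.StringSplitOptions.RemoveEmptyEntries))
            {
                VulnerabilityFound.Item item = new VulnerabilityFound.Item();
                item.ID    = "cve";
                item.Value = token;
                r.Add(item);
            }
            return(r);
        }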
Exemplo n.º 2
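        /// <summary>
        /// Collects the text of every direct child element named "cve" (any letter case)
        /// of a report item and returns each one as an item with ID "cve".
        /// </summary>
        /// <param name="reportItem">Report node whose direct children are inspected.</param>
        /// <returns>The collected items; empty when <paramref name="reportItem"/> is null or has no such child.</returns>
        private List <VulnerabilityFound.Item> Helper_GetCVE(XmlNode reportItem)
        {
            List <VulnerabilityFound.Item> l = new List <VulnerabilityFound.Item>();

            if (reportItem == null)
            {
                return(l);
            }

            foreach (XmlNode child in reportItem.ChildNodes)
            {
                // Ordinal, case-insensitive match: element names are machine identifiers, so the
                // comparison must not depend on the current culture as ToUpper() does.
                if (!string.Equals(child.Name, "cve", System.StringComparison.OrdinalIgnoreCase))
                {
                    continue;
                }

                VulnerabilityFound.Item item = new VulnerabilityFound.Item();
                item.Value = child.InnerText;
                item.ID    = "cve";
                l.Add(item);
            }

            return(l);
        }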
Exemplo n.º 3
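 /// <summary>
 /// Builds one item per direct child of <paramref name="node"/> that carries a "type"
 /// attribute. The item ID is the attribute's text and the item value is the child's text,
 /// so despite the method name the result is not limited to CVE identifiers.
 /// </summary>
 /// <param name="node">Report node whose direct children are inspected.</param>
 /// <returns>The items collected before any error; errors are traced, not rethrown.</returns>
 private List<VulnerabilityFound.Item> Helper_GetCVE(XmlNode node)
 {
     List<VulnerabilityFound.Item> l = new List<VulnerabilityFound.Item>();
     try
     {
         foreach (XmlNode n in node.ChildNodes)
         {
             // XmlNode.Attributes is null for non-element children (text, comment, CDATA).
             // Indexing it directly threw, and the catch below then silently dropped every
             // remaining identifier of the finding.
             if (n.Attributes == null)
             {
                 continue;
             }

             XmlAttribute typeAttribute = n.Attributes["type"];
             if (typeAttribute == null)
             {
                 continue;
             }

             VulnerabilityFound.Item item = new VulnerabilityFound.Item();
             item.ID = typeAttribute.InnerText;
             item.Value = n.InnerText;
             l.Add(item);
         }
     }
     catch (Exception ex)
     {
         // Best effort: the import continues with whatever was collected so far.
         // The job id is passed as a format argument rather than concatenated into the format string.
         Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("JobID:{0} Error in Helper_GetCVE : Exception = {1}", m_jobId, ex.Message));
     }
     return l;
 }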
Exemplo n.º 4
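        /// <summary>
        /// Walks every port of an OpenVAS report, resolves each "information" entry to its
        /// NVT definition and persists the resulting finding for that endpoint.
        /// </summary>
        /// <param name="s">Parsed OpenVAS report. Its content is scanner output and is treated as untrusted.</param>
        /// <param name="ipadress">Not read by this method; the endpoint address comes from <c>m_target</c>.</param>
        /// <remarks>
        /// The NVT child elements (name, summary, risk, cve_id, bugtraq_id) and the "data" element
        /// are still dereferenced directly, so a report that omits one of them throws.
        /// </remarks>
        private void Helper_GetVulnerabilities(XmlDocument s, string ipadress)
        {
            // Index the NVT definitions by oid once. The original built an XPath by concatenating the
            // report-supplied id into "nvt[@oid='...']": an id containing a quote changes or breaks that
            // query. A dictionary lookup treats the id purely as data and also avoids a document scan per
            // finding. The first definition wins, which is what SelectSingleNode returned.
            Dictionary <string, XmlNode> nvtByOid = new Dictionary <string, XmlNode>();
            foreach (XmlNode candidate in s.SelectNodes("/openvas-report/nvts/nvt")) //Hardcoded
            {
                XmlAttribute oidAttribute = candidate.Attributes["oid"];
                if (oidAttribute != null && !nvtByOid.ContainsKey(oidAttribute.Value))
                {
                    nvtByOid.Add(oidAttribute.Value, candidate);
                }
            }

            XmlNodeList portNodes = s.SelectNodes("/openvas-report/results/result/ports/port"); //Hardcoded

            Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format("There are {0} port nodes to process", portNodes.Count));

            foreach (XmlNode portNode in portNodes)
            {
                XmlAttribute protocolAttribute = portNode.Attributes["protocol"];
                // Invariant upper-casing: the protocol is a machine token, not display text.
                string protocol = protocolAttribute == null ? string.Empty : protocolAttribute.Value.ToUpperInvariant();

                // -1 means "no usable port"; a malformed portid no longer aborts the whole import.
                int port = -1;
                XmlAttribute portAttribute = portNode.Attributes["portid"];
                if (portAttribute != null && !int.TryParse(portAttribute.Value, out port))
                {
                    port = -1;
                    Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format("Ignoring non numeric portid [{0}]", portAttribute.Value));
                }

                Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format("Processing port {0} protocol {1}", port, protocol));

                VulnerabilityEndPoint vulnerabilityEndPoint = new VulnerabilityEndPoint();
                vulnerabilityEndPoint.IpAdress = m_target;
                vulnerabilityEndPoint.Protocol = protocol;
                vulnerabilityEndPoint.Port     = port;

                // The service element and its name attribute are optional here; when absent the
                // endpoint keeps whatever Service value its constructor left.
                XmlNode serviceNode = portNode.SelectSingleNode("service");
                XmlAttribute serviceName = serviceNode == null ? null : serviceNode.Attributes["name"];
                if (serviceName != null)
                {
                    vulnerabilityEndPoint.Service = serviceName.Value.ToUpperInvariant();
                }

                foreach (XmlNode informationNode in portNode.SelectNodes("information"))
                {
                    //<severity>Log Message</severity>  : Information => should be ignored
                    //<severity>Security Note</severity>
                    //<severity>Security Warning</severity>
                    XmlNode idNode = informationNode.SelectSingleNode("id");
                    string  nvtId  = idNode == null ? string.Empty : idNode.InnerText;

                    Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format("   Handling nvtid {0}", nvtId));

                    XmlNode nvtNode;
                    if (!nvtByOid.TryGetValue(nvtId, out nvtNode))
                    {
                        // Trace and skip instead of failing the remaining findings with a null dereference.
                        Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format("   No nvt definition for nvtid {0}, finding skipped", nvtId));
                        continue;
                    }

                    string title     = nvtNode.SelectSingleNode("name").InnerText;
                    string summary   = nvtNode.SelectSingleNode("summary").InnerText;
                    string risk      = nvtNode.SelectSingleNode("risk").InnerText;
                    string cve_Value = nvtNode.SelectSingleNode("cve_id").InnerText;
                    string bid_Value = nvtNode.SelectSingleNode("bugtraq_id").InnerText;
                    string data      = informationNode.SelectSingleNode("data").InnerText;

                    Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format("      Title = [{0}]", title));
                    Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format("      Summary = [{0}]", summary));
                    Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format("      Risk    = [{0}]", risk));
                    Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format("      CVE     = [{0}]", cve_Value));

                    VulnerabilityFound vulnerabilityFound = new VulnerabilityFound();
                    vulnerabilityFound.InnerXml            = nvtNode.InnerXml;
                    vulnerabilityFound.Title               = title;
                    vulnerabilityFound.Description         = summary;
                    vulnerabilityFound.DetailedInformation = data;
                    vulnerabilityFound.Consequence         = data;
                    //TODO: regex parse     OWASP:OWASP-CM-006

                    // Risk could be: None, Unknown, Informational, Low, Medium, High.
                    // Any other value leaves Severity at the value the constructor gave it.
                    switch (risk)
                    {
                    case "None":
                    case "Unknown":
                        vulnerabilityFound.Severity = "1";
                        break;

                    case "Informational":
                        vulnerabilityFound.Severity = "2";
                        break;

                    case "Low":
                        vulnerabilityFound.Severity = "3";
                        break;

                    case "Medium":
                        vulnerabilityFound.Severity = "4";
                        break;

                    case "High":
                        vulnerabilityFound.Severity = "5";
                        break;
                    }

                    if (cve_Value.Trim().ToUpper() != "NOCVE")
                    {
                        foreach (string cve in cve_Value.Split(new char[] { ',' }, StringSplitOptions.RemoveEmptyEntries))
                        {
                            // "CVE-a, CVE-b" used to store " CVE-b" with its leading blank.
                            string cveId = cve.Trim();
                            if (cveId.Length == 0)
                            {
                                continue;
                            }

                            VulnerabilityFound.Item cve_Item = new VulnerabilityFound.Item();
                            cve_Item.ID    = "cve";
                            cve_Item.Value = cveId;

                            vulnerabilityFound.ListItem.Add(cve_Item);
                        }
                    }

                    if (bid_Value.Trim().ToUpper() != "NOBID")
                    {
                        foreach (string bid in bid_Value.Split(new char[] { ',' }, StringSplitOptions.RemoveEmptyEntries))
                        {
                            string bidId = bid.Trim();
                            if (bidId.Length == 0)
                            {
                                continue;
                            }

                            VulnerabilityFound.Reference bid_Reference = new VulnerabilityFound.Reference();
                            bid_Reference.Source = "BID";
                            bid_Reference.Title  = bidId;
                            // The id comes from the report: escape it so it stays a single path segment of
                            // the stored link instead of being able to add path, query or fragment parts.
                            bid_Reference.Url    = "http://www.securityfocus.com/bid/" + Uri.EscapeDataString(bidId);

                            vulnerabilityFound.ListReference.Add(bid_Reference);
                        }
                    }

                    VulnerabilityPersistor.Persist(vulnerabilityFound, vulnerabilityEndPoint, m_jobId, "OpenVas", m_model);
                }
            }
        }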
Exemplo n.º 5
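        /// <summary>
        /// Parses the Acunetix XML report held in <c>m_data</c>, makes sure an ASSET row exists for
        /// the scanned start URL, links that asset to the job's session and persists one
        /// vulnerability per ReportItem element.
        /// </summary>
        /// <remarks>
        /// The report is scanner output and is treated as untrusted input.
        /// NOTE(review): <c>model</c> is never disposed here; confirm whether XORCISMEntities is
        /// disposable and who owns its lifetime.
        /// </remarks>
        public void parse()
        {
            Assembly a = Assembly.GetExecutingAssembly();

            Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", "Assembly location = " + a.Location);

            // ============================================
            // Parse the XML Document and populate the database
            // ============================================

            XmlDocument doc = new XmlDocument();

            // No resolver: a DOCTYPE in an imported report must not make the importer fetch external
            // entities or DTDs (XXE). Older .NET Framework versions attach a URL resolver by default.
            doc.XmlResolver = null;
            doc.LoadXml(m_data);

            XORCISMEntities model = new XORCISMEntities();

            string query = "/ScanGroup/Scan";   //Hardcoded

            XmlNode report = doc.SelectSingleNode(query);
            if (report == null)
            {
                Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("No node found for {0}, nothing to import", query));
                return;
            }

            string ipAddress = HelperGetChildInnerText(report, "StartURL");    //Hardcoded

            // Strip one trailing slash. EndsWith also copes with an empty StartURL, where the
            // original Substring(Length - 1, 1) threw.
            if (!string.IsNullOrEmpty(ipAddress) && ipAddress.EndsWith("/", System.StringComparison.Ordinal))
            {
                ipAddress = ipAddress.Substring(0, ipAddress.Length - 1);
            }
            Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("Handling host with IP {0}", ipAddress));

            // ===============================================
            // If necessary, creates an asset in the database
            // ===============================================
            //TODO: the lookup is not scoped to an account (AccountID filter is disabled).
            var matchingAssets = from candidate in model.ASSET
                                 where candidate.ipaddressIPv4 == ipAddress //&& candidate.AccountID == m_AccountID
                                 select candidate;
            ASSET asset = matchingAssets.FirstOrDefault();

            if (asset == null)
            {
                Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", "Creates a new entry in table ASSET for this IP");

                asset = new ASSET();
                //asset.AccountID = m_AccountID;
                asset.AssetName        = ipAddress;
                asset.AssetDescription = ipAddress;
                asset.ipaddressIPv4    = ipAddress;
                asset.Enabled          = true;
                //asset.JobID = m_JobId;

                model.ASSET.Add(asset);
                model.SaveChanges();
            }
            else
            {
                Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", "This IP already corresponds to an existing asset");
            }

            Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", "Creating ASSETINSESSION reference");

            // The job row is needed both for its SessionID and for the update below: load it once.
            JOB daJob = model.JOB.Single(x => x.JobID == m_JobId);

            ASSETSESSION assinsess = new ASSETSESSION();
            assinsess.AssetID   = asset.AssetID;
            assinsess.SessionID = daJob.SessionID;
            model.ASSETSESSION.Add(assinsess);
            model.SaveChanges();

            Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", "Update JOB with ASSETINSESSIONID");
            daJob.AssetSessionID = assinsess.AssetSessionID;
            model.SaveChanges();

            Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", "VULNERABILITIES FOUND");
            query = "/ScanGroup/Scan/ReportItems";

            report = doc.SelectSingleNode(query);
            if (report == null)
            {
                Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("No node found for {0}, no vulnerability imported", query));
                return;
            }

            // URL fragment -> harmonised reference source, applied in order; a later match overrides
            // an earlier one, exactly as the original chain of independent ifs did.
            //HARDCODED
            //TODO: Use a Common Function
            string[,] sourceByUrlFragment =
            {
                { "/bugtraq/",                          "BUGTRAQ"    },
                { "marc.theaimsgroup.com/?l=bugtraq",   "BUGTRAQ"    },
                { "securityfocus.com/bid",              "BID"        },
                { "osvdb.org/",                         "OSVDB"      },
                { "xforce.iss.net/",                    "XF"         },
                { "www.iss.net/",                       "XF"         },
                { "www.ciac.org/",                      "CIAC"       },
                { "ciac.llnl.gov/",                     "CIAC"       },
                { "www.cert.org/",                      "CERT"       },
                { "sunsolve.sun.org/",                  "SUN"        },
                { "sunsolve.sun.com/",                  "SUN"        },
                { "patches.sgi.com/",                   "SGI"        },
                { "microsoft.com/default.aspx?scid=kb", "MSKB"       },
                { "ftp.sco.com/",                       "SCO"        },
                { "www.trustix.org/",                   "TRUSTIX"    },
                { "ftp.freebsd.org/",                   "FREEBSD"    },
                { "www.secunia.com/",                   "SECUNIA"    },
                { "www.vupen.com/",                     "VUPEN"      },
                { "www.securitytracker.com/",           "SECTRACK"   },
                { "www.redhat.com/",                    "REDHAT"     },
                { "www.exploit-db.com/",                "EXPLOIT-DB" },
                { "www.milw0rm.com/",                   "MILW0RM"    },
                { "www.microsoft.com/",                 "MS"         },
                { "seclists.org/fulldisclosure",        "FULLDISC"   }
            };

            string[] httpMethods = { "GET", "POST" };

            foreach (XmlNode n in report.ChildNodes)
            {
                // Element names are machine identifiers: compare ordinally, not through culture-aware ToUpper().
                if (!string.Equals(n.Name, "ReportItem", System.StringComparison.OrdinalIgnoreCase) || !n.HasChildNodes)
                {
                    continue;
                }

                //TODOs HARDCODED
                VulnerabilityEndPoint vulnerabilityEndPoint = new VulnerabilityEndPoint();
                vulnerabilityEndPoint.IpAdress = ipAddress;
                vulnerabilityEndPoint.Protocol = "TCP"; // "http" / "https": to be reviewed
                vulnerabilityEndPoint.Port     = 80;    // switched to 443 below for https URLs: to be reviewed

                VulnerabilityFound vulnerabilityFound = new VulnerabilityFound();
                //vulnerabilityFound.ListItem = Helper_GetCVE(n);

                // The ReportItem id is part of OuterXml, so identical findings with different ids
                // are not de-duplicated on this value.
                vulnerabilityFound.InnerXml = n.OuterXml;

                string url = HelperGetChildInnerText(n, "Affects");     //Server
                vulnerabilityFound.Url = url;
                if (url.IndexOf("https://", System.StringComparison.OrdinalIgnoreCase) >= 0)
                {
                    vulnerabilityEndPoint.Port = 443;
                }
                Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("Url: {0}", url));
                vulnerabilityFound.Type = HelperGetChildInnerText(n, "Type");

                // Only an explicit "True" marks the finding as a false positive. The original treated
                // everything except the exact string "False" (missing element, "false", blanks) as a
                // false positive, which could hide real findings from the results.
                vulnerabilityFound.IsFalsePositive = string.Equals(
                    HelperGetChildInnerText(n, "IsFalsePositive"), "True", System.StringComparison.OrdinalIgnoreCase);

                vulnerabilityFound.Title = HelperGetChildInnerText(n, "Name");
                //ModuleName
                //Affects
                string description = HelperGetChildInnerText(n, "Description");
                vulnerabilityFound.Description = description;

                //Extract the CVEs
                //https://cve.mitre.org/cve/identifiers/tech-guidance.html
                List <VulnerabilityFound.Item> ListCVEs = new List <VulnerabilityFound.Item>();
                MatchCollection matches = Regex.Matches(description, @"CVE-(19|20)\d\d-(0\d{3}|[1-9]\d{3,})");            //myRegexCVE

                foreach (Match match in matches)
                {
                    // match.Value is the whole identifier. Groups[1] is only the century ("19"/"20")
                    // captured by the first parenthesis, which is what the original stored as the CVE.
                    string cveId = match.Value;

                    Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("CVE: {0}", cveId));
                    VulnerabilityFound.Item item = new VulnerabilityFound.Item();
                    item.ID    = "cve";
                    item.Value = cveId;
                    ListCVEs.Add(item);
                }

                string mySeverity = HelperGetChildInnerText(n, "Severity");
                switch (mySeverity)
                {
                //HARDCODED
                case "high":
                    mySeverity = "High";
                    break;

                case "medium":
                    mySeverity = "Medium";
                    break;

                case "low":
                    mySeverity = "Low";
                    break;
                    //case "info"
                }

                vulnerabilityFound.Severity = mySeverity;
                Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("Severity: {0}", mySeverity));

                // <Details> carries the tested parameter as HTML, e.g.
                //URL encoded GET input <b><font color="dark">id</font></b> was set to <b><font color="dark">4-2+2*3-6</font></b>
                // GET is examined before POST, so POST wins when both appear (as in the original).
                string DetailsAnalysis = HelperGetChildInnerText(n, "Details");
                foreach (string httpMethod in httpMethods)
                {
                    if (!DetailsAnalysis.Contains("URL encoded " + httpMethod))
                    {
                        continue;
                    }

                    vulnerabilityFound.VulnerableParameterType = httpMethod;         //should be Querystring / Post for Netsparker

                    Match parameterMatch = Regex.Match(DetailsAnalysis, @"URL encoded " + httpMethod + @" input <b><font color=""dark"">(.*?)</font></b>");
                    if (!parameterMatch.Success)
                    {
                        continue;
                    }

                    Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("VulnerableParameter: {0}", parameterMatch.Groups[1].Value));
                    vulnerabilityFound.VulnerableParameter = parameterMatch.Groups[1].Value;

                    Match valueMatch = Regex.Match(DetailsAnalysis, @"was set to <b><font color=""dark"">(.*?)</font></b>");
                    if (valueMatch.Success)
                    {
                        Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("VulnerableParameterValue: {0}", valueMatch.Groups[1].Value));
                        vulnerabilityFound.VulnerableParameterValue = valueMatch.Groups[1].Value;
                    }
                }

                List <VulnerabilityFound.Reference> ListReferences = new List <VulnerabilityFound.Reference>();
                foreach (XmlNode nchild in n.ChildNodes)
                {
                    if (!nchild.HasChildNodes)
                    {
                        continue;
                    }

                    if (string.Equals(nchild.Name, "TechnicalDetails", System.StringComparison.OrdinalIgnoreCase))
                    {
                        vulnerabilityFound.rawrequest  = HelperGetChildInnerText(nchild, "Request");
                        vulnerabilityFound.rawresponse = HelperGetChildInnerText(nchild, "Response");
                    }

                    if (string.Equals(nchild.Name, "References", System.StringComparison.OrdinalIgnoreCase))
                    {
                        foreach (XmlNode reference in nchild)
                        {
                            string database = HelperGetChildInnerText(reference, "Database");
                            // NOTE(review): the stored URL is lower-cased, which alters case-sensitive paths;
                            // kept as is in case other imports rely on it for matching.
                            string refurl = HelperGetChildInnerText(reference, "URL").ToLower();

                            VulnerabilityFound.Reference refvuln = new VulnerabilityFound.Reference();
                            refvuln.Title  = database;
                            refvuln.Url    = refurl;
                            refvuln.Source = database;

                            //Try to harmonise the Source with the other imports (ie: exploits)
                            for (int i = 0; i < sourceByUrlFragment.GetLength(0); i++)
                            {
                                if (refurl.Contains(sourceByUrlFragment[i, 0]))
                                {
                                    refvuln.Source = sourceByUrlFragment[i, 1];
                                }
                            }
                            ListReferences.Add(refvuln);
                        }
                    }
                }
                vulnerabilityFound.ListReference = ListReferences;
                vulnerabilityFound.ListItem      = ListCVEs;
                vulnerabilityFound.Result        = DetailsAnalysis;
                vulnerabilityFound.Consequence   = HelperGetChildInnerText(n, "Impact");
                vulnerabilityFound.Solution      = HelperGetChildInnerText(n, "Recommendation");
                vulnerabilityFound.DetailedInformation = HelperGetChildInnerText(n, "DetailedInformation");

                int etat = VulnerabilityPersistor.Persist(vulnerabilityFound, vulnerabilityEndPoint, m_JobId, "acunetix", model);
                if (etat == -1)
                {
                    Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("CANNOT IMPORT THIS ASSET !!!! "));
                }
            }
        }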
Exemplo n.º 6
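            /// <summary>
            /// Imports the Cenzic XML report held in <c>m_data</c> for job <c>m_jobId</c>.
            /// </summary>
            /// <remarks>
            /// Steps: load the report, derive the target and port from its <c>Url</c> elements,
            /// create the ASSET (if missing), a new ASSETSESSION and the ENDPOINT (if missing),
            /// then persist every "Warning" and "Vulnerable" report item through
            /// <c>VulnerabilityPersistor.Persist</c>. "Information" items are not imported yet.
            /// Errors are traced; the method returns early when there is no report data or the
            /// report cannot be loaded or queried.
            /// </remarks>
            public void parse()
            {
                Assembly a = Assembly.GetExecutingAssembly();

                Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", "Assembly location = " + a.Location);

                if (m_data == null)
                {
                    Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", "No report data to import");
                    return;
                }

                XmlDocument doc = new XmlDocument();
                // Scanner reports are untrusted input: with no resolver the parser cannot fetch
                // external DTDs or external entities referenced by the report (XXE).
                doc.XmlResolver = null;

                // ============================================
                // Parse the XML Document and populate the database
                // ============================================

                m_data = m_data.Replace("Configurable format #", "Configurable");   //Hardcoded
                // NOTE(review): this writes the whole report to the trace, including the HttpRequest
                // content read further down, which can hold session cookies or credentials;
                // consider tracing only the length.
                Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("m_data = {0}", m_data));
                try
                {
                    Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", "Loading the XML document");

                    doc.LoadXml(m_data);
                }
                catch (Exception ex)
                {
                    Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Exception = {0} / {1}", ex.Message, ex.InnerException == null ? "" : ex.InnerException.Message));
                    // Stop here: going on would still register an asset/session/endpoint for the job
                    // with no findings, which cannot be told apart from a clean scan.
                    return;
                }

                XORCISMEntities model = new XORCISMEntities();

                string query = "/AssessmentRunData/SmartAttacks/SmartAttacksData";  //Hardcoded

                XmlNodeList report;
                try
                {
                    report = doc.SelectNodes(query);
                }
                catch (Exception ex)
                {
                    Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Error SelectNodes({0}) : Exception = {1}", query, ex.Message));
                    return;
                }

                //We should retrieve the target for an import
                // NOTE(review): the last <Url> element found anywhere in the report wins, and report
                // items carry a Url child too, so this may pick a finding URL rather than the scan
                // target. Confirm against a real report.
                string m_target = string.Empty;
                string patterntoken = "<Url>(.*?)</Url>";
                foreach (Match urlMatch in Regex.Matches(m_data, patterntoken))
                {
                    m_target = urlMatch.Value.Replace("<Url>", "").Replace("</Url>", "");
                    Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", "target: " + m_target);
                }

                // Default port follows the scheme; a port written in the URL overrides it.
                int myPort = 80;
                if (m_target.Contains("https://"))
                {
                    myPort = 443;
                }
                //Check if we have a custom port, ex: http://10.20.30.40:8080/test
                string strTargetTest = m_target.Replace("http://", "").Replace("https://", "");
                try
                {
                    if (strTargetTest.Contains(":"))
                    {
                        // Keep what sits between the first ':' and the next ':' or '/'.
                        strTargetTest = strTargetTest.Split(new char[] { ':' })[1];
                        if (strTargetTest.Contains("/"))
                        {
                            strTargetTest = strTargetTest.Split(new char[] { '/' })[0];
                        }
                        try
                        {
                            myPort = Convert.ToInt32(strTargetTest);
                        }
                        catch (FormatException)
                        {
                            Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", strTargetTest + " is not a sequence of digits.");
                        }
                        Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Custom Port:{0}", strTargetTest));
                    }
                    else
                    {
                        if (strTargetTest.Contains("/"))
                        {
                            // No explicit port: reduce the target to scheme + host.
                            strTargetTest = strTargetTest.Split(new char[] { '/' })[0];
                            if (m_target.Contains("https://"))
                            {
                                m_target = "https://" + strTargetTest;
                            }
                            if (m_target.Contains("http://"))
                            {
                                m_target = "http://" + strTargetTest;
                            }
                        }
                    }
                }
                catch (Exception ex)
                {
                    Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Error in strTargetTest : Exception = {0}", ex.Message));
                }

                Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", "the m_target=" + m_target);

                // ===============================================
                // If necessary, creates an asset in the database
                // ===============================================
                //TODO
                // NOTE(review): the lookup is not scoped to an account (the AccountID filter is
                // commented out). If XORCISM hosts several accounts, an import can attach its
                // findings to an asset owned by another account. Confirm before relying on it.
                var matchingAssets = from candidate in model.ASSET
                                     where candidate.ipaddressIPv4 == m_target //&& candidate.AccountID == m_AccountID
                                     select candidate;
                ASSET asset = matchingAssets.FirstOrDefault();

                if (asset == null)
                {
                    Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", "Creates a new entry in table ASSET for this IP");

                    asset = new ASSET();
                    //asset.AccountID = m_AccountID;
                    asset.AssetName = m_target;
                    asset.AssetDescription = m_target;
                    asset.ipaddressIPv4 = m_target;
                    asset.Enabled = true;
                    //asset.JobID = m_jobId;

                    model.ASSET.Add(asset);
                    model.SaveChanges();
                }
                else
                {
                    Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", "This IP already corresponds to an existing asset");
                }

                int m_assetId = asset.AssetID;
                // The job row is needed twice (session id, then asset-session link): load it once.
                JOB daJob = model.JOB.Single(j => j.JobID == m_jobId);
                int m_sessionId = (int)daJob.SessionID;

                Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", "Creating ASSETINSESSION reference");
                ASSETSESSION assinsess = new ASSETSESSION();
                assinsess.AssetID = asset.AssetID;
                assinsess.SessionID = m_sessionId;
                model.ASSETSESSION.Add(assinsess);
                model.SaveChanges();

                Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", "Update JOB with ASSETINSESSIONID");
                daJob.AssetSessionID = assinsess.AssetSessionID;
                model.SaveChanges();

                VulnerabilityEndPoint vulnerabilityEndPoint = new VulnerabilityEndPoint();
                vulnerabilityEndPoint.IpAdress = m_target;
                vulnerabilityEndPoint.Protocol = "TCP"; // "http";
                vulnerabilityEndPoint.Port = myPort;
                vulnerabilityEndPoint.Service = "WWW";

                // One query instead of Count() followed by FirstOrDefault().
                ENDPOINT existingEndpoint = (from ep in model.ENDPOINT
                                             where ep.AssetID == m_assetId && ep.SessionID == m_sessionId
                                             select ep).FirstOrDefault();
                int myEndpointID;
                if (existingEndpoint == null)
                {
                    ENDPOINT newEndpoint = new ENDPOINT();
                    newEndpoint.AssetID = m_assetId;
                    newEndpoint.SessionID = m_sessionId;
                    newEndpoint.ProtocolName = "TCP"; // "http";
                    newEndpoint.PortNumber = myPort;
                    newEndpoint.Service = "WWW";
                    model.ENDPOINT.Add(newEndpoint);
                    model.SaveChanges();
                    myEndpointID = newEndpoint.EndPointID;
                }
                else
                {
                    myEndpointID = existingEndpoint.EndPointID;
                }
                Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("myEndpointID:{0}", myEndpointID));

                Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("JobID:" + m_jobId + " Found {0} SmartAttacks to parse", report.Count));

                // Both patterns are loop-invariant, so they are built once.
                // NOTE(review): the dots in the PCI pattern are unescaped and match any character.
                Regex pciRegex = new Regex("PCI [0-9].[0-9].[0-9]");
                //https://cve.mitre.org/cve/identifiers/tech-guidance.html
                Regex cveRegex = new Regex(@"CVE-(19|20)\d\d-(0\d{3}|[1-9]\d{3,})");  //TODO: Update this?

                foreach (XmlNode reportHost in report)
                {
                    // ==================================
                    // Handle every SmartAttacksData tag
                    // ==================================

                    // Attack-level fields, filled from SmartAttackInfo and reused for each report item.
                    string myInnerXml = string.Empty;
                    string myTitle = string.Empty;
                    string myDescription = string.Empty;
                    string myConsequence = string.Empty;
                    string myResult = string.Empty;
                    string mySolution = string.Empty;
                    string myPCI = string.Empty;

                    foreach (XmlNode n in reportHost.ChildNodes)
                    {
                        //SmartAttackInfo
                        //ReportItems
                        Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", "Coucou 1");
                        try
                        {
                            if (n.Name == "SmartAttackInfo")
                            {
                                myInnerXml = n.OuterXml;
                                myTitle = HelperGetChildInnerText(n, "SmartAttackName");
                                Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("JobID:" + m_jobId + " Found SmartAttackName:{0}", myTitle));

                                myPCI = pciRegex.Match(myTitle).ToString();
                                if (myPCI != "")
                                {
                                    Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", "PCI=" + myPCI);
                                }

                                //Hardcoded
                                myDescription = HelperGetChildInnerText(n, "Description");
                                myConsequence = HelperGetChildInnerText(n, "HowItWorks");
                                myResult = HelperGetChildInnerText(n, "Impact");
                                mySolution = HelperGetChildInnerText(n, "Remediation");
                            }
                        }
                        catch (Exception ex)
                        {
                            Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("JobID:" + m_jobId + " Error in SmartAttackInfo : Exception = {0}", ex.Message));
                        }

                        if (n.Name != "ReportItems")
                        {
                            continue;
                        }

                        Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", "Coucou 2");
                        foreach (XmlNode x in n.ChildNodes)
                        {
                            //HARDCODED
                            //ReportItem
                            foreach (XmlNode ReportItem in x.ChildNodes)
                            {
                                if (ReportItem.Name != "ReportItemType")
                                {
                                    continue;
                                }

                                string itemType = ReportItem.InnerText;

                                //TODO: "Information" items are not imported yet (no INFORMATION row is written).

                                if (itemType == "Warning")
                                {
                                    try
                                    {
                                        Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", "Warning");
                                        VulnerabilityFound vulnerabilityFound = BuildCenzicFinding(x, myInnerXml, myTitle, myDescription, myConsequence, myResult, mySolution, myPCI != "", cveRegex);

                                        //*** Compliances?
                                        //http://www.cenzic.com/downloads/Cenzic_CWE.pdf
                                        VulnerabilityPersistor.Persist(vulnerabilityFound, vulnerabilityEndPoint, m_jobId, "cenzic", model);
                                    }
                                    catch (Exception ex)
                                    {
                                        Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("JobID:" + m_jobId + " Error in Warning : Exception = {0}. {1}", ex.Message, ex.InnerException));
                                    }
                                }
                                if (itemType == "Vulnerable")
                                {
                                    try
                                    {
                                        Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", "Vulnerable");
                                        VulnerabilityFound vulnerabilityFound = BuildCenzicFinding(x, myInnerXml, myTitle, myDescription, myConsequence, myResult, mySolution, myPCI != "", cveRegex);

                                        // A finding whose attack title carries a PCI tag is flagged and
                                        // persisted like any other, so that it is not lost.
                                        //TODO: map the finding to its PCIDSS compliance category.
                                        VulnerabilityPersistor.Persist(vulnerabilityFound, vulnerabilityEndPoint, m_jobId, "cenzic", model);
                                    }
                                    catch (Exception ex)
                                    {
                                        Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Error in Vulnerable : Exception = {0}. {1}", ex.Message, ex.InnerException));
                                    }
                                }
                            }
                        }
                    }
                }
            }

            // Builds the VulnerabilityFound for one Cenzic ReportItem node: attack-level fields come
            // from the enclosing SmartAttackInfo, item-level fields (Severity, HarmScore, Message,
            // Url, HttpRequest) from the node itself, and CVE ids are extracted from the Message text.
            // Throws when HarmScore is not an integer; the caller traces the error and skips the item.
            private VulnerabilityFound BuildCenzicFinding(XmlNode reportItem, string innerXml, string title, string description, string consequence, string result, string solution, bool pciFlag, Regex cveRegex)
            {
                VulnerabilityFound finding = new VulnerabilityFound();
                finding.InnerXml = innerXml;
                finding.Title = title;
                Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Adding SmartAttackName:{0}", title));
                finding.Description = description;
                finding.Consequence = consequence;
                finding.Result = result;
                finding.Solution = solution;

                if (pciFlag)
                {
                    finding.PCI_FLAG = true;
                }

                //Low, Medium, High
                finding.Severity = HelperGetChildInnerText(reportItem, "Severity");
                finding.HarmScore = int.Parse(HelperGetChildInnerText(reportItem, "HarmScore"));

                // The Message is stored as the raw response: the same vulnerability can come with
                // several different messages, so it is not kept as a per-vulnerability field.
                string message = HelperGetChildInnerText(reportItem, "Message");
                finding.rawresponse = message;

                // Every CVE id mentioned in the message becomes a "cve" reference item.
                List<VulnerabilityFound.Item> references = new List<VulnerabilityFound.Item>();
                foreach (Match cveMatch in cveRegex.Matches(message))
                {
                    Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Index={0}, CVE={1}", cveMatch.Index, cveMatch.Value));
                    VulnerabilityFound.Item item = new VulnerabilityFound.Item();
                    item.Value = cveMatch.Value;
                    item.ID = "cve";
                    references.Add(item);
                }
                finding.ListItem = references;

                finding.Url = HelperGetChildInnerText(reportItem, "Url");
                Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Url={0}", HelperGetChildInnerText(reportItem, "Url")));
                finding.rawrequest = HelperGetChildInnerText(reportItem, "HttpRequest");
                //StructuredData

                return finding;
            }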