
Security Improvements & Hardening

This document outlines the security improvements made to the Web Vulnerability Scanner.

Security Fixes Applied

1. CRITICAL: Command Injection Prevention

  • Issue: URL parameter passed directly to subprocess without sanitization
  • Fix: Added -- separator to prevent URL from being interpreted as wget options
  • Location: mirror.py:148
  • Impact: Prevents arbitrary command execution via malicious URLs

2. CRITICAL: SSRF (Server-Side Request Forgery) Protection

  • Issue: Scanner could be tricked into accessing internal networks
  • Fix: Implemented is_safe_url() validation that blocks:
    • Private IP ranges (10.x.x.x, 192.168.x.x, 172.16-31.x.x)
    • Localhost (127.0.0.1, ::1)
    • Link-local and reserved IPs
    • Non-HTTP/HTTPS protocols
  • Location: mirror.py:26-57
  • Impact: Prevents scanner from being used to attack internal infrastructure
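The two fixes above (the -- separator and the is_safe_url() check) are easiest to understand together, because the URL must be validated before it is ever handed to wget. The following is an added example written for this page, not the project's own mirror.py code: the function name is_safe_url matches the name used above, but its implementation, the build_wget_argv() and download() helpers, and the injectable resolve parameter (so the check can be exercised without DNS) are assumptions made here.

```python
import ipaddress
import socket
import subprocess
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _is_disallowed_ip(ip) -> bool:
    """True for address ranges a scanner must never be pointed at."""
    return (
        ip.is_private        # 10/8, 172.16/12, 192.168/16, fc00::/7 ...
        or ip.is_loopback    # 127/8, ::1
        or ip.is_link_local  # 169.254/16 (cloud metadata services live here), fe80::/10
        or ip.is_reserved
        or ip.is_multicast
        or ip.is_unspecified  # 0.0.0.0, ::
    )


def is_safe_url(url: str, resolve=socket.getaddrinfo) -> bool:
    """Accept only http(s) URLs whose host is, or resolves to, a public address.
    `resolve` is injectable so the check can be tested offline (assumption)."""
    try:
        parts = urlsplit(url)
    except ValueError:          # e.g. malformed IPv6 literal
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    host = parts.hostname       # brackets around IPv6 literals are already stripped
    try:
        addresses = [ipaddress.ip_address(host)]
    except ValueError:          # not an IP literal: resolve the name
        try:
            addresses = [ipaddress.ip_address(info[4][0]) for info in resolve(host, None)]
        except (socket.gaierror, OSError, ValueError):
            return False        # fail closed on lookup errors
    # Every address the name maps to must be acceptable; one internal record is enough to refuse.
    return bool(addresses) and not any(_is_disallowed_ip(a) for a in addresses)


def build_wget_argv(url: str, output_dir: str) -> list:
    """Argument list for subprocess.run(): no shell, and `--` ends option parsing,
    so a URL beginning with '-' cannot be read as a wget option."""
    if not is_safe_url(url):
        raise ValueError(f"refusing to fetch {url!r}: unsafe scheme or destination")
    return ["wget", "--quiet", "--directory-prefix", output_dir, "--", url]


def download(url: str, output_dir: str, run=subprocess.run) -> int:
    """Run wget without shell=True; returns its exit status."""
    argv = build_wget_argv(url, output_dir)
    return run(argv, check=False).returncode
```

Two caveats worth keeping in mind with this class of check: the name is resolved here and again by wget itself, so a DNS answer that changes between the two lookups is not caught, and wget follows redirects, so only the initial target is validated. Both are reasons to run the scanner in an isolated network environment, as the best-practices section below already recommends.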

3. HIGH: Path Traversal Prevention

  • Issue: Malicious URLs could write files outside intended directory
  • Fix: Implemented path sanitization with:
    • Removal of .. components
    • Path normalization
    • Real path verification to ensure files stay within output directory
  • Location: mirror.py:262-276
  • Impact: Prevents writing files to arbitrary locations on filesystem

4. HIGH: Secure File Permissions

  • Issue: Downloaded files created with default (potentially insecure) permissions
  • Fix:
    • Output directory created with 0750 permissions
    • Individual files set to 0640 permissions
  • Location: mirror.py:114, 312
  • Impact: Prevents unauthorized users from reading potentially sensitive data

5. MEDIUM: Binary File Handling

  • Issue: Scanner tried to write all responses as text, causing crashes on binary files
  • Fix: Added binary content detection and appropriate file handling
  • Location: mirror.py:282-309
  • Impact: Prevents crashes and data corruption
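Items 3, 4 and 5 all concern the same step, writing a fetched response to disk, so one added example covers the three: traversal-safe path construction with a real-path check, 0750/0640 permissions applied explicitly, and a text-or-binary decision before writing. This is example code written for this page, not the project's mirror.py; the function names (sanitize_relative_path, is_within, safe_output_path, looks_binary, write_response) and the list of content types treated as text are assumptions.

```python
import os

# Content types written as text; everything else is treated as binary (assumption).
TEXT_CONTENT_TYPES = ("text/", "application/json", "application/javascript",
                      "application/xml", "application/xhtml+xml")


def sanitize_relative_path(url_path: str) -> str:
    """Turn a URL path into a relative filesystem path: drop empty, '.' and
    '..' components, normalise, and give directory-style paths an index file."""
    parts = [p for p in url_path.split("/") if p not in ("", ".", "..")]
    if not parts:
        return "index.html"
    rel = os.path.normpath(os.path.join(*parts))
    return os.path.join(rel, "index.html") if url_path.endswith("/") else rel


def is_within(base_dir: str, target: str) -> bool:
    """Real-path check: after resolving symlinks, target must sit inside base_dir."""
    base = os.path.realpath(base_dir)
    return os.path.commonpath([base, os.path.realpath(target)]) == base


def safe_output_path(base_dir: str, url_path: str) -> str:
    """Absolute destination for url_path, or ValueError if it would escape base_dir."""
    target = os.path.join(base_dir, sanitize_relative_path(url_path))
    if not is_within(base_dir, target):
        raise ValueError(f"refusing to write outside {base_dir!r}: {target!r}")
    return os.path.realpath(target)


def looks_binary(content_type: str, body: bytes) -> bool:
    """Binary unless the Content-Type is a known text type and the first KiB has no NUL bytes."""
    media_type = (content_type or "").split(";")[0].strip().lower()
    if not media_type.startswith(TEXT_CONTENT_TYPES):
        return True
    return b"\x00" in body[:1024]


def _charset(content_type: str) -> str:
    """charset= parameter of a Content-Type header, defaulting to utf-8."""
    for param in (content_type or "").split(";")[1:]:
        key, _, value = param.strip().partition("=")
        if key.lower() == "charset" and value:
            return value.strip('"')
    return "utf-8"


def _ensure_dir(path: str) -> None:
    """mkdir -p with 0750 on every directory this call creates (chmod is explicit
    because the mode passed to mkdir is still reduced by the process umask)."""
    if not path or os.path.isdir(path):
        return
    _ensure_dir(os.path.dirname(path))
    os.mkdir(path, 0o750)
    os.chmod(path, 0o750)


def write_response(base_dir: str, url_path: str, body: bytes, content_type: str = "") -> str:
    """Store one fetched resource under base_dir: traversal-safe path, 0640 file mode,
    bytes written verbatim for binary content and decoded text otherwise."""
    path = safe_output_path(base_dir, url_path)
    _ensure_dir(os.path.dirname(path))
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o640)
    if looks_binary(content_type, body):
        with os.fdopen(fd, "wb") as fh:
            fh.write(body)
    else:
        try:
            text = body.decode(_charset(content_type), errors="replace")
        except LookupError:             # unknown charset label in the header
            text = body.decode("utf-8", errors="replace")
        with os.fdopen(fd, "w", encoding="utf-8", errors="replace") as fh:
            fh.write(text)
    os.chmod(path, 0o640)               # again explicit, independent of umask
    return path
```

The real-path check is what matters when a component removal is not enough: a symlink already present under the output directory could still point elsewhere, and is_within() catches that case because it compares resolved paths rather than the strings the crawler built.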

6. MEDIUM: Crawl Limits

  • Issue: No limits on crawling could lead to resource exhaustion
  • Fix: Added configurable limits:
    • max_pages: Maximum pages to crawl (default: 1000)
    • max_depth: Maximum crawl depth (default: 10)
    • rate_limit: Delay between requests (default: 0.5s)
  • Location: mirror.py:13-24, 167
  • Impact: Prevents memory exhaustion and server overload
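An added example of how the three limits bound a breadth-first crawl; it is not the project's crawler. The crawl() function, its injectable fetch_links and sleep parameters (so the loop can run offline and without real delays), the same-origin restriction, and the constructed SAMPLE_SITE link graph are all assumptions made here; the default values match the ones listed above.

```python
import time
from collections import deque
from urllib.parse import urljoin, urlsplit

DEFAULT_LIMITS = {"max_pages": 1000, "max_depth": 10, "rate_limit": 0.5}


def crawl(start_url, fetch_links, limits=None, sleep=time.sleep):
    """Breadth-first crawl bounded by max_pages, max_depth and rate_limit.
    fetch_links(url) returns the links found on that page (injected so the crawler
    can be tested without a network). Returns the visited URLs in crawl order."""
    cfg = dict(DEFAULT_LIMITS, **(limits or {}))
    origin = urlsplit(start_url).netloc
    queue = deque([(start_url, 0)])
    seen = {start_url}
    visited = []
    while queue and len(visited) < cfg["max_pages"]:   # hard cap on pages fetched
        url, depth = queue.popleft()
        if visited:
            sleep(cfg["rate_limit"])                    # politeness delay between requests
        visited.append(url)
        if depth >= cfg["max_depth"]:
            continue                                    # record the page, do not expand it
        for link in fetch_links(url):
            absolute = urljoin(url, link).split("#")[0]  # drop fragments, dedupe
            if urlsplit(absolute).netloc != origin or absolute in seen:
                continue                                # stay on the target site
            seen.add(absolute)
            queue.append((absolute, depth + 1))
    return visited


# Constructed site graph for offline demonstration (not a real site).
SAMPLE_SITE = {
    "http://example.test/": ["/a", "/b", "/a#top", "http://other.test/x"],
    "http://example.test/a": ["/a/1", "/a/2"],
    "http://example.test/b": ["/b/1"],
    "http://example.test/a/1": ["/a/1/deep"],
    "http://example.test/a/2": [],
    "http://example.test/b/1": [],
    "http://example.test/a/1/deep": ["/"],
}


def sample_links(url):
    return SAMPLE_SITE.get(url, [])


if __name__ == "__main__":
    print(crawl("http://example.test/", sample_links, {"max_pages": 4, "rate_limit": 0}))
```

Note that max_depth and max_pages guard different things: depth stops the crawler from following link chains indefinitely (including cycles it has not yet seen), while the page cap bounds memory and the load placed on the target even on a wide, shallow site.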

7. MEDIUM: Input Validation

  • Issue: No validation of URL formats or directory paths
  • Fix: Added validation for:
    • URL format (must be http:// or https://)
    • Directory existence
    • Configuration file JSON validity
  • Location: main.py:25-35, 55-70
  • Impact: Provides clear error messages and prevents crashes

Additional Improvements

Code Quality

  1. Fixed Missing Import: Added import re to mirror.py (line 4)
  2. Fixed Method Signatures: Corrected analyze() signatures in broken_authentication.py and idor.py
  3. Fixed Context Checks: Corrected list-in-list comparison bugs in xss_vulnerabilities.py
  4. Fixed Link Parsing: Properly handles both href and src attributes

Error Handling

  1. Improved error messages throughout
  2. Proper exit codes on failures
  3. Better handling of missing dependencies (wget)
  4. JSON parse error handling in config loading
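The input validation listed under item 7 and the error-handling points above (clear messages, exit codes, missing wget, JSON parse errors) belong to the same start-up path, so one added example covers both. This is example code for this page rather than the project's main.py: the function names, the exit-code values and the rule that every setting must be numeric are assumptions; the three default settings are the ones the page lists.

```python
import json
import os
import shutil
import sys
from urllib.parse import urlsplit

# Constructed exit codes for this example; the project's actual values are not given on the page.
EXIT_OK, EXIT_USAGE, EXIT_CONFIG, EXIT_MISSING_DEP = 0, 2, 3, 4

DEFAULT_CONFIG = {"max_pages": 1000, "max_depth": 10, "rate_limit": 0.5}


def validate_inputs(url: str, output_dir: str) -> list:
    """Return human-readable problems with the command-line inputs; empty list means OK."""
    errors = []
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        errors.append(f"target must be an http:// or https:// URL, got {url!r}")
    if not os.path.isdir(output_dir):
        errors.append(f"output directory does not exist: {output_dir!r}")
    return errors


def load_config(path):
    """Load settings on top of the defaults. Returns (config, error): a missing file
    is not an error, malformed JSON is reported with its position rather than raised."""
    config = dict(DEFAULT_CONFIG)
    if path is None or not os.path.exists(path):
        return config, None
    try:
        with open(path, "r", encoding="utf-8") as fh:
            data = json.load(fh)
    except json.JSONDecodeError as exc:
        return None, f"{path}: invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"
    except OSError as exc:
        return None, f"{path}: cannot read config: {exc.strerror}"
    if not isinstance(data, dict):
        return None, f"{path}: top-level JSON value must be an object"
    unknown = sorted(set(data) - set(DEFAULT_CONFIG))
    if unknown:
        return None, f"{path}: unknown setting(s): {', '.join(unknown)}"
    for key, value in data.items():          # reject strings, bools, lists for numeric limits
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            return None, f"{path}: setting {key!r} must be a number"
    config.update(data)
    return config, None


def wget_available() -> bool:
    """The mirror step shells out to wget; check for it up front instead of failing mid-scan."""
    return shutil.which("wget") is not None


def main(argv) -> int:
    if len(argv) < 3:
        print("usage: main.py <url> <output_dir> [config.json]", file=sys.stderr)
        return EXIT_USAGE
    url, output_dir = argv[1], argv[2]
    config_path = argv[3] if len(argv) > 3 else None
    problems = validate_inputs(url, output_dir)
    if problems:
        for problem in problems:
            print("error:", problem, file=sys.stderr)
        return EXIT_USAGE
    config, err = load_config(config_path)
    if err:
        print("error:", err, file=sys.stderr)
        return EXIT_CONFIG
    if not wget_available():
        print("error: wget not found on PATH; install it before running the scanner", file=sys.stderr)
        return EXIT_MISSING_DEP
    print(f"would scan {url} into {output_dir} with {config}")
    return EXIT_OK


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Returning distinct non-zero codes rather than letting exceptions propagate is what lets a wrapper script or CI job tell a usage mistake from a broken config file or a missing dependency.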

Configuration

  1. Created scanner_config.json for default settings
  2. Created requirements.txt for Python dependencies
  3. Created .gitignore to prevent credential leaks

Security Best Practices

For Users

  1. Never commit credentials:
    • Use auth_config.json for credentials (excluded in .gitignore)
    • Never commit auth_config.json to version control
  2. Validate scan targets:
    • Only scan websites you have permission to test
    • Verify URLs before scanning
    • Be aware of rate limits
  3. Secure output files:
    • Review output reports for sensitive data before sharing
    • Store reports securely (0640 permissions)
    • Delete reports when no longer needed
  4. Network safety:
    • SSRF protection blocks internal networks by default
    • Do not disable safety checks
    • Run scanner in isolated environments when possible

For Developers

  1. Adding new features:
    • Always validate user input
    • Use parameterized queries/commands
    • Avoid shell=True in subprocess calls
    • Sanitize file paths
  2. Plugin development:
    • Plugins are loaded dynamically from detections/
    • Only add trusted plugins
    • Review plugin code for security issues
  3. Dependencies:
    • Keep dependencies updated
    • Review security advisories for used libraries
    • Pin dependency versions in requirements.txt

Known Limitations

  1. Dynamic Analysis: Scanner performs static analysis only
  2. JavaScript Rendering: Does not execute JavaScript (no headless browser)
  3. OAuth/MFA: Complex authentication flows not supported
  4. Rate Limiting: Basic implementation; may need tuning for some sites

Reporting Security Issues

If you discover a security vulnerability, please report it responsibly:

  1. Do not open a public issue
  2. Contact the maintainer directly
  3. Provide detailed reproduction steps
  4. Allow time for fixes before public disclosure

Security Audit History

  • 2025-01-XX: Comprehensive security audit completed
    • 21 issues identified and fixed
    • 3 critical, 3 high, 7 medium, 4 low, 4 code quality
    • All issues resolved