cerberauth · emmanuelgautier · Feb 28, 2024 · Feb 28, 2024
@@ -51,10 +51,29 @@ echo "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.e30." | vulnapi scan openapi ./test/st
 The CLI provides detailed reports on any vulnerabilities detected during the scan. Below is an example of the output format:
 
 ```bash
-2024/02/12 16:09:30 [critical][JWT Alg None] http://localhost:8080/: JWT accepts none algorithm and does verify jwt.
-2024/02/12 16:09:30 [critical][JWT Alg None] http://localhost:8080/: JWT accepts none algorithm and does verify jwt.
-2024/02/12 16:09:30 [critical][JWT Alg None] http://localhost:8080/resources/ours: JWT accepts none algorithm and does verify jwt.
-2024/02/12 16:09:30 [critical][JWT Alg None] http://localhost:8080/resources/those: JWT accepts none algorithm and does verify jwt.
++------------+--------------------------------+--------------------------------+----------------------------+
+| RISK LEVEL |         VULNERABILITY          |          DESCRIPTION           |         OPERATION          |
++------------+--------------------------------+--------------------------------+----------------------------+
+| Critical   | JWT None Algorithm             | JWT with none algorithm is     | GET http://localhost:8080/ |
+|            |                                | accepted allowing to bypass    |                            |
+|            |                                | authentication.                |                            |
+| Low        | CSP Header is not set          | No Content Security Policy     | GET http://localhost:8080/ |
+|            |                                | (CSP) Header has been detected |                            |
+|            |                                | in HTTP Response.              |                            |
+| Low        | CORS Header is not set         | No CORS Header has been        | GET http://localhost:8080/ |
+|            |                                | detected in HTTP Response.     |                            |
+| Low        | HSTS Header is not set         | No HSTS Header has been        | GET http://localhost:8080/ |
+|            |                                | detected in HTTP Response.     |                            |
+| Low        | X-Content-Type-Options Header  | No X-Content-Type-Options      | GET http://localhost:8080/ |
+|            | is not set                     | Header has been detected in    |                            |
+|            |                                | HTTP Response.                 |                            |
+| Low        | X-Frame-Options Header is not  | No X-Frame-Options Header      | GET http://localhost:8080/ |
+|            | set                            | has been detected in HTTP      |                            |
+|            |                                | Response.                      |                            |
+| Low        | HTTP Trace Method enabled      | HTTP Trace method seems        | GET http://localhost:8080/ |
+|            |                                | enabled for this request.      |                            |
++------------+--------------------------------+--------------------------------+----------------------------+
+Warning: Critical vulnerabilities detected!
 ```
 
 In this example, each line represents a detected vulnerability, including the timestamp, severity level (critical), vulnerability type (JWT Alg None), affected endpoint (http://localhost:8080/), and a description of the vulnerability (JWT accepts none algorithm and does not verify JWT).

@@ -3,13 +3,9 @@
 import (
 	"log"
 	"net/http"
-	"os"
 	"strings"
 
 	"github.com/cerberauth/vulnapi/scan"
-	"github.com/common-nighthawk/go-figure"
-	"github.com/fatih/color"
-	"github.com/olekukonko/tablewriter"
 	"github.com/spf13/cobra"
 )
 
@@ -28,9 +24,6 @@
 		FParseErrWhitelist: cobra.FParseErrWhitelist{
 			UnknownFlags: true,
 		},
-		PreRun: func(cmd *cobra.Command, args []string) {
-			figure.NewColorFigure("VulnAPI", "", "cyan", true).Print()
-		},
 		Run: func(cmd *cobra.Command, args []string) {
 			url = args[0]
 
@@ -54,52 +47,9 @@
 				log.Fatal(err)
 			}
 
-			reporter, _, err := scan.WithAllVulnsScans().WithAllBestPracticesScans().Execute()
-			if err != nil {
+			if reporter, _, err = scan.WithAllVulnsScans().WithAllBestPracticesScans().Execute(); err != nil {
 				log.Fatal(err)
 			}
-
-			var outputColor *color.Color
-			var outputMessage string
-			var outputStream *os.File
-			if !reporter.HasVulnerability() {
-				outputColor = color.New(color.FgGreen)
-				outputMessage = "Congratulations! No issues were found."
-				outputStream = os.Stdout
-			} else if reporter.HasHighRiskSeverityVulnerability() {
-				outputColor = color.New(color.FgRed)
-				outputMessage = "Warning: Critical vulnerabilities detected!"
-				outputStream = os.Stderr
-			} else {
-				outputColor = color.New(color.FgYellow)
-				outputMessage = "Advice: There are some low-risk issues. It's advised to take a look."
-				outputStream = os.Stderr
-			}
-
-			table := tablewriter.NewWriter(outputStream)
-			table.SetHeader([]string{"Risk Level", "Vulnerability", "Description"})
-
-			for _, v := range reporter.GetVulnerabilityReports() {
-				var lineColor int
-				if v.IsLowRiskSeverity() {
-					lineColor = tablewriter.BgBlueColor
-				} else if v.IsMediumRiskSeverity() {
-					lineColor = tablewriter.FgYellowColor
-				} else if v.IsHighRiskSeverity() {
-					lineColor = tablewriter.FgRedColor
-				}
-
-				table.Rich(
-					[]string{v.SeverityLevelString(), v.Name, v.Description},
-					[]tablewriter.Colors{
-						{tablewriter.Bold, lineColor},
-						{tablewriter.Normal, lineColor},
-						{tablewriter.Normal, tablewriter.FgWhiteColor}},
-				)
-			}
-
-			table.Render()
-			outputColor.Fprintln(outputStream, outputMessage)
 		},
 	}
 

@@ -43,20 +43,9 @@
 				log.Fatal(err)
 			}
 
-			rpr, _, err := scan.WithAllVulnsScans().WithAllBestPracticesScans().Execute()
-			if err != nil {
+			if reporter, _, err = scan.WithAllVulnsScans().WithAllBestPracticesScans().Execute(); err != nil {
 				log.Fatal(err)
 			}
-
-			for _, r := range rpr.GetVulnerabilityReports() {
-				log.Println(r)
-			}
-
-			if !rpr.HasVulnerability() {
-				log.Println("Congratulations! No vulnerability has been discovered!")
-			} else {
-				log.Fatalln("There is one or more vulnerabilies you should know.")
-			}
 		},
 	}
 

@@ -1,13 +1,85 @@
 package scan
 
 import (
+	"fmt"
+	"os"
+
+	"github.com/cerberauth/vulnapi/report"
+	"github.com/common-nighthawk/go-figure"
+	"github.com/fatih/color"
+	"github.com/olekukonko/tablewriter"
 	"github.com/spf13/cobra"
 )
 
+var reporter *report.Reporter
+
+func severityTableColor(v *report.VulnerabilityReport) int {
+	if v.IsLowRiskSeverity() {
+		return tablewriter.BgBlueColor
+	} else if v.IsMediumRiskSeverity() {
+		return tablewriter.FgYellowColor
+	} else if v.IsHighRiskSeverity() {
+		return tablewriter.FgRedColor
+	}
+
+	return tablewriter.BgWhiteColor
+}
+
 func NewScanCmd() (scanCmd *cobra.Command) {
 	scanCmd = &cobra.Command{
 		Use:   "scan [type]",
 		Short: "API Scan",
+		PersistentPreRun: func(cmd *cobra.Command, args []string) {
+			figure.NewColorFigure("VulnAPI", "", "cyan", true).Print()
+		},
+		PersistentPostRun: func(cmd *cobra.Command, args []string) {
+			if reporter == nil {
+				return
+			}
+
+			var outputColor *color.Color
+			var outputMessage string
+			var outputStream *os.File
+			if !reporter.HasVulnerability() {
+				outputColor = color.New(color.FgGreen)
+				outputMessage = "Congratulations! No issues were found."
+				outputStream = os.Stdout
+			} else if reporter.HasHighRiskSeverityVulnerability() {
+				outputColor = color.New(color.FgRed)
+				outputMessage = "Warning: Critical vulnerabilities detected!"
+				outputStream = os.Stderr
+			} else {
+				outputColor = color.New(color.FgYellow)
+				outputMessage = "Advice: There are some low-risk issues. It's advised to take a look."
+				outputStream = os.Stderr
+			}
+
+			headers := []string{"Risk Level", "Vulnerability", "Description"}
+			if cmd.Name() == "openapi" {
+				headers = append(headers, "Operation")
+			}
+
+			table := tablewriter.NewWriter(outputStream)
+			table.SetHeader(headers)
+
+			for _, v := range reporter.GetVulnerabilityReports() {
+				lineColor := severityTableColor(v)
+				row := []string{v.SeverityLevelString(), v.Name, v.Description}
+				if cmd.Name() == "openapi" {
+					row = append(row, fmt.Sprintf("%s %s", v.Operation.Method, v.Operation.Url))
+				}
+
+				tableColors := make([]tablewriter.Colors, len(headers))
+				for i := range tableColors {
+					tableColors[i] = tablewriter.Colors{tablewriter.Bold, lineColor}
+				}
+
+				table.Rich(row, tableColors)
+			}
+
+			table.Render()
+			outputColor.Fprintln(outputStream, outputMessage)
+		},
 	}
 	scanCmd.AddCommand(NewCURLScanCmd())
 	scanCmd.AddCommand(NewOpenAPIScanCmd())

@@ -6,7 +6,7 @@ import (
 	"github.com/cerberauth/vulnapi/internal/auth"
 )
 
-type Operations []Operation
+type Operations []*Operation
 
 func (o Operations) Len() int      { return len(o) }
 func (o Operations) Swap(i, j int) { o[i], o[j] = o[j], o[i] }
@@ -27,21 +27,23 @@ type Operation struct {
 	SecuritySchemes []auth.SecurityScheme
 }
 
-func NewOperation(url, method string, headers *http.Header, cookies []http.Cookie, securitySchemes []auth.SecurityScheme) Operation {
+func NewOperation(url, method string, headers *http.Header, cookies []http.Cookie, securitySchemes []auth.SecurityScheme) *Operation {
 	if len(securitySchemes) == 0 {
 		securitySchemes = []auth.SecurityScheme{auth.NewNoAuthSecurityScheme()}
 	}
 
-	return Operation{
+	operation := Operation{
 		Url:             url,
 		Method:          method,
 		Headers:         headers,
 		Cookies:         cookies,
 		SecuritySchemes: securitySchemes,
 	}
+
+	return &operation
 }
 
-func (o Operation) Clone() Operation {
+func (o *Operation) Clone() *Operation {
 	clonedHeaders := make(http.Header)
 	if o.Headers != nil {
 		clonedHeaders = o.Headers.Clone()

@@ -1,14 +1,15 @@
-package request
+package scan
 
 import (
 	"fmt"
 
 	"github.com/cerberauth/vulnapi/internal/auth"
+	"github.com/cerberauth/vulnapi/internal/request"
 	"github.com/cerberauth/vulnapi/report"
 )
 
-func ScanURL(operation *Operation, securityScheme *auth.SecurityScheme) (*report.VulnerabilityScanAttempt, error) {
-	req, err := NewRequest(operation.Method, operation.Url, nil)
+func ScanURL(operation *request.Operation, securityScheme *auth.SecurityScheme) (*report.VulnerabilityScanAttempt, error) {
+	req, err := request.NewRequest(operation.Method, operation.Url, nil)
 	if err != nil {
 		return nil, fmt.Errorf("request with url %s has an unexpected error", err)
 	} else {

@@ -2,13 +2,16 @@ package report
 
 import (
 	"fmt"
+
+	"github.com/cerberauth/vulnapi/internal/request"
 )
 
 type VulnerabilityReport struct {
 	SeverityLevel float64 // https://nvd.nist.gov/vuln-metrics/cvss
 	Name          string
 	Description   string
-	Url           string
+
+	Operation *request.Operation
 }
 
 func (vr *VulnerabilityReport) IsLowRiskSeverity() bool {
@@ -24,7 +27,7 @@ func (vr *VulnerabilityReport) IsHighRiskSeverity() bool {
 }
 
 func (vr *VulnerabilityReport) String() string {
-	return fmt.Sprintf("[%s][%s] %s: %s", vr.SeverityLevelString(), vr.Name, vr.Url, vr.Description)
+	return fmt.Sprintf("[%s][%s] %s %s: %s", vr.SeverityLevelString(), vr.Name, vr.Operation.Method, vr.Operation.Url, vr.Description)
 }
 
 func (vr *VulnerabilityReport) SeverityLevelString() string {

@@ -3,6 +3,7 @@ package report_test
 import (
 	"testing"
 
+	"github.com/cerberauth/vulnapi/internal/request"
 	"github.com/cerberauth/vulnapi/report"
 	"github.com/stretchr/testify/assert"
 )
@@ -27,9 +28,13 @@ func TestVulnerabilityReport_String(t *testing.T) {
 		SeverityLevel: 7.5,
 		Name:          "Test Vulnerability",
 		Description:   "This is a test vulnerability",
-		Url:           "https://example.com/vulnerability",
+
+		Operation: &request.Operation{
+			Method: "GET",
+			Url:    "https://example.com/vulnerability",
+		},
 	}
-	expected := "[High][Test Vulnerability] https://example.com/vulnerability: This is a test vulnerability"
+	expected := "[High][Test Vulnerability] GET https://example.com/vulnerability: This is a test vulnerability"
 	assert.Equal(t, expected, vr.String())
 }
 func TestVulnerabilityReport_SeverityLevelString(t *testing.T) {