What You Should Know About the Equifax Data Breach Settlement

Big-three credit bureau Equifax has reportedly agreed to pay at least $650 million to settle lawsuits stemming from a 2017 breach that let intruders steal personal and financial data on roughly 148 million Americans. Here’s a brief primer that attempts to break down what this settlement means for you, and what it says about the value of your identity.

Link: https://krebsonsecurity.com/2019/07/what-you-should-know-about-the-equifax-data-breach-settlement/

Git-Hound – Find Exposed Keys Across GitHub Using Code Search Keywords

A pattern-matching, batch-catching secret snatcher. This project is intended to be used for educational purposes. Git Hound makes it easy to find exposed API keys on GitHub using pattern matching, targeted querying, and a scoring system.

Usage

    echo "tillsongalloway.com" | python git-hound.py

or

    python git-hound.py --subdomain-file subdomains.txt

We also offer a number of flags to target specific patterns (known service API keys), file names (.htpasswd, .env), and languages (python, javascript).

Flags

--subdomain-file    The file with the subdomains
--output            The output file (default is stdout)
--output-type       The output type (requires --output to be set; default is flatfile)
--all               Print all URLs, including ones with no pattern match. Otherwise, the scoring system will do the work.
--regex-file        Supply a custom regex file
--api-keys          Enable generic API key searching. This uses common API key patterns and Shannon entropy to find potential exposed API keys.
--language-file     Supply a custom file with languages to search.
--config-file       Custom config file (default is config.yml)
--pages             Max pages to search (default is 100, the page maximum)
--silent            Don't print results to stdout (most reasonably used with --output).
--no-antikeywords   Don't attempt to filter out known mass scans
--only-filtered     Only search filtered queries (languages, file extensions)

Setup

1. Clone this repo.
2. Use a Python 3 environment (recommended: virtualenv or Conda).
3. pip install -r requirements.txt (or pip3)
4. Set up a config.yml file with GitHub credentials. See config.example.yml for an example. Accounts with 2FA are not currently supported.
5. echo "tillsongalloway.com" | python git-hound.py

Download Git-Hound

Link: http://www.kitploit.com/2019/07/git-hound-find-exposed-keys-across.html

GitGot – Semi-automated, Feedback-Driven Tool To Rapidly Search Through Troves Of Public Data On GitHub For Sensitive Secrets

GitGot is a semi-automated, feedback-driven tool to empower users to rapidly search through troves of public data on GitHub for sensitive secrets.

How it Works

During search sessions, users provide feedback to GitGot about search results to ignore, and GitGot prunes the set of results. Users can blacklist files by filename, repository name, username, or a fuzzy match of the file contents. Blacklists generated from previous sessions can be saved and reused against similar queries (e.g., example.com vs. subdomain.example.com vs. Example Org). Sessions can also be paused and resumed at any time.

Read more about the semi-automated, human-in-the-loop design here: https://know.bishopfox.com/blog/going-semi-automated-in-an-automated-world-using-human-in-the-loop-workflows-to-improve-our-security-tools

Install Instructions

[1] Install the ssdeep dependency for fuzzy hashing.

Ubuntu/Debian (or equivalent for your distro):

    apt-get install libfuzzy-dev ssdeep

or, for Mac OSX:

    brew install ssdeep

For Windows or *nix distributions without the ssdeep package, please see the ssdeep installation instructions.

[2] After installing ssdeep, install the Python dependencies using pip:

    pip3 install -r requirements.txt

Usage

GitHub requires a token for rate-limiting purposes. Create a GitHub API token with no permissions/no scope. This will be equivalent to public GitHub access, but it will allow access to use the GitHub Search API. Set this token at the top of gitgot.py as shown below:

    ACCESS_TOKEN = ""

After adding the token, you are ready to go:

    # Query for the string "example.com" using the default RegEx list and logfile location (/logs/<query>.log)
    ./gitgot.py -q example.com

    # Using GitHub advanced search syntax
    ./gitgot.py -q "org:github cats"

    # Custom RegEx list and custom log file location
    ./gitgot.py -q example.com -f checks/default.list -o example1.log

    # Recovery from an existing session
    ./gitgot.py -q example.com -r example.com.state

    # Using an existing session (with its blacklists) for a new query
    ./gitgot.py -q "Example Org" -r example.com.state

Query Syntax

GitGot queries are fed directly into the GitHub code search API, so check out GitHub's documentation for more advanced query syntax.

UI Commands

Ignore similar [c]ontent: Blacklists a fuzzy hash of the file contents to ignore future results that are similar to the selected file
Ignore [r]epo/[u]ser/[f]ilename: Ignores future results by blacklisting the selected strings
Search [/(mykeyword)]: Provides a custom regex expression with a capture group to search on-the-fly (e.g., /(secretToken))
[a]dd to Log: Adds RegEx matches to the log file, including all on-the-fly search results from the search command
Next [<Enter>], [b]ack: Advances through search results, or returns to previous results
[s]ave state: Saves the blacklists and progress in the search results from the session
[q]uit: Quit

Download GitGot

Link: http://feedproxy.google.com/~r/PentestTools/~3/a-tFgzEyrNg/gitgot-semi-automated-feedback-driven.html

0xsp-Mongoose – Privilege Escalation Enumeration Toolkit (ELF 64/32), Fast, Intelligent Enumeration With Web API Integration

Using 0xsp Mongoose you will be able to scan a targeted operating system for any possible way to perform privilege escalation attacks, from the information-collecting stage through to reporting the information via the 0xsp Web Application API. The user can scan different Linux systems at the same time with high performance, without spending time looking through the terminal or a text file for what was found; Mongoose shortens this by letting you send the information directly into a friendly web application interface through an easy API endpoint.

The project is divided into two sections, server and agent. The server has been coded in PHP (CodeIgniter); you need to install this application into your preferred environment, either online or on your localhost, as you prefer. Contributions to enhance its features are most welcome. The agent has been coded as an ELF binary with Lazarus Free Pascal and will be released in 32- and 64-bit builds. When executing the agent on the targeted system with all required parameters, the user is free to decide whether to communicate with the server app to store the results and explore them easily, or to run the tool without a Web API connection.

Agent Usage

Make sure to give it executable permission:

    chmod +x agent
    ./agent -h    (display help instructions)

-k  Check the kernel for commonly used privilege escalation exploits.
-u  Get information about users, groups and related information.
-c  Check cron jobs.
-n  Retrieve network information, interfaces, etc.
-w  Enumerate writeable files, directories and SUID binaries.
-i  Search for Bash, Python, MySQL, Vim, etc. history files.
-f  Search for sensitive config files that are accessible, and private stuff.
-o  Connect to the 0xsp Web Application.
-p  Show all processes running under root; check for vulnerable packages.
-e  Kernel inspection tool; it searches the tool's databases for kernel vulnerabilities.
-x  Secret key to authorize your connection with the Web App API (default is 0xsp).
-a  Display the README.

Server Web App (must be reachable as http://host/0xsp/)

Make sure to have at least PHP 5.6 or above; MySQL 5.6 is required. Make sure to add the web application on the root path / with the folder name 0xsp, as in http://localhost/0xsp/; the agent will not connect if this is not configured correctly. The agent will connect only in the following form:

    ./agent {SCAN OPTION} -o localhost -x secretkey

Examples with Web API

    ./agent -c -o localhost -x 0xsp         { enumerate cron tasks and transfer the results into the Web API }
    ./agent -e -o localhost -x 0xsp         { intelligent exploit detector }
    ./agent -c -e -o localhost -x 0xsp      { run two scans together and send the found results directly }
    ./agent -m -o 10.10.13.1 -x 0xsp        { run all scans together and export them to the Web API }

Examples without Web API

    ./agent -c -k -p                        { run 3 scans at the same time without sending results into the Web API }

Agent Features

High performance and stability; output results are generated while executing, with no delays.
Ability to execute most functions with intelligent techniques.
Results are sent to a quick Web API.
Exception handling.
Inbuilt JSON data set of publicly disclosed exploits.
Fast as a mongoose.

Download 0xsp-Mongoose

Link: http://feedproxy.google.com/~r/PentestTools/~3/I5pWurWr6Zw/0xsp-mongoose-privilege-escalation.html

Microsoft to Require Multi-Factor Authentication for Cloud Solution Providers

It might be difficult to fathom how this isn’t already mandatory, but Microsoft Corp. says it will soon force all Cloud Solution Providers (CSPs) that help companies manage their Microsoft Azure and Office365 accounts to use multi-factor authentication. The move comes amid a noticeable uptick in phishing and malware attacks targeting CSP employees and contractors.

Link: https://krebsonsecurity.com/2019/06/microsoft-to-require-multi-factor-authentication-for-cloud-solution-providers/

Vxscan – Comprehensive Scanning Tool

Vxscan is a Python3 comprehensive scanning tool, mainly used for sensitive file detection (directory scanning and JS leaked-interface discovery), WAF/CDN identification, port scanning, fingerprint/service identification, operating system identification, weak password detection, POC scanning, SQL injection, CDN bypass, and lookup of other sites hosted on the same IP.

Update

2019.6.18
Fixed the fingerprint recognition error on IIS websites; modified apps.json.
Removed some third-party libraries and scripts that are prone to errors.
If scanning completes in a flash, it is because the program first checks DNS resolution and ping reachability.
The first time you use Vxscan, fake_useragent will load the UA list from https://fake-useragent.herokuapp.com/browsers/0.1.11, and a load timeout error may occur.

Requirements

Python version > 3.6
requests, tqdm, pyfiglet, fake-useragent, beautifulsoup4, geoip2, tldextract, python-nmap, lxml, pymongo, virustotal_python

    apt install libpq-dev nmap
    wget https://geolite.maxmind.com/download/geoip/database/GeoLite2-City.tar.gz

After decompressing, put the GeoLite2-City.mmdb inside it at vxscan/db/GeoLite2-City.mmdb.

    wget https://geolite.maxmind.com/download/geoip/database/GeoLite2-ASN.tar.gz

After decompressing, put the GeoLite2-ASN.mmdb inside it at vxscan/db/GeoLite2-ASN.mmdb.

    pip3 install -r requirements.txt

Features

- Generates a dictionary list using the Cartesian product method; supports a custom dictionary list.
- Random UserAgent, XFF, X-Real-IP.
- Custom 404 page recognition: accesses random pages and then compares the similarity through difflib to identify custom 302 jumps.
- When scanning directories, first detects the HTTP ports and adds the multiple HTTP ports of one host to the scan targets.
- Filters invalid Content-Type and invalid status codes.
- WAF/CDN detection.
- Uses sockets to send packets to detect common ports, and sends different payloads to detect port service fingerprints.
- Hosts found with every port open (portspoof) are automatically skipped.
- Calls wappalyzer.json and WebEye to determine the website fingerprint.
- Websites detected as CDN or WAF are automatically skipped.
- Calls nmap to identify the operating system fingerprint.
- Calls weak password detection scripts based on the open ports (FTP/SSH/TELNET/Mysql/MSSQL...).
- Calls POC scans based on fingerprint identification or port, or on the open web ports of an IP.
- Analyzes sensitive asset information (domain names, mailboxes, API keys, passwords, etc.) in JS files.
- Grabs website links and tests for SQL injection, LFI, etc.
- Calls some online interfaces to obtain information (VT, www.yougetsignal.com and other websites): determines the real IP through VT pdns, and queries the website via www.yougetsignal.com and api.hackertarget.com.

Usage

    python3 Vxscan.py -h

    optional arguments:
      -h, --help                     show this help message and exit
      -u URL, --url URL              Start scanning this url -u xxx.com
      -i INET, --inet INET           cidr eg. 1.1.1.1 or 1.1.1.0/24
      -f FILE, --file FILE           read the url from the file
      -t THREADS, --threads THREADS  Set scan thread, default 150
      -e EXT, --ext EXT              Set scan suffix, -e php,asp
      -w WORD, --word WORD           Read the dict from the file

1. Scan a website:

    python3 vxscan.py -u http://www.xxx.com/

2. Scan websites from a file list:

    python3 vxscan.py -f hosts.txt

3. CIDR, e.g. 1.1.1.1 or 1.1.1.0/24:

    python3 vxscan.py -i 127.0.0.0/24

4. Set 100 threads, combine only the php suffix, use a custom dictionary:

    python3 vxscan.py -u http://www.xxx.com -e php -t 100 -w ../dict.txt

Structure

    /
    ├─Vxscan.py              main file
    ├─db
    │  ├─apps.json           Web fingerprint information
    │  ├─apps.txt            Web fingerprint information (WEBEYE)
    │  ├─password.txt        password
    ├─report                 Report directory
    ├─lib
    │  ├─common.py           Determine CDN, port scan, POC scan, etc.
    │  ├─color.py            Terminal color output
    │  ├─active.py           Judge dns parsing and ping ip survival
    │  ├─save_html.py        Generate html report
    │  ├─waf.py              waf rules
    │  ├─osdetect.py         Operating system version identification
    │  ├─random_header.py    random header
    │  ├─scan_port.py        PortScan
    │  ├─jsparse.py          Grab the website js connection, analyze ip address, link, email, etc.
    │  ├─settings.py         Setting
    │  ├─pyh.py              Generate html
    │  ├─wappalyzer.py       Fingerprint recognition script
    │  ├─sql_injection.py    Grab the website connection and test the SQL injection script
    ├─script
    │  ├─Poc.py              Poc script
    │  ├─……
    ├─requirements.txt
    ├─logo.jpg
    ├─error.log

Waf/CDN list

360, 360wzws, Anquanbao, Armor, BaiduYunjiasu, AWS WAF, AdNovum, Airee CDN, Art of Defence HyperGuard, ArvanCloud, Barracuda NG, Beluga CDN, BinarySEC, BlockDoS, Bluedon IST, CacheFly CDN, ChinaCache CDN, Cisco ACE XML Gateway, CloudFlare CDN, Cloudfront CDN, Comodo, CompState, DenyALL WAF, DenyAll, Distil Firewall, DoSArrest Internet Security, F5 BIG-IP APM, F5 BIG-IP ASM, F5-TrafficShield, Fastly CDN, FortiWeb, FortiWeb Firewall, GoDaddy, GreyWizard Firewall, HuaweiCloudWAF, HyperGuard Firewall, IBM DataPower, ISAServer, Immunify360, Imperva SecureSphere, Incapsula CDN, Jiasule, KONA, KeyCDN, ModSecurity, NGENIX CDN, NSFOCUS, Naxsi, NetContinuum, NetContinuum WAF, Neusoft SEnginx, Newdefend, Palo Alto Firewall, PerimeterX Firewall, PowerCDN, Profense, Qiniu CDN, Reblaze Firewall, SDWAF, Safe3, Safedog, SiteLock TrueShield, SonicWALL, SonicWall, Sophos UTM Firewall, Stingray, Sucuri, Teros WAF, Usp-Sec, Varnish, Wallarm, WatchGuard, WebKnight, West263CDN, Yundun, Yunsuo, ZenEdge Firewall, aesecure, aliyun, azion CDN, cloudflare CDN, dotDefender, limelight CDN, maxcdn CDN, mod_security, yunsuo

Output

The following is the result for the AWVS scanner test website:

    [
      {
        "testphp.vulnweb.com": {
          "WAF": "NoWAF",
          "Webinfo": {
            "apps": ["Nginx", "PHP", "DreamWeaver", "php"],
            "title": "Home of Acunetix Art",
            "server": "nginx/1.4.1",
            "pdns": ["176.28.50.165 : 2019-06-09 02:05:52"],
            "reverseip": ["176.28.50.165", "rs202995.rs.hosteurope.de", "testhtml5.vulnweb.com", "testphp.ingensec.ch", "testphp.ingensec.com", "testphp.ingensec.fr", "testphp.vulnweb.com", "vulnweb.com", "www.vulnweb.com"]
          },
          "Ports": ["IMAPS:993", "ssh:22", "imap:143", "http:80", "Unknown:8880", "pop:110", "POP3:995", "smtp:25", "Unknown:8443", "SMTPS:465", "DNS:53", "ftp:21"],
          "Ipaddr": "176.28.50.165",
          "Address": "德国 ",
          "Vuln": [
            "http://testphp.vulnweb.com | Home of Acunetix Art",
            "MySQL SQLi:http://testphp.vulnweb.com/search.php?test=query",
            "MySQL SQLi:http://testphp.vulnweb.com/artists.php?artist=1",
            "MySQL SQLi:http://testphp.vulnweb.com/listproducts.php?cat=2"
          ],
          "URLS": [
            {"rsp_code": 200, "rsp_len": 12473, "title": "None", "contype": "xml", "url": "/.idea/workspace.xml"},
            {"rsp_code": 200, "rsp_len": 1, "title": "None", "contype": "plain", "url": "/CVS/Root"},
            {"rsp_code": 200, "rsp_len": 4732, "title": "search", "contype": "html", "url": "/search.php"},
            {"rsp_code": 200, "rsp_len": 1, "title": "None", "contype": "plain", "url": "/CVS/Entries"},
            {"rsp_code": 200, "rsp_len": 3265, "title": "Home of WASP Art", "contype": "plain", "url": "/index.bak"},
            {"rsp_code": 200, "rsp_len": 143, "title": "None", "contype": "xml", "url": "/.idea/scopes/scope_settings.xml"},
            {"rsp_code": 200, "rsp_len": 3265, "title": "Home of WASP Art", "contype": "zip", "url": "/index.zip"},
            {"rsp_code": 200, "rsp_len": 275, "title": "None", "contype": "xml", "url": "/.idea/modules.xml"},
            {"rsp_code": 200, "rsp_len": 5523, "title": "login page", "contype": "html", "url": "/login.php"},
            {"rsp_code": 200, "rsp_len": 278, "title": "Index of /admin/", "contype": "html", "url": "/admin/"},
            {"rsp_code": 200, "rsp_len": 224, "title": "None", "contype": "xml", "url": "/crossdomain.xml"},
            {"rsp_code": 302, "rsp_len": 14, "title": "None", "contype": "html", "url": "/userinfo.php"},
            {"rsp_code": 200, "rsp_len": 6, "title": "None", "contype": "plain", "url": "/.idea/.name"},
            {"rsp_code": 200, "rsp_len": 4958, "title": "Home of Acunetix Art", "contype": "html", "url": "/index.php"}
          ]
        }
      }
    ]

Note

Design ideas reference cnnetarmy's Srchunter.
The weak password module refers to brut3k1t: https://github.com/ex0dus-0x/brut3k1t
Fingerprint recognition mainly calls Wappalyzer and WebEye: https://github.com/b4ubles/python3-Wappalyzer and https://github.com/zerokeeper/WebEye
POCs referenced: BBscan scanner https://github.com/lijiejie/BBScan, POC-T https://github.com/Xyntax/POC-T/tree/2.0/script, Perun https://github.com/WyAtu/Perun
Port scan and service judgment refer to anthx's scanner: https://raw.githubusercontent.com/AnthraX1/InsightScan/master/scanner.py
Injection crawler reference: DSSS https://github.com/stamparm/DSSS
JS sensitive-information regex extraction reference: https://github.com/nsonaniya2010/SubDomainizer
WAF judgment uses the wafw00f and WhatWaf judgment rules: https://github.com/EnableSecurity/wafw00f and https://github.com/Ekultek/WhatWaf

Download Vxscan

Link: http://feedproxy.google.com/~r/PentestTools/~3/0ZDcFApPJl8/vxscan-comprehensive-scanning-tool.html

Sliver – Implant Framework

Sliver is a general purpose cross-platform implant framework that supports C2 over Mutual-TLS, HTTP(S), and DNS. Implants are dynamically compiled with unique X.509 certificates signed by a per-instance certificate authority generated when you first run the binary. The server, client, and implant all support MacOS, Windows, and Linux (and possibly every Golang compiler target, but we've not tested them all).

Features

- Dynamic code generation
- Compile-time obfuscation
- Local and remote process injection
- Anti-anti-anti-forensics
- Secure C2 over mTLS, HTTP(S), and DNS
- Windows process migration
- Windows user token manipulation
- Multiplayer-mode
- Procedurally generated C2 over HTTP (work in progress)
- Let's Encrypt integration
- In-memory .NET assembly execution
- DNS Canary Blue Team Detection

Getting Started

Download the latest release and see the Sliver wiki for a quick tutorial on basic setup and usage. To get the very latest and greatest, compile from source.

Compile From Source

See the wiki.

Source Code

The source code repo contains the following directories:

- assets/ - Static assets that are embedded into the server binary, generated by go-assets.sh
- client/ - Client code; the majority of this code is also used by the server
- protobuf/ - Protobuf code
- server/ - Server-side code
- sliver/ - Implant code, rendered by the server at runtime
- util/ - Utility functions that may be shared by the server and client

Download Sliver

Link: http://www.kitploit.com/2019/06/sliver-implant-framework.html

Recsech – Tool For Doing Footprinting And Reconnaissance On The Target Web

Recsech is a tool for doing Footprinting and Reconnaissance on the target web. Recsech collects information such as DNS Information, Sub Domains, HoneySpot Detected, Subdomain takeovers, Reconnaissance On Github and much more, as you can see in the feature table below.

Features in tools

    Name                       Release   Release Date
    Auto request with Proxy    yes       01/05/19
    Find Email                 yes       01/05/19
    HoneySpot Detected         yes       01/05/19
    Subdomain takeover         yes       01/05/19
    Check Technologies         yes       01/05/19
    Whois                      no        N/A
    Crlf injection             no        N/A
    Header Security            yes       01/05/19
    Update Check               yes       01/05/19
    Port Scanner               yes       02/05/19
    Sort Domain By IP          yes       02/05/19
    WordPress audit            no        N/A
    Reconnaissance On Github   yes       02/05/19
    Language Selection         yes       02/05/19
    WAF                        yes       03/05/19

Requirements for using this tool

We need several requirements for this tool to run smoothly.

Linux: PHP 7.x, PHP curl
Windows: XAMPP >= 7.3.5

Installation

You can download the latest tarball by clicking here or the latest zipball by clicking here. Preferably, you can download sqlmap by cloning the Git repository:

    git clone --depth 1 https://github.com/radenvodka/Recsech.git Recsech

Recsech Environment Windows (Command Prompt Windows)

Download Recsech. How to install to the Windows CLI:

1. Extract all files in C:\Windows
2. Edit the file Recsech.bat, then set your PHP path (if you have installed xampp on your C drive you don't need to do this step):

    @echo off
    set PATH=%PATH%;C:\xampp\php
    title Recsech - Recon and Research
    php "C:\Windows\Recsech.php" %1

3. Open cmd and run the Recsech command.

Usage

It is enough to execute the command:

    php Recsech.php example.com

or if it doesn't work, use the command:

    php Recsech.php debug

and don't forget to ask at the issue page.

Download Recsech

Link: http://feedproxy.google.com/~r/PentestTools/~3/fA2yZMgyywc/recsech-tool-for-doing-footprinting-and.html

Bandit – Tool Designed To Find Common Security Issues In Python Code

Bandit is a tool designed to find common security issues in Python code. To do this Bandit processes each file, builds an AST from it, and runs appropriate plugins against the AST nodes. Once Bandit has finished scanning all the files it generates a report. Bandit was originally developed within the OpenStack Security Project and later rehomed to PyCQA.

Installation

Bandit is distributed on PyPI. The best way to install it is with pip.

Create a virtual environment (optional):

    virtualenv bandit-env

Install Bandit:

    pip install bandit
    # Or if you're working with a Python 3 project
    pip3 install bandit

Run Bandit:

    bandit -r path/to/your/code

Bandit can also be installed from source. To do so, download the source tarball from PyPI, then install it:

    python setup.py install

Usage

Example usage across a code tree:

    bandit -r ~/your_repos/project

Example usage across the examples/ directory, showing three lines of context and only reporting on the high-severity issues:

    bandit examples/*.py -n 3 -lll

Bandit can be run with profiles. To run Bandit against the examples directory using only the plugins listed in the ShellInjection profile:

    bandit examples/*.py -p ShellInjection

Bandit also supports passing lines of code to scan using standard input. To run Bandit with standard input:

    cat examples/imports.py | bandit -

Usage:

    $ bandit -h
    usage: bandit [-h] [-r] [-a {file,vuln}] [-n CONTEXT_LINES] [-c CONFIG_FILE]
                  [-p PROFILE] [-t TESTS] [-s SKIPS] [-l] [-i]
                  [-f {csv,custom,html,json,screen,txt,xml,yaml}]
                  [--msg-template MSG_TEMPLATE] [-o [OUTPUT_FILE]] [-v] [-d] [-q]
                  [--ignore-nosec] [-x EXCLUDED_PATHS] [-b BASELINE] [--ini INI_PATH]
                  [--version] [targets [targets ...]]

    Bandit - a Python source code security analyzer

    positional arguments:
      targets               source file(s) or directory(s) to be tested

    optional arguments:
      -h, --help            show this help message and exit
      -r, --recursive       find and process files in subdirectories
      -a {file,vuln}, --aggregate {file,vuln}
                            aggregate output by vulnerability (default) or by filename
      -n CONTEXT_LINES, --number CONTEXT_LINES
                            maximum number of code lines to output for each issue
      -c CONFIG_FILE, --configfile CONFIG_FILE
                            optional config file to use for selecting plugins and
                            overriding defaults
      -p PROFILE, --profile PROFILE
                            profile to use (defaults to executing all tests)
      -t TESTS, --tests TESTS
                            comma-separated list of test IDs to run
      -s SKIPS, --skip SKIPS
                            comma-separated list of test IDs to skip
      -l, --level           report only issues of a given severity level or higher
                            (-l for LOW, -ll for MEDIUM, -lll for HIGH)
      -i, --confidence      report only issues of a given confidence level or higher
                            (-i for LOW, -ii for MEDIUM, -iii for HIGH)
      -f {csv,custom,html,json,screen,txt,xml,yaml}, --format {csv,custom,html,json,screen,txt,xml,yaml}
                            specify output format
      --msg-template MSG_TEMPLATE
                            specify output message template (only usable with
                            --format custom), see CUSTOM FORMAT section for list of
                            available values
      -o [OUTPUT_FILE], --output [OUTPUT_FILE]
                            write report to filename
      -v, --verbose         output extra information like excluded and included files
      -d, --debug           turn on debug mode
      -q, --quiet, --silent
                            only show output in the case of an error
      --ignore-nosec        do not skip lines with # nosec comments
      -x EXCLUDED_PATHS, --exclude EXCLUDED_PATHS
                            comma-separated list of paths (glob patterns supported)
                            to exclude from scan (note that these are in addition to
                            the excluded paths provided in the config file)
      -b BASELINE, --baseline BASELINE
                            path of a baseline report to compare against (only
                            JSON-formatted files are accepted)
      --ini INI_PATH        path to a .bandit file that supplies command line arguments
      --version             show program's version number and exit

    CUSTOM FORMATTING
    -----------------

    Available tags:

        {abspath}, {relpath}, {line}, {test_id}, {severity}, {msg}, {confidence}, {range}

    Example usage:

        Default template:
        bandit -r examples/ --format custom --msg-template \
        "{abspath}:{line}: {test_id}[bandit]: {severity}: {msg}"

        Provides same output as:
        bandit -r examples/ --format custom

        Tags can also be formatted in python string.format() style:
        bandit -r examples/ --format custom --msg-template \
        "{relpath:20.20s}: {line:03}: {test_id:^8}: DEFECT: {msg:>20}"

        See python documentation for more information about formatting style:
        https://docs.python.org/3.4/library/string.html

    The following tests were discovered and loaded:
    -----------------------------------------------

      B101 assert_used   B102 exec_used   B103 set_bad_file_permissions
      B104 hardcoded_bind_all_interfaces   B105 hardcoded_password_string
      B106 hardcoded_password_funcarg   B107 hardcoded_password_default
      B108 hardcoded_tmp_directory   B110 try_except_pass   B112 try_except_continue
      B201 flask_debug_true
      B301 pickle   B302 marshal   B303 md5   B304 ciphers   B305 cipher_modes   B306 mktemp_q
      B307 eval   B308 mark_safe   B309 httpsconnection   B310 urllib_urlopen   B311 random
      B312 telnetlib   B313 xml_bad_cElementTree   B314 xml_bad_ElementTree
      B315 xml_bad_expatreader   B316 xml_bad_expatbuilder   B317 xml_bad_sax
      B318 xml_bad_minidom   B319 xml_bad_pulldom   B320 xml_bad_etree   B321 ftplib
      B322 input   B323 unverified_context   B324 hashlib_new_insecure_functions   B325 tempnam
      B401 import_telnetlib   B402 import_ftplib   B403 import_pickle   B404 import_subprocess
      B405 import_xml_etree   B406 import_xml_sax   B407 import_xml_expat   B408 import_xml_minidom
      B409 import_xml_pulldom   B410 import_lxml   B411 import_xmlrpclib   B412 import_httpoxy
      B413 import_pycrypto
      B501 request_with_no_cert_validation   B502 ssl_with_bad_version   B503 ssl_with_bad_defaults
      B504 ssl_with_no_version   B505 weak_cryptographic_key   B506 yaml_load
      B507 ssh_no_host_key_verification
      B601 paramiko_calls   B602 subprocess_popen_with_shell_equals_true
      B603 subprocess_without_shell_equals_true   B604 any_other_function_with_shell_equals_true
      B605 start_process_with_a_shell   B606 start_process_with_no_shell
      B607 start_process_with_partial_path   B608 hardcoded_sql_expressions
      B609 linux_commands_wildcard_injection   B610 django_extra_used   B611 django_rawsql_used
      B701 jinja2_autoescape_false   B702 use_of_mako_templates   B703 django_mark_safe

Baseline

Bandit allows specifying the path of a baseline report to compare against using the baseline argument (i.e. -b BASELINE or --baseline BASELINE):

    bandit -b BASELINE

This is useful for ignoring known vulnerabilities that you believe are non-issues (e.g. a cleartext password in a unit test). To generate a baseline report simply run Bandit with the output format set to json (only JSON-formatted files are accepted as a baseline) and the output file path specified:

    bandit -f json -o PATH_TO_OUTPUT_FILE

Version control integration

Use pre-commit. Once you have it installed, add this to the .pre-commit-config.yaml in your repository (be sure to update rev to point to a real git tag/revision!):

    repos:
    - repo: https://github.com/PyCQA/bandit
      rev: '' # Update me!
      hooks:
      - id: bandit

Then run pre-commit install and you're ready to go.

Configuration

An optional config file may be supplied and may include:

- lists of tests which should or shouldn't be run
- exclude_dirs: sections of the path that, if matched, will be excluded from scanning (glob patterns supported)
- overridden plugin settings: may provide different settings for some plugins

Per Project Command Line Args

Projects may include a .bandit file that specifies command line arguments that should be supplied for that project. The currently supported arguments are:

- targets: comma separated list of target dirs/files to run bandit on
- exclude: comma separated list of excluded paths
- skips: comma separated list of tests to skip
- tests: comma separated list of tests to run

To use this, put a .bandit file in your project's directory. For example:

    [bandit]
    exclude: /test

    [bandit]
    tests: B101,B102,B301

Exclusions

In the event that a line of code triggers a Bandit issue, but the line has been reviewed and the issue is a false positive or acceptable for some other reason, the line can be marked with a # nosec and any results associated with it will not be reported. For example, although this line may cause Bandit to report a potential security issue, it will not be reported:

    self.process = subprocess.Popen('/bin/echo', shell=True)  # nosec

Vulnerability Tests

Vulnerability tests or "plugins" are defined in files in the plugins directory. Tests are written in Python and are autodiscovered from the plugins directory. Each test can examine one or more types of Python statements. Tests are marked with the types of Python statements they examine (for example: function call, string, import, etc.). Tests are executed by the BanditNodeVisitor object as it visits each node in the AST. Test results are maintained in the BanditResultStore and aggregated for output at the completion of a test run.

Writing Tests

To write a test:

1. Identify a vulnerability to build a test for, and create a new file in examples/ that contains one or more cases of that vulnerability.
2. Consider the vulnerability you're testing for, and mark the function with one or more of the appropriate decorators:
   - @checks('Call')
   - @checks('Import', 'ImportFrom')
   - @checks('Str')
3. Create a new Python source file to contain your test; you can reference existing tests for examples.
4. The function that you create should take a parameter "context", which is an instance of the context class you can query for information about the current element being examined. You can also get the raw AST node for more advanced use cases. Please see the context.py file for more.
5. Extend your Bandit configuration file as needed to support your new test.
6. Execute Bandit against the test file you defined in examples/ and ensure that it detects the vulnerability. Consider variations on how this vulnerability might present itself and extend the example file and the test function accordingly.

Extending Bandit

Bandit allows users to write and register extensions for checks and formatters. Bandit will load plugins from two entry-points:

- bandit.formatters
- bandit.plugins

Formatters need to accept 4 things:

- result_store: An instance of bandit.core.BanditResultStore
- file_list: The list of files which were inspected in the scope
- scores: The scores awarded to each file in the scope
- excluded_files: The list of files that were excluded from the scope

Plugins tend to take advantage of the bandit.checks decorator, which allows the author to register a check for a particular type of AST node. For example:

    @bandit.checks('Call')
    def prohibit_unsafe_deserialization(context):
        if 'unsafe_load' in context.call_function_name_qual:
            return bandit.Issue(
                severity=bandit.HIGH,
                confidence=bandit.HIGH,
                text="Unsafe deserialization detected."
            )

To register your plugin, you have two options:

1. If you're using setuptools directly, add something like the following to your setup call:

    # If you have an imaginary bson formatter in the bandit_bson module
    # and a function called `formatter`.
    entry_points={'bandit.formatters': ['bson = bandit_bson:formatter']}
    # Or a check for using mako templates in bandit_mako that
    entry_points={'bandit.plugins': ['mako = bandit_mako']}

2. If you're using pbr, add something like the following to your setup.cfg file:

    [entry_points]
    bandit.formatters =
        bson = bandit_bson:formatter
    bandit.plugins =
        mako = bandit_mako

Contributing

Contributions to Bandit are always welcome! The best way to get started with Bandit is to grab the source:

    git clone https://github.com/PyCQA/bandit.git

You can test any changes with tox:

    pip install tox
    tox -e pep8
    tox -e py27
    tox -e py35
    tox -e docs
    tox -e cover

Please make pull requests from your own branch, and not master:

    git checkout -b mychange
    git push origin mychange

Reporting Bugs

Bugs should be reported on GitHub. To file a bug against Bandit, visit: https://github.com/PyCQA/bandit/issues

Under Which Version of Python Should I Install Bandit?

The answer to this question depends on the project(s) you will be running Bandit against. If your project is only compatible with Python 2.7, you should install Bandit to run under Python 2.7. If your project is only compatible with Python 3.5, then use 3.5 respectively. If your project supports both, you could run Bandit with both versions but you don't have to.

Bandit uses the ast module from Python's standard library in order to analyze your Python code. The ast module is only able to parse Python code that is valid in the version of the interpreter from which it is imported. In other words, if you try to use Python 2.7's ast module to parse code written for 3.5 that uses, for example, yield from with asyncio, then you'll have syntax errors that will prevent Bandit from working properly. Alternatively, if you are relying on 2.7's octal notation of 0777 then you'll have a syntax error if you run Bandit on 3.x.

References

Bandit docs: https://bandit.readthedocs.io/en/latest/
Python AST module documentation: https://docs.python.org/2/library/ast.html
Green Tree Snakes - the missing Python AST docs: https://greentreesnakes.readthedocs.org/en/latest/
Documentation of the various types of AST nodes that Bandit currently covers or could be extended to cover: https://greentreesnakes.readthedocs.org/en/latest/nodes.html

Download Bandit
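The three mechanisms the Bandit README describes above (an AST visitor that runs a 'Call' check on every node, a qualified callee name like context.call_function_name_qual resolved through imports, and the # nosec exclusion) written out as a stand-alone example. This is added code, not Bandit's own: it uses only the standard library instead of the @bandit.checks API, and ShellCheckVisitor, scan, SHELL_CAPABLE and the embedded SAMPLE source are all constructed here.

```python
import ast
import io
import tokenize
from dataclasses import dataclass

# Process-spawning calls that accept shell=; the family Bandit's B602 test looks at.
SHELL_CAPABLE = {
    "subprocess.Popen", "subprocess.call", "subprocess.run",
    "subprocess.check_call", "subprocess.check_output",
}


@dataclass
class Issue:
    lineno: int
    test_id: str
    severity: str
    qualname: str
    text: str


def nosec_lines(source):
    """Line numbers carrying a '# nosec' comment (Bandit's exclusion marker)."""
    marked = set()
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.COMMENT and "nosec" in tok.string:
            marked.add(tok.start[0])
    return marked


class ShellCheckVisitor(ast.NodeVisitor):
    """Walks the AST in source order and runs one 'Call' check, as BanditNodeVisitor does."""

    def __init__(self):
        self.aliases = {}   # local name -> fully qualified import target
        self.issues = []

    def visit_Import(self, node):
        for alias in node.names:           # import subprocess / import os.path as osp
            self.aliases[alias.asname or alias.name] = alias.name
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        module = node.module or ""
        for alias in node.names:           # from subprocess import Popen as P
            self.aliases[alias.asname or alias.name] = f"{module}.{alias.name}"
        self.generic_visit(node)

    def qualified_name(self, func):
        """Dotted name of the callee, resolved through aliases (the idea behind
        context.call_function_name_qual); None if it cannot be resolved."""
        if isinstance(func, ast.Name):
            return self.aliases.get(func.id, func.id)
        if isinstance(func, ast.Attribute):
            base = self.qualified_name(func.value)
            return None if base is None else f"{base}.{func.attr}"
        return None

    def visit_Call(self, node):
        qual = self.qualified_name(node.func)
        if qual in SHELL_CAPABLE:
            shell_true = any(
                kw.arg == "shell"
                and isinstance(kw.value, ast.Constant)
                and kw.value.value is True
                for kw in node.keywords
            )
            if shell_true:
                self.issues.append(Issue(node.lineno, "B602", "HIGH", qual,
                                         f"{qual} called with shell=True"))
        self.generic_visit(node)           # keep descending: nested calls count too


def scan(source, honour_nosec=True):
    """Return the issues found in `source`, dropping '# nosec' lines unless
    honour_nosec is False (the counterpart of bandit --ignore-nosec)."""
    visitor = ShellCheckVisitor()
    visitor.visit(ast.parse(source))
    if not honour_nosec:
        return visitor.issues
    skip = nosec_lines(source)
    return [issue for issue in visitor.issues if issue.lineno not in skip]


# Constructed sample input (not from the page); line 1 is the blank line after the quotes.
SAMPLE = """
import subprocess
from subprocess import Popen as P
import os

subprocess.call("ls -l", shell=True)
P(["ls", "-l"])
P("cat /etc/hostname", shell=True)  # nosec
os.system("id")
subprocess.run(["id"], shell=False)
"""
```

Running scan(SAMPLE) reports only line 6; the aliased Popen on line 8 is caught too but suppressed by its # nosec marker, exactly as Bandit's Exclusions section describes.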

Link: http://feedproxy.google.com/~r/PentestTools/~3/wb0Wk6QXXFo/bandit-tool-designed-to-find-common.html