Merge branch 'google:master' into magento-cosmicsting-xxe

doyensec · Sep 16, 2024 · 9756354 · 9756354
2 parents e9d93b2 + 4be9797
commit 9756354
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 16 deletions.
diff --git a/...tors/credentials/genericweakcredentialdetector/testers/ncrack/NcrackCredentialTester.java b/...tors/credentials/genericweakcredentialdetector/testers/ncrack/NcrackCredentialTester.java
@@ -16,11 +16,11 @@
 package com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.testers.ncrack;
 
 import static com.google.common.base.Preconditions.checkNotNull;
+import static com.google.common.collect.ImmutableSet.toImmutableSet;
 
-import com.google.common.collect.ArrayListMultimap;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
-import com.google.common.collect.Multimap;
+import com.google.common.collect.ImmutableSet;
 import com.google.common.flogger.GoogleLogger;
 import com.google.errorprone.annotations.CanIgnoreReturnValue;
 import com.google.tsunami.common.command.CommandExecutionThreadPool;
@@ -116,7 +116,7 @@ public boolean canAccept(NetworkService networkService) {
 
   @Override
   public boolean batched() {
-    return true;
+    return false;
   }
 
   @Override
@@ -127,6 +127,11 @@ public ImmutableList<TestCredential> testValidCredentials(
       return ImmutableList.of();
     }
 
+    ImmutableSet<String> usernames =
+        credentials.stream().map(TestCredential::username).collect(toImmutableSet());
+    ImmutableSet<String> passwords =
+        credentials.stream().map(cred -> cred.password().orElse("")).collect(toImmutableSet());
+
     try {
       // We use a Provider here to get a new NcrackClient object because this function might be
       // called multiple times in the client code.
@@ -136,8 +141,8 @@ public ImmutableList<TestCredential> testValidCredentials(
               .withTimingTemplate(TimingTemplate.NORMAL)
               .withQuitCrackingAfterOneFound()
               .withNetworkEndpoint(networkService.getNetworkEndpoint())
-              .usingUsernamePasswordPair(
-                  generateTestCredentialsMapFromListOfCredentials(credentials))
+              .usingUsernameList(usernames)
+              .usingPasswordList(passwords)
               .onTargetService(getTargetService(networkService))
               .run(this.executor);
 
@@ -157,11 +162,4 @@ public ImmutableList<TestCredential> testValidCredentials(
   private static TargetService getTargetService(NetworkService networkService) {
     return SERVICE_MAP.get(NetworkServiceUtils.getServiceName(networkService));
   }
-
-  private static Multimap<String, String> generateTestCredentialsMapFromListOfCredentials(
-      List<TestCredential> credentials) {
-    Multimap<String, String> map = ArrayListMultimap.create();
-    credentials.forEach(c -> map.put(c.username(), c.password().orElse("")));
-    return map;
-  }
 }
diff --git a/...rs/credentials/genericweakcredentialdetector/testers/rstudio/RStudioCredentialTester.java b/...rs/credentials/genericweakcredentialdetector/testers/rstudio/RStudioCredentialTester.java
@@ -97,6 +97,11 @@ public boolean canAccept(NetworkService networkService) {
     if (canAcceptByNmapReport) {
       return true;
     }
+
+    if (!NetworkServiceUtils.isWebService(networkService)) {
+      return false;
+    }
+
     boolean canAcceptByCustomFingerprint = false;
     String url =
         NetworkServiceUtils.buildWebApplicationRootUrl(networkService) + "unsupported_browser.htm";
@@ -138,7 +143,6 @@ public ImmutableList<TestCredential> testValidCredentials(
       NetworkService networkService, List<TestCredential> credentials) {
 
     return credentials.stream()
-        .filter(unused -> NetworkServiceUtils.isWebService(networkService))
         .filter(cred -> isRStudioAccessible(networkService, cred))
         .findFirst()
         .map(ImmutableList::of)

diff --git a/...portscan/nmap/src/main/java/com/google/tsunami/plugins/portscan/nmap/NmapPortScanner.java b/...portscan/nmap/src/main/java/com/google/tsunami/plugins/portscan/nmap/NmapPortScanner.java
@@ -120,6 +120,7 @@ public PortScanningReport scan(ScanTarget scanTarget) {
           .withServiceAndVersionDetection()
           .withVersionDetectionIntensity(5)
           .withScript("banner")
+          .withScript("ssl-cert")
           .withScript("ssl-enum-ciphers")
           .withScript("http-methods", "http.useragent=" + httpClientCliOptions.userAgent)
           .withTimingTemplate(TimingTemplate.AGGRESSIVE)

diff --git a/...scan/nmap/src/test/java/com/google/tsunami/plugins/portscan/nmap/NmapPortScannerTest.java b/...scan/nmap/src/test/java/com/google/tsunami/plugins/portscan/nmap/NmapPortScannerTest.java
@@ -244,9 +244,7 @@ public void run_whenNmapRunHasScripts_returnsSslVersionsAndHttpMethods() throws
 
   @Test
   public void run_whenNmapRunHasScriptsButOptionsUnsupported_returnsHttpMethods() throws Exception {
-    doReturn(loadNmapRun("testdata/localhostHttpWithoutMethods.xml"))
-        .when(nmapClient)
-        .run(any());
+    doReturn(loadNmapRun("testdata/localhostHttpWithoutMethods.xml")).when(nmapClient).run(any());
     NetworkEndpoint networkEndpoint = NetworkEndpointUtils.forIp("127.0.0.1");
     assertThat(
             portScanner.scan(ScanTarget.newBuilder().setNetworkEndpoint(networkEndpoint).build()))