Hello, we tried to build a testbed for testing the functionality of the tsunami-scanner.
We loaded Ubuntu 20.04.1 LTS on VMware, where we installed the tsunami-security-scanner according to the instructions (Quick Start from the tsunami-scanner README page). We then deployed different Docker containers on a server with images for the Jupyter notebook, WordPress, and Jenkins:
docker run --name unauthenticated-jupyter-notebook -p 8888:8888 -d jupyter/base-notebook start-notebook.sh --NotebookApp.token=''
docker run -p 8443:8080 -p 50000:50000 jenkins
docker-compose up # with attached docker file
All systems were configured in a vulnerable state and should be recognized.
The scan of the Jupyter notebook runs without any problems, but when we scan WordPress or Jenkins we get an error message.
The important console output log lines from the error messages for WordPress and Jenkins read as follows:
Sep 17, 2020 1:57:40 PM com.google.tsunami.plugin.PluginExecutorImpl buildFailedResult
WARNUNG: Plugin '/Tsunami Team ([email protected])/VULN_DETECTION/WordPressInstallPageDetector/0.1' failed.
Sep. 16, 2020 3:14:50 NACHM. com.google.tsunami.plugin.PluginExecutorImpl buildFailedResult
WARNUNG: Plugin '/Tsunami Team ([email protected])/VULN_DETECTION/JenkinsExposedUiDetector/0.1' failed.
Then we tried to debug the code from WordPressInstallPageDetector.java and JenkinsExposedUiDetector.java by adding additional log lines and exception handling to pinpoint the problem. Here is the example for the WordPress plugin:
    import com.google.common.flogger.GoogleLogger;
    import org.jsoup.Jsoup;
    import org.jsoup.select.Elements;

    // Excerpt from WordPressInstallPageDetector with our extra debug logging added;
    // `logger` is the detector's class-level GoogleLogger.
    private static final GoogleLogger logger = GoogleLogger.forEnclosingClass();

    private static boolean responseHasSetupForm(String responseBody) {
      logger.atInfo().log("[WP] trying to determine if responseHasSetupForm");
      try {
        logger.atInfo().log("[WP] getting installationForm");
        logger.atInfo().log("[WP] responseBody: " + responseBody);
        // Last line that produced output; nothing below it appeared in the log.
        Elements installationForm = Jsoup.parse(responseBody).select("form#setup");
        logger.atInfo().log("[WP] got installationForm object. Checking if empty");
        if (installationForm.isEmpty()) {
          logger.atInfo().log("WordPress has already been installed.");
          return false;
        } else {
          logger.atInfo().log("Found unfinished WordPress installation!");
          return true;
        }
      } catch (Exception e) {
        logger.atInfo().log("[WP] an exception got thrown in responseHasSetupForm");
        logger.atInfo().log("[WP] " + e.getMessage());
        throw e;
      }
    }
The last log line that we could get from the WordPress code was in the responseHasSetupForm method, right before the Jsoup.parse. Neither the following line nor the exception were logged, hence we conclude that this is a hard crash of Jsoup, at which point we stopped debugging. The exact same behavior was seen in the Jenkins plugin.
The Java version we used was:
openjdk version "1.8.0_265"
OpenJDK Runtime Environment (build 1.8.0_265-8u265-b01-0ubuntu2~20.04-b01)
OpenJDK 64-Bit Server VM (build 25.265-b01, mixed mode)
composefile.txt
scannoutput.txt
JSONoutput.log
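A stand-alone reproducer for the Jsoup check the report above is debugging, added here as an example; it is not part of the original report or of Tsunami's code. It runs the detector's `form#setup` selector against a constructed sample page outside the scanner and catches `Throwable` rather than `Exception`, so that an `Error` raised inside Jsoup (which a `catch (Exception e)` does not intercept) is still reported. It assumes only Jsoup on the classpath; the class and sample pages are invented for the example.

```java
import org.jsoup.Jsoup;
import org.jsoup.select.Elements;

/** Stand-alone check of the detector's Jsoup selector, outside Tsunami. */
public final class SetupFormCheck {

  // Constructed sample resembling a WordPress install page (not a real capture).
  private static final String INSTALL_PAGE =
      "<html><body><form id=\"setup\" method=\"post\" action=\"install.php?step=2\">"
          + "<input name=\"weblog_title\"></form></body></html>";

  // Constructed sample of an already installed site: no setup form.
  private static final String INSTALLED_PAGE =
      "<html><body><p>Welcome to my blog</p></body></html>";

  /** Same logic as the detector: true when a form with id "setup" is present. */
  static boolean responseHasSetupForm(String responseBody) {
    Elements installationForm = Jsoup.parse(responseBody).select("form#setup");
    return !installationForm.isEmpty();
  }

  /**
   * Runs the check while catching Throwable, so that Errors (for example a class
   * missing at link time) are reported too; a catch (Exception e) lets those pass
   * the log statement without leaving a trace.
   */
  static String checkAndReport(String label, String body) {
    try {
      boolean found = responseHasSetupForm(body);
      return label + ": setup form " + (found ? "found" : "not found");
    } catch (Throwable t) {
      return label + ": " + t.getClass().getName() + " thrown inside Jsoup: " + t.getMessage();
    }
  }

  public static void main(String[] args) {
    System.out.println(checkAndReport("install page", INSTALL_PAGE));
    System.out.println(checkAndReport("installed site", INSTALLED_PAGE));
    // Optionally pass a file holding the response body copied from the scanner's
    // "[WP] responseBody:" log line to test the exact content the detector saw.
    if (args.length == 1) {
      try {
        String saved = new String(java.nio.file.Files.readAllBytes(
            java.nio.file.Paths.get(args[0])), java.nio.charset.StandardCharsets.UTF_8);
        System.out.println(checkAndReport(args[0], saved));
      } catch (java.io.IOException e) {
        System.err.println("could not read " + args[0] + ": " + e.getMessage());
      }
    }
  }
}
```

If the saved response body parses cleanly here but still fails inside the scanner, the problem lies in the plugin's runtime environment rather than in Jsoup's handling of that HTML.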