This is a standalone application that allows you to scan Vaadin applications for vulnerabilities. Currently, common vulnerability scanners are not able to detect vulnerabilities in Vaadin applications. This tool acts as middleware between Vaadin and a vulnerability scanner, enabling scanners to interact with Vaadin applications and detect vulnerabilities.
At the moment, the tool only supports scanning HTML forms, which have to be selected manually. The tool is only compatible with Vaadin 10 and later.
First, the user manually selects the forms that should be scanned (for more details on this step see Form Selector). The selected forms and their elements are saved in a database. After selecting all forms, you can export pseudo-URLs as a text file: one URL is created per form, and one query parameter is added to that URL per form element. The text file can be imported into a vulnerability scanner; its structure is currently optimized for OWASP ZAP. When executing an attack, the scanner sends requests to the imported URLs, which point to PenTest4Vaadin rather than to the target application. PenTest4Vaadin looks up the URL in the database, retrieves the corresponding form and, with the stored information, opens the form's page in a browser. The parameters that the scanner sends are read and injected into the form fields as values. Finally, PenTest4Vaadin submits the form and returns the resulting page to the scanner. Because, from the scanner's point of view, it only performed a plain GET request, it can analyze the response with its usual checks to find vulnerabilities.
To run this application, Java JDK 8 or higher is required. Moreover, the ChromeDriver executable must be on the PATH.
This project is built with Maven and Spring Boot.
After downloading this project, you can run the application with the command `mvn spring-boot:run`. A server is started on port 8087. Currently, it is not possible to change the port.
First, open the frontend at localhost:8087.
Then type the URL of the application that you want to scan into the field URL and click Start form selector.
With the form selector you can select the forms that you want to scan later (for more details see Form Selector). The elements that you can select are highlighted when you move your mouse over them. Click on the elements you want to add to a form; selected elements are highlighted with a red border.
If you want, you can set the parameter name and the default value of selected elements. In general, elements are not scanned or attacked if they have a default value.
To exclude an element, select the element and click on Exclude element.
Don't forget to select the submit button as well.
When you are finished, give the form a name and click on Save form. Now you can select the elements of a new form.
If you need to record a route because there is no direct link to a form, click on Record route at the beginning, before you select any element. And don't forget to stop recording the route.
After you have selected all forms, you can close the Selenium browser. To view the newly saved forms, you have to refresh the frontend of PenTest4Vaadin. If you select a form, the associated elements are shown. You can edit the elements if you need to.
The URLs can be exported as a text file. Only the parameters that don't have a default value are exported. If you want to scan elements that have a default value, you have to append them manually to the URLs.
Afterwards, you can import the created text file into OWASP ZAP. As long as the scan helper is running, you can execute any action in OWASP ZAP (for more details see Scan Helper).
You can also choose whether the scanner should use a headless browser or not. You can find this setting in the tab Scan Helper.
At the moment, only the following components are supported:

Element | Default value |
---|---|
vaadin-text-field | (none) |
vaadin-password-field | (none) |
vaadin-text-area | (none) |
vaadin-button | click |
vaadin-checkbox | true |
vaadin-combobox | 1 |
vaadin-list-box | 0 |
vaadin-radio-group | 0 |
The form selector can be used to select forms that should be scanned. The tool has two features.
Firstly, you can record a navigation route. Since Vaadin creates single-page applications, it is possible that there is no direct link to an input form. This feature enables the user to save the "path" to the form. You can only start recording a route before you have selected any input fields. While recording a route, you can select elements, and the Vaadin events are executed as usual. After stopping the recording, the route is added to every form that is selected on the final web page.
Secondly, a user can select input forms. You have to select every input field of the form, including the submit button, to create a form. It is only possible to select supported elements, which are highlighted on the page. After selecting all elements, you can give the form a name and save it. You can select as many forms on a page as you want.
The scan helper transforms requests to a custom URL into real actions on the website.
To achieve that, every URL is mapped to a form. After receiving a request, the form and all associated elements are loaded.
The scan helper opens the application in a browser and navigates to the requested form.
For every element, the parameter value or the default value is loaded. This value is inserted into the form field using JavaScript, and a further action dispatches a change event so that the web component notices the new value.
Depending on the field type, different actions and events are executed. You can define your own actions if you are a developer (see Development).
The image shows the scan helper in action when a visible browser is chosen: a test application is scanned with OWASP ZAP, and you can see the parameter values being injected into the form fields.
After processing all elements and submitting the form, the scan helper returns the source code of the page. Only the HTML body is returned, because the head contains a lot of code that isn't needed for vulnerability analysis. If an alert is shown, the response is slightly modified: the text of the alert is appended to the response, which increases the probability that XSS flaws are recognized, since the scanner only sees the returned HTML and would otherwise get no evidence of a payload that executed.
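As an added example (not the project's own code), the following Java class shows how the response described above can be assembled with Selenium: the alert, if any, is consumed first, then the body of the page is read and the alert text appended. The class and method names are hypothetical; only the Selenium calls are real API.

```java
// Added example, not part of PenTest4Vaadin. Collects the scan-helper response
// after the form has been submitted. Assumes a running WebDriver instance.
package scanhelper.services;

import org.openqa.selenium.Alert;
import org.openqa.selenium.By;
import org.openqa.selenium.NoAlertPresentException;
import org.openqa.selenium.WebDriver;

public class ScanResponseBuilder {

    /**
     * Returns the HTML body of the current page and, if the submit triggered a
     * JavaScript alert, the alert text appended as an extra line.
     */
    public String buildResponse(WebDriver driver) {
        // An open alert blocks every further WebDriver command with an
        // UnhandledAlertException, so it must be handled before the DOM is read.
        String alertText = consumeAlert(driver);

        // Only the body is returned: the head is large and carries nothing a
        // scanner needs for vulnerability analysis.
        String body = driver.findElement(By.tagName("body")).getAttribute("outerHTML");

        if (alertText == null) {
            return body;
        }
        // Appending the alert text exposes the result of an executed payload in
        // the HTML the scanner analyzes, even when the payload itself is not
        // echoed back into the page.
        return body + "\n" + alertText;
    }

    /** Reads and accepts a pending alert; returns null if there is none. */
    private String consumeAlert(WebDriver driver) {
        try {
            Alert alert = driver.switchTo().alert();
            String text = alert.getText();
            alert.accept();
            return text;
        } catch (NoAlertPresentException e) {
            return null;
        }
    }
}
```

Reading the alert text before accepting it matters: once the alert is dismissed its text is gone, and if the alert is left open the body lookup fails with an UnhandledAlertException instead of returning a response to the scanner.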
Web components are mapped to an action handler. Some components, like vaadin-text-field and vaadin-password-field, can be submitted using the same actions. In this case both elements are mapped to the action input. If you want to add new web components to an existing action handler, you can do that in the frontend tab HTML Elements.
For adding new action handlers, see Development.
The project can be divided into two parts: the Vaadin frontend and the REST backend with the scan functionality.
You can find Vaadin-related classes in the folders `scanhelper/views` and `scanhelper/presenter`. The frontend also makes use of the entities in `scanhelper/entities`.
The project uses JPA and Hibernate to communicate with the database. You can find the repositories in the folder `scanhelper/repositories`.
The folder `scanhelper/controllers` contains the controllers that expose the REST endpoints for the form selector and the scanners.
The classes in the folder `scanhelper/services` provide the functionality to use a Selenium browser for the form selector and scans.
In the folder `src/test` are some JUnit tests that ensure the application's functionality. Some tests use Mockito. You can add new tests if you want.
The form selector script, named `recorduseractions.js`, is located in `src/main/resources`.
If you are using a web component that isn't supported yet, you can implement a new action handler.
Action handlers extend the class `scanhelper.services.elements.AbstractAction` and have to implement two methods:
- `performAction(String input, JavascriptExecutor js)`: use the JavascriptExecutor to execute actions on the web page, e.g. filling out a text field; `input` is the value that is to be inserted into the field.
- `String getName()`: return a String that identifies a web component.
You have to add the annotation `@Component` to the new action handler, because all action handlers are loaded automatically.
Save the class in the folder `src/main/java/scanhelper/services/elements`, where you can also find examples.
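As an added example (not part of the project), here is an action handler for vaadin-checkbox-group, a component that is not in the supported list above and whose `value` property is an array of strings, so it cannot simply be mapped to the existing `input` action in the HTML Elements tab. It illustrates the property-plus-event pattern the Scan Helper section describes: assign the value as a property, then dispatch a change event that crosses the shadow DOM. Assumptions: `AbstractAction` hands the target element to the handler through a protected `getElement()` method (the project's real mechanism is not documented here), and vaadin-checkbox-group stores the assigned array unchanged.

```java
// Added example, not part of PenTest4Vaadin. Action handler for the
// vaadin-checkbox-group web component. ASSUMPTION: AbstractAction exposes the
// target element via a protected getElement() accessor.
package scanhelper.services.elements;

import java.util.Collections;
import java.util.List;

import org.openqa.selenium.JavascriptExecutor;
import org.openqa.selenium.WebElement;
import org.springframework.stereotype.Component;

@Component
public class CheckboxGroupAction extends AbstractAction {

    // Runs inside the page. arguments[0] is the element, arguments[1] the list
    // of values (Selenium converts a Java List to a JavaScript array).
    // The value is assigned as a property, not an attribute, because Vaadin
    // components keep their state in properties. The change event is
    // dispatched with bubbles and composed set so it leaves the component's
    // shadow root and reaches the listener Vaadin's client side registered on
    // the host element. Returns whether the payload survived the assignment.
    private static final String SET_VALUE_SCRIPT =
            "const el = arguments[0];"
          + "el.value = arguments[1];"
          + "el.dispatchEvent(new Event('change', {bubbles: true, composed: true}));"
          + "return Array.isArray(el.value) && el.value.includes(arguments[1][0]);";

    @Override
    public void performAction(String input, JavascriptExecutor js) {
        WebElement element = getElement(); // assumed accessor, see class comment
        // A scanner sends one string per parameter; a checkbox group takes a
        // list, so the payload becomes a single-element selection.
        List<String> values = Collections.singletonList(input);

        Object accepted = js.executeScript(SET_VALUE_SCRIPT, element, values);
        if (!Boolean.TRUE.equals(accepted)) {
            // Fail loudly: a value the component normalized away never reaches
            // the application, and a silent "clean" response for it would be a
            // false negative in the scan results.
            throw new IllegalStateException(
                    "vaadin-checkbox-group did not accept value: " + input);
        }
    }

    @Override
    public String getName() {
        // Tag name of the web component this handler is responsible for.
        return "vaadin-checkbox-group";
    }
}
```

Dropping the class into `src/main/java/scanhelper/services/elements` with the `@Component` annotation is all that is needed for it to be picked up, as the section above states; the `composed: true` flag on the event is the detail most often forgotten when driving web components from Selenium, because a non-composed event fired inside a shadow root never reaches listeners on the host element.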
All licenses of reused components can be found on the Maven site.
BSD 3-Clause License
Copyright (c) 2019, viadee IT-Unternehmensberatung AG. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
- Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
- Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
- Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.