DNS plugin: currently reviews if there is SPF entry

Signed-off-by: Miguel Angel Garcia <[email protected]>
zaproxy · Nov 5, 2023 · 74cfc78 · 74cfc78
1 parent c16fa91
commit 74cfc78
Show file tree

Hide file tree

Showing 17 changed files with 534 additions and 0 deletions.
diff --git a/addOns/spf/CHANGELOG.md b/addOns/spf/CHANGELOG.md
@@ -0,0 +1,10 @@
+# Changelog
+All notable changes to this add-on will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
+
+## Unreleased
+
+- First version.
+- Detection if SPF record is not present
+- Detection of more than one SPF record
diff --git a/addOns/spf/gradle.properties b/addOns/spf/gradle.properties
@@ -0,0 +1,2 @@
+version=0.0.1
+release=false
diff --git a/addOns/spf/spf.gradle.kts b/addOns/spf/spf.gradle.kts
@@ -0,0 +1,21 @@
+description = "Check SPF configuration"
+
+zapAddOn {
+    addOnName.set("SPF")
+
+    manifest {
+        author.set("ZAP Dev Team")
+    }
+}
+
+crowdin {
+    configuration {
+        val resourcesPath = "org/zaproxy/addon/${zapAddOn.addOnId.get()}/resources/"
+        tokens.put("%messagesPath%", resourcesPath)
+        tokens.put("%helpPath%", resourcesPath)
+    }
+}
+
+dependencies {
+    testImplementation(project(":testutils"))
+}
diff --git a/addOns/spf/src/main/java/org/zaproxy/addon/spf/DNSClient.java b/addOns/spf/src/main/java/org/zaproxy/addon/spf/DNSClient.java
@@ -0,0 +1,56 @@
+/*
+ * Zed Attack Proxy (ZAP) and its related class files.
+ *
+ * ZAP is an HTTP/HTTPS proxy for assessing web application security.
+ *
+ * Copyright 2023 The ZAP Development Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.zaproxy.addon.spf;
+
+import java.util.ArrayList;
+import java.util.Hashtable;
+import java.util.List;
+import javax.naming.NamingEnumeration;
+import javax.naming.directory.Attribute;
+import javax.naming.directory.Attributes;
+import javax.naming.directory.DirContext;
+import javax.naming.directory.InitialDirContext;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+
+public class DNSClient {
+    private static final Logger LOGGER = LogManager.getLogger(DNSClient.class);
+
+    public List<String> getTxtRecord(String host) {
+        Hashtable<String, String> env = new Hashtable<String, String>();
+        env.put("java.naming.factory.initial", "com.sun.jndi.dns.DnsContextFactory");
+        ArrayList<String> result = new ArrayList<String>();
+
+        try {
+            DirContext dirContext = new InitialDirContext(env);
+            Attributes attrs = dirContext.getAttributes(host, new String[] {"TXT"});
+            Attribute attr = attrs.get("TXT");
+
+            NamingEnumeration<?> attrenum = attr.getAll();
+            while (attrenum.hasMore()) {
+                result.add(attrenum.next().toString());
+            }
+
+        } catch (javax.naming.NamingException e) {
+            LOGGER.debug("There was a problem getting the TXT record", e);
+        }
+        return result;
+    }
+}
diff --git a/addOns/spf/src/main/java/org/zaproxy/addon/spf/ExtensionSpfScanner.java b/addOns/spf/src/main/java/org/zaproxy/addon/spf/ExtensionSpfScanner.java
@@ -0,0 +1,47 @@
+/*
+ * Zed Attack Proxy (ZAP) and its related class files.
+ *
+ * ZAP is an HTTP/HTTPS proxy for assessing web application security.
+ *
+ * Copyright 2023 The ZAP Development Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.zaproxy.addon.spf;
+
+import org.parosproxy.paros.Constant;
+import org.parosproxy.paros.extension.ExtensionAdaptor;
+
+/** An ZAP extension which performs DNS operations to get information or vulnerabilities. */
+public class ExtensionSpfScanner extends ExtensionAdaptor {
+
+    // The name is public so that other extensions can access it
+    public static final String NAME = "ExtensionSpfScanner";
+
+    protected static final String PREFIX = "spfscanner";
+
+    public ExtensionSpfScanner() {
+        super(NAME);
+        setI18nPrefix(PREFIX);
+    }
+
+    @Override
+    public void init() {
+        super.init();
+    }
+
+    @Override
+    public String getDescription() {
+        return Constant.messages.getString(PREFIX + ".desc");
+    }
+}
diff --git a/addOns/spf/src/main/java/org/zaproxy/addon/spf/SPFCheckerTest.java b/addOns/spf/src/main/java/org/zaproxy/addon/spf/SPFCheckerTest.java
@@ -0,0 +1,55 @@
+/*
+ * Zed Attack Proxy (ZAP) and its related class files.
+ *
+ * ZAP is an HTTP/HTTPS proxy for assessing web application security.
+ *
+ * Copyright 2023 The ZAP Development Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.zaproxy.addon.spf;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.is;
+import static org.hamcrest.Matchers.nullValue;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+import java.util.ArrayList;
+import org.junit.jupiter.api.Test;
+
+class SPFCheckerTest {
+
+    @Test
+    void noTxtRecordsFindsNoSPFRecord() throws TooManyRecords {
+        ArrayList<String> records = new ArrayList<String>();
+        SPFParser sut = new SPFParser(records);
+        assertThat(sut.hasSpfRecord(), is(nullValue()));
+    }
+
+    @Test
+    void txtRecordsWithoutSPFFindsNoSPFRecord() throws TooManyRecords {
+        ArrayList<String> records = new ArrayList<String>();
+        records.add("foo-verification=foo");
+        records.add("bar-verification=bar");
+        SPFParser sut = new SPFParser(records);
+        assertThat(sut.hasSpfRecord(), is(nullValue()));
+    }
+
+    @Test
+    void severalSPFRecordsRaiseAnException() {
+        ArrayList<String> records = new ArrayList<String>();
+        records.add("v=spf1 -all");
+        records.add("v=spf1 -all");
+        assertThrows(TooManyRecords.class, () -> new SPFParser(records));
+    }
+}
diff --git a/addOns/spf/src/main/java/org/zaproxy/addon/spf/SPFParser.java b/addOns/spf/src/main/java/org/zaproxy/addon/spf/SPFParser.java
@@ -0,0 +1,43 @@
+/*
+ * Zed Attack Proxy (ZAP) and its related class files.
+ *
+ * ZAP is an HTTP/HTTPS proxy for assessing web application security.
+ *
+ * Copyright 2023 The ZAP Development Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.zaproxy.addon.spf;
+
+import java.util.List;
+
+public class SPFParser {
+
+    private String record = null;
+
+    public SPFParser(List<String> txtRecord) throws TooManyRecords {
+        for (String entry : txtRecord) {
+            if (!entry.startsWith("v=spf1 ")) {
+                continue;
+            }
+            if (record != null) {
+                throw new TooManyRecords();
+            }
+            record = entry;
+        }
+    }
+
+    public boolean hasSpfRecord() {
+        return record != null;
+    }
+}
diff --git a/addOns/spf/src/main/java/org/zaproxy/addon/spf/SpfScanner.java b/addOns/spf/src/main/java/org/zaproxy/addon/spf/SpfScanner.java
@@ -0,0 +1,147 @@
+/*
+ * Zed Attack Proxy (ZAP) and its related class files.
+ *
+ * ZAP is an HTTP/HTTPS proxy for assessing web application security.
+ *
+ * Copyright 2023 The ZAP Development Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.zaproxy.addon.spf;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+import org.apache.commons.httpclient.URIException;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.parosproxy.paros.Constant;
+import org.parosproxy.paros.core.scanner.AbstractAppPlugin;
+import org.parosproxy.paros.core.scanner.Alert;
+import org.parosproxy.paros.core.scanner.Category;
+import org.parosproxy.paros.network.HttpMessage;
+
+public class SpfScanner extends AbstractAppPlugin {
+    private static final int id = 90040; // assigned on ZAPROXY repository
+    private static final Logger LOGGER = LogManager.getLogger(SpfScanner.class);
+    private static final String MESSAGE_PREFIX = "spfscanner.";
+    private volatile boolean enabled = true;
+    private static List<String> reviewedDomains = new ArrayList<String>();
+
+    private String getConstantString(String key) {
+        return Constant.messages.getString(MESSAGE_PREFIX + key);
+    }
+
+    private String getHigherSubdomain(String host) {
+        String[] hostarray = host.split("\\.");
+        if (hostarray.length < 2) {
+            return null;
+        }
+        return String.join(".", Arrays.copyOfRange(hostarray, 1, hostarray.length));
+    }
+
+    @Override
+    public void scan() {
+        final HttpMessage originalMsg = getBaseMsg();
+        try {
+            String host = originalMsg.getRequestHeader().getURI().getHost();
+            DNSClient dns = new DNSClient();
+            SPFParser spf = findValidSpfRecord(host, dns);
+            if (spf == null) {
+                newAlert()
+                	.setMessage(getBaseMsg())
+                    .setRisk(Alert.RISK_INFO)
+                    .setConfidence(Alert.CONFIDENCE_MEDIUM)
+                    .setDescription(getConstantString("nospfrecord.description"))
+                    .raise();
+            }
+        } catch (URIException e) {
+            LOGGER.debug("There was a problem getting the TXT records", e);
+        } catch (TooManyRecords e) {
+            newAlert()
+            	.setMessage(getBaseMsg())
+                .setRisk(Alert.RISK_INFO)
+                .setConfidence(Alert.CONFIDENCE_MEDIUM)
+                .setDescription(getConstantString("toomanyspfrecords.description"))
+                .raise();
+        }
+    }
+
+    private SPFParser findValidSpfRecord(String host, DNSClient dns) throws TooManyRecords {
+        SPFParser spf = null;
+        while (host != null) {
+            if (hasBeenAlreadyAnalyzed(host)) {
+                return null;
+            }
+            markAsAnalyzed(host);
+            spf = new SPFParser(dns.getTxtRecord(host));
+            if (spf.hasSpfRecord()) {
+                break;
+            }
+            host = getHigherSubdomain(host);
+        }
+        return spf;
+    }
+
+    private void markAsAnalyzed(String host) {
+        reviewedDomains.add(host);
+    }
+
+    private boolean hasBeenAlreadyAnalyzed(String host) {
+        return reviewedDomains.contains(host);
+    }
+
+    @Override
+    public void setEnabled(boolean enabled) {
+        this.enabled = enabled;
+        if (enabled == false) {
+            // Reset the scanner
+            reviewedDomains.clear();
+        }
+    }
+
+    @Override
+    public boolean isEnabled() {
+        return enabled;
+    }
+
+    @Override
+    public int getId() {
+        return id;
+    }
+
+    @Override
+    public int getCategory() {
+        return Category.MISC;
+    }
+
+    @Override
+    public String getName() {
+        return getConstantString("scanner");
+    }
+
+    @Override
+    public String getDescription() {
+        return getConstantString("description");
+    }
+
+    @Override
+    public String getSolution() {
+        return getConstantString("solution");
+    }
+
+    @Override
+    public String getReference() {
+        return getConstantString("reference");
+    }
+}