new: [zap] Early implementation of Zap

Signed-off-by: Romain Kieffer <[email protected]>

landing_page/templates/dashboard.html

@@ -66,8 +66,15 @@ <h3 class="text-primary-primary-blue">Tools proposed</h3>
       </a>
     </div>
     <div class="mt-3 row gap-4 flex-wrap">
-      <a  href="/iot-testing/" target="_blank"
-        class="cursor-pointer rounded-box-20 d-flex flex-1 align-items-start flex-column box-shadow multi-purpose-gray-200_border multi-purpose-gray-50_background-hover">
+      <a class="cursor-pointer rounded-box-20 d-flex flex-1 align-items-start flex-column box-shadow multi-purpose-gray-200_border multi-purpose-gray-50_background-hover" href={% url 'zap_test' %}>
+          <span class="background-icon primary-primary-blue_background mb-3">
+              <svg xmlns="http://www.w3.org/2000/svg" height="24px" viewBox="0 -960 960 960" width="24px" fill="#e8eaed"><path d="M480-80q-82 0-155-31.5t-127.5-86Q143-252 111.5-325T80-480q0-83 31.5-155.5t86-127Q252-817 325-848.5T480-880q83 0 155.5 31.5t127 86q54.5 54.5 86 127T880-480q0 82-31.5 155t-86 127.5q-54.5 54.5-127 86T480-80Zm0-82q26-36 45-75t31-83H404q12 44 31 83t45 75Zm-104-16q-18-33-31.5-68.5T322-320H204q29 50 72.5 87t99.5 55Zm208 0q56-18 99.5-55t72.5-87H638q-9 38-22.5 73.5T584-178ZM170-400h136q-3-20-4.5-39.5T300-480q0-21 1.5-40.5T306-560H170q-5 20-7.5 39.5T160-480q0 21 2.5 40.5T170-400Zm216 0h188q3-20 4.5-39.5T580-480q0-21-1.5-40.5T574-560H386q-3 20-4.5 39.5T380-480q0 21 1.5 40.5T386-400Zm268 0h136q5-20 7.5-39.5T800-480q0-21-2.5-40.5T790-560H654q3 20 4.5 39.5T660-480q0 21-1.5 40.5T654-400Zm-16-240h118q-29-50-72.5-87T584-782q18 33 31.5 68.5T638-640Zm-234 0h152q-12-44-31-83t-45-75q-26 36-45 75t-31 83Zm-200 0h118q9-38 22.5-73.5T376-782q-56 18-99.5 55T204-640Z"/></svg>
+          </span>
+        <span
+          class="font-size-20 fw-bold lh-sm text-blue-gradient mb-2">ZAP</span>
+        <span class="font-size-16 lh-sm text-muted">Assess the security of your website against known vulnerabilities.</span>
+      </a>
+      <a class="cursor-pointer rounded-box-20 d-flex flex-1 align-items-start flex-column box-shadow multi-purpose-gray-200_border multi-purpose-gray-50_background-hover">
           <span class="background-icon primary-primary-blue_background mb-3">
            <svg xmlns="http://www.w3.org/2000/svg" height="24px" viewBox="0 -960 960 960" width="24px" fill="#e8eaed"><path d="M221-240q42 0 71-29t29-71q0-24-11-47t-33-37l-36-24v-252q0-9-5.5-14.5T221-720q-9 0-14.5 5.5T201-700v252l-36 24q-22 15-33 37t-11 47q0 42 29 71t71 29Zm0 80q-75 0-127.5-52T41-340q0-48 22-86t58-62v-212q0-42 29-71t71-29q42 0 71 29t29 71v212q36 24 58 62t22 86q0 75-52.5 127.5T221-160Zm327-200q-48-33-78-85t-30-115q0-100 70-170t170-70q100 0 170 70t70 170q0 63-30 115t-78 85H548Zm28-80h212q27-24 39.5-54t12.5-66q0-66-47-113t-113-47q-66 0-113 47t-47 113q0 36 14.5 66t41.5 54Zm104 280q-24 0-42-18t-18-42h120q0 24-18 42t-42 18Zm-120-80v-80h240v80H560ZM221-340Zm459-240Z"/></svg>
           </span>

landing_page/templates/ldih_landing.html

@@ -2,22 +2,22 @@
 
 {% block content %}
 {% load static %}
-<main class="bg-light d-flex w-100 h-100 p-3 flex-column align-items-center text-center">
-    <img src="{% static 'img/logo-NC3_logos_LOGO_Threat_Platform.png' %}" height="200px">
-    <!--<h1><span style="color:#009fe3;">c</span><span style="color:#ec1e27;">3</span> Testing Platform</h1>-->
-    <section class="container">
-        <p class="lead">
-            The testing platform holds the tools and services that will help organisations to perform basic tests on
-            their most commonly exposed infrastructures, starting with email and web servers. More tools will be added
-            through time to increase the coverage of available tests.
-        </p>
-    </section>
-    <p class="lead">
-        <a href="/signup/{{ ldih_uuid }}" class="btn btn-lg btn-secondary fw-bold border-white" style="background-color:#009fe3;">Register now!</a>
-    </p>
-</main>
 
 <section class="container">
+  <main class="bg-light d-flex w-100 h-100 p-3 flex-column align-items-center text-center">
+      <img src="{% static 'img/logo-NC3_logos_LOGO_Threat_Platform.png' %}" height="200px">
+      <!--<h1><span style="color:#009fe3;">c</span><span style="color:#ec1e27;">3</span> Testing Platform</h1>-->
+      <section class="container">
+          <p class="lead">
+              The testing platform holds the tools and services that will help organisations to perform basic tests on
+              their most commonly exposed infrastructures, starting with email and web servers. More tools will be added
+              through time to increase the coverage of available tests.
+          </p>
+      </section>
+      <p class="lead">
+          <a href="/signup/{{ ldih_uuid }}" class="btn btn-lg btn-secondary fw-bold border-white" style="background-color:#009fe3;">Register now!</a>
+      </p>
+  </main>
     <div class="mt-5">
         <h3>Welcome to the nc3 Testing Platform!</h3>
         <div class="mb-5">

landing_page/urls.py

@@ -17,5 +17,5 @@
         ".well-known/security.txt",
         TemplateView.as_view(template_name="security.txt", content_type="text/plain"),
     ),
-    path("ldih/<ldih_uuid>", views.ldih, name='ldih')
+    path("ldih/uid=<ldih_uuid>", views.ldih, name='ldih')
 ]

templates/nav.html

@@ -1,7 +1,7 @@
 {% load static %}
 <div class="govbar" id="govbar">
 
-  <img class="govbar-logo" src="//cdn.public.lu/pictures/logos/gov/fr/gov-light.png"
+  <img class="govbar-logo" src="https://cdn.public.lu/pictures/logos/gov/fr/gov-light.png"
        alt="Le Gouvernement du Grand-Duché de Luxembourg">
 
 

testing/helpers.py

@@ -16,6 +16,8 @@
 import nmap3
 import pypandora
 import requests
+from django.http import HttpResponse
+from xhtml2pdf import pisa
 from Crypto.PublicKey import RSA
 from django.template.loader import render_to_string
 from weasyprint import CSS, HTML
@@ -26,6 +28,8 @@
 
 from .cipher_scoring import load_cipher_info
 
+from django.template.loader import get_template
+
 logger = logging.getLogger(__name__)
 
 
@@ -707,3 +711,14 @@ def get_pdf_report():
     ]
 
     return htmldoc.write_pdf(stylesheets=stylesheets)
+
+
+def generate_pdf(template_file, context):
+    template = get_template(template_file)
+    html = template.render(context)
+    result = BytesIO()
+    pdf = pisa.pisaDocument(BytesIO(html.replace('\u2019', "'").encode("ISO-8859-1")), result)
+    if not pdf.err:
+        return HttpResponse(result.getvalue(), content_type="application/pdf")
+    return None
+

testing/templates/check_zap.html

@@ -0,0 +1,41 @@
+{% extends "base.html" %}
+{% load static %}
+
+{% block content %}
+
+<main class="row p-3 flex-column align-items-center">
+  <div class="col-xl-5 col-lg-8 col-md-8 mb-2">
+      <div class="h-100 card border border-2 ">
+        <div class="card-body d-flex flex-column">
+          <h3 class="card-title">Zap Scanner</h3>
+          <p>
+            The website testing assesses the security of your website against known
+            vulnerabilities, then provides you recommendations to resolve each security
+            weakness identified
+          </p>
+          <form method="post">
+            {% csrf_token %}
+            {% if error %}
+            <span class="text-danger">{{ error }}</span>
+            {% endif %}
+            <div class="mb-3">
+              <label class="mb-1">
+                Enter your websites domain name:
+              </label>
+              <input class="form-control" type="text" placeholder="https://www.domain.lu"
+                     id="target" name="target"
+                     value="{{ form }}" required>
+            </div>
+            <input type="submit" value="Test" class="btn btn-secondary">
+          </form>
+        </div>
+          <div class="card-footer text-center text-muted">
+            <!-- TODO change href --><a
+          href="{% url 'knowledge_base'  %}#tests-email">About the test</a></div>
+      </div>
+    </div>
+
+  {% include "zap_report.html" %}
+</main>
+<br>
+{% endblock %}

testing/templates/zap_report.html

@@ -0,0 +1,25 @@
+{% load tags %}
+{% if alerts %}
+  <section class="col-lg-11 col-md-12 row my-5 border border-2 rounded p-4">
+    {% for alert in alerts %}
+      <div class="row">
+        <div class="col-lg-12 fs-1 fw-bold">
+          {% if alert.riskcode == "3" %}
+            <span class="background-icon mb-3" style="background-color: var(--redColor); font-size: 18px; vertical-align: middle">HIGH</span>
+          {% elif alert.riskcode == "2" %}
+            <span class="background-icon mb-3" style="background-color: var(--gradeBPlus); font-size: 18px; vertical-align: middle">MEDIUM</span>
+          {% elif alert.riskcode == "1" %}
+            <span class="background-icon mb-3" style="background-color: var(--gradeB); font-size: 18px; vertical-align: middle">LOW</span>
+          {% elif alert.riskcode == "0" %}
+            <span class="background-icon mb-3" style="background-color: var(--grey); font-size: 18px; vertical-align: middle">INFO</span>
+          {% endif %}
+          {{ alert.alert }}
+        </div>
+        <div class="col-lg-12 fs-4">
+          {{ alert.desc }}
+        </div>
+        <br>
+      </div>
+    {% endfor %}
+  </section>
+{% endif %}

testing/urls.py

@@ -4,6 +4,8 @@
 
 urlpatterns = [
     path("http-test/", views.http_test, name="http_test"),
+    path("zap-test/", views.zap_test, name="zap_test"),
+    # path("web-test/", views.web_test, name="web_test"),
     path("email-test/", views.email_test, name="email_test"),
     path("file-test/", views.file_test, name="file_test"),
     path("infra-test/", views.web_server_test, name="infra-test"),
@@ -16,8 +18,6 @@
     # path("web-test/", views.web_test, name="web_test"),
 
     # path("ipv6-test/", views.ipv6_test, name="ipv6_test"),
-
-
     # path("dmarc-reporter/", views.dmarc_reporter, name="dmarc-reporter"),
     # path(
     #     "dmarc-reporter/<str:domain>/<mailfrom>/<timestamp>/",

testing/views.py

@@ -3,19 +3,27 @@
 import re
 import socket
 import time
+import io
+
+import jinja2
+import xmltodict
+
 from typing import Any, Dict
 from urllib.parse import parse_qs, urlparse
 
-import xmltodict
+import zapv2
+from ipwhois import IPDefinedError, IPWhois
+from zapv2 import ZAPv2
+from reportlab.pdfgen import canvas
+
+from django.http import FileResponse
 from django.contrib import messages
 from django.contrib.auth.decorators import login_required
 from django.core.files.base import ContentFile
 from django.http import HttpResponse
 from django.shortcuts import redirect, render
 from django.views.decorators.csrf import csrf_exempt
 from django.views.decorators.http import require_http_methods
-from ipwhois import IPDefinedError, IPWhois
-from zapv2 import ZAPv2
 
 from testing_platform import settings
 
@@ -29,7 +37,11 @@
     ipv6_check,
     tls_version_check,
     web_server_check,
+    generate_pdf
 )
+
+from .zap import zap_scan
+
 from .models import DMARCRecord, DMARCReport, MailDomain
 
 
@@ -105,6 +117,32 @@ def http_test(request):
         return render(request, "check_website.html")
 
 
+def zap_test(request):
+    if request.method == "POST":
+        try:
+            nb_tests = int(request.COOKIES["nb_tests"])
+        except KeyError:
+            nb_tests = 0
+        if nb_tests == 3 and not request.user.is_authenticated:
+            messages.error(
+                request,
+                "You reached the maximum number of tests. Please create an account.",
+            )
+            return redirect("signup")
+        target = request.POST["target"]
+        api_key = settings.ZAP_API_KEY
+        json_report, html_report = zap_scan(target, api_key)
+        nb_tests += 1
+        context = json_report['site'][0]
+        response = render(request, "check_zap.html", context)
+        response.set_cookie("nb_tests", nb_tests)
+        print("wat")
+        return response
+        # return HttpResponse(html_report)
+    else:
+        return render(request, "check_zap.html")
+
+
 def web_test(request):
     # TODO check that for a new scan a new session is created an after
     #  getting the result it shall be closed
@@ -513,3 +551,27 @@ def dmarc_upload(request):
         return HttpResponse(status=200)
     else:
         return HttpResponse(status=401)
+
+
+def export_pdf(request, test):
+    # Create a file-like buffer to receive PDF data.
+    buffer = io.BytesIO()
+
+    # Create the PDF object, using the buffer as its "file."
+    p = canvas.Canvas(buffer)
+
+    # Draw things on the PDF. Here's where the PDF generation happens.
+    # See the ReportLab documentation for the full list of functionality.
+
+    # Close the PDF object cleanly, and we're done.
+    p.showPage()
+    p.save()
+
+    # FileResponse sets the Content-Disposition header so that browsers
+    # present the option to save the file.
+    buffer.seek(0)
+    return FileResponse(buffer, as_attachment=True, filename="hello.pdf")
+
+
+def pdf_from_template(request, test):
+    return HttpResponse(request)

testing_platform/settings.py

@@ -228,8 +228,8 @@
 IOT_API_PASSWORD = os.environ.get("IOT_API_PASSWORD", "")
 
 ONEKEY_API_URL = "https://app.eu.onekey.com/api"
-ONEKEY_API_EMAIL = os.environ.get("ONEKEY_API_EMAIL", "")
-ONEKEY_API_PASSWORD = os.environ.get("ONEKEY_API_PASSWORD", "")
+ONEKEY_API_EMAIL = os.environ.get("ONEKEY_API_EMAIL", "[email protected]")
+ONEKEY_API_PASSWORD = os.environ.get("ONEKEY_API_PASSWORD", "testing_platform_1key!")
 
 DMARC_API_KEY = os.environ.get("DMARC_API_KEY", "")
 
@@ -281,3 +281,5 @@
 if not DEBUG and SECRET_KEY == "secret":
     print("FATAL: the secret key in the config has not yet been configured. Quitting.")
     exit(-1)
+
+ZAP_API_KEY = '+#0@_1&r6w(7b_67)6*c$fbltsa10+oum5l$$ayvmb^)6u#tbj'