Merge pull request #126 from nrathaus/more_ssl_fixes

Fix `ssl_verify` and `https` detection
OWASP · Jul 29, 2024 · 849c742 · 849c742
2 parents e848821 + 434df27
commit 849c742
Show file tree

Hide file tree

Showing 6 changed files with 31 additions and 2 deletions.
diff --git a/src/offat/__main__.py b/src/offat/__main__.py
@@ -167,6 +167,7 @@ def start():
         test_data_config=test_data_config,
         proxies=args.proxies_list,
         capture_failed=args.capture_failed,
+        ssl_verify=args.ssl_verify,
     )
 
 

diff --git a/src/offat/api/jobs.py b/src/offat/api/jobs.py
@@ -22,6 +22,7 @@ def scan_api(body_data: CreateScanSchema, ssl_verify: bool = True):
             proxies=body_data.proxies,
             capture_failed=body_data.capture_failed,
             remove_unused_data=body_data.remove_unused_data,
+            ssl_verify=ssl_verify,
         )
         return results
     except Exception as e:

diff --git a/src/offat/tester/handler.py b/src/offat/tester/handler.py
@@ -27,6 +27,7 @@ def generate_and_run_tests(
     test_data_config: dict | None = None,
     capture_failed: bool = False,
     remove_unused_data: bool = True,
+    ssl_verify: bool = True,
 ):
     """
     Generates and runs tests for the provided OAS/Swagger file.
@@ -56,7 +57,7 @@ def generate_and_run_tests(
     Returns:
         A list of test results.
     """
-    if not is_host_up(openapi_parser=api_parser):
+    if not is_host_up(openapi_parser=api_parser, ssl_verify=ssl_verify):
         logger.error(
             'Stopping tests due to unavailability of host: %s', api_parser.host
         )

diff --git a/src/offat/tester/tester_utils.py b/src/offat/tester/tester_utils.py
@@ -32,14 +32,20 @@ def is_host_up(openapi_parser: SwaggerParser | OpenAPIv3Parser, ssl_verify: bool
             logger.warning('Invalid host: %s', openapi_parser.host)
             return False
 
+    if openapi_parser.http_scheme == 'https':
+        use_ssl = True
+
     host = host.split('/')[0]
 
     match port:
         case 443:
             use_ssl = True
             proto = http_client.HTTPSConnection
         case _:
-            proto = http_client.HTTPConnection
+            if use_ssl:
+                proto = http_client.HTTPSConnection
+            else:
+                proto = http_client.HTTPConnection
 
     logger.info('Checking whether host %s:%s is available', host, port)
     try:

diff --git a/src/offat/tests/self_signed/__init__.py b/src/offat/tests/self_signed/__init__.py
diff --git a/src/offat/tests/self_signed/self_signed_server_tester.py b/src/offat/tests/self_signed/self_signed_server_tester.py
@@ -0,0 +1,20 @@
+#!/usr/bin/python3
+
+# Generate a cert:
+# openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
+
+import http.server
+import ssl
+
+
+class SimpleHTTPRequestHandler(http.server.SimpleHTTPRequestHandler):
+    pass
+
+
+httpd = http.server.HTTPServer(("localhost", 4443), SimpleHTTPRequestHandler)
+httpd.socket = ssl.wrap_socket(
+    httpd.socket, keyfile="key.pem", certfile="cert.pem", server_side=True
+)
+
+print("Serving on https://localhost:4443")
+httpd.serve_forever()