Error Server 500 Acunetix Parser

[zfirered]

Bug description Error while upload acunetix xml file this is the sample when i'am upload it and the server error 500 happen

Deployment method (select with an X)

• [ ] Kubernetes
• [X] Docker
• [ ] setup.bash / legacy-setup.bash

Sample scan files (optional) 20200228_XML_http_www_itsecgamescom.zip

[valentijnscholten]

do you have logs? which version/branch are you running?

[zfirered]

all version has this bud and not yet fixed

[valentijnscholten]

What error do you see in the logs? In the provided sample file every tag has it's data inside a CDATA element, not sure if this is normal?

[zfirered]

[zfirered]

if acunetix found this, Slow HTTP Denial of Service Attack, then dojo won't import properly always Error Server 500

[jrsfaisal]

I got some issues about acunetix. I'm try import XML from acunetix 10.5, but i got 500 Error. This is for docker log.

nginx_1         | 2020/03/04 16:41:33 [warn] 6#6: *2 a client request body is buffered to a temporary file /var/cache/nginx/client_temp/0000000004, client: 172.18.0.1, server: , request: "POST /product/8/import_scan_results HTTP/1.1", host: "localhost:8080", referrer: "http://localhost:8080/product/8/import_scan_results"
uwsgi_1         | Internal Server Error: /product/8/import_scan_results
uwsgi_1         | Traceback (most recent call last):
uwsgi_1         |   File "/usr/local/lib/python3.5/site-packages/django/core/handlers/exception.py", line 34, in inner
uwsgi_1         |     response = get_response(request)
uwsgi_1         |   File "/usr/local/lib/python3.5/site-packages/django/core/handlers/base.py", line 115, in _get_response
uwsgi_1         |     response = self.process_exception_by_middleware(e, request)
uwsgi_1         |   File "/usr/local/lib/python3.5/site-packages/django/core/handlers/base.py", line 113, in _get_response
uwsgi_1         |     response = wrapped_callback(request, *callback_args, **callback_kwargs)
uwsgi_1         |   File "/usr/local/lib/python3.5/site-packages/django/contrib/auth/decorators.py", line 21, in _wrapped_view
uwsgi_1         |     return view_func(request, *args, **kwargs)
uwsgi_1         |   File "./dojo/product/views.py", line 413, in import_scan_results_prod
uwsgi_1         |     return import_scan_results(request, pid=pid)
uwsgi_1         |   File "/usr/local/lib/python3.5/site-packages/django/contrib/auth/decorators.py", line 21, in _wrapped_view
uwsgi_1         |     return view_func(request, *args, **kwargs)
uwsgi_1         |   File "./dojo/engagement/views.py", line 523, in import_scan_results
uwsgi_1         |     parser = import_parser_factory(file, t, active, verified)
uwsgi_1         |   File "./dojo/tools/factory.py", line 142, in import_parser_factory
uwsgi_1         |     parser = AcunetixScannerParser(file, test)
uwsgi_1         |   File "./dojo/tools/acunetix/parser.py", line 17, in __init__
uwsgi_1         |     acunetix_defectdojo_findings = get_defectdojo_findings(xml_output)
uwsgi_1         |   File "./dojo/tools/acunetix/parser_helper.py", line 175, in get_defectdojo_findings
uwsgi_1         |     cwe = report_item['CWEId']
uwsgi_1         | KeyError: 'CWEId'
uwsgi_1         | [pid: 1|app: 0|req: 24/24] 172.18.0.1 () {60 vars in 1365 bytes} [Wed Mar  4 16:41:33 2020] POST /product/8/import_scan_results => generated 27 bytes in 77 msecs (HTTP/1.1 500) 4 headers in 126 bytes (1 switches on core 0)
nginx_1         | 172.18.0.1 - - [04/Mar/2020:16:41:33 +0000] "POST /product/8/import_scan_results HTTP/1.1" 500 27 "http://localhost:8080/product/8/import_scan_results" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36" "-"

[zfirered]

is there any update regarding this one?

[zfirered]

gaesss??

[valentijnscholten]

which version/branch are you running?

exact commit needed

[zfirered]

which version/branch are you running?

exact commit needed

ALL VERSION has this problem... i test it...

[valentijnscholten]

The reason why we're asking is because a stacktrace shows filenames and linenumbers and it's much easier for us to find out what is going on when we have the exact commit that goed with the stacktrace (which you provded as a screenshot). We are volunteers and ask you to provide some basic information. Even if it might not make a big change in this particular case, you probably get a lot less people interested in looking at if you only provide half of the information

[zfirered]

well im sorry for that, but all version (build number) had this issue, you can try your self, i have attachment

[steeve85]

I opened a PR that should fix this issue https://github.com/DefectDojo/django-DefectDojo/pull/2185

[valentijnscholten]

Should be fixed, please reopen when needed.

[zfirered]

hey thanks for fix!

here another problem

Line 9476 is:

emails was set to 1 ˤˢ%2527%2522

Error message found:

A Database Error Occurred

]]>

[zfirered]

also can you make more detail for acunetix? example if i got findings about directory listing had 3 affected items list so you can add actualy 3 list not count as 1 finding

[zfirered]

Should be fixed, please reopen when needed.

Please Re Open

[steeve85]

@zfirered Can you please Open a new issue with the error details and the file you are trying to import (if possible)? I will take a look to fix it. If the file contains some private data, please provide a sample file with the similar "email" that breaks the parser. Thanks

[LeonardoNve]

Same problem here, last version of DD (cloned today) 20200504_XML_192_168_0_1.zip

:

An example of the acunetix file I´m uploading attached.

[zfirered]

Same problem here, last version of DD (cloned today) 20200504_XML_192_168_0_1.zip

:

An example of the acunetix file I´m uploading attached.

Which version do you have? i'm able to import this without any problem

[LeonardoNve]

@zfirered

Version: v. 1.5.4 ( release mode ) Installed on Kali linux 2019.4 with Docker deployment. Installed from github yesterday some minutes before my post.

Thanks.

[valentijnscholten]

The fixes are only on the dev branch and 1.6 branch