minvws / nl-kat-coordination

OpenKAT scans networks, finds vulnerabilities and creates accessible reports. It integrates the most widely used network tools and scanning software into a modular framework, accesses external databases such as shodan, and combines the information from all these sources into clear reports. It also includes lots of cat hair.
https://openkat.nl
European Union Public License 1.2

Findings are not always accurate when certain 'boefjes' are turned off. #2661

Open jordy-kennisnet opened 7 months ago

jordy-kennisnet commented 7 months ago

Describe the bug

Findings are not always accurate when certain 'boefjes' are turned off. An example of this is 'KAT-NO-CERTIFICATE' @ https://mispo.es:443 @ 134.209.85.72 when boefje 'SSLCertificate' is turned off.

To Reproduce

Steps to reproduce the behavior:

  1. Check if 'boefje' 'SSLCertificates' is turned off.
  2. Scan a domain and check the list of findings. 'KAT-NO-CERTIFICATE' @ should be listed.
  3. Turn on 'boefje' 'SSLCertificates' and ensure it has run at least once.
  4. Check the list of findings again. 'KAT-NO-CERTIFICATE' @ should no longer be there.

N.B. The page of the finding will not exist anymore. You will receive a 404 error. This could also be better?

Expected behavior

OpenKAT should not only look at the available evidence, but also at the status of the 'boefjes'. There are different possibilities:

  1. Nuance the finding. In the case of the example: the finding is unknown; scanning for the presence of a certificate has not occurred. Most informative.
  2. Do not make a finding when a required 'boefje' is turned off. Less informative.

In this case, it should not only look at the 'boefjes' itself, but also at its output. There may be multiple 'boefjes' for the same output.

OpenKAT version 1.14.2

underdarknl commented 7 months ago

This is because we see the KAT-NO-CERTIFICATE finding as a compliance finding. This means that if we have no cert on file, we assume it to not be there. I think we should make sure to include the required plugins in the reports when these findings are listed in there.

I do agree we could add some nuance to these findings. Currently Bits cannot know which plugins are enabled, nor can they know if a given plugin has successfully completed all required tasks on a given datapoint unless we start to introduce inverse datapoints into the graph. E.g., we did not find a cert here, but did expect one when running these plugins.
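The two behaviours discussed in this thread, closed-world ("no cert on file, so there is no cert") versus a nuanced rule that needs an inverse datapoint before it may conclude absence, side by side as a small added example. This is illustration code written for this page, not OpenKAT's own bit implementation or object model: the Website/X509Certificate classes, the NoCertificateObserved inverse datapoint, the Graph container and the KAT-CERTIFICATE-STATUS-UNKNOWN finding type are all assumptions made here.

```python
"""Closed-world vs open-world derivation of a 'no certificate' finding.

Toy model for illustration only (not OpenKAT code): the OOI classes,
the NoCertificateObserved inverse datapoint and the UNKNOWN finding
type are assumptions, not part of the OpenKAT schema.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Website:
    hostname: str
    port: int = 443


@dataclass(frozen=True)
class X509Certificate:
    """Positive evidence: a certificate was collected for this website."""
    website: Website
    subject: str


@dataclass(frozen=True)
class NoCertificateObserved:
    """Assumed inverse datapoint: a certificate-collecting plugin ran
    against this website and affirmatively found no certificate. Keyed on
    the *output* (certificates), so any plugin producing that output type
    can supply it, not just one named boefje."""
    website: Website
    plugin: str


@dataclass
class Graph:
    """Constructed stand-in for the object graph a bit reasons over."""
    certificates: list[X509Certificate] = field(default_factory=list)
    negatives: list[NoCertificateObserved] = field(default_factory=list)


def _has_certificate(website: Website, graph: Graph) -> bool:
    return any(c.website == website for c in graph.certificates)


def closed_world_bit(website: Website, graph: Graph) -> str | None:
    """Behaviour described in the thread: no cert on file -> finding.
    Fires even if the plugin that would collect the cert never ran."""
    if _has_certificate(website, graph):
        return None
    return "KAT-NO-CERTIFICATE"


def open_world_bit(website: Website, graph: Graph) -> str | None:
    """Nuanced variant: KAT-NO-CERTIFICATE only when some plugin reported
    absence explicitly; with no evidence either way, report 'unknown'."""
    if _has_certificate(website, graph):
        return None
    if any(n.website == website for n in graph.negatives):
        return "KAT-NO-CERTIFICATE"
    return "KAT-CERTIFICATE-STATUS-UNKNOWN"  # assumed finding type


def compare(website: Website, graph: Graph) -> dict[str, str | None]:
    """Run both rules over the same graph so the difference is visible."""
    return {
        "closed_world": closed_world_bit(website, graph),
        "open_world": open_world_bit(website, graph),
    }


# Constructed scenarios (hostname taken from the issue text).
SITE = Website("mispo.es", 443)
# 1. certificate boefje disabled: nothing on file, no negative evidence
NOTHING_SCANNED = Graph()
# 2. certificate boefje ran and affirmatively found no certificate
SCANNED_NO_CERT = Graph(negatives=[NoCertificateObserved(SITE, "SSLCertificates")])
# 3. certificate boefje ran and collected a certificate
SCANNED_WITH_CERT = Graph(certificates=[X509Certificate(SITE, "CN=mispo.es")])

if __name__ == "__main__":
    for name, graph in [
        ("nothing scanned", NOTHING_SCANNED),
        ("scanned, no cert", SCANNED_NO_CERT),
        ("scanned, cert found", SCANNED_WITH_CERT),
    ]:
        print(f"{name:20s} {compare(SITE, graph)}")
```

The point of keying the inverse datapoint on the output type rather than on a plugin name is the remark above that several boefjes may produce the same output: the bit does not need to know which plugins are enabled, only whether something has asserted absence of that output for this object.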

zcrt commented 7 months ago

This is because we see the KAT-NO-CERTIFICATE finding as a compliance finding. This means that if we have no cert on file, we assume it to not be there.

Doesn't this contradict the open-world approach KAT currently takes?

If there is no explicit knowledge available about any given object, it cannot be conclusively determined that the object therefore does not exist, or the state that it occupies.