search

tijme / angularjs-csti-scanner

Automated client-side template injection (sandbox escape/bypass) detection for AngularJS v1.x.
MIT License
291 stars 86 forks source link

Ignore Bad SSL Certs #10

Closed random-robbie closed 6 years ago

random-robbie commented 6 years ago

Can we get the scanner to ignore bad SSL certs?

Steps to reproduce the behavior

root@04df222c1069:/# acstis -c -siv -d "https://13.56.76.150/" -vp

  /$$$$$$   /$$$$$$   /$$$$$$  /$$$$$$$$ /$$$$$$  /$$$$$$
 /$$__  $$ /$$__  $$ /$$__  $$|__  $$__/|_  $$_/ /$$__  $$
| $$  \ $$| $$  \__/| $$  \__/   | $$     | $$  | $$  \__/
| $$$$$$$$| $$      |  $$$$$$    | $$     | $$  |  $$$$$$
| $$__  $$| $$       \____  $$   | $$     | $$   \____  $$
| $$  | $$| $$    $$ /$$  \ $$   | $$     | $$   /$$  \ $$
| $$  | $$|  $$$$$$/|  $$$$$$/   | $$    /$$$$$$|  $$$$$$/
|__/  |__/ \______/  \______/    |__/   |______/ \______/

Version 3.0.1 - Copyright 2017 Tijme Gommers <tijme@finnwea.com>

[INFO] Looking for AngularJS version using a headless browser.
[INFO] Waiting until DOM is completely loaded.
[ERROR] Couldn't determine the AngularJS version (`angular.version.full` threw an exception).
[ERROR] If you are certain this URL uses AngularJS, specify the version via the `--angular-version` argument.
root@04df222c1069:/#
tijme commented 6 years ago

You can ignore invalid SSL certificates using the command line arguments.

-iic, --ignore-invalid-certificates

You can also trust a given certfificate.

-tc TRUSTED_CERTIFICATES, --trusted-certificates TRUSTED_CERTIFICATES

random-robbie commented 6 years ago

any way to remove the warnings completely?

Capture.png

tijme commented 6 years ago

Yeah this is already deployed on the develop branch I think. However, it's a long time ago I worked on it, so I have to check if it's stable enough to merge it to the master.

tijme commented 6 years ago

I think if you update the nyawc dependency to 1.7.10 it might remove the warnings (see https://github.com/tijme/not-your-average-web-crawler/releases)