tijme / angularjs-csti-scanner

Automated client-side template injection (sandbox escape/bypass) detection for AngularJS v1.x.
MIT License
291 stars, 86 forks

Disabling Python's `urllib3` warnings in the scanner output #5

Status: closed (jovyn closed this issue 6 years ago)

jovyn commented 6 years ago

While running ACSTIS today on the JS app hosted on Heroku, I happened to get some warnings. Will this affect the scan (I am guessing no)? Is there a way we could ignore them in the acstis script?

I tried scanning other websites and I feel the scanner runs fine, just that I am getting these warnings now. Somehow I did not get these errors the first time I tested this new version (surprise!!).

```
PS Angular-CSTI-Scanner\angularjs-csti-scanner-master> python .\extended.test.py -c -d "https://owaspjuiceshop221b.herokuapp.com/#/search" -tc "Burp_CA_Cert.pem"

Version 3.0.1 - Copyright 2017 Tijme Gommers tijme@finnwea.com

[INFO] Looking for AngularJS version using a headless browser.
[INFO] Waiting until DOM is completely loaded.
[INFO] Found AngularJS version 1.5.11.
[INFO] Angular CSTI scanner started.
[INFO] Scanning https://owaspjuiceshop221b.herokuapp.com/#/search
C:\Python27\lib\site-packages\urllib3\connection.py:344: SubjectAltNameWarning: Certificate for owaspjuiceshop221b.herokuapp.com has no subjectAltName, falling back to check for a commonName for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SubjectAltNameWarning
C:\Python27\lib\site-packages\urllib3\connection.py:344: SubjectAltNameWarning: Certificate for owaspjuiceshop221b.herokuapp.com has no subjectAltName, falling back to check for a commonName for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SubjectAltNameWarning
C:\Python27\lib\site-packages\urllib3\connection.py:344: SubjectAltNameWarning: Certificate for owaspjuiceshop221b.herokuapp.com has no subjectAltName, falling back to check for a commonName for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SubjectAltNameWarning
```

tijme commented 6 years ago

@jovyn Thank you for reporting this issue. I will make sure these warnings will only be visible if debug mode is enabled.

tijme commented 6 years ago

I just fixed this issue in the crawler develop tree. Issue #6 needs to be fixed in the crawler as well. I will release a new version of the crawler as soon as I have fixed #6, then I'll update ACSTIS with the new version of the crawler.

tijme commented 6 years ago

@jovyn I fixed this issue on the develop branch by disabling urllib3 warnings in N.Y.A.W.C. Could you test if this works for you?

Update: I just tested this and it worked. I merged it into master.
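The approach the maintainer describes above (urllib3 warnings visible only when debug mode is enabled) can be implemented with nothing but the standard `warnings` module, because urllib3 raises `SubjectAltNameWarning` through that module from `urllib3.connection`. The following is an added illustration, not code from ACSTIS or N.Y.A.W.C.: it installs a module-name filter and then fires a constructed stand-in for the warning quoted in the report (urllib3 itself is deliberately not imported so the example runs offline). The function names and the `debug` flag are assumptions for the demo.

```python
import warnings

# Regex matched (with re.match) against the fully qualified name of the module
# that issued the warning, so it covers urllib3.connection, urllib3.util.*, etc.
URLLIB3_MODULE_PATTERN = r"urllib3\."


def configure_urllib3_warnings(debug):
    """Show urllib3's own warnings only when debug mode is on.

    In non-debug runs the scanner output stays clean; in debug runs the
    certificate detail behind SubjectAltNameWarning (a certificate with no
    subjectAltName) remains visible, which is what a tester wants to see
    while diagnosing TLS interception or proxy CA problems.
    """
    if debug:
        # "default" prints each distinct warning once per location.
        warnings.filterwarnings("default", module=URLLIB3_MODULE_PATTERN)
    else:
        # Equivalent in spirit to urllib3.disable_warnings(), but scoped by
        # issuing module instead of by warning class, so no urllib3 import needed.
        warnings.filterwarnings("ignore", module=URLLIB3_MODULE_PATTERN)


def emit_simulated_warning():
    """Constructed stand-in for the warning in the issue report.

    warn_explicit lets us name the issuing module and line explicitly, which
    is how the real warning from urllib3/connection.py line 344 is attributed.
    """
    warnings.warn_explicit(
        "Certificate for owaspjuiceshop221b.herokuapp.com has no subjectAltName, "
        "falling back to check for a commonName for now.",  # text quoted from the report
        Warning,
        "urllib3/connection.py",
        344,
        module="urllib3.connection",
    )


def visible_warning_count(debug, repeats=3):
    """Apply the filter for the given mode, fire the simulated warning
    `repeats` times (the report shows it three times), and return how many
    reached the user. catch_warnings restores the global filter list afterwards."""
    with warnings.catch_warnings(record=True) as caught:
        configure_urllib3_warnings(debug)
        for _ in range(repeats):
            emit_simulated_warning()
        return len(caught)


if __name__ == "__main__":
    print("debug off:", visible_warning_count(False), "warning(s) shown")
    print("debug on: ", visible_warning_count(True), "warning(s) shown")
```

Filtering by issuing module rather than by warning class means the scanner does not have to import a specific urllib3 exception type, which is worth noting since urllib3 has removed `SubjectAltNameWarning` in later major versions; the filter keeps working either way. The filter is installed at the front of the list, so it takes precedence over Python's built-in defaults for that module.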