wpscanteam / wpscan

WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites. Contact us via contact@wpscan.com
https://wpscan.com/wordpress-cli-scanner

Parsing json and cli output: info, warn and alerts #1470

Closed tristanlatr closed 4 years ago

tristanlatr commented 4 years ago

Hello, I'm helping with this Python wrapper for WPScan, WPWatcher, and I'd like your input on the way the wpscan output parsing is done.

When using --format cli, the script will consider every blank line as a message separator. Messages will be warnings if they match "| [!]" or "insecure", alerts if they match "[!]", else info. The "insecure" string match for warnings is hard-coded to trigger a warning when the WP version is outdated...

When using --format json, the script will parse the "interesting_findings" (for infos), "main_theme", "version" and "plugins" fields of the JSON output to warn on outdated versions and alert if vulnerable.

Would it be relevant to add some other parsing feature to this?

Check here to see the parser code: https://github.com/tristanlatr/WPWatcher/blob/master/wpwatcher/parser.py

Thanks for your input!

tristanlatr commented 4 years ago

Here are some other resources that I found about parsing wpscan json

Where can we find a list of all possible fields in the JSON output?

Thanks

erwanlr commented 4 years ago

You can find all the fields for the JSON output in the views/json folders at:

The references field contains various fields: cve, exploitdb, url, metasploit, packetstorm, securityfocus and wpvulndb, which will be arrays of ids (except for the url field), i.e.:

"references": {
  "cve": [
    "2015-5535"
  ],
  "url": [
    "https://seclists.org/bugtraq/2015/Jul/139",
    "https://www.immuniweb.com/advisory/HTB23265"
  ],
  "wpvulndb": [
    "8120"
  ]
}

tristanlatr commented 4 years ago

Hi, thanks @erwanlr. I've put together some Python code here to parse WPScan output with the new info I got from different sources: https://github.com/tristanlatr/WPWatcher/blob/master/wpwatcher/parser.py

tristanlatr commented 4 years ago

About CLI parsing, should "[i]" be considered a warning?

erwanlr commented 4 years ago

No, this is a notice display, such as

[i] No Config Backups Found.

However, I just saw that valid credentials found are also displayed like a notice

[i] Valid Combinations Found:
 | Username: admin, Password: admin

So I've changed that (https://github.com/wpscanteam/wpscan/commit/6d381ab88ddcaf68a31b22055596bfe7a7f07537)

I would not recommend parsing the CLI output though; the JSON output was created for that purpose.
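
An added example, not code from WPScan or WPWatcher: a minimal Python classifier for the JSON output along the lines discussed in this thread (info for interesting_findings, warn when outdated, alert when vulnerable), which also flattens the references object. The sample report is constructed, and the field names to_s, status, outdated, vulnerabilities and title are assumptions about the JSON layout.

```python
import json

# Constructed sample shaped like `wpscan --format json` output. The four top-level
# keys and the "references" layout come from the thread; "to_s", "status",
# "outdated", "vulnerabilities" and "title" are assumed field names.
SAMPLE = json.loads("""
{
  "interesting_findings": [{"to_s": "Headers: constructed finding"}],
  "version": {"number": "5.1.1", "status": "insecure", "vulnerabilities": []},
  "main_theme": null,
  "plugins": {"example-plugin": {"outdated": true, "vulnerabilities": [{
    "title": "Constructed vulnerability title",
    "references": {
      "cve": ["2015-5535"],
      "url": ["https://seclists.org/bugtraq/2015/Jul/139",
              "https://www.immuniweb.com/advisory/HTB23265"],
      "wpvulndb": ["8120"]
    }
  }]}}
}
""")

# Every reference type is an array of ids, except "url" which holds full links.
ID_REFS = ("cve", "exploitdb", "metasploit", "packetstorm", "securityfocus", "wpvulndb")

def flatten_refs(refs):
    """Turn a references object into a flat list of labelled ids and URLs."""
    ids = [f"CVE-{i}" if key == "cve" else f"{key}:{i}"
           for key in ID_REFS for i in refs.get(key) or []]
    return ids + list(refs.get("url") or [])

def classify(report):
    """Info for interesting findings, warn when outdated, alert when vulnerable."""
    out = {"info": [], "warn": [], "alert": []}
    for finding in report.get("interesting_findings") or []:
        out["info"].append(finding.get("to_s", "unnamed finding"))
    parts = [("WordPress", report.get("version")), ("main theme", report.get("main_theme"))]
    parts += [(f"plugin {slug}", p) for slug, p in (report.get("plugins") or {}).items()]
    for name, part in parts:
        if not part:  # null or missing when the component was not detected
            continue
        for vuln in part.get("vulnerabilities") or []:
            refs = ", ".join(flatten_refs(vuln.get("references") or {}))
            out["alert"].append(f"{name}: {vuln.get('title', 'untitled')} [{refs}]")
        if part.get("outdated") or part.get("status") in ("outdated", "insecure"):
            out["warn"].append(f"{name} is outdated")
    return out
```

Calling `classify(SAMPLE)` yields one info, two warnings and one alert; a report with missing or null sections produces empty lists rather than an exception.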

tristanlatr commented 4 years ago

Thanks for your quick response. Another question about CLI formatting... I can't find the place where critical_icon, notice_icon, warning_icon and info_icon are all defined, can you help me with that? It looks like warning_icon and critical_icon are the same [!], is that correct? Thanks

erwanlr commented 4 years ago

*_icon are defined at https://github.com/wpscanteam/CMSScanner/blob/master/app/formatters/cli.rb

Yes, warning_icon and critical_icon are [!], with different colours

tristanlatr commented 4 years ago

Thanks, that's a great help! Would it be relevant to use warning_icon when a WP version is outdated too?

[+] WordPress version 5.1.1 identified (Insecure, released on 2019-03-13).