Merge pull request #13 from tls-attacker/dev

merge dev to main
tls-attacker · Jan 24, 2024 · 789f876 · 789f876
2 parents 27b2aa0 + 88b43e5
commit 789f876
Show file tree

Hide file tree

Showing 5 changed files with 204 additions and 25 deletions.
diff --git a/backend/src/endpoints/UploadReportEndpoint.ts b/backend/src/endpoints/UploadReportEndpoint.ts
@@ -252,8 +252,8 @@ export namespace UploadReportEndpoint {
  "de.rub.nds.tlstest.suite.tests.both.tls13.rfc8446.RecordProtocol.sendEncryptedAppRecordWithNoNonZeroOctet": "8446-hKUhsUFCnx",
  "de.rub.nds.tlstest.suite.tests.both.tls13.rfc8446.RecordProtocol.checkMinimumRecordProtocolVersions": "8446-V3SF3rXAAW",
  "de.rub.nds.tlstest.suite.tests.both.tls13.statemachine.ClientServerStateMachine.sendEmptyRecordFinished": "XSM-tGmYudnsgE",
- "de.rub.nds.tlstest.suite.tests.client.tls12.SupportedCiphersuites.supportsMoreCiphersuitesThanAdvertised": "XXX-GFtKDMr9x7",
- "de.rub.nds.tlstest.suite.tests.client.tls12.SupportedCiphersuites.supportsLessCiphersuitesThanAdvertised": "XXX-DZsWLPbTuc",
+ "de.rub.nds.tlstest.suite.tests.client.tls12.SupportedCiphersuites.supportsMoreCiphersuitesThanAdvertised": "5246-GFtKDMr9x7",
+ "de.rub.nds.tlstest.suite.tests.client.tls12.SupportedCiphersuites.supportsLessCiphersuitesThanAdvertised": "5246-DZsWLPbTuc",
  "de.rub.nds.tlstest.suite.tests.client.tls12.rfc5246.AlertProtocol.closeNotify": "5246-DjYR2JiJKn",
  "de.rub.nds.tlstest.suite.tests.client.tls12.rfc5246.AlertProtocol.abortAfterFatalAlertServerHello": "5246-N8VwCXYaTF",
  "de.rub.nds.tlstest.suite.tests.client.tls12.rfc5246.AlertProtocol.abortAfterFatalAlertServerHelloDone": "5246-rcBco3YXw8",
@@ -311,8 +311,8 @@ export namespace UploadReportEndpoint {
  "de.rub.nds.tlstest.suite.tests.client.tls12.statemachine.StateMachine.sendResumptionMessageFlow": "XSM-SJ9mzNY9kZ",
  "de.rub.nds.tlstest.suite.tests.client.tls12.statemachine.StateMachine.beginWithFinished": "XSM-Rdcvemgd4h",
  "de.rub.nds.tlstest.suite.tests.client.tls12.statemachine.StateMachine.beginWithApplicationData": "XSM-Bv4mqPoKa4",
- "de.rub.nds.tlstest.suite.tests.client.tls13.SupportedCiphersuites.supportsMoreCipherSuitesThanAdvertised": "XXX-FnJguFLqcc",
- "de.rub.nds.tlstest.suite.tests.client.tls13.SupportedCiphersuites.supportsLessCipherSuitesThanAdvertised": "XXX-CFyJvy1SNZ",
+ "de.rub.nds.tlstest.suite.tests.client.tls13.SupportedCiphersuites.supportsMoreCipherSuitesThanAdvertised": "8446-FnJguFLqcc",
+ "de.rub.nds.tlstest.suite.tests.client.tls13.SupportedCiphersuites.supportsLessCipherSuitesThanAdvertised": "8446-CFyJvy1SNZ",
  "de.rub.nds.tlstest.suite.tests.client.tls13.rfc8446.Certificate.emptyCertificateMessage": "8446-vN4oMaYkC6",
  "de.rub.nds.tlstest.suite.tests.client.tls13.rfc8446.Certificate.emptyCertificateList": "8446-cM4fvnBMce",
  "de.rub.nds.tlstest.suite.tests.client.tls13.rfc8446.CertificateVerify.selectLegacyRSASignatureAlgorithm": "8446-oN7MGas4sq",

diff --git a/docker-compose-dev.yml b/docker-compose-dev.yml
@@ -0,0 +1,37 @@
+version: '3.7'
+
+volumes:
+ mongodb_DB:
+ mongodb_conf:
+
+networks: 
+ app:
+
+services:
+ mongo:
+ image: mongo:5.0.6
+ restart: always
+ volumes:
+ - mongodb_DB:/data/db
+ - mongodb_conf:/data/configdb
+ networks: 
+ - app
+
+ app:
+ # image: ghcr.io/tls-attacker/anvil-web
+ image: anvil-web
+ restart: always
+ environment:
+ - PRODUCTION=1
+ ports:
+ - 5001:5001
+ networks:
+ - app
+
+ worker:
+ # image: ghcr.io/tls-attacker/tlsanvil
+ image: tls-anvil
+ restart: always
+ networks:
+ - app
+ command: ["worker", "-controller", "app:5001", "-name", "Docker Compose bundeled Worker"]
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -18,8 +18,8 @@ services:
  - app
 
  app:
- # image: ghcr.io/tls-attacker/anvil-web
- image: anvil-web
+ image: ghcr.io/tls-attacker/anvil-web:v1.0.1
+ # image: anvil-web
  restart: always
  environment:
  - PRODUCTION=1
@@ -29,9 +29,11 @@ services:
  - app
 
  worker:
- # image: ghcr.io/tls-attacker/tlsanvil:web
- image: tls-anvil
+ image: ghcr.io/tls-attacker/tlsanvil:v1.2.7
+ # image: tls-anvil
  restart: always
  networks:
  - app
+ volumes:
+ - output
  command: ["worker", "-controller", "app:5001", "-name", "Docker Compose bundeled Worker"]
diff --git a/frontend/src/assets/metadata.json b/frontend/src/assets/metadata.json
@@ -1,16 +1,4 @@
 {
- "000-000-001": {
- "description": "Implementations that receive a KeyUpdate message prior to receiving a Finished message MUST terminate the connection with an \"unexpected_message\" alert.",
- "severityLevels": {
- "Handshake": 80,
- "Interoperability": 80,
- "Alert": 60
- },
- "rfc": {
- "number": 8446,
- "section": "4.6.3. Key and Initialization Vector Update"
- }
- },
  "XLF-7iivb12njd": {
  "description": "Send a Certificate Message with a modified length value (-1)",
  "severityLevels": {
@@ -1842,7 +1830,7 @@
  "sendEmptyRecordFinished"
  ]
  },
- "XXX-GFtKDMr9x7": {
+ "5246-GFtKDMr9x7": {
  "description": "The cipher suite list, passed from the client to the server in the ClientHello message, contains the combinations of cryptographic algorithms supported by the client in order of the client's preference (favorite choice first).",
  "severityLevels": {
  "Security": 80,
@@ -1860,7 +1848,7 @@
  "supportsMoreCiphersuitesThanAdvertised"
  ]
  },
- "XXX-DZsWLPbTuc": {
+ "5246-DZsWLPbTuc": {
  "description": "The cipher suite list, passed from the client to the server in the ClientHello message, contains the combinations of cryptographic algorithms supported by the client in order of the client's preference (favorite choice first).",
  "severityLevels": {
  "Handshake": 60,
@@ -2941,7 +2929,7 @@
  "beginWithApplicationData"
  ]
  },
- "XXX-FnJguFLqcc": {
+ "8446-FnJguFLqcc": {
  "description": "cipher_suites: A list of the symmetric cipher options supported by the client, specifically the record protection algorithm (including secret key length) and a hash to be used with HKDF, in descending order of client preference.",
  "severityLevels": {
  "Security": 80,
@@ -2959,7 +2947,7 @@
  "supportsMoreCipherSuitesThanAdvertised"
  ]
  },
- "XXX-CFyJvy1SNZ": {
+ "8446-CFyJvy1SNZ": {
  "description": "For this to work, implementations MUST correctly handle extensible fields:[...] A client sending a ClientHello MUST support all parameters advertised in it.",
  "severityLevels": {
  "Security": 80,
@@ -7792,5 +7780,150 @@
  "StateMachine",
  "sendClientHelloAfterFinishedHandshake"
  ]
+ },
+ "6347-GeZa64E0Nt": {
+ "description": "For each received record, the receiver MUST verify that the record contains a sequence number that does not duplicate the sequence number of any other record received during the life of this session.",
+ "severityLevels": {
+ "Handshake": 100,
+ "Interoperability": 100
+ },
+ "rfc": {
+ "number": 6347,
+ "section": "4.1.2.6. Anti-Replay"
+ },
+ "tags": [
+ "both",
+ "dtls12",
+ "rfc6347",
+ "AntiReplay",
+ "sequenceNumberNotDuplicated"
+ ]
+ },
+ "6347-rMf9lpA6G3": {
+ "description": "If the MAC validation fails, the receiver MUST discard the received record as invalid.",
+ "severityLevels": {
+ "Handshake": 100,
+ "Interoperability": 100
+ },
+ "rfc": {
+ "number": 6347,
+ "section": "4.1.2.6. Anti-Replay"
+ },
+ "tags": [
+ "both",
+ "dtls12",
+ "rfc6347",
+ "AntiReplay",
+ "invalidMAC"
+ ]
+ },
+ "6347-76Jna7IPv8": {
+ "description": "DTLS 1.2 and 1.0 clients MUST use the version solely to indicate packet formatting (which is the same in both DTLS 1.2 and 1.0) and not as part of version negotiation.",
+ "severityLevels": {
+ "Handshake": 100,
+ "Interoperability": 100
+ },
+ "rfc": {
+ "number": 6347,
+ "section": "4.2.1. Denial-of-Service Countermeasures"
+ },
+ "tags": [
+ "server",
+ "dtls12",
+ "rfc6347",
+ "DoS",
+ "negotiateDtls12viaRecordHeader"
+ ]
+ },
+ "6347-tT9LA2Ba7T": {
+ "description": "When responding to a HelloVerifyRequest, the client MUST use the same parameter values (version, random, session_id, cipher_suites, compression_method) as it did in the original ClientHello.",
+ "addToSecondRfcRef" : "4.2.1. Denial-of-Service Countermeasures -- The client MUST retransmit the ClientHello with the cookie added.",
+ "severityLevels": {
+ "Handshake": 100,
+ "Interoperability": 100
+ },
+ "rfc": {
+ "number": 6347,
+ "section": "4.2.1. Denial-of-Service Countermeasures"
+ },
+ "tags": [
+ "client",
+ "dtls12",
+ "rfc6347",
+ "DoS",
+ "responseToHelloVerifyRequest"
+ ]
+ },
+ "6347-z0AiXbV3Y6": {
+ "description": "The server MUST use the same version number in the HelloVerifyRequest that it would use when sending a ServerHello.",
+ "severityLevels": {
+ "Handshake": 100,
+ "Interoperability": 100
+ },
+ "rfc": {
+ "number": 6347,
+ "section": "4.2.1. Denial-of-Service Countermeasures"
+ },
+ "tags": [
+ "server",
+ "dtls12",
+ "rfc6347",
+ "DoS",
+ "sameVersionNumberServerHello"
+ ]
+ },
+ "6347-5R0A5tlkOm": {
+ "description": "In order to avoid sequence number duplication in case of multiple HelloVerifyRequests, the server MUST use the record sequence number in the ClientHello as the record sequence number in the HelloVerifyRequest.",
+ "severityLevels": {
+ "Handshake": 100,
+ "Interoperability": 100
+ },
+ "rfc": {
+ "number": 6347,
+ "section": "4.2.1. Denial-of-Service Countermeasures"
+ },
+ "tags": [
+ "server",
+ "dtls12",
+ "rfc6347",
+ "DoS",
+ "clientSequenceNumberInHelloVerifyRequest"
+ ]
+ },
+ "6347-56hL9Blfzp": {
+ "description": "In order to avoid sequence number duplication in case of multiple cookie exchanges, the server MUST use the record sequence number in the ClientHello as the record sequence number in its initial ServerHello.",
+ "severityLevels": {
+ "Handshake": 100,
+ "Interoperability": 100
+ },
+ "rfc": {
+ "number": 6347,
+ "section": "4.2.1. Denial-of-Service Countermeasures"
+ },
+ "tags": [
+ "server",
+ "dtls12",
+ "rfc6347",
+ "DoS",
+ "sequenceNumberFromClientHelloInServerHello"
+ ]
+ },
+ "6347-g65TNbT3uV": {
+ "description": "The server then verifies the cookie and proceeds with the handshake only if it is valid.",
+ "severityLevels": {
+ "Handshake": 100,
+ "Interoperability": 100
+ },
+ "rfc": {
+ "number": 6347,
+ "section": "4.2.1. Denial-of-Service Countermeasures"
+ },
+ "tags": [
+ "server",
+ "dtls12",
+ "rfc6347",
+ "DoS",
+ "invalidClientHelloCookie"
+ ]
  }
-}
+}
diff --git a/readme.md b/readme.md
@@ -5,6 +5,10 @@ Anvil Web is a web interface for [Anvil Projects](https://github.com/tls-attacke
 Currently Anvil Web supports only the following application specific implementations of Anvil Core:
  - [TLS-Anvil](https://github.com/tls-attacker/TLS-Anvil)
 
+## Quick Start
+To run quickly run Anvil-Web to analyze a report or start a test, download the `docker-compose.yml` file from the root of this project and run `docker compose up -d`.
+After that you should be able to go to http://localhost:5001/ to see the web interface.
+
 ## Building
 ### Docker (recommanded)
 This project is easiest built by using the supplied Dockerfile.
@@ -37,6 +41,9 @@ docker compose up -d
 ```
 After starting, the web interface is acessible via http://localhost:5001/
 
+The normal compose file grabs the pre-built image from our registry. If you want to run your locally built image use `docker-compose-dev.yml`.
+You can comment out or delete the worker client if you don't need that functionallity.
+
 ### Docker
 Anvil Web needs a mongodb database to run.
 The create the database using docker you can use the commands