New tests messages format, also add call2action and url
aesedepece committed Feb 7, 2017
1 parent 98daa07 commit 114a81e
Showing 1 changed file with 101 additions and 59 deletions.
160 changes: 101 additions & 59 deletions rsc/tests.json
@@ -4,147 +4,181 @@
"title": "MongoDB listens on a port different to default one",
"caption": "Using the default MongoDB port makes it too easy for potential attackers to locate and target your server.",
"severity": 2,
"message": ["Your server is listening on default port 27017. Please read this guide on how to change the listening port.",
"messages": ["Your server is listening on default port 27017.",
"Your server is listening in a non-obvious port. Well done."
]
],
"call2action": "Please read [[this guide on how to change the listening port]].",
"url": "https://medium.com/mongoaudit/how-to-change-mongodb-default-listening-port-27017-92e35f65670e"
}, {
"test_name": "2",
"title": "Server only accepts connections from whitelisted hosts / networks",
"caption": "Best practice is to only listen to incoming connections whose originating IP belongs to the applications or systems that are intended to use the database. This protects your server from denial-of-service attacks and some other vulnerabilities that may be present on other services running on the same device.",
"severity": 1,
"message": ["Your server does accept connections from unauthorized hosts. Read this guide on how to create whitelists and block unauthorized hosts.",
"messages": ["Your server does accept connections from unauthorized hosts.",
"Your server does not accept connections from unauthorized hosts. Well done."
],
"breaks": true
"breaks": true,
"call2action": "Please read [[this guide on how to create whitelists and block unauthorized hosts]].",
"url": "https://medium.com/mongoaudit/how-to-configure-allowed-hosts-firewall-whitelist-and-blacklist-in-mongodb-84434ed02d3a"
}, {
"test_name": "3",
"title": "MongoDB HTTP status interface is not accessible on port 28017",
"caption": "HTTP status interface should be disabled in production environments to prevent potential data exposure and vulnerability to attackers.",
"severity": 0,
"message": ["HTTP status interface is enabled. Please read this guide on how to disable MongoDB HTTP status interface.",
"messages": ["HTTP status interface is enabled.",
"HTTP status interface is disabled. Well done."
]
],
"call2action": "Please [[read this guide on how to disable MongoDB HTTP status interface]].",
"url": "https://medium.com/mongoaudit/how-to-disable-mongodb-http-status-interface-and-rest-api-63e9686cb965"
}, {
"test_name": "4",
"title": "MongoDB is not exposing its version number",
"caption": "Publicly exposing the version number makes it too easy for potential attackers to immediately exploit known vulnerabilities.",
"severity": 2,
"message": ["MongoDB version number is exposed. This could be solved using a reverse proxy.",
"messages": ["MongoDB version number is exposed. This could be solved by putting a reverse proxy between MongoDB and the Internet.",
"MongoDB is hiding its version number. Well done."
]
}, {
"test_name": "5",
"title": "MongoDB version is newer than 2.4",
"caption": "MongoDB versions equal and prior to 2.4 amass an alarming number of security issues that make them specially vulnerable to injection and denial of service attacks.",
"severity": 0,
"message": [
["You are running MongoDB version ", ", which is highly vulnerable. Please read this guide on how to upgrade to MongoDB's latest stable version and consider upgrading as soon as possible."],
"messages": [
["You are running MongoDB version ", ", which is highly vulnerable."],
["You are running MongoDB version ", ". Well done."]
]
],
"call2action": "Please read [[this guide on how to upgrade to MongoDB's latest stable version]] and consider upgrading as soon as possible.",
"url": "https://medium.com/mongoaudit/how-to-upgrade-mongodb-to-latest-stable-version-9607266834cf"
}, {
"test_name": "6",
"title": "TLS/SSL encryption is enabled",
"caption": "Enable TLS/SSL in-flight encryption to authenticate and encrypt connections between your MongoDB server and apps to avoid eavesdropping, tampering and “man in the middle” attacks.",
"severity": 0,
"message": ["TLS/SSL encryption is NOT enabled and your connections are unprotected from eavesdropping. Please read this guide on how to enable TLS/SSL encryption on MongoDB.",
"messages": ["TLS/SSL encryption is NOT enabled and your connections are unprotected from eavesdropping.",
"TLS/SSL enryption is enabled and your connections are safe from eavesdropping. Well done."
]
],
"call2action": "Please read [[this guide on how to enable TLS/SSL encryption on MongoDB]].",
"url": "https://medium.com/mongoaudit/how-to-enable-tls-ssl-on-mongodb-d973a92cefa6"
}, {
"test_name": "7",
"title": "authentication is enabled",
"caption": "Authentication requires that all clients provide valid credentials before they can connect to the server. All production servers MUST use authentication.",
"severity": 0,
"message": ["Authentication is NOT enabled. You are inviting everyone out there to enter your databases, seize everything and potentially ransom you for your data. Please read this guide on how to enable authentication on MongoDB.",
"messages": ["Authentication is NOT enabled. You are inviting everyone out there to enter your databases, seize everything and potentially ransom you for your data.",
"Authentication is enabled. Well done."
]
],
"call2action": "Please read [[this guide on how to enable authentication on MongoDB]]."
"url": "https://medium.com/mongoaudit/how-to-enable-authentication-on-mongodb-b9e8a924efac"
}, {
"test_name": "13",
"title": "vulnerable to security bug CVE-2015-7882 (December 01, 2015)",
"caption": "This bug allows unauthorized access to a MongoDB instance or cluster when using LDAP authentication.",
"severity": 0,
"message": [
["Your specific MongoDB version (", ") IS vulnerable to this bug. Please read this guide on how to upgrade to MongoDB's latest stable version and consider upgrading as soon as possible."], "Your server is not vulnerable to this bug. Well done."
]
"messages": [
["Your specific MongoDB version (", ") IS vulnerable to this bug."], "Your server is not vulnerable to this bug. Well done."
],
"call2action": "Please read [[this guide on how to upgrade to MongoDB's latest stable version]] and consider upgrading as soon as possible.",
"url": "https://medium.com/mongoaudit/how-to-upgrade-mongodb-to-latest-stable-version-9607266834cf"
}, {
"test_name": "14",
"title": "vulnerable to security bug CVE-2015-2705 (March 27, 2015)",
"caption": "This bug allows to remotely trigger a denial of service (crash) due to failure to check for a missing value.",
"severity": 0,
"message": [
["Your specific MongoDB version (", ") IS vulnerable to this bug. Please read this guide on how to upgrade to MongoDB's latest stable version and consider upgrading as soon as possible."], "Your server is not vulnerable to this bug. Well done."
]
"messages": [
["Your specific MongoDB version (", ") IS vulnerable to this bug."], "Your server is not vulnerable to this bug. Well done."
],
"call2action": "Please read [[this guide on how to upgrade to MongoDB's latest stable version]] and consider upgrading as soon as possible.",
"url": "https://medium.com/mongoaudit/how-to-upgrade-mongodb-to-latest-stable-version-9607266834cf"
}, {
"test_name": "15",
"title": "vulnerable to security bug CVE-2014-8964 (March 25, 2015)",
"caption": "This bug allows to remotely trigger a denial of service (crash) via a specially crafted regular expression.",
"severity": 0,
"message": [
["Your specific MongoDB version (", ") IS vulnerable to this bug. Please read this guide on how to upgrade to MongoDB's latest stable version and consider upgrading as soon as possible."], "Your server is not vulnerable to this bug. Well done."
]
"messages": [
["Your specific MongoDB version (", ") IS vulnerable to this bug."], "Your server is not vulnerable to this bug. Well done."
],
"call2action": "Please read [[this guide on how to upgrade to MongoDB's latest stable version]] and consider upgrading as soon as possible.",
"url": "https://medium.com/mongoaudit/how-to-upgrade-mongodb-to-latest-stable-version-9607266834cf"
}, {
"test_name": "16",
"title": "vulnerable to security bug CVE-2015-1609 (February 25, 2015)",
"caption": "This bug allows to a specially crafted, malformed BSON message to trigger an uncaught exception in the server, resulting in a loss of availability.",
"severity": 0,
"message": [
["Your specific MongoDB version (", ") IS vulnerable to this bug. Please read this guide on how to upgrade to MongoDB's latest stable version and consider upgrading as soon as possible."], "Your server is not vulnerable to this bug. Well done."
]
"messages": [
["Your specific MongoDB version (", ") IS vulnerable to this bug."], "Your server is not vulnerable to this bug. Well done."
],
"call2action": "Please read [[this guide on how to upgrade to MongoDB's latest stable version]] and consider upgrading as soon as possible.",
"url": "https://medium.com/mongoaudit/how-to-upgrade-mongodb-to-latest-stable-version-9607266834cf"
}, {
"test_name": "17",
"title": "vulnerable to security bug CVE-2014-3971 (June 17, 2014)",
"caption": "This bug allows to remotely trigger a crash when X.509 authentication is enabled.",
"severity": 0,
"message": [
["Your specific MongoDB version (", ") IS vulnerable to this bug. Please read this guide on how to upgrade to MongoDB's latest stable version and consider upgrading as soon as possible."], "Your server is not vulnerable to this bug. Well done."
]
"messages": [
["Your specific MongoDB version (", ") IS vulnerable to this bug."], "Your server is not vulnerable to this bug. Well done."
],
"call2action": "Please read [[this guide on how to upgrade to MongoDB's latest stable version]] and consider upgrading as soon as possible.",
"url": "https://medium.com/mongoaudit/how-to-upgrade-mongodb-to-latest-stable-version-9607266834cf"
}, {
"test_name": "18",
"title": "vulnerable to security bug CVE-2014-2917 (May 05, 2014)",
"caption": "This bug causes accidental information disclosure of user credentials.",
"severity": 0,
"message": [
["Your specific MongoDB version (", ") IS vulnerable to this bug. Please read this guide on how to upgrade to MongoDB's latest stable version and consider upgrading as soon as possible."], "Your server is not vulnerable to this bug. Well done."
]
"messages": [
["Your specific MongoDB version (", ") IS vulnerable to this bug."], "Your server is not vulnerable to this bug. Well done."
],
"call2action": "Please read [[this guide on how to upgrade to MongoDB's latest stable version]] and consider upgrading as soon as possible.",
"url": "https://medium.com/mongoaudit/how-to-upgrade-mongodb-to-latest-stable-version-9607266834cf"
}, {
"test_name": "19",
"title": "vulnerable to security bug CVE-2013-4650 (June 20, 2013)",
"caption": "This bug allows to improperly grant user system privileges on databases other than local.",
"severity": 0,
"message": [
["Your specific MongoDB version (", ") IS vulnerable to this bug. Please read this guide on how to upgrade to MongoDB's latest stable version and consider upgrading as soon as possible."], "Your server is not vulnerable to this bug. Well done."
]
"messages": [
["Your specific MongoDB version (", ") IS vulnerable to this bug."], "Your server is not vulnerable to this bug. Well done."
],
"call2action": "Please read [[this guide on how to upgrade to MongoDB's latest stable version]] and consider upgrading as soon as possible.",
"url": "https://medium.com/mongoaudit/how-to-upgrade-mongodb-to-latest-stable-version-9607266834cf"
}, {
"test_name": "20",
"title": "vulnerable to security bug CVE-2013-3969 (June 05, 2013)",
"caption": "This bug allows to remotely trigger a segmentation fault in the Javascript engine.",
"severity": 0,
"message": [
["Your specific MongoDB version (", ") IS vulnerable to this bug. Please read this guide on how to upgrade to MongoDB's latest stable version and consider upgrading as soon as possible."], "Your server is not vulnerable to this bug. Well done."
]
"messages": [
["Your specific MongoDB version (", ") IS vulnerable to this bug."], "Your server is not vulnerable to this bug. Well done."
],
"call2action": "Please read [[this guide on how to upgrade to MongoDB's latest stable version]] and consider upgrading as soon as possible.",
"url": "https://medium.com/mongoaudit/how-to-upgrade-mongodb-to-latest-stable-version-9607266834cf"
}, {
"test_name": "21",
"title": "vulnerable to security bug CVE-2012-6619 (March 06, 2014)",
"caption": "This bug allows remote authenticated users to cause a denial of service (crash) or read system memory via a crafted BSON object in the column name in an insert command, which triggers a buffer over-read.",
"severity": 0,
"message": [
["Your specific MongoDB version (", ") IS vulnerable to this bug. Please read this guide on how to upgrade to MongoDB's latest stable version and consider upgrading as soon as possible."], "Your server is not vulnerable to this bug. Well done."
]
"messages": [
["Your specific MongoDB version (", ") IS vulnerable to this bug."], "Your server is not vulnerable to this bug. Well done."
],
"call2action": "Please read [[this guide on how to upgrade to MongoDB's latest stable version]] and consider upgrading as soon as possible.",
"url": "https://medium.com/mongoaudit/how-to-upgrade-mongodb-to-latest-stable-version-9607266834cf"
}, {
"test_name": "22",
"title": "vulnerable to security bug CVE-2013-1892 (Oct 01, 2013)",
"caption": "This bug allows remote authenticated users to cause a denial of service (invalid memory access and server crash) or execute arbitrary code via a crafted memory address in the first argument.",
"severity": 0,
"message": [
["Your specific MongoDB version (", ") IS vulnerable to this bug. Please read this guide on how to upgrade to MongoDB's latest stable version and consider upgrading as soon as possible."], "Your server is not vulnerable to this bug. Well done."
]
"messages": [
["Your specific MongoDB version (", ") IS vulnerable to this bug."], "Your server is not vulnerable to this bug. Well done."
],
"call2action": "Please read [[this guide on how to upgrade to MongoDB's latest stable version]] and consider upgrading as soon as possible.",
"url": "https://medium.com/mongoaudit/how-to-upgrade-mongodb-to-latest-stable-version-9607266834cf"
}, {
"test_name": "23",
"title": "vulnerable to security bug CVE-2013-2132 (Aug 15, 2013)",
"caption": "This bug allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to decoding of an \"invalid DBRef\".",
"severity": 0,
"message": [
["Your specific MongoDB version (", ") IS vulnerable to this bug. Please read this guide on how to upgrade to MongoDB's latest stable version and consider upgrading as soon as possible."], "Your server is not vulnerable to this bug. Well done."
]
"messages": [
["Your specific MongoDB version (", ") IS vulnerable to this bug."], "Your server is not vulnerable to this bug. Well done."
],
"call2action": "Please read [[this guide on how to upgrade to MongoDB's latest stable version]] and consider upgrading as soon as possible.",
"url": "https://medium.com/mongoaudit/how-to-upgrade-mongodb-to-latest-stable-version-9607266834cf"
}],
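Review bot: test 7 (authentication) is missing the comma after its new "call2action" line, so `"call2action": "Please read [[this guide on how to enable authentication on MongoDB]]."` is followed directly by `"url": "https://medium.com/mongoaudit/how-to-enable-authentication-on-mongodb-b9e8a924efac"` and rsc/tests.json no longer parses as JSON; add the trailing comma as every other test in this hunk has it. Two smaller points in the same hunk: the new success message for test 6 reads "TLS/SSL enryption is enabled" (typo for "encryption"), and test 4 (version number exposed) is the only test whose remediation advice stays inline in the failure message ("This could be solved by putting a reverse proxy between MongoDB and the Internet.") instead of moving to "call2action"/"url", so a consumer that renders those two fields uniformly will show no fix for it. Test 1's success message should also say "listening on a non-obvious port", not "in".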


@@ -153,7 +187,7 @@
"title": "authentication credentials are valid",
"caption": "To continue running the tests, the provided credentials must be valid.",
"severity": 0,
"message": ["Invalid authentication credentials. Can not continue with the tests. Please provide valid credentials.",
"messages": ["Invalid authentication credentials. Can not continue with the tests. Please provide valid credentials.",
"Provided authentication credentials are valid. Testing will continue."
],
"breaks": false
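Review bot: the failure message here says "Can not continue with the tests" while the test keeps `"breaks": false`, whereas test 2 in the first hunk, whose failure also prevents the scan from going further, carries `"breaks": true`; please confirm what "breaks" means to the runner and make the credentials test consistent with it, since invalid credentials cannot let the remaining authenticated tests run. While touching the line, "Can not" should be "Cannot".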
@@ -162,36 +196,44 @@
"title": "SCRAM-SHA-1 authentication method is enabled",
"caption": "SCRAM-SHA-1 is more secure than the previously-used MONGODB-CR authentication method, given that it provides a tunable work factor, per-user random salts, stronger hashes (SHA-1 rather than MD5), and bidirectional authentication.",
"severity": 0,
"message": [
"SCRAM-SHA-1 is NOT enabled. Please read this guide on how to use SCRAM-SHA1 as the default authentication method in MongoDB.",
"messages": [
"SCRAM-SHA-1 is NOT enabled.",
"SCRAM-SHA-1 is enabled and being used. Well done."
]
],
"call2action": "Please read [[this guide on how to use SCRAM-SHA1 as the default authentication method in MongoDB]].",
"url": "https://medium.com/mongoaudit/how-to-use-scram-sha1-as-authentication-method-in-mongodb-580f7251168"
}, {
"test_name": "9",
"title": "server-side Javascript is forbidden",
"caption": "Running Javascript inside queries makes MongoDB powerful but also vulnerable to injection and denial-of-service attacks. Javascript should be always disabled unless it is strictly needed by your application.",
"severity": 0,
"message": ["Usage of Javascript IS allowed inside queries, which is potentially harmful. Please read this guide on how to disable server-side Javascript.",
"messages": ["Usage of Javascript IS allowed inside queries, which is potentially harmful.",
"Usage of Javascript is not allowed inside queries. Well done."
]
],
"call2action": "Please read [[this guide on how to disable server-side Javascript]].",
"url": "https://medium.com/mongoaudit/how-to-disable-server-side-javascript-on-mongodb-a099fc0b8f75"
}, {
"test_name": "10",
"title": "roles granted to the provided user only permit CRUD operations",
"caption": "Your user should only be allowed to perform CRUD (Create, Replace, Update and Delete) operations. Granting database administration roles such as “dbAdmin”, “dbOwner” or “userAdmin” is a huge risk for data integrity.",
"severity": 0,
"message": [
["The permissions contained in your user's role set ", " are way too high. Please read this guide on roles and permissions best practices."],
"messages": [
["The permissions contained in your user's role set ", " are way too high."],
["The permissions contained in your user's role set ", " are sensible. Well done."],
["", ""]
]
],
"call2action": "Please read [[this guide on roles and permissions best practices]].",
"url": "https://medium.com/mongoaudit/mongodb-user-credentials-best-practices"
}, {
"test_name": "11",
"title": "the provided user has permissions over a single database",
"caption": "",
"severity": 0,
"message": [
["The provided user has permissions over ", " databases. Please read this guide on roles and permissions best practices."],
"messages": [
["The provided user has permissions over ", " databases."],
["The provided user only has permissions over “", "“ database. Well done."]
]
],
"call2action": "Please read [[this guide on roles and permissions best practices]].",
"url": "https://medium.com/mongoaudit/mongodb-user-credentials-best-practices"
}]
}
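Review bot: test 11's new success message uses two opening curly quotes, `["The provided user only has permissions over “", "“ database. Well done."]`; the second should be the closing quote ” so the database name renders as “name”. Also in this hunk: test 8's call2action spells the mechanism "SCRAM-SHA1" while its title and messages use "SCRAM-SHA-1"; the third entry `["", ""]` in test 10's messages array is an undocumented empty placeholder, so say which result index it serves or drop it; test 10's caption expands CRUD as "Create, Replace, Update and Delete" where the R stands for Read; and the "url" values for tests 10 and 11 (https://medium.com/mongoaudit/mongodb-user-credentials-best-practices) lack the article id suffix every other medium.com link carries, so please verify they resolve.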
