JSONDecodeError when using sslyze 4.0.4
d-steffan opened this issue
faraday-cli: 1.0.2
sslyze: 4.0.4
The checked webserver exists and calling sslyze without faraday-cli returns valid results. The JSON at /usr/bin/faraday-cli/None is saved and contains valid data.
faraday-cli sslyze 127.0.0.1:8834
Processing Sslyze JSON command
<sslyze stuff>
Wrote JSON output to "/usr/bin/faraday-cli/None".
EXCEPTION of type 'JSONDecodeError' occurred with message: 'Expecting value: line 2 column 2 (char 2)'
The first few lines (head) of the JSON file are:
{
    "server_connectivity_errors": [],
    "server_scan_results": [
        {
            "scan_commands": [
                "certificate_info",
                "elliptic_curves",
                "heartbleed",
                "openssl_ccs_injection",
                "robot",
In case the char used for indentation is the problem, here's the hexdump of head:
You executed a sslyze command and that generated the error and created a file called "/usr/bin/faraday-cli/None"??
Can you send us the full command (change the domain or other sensitive information)?
If I process_report it also fails unless I change the extension to .json:
[ws:testcli]> process_report /usr/bin/faraday-cli/None
Failed to detect report: /usr/bin/faraday-cli/None
[ws:testcli]> shell mv /usr/bin/faraday-cli/None /usr/bin/faraday-cli/None.json
[ws:testcli]> process_report /usr/bin/faraday-cli/None.json
Processing Sslyze JSON report
Sending data to workspace: testcli
Done
Unfortunately setting the json_out in sslyze doesn't work for faraday, it always exports the file as "None".
The full command is in my first comment:
faraday-cli sslyze 127.0.0.1:8834
[ws:testcli]> sslyze 127.0.0.1:8834 --json_out=/tmp/sslyze-report.json
Processing Sslyze JSON command
CHECKING HOST(S) AVAILABILITY
-----------------------------
127.0.0.1:8834 => 127.0.0.1
<sslyze stuff>
SCAN COMPLETED IN 12.14 S
-------------------------
Wrote JSON output to "/usr/bin/faraday-cli/None".
EXCEPTION of type 'JSONDecodeError' occurred with message: 'Expecting value: line 2 column 2 (char 2)'
Seems like faraday-cli overwrites --json_out?
Yes, the plugins generally modify the commands to send the output files to a specific place.
So the output can be parsed after.
Let me see the issue here, it's probably a bug in the sslyze plugin and not the cli.
@d-steffan Yes the bug is in the plugin.
Here is a way to debug: with faraday-plugins you can test a command and see the modified command without executing it.
faraday-plugins process-command -dr "sslyze 127.0.0.1:8834"
Command: sslyze --json_out None 127.0.0.1:8834
Look how it changes the command but it sets None as the output.
For a workaround run the command manually and use process_report like you did in the example.
I will open an issue in faraday-plugins.
Thanks
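The rewrite shown by `faraday-plugins process-command -dr` above can be reproduced in a few lines. This is an added example, not code from faraday-plugins and not the fix that was shipped: `rewrite_buggy`, `rewrite_fixed` and the regex are hypothetical names, and the second function shows one way to always inject a real temporary path while dropping a user-supplied `--json_out`.

```python
import os
import re
import shlex
import tempfile

# Hypothetical matcher: "sslyze" (optionally with a path) as the first token.
_SSLYZE = re.compile(r"^(?P<prefix>\S*sslyze)\s+(?P<args>.+)$")


def rewrite_buggy(command, output_path=None):
    """Reproduce the symptom: an unset path is formatted into the command."""
    m = _SSLYZE.match(command)
    if not m:
        return None
    # str(None) == "None", so sslyze writes to ./None in the working directory.
    return f"{m['prefix']} --json_out {output_path} {m['args']}"


def rewrite_fixed(command, output_dir=None):
    """Return (new_command, output_path), or None for non-sslyze commands."""
    tokens = shlex.split(command)
    if not tokens or os.path.basename(tokens[0]) != "sslyze":
        return None
    # Drop any user-supplied --json_out ("--json_out=x" and "--json_out x"),
    # because the caller has to know where the report will be written.
    args, skip = [], False
    for tok in tokens[1:]:
        if skip:
            skip = False
        elif tok == "--json_out":
            skip = True
        elif not tok.startswith("--json_out="):
            args.append(tok)
    # mkstemp creates the file with owner-only permissions, so the scan result
    # does not land in a shared or unexpected directory.
    fd, path = tempfile.mkstemp(suffix=".json", dir=output_dir)
    os.close(fd)
    return shlex.join([tokens[0], "--json_out", path, *args]), path


if __name__ == "__main__":
    print(rewrite_buggy("sslyze 127.0.0.1:8834"))
    cmd, path = rewrite_fixed("sslyze 127.0.0.1:8834 --json_out=/tmp/sslyze-report.json")
    print(cmd)
    os.remove(path)
```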
Alright, thanks for the quick response and have a nice day!
@d-steffan I have fixed the issue, run
pip install -U faraday-plugins