fixup! Web security audit base pipeline

This commit is contained in:
wpetit 2019-04-29 16:46:17 +02:00
parent a61c9485c3
commit 36165719d4
4 changed files with 66 additions and 111 deletions


@ -11,10 +11,7 @@ image-w3af:
interactive-w3af:
docker run \
-it --rm \
-e HTTP_PROXY=$(HTTP_PROXY) \
-e HTTPS_PROXY=$(HTTPS_PROXY) \
-e http_proxy=$(http_proxy) \
-e https_proxy=$(https_proxy) \
--net host \
-v "$(PWD)/resources/com/cadoles/w3af/audit.w3af.tmpl:/home/w3af/w3af/audit.w3af.tmpl:ro" \
jenkins-w3af:latest \
/bin/sh
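Review bot: `--net host` drops the container's network namespace isolation for an interactive scanner shell, and it is not explained in the target: the rfi listener configured in the template (`0.0.0.0`, port 44449) would then bind directly on the Jenkins/dev host's interfaces, and the shell inside can reach any localhost-bound service on that host. If the only reason is that the scanned target must be able to reach the rfi listener, `-p 44449:44449` gives that without the rest, and the choice should be recorded either way, e.g. `# --net host: the rfi plugin listener (port 44449) must be reachable from the scanned target`. The hunk header's line counts suggest the four proxy env lines are the removed side and `--net host` the added one; if that is right, note in the same comment that corporate proxies are now expected to be configured on the host rather than passed in.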


@ -1,87 +0,0 @@
@Library("cadoles") _
pipeline {
agent {
label 'common'
}
parameters {
string(
name: 'packageName',
description: 'Nom du paquet à installer'
)
string(
name: 'packageVersion',
defaultValue: '',
description: 'Version du paquet à installer'
)
string(
name: 'packageRepository',
description: 'Dépôt de paquets à utiliser sur Vulcain'
)
string(
name: 'vmTemplate',
description: 'Template OpenNebula de la VM à utiliser pour le test d\'installation'
)
}
stages {
stage("Check parameters") {
steps {
script {
if (!params.url?.trim()) {
error("L'URL du paquet n'est pas définie !")
}
}
}
}
stage("Test URL") {
steps {
script {
def w3afImage = buildDockerImage()
def dockerArgs = """
"""
tamarinImage.inside(dockerArgs) {
sh './w3af_console '
}
}
}
}
}
post {
failure {
wrap([$class: 'BuildUser']) {
rocketSend (
avatar: 'https://jenkins.cadol.es/static/b5f67753/images/headshot.png',
message: """
Le test de sécurité sur l'URL `${params.url}` a échoué:
[Voir le job](${env.RUN_DISPLAY_URL})
@${env.BUILD_USER_ID ? env.BUILD_USER_ID : 'here'}
""".stripIndent(),
rawMessage: true
)
}
}
}
}
def buildDockerImage() {
dir ('.w3af') {
def dockerfile = libraryResource 'com/cadoles/w3af/Dockerfile'
writeFile file:'Dockerfile', text:dockerfile
def audit = libraryResource 'com/cadoles/w3af/audit.w3af'
writeFile file:'audit.w3af', text:audit
def safeJobName = URLDecoder.decode(env.JOB_NAME).toLowerCase().replace('/', '-').replace(' ', '-')
def imageTag = "${safeJobName}-${env.BUILD_ID}"
return docker.build("w3af:${imageTag}", ".")
}
}


@ -2,7 +2,7 @@
# W3AF AUDIT SCRIPT FOR WEB APPLICATION
# -----------------------------------------------------------------------------------------------------------
#Configure HTTP settings
# Configure HTTP settings
http-settings
set timeout {{ default 10 .W3AF_TIMEOUT }}
{{ if .W3AF_BASIC_AUTH_USERNAME }}
@ -14,7 +14,7 @@ set basic_auth_domain {{ .W3AF_BASIC_AUTH_DOMAIN }}
{{ end }}
back
#Configure scanner global behaviors
# Configure scanner global behaviors
misc-settings
set max_discovery_time {{ default 10 .W3AF_MAX_DISCOVERY_TIME }}
set fuzz_cookies True
@ -29,8 +29,16 @@ back
plugins
# Configure rfi plugin
audit rfi
audit config rfi
set listen_address "0.0.0.0"
set listen_port 44449
set use_w3af_site True
back
{{ if .W3AF_AUTH_FORM_URL }}
#Configure target authentication
# Configure target authentication
auth detailed
auth config detailed
set username {{ .W3AF_AUTH_FORM_USERNAME }}
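Review bot: The new rfi block hard-codes `listen_address "0.0.0.0"`, `listen_port 44449` and `use_w3af_site True` while every other setting in this template is driven by a `{{ default … .W3AF_* }}` variable, so the listener cannot be bound to a single interface or moved off a busy port per job. Binding on all interfaces matters because the Makefile hunk runs the same image with `--net host`, which puts this listener straight on the host network. Making these consistent with the rest of the file would be `set listen_address {{ default "0.0.0.0" .W3AF_RFI_LISTEN_ADDRESS }}`, `set listen_port {{ default 44449 .W3AF_RFI_LISTEN_PORT }}` and `set use_w3af_site {{ default "True" .W3AF_RFI_USE_W3AF_SITE }}` (the other templated values are rendered unquoted, so the quotes around the address are presumably not required — verify against w3af's parser). If `use_w3af_site` does what its name suggests, the scan also depends on an external site hosting the RFI payloads and tells that site which target is being audited; a one-line comment stating that trade-off belongs above the block.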
@ -46,7 +54,7 @@ back
{{end}}
#Configure reporting in order to generate an HTML report
# Configure reporting in order to generate an HTML report
output console, html_file
output config html_file
set output_file reports/report{{- if .W3AF_REPORT_SUFFIX -}}_{{- .W3AF_REPORT_SUFFIX -}}{{- end -}}.html
@ -58,7 +66,7 @@ set verbose {{ default "False" .W3AF_VERBOSE }}
back
back
#Set target informations, do a cleanup and run the scan
# Set target informations, do a cleanup and run the scan
target
set target {{ .W3AF_TARGET_URL }}
set target_os {{ default "unix" .W3AF_TARGET_OS }}


@ -86,6 +86,7 @@ def call() {
-e W3AF_AUTH_FORM_USERNAME_FIELD='${params.authFormUsernameField}'
-e W3AF_AUTH_FORM_PASSWORD_FIELD='${params.authFormPasswordField}'
"""
w3afImage.inside(dockerArgs) {
sh 'mkdir -p reports'
sh 'rm -f reports/*'
@ -95,6 +96,44 @@ def call() {
}
}
}
stage("Check discovered vulnerabilities") {
steps {
script {
def totalMediumVulnerabilities = sh(
script: "grep 'MEDIUM' report.html | wc -l",
returnStdout: true
).toInteger()
def totalHighVulnerabilities = sh(
script: "grep 'HIGH' report.html | wc -l",
returnStdout: true
).toInteger()
if (totalHighVulnerabilities == 0 && totalMediumVulnerabilities == 0) {
return
}
wrap([$class: 'BuildUser']) {
rocketSend (
avatar: 'https://jenkins.cadol.es/static/b5f67753/images/headshot.png',
message: """
Des vulnérabilités ont é trouvées lors de l'audit de l'URL `${params.targetUrl}`:
- Criticité HAUTE: ${totalHighVulnerabilities} vulnérabilité(s) trouvée(s)
- Criticité MOYENNNE: ${totalMediumVulnerabilities} vulnérabilité(s) trouvée(s)
[Voir le job](${env.RUN_DISPLAY_URL})
@${env.BUILD_USER_ID ? env.BUILD_USER_ID : 'here'}
""".stripIndent(),
rawMessage: true
)
}
}
}
}
}
post {
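Review bot: The counting commands in "Check discovered vulnerabilities" read `report.html` in the workspace root, but the template writes the report to `reports/report<suffix>.html` and the earlier steps create the `reports/` directory, so both greps most likely match nothing, `wc -l` masks grep's non-zero exit, and the stage silently reports zero findings. Pointing them at the actual file, `script: "grep 'MEDIUM' reports/*.html | wc -l"` and `script: "grep 'HIGH' reports/*.html | wc -l"`, fixes the path; counting lines that merely contain the substring will still over- or under-count if the HTML lists several findings on one line or uses the word elsewhere, so the count is best labelled as approximate in the message. The stage also never changes the build result when HIGH findings exist — if the intent is a gate rather than a notification, an `unstable(...)` or `error(...)` call after the notification should say so explicitly. The enclosing `call()` body starts before this hunk.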
@ -108,21 +147,19 @@ def call() {
reportName: "Rapport d'audit"
]
}
// failure {
// wrap([$class: 'BuildUser']) {
// rocketSend (
// avatar: 'https://jenkins.cadol.es/static/b5f67753/images/headshot.png',
// message: """
// Le test de sécurité pour `${params.targetUrl}` a échoué:
// [Voir le job](${env.RUN_DISPLAY_URL})
// @${env.BUILD_USER_ID ? env.BUILD_USER_ID : 'here'}
// """.stripIndent(),
// rawMessage: true
// )
// }
// }
failure {
rocketSend (
avatar: 'https://jenkins.cadol.es/static/b5f67753/images/headshot.png',
message: """
Le test de sécurité pour `${params.targetUrl}` a échoué:
[Voir le job](${env.RUN_DISPLAY_URL})
@${env.BUILD_USER_ID ? env.BUILD_USER_ID : 'here'}
""".stripIndent(),
rawMessage: true
)
}
}
}