fixup! Web security audit base pipeline

This commit is contained in:
wpetit 2019-04-29 16:46:17 +02:00
parent a61c9485c3
commit 36165719d4
4 changed files with 66 additions and 111 deletions

View File

@ -11,10 +11,7 @@ image-w3af:
interactive-w3af: interactive-w3af:
docker run \ docker run \
-it --rm \ -it --rm \
-e HTTP_PROXY=$(HTTP_PROXY) \ --net host \
-e HTTPS_PROXY=$(HTTPS_PROXY) \
-e http_proxy=$(http_proxy) \
-e https_proxy=$(https_proxy) \
-v "$(PWD)/resources/com/cadoles/w3af/audit.w3af.tmpl:/home/w3af/w3af/audit.w3af.tmpl:ro" \ -v "$(PWD)/resources/com/cadoles/w3af/audit.w3af.tmpl:/home/w3af/w3af/audit.w3af.tmpl:ro" \
jenkins-w3af:latest \ jenkins-w3af:latest \
/bin/sh /bin/sh

View File

@ -1,87 +0,0 @@
@Library("cadoles") _
pipeline {
agent {
label 'common'
}
parameters {
string(
name: 'packageName',
description: 'Nom du paquet à installer'
)
string(
name: 'packageVersion',
defaultValue: '',
description: 'Version du paquet à installer'
)
string(
name: 'packageRepository',
description: 'Dépôt de paquets à utiliser sur Vulcain'
)
string(
name: 'vmTemplate',
description: 'Template OpenNebula de la VM à utiliser pour le test d\'installation'
)
}
stages {
stage("Check parameters") {
steps {
script {
if (!params.url?.trim()) {
error("L'URL du paquet n'est pas définie !")
}
}
}
}
stage("Test URL") {
steps {
script {
def w3afImage = buildDockerImage()
def dockerArgs = """
"""
tamarinImage.inside(dockerArgs) {
sh './w3af_console '
}
}
}
}
}
post {
failure {
wrap([$class: 'BuildUser']) {
rocketSend (
avatar: 'https://jenkins.cadol.es/static/b5f67753/images/headshot.png',
message: """
Le test de sécurité sur l'URL `${params.url}` a échoué:
[Voir le job](${env.RUN_DISPLAY_URL})
@${env.BUILD_USER_ID ? env.BUILD_USER_ID : 'here'}
""".stripIndent(),
rawMessage: true
)
}
}
}
}
def buildDockerImage() {
dir ('.w3af') {
def dockerfile = libraryResource 'com/cadoles/w3af/Dockerfile'
writeFile file:'Dockerfile', text:dockerfile
def audit = libraryResource 'com/cadoles/w3af/audit.w3af'
writeFile file:'audit.w3af', text:audit
def safeJobName = URLDecoder.decode(env.JOB_NAME).toLowerCase().replace('/', '-').replace(' ', '-')
def imageTag = "${safeJobName}-${env.BUILD_ID}"
return docker.build("w3af:${imageTag}", ".")
}
}

View File

@ -2,7 +2,7 @@
# W3AF AUDIT SCRIPT FOR WEB APPLICATION # W3AF AUDIT SCRIPT FOR WEB APPLICATION
# ----------------------------------------------------------------------------------------------------------- # -----------------------------------------------------------------------------------------------------------
#Configure HTTP settings # Configure HTTP settings
http-settings http-settings
set timeout {{ default 10 .W3AF_TIMEOUT }} set timeout {{ default 10 .W3AF_TIMEOUT }}
{{ if .W3AF_BASIC_AUTH_USERNAME }} {{ if .W3AF_BASIC_AUTH_USERNAME }}
@ -14,7 +14,7 @@ set basic_auth_domain {{ .W3AF_BASIC_AUTH_DOMAIN }}
{{ end }} {{ end }}
back back
#Configure scanner global behaviors # Configure scanner global behaviors
misc-settings misc-settings
set max_discovery_time {{ default 10 .W3AF_MAX_DISCOVERY_TIME }} set max_discovery_time {{ default 10 .W3AF_MAX_DISCOVERY_TIME }}
set fuzz_cookies True set fuzz_cookies True
@ -29,8 +29,16 @@ back
plugins plugins
# Configure rfi plugin
audit rfi
audit config rfi
set listen_address "0.0.0.0"
set listen_port 44449
set use_w3af_site True
back
{{ if .W3AF_AUTH_FORM_URL }} {{ if .W3AF_AUTH_FORM_URL }}
#Configure target authentication # Configure target authentication
auth detailed auth detailed
auth config detailed auth config detailed
set username {{ .W3AF_AUTH_FORM_USERNAME }} set username {{ .W3AF_AUTH_FORM_USERNAME }}
@ -46,7 +54,7 @@ back
{{end}} {{end}}
#Configure reporting in order to generate an HTML report # Configure reporting in order to generate an HTML report
output console, html_file output console, html_file
output config html_file output config html_file
set output_file reports/report{{- if .W3AF_REPORT_SUFFIX -}}_{{- .W3AF_REPORT_SUFFIX -}}{{- end -}}.html set output_file reports/report{{- if .W3AF_REPORT_SUFFIX -}}_{{- .W3AF_REPORT_SUFFIX -}}{{- end -}}.html
@ -58,7 +66,7 @@ set verbose {{ default "False" .W3AF_VERBOSE }}
back back
back back
#Set target informations, do a cleanup and run the scan # Set target informations, do a cleanup and run the scan
target target
set target {{ .W3AF_TARGET_URL }} set target {{ .W3AF_TARGET_URL }}
set target_os {{ default "unix" .W3AF_TARGET_OS }} set target_os {{ default "unix" .W3AF_TARGET_OS }}

View File

@ -86,6 +86,7 @@ def call() {
-e W3AF_AUTH_FORM_USERNAME_FIELD='${params.authFormUsernameField}' -e W3AF_AUTH_FORM_USERNAME_FIELD='${params.authFormUsernameField}'
-e W3AF_AUTH_FORM_PASSWORD_FIELD='${params.authFormPasswordField}' -e W3AF_AUTH_FORM_PASSWORD_FIELD='${params.authFormPasswordField}'
""" """
w3afImage.inside(dockerArgs) { w3afImage.inside(dockerArgs) {
sh 'mkdir -p reports' sh 'mkdir -p reports'
sh 'rm -f reports/*' sh 'rm -f reports/*'
@ -95,6 +96,44 @@ def call() {
} }
} }
} }
stage("Check discovered vulnerabilities") {
steps {
script {
def totalMediumVulnerabilities = sh(
script: "grep 'MEDIUM' report.html | wc -l",
returnStdout: true
).toInteger()
def totalHighVulnerabilities = sh(
script: "grep 'HIGH' report.html | wc -l",
returnStdout: true
).toInteger()
if (totalHighVulnerabilities == 0 && totalMediumVulnerabilities == 0) {
return
}
wrap([$class: 'BuildUser']) {
rocketSend (
avatar: 'https://jenkins.cadol.es/static/b5f67753/images/headshot.png',
message: """
Des vulnérabilités ont é trouvées lors de l'audit de l'URL `${params.targetUrl}`:
- Criticité HAUTE: ${totalHighVulnerabilities} vulnérabilité(s) trouvée(s)
- Criticité MOYENNNE: ${totalMediumVulnerabilities} vulnérabilité(s) trouvée(s)
[Voir le job](${env.RUN_DISPLAY_URL})
@${env.BUILD_USER_ID ? env.BUILD_USER_ID : 'here'}
""".stripIndent(),
rawMessage: true
)
}
}
}
}
} }
post { post {
@ -108,21 +147,19 @@ def call() {
reportName: "Rapport d'audit" reportName: "Rapport d'audit"
] ]
} }
// failure { failure {
// wrap([$class: 'BuildUser']) { rocketSend (
// rocketSend ( avatar: 'https://jenkins.cadol.es/static/b5f67753/images/headshot.png',
// avatar: 'https://jenkins.cadol.es/static/b5f67753/images/headshot.png', message: """
// message: """ Le test de sécurité pour `${params.targetUrl}` a échoué:
// Le test de sécurité pour `${params.targetUrl}` a échoué:
// [Voir le job](${env.RUN_DISPLAY_URL}) [Voir le job](${env.RUN_DISPLAY_URL})
// @${env.BUILD_USER_ID ? env.BUILD_USER_ID : 'here'} @${env.BUILD_USER_ID ? env.BUILD_USER_ID : 'here'}
// """.stripIndent(), """.stripIndent(),
// rawMessage: true rawMessage: true
// ) )
// } }
// }
} }
} }