fixup! Web security audit base pipeline
This commit is contained in:
parent
5b57e78e9e
commit
f1a2ff3b0c
1
Makefile
1
Makefile
@ -15,6 +15,7 @@ interactive-w3af:
-e HTTPS_PROXY=$(HTTPS_PROXY) \
-e HTTPS_PROXY=$(HTTPS_PROXY) \
-e http_proxy=$(http_proxy) \
-e http_proxy=$(http_proxy) \
-e https_proxy=$(https_proxy) \
-e https_proxy=$(https_proxy) \
-v "$(PWD)/resources/com/cadoles/w3af/audit.w3af.tmpl:/home/w3af/w3af/audit.w3af.tmpl:ro" \
jenkins-w3af:latest \
jenkins-w3af:latest \
/bin/sh
/bin/sh
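Review bot: The new bind mount derives its host path from `$(PWD)`, which Make only inherits from the environment, so under `make -C some/dir` or from a shell that does not export PWD the mount source is stale or empty and docker will silently create an empty directory at `/home/w3af/w3af/audit.w3af.tmpl` inside the container instead of exposing the template; `$(CURDIR)` is the value Make maintains itself, i.e. `-v "$(CURDIR)/resources/com/cadoles/w3af/audit.w3af.tmpl:/home/w3af/w3af/audit.w3af.tmpl:ro" \`. Mounting the template `:ro` is the right choice. As far as this hunk shows, the interactive shell receives only the proxy variables and none of the `W3AF_*` values the template reads, so rendering it there yields an empty `set target` until those are exported. The `interactive-w3af` recipe begins before this hunk, so whether the target is declared `.PHONY` cannot be checked here.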
@ -1,3 +1,19 @@
FROM golang:1.11.4 as envtpl
ARG HTTP_PROXY=
ARG HTTPS_PROXY=
ARG http_proxy=
ARG https_proxy=
RUN apt-get update -y && apt-get install -y git
RUN git clone https://github.com/subfuzion/envtpl /src \
&& cd /src \
&& git checkout v1.0.0 \
&& CGO_ENABLED=0 GOOS=linux go build \
-ldflags "-X main.AppVersionMetadata=$(date -u +%s)" \
-a -installsuffix cgo -o ./bin/envtpl ./cmd/envtpl/.
FROM alpine:3.9
FROM alpine:3.9
ARG HTTP_PROXY=
ARG HTTP_PROXY=
@ -5,6 +21,8 @@ ARG HTTPS_PROXY=
ARG http_proxy=
ARG http_proxy=
ARG https_proxy=
ARG https_proxy=
COPY --from=envtpl /src/bin/envtpl /usr/local/bin/envtpl
RUN apk --no-cache add \
RUN apk --no-cache add \
build-base \
build-base \
git \
git \
@ -78,4 +96,6 @@ RUN git clone --depth=1 \
USER w3af
USER w3af
WORKDIR /home/w3af/w3af
WORKDIR /home/w3af/w3af
COPY audit.w3af.tmpl audit.w3af.tmpl
CMD ["./w3af_console"]
CMD ["./w3af_console"]
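Review bot: The `envtpl` builder stage fetches the tool with `git clone https://github.com/subfuzion/envtpl` and pins it only by `git checkout v1.0.0`; a tag is mutable, so the binary later copied in by `COPY --from=envtpl /src/bin/envtpl /usr/local/bin/envtpl` has no reproducible provenance and a moved or deleted tag would change what the scanner image runs. Resolve the tag to its commit hash once and check out that hash (or compare `git rev-parse HEAD` against the expected hash after the checkout) so the build fails loudly instead of silently picking up different code. The `-ldflags "-X main.AppVersionMetadata=$(date -u +%s)"` stamp makes every build of identical inputs a different binary, which defeats artifact comparison; drop it or pass a fixed value. `COPY audit.w3af.tmpl audit.w3af.tmpl` is placed after `USER w3af` but COPY still creates the file owned by root; with the default mode it remains readable by `w3af`, so this only matters if the file is expected to be writable by that user, in which case `COPY --chown=w3af:w3af` is needed. The builder's `apt-get install -y git` should carry `--no-install-recommends` to keep the build stage minimal.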
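--- a/audit.w3af
+++ /dev/null
@@ -1,65 +0,0 @@
-# -----------------------------------------------------------------------------------------------------------
-# W3AF AUDIT SCRIPT FOR WEB APPLICATION
-# -----------------------------------------------------------------------------------------------------------
-#Configure HTTP settings
-http-settings
-set timeout 30
-back
-#Configure scanner global behaviors
-misc-settings
-set max_discovery_time 20
-set fuzz_cookies True
-set fuzz_form_files True
-set fuzz_url_parts True
-set fuzz_url_filenames True
-back
-plugins
-#Configure entry point (CRAWLING) scanner
-crawl web_spider
-crawl config web_spider
-set only_forward False
-set ignore_regex (?i)(logout|disconnect|signout|exit)+
-back
-#Configure vulnerability scanners
-##Specify list of AUDIT plugins type to use
-audit blind_sqli, buffer_overflow, cors_origin, csrf, eval, file_upload, ldapi, lfi, os_commanding, phishing_vector, redos, response_splitting, sqli, xpath, xss, xst
-##Customize behavior of each audit plugin when needed
-audit config file_upload
-set extensions jsp,php,php2,php3,php4,php5,asp,aspx,pl,cfm,rb,py,sh,ksh,csh,bat,ps,exe
-back
-##Specify list of GREP plugins type to use (grep plugin is a type of plugin that can find also vulnerabilities or informations disclosure)
-grep analyze_cookies, click_jacking, code_disclosure, cross_domain_js, csp, directory_indexing, dom_xss, error_500, error_pages,
-html_comments, objects, path_disclosure, private_ip, strange_headers, strange_http_codes, strange_parameters, strange_reason, url_session, xss_protection_header
-##Specify list of INFRASTRUCTURE plugins type to use (infrastructure plugin is a type of plugin that can find informations disclosure)
-infrastructure server_header, server_status, domain_dot, dot_net_errors
-#Configure target authentication
-auth detailed
-auth config detailed
-set username admin
-set password password
-set method POST
-set auth_url http://pcdom/dvwa/login.php
-set username_field user
-set password_field pass
-set check_url http://pcdom/dvwa/index.php
-set check_string 'admin'
-set data_format username=%U&password=%P&Login=Login
-back
-#Configure reporting in order to generate an HTML report
-output console, html_file
-output config html_file
-set output_file /tmp/W3afReport.html
-set verbose False
-back
-output config console
-set verbose False
-back
-back
-#Set target informations, do a cleanup and run the scan
-target
-set target http://pcdom/dvwa
-set target_os windows
-set target_framework php
-back
-cleanup
-start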
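--- /dev/null
+++ b/audit.w3af.tmpl
@@ -0,0 +1,72 @@
+# -----------------------------------------------------------------------------------------------------------
+# W3AF AUDIT SCRIPT FOR WEB APPLICATION
+# -----------------------------------------------------------------------------------------------------------
+
+#Configure HTTP settings
+http-settings
+set timeout {{ default 10 .W3AF_TIMEOUT }}
+{{ if .W3AF_BASIC_AUTH_USERNAME }}
+set basic_auth_user {{ .W3AF_BASIC_AUTH_USERNAME }}
+set basic_auth_passwd {{ .W3AF_BASIC_AUTH_PASSWORD }}
+{{if .W3AF_BASIC_AUTH_DOMAIN }}
+set basic_auth_domain {{ .W3AF_BASIC_AUTH_DOMAIN }}
+{{end}}
+{{ end }}
+back
+
+#Configure scanner global behaviors
+misc-settings
+set max_discovery_time {{ default 10 .W3AF_MAX_DISCOVERY_TIME }}
+set fuzz_cookies True
+set fuzz_form_files True
+set fuzz_url_parts True
+set fuzz_url_filenames True
+back
+
+profiles
+use {{ default "audit_high_risk" .W3AF_PROFILE }}
+back
+
+plugins
+
+{{ if .W3AF_AUTH_FORM_URL }}
+#Configure target authentication
+auth detailed
+auth config detailed
+set username {{ .W3AF_AUTH_FORM_USERNAME }}
+set password {{ .W3AF_AUTH_FORM_PASSWORD }}
+set method POST
+set auth_url {{ .W3AF_AUTH_FORM_URL }}
+set username_field {{ default "username" .W3AF_AUTH_FORM_USERNAME_FIELD }}
+set password_field {{ default "password" .W3AF_AUTH_FORM_PASSWORD_FIELD }}
+set data_format {{ default "username=%U&password=%P" .W3AF_AUTH_FORM_DATA_FORMAT }}
+set check_url {{ .W3AF_AUTH_FORM_CHECK_URL }}
+set check_string '{{- default "connected" .W3AF_AUTH_FORM_CHECK_STRING -}}'
+back
+{{end}}
+
+
+#Configure reporting in order to generate an HTML report
+output console, html_file
+output config html_file
+set output_file reports/report{{- if .W3AF_REPORT_SUFFIX -}}_{{- .W3AF_REPORT_SUFFIX -}}{{- end -}}.html
+set verbose {{ default "False" .W3AF_VERBOSE }}
+back
+
+output config console
+set verbose {{ default "False" .W3AF_VERBOSE }}
+back
+back
+
+#Set target informations, do a cleanup and run the scan
+target
+set target {{ .W3AF_TARGET_URL }}
+set target_os {{ default "unix" .W3AF_TARGET_OS }}
+set target_framework {{ default "unknown" .W3AF_TARGET_FRAMEWORK }}
+back
+
+back
+
+cleanup
+start
+exit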
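Review bot: The `profiles` / `use {{ default "audit_high_risk" .W3AF_PROFILE }}` block is placed after `http-settings` and `misc-settings`; a w3af profile normally carries its own http-settings and misc-settings sections and loading it applies them, so the `timeout` and `max_discovery_time` set above are likely overwritten by the profile's values — confirm against the installed w3af and, if so, move the `profiles` block to the top of the script. The rendered `audit.w3af` holds `basic_auth_passwd` and the form `password` in clear text and is written into the scan workspace, so it must be deleted after `start` and never archived alongside the report. Inside `{{ if .W3AF_AUTH_FORM_URL }}` the line `set check_url {{ .W3AF_AUTH_FORM_CHECK_URL }}` is emitted even when that variable is empty, which produces a bare `set check_url`; guard it with `{{ if .W3AF_AUTH_FORM_CHECK_URL }}set check_url {{ .W3AF_AUTH_FORM_CHECK_URL }}{{ end }}` or treat a form URL without a check URL as a render error. All values are interpolated unquoted, so a password or check string containing whitespace will not reach w3af as one value; state that constraint in the header comment of the template.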
@ -8,8 +8,44 @@ def call() {
parameters {
parameters {
string(
string(
name: 'url',
name: 'targetUrl',
description: 'URL d\'entrée pour l\'audit'
description: 'URL cible pour l\'audit'
)
string(
name: 'basicAuthUsername',
description: "Nom d'utilisateur pour l'authentication 'Basic Auth' (si besoin)"
)
password(
name: 'basicAuthPassword',
description: "Mot de passe pour l'authentication 'Basic Auth' (si besoin)"
)
string(
name: 'basicAuthDomain',
description: "Nom de domaine pour l'authentication 'Basic Auth' (si besoin)"
)
string(
name: 'authFormUrl',
description: "URL du formulaire d'authentication (si besoin)"
)
string(
name: 'authFormUsername',
description: "Nom d'utilisateur du formulaire d'authentication (si besoin)"
)
password(
name: 'authFormPassword',
description: "Mot de passe du formulaire d'authentication (si besoin)"
)
string(
name: 'authFormCheckUrl',
description: "URL de vérification de la réussite de l'authentication (si besoin)"
)
string(
name: 'authFormCheckString',
description: "Chaine de caractères à rechercher pour vérifier la réussite de l'authentication (si besoin)"
)
string(
name: 'authFormDataFormat',
description: "Patron de formatage des données POST du formulaire d'authentification (si besoin). Exemple: username=%U&password=%P"
)
)
}
}
@ -19,7 +55,7 @@ def call() {
steps {
steps {
script {
script {
if (!params.url?.trim()) {
if (!params.url?.trim()) {
error("L'URL du paquet n'est pas définie !")
error("L'URL cible n'est pas définie !")
}
}
}
}
}
}
@ -30,22 +66,44 @@ def call() {
script {
script {
def w3afImage = buildDockerImage()
def w3afImage = buildDockerImage()
def dockerArgs = """
def dockerArgs = """
-e W3AF_TARGET='${params.targetUrl}'
-e W3AF_BASIC_AUTH_USERNAME='${params.basicAuthUsername}'
-e W3AF_BASIC_AUTH_PASSWORD='${params.basicAuthPassword}'
-e W3AF_BASIC_AUTH_DOMAIN='${params.basicAuthDomain}'
-e W3AF_AUTH_FORM_URL='${params.authFormUrl}'
-e W3AF_AUTH_FORM_USERNAME='${params.authFormUsername}'
-e W3AF_AUTH_FORM_PASSWORD='${params.authFormPassword}'
-e W3AF_AUTH_FORM_CHECK_URL='${params.authFormCheckUrl}'
-e W3AF_AUTH_FORM_CHECK_STRING='${params.authFormCheckString}'
-e W3AF_AUTH_FORM_DATA_FORMAT='${params.authFormDataFormat}'
"""
"""
w3afImage.inside(dockerArgs) {
w3afImage.inside(dockerArgs) {
sh './w3af_console '
sh 'mkdir reports'
sh 'envtpl -o audit.w3af audit.w3af.tmpl'
sh './w3af_console -y -n -s audit.w3af'
}
}
}
}
}
}
}
}
}
}
// post {
post {
// failure {
always {
publishHTML target: [
allowMissing: true,
alwaysLinkToLastBuild: false,
keepAll: true,
reportDir: 'reports',
reportFiles: 'report.html',
reportName: "Rapport d'audit"
]
}
failure {
// wrap([$class: 'BuildUser']) {
// wrap([$class: 'BuildUser']) {
// rocketSend (
// rocketSend (
// avatar: 'https://jenkins.cadol.es/static/b5f67753/images/headshot.png',
// avatar: 'https://jenkins.cadol.es/static/b5f67753/images/headshot.png',
// message: """
// message: """
// Le test de sécurité pour `${params.url}` a échoué:
// Le test de sécurité pour `${params.targetUrl}` a échoué:
// [Voir le job](${env.RUN_DISPLAY_URL})
// [Voir le job](${env.RUN_DISPLAY_URL})
@ -54,8 +112,8 @@ def call() {
// rawMessage: true
// rawMessage: true
// )
// )
// }
// }
// }
}
// }
}
}
}
}
}
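Review bot: The guard `if (!params.url?.trim())` in the second hunk still reads the old `url` parameter although the first hunk renames it to `targetUrl`, so `params.url` is always null and every build stops with "L'URL cible n'est pas définie !" before the scan starts; it needs `if (!params.targetUrl?.trim())`. In the `dockerArgs` hunk the target is exported as `W3AF_TARGET` while the template consumes `.W3AF_TARGET_URL`, so the rendered script gets an empty `set target`. That same hunk splices every parameter, including the two `password()` ones, into the `docker run` argument string inside single quotes: a value containing `'` or whitespace breaks out and becomes additional `docker run` options (an extra `-v` mount, for instance), and the argument string is echoed into the build log in clear text. Handing the values over with `withEnv` and a bare `inside {}` keeps them off the logged command line (docker-workflow forwards the build environment into the container; whether the installed plugin version masks those values in the printed command should be checked), and `mkdir reports` should be `mkdir -p reports` since a reused workspace already has the directory. The rendered `audit.w3af` still holds the passwords after the run, so remove it inside the container block.
```groovy
// … unchanged: def w3afImage = buildDockerImage() …
def scanEnv = [
    "W3AF_TARGET_URL=${params.targetUrl}",
    "W3AF_BASIC_AUTH_USERNAME=${params.basicAuthUsername}",
    "W3AF_BASIC_AUTH_PASSWORD=${params.basicAuthPassword}",
    "W3AF_BASIC_AUTH_DOMAIN=${params.basicAuthDomain}",
    "W3AF_AUTH_FORM_URL=${params.authFormUrl}",
    "W3AF_AUTH_FORM_USERNAME=${params.authFormUsername}",
    "W3AF_AUTH_FORM_PASSWORD=${params.authFormPassword}",
    "W3AF_AUTH_FORM_CHECK_URL=${params.authFormCheckUrl}",
    "W3AF_AUTH_FORM_CHECK_STRING=${params.authFormCheckString}",
    "W3AF_AUTH_FORM_DATA_FORMAT=${params.authFormDataFormat}",
]
withEnv(scanEnv) {
    w3afImage.inside {
        sh 'mkdir -p reports'
        sh 'envtpl -o audit.w3af audit.w3af.tmpl'
        try {
            sh './w3af_console -y -n -s audit.w3af'
        } finally {
            // the rendered script contains the clear-text credentials
            sh 'rm -f audit.w3af'
        }
    }
}
```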