fixup! Web security audit base pipeline

This commit is contained in:
wpetit 2019-04-15 20:50:20 +02:00
parent 5b57e78e9e
commit f1a2ff3b0c
6 changed files with 776 additions and 84 deletions

View File

@ -15,6 +15,7 @@ interactive-w3af:
-e HTTPS_PROXY=$(HTTPS_PROXY) \ -e HTTPS_PROXY=$(HTTPS_PROXY) \
-e http_proxy=$(http_proxy) \ -e http_proxy=$(http_proxy) \
-e https_proxy=$(https_proxy) \ -e https_proxy=$(https_proxy) \
-v "$(PWD)/resources/com/cadoles/w3af/audit.w3af.tmpl:/home/w3af/w3af/audit.w3af.tmpl:ro" \
jenkins-w3af:latest \ jenkins-w3af:latest \
/bin/sh /bin/sh

606
reports/report.html Normal file

File diff suppressed because one or more lines are too long

View File

@ -1,3 +1,19 @@
FROM golang:1.11.4 as envtpl
ARG HTTP_PROXY=
ARG HTTPS_PROXY=
ARG http_proxy=
ARG https_proxy=
RUN apt-get update -y && apt-get install -y git
RUN git clone https://github.com/subfuzion/envtpl /src \
&& cd /src \
&& git checkout v1.0.0 \
&& CGO_ENABLED=0 GOOS=linux go build \
-ldflags "-X main.AppVersionMetadata=$(date -u +%s)" \
-a -installsuffix cgo -o ./bin/envtpl ./cmd/envtpl/.
FROM alpine:3.9 FROM alpine:3.9
ARG HTTP_PROXY= ARG HTTP_PROXY=
@ -5,6 +21,8 @@ ARG HTTPS_PROXY=
ARG http_proxy= ARG http_proxy=
ARG https_proxy= ARG https_proxy=
COPY --from=envtpl /src/bin/envtpl /usr/local/bin/envtpl
RUN apk --no-cache add \ RUN apk --no-cache add \
build-base \ build-base \
git \ git \
@ -78,4 +96,6 @@ RUN git clone --depth=1 \
USER w3af USER w3af
WORKDIR /home/w3af/w3af WORKDIR /home/w3af/w3af
COPY audit.w3af.tmpl audit.w3af.tmpl
CMD ["./w3af_console"] CMD ["./w3af_console"]

View File

@ -1,65 +0,0 @@
# -----------------------------------------------------------------------------------------------------------
# W3AF AUDIT SCRIPT FOR WEB APPLICATION
# -----------------------------------------------------------------------------------------------------------
#Configure HTTP settings
http-settings
set timeout 30
back
#Configure scanner global behaviors
misc-settings
set max_discovery_time 20
set fuzz_cookies True
set fuzz_form_files True
set fuzz_url_parts True
set fuzz_url_filenames True
back
plugins
#Configure entry point (CRAWLING) scanner
crawl web_spider
crawl config web_spider
set only_forward False
set ignore_regex (?i)(logout|disconnect|signout|exit)+
back
#Configure vulnerability scanners
##Specify list of AUDIT plugins type to use
audit blind_sqli, buffer_overflow, cors_origin, csrf, eval, file_upload, ldapi, lfi, os_commanding, phishing_vector, redos, response_splitting, sqli, xpath, xss, xst
##Customize behavior of each audit plugin when needed
audit config file_upload
set extensions jsp,php,php2,php3,php4,php5,asp,aspx,pl,cfm,rb,py,sh,ksh,csh,bat,ps,exe
back
##Specify list of GREP plugins type to use (grep plugin is a type of plugin that can find also vulnerabilities or informations disclosure)
grep analyze_cookies, click_jacking, code_disclosure, cross_domain_js, csp, directory_indexing, dom_xss, error_500, error_pages,
html_comments, objects, path_disclosure, private_ip, strange_headers, strange_http_codes, strange_parameters, strange_reason, url_session, xss_protection_header
##Specify list of INFRASTRUCTURE plugins type to use (infrastructure plugin is a type of plugin that can find informations disclosure)
infrastructure server_header, server_status, domain_dot, dot_net_errors
#Configure target authentication
auth detailed
auth config detailed
set username admin
set password password
set method POST
set auth_url http://pcdom/dvwa/login.php
set username_field user
set password_field pass
set check_url http://pcdom/dvwa/index.php
set check_string 'admin'
set data_format username=%U&password=%P&Login=Login
back
#Configure reporting in order to generate an HTML report
output console, html_file
output config html_file
set output_file /tmp/W3afReport.html
set verbose False
back
output config console
set verbose False
back
back
#Set target informations, do a cleanup and run the scan
target
set target http://pcdom/dvwa
set target_os windows
set target_framework php
back
cleanup
start

View File

@ -0,0 +1,72 @@
# -----------------------------------------------------------------------------------------------------------
# W3AF AUDIT SCRIPT FOR WEB APPLICATION
# -----------------------------------------------------------------------------------------------------------
#Configure HTTP settings
http-settings
set timeout {{ default 10 .W3AF_TIMEOUT }}
{{ if .W3AF_BASIC_AUTH_USERNAME }}
set basic_auth_user {{ .W3AF_BASIC_AUTH_USERNAME }}
set basic_auth_passwd {{ .W3AF_BASIC_AUTH_PASSWORD }}
{{if .W3AF_BASIC_AUTH_DOMAIN }}
set basic_auth_domain {{ .W3AF_BASIC_AUTH_DOMAIN }}
{{end}}
{{ end }}
back
#Configure scanner global behaviors
misc-settings
set max_discovery_time {{ default 10 .W3AF_MAX_DISCOVERY_TIME }}
set fuzz_cookies True
set fuzz_form_files True
set fuzz_url_parts True
set fuzz_url_filenames True
back
profiles
use {{ default "audit_high_risk" .W3AF_PROFILE }}
back
plugins
{{ if .W3AF_AUTH_FORM_URL }}
#Configure target authentication
auth detailed
auth config detailed
set username {{ .W3AF_AUTH_FORM_USERNAME }}
set password {{ .W3AF_AUTH_FORM_PASSWORD }}
set method POST
set auth_url {{ .W3AF_AUTH_FORM_URL }}
set username_field {{ default "username" .W3AF_AUTH_FORM_USERNAME_FIELD }}
set password_field {{ default "password" .W3AF_AUTH_FORM_PASSWORD_FIELD }}
set data_format {{ default "username=%U&password=%P" .W3AF_AUTH_FORM_DATA_FORMAT }}
set check_url {{ .W3AF_AUTH_FORM_CHECK_URL }}
set check_string '{{- default "connected" .W3AF_AUTH_FORM_CHECK_STRING -}}'
back
{{end}}
#Configure reporting in order to generate an HTML report
output console, html_file
output config html_file
set output_file reports/report{{- if .W3AF_REPORT_SUFFIX -}}_{{- .W3AF_REPORT_SUFFIX -}}{{- end -}}.html
set verbose {{ default "False" .W3AF_VERBOSE }}
back
output config console
set verbose {{ default "False" .W3AF_VERBOSE }}
back
back
#Set target informations, do a cleanup and run the scan
target
set target {{ .W3AF_TARGET_URL }}
set target_os {{ default "unix" .W3AF_TARGET_OS }}
set target_framework {{ default "unknown" .W3AF_TARGET_FRAMEWORK }}
back
back
cleanup
start
exit

View File

@ -8,8 +8,44 @@ def call() {
parameters { parameters {
string( string(
name: 'url', name: 'targetUrl',
description: 'URL d\'entrée pour l\'audit' description: 'URL cible pour l\'audit'
)
string(
name: 'basicAuthUsername',
description: "Nom d'utilisateur pour l'authentication 'Basic Auth' (si besoin)"
)
password(
name: 'basicAuthPassword',
description: "Mot de passe pour l'authentication 'Basic Auth' (si besoin)"
)
string(
name: 'basicAuthDomain',
description: "Nom de domaine pour l'authentication 'Basic Auth' (si besoin)"
)
string(
name: 'authFormUrl',
description: "URL du formulaire d'authentication (si besoin)"
)
string(
name: 'authFormUsername',
description: "Nom d'utilisateur du formulaire d'authentication (si besoin)"
)
password(
name: 'authFormPassword',
description: "Mot de passe du formulaire d'authentication (si besoin)"
)
string(
name: 'authFormCheckUrl',
description: "URL de vérification de la réussite de l'authentication (si besoin)"
)
string(
name: 'authFormCheckString',
description: "Chaine de caractères à rechercher pour vérifier la réussite de l'authentication (si besoin)"
)
string(
name: 'authFormDataFormat',
description: "Patron de formatage des données POST du formulaire d'authentification (si besoin). Exemple: username=%U&password=%P"
) )
} }
@ -19,7 +55,7 @@ def call() {
steps { steps {
script { script {
if (!params.url?.trim()) { if (!params.url?.trim()) {
error("L'URL du paquet n'est pas définie !") error("L'URL cible n'est pas définie !")
} }
} }
} }
@ -30,22 +66,44 @@ def call() {
script { script {
def w3afImage = buildDockerImage() def w3afImage = buildDockerImage()
def dockerArgs = """ def dockerArgs = """
-e W3AF_TARGET='${params.targetUrl}'
-e W3AF_BASIC_AUTH_USERNAME='${params.basicAuthUsername}'
-e W3AF_BASIC_AUTH_PASSWORD='${params.basicAuthPassword}'
-e W3AF_BASIC_AUTH_DOMAIN='${params.basicAuthDomain}'
-e W3AF_AUTH_FORM_URL='${params.authFormUrl}'
-e W3AF_AUTH_FORM_USERNAME='${params.authFormUsername}'
-e W3AF_AUTH_FORM_PASSWORD='${params.authFormPassword}'
-e W3AF_AUTH_FORM_CHECK_URL='${params.authFormCheckUrl}'
-e W3AF_AUTH_FORM_CHECK_STRING='${params.authFormCheckString}'
-e W3AF_AUTH_FORM_DATA_FORMAT='${params.authFormDataFormat}'
""" """
w3afImage.inside(dockerArgs) { w3afImage.inside(dockerArgs) {
sh './w3af_console ' sh 'mkdir reports'
sh 'envtpl -o audit.w3af audit.w3af.tmpl'
sh './w3af_console -y -n -s audit.w3af'
} }
} }
} }
} }
} }
// post { post {
// failure { always {
publishHTML target: [
allowMissing: true,
alwaysLinkToLastBuild: false,
keepAll: true,
reportDir: 'reports',
reportFiles: 'report.html',
reportName: "Rapport d'audit"
]
}
failure {
// wrap([$class: 'BuildUser']) { // wrap([$class: 'BuildUser']) {
// rocketSend ( // rocketSend (
// avatar: 'https://jenkins.cadol.es/static/b5f67753/images/headshot.png', // avatar: 'https://jenkins.cadol.es/static/b5f67753/images/headshot.png',
// message: """ // message: """
// Le test de sécurité pour `${params.url}` a échoué: // Le test de sécurité pour `${params.targetUrl}` a échoué:
// [Voir le job](${env.RUN_DISPLAY_URL}) // [Voir le job](${env.RUN_DISPLAY_URL})
@ -54,8 +112,8 @@ def call() {
// rawMessage: true // rawMessage: true
// ) // )
// } // }
// } }
// } }
} }
} }