iriusrisk / bdd-security
BDD Automated Security Tests for Web Applications
Home Page: http://www.continuumsecurity.net/bdd-intro.html
License: GNU Affero General Public License v3.0
Hi Continuum Security,
I've recently been looking at integrating a Nessus scanner into our Continuous Integration system. BDD-Security seems to be a great fit to accomplish this goal. I'm having trouble getting the Nessus Scan feature to work. For some reason the test skips the following steps:
a nessus version 6 server at https://localhost:8834
the scanning policy named bdd-policy
no severity: 2 or higher issues should be present
Here's my Cucumber test report:
14:40:28.672 [DEBUG] [TestEventLogger] Gradle Test Executor 1 STARTED
14:40:28.674 [QUIET] [system.out]
14:40:28.674 [DEBUG] [org.gradle.api.internal.tasks.testing.junit.JUnitTestClassProcessor] Executing test class net.continuumsecurity.junit.SecurityTest
14:40:28.678 [DEBUG] [TestEventLogger]
14:40:28.678 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest STARTED
14:40:29.050 [DEBUG] [TestEventLogger]
14:40:29.051 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest STANDARD_OUT
14:40:29.051 [DEBUG] [TestEventLogger] @nessus_scan @skip
14:40:29.052 [DEBUG] [TestEventLogger] Feature: Nessus Scan
14:40:29.052 [DEBUG] [TestEventLogger] Scan the hosts for known security vulnerabilities
14:40:29.053 [DEBUG] [TestEventLogger]
14:40:29.053 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > Scenario: The host systems should not expose known security vulnerabilities.classMethod STARTED
14:40:29.163 [DEBUG] [TestEventLogger]
14:40:29.163 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > Scenario: The host systems should not expose known security vulnerabilities.Given a nessus API client that accepts all hostnames in SSL certificates STARTED
14:40:29.168 [DEBUG] [TestEventLogger]
14:40:29.169 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > Scenario: The host systems should not expose known security vulnerabilities.Given a nessus API client that accepts all hostnames in SSL certificates PASSED
14:40:29.172 [DEBUG] [TestEventLogger]
14:40:29.173 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > Scenario: The host systems should not expose known security vulnerabilities.And a nessus version 6 server at https://localhost:8834 STARTED
14:40:29.173 [DEBUG] [TestEventLogger]
14:40:29.173 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > Scenario: The host systems should not expose known security vulnerabilities.And a nessus version 6 server at https://localhost:8834 SKIPPED
14:40:29.173 [DEBUG] [TestEventLogger]
14:40:29.173 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > Scenario: The host systems should not expose known security vulnerabilities.And the scanning policy named bdd-policy STARTED
14:40:29.174 [DEBUG] [TestEventLogger]
14:40:29.174 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > Scenario: The host systems should not expose known security vulnerabilities.And the scanning policy named bdd-policy SKIPPED
14:40:29.174 [DEBUG] [TestEventLogger]
14:40:29.174 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > Scenario: The host systems should not expose known security vulnerabilities.And the target host names STARTED
14:40:29.175 [DEBUG] [TestEventLogger]
14:40:29.175 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > Scenario: The host systems should not expose known security vulnerabilities.And the target host names SKIPPED
14:40:29.177 [DEBUG] [TestEventLogger]
14:40:29.177 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > Scenario: The host systems should not expose known security vulnerabilities.When the scanner is run with scan name bddscan STARTED
14:40:29.177 [DEBUG] [TestEventLogger]
14:40:29.177 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > Scenario: The host systems should not expose known security vulnerabilities.When the scanner is run with scan name bddscan SKIPPED
14:40:29.178 [DEBUG] [TestEventLogger]
14:40:29.178 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > Scenario: The host systems should not expose known security vulnerabilities.And the list of issues is stored STARTED
14:40:29.179 [DEBUG] [TestEventLogger]
14:40:29.179 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > Scenario: The host systems should not expose known security vulnerabilities.And the list of issues is stored SKIPPED
14:40:29.179 [DEBUG] [TestEventLogger]
14:40:29.180 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > Scenario: The host systems should not expose known security vulnerabilities.And the following nessus false positive are removed STARTED
14:40:29.180 [DEBUG] [TestEventLogger]
14:40:29.180 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > Scenario: The host systems should not expose known security vulnerabilities.And the following nessus false positive are removed SKIPPED
14:40:29.180 [DEBUG] [TestEventLogger]
14:40:29.180 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > Scenario: The host systems should not expose known security vulnerabilities.Then no severity: 2 or higher issues should be present STARTED
14:40:29.181 [DEBUG] [TestEventLogger]
14:40:29.181 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > Scenario: The host systems should not expose known security vulnerabilities.Then no severity: 2 or higher issues should be present SKIPPED
This appears to be a regex problem in NessusScanningSteps.java:

```java
@Given("a nessus version $version server at $nessusUrl")
public void createNessusClient(int version, String url) {
    nessusUrl = url;
    nessusVersion = version;
    scanClient = ClientFactory.createScanClient(url, nessusVersion, ignoreHostNamesInSSLCert);
}
```
I have replicated this issue from a fresh copy of the bdd-security repository. Any idea how I can make this work?
Regards,
Rob
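The scenario in the report above ends with three steps: the issue list is stored, listed false positives are removed, and the build fails if any issue of severity 2 or higher remains. The following is an added example, not code from the bdd-security project, that models that gate over a constructed list of findings; the Finding structure, the plugin ids and the (plugin_id, host) false-positive convention are assumptions made for this illustration.

```python
"""Severity gate over Nessus-style findings.

Added example, not code from the bdd-security project: it models the scenario
steps "the list of issues is stored", "the following nessus false positives are
removed" and "no severity: 2 or higher issues should be present" over a
constructed list of findings. The Finding structure, the plugin ids and the
(plugin_id, host) false-positive convention are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Nessus severity scale: 0 info, 1 low, 2 medium, 3 high, 4 critical
SEVERITY_NAMES = {0: "info", 1: "low", 2: "medium", 3: "high", 4: "critical"}


@dataclass(frozen=True)
class Finding:
    host: str
    plugin_id: int   # constructed ids below, not real Nessus plugin numbers
    severity: int
    name: str


def remove_false_positives(findings: Iterable[Finding],
                           false_positives: Set[Tuple[int, str]]) -> List[Finding]:
    """Drop findings listed as known false positives.

    A false positive is identified by (plugin_id, host); the host "*" suppresses
    that plugin on every host. Keying on plugin id *and* host keeps a suppression
    from silently hiding the same plugin when it shows up on a new host.
    """
    def suppressed(f: Finding) -> bool:
        return ((f.plugin_id, f.host) in false_positives
                or (f.plugin_id, "*") in false_positives)

    return [f for f in findings if not suppressed(f)]


def severity_gate(findings: Iterable[Finding],
                  false_positives: Set[Tuple[int, str]],
                  min_severity: int = 2) -> Tuple[bool, List[Finding]]:
    """Return (passed, offending): passed is True when, after false-positive
    removal, no finding has severity >= min_severity. Offending findings are
    sorted highest severity first so the CI log leads with the worst item."""
    remaining = remove_false_positives(findings, false_positives)
    offending = sorted((f for f in remaining if f.severity >= min_severity),
                       key=lambda f: (-f.severity, f.host, f.plugin_id))
    return (len(offending) == 0, offending)


def describe(findings: Iterable[Finding]) -> List[str]:
    """Human-readable lines for a report or CI log."""
    return [f"{SEVERITY_NAMES.get(f.severity, f.severity)} {f.host} "
            f"plugin {f.plugin_id}: {f.name}" for f in findings]


# Constructed sample scan result (two hosts, one shared medium finding)
SAMPLE_FINDINGS = [
    Finding("10.0.0.5", 1001, 0, "Traceroute information"),
    Finding("10.0.0.5", 1002, 2, "Self-signed TLS certificate"),
    Finding("10.0.0.5", 1003, 3, "Deprecated TLS protocol enabled"),
    Finding("10.0.0.6", 1002, 2, "Self-signed TLS certificate"),
]

if __name__ == "__main__":
    passed, offending = severity_gate(SAMPLE_FINDINGS, {(1002, "*")})
    print("gate passed" if passed else "gate FAILED")
    for line in describe(offending):
        print("  ", line)
```

Suppressing by plugin id alone would be the easier convention, but it means a certificate finding accepted on one host also disappears when the same plugin fires on a host that was never reviewed; tying the suppression to a host keeps the gate honest as the target list grows.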
Remove dependency on Selenium
Without the slash at the end ZAP doesn't recognise the URL as being part of the http history. Investigate best way to fix.
Need a fast way to debug WebApplication methods and JBehave steps. Groovy console is too slow to startup and run.
Potential candidate: http://code.google.com/p/cliche/downloads/list
Replaced by nessus and zap specific tables.
Any idea why I am seeing this error?
net.continuumsecurity.proxy.ProxyException: org.zaproxy.clientapi.core.ClientApiException: java.net.ConnectException: Connection refused
at net.continuumsecurity.proxy.ZAProxyScanner.validateMinimumRequiredZapVersion(ZAProxyScanner.java:112)
at net.continuumsecurity.proxy.ZAProxyScanner.<init>(ZAProxyScanner.java:54)
at net.continuumsecurity.steps.AppScanningSteps.getScanner(AppScanningSteps.java:81)
at net.continuumsecurity.steps.AppScanningSteps.disableAllScanners(AppScanningSteps.java:76)
at ✽.And a scanner with all policies disabled(app_scan.feature:7)
Caused by: org.zaproxy.clientapi.core.ClientApiException: java.net.ConnectException: Connection refused
at org.zaproxy.clientapi.core.ClientApi.callApiDom(Unknown Source)
at org.zaproxy.clientapi.core.ClientApi.callApi(Unknown Source)
at org.zaproxy.clientapi.gen.Core.version(Unknown Source)
at net.continuumsecurity.proxy.ZAProxyScanner.validateMinimumRequiredZapVersion(ZAProxyScanner.java:101)
at net.continuumsecurity.proxy.ZAProxyScanner.<init>(ZAProxyScanner.java:54)
at net.continuumsecurity.steps.AppScanningSteps.getScanner(AppScanningSteps.java:81)
at net.continuumsecurity.steps.AppScanningSteps.disableAllScanners(AppScanningSteps.java:76)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at cucumber.runtime.Utils$1.call(Utils.java:37)
at cucumber.runtime.Timeout.timeout(Timeout.java:13)
at cucumber.runtime.Utils.invoke(Utils.java:31)
at cucumber.runtime.java.JavaStepDefinition.execute(JavaStepDefinition.java:38)
at cucumber.runtime.StepDefinitionMatch.runStep(StepDefinitionMatch.java:37)
at cucumber.runtime.Runtime.runStep(Runtime.java:299)
at cucumber.runtime.model.StepContainer.runStep(StepContainer.java:44)
at cucumber.runtime.model.StepContainer.runSteps(StepContainer.java:39)
at cucumber.runtime.model.CucumberScenario.runBackground(CucumberScenario.java:59)
at cucumber.runtime.model.CucumberScenario.run(CucumberScenario.java:42)
at cucumber.runtime.junit.ExecutionUnitRunner.run(ExecutionUnitRunner.java:91)
at cucumber.runtime.junit.FeatureRunner.runChild(FeatureRunner.java:63)
at cucumber.runtime.junit.FeatureRunner.runChild(FeatureRunner.java:18)
at org.junit.runners.ParentRunner$3.run(ParentRunner.java:238)
at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:63)
at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:236)
at org.junit.runners.ParentRunner.access$000(ParentRunner.java:53)
at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:229)
at org.junit.runners.ParentRunner.run(ParentRunner.java:309)
at cucumber.runtime.junit.FeatureRunner.run(FeatureRunner.java:70)
at cucumber.api.junit.Cucumber.runChild(Cucumber.java:93)
at cucumber.api.junit.Cucumber.runChild(Cucumber.java:37)
at org.junit.runners.ParentRunner$3.run(ParentRunner.java:238)
at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:63)
at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:236)
at org.junit.runners.ParentRunner.access$000(ParentRunner.java:53)
at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:229)
at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
at org.junit.runners.ParentRunner.run(ParentRunner.java:309)
at cucumber.api.junit.Cucumber.run(Cucumber.java:98)
at org.gradle.api.internal.tasks.testing.junit.JUnitTestClassExecuter.runTestClass(JUnitTestClassExecuter.java:105)
at org.gradle.api.internal.tasks.testing.junit.JUnitTestClassExecuter.execute(JUnitTestClassExecuter.java:56)
at org.gradle.api.internal.tasks.testing.junit.JUnitTestClassProcessor.processTestClass(JUnitTestClassProcessor.java:64)
at org.gradle.api.internal.tasks.testing.SuiteTestClassProcessor.processTestClass(SuiteTestClassProcessor.java:50)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.gradle.messaging.dispatch.ReflectionDispatch.dispatch(ReflectionDispatch.java:35)
at org.gradle.messaging.dispatch.ReflectionDispatch.dispatch(ReflectionDispatch.java:24)
at org.gradle.messaging.dispatch.ContextClassLoaderDispatch.dispatch(ContextClassLoaderDispatch.java:32)
at org.gradle.messaging.dispatch.ProxyDispatchAdapter$DispatchingInvocationHandler.invoke(ProxyDispatchAdapter.java:93)
at com.sun.proxy.$Proxy2.processTestClass(Unknown Source)
at org.gradle.api.internal.tasks.testing.worker.TestWorker.processTestClass(TestWorker.java:106)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.gradle.messaging.dispatch.ReflectionDispatch.dispatch(ReflectionDispatch.java:35)
at org.gradle.messaging.dispatch.ReflectionDispatch.dispatch(ReflectionDispatch.java:24)
at org.gradle.messaging.remote.internal.hub.MessageHub$Handler.run(MessageHub.java:360)
at org.gradle.internal.concurrent.ExecutorPolicy$CatchAndRecordFailures.onExecute(ExecutorPolicy.java:54)
at org.gradle.internal.concurrent.StoppableExecutorImpl$1.run(StoppableExecutorImpl.java:40)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.net.ConnectException: Connection refused
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.Socket.connect(Socket.java:589)
at java.net.Socket.connect(Socket.java:538)
at sun.net.NetworkClient.doConnect(NetworkClient.java:180)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:432)
at sun.net.www.http.HttpClient$1.run(HttpClient.java:484)
at sun.net.www.http.HttpClient$1.run(HttpClient.java:482)
at java.security.AccessController.doPrivileged(Native Method)
at sun.net.www.http.HttpClient.privilegedOpenServer(HttpClient.java:481)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:522)
at sun.net.www.http.HttpClient.<init>(HttpClient.java:211)
at sun.net.www.http.HttpClient.New(HttpClient.java:308)
at sun.net.www.http.HttpClient.New(HttpClient.java:326)
at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:1169)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1148)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:999)
at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:933)
at org.zaproxy.clientapi.core.ClientApi.getConnectionInputStream(Unknown Source)
... 67 more
Add a section to the existing config.xml file so that arbitrary ZAP config options can be passed through.
I have been trying to test a server that supports 2-way SSL with BDD-Security, but it keeps throwing exceptions on each run. Is there a way to specify a custom CA root cert with BDD-Security?
@continuumsecurity
Http_header kept failing even though my application has all security headers configured.
java.lang.RuntimeException: No HTTP requests-responses recorded
at net.continuumsecurity.steps.WebApplicationSteps.recordFirstHarEntry(WebApplicationSteps.java:513)
at net.continuumsecurity.steps.WebApplicationSteps.accessSecureBaseUrlAndRecordHTTPResponse(WebApplicationSteps.java:543)
at ✽.When the following URLs are visited and their HTTP responses recorded(http_headers.feature:7)
Given a new browser or client instance......................................passed
When the following URLs are visited and their HTTP responses recorded.......failed
Then the X-Frame-Options header is either SAMEORIGIN or DENY................skipped
Caused by: groovy.lang.MissingMethodException: No signature of method: java.lang.Boolean.minus() is applicable for argument types: (java.lang.Boolean) values: [false]
Possible solutions: find(), is(java.lang.Object), and(java.lang.Boolean), find(groovy.lang.Closure), any(), implies(java.lang.Boolean)
at org.codehaus.groovy.runtime.ScriptBytecodeAdapter.unwrap(ScriptBytecodeAdapter.java:55)
at org.codehaus.groovy.runtime.callsite.PojoMetaClassSite.call(PojoMetaClassSite.java:46)
at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:42)
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:108)
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:116)
at GroovyMatcher.match(script14387644395361717978511.groovy:4)
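The http_headers scenario above fails at the recording step rather than at the header assertion: with nothing recorded there is nothing to check, and a check that passed in that state would be vacuous. The following is an added example, not code from the bdd-security project, showing the X-Frame-Options check over recorded responses with that failure mode made explicit; the HAR-style entry layout and the sample entries are constructed.

```python
"""Check recorded HTTP responses for the X-Frame-Options header.

Added example, not code from the bdd-security project: it models the steps
"When the following URLs are visited and their HTTP responses recorded" and
"Then the X-Frame-Options header is either SAMEORIGIN or DENY", and makes the
failure mode from the issue above explicit: when the proxy recorded no
request/response pairs at all, the check raises instead of passing vacuously.
The HAR-style entry layout and the sample entries are constructed.
"""
from typing import Dict, List, Optional, Tuple

ACCEPTED_XFO = ("SAMEORIGIN", "DENY")


class NoResponsesRecorded(Exception):
    """Raised when there is nothing to check: a passing result would be meaningless."""


def header_value(entry: Dict, name: str) -> Optional[str]:
    """HAR keeps headers as a list of {name, value}; header names are case-insensitive."""
    for h in entry["response"]["headers"]:
        if h["name"].lower() == name.lower():
            return h["value"].strip()
    return None


def check_x_frame_options(entries: List[Dict]) -> List[Tuple[str, str]]:
    """Return (url, problem) for every response whose X-Frame-Options header is
    missing or not one of the accepted values. An empty list means the check passed."""
    if not entries:
        raise NoResponsesRecorded("No HTTP requests-responses recorded")
    problems = []
    for entry in entries:
        url = entry["request"]["url"]
        value = header_value(entry, "X-Frame-Options")
        if value is None:
            problems.append((url, "header missing"))
        elif value.upper() not in ACCEPTED_XFO:
            problems.append((url, f"unexpected value {value!r}"))
    return problems


def _entry(url: str, headers: Dict[str, str]) -> Dict:
    # Build a minimal HAR-like entry (constructed shape, only the fields used here)
    return {"request": {"url": url},
            "response": {"headers": [{"name": k, "value": v} for k, v in headers.items()]}}


# Constructed recorded traffic: one good response, one missing header, one weak value
SAMPLE_ENTRIES = [
    _entry("https://app.example/", {"x-frame-options": "sameorigin", "Content-Type": "text/html"}),
    _entry("https://app.example/login", {"Content-Type": "text/html"}),
    _entry("https://app.example/embed", {"X-Frame-Options": "ALLOW-FROM https://partner.example"}),
]

if __name__ == "__main__":
    for url, problem in check_x_frame_options(SAMPLE_ENTRIES):
        print(f"{url}: {problem}")
```

The header comparison is case-insensitive on both the name and the value because proxies and servers differ in what they emit; the value check is a strict allow-list, so variants such as ALLOW-FROM are reported rather than silently accepted.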
Hello!
After listening to the great talk at AppSec 2014 I tried the Getting Started guide. Unfortunately I ran into an error (see stacktrace below).
Copying the current ropeytasks-0.1.war from iriusrisk/RopeyTasks@fe72509 did not solve the problem.
I could fix this by building my own version of RopeyTasks and replacing the existing one.
Stacktrace of the error:
➜ bdd-security git:(develop) ant demo.run
Buildfile: .../bdd-security/build.xml
demo.run:
ropey.run:
[java] 2014-08-08 05:44:27.458:INFO:omjr.Runner:Runner
[java] 2014-08-08 05:44:27.458:WARN:omjr.Runner:No tx manager found
[java] 2014-08-08 05:44:27.533:INFO:omjr.Runner:Deploying file:.../bdd-security/src/test/resources/ropeytasks-0.1.war @ /
[java] 2014-08-08 05:44:27.565:INFO:oejs.Server:jetty-8.y.z-SNAPSHOT
[java] 2014-08-08 05:44:27.628:INFO:oejw.WebInfConfiguration:Extract jar:file:.../bdd-security/src/test/resources/ropeytasks-0.1.war!/ to /private/var/folders/ch/rdgfdhv54wqdhkmr5jvxhnjw0000gp/T/jetty-0.0.0.0-9090-ropeytasks-0.1.war-_-any-/webapp
[java] 2014-08-08 05:44:30.536:INFO:oejpw.PlusConfiguration:No Transaction manager found - if your webapp requires one, please configure one.
[java] 2014-08-08 05:44:35.463:INFO:/:No Spring WebApplicationInitializer types detected on classpath
[java] 2014-08-08 05:44:37.215:INFO:/:Initializing Spring root WebApplicationContext
[java] 2014-08-08 05:44:39,034 [main] ERROR context.ContextLoader - Context initialization failed
[java] org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'pluginManager' defined in ServletContext resource [/WEB-INF/applicationContext.xml]: Invocation of init method failed; nested exception is java.lang.NullPointerException: Cannot invoke method getAt() on null object
[java] at org.eclipse.jetty.server.handler.ContextHandler.callContextInitialized(ContextHandler.java:782)
[java] at org.eclipse.jetty.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:424)
[java] at org.eclipse.jetty.server.handler.ContextHandler.startContext(ContextHandler.java:774)
[java] 2014-08-08 05:44:39.047:WARN:oejw.WebAppContext:Failed startup of context o.e.j.w.WebAppContext{/,file:/private/var/folders/ch/rdgfdhv54wqdhkmr5jvxhnjw0000gp/T/jetty-0.0.0.0-9090-ropeytasks-0.1.war-_-any-/webapp/},file:.../bdd-security/src/test/resources/ropeytasks-0.1.war
[java] org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'pluginManager' defined in ServletContext resource [/WEB-INF/applicationContext.xml]: Invocation of init method failed; nested exception is java.lang.NullPointerException: Cannot invoke method getAt() on null object
[java] at org.eclipse.jetty.server.handler.ContextHandler.callContextInitialized(ContextHandler.java:782)
[java] at org.eclipse.jetty.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:424)
[java] at org.eclipse.jetty.server.handler.ContextHandler.startContext(ContextHandler.java:774)
[java] at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:249)
[java] at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1242)
[java] at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:717)
[java] at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:494)
[java] at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
[java] at org.eclipse.jetty.server.handler.HandlerCollection.doStart(HandlerCollection.java:229)
[java] at org.eclipse.jetty.server.handler.ContextHandlerCollection.doStart(ContextHandlerCollection.java:172)
[java] at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
[java] at org.eclipse.jetty.server.handler.HandlerCollection.doStart(HandlerCollection.java:229)
[java] at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
[java] at org.eclipse.jetty.server.handler.HandlerWrapper.doStart(HandlerWrapper.java:95)
[java] at org.eclipse.jetty.server.Server.doStart(Server.java:282)
[java] at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
[java] Caused by:
[java] java.lang.NullPointerException: Cannot invoke method getAt() on null object
[java] at org.eclipse.jetty.server.handler.ContextHandler.callContextInitialized(ContextHandler.java:782)
[java] at org.eclipse.jetty.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:424)
[java] at org.eclipse.jetty.server.handler.ContextHandler.startContext(ContextHandler.java:774)
[java] at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:249)
[java] at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1242)
[java] at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:717)
[java] at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:249)
[java] at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1242)
[java] at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:717)
[java] at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:494)
[java] at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
[java] at org.eclipse.jetty.server.handler.HandlerCollection.doStart(HandlerCollection.java:229)
[java] at org.eclipse.jetty.server.handler.ContextHandlerCollection.doStart(ContextHandlerCollection.java:172)
[java] at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
[java] at org.eclipse.jetty.server.handler.HandlerCollection.doStart(HandlerCollection.java:229)
[java] at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
[java] at org.eclipse.jetty.server.handler.HandlerWrapper.doStart(HandlerWrapper.java:95)
[java] at org.eclipse.jetty.server.Server.doStart(Server.java:282)
[java] at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
[java] 2014-08-08 05:44:39.048:WARN:oejsh.RequestLogHandler:!RequestLog
[java] at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:494)
[java] at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
[java] at org.eclipse.jetty.server.handler.HandlerCollection.doStart(HandlerCollection.java:229)
[java] at org.eclipse.jetty.server.handler.ContextHandlerCollection.doStart(ContextHandlerCollection.java:172)
[java] at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
[java] at org.eclipse.jetty.server.handler.HandlerCollection.doStart(HandlerCollection.java:229)
[java] at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
[java] at org.eclipse.jetty.server.handler.HandlerWrapper.doStart(HandlerWrapper.java:95)
[java] at org.eclipse.jetty.server.Server.doStart(Server.java:282)
[java] at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
[java] Caused by: java.lang.NullPointerException: Cannot invoke method getAt() on null object
[java] ... 16 more
[java] 2014-08-08 05:44:39,038 [main] ERROR context.GrailsContextLoader - Error initializing the application: Error creating bean with name 'pluginManager' defined in ServletContext resource [/WEB-INF/applicationContext.xml]: Invocation of init method failed; nested exception is java.lang.NullPointerException: Cannot invoke method getAt() on null object
[java] org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'pluginManager' defined in ServletContext resource [/WEB-INF/applicationContext.xml]: Invocation of init method failed; nested exception is java.lang.NullPointerException: Cannot invoke method getAt() on null object
[java] at org.eclipse.jetty.server.handler.ContextHandler.callContextInitialized(ContextHandler.java:782)
[java] at org.eclipse.jetty.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:424)
[java] at org.eclipse.jetty.server.handler.ContextHandler.startContext(ContextHandler.java:774)
[java] at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:249)
[java] at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1242)
[java] at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:717)
[java] at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:494)
[java] at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
[java] at org.eclipse.jetty.server.handler.HandlerCollection.doStart(HandlerCollection.java:229)
[java] at org.eclipse.jetty.server.handler.ContextHandlerCollection.doStart(ContextHandlerCollection.java:172)
[java] at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
[java] at org.eclipse.jetty.server.handler.HandlerCollection.doStart(HandlerCollection.java:229)
[java] at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
[java] at org.eclipse.jetty.server.handler.HandlerWrapper.doStart(HandlerWrapper.java:95)
[java] at org.eclipse.jetty.server.Server.doStart(Server.java:282)
[java] at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
[java] Caused by: java.lang.NullPointerException: Cannot invoke method getAt() on null object
[java] ... 16 more
[java] 2014-08-08 05:44:39,040 [main] ERROR context.GrailsContextLoader - Error initializing Grails: Error creating bean with name 'pluginManager' defined in ServletContext resource [/WEB-INF/applicationContext.xml]: Invocation of init method failed; nested exception is java.lang.NullPointerException: Cannot invoke method getAt() on null object
[java] org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'pluginManager' defined in ServletContext resource [/WEB-INF/applicationContext.xml]: Invocation of init method failed; nested exception is java.lang.NullPointerException: Cannot invoke method getAt() on null object
[java] at org.eclipse.jetty.server.handler.ContextHandler.callContextInitialized(ContextHandler.java:782)
[java] at org.eclipse.jetty.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:424)
[java] at org.eclipse.jetty.server.handler.ContextHandler.startContext(ContextHandler.java:774)
[java] at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:249)
[java] at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1242)
[java] at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:717)
[java] at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:494)
[java] at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
[java] at org.eclipse.jetty.server.handler.HandlerCollection.doStart(HandlerCollection.java:229)
[java] at org.eclipse.jetty.server.handler.ContextHandlerCollection.doStart(ContextHandlerCollection.java:172)
[java] at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
[java] at org.eclipse.jetty.server.handler.HandlerCollection.doStart(HandlerCollection.java:229)
[java] at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
[java] at org.eclipse.jetty.server.handler.HandlerWrapper.doStart(HandlerWrapper.java:95)
[java] at org.eclipse.jetty.server.Server.doStart(Server.java:282)
[java] at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
[java] Caused by: java.lang.NullPointerException: Cannot invoke method getAt() on null object
[java] ... 16 more
[java] 2014-08-08 05:44:39.157:INFO:oejs.AbstractConnector:Started [email protected]:9090
clean:
makedir:
[mkdir] Created dir: .../bdd-security/target/classes
compile:
^C%
@continuumsecurity
I got an error while performing ant resolve in build.xml:208:
/var/lib/jenkins/workspace/bdd-sec-lamin-test/lib/ivy not found
@continuumsecurity, I think the following need to be removed as well
```java
case "source-code-disclosure":
    scannerIds = "42,10045,20017";
    break;
case "shell-shock":
    scannerIds = "10048";
    break;
case "remote-code-execution":
    scannerIds = "20018";
    break;
case "ldap-injection":
    scannerIds = "40015";
    break;
case "xpath-injection":
    scannerIds = "90021";
    break;
case "xml-external-entity":
    scannerIds = "90023";
    break;
case "padding-oracle":
    scannerIds = "90024";
    break;
case "el-injection":
    scannerIds = "90025";
    break;
case "insecure-http-methods":
    scannerIds = "90028";
    break;
case "parameter-pollution":
    scannerIds = "20014";
```
@continuumsecurity
Following our conversation a few months ago, I came up with a script for scanning multiple stories at one time. However, we will need to tweak three main files: config.java, StoryRunner.java, and BaseStoryRunner.java. I think it will be easier for you to make those changes because you built this framework. Please let me know your thoughts.
```bash
#!/bin/sh
export ANT_OPTS=-Xmx500m
# Expect a config file, a login flag and at least one story
if [ $# -lt 3 ]
then
    echo "Usage: runApp <CustomConfig.xml> <LoginFlag> story1 story2 ...."
    exit 1
fi
cfg=$1
lfg=$2
# Everything after the first two arguments is a story name
numberOfStorie=$(expr $# - 2)
echo "About to run $numberOfStorie stories with customConfig: $1 and LoginFlag: $2"
shift
shift
for str in "$@"
do
    echo "Running Story - $str with $cfg and Login $lfg"
    ant test -Dargs="$cfg $lfg -story $str"
done
```
Is there any plan to update ZAP 2.4.0 to the latest version, 2.4.1, which took care of many bugs?
Hey Stephen,
As you know, I've been taking a closer look at BDD-Security recently and am loving it.
After getting the authentication and some other features to work well, I've been playing around with the authorisation feature and have problems getting it to work.
A clip from the Cucumber pretty test report looks like this.
For some reason it skips:
14:22:02.159 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > | viewJacksInfo | [email protected] | yankeessuck | Jack Mannin |.And the login page STARTED
14:22:02.163 [DEBUG] [TestEventLogger]
14:22:02.163 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > | viewJacksInfo | [email protected] | yankeessuck | Jack Mannin |.And the login page PASSED
14:22:02.168 [DEBUG] [TestEventLogger]
14:22:02.168 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > | viewJacksInfo | [email protected] | yankeessuck | Jack Mannin |.And the username [email protected] STARTED
14:22:02.169 [DEBUG] [TestEventLogger]
14:22:02.169 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > | viewJacksInfo | [email protected] | yankeessuck | Jack Mannin |.And the username [email protected] SKIPPED
14:22:02.171 [DEBUG] [TestEventLogger]
14:22:02.171 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > | viewJacksInfo | [email protected] | yankeessuck | Jack Mannin |.And the password yankeessuck STARTED
14:22:02.176 [DEBUG] [TestEventLogger]
14:22:02.176 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > | viewJacksInfo | [email protected] | yankeessuck | Jack Mannin |.And the password yankeessuck SKIPPED
14:22:02.180 [DEBUG] [TestEventLogger]
14:22:02.180 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > | viewJacksInfo | [email protected] | yankeessuck | Jack Mannin |.When the user logs in STARTED
14:22:02.181 [DEBUG] [TestEventLogger]
14:22:02.181 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > | viewJacksInfo | [email protected] | yankeessuck | Jack Mannin |.When the user logs in SKIPPED
The authorisation.feature file can be seen below. I'm testing BDD-Security on RailsGoat currently.
authorisation.feature.feature.txt
Finally, my current RailsGoatApplication.java file is attached below:
RailsGoatApplication.java.txt
Looking at the line `And the username`, it doesn't seem to have a corresponding WebApplicationSteps.java mapping. There is one for @Given but not for @And. I've even tried mixing and matching the keywords, but without success.

```java
@Given("^the username (\\s+)$")
public void setUsernameFromExamples(String username) {
    World.getInstance().getUserPassCredentials().setUsername(username);
}
```
Any idea what needs to be done to make it work?
Thanks,
Stefan
I am still testing these new functionalities, and today I was testing excluding some URLs, but I got some errors. So my question is: what is the correct format for the excluded URLs? It is complaining about the regex on line 110 in AppScanSteps.java.
113143 [ZAP-ProxyThread-108] WARN org.zaproxy.zap.extension.api.API - handleApiRequest error: Bad Format (bad_format) : regex
Bad Format (bad_format) : regex
at org.zaproxy.zap.extension.spider.SpiderAPI.handleApiAction(Unknown Source)
at org.zaproxy.zap.extension.api.API.handleApiRequest(Unknown Source)
at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(Unknown Source)
at org.parosproxy.paros.core.proxy.ProxyThread.run(Unknown Source)
at java.lang.Thread.run(Thread.java:745)
[java] org.zaproxy.clientapi.core.ClientApiException: Bad Format (bad_format) : regex
[java] at org.zaproxy.clientapi.core.ApiResponseFactory.getResponse(Unknown Source)
[java] at org.zaproxy.clientapi.core.ClientApi.callApi(Unknown Source)
[java] at org.zaproxy.clientapi.gen.Spider.excludeFromScan(Unknown Source)
[java] at net.continuumsecurity.proxy.ZAProxyScanner.excludeFromSpider(ZAProxyScanner.java:303)
[java] at net.continuumsecurity.steps.AppScanningSteps.setExcludedRegex(AppScanningSteps.java:110)
[java] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[java] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
[java] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[java] at java.lang.reflect.Method.invoke(Method.java:606)
[java] at org.jbehave.core.steps.StepCreator$ParameterisedStep.perform(StepCreator.java:569)
[java] at org.jbehave.core.embedder.StoryRunner$FineSoFar.run(StoryRunner.java:533)
[java] at org.jbehave.core.embedder.StoryRunner.runStepsWhileKeepingState(StoryRunner.java:513)
[java] at org.jbehave.core.embedder.StoryRunner.runScenarioSteps(StoryRunner.java:477)
[java] at org.jbehave.core.embedder.StoryRunner.runCancellable(StoryRunner.java:308)
[java] at org.jbehave.core.embedder.StoryRunner.run(StoryRunner.java:220)
[java] at org.jbehave.core.embedder.StoryRunner.runGivenStories(StoryRunner.java:393)
[java] at org.jbehave.core.embedder.StoryRunner.runCancellable(StoryRunner.java:272)
[java] at org.jbehave.core.embedder.StoryRunner.run(StoryRunner.java:220)
[java] And the URL regular expressions listed in the file:
[java] |tables/exclude_urls.table|
[java] are excluded from the spider (FAILED)
I am getting an "invalid port number" error after running id xss_scan in app_scan.story. The following is a snapshot of my terminal:
[java] 18:22:45,636 DEBUG [net.continuumsecurity.steps.AppScanningSteps] - Scan is 0% complete.
[java] 18:22:47,645 DEBUG [net.continuumsecurity.steps.AppScanningSteps] - Scan is 0% complete.
[java] 67790 [ZAP-ActiveScanner-1] ERROR org.zaproxy.zap.extension.ascanrules.TestCrossSiteScriptV2 - invalid port number
[java] org.apache.commons.httpclient.URIException: invalid port number
[java] at org.apache.commons.httpclient.URI.parseAuthority(URI.java:2248)
[java] at org.apache.commons.httpclient.URI.parseUriReference(URI.java:1978)
[java] at org.apache.commons.httpclient.URI.(URI.java:167)
[java] at org.apache.commons.httpclient.URI.(URI.java:455)
[java] at org.parosproxy.paros.network.HttpSender.sendAndReceive(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(Unknown Source)
[java] at org.zaproxy.zap.extension.ascanrules.TestCrossSiteScriptV2.scan(TestCrossSiteScriptV2.java:127)
[java] at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scan(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scanVariant(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scan(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractPlugin.run(Unknown Source)
[java] at java.lang.Thread.run(Thread.java:745)
Please mention how to resolve this.
@continuumsecurity
I know ZAP has a fuzzing functionality on the UI (fuzzer) but I cannot see it on the API. So I was thinking about including a fuzzing tool such as wfuzz. Your thoughts?
Please apply the update in order to fix this issue. See link: zaproxy/zaproxy#2745
Lately I noticed the following error when bdd-security is running, especially against a huge app/site:
10802624 [ZAP-ActiveScanner-1] WARN org.zaproxy.zap.extension.ascanrules.TestPathTraversal - Error scanning parameters for Path Traversal: Read timed out
[java] java.net.SocketTimeoutException: Read timed out
[java] at java.net.SocketInputStream.socketRead0(Native Method)
[java] at java.net.SocketInputStream.read(SocketInputStream.java:152)
[java] at java.net.SocketInputStream.read(SocketInputStream.java:122)
[java] at java.io.BufferedInputStream.fill(BufferedInputStream.java:235)
[java] at java.io.BufferedInputStream.read(BufferedInputStream.java:254)
[java] at org.apache.commons.httpclient.HttpParser.readRawLine(HttpParser.java:78)
[java] at org.apache.commons.httpclient.HttpParser.readLine(HttpParser.java:106)
[java] at org.apache.commons.httpclient.HttpConnection.readLine(HttpConnection.java:1116)
[java] at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.readLine(MultiThreadedHttpConnectionManager.java:1413)
[java] at org.apache.commons.httpclient.HttpMethodBase.readStatusLine(Unknown Source)
[java] at org.zaproxy.zap.ZapGetMethod.readResponse(Unknown Source)
[java] at org.apache.commons.httpclient.HttpMethodBase.execute(Unknown Source)
[java] at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(Unknown Source)
[java] at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(Unknown Source)
[java] at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
[java] at org.parosproxy.paros.network.HttpSender.executeMethod(Unknown Source)
[java] at org.parosproxy.paros.network.HttpSender.runMethod(Unknown Source)
[java] at org.parosproxy.paros.network.HttpSender.send(Unknown Source)
[java] at org.parosproxy.paros.network.HttpSender.sendAuthenticated(Unknown Source)
[java] at org.parosproxy.paros.network.HttpSender.sendAndReceive(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(Unknown Source)
[java] at org.zaproxy.zap.extension.ascanrules.TestPathTraversal.scan(TestPathTraversal.java:323)
[java] at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scan(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scanVariant(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scan(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractPlugin.run(Unknown Source)
[java] at java.lang.Thread.run(Thread.java:745)
@continuumsecurity, I am testing junit.run for your latest fix, but it keeps hanging at the following point:
junit] Running net.continuumsecurity.jbehave.JUnitStoryRunner
@continuumsecurity
Nessus_scan story is missing:
And the nessus username blablah and the password blablah
Hello, I changed the baseUrl to access my application, http://localhost://Forum/, and then tried to run basic ZAP scanning with the command below:
./runstory.sh app_scan
but an error is shown in the jBehave report:
Scenario: Navigate and spider the application and find vulnerabilities through passive scanning
Meta:
@pre navigate
Given a new browser or client instance
And a new scanning session
And the passive scanner is enabled
And the page flow described in the method: navigate is run through the proxy
And the URL regular expressions listed in the file:
tables/exclude_urls.table
are excluded from the spider
And the spider is configured for a maximum depth of 10
And the spider is configured for 1000 maximum children
And the spider is configured for 10 concurrent threads
And the following URLs are spidered:
url
baseUrl
(FAILED)
net.continuumsecurity.proxy.ProxyException: org.zaproxy.clientapi.core.ClientApiException: N''existe pas (does_not_exist) : Default Context
And the spider status reaches 100% complete (NOT PERFORMED)
And the following false positives are removed:
tables/zap.false_positives.table
(NOT PERFORMED)
And the XML report is written to the file passive.xml (NOT PERFORMED)
Then no Medium or higher risk vulnerabilities should be present (NOT PERFORMED)
net.continuumsecurity.proxy.ProxyException: org.zaproxy.clientapi.core.ClientApiException: N''existe pas (does_not_exist) : Default Context
at net.continuumsecurity.proxy.ZAProxyScanner.spider(ZAProxyScanner.java:322)
at net.continuumsecurity.steps.AppScanningSteps.spider(AppScanningSteps.java:145)
at net.continuumsecurity.steps.AppScanningSteps.spiderUrls(AppScanningSteps.java:117)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.jbehave.core.steps.StepCreator$ParameterisedStep.perform(StepCreator.java:569)
at org.jbehave.core.embedder.StoryRunner$FineSoFar.run(StoryRunner.java:533)
at org.jbehave.core.embedder.StoryRunner.runStepsWhileKeepingState(StoryRunner.java:513)
at org.jbehave.core.embedder.StoryRunner.runScenarioSteps(StoryRunner.java:477)
at org.jbehave.core.embedder.StoryRunner.runCancellable(StoryRunner.java:308)
at org.jbehave.core.embedder.StoryRunner.run(StoryRunner.java:220)
at org.jbehave.core.embedder.StoryRunner.runGivenStories(StoryRunner.java:393)
at org.jbehave.core.embedder.StoryRunner.runCancellable(StoryRunner.java:272)
at org.jbehave.core.embedder.StoryRunner.run(StoryRunner.java:220)
at org.jbehave.core.embedder.StoryRunner.run(StoryRunner.java:181)
at org.jbehave.core.embedder.StoryManager$EnqueuedStory.call(StoryManager.java:235)
at org.jbehave.core.embedder.StoryManager$EnqueuedStory.call(StoryManager.java:207)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.zaproxy.clientapi.core.ClientApiException: N''existe pas (does_not_exist) : Default Context
at org.zaproxy.clientapi.core.ApiResponseFactory.getResponse(Unknown Source)
at org.zaproxy.clientapi.core.ClientApi.callApi(Unknown Source)
at org.zaproxy.clientapi.gen.Spider.scan(Unknown Source)
at net.continuumsecurity.proxy.ZAProxyScanner.spider(ZAProxyScanner.java:319)
... 22 more
This relates to the cukesecure branch, not the master branch of BDD-Security.
Currently, the framework reads the config.xml file and loads the Java class defined in the tag, e.g.:
<class>net.continuumsecurity.examples.ropeytasks.RopeyTasksApplication</class>
This class then implements interfaces like ILogin, ILogout etc. that are used during the testing process. But since this is a Java class, the user needs to compile it and then run the framework. For users who would like a more dynamic approach, it would be easier to supply a Groovy script at runtime which can be provided external to the framework. In the future, this will allow us to dockerize the whole framework and then provide the Groovy script as a parameter to docker.
Steps required for this:
This means that the user should be able to run ./gradle -Dtest.single=AuthenticationTest -DAppDefinition=/home/somewhere/AppDefinition.groovy
The rest of the framework should work as it does now.
I have this error when I'm trying to use the ZAP scan:
6385 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory - Loading extensions
[java] Dec 09, 2015 3:38:57 AM net.continuumsecurity.Config getProxyHost
[java] WARNING: Error starting embedded ZAP
[java] java.lang.RuntimeException: Unable to connect to ZAP's proxy after 15000 milliseconds.
[java] at net.continuumsecurity.scanner.ZapManager.waitForSuccessfulConnectionToZap(ZapManager.java:98)
[java] at net.continuumsecurity.scanner.ZapManager.startZAP(ZapManager.java:62)
[java] at net.continuumsecurity.Config.getProxyHost(Config.java:193)
[java] at net.continuumsecurity.web.drivers.DriverFactory.createProxyCapabilities(DriverFactory.java:164)
[java] at net.continuumsecurity.web.drivers.DriverFactory.createProxyDriver(DriverFactory.java:119)
[java] at net.continuumsecurity.web.drivers.DriverFactory.findOrCreate(DriverFactory.java:95)
[java] at net.continuumsecurity.web.drivers.DriverFactory.getDriver(DriverFactory.java:64)
[java] at net.continuumsecurity.web.drivers.DriverFactory.getProxyDriver(DriverFactory.java:54)
[java] at net.continuumsecurity.web.WebApplication.enableHttpLoggingClient(WebApplication.java:92)
[java] at net.continuumsecurity.steps.WebApplicationSteps.enableLoggingDriver(WebApplicationSteps.java:239)
[java] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[java] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
[java] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[java] at java.lang.reflect.Method.invoke(Method.java:497)
[java] at org.jbehave.core.steps.StepCreator$ParameterisedStep.perform(StepCreator.java:569)
[java] at org.jbehave.core.embedder.StoryRunner$FineSoFar.run(StoryRunner.java:533)
[java] at org.jbehave.core.embedder.StoryRunner.runStepsWhileKeepingState(StoryRunner.java:513)
[java] at org.jbehave.core.embedder.StoryRunner.runScenarioSteps(StoryRunner.java:477)
[java] at org.jbehave.core.embedder.StoryRunner.runCancellable(StoryRunner.java:308)
[java] at org.jbehave.core.embedder.StoryRunner.run(StoryRunner.java:220)
[java] at org.jbehave.core.embedder.StoryRunner.run(StoryRunner.java:181)
[java] at org.jbehave.core.embedder.StoryManager$EnqueuedStory.call(StoryManager.java:235)
[java] at org.jbehave.core.embedder.StoryManager$EnqueuedStory.call(StoryManager.java:207)
[java] at java.util.concurrent.FutureTask.run(FutureTask.java:266)
[java] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
[java] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
[java] at java.lang.Thread.run(Thread.java:745)
[java] Dec 09, 2015 3:38:57 AM net.continuumsecurity.scanner.ZapManager startZAP
[java] INFO: ZAP already started.
[java] Dec 09, 2015 3:38:57 AM net.continuumsecurity.Config getDefaultDriverPath
[java] INFO: No path to the defaultDriver specified in config.xml, using auto-detection.
[java] Dec 09, 2015 3:38:57 AM net.continuumsecurity.Config getDefaultDriverPath
[java] INFO: Using driver at: drivers\chromedriver.exe
[java] Starting ChromeDriver 2.20.353145 (343b531d31eeb933ec778dbcf7081628a1396067) on port 1694
[java] Only local connections are allowed.
I am thinking about ways we could dockerize the bdd-security framework.
Hi, can anybody help me with the errors below?
When I run through gradlew I am facing the following errors.
1.
net.continuumsecurity.proxy.ProxyException
Caused by: org.zaproxy.clientapi.core.ClientApiException
Caused by: java.net.ConnectException
2.
at org.hsqldb.jdbc.Util.sqlException(Unknown Source)
at org.hsqldb.jdbc.Util.sqlException(Unknown Source)
at org.hsqldb.jdbc.JDBCConnection.(Unknown Source)
at org.hsqldb.jdbc.JDBCDriver.getConnection(Unknown Source)
at org.hsqldb.jdbc.JDBCDriver.connect(Unknown Source)
at java.sql.DriverManager.getConnection(Unknown Source)
at java.sql.DriverManager.getConnection(Unknown Source)
at org.parosproxy.paros.db.paros.ParosDatabaseServer.start(Unknown Source)
at org.parosproxy.paros.db.paros.ParosDatabaseServer.(Unknown Source)
at org.parosproxy.paros.db.paros.ParosDatabase.open(Unknown Source)
at org.parosproxy.paros.model.Model.createAndOpenUntitledDb(Unknown Source)
at org.parosproxy.paros.model.Model.init(Unknown Source)
at org.zaproxy.zap.ZapBootstrap.initModel(Unknown Source)
at org.zaproxy.zap.DaemonBootstrap.start(Unknown Source)
at org.zaproxy.zap.ZAP.main(Unknown Source)
Caused by: org.hsqldb.HsqlException: Database lock acquisition failure: lockFile: org.hsqldb.persist.LockFile@a803b7c5[file =C:\Users\xxxx\Downloads\bdd-security-master\bdd-security-master\zap\tmp\session\untitled1.lck, exists=true, locked=false, valid=false, ] method: checkHeartbeat read: 2016-06-14 10:18:56 heartbeat - read: -875 ms.
at org.hsqldb.error.Error.error(Unknown Source)
at org.hsqldb.error.Error.error(Unknown Source)
at org.hsqldb.persist.LockFile.newLockFileLock(Unknown Source)
at org.hsqldb.persist.Logger.acquireLock(Unknown Source)
at org.hsqldb.persist.Logger.openPersistence(Unknown Source)
at org.hsqldb.Database.reopen(Unknown Source)
at org.hsqldb.Database.open(Unknown Source)
at org.hsqldb.DatabaseManager.getDatabase(Unknown Source)
at org.hsqldb.DatabaseManager.newSession(Unknown Source)
Below is the config.xml. Is there anything wrong that I am doing here? Please confirm.
<!-- The settings in this file are for the demo ropey-tasks vulnerable web app available at: https://github.com/stephendv/RopeyTasks,
which is included in the bdd-security framework for demo purposes. -->
<!-- The web driver to use, can be either Firefox, Chrome or HtmlUnit. Optionally specify path to the driver (required for linux)
Some drivers require a path to the platform specific driver binary, for example chrome needs chromedriver. If these values are not specified, we'll use HtmlUnit
<defaultDriver>firefox</defaultDriver>
<defaultDriver path="src/test/resources/drivers/chromedriver-mac">firefox</defaultDriver> -->
<!-- Base URL of the application to test -->
<baseUrl>myapplication URL/</baseUrl>
<!-- A Java class to hold the Selenium steps to test the application in depth. Optionally required for in-depth authn/z and session management testing. -->
<class>net.continuumsecurity.examples.ropeytasks.RopeyTasksApplication</class>
<sslyze>
<path>/opt/sslyze/sslyze_cli.py</path>
<option>--regular</option>
</sslyze>
<!-- Optional names of the session ID cookies for session management testing. -->
<sessionIds>
<name>JSESSIONID</name>
</sessionIds>
<!-- the default user to use when logging in to the app -->
<defaultUsername>username</defaultUsername>
<defaultPassword>password</defaultPassword>
<scanner>
<ignoreUrl>.*logout.*</ignoreUrl>
<spiderUrl>baseUrl</spiderUrl>
</scanner>
<!-- An upstream proxy through which all HTTP traffic must pass before hitting the target
application under test. The framework will configure both the WebDriver instance and ZAP to use this proxy. Note that non-HTTP traffic will not use this proxy. -->
<upstreamProxy>
<host></host>
<port></port>
</upstreamProxy>
<incorrectPassword>SDFsdfwjx1</incorrectPassword>
<incorrectUsername>bobbles</incorrectUsername>
<!-- Optional login credentials for the Nessus server, the server location is specified in the nessus_scan.story file -->
<nessus>
<username>continuum</username>
<password>continuum</password>
</nessus>
<!-- Optional location of a running OWASP ZAP instance. Either an external- already running ZAP instance must be specified here, or the zapPath must be specified to launch ZAP
<proxy>
<host></host>
<port></port>
<api></api>
</proxy>-->
<zapPath>zap/zap.bat</zapPath>
@continuumsecurity, I got the following error when running the latest bdd-security.
test/src/main/java/net/continuumsecurity/steps/AppScanningSteps.java:92: error: cannot find symbol
byte[] xmlReport = scanner.getXmlReport();
@continuumsecurity
I found out that there is no mkdir=reports.dir.latest after delete dir=reports.dir.latest in line 46. This issue causes some of my jobs to stop in the build flow.
I've no idea why.
@continuumsecurity,
Is ant junit.run working on your end? I cannot get it to work. I only use behave.run command.
Whenever I run the "id scan_xss" in app_scan.story from the terminal, instead of getting the status of which XSS attacks worked and for which field, I am getting a number of outputs in my terminal as follows:
X-Frame-Options Header Not Set
[java] URL: [ some url in the website scanned ]
[java] Parameter:
[java] CWE-ID: 0
[java] WASC-ID: 0
I want to know how to see the list of all XSS scripts that are working and where, and also if and how we can set for which fields XSS attacks should be tried.
Add OWASP Top Ten and OWASP ASVS tags to the scenarios
Hello,
When running ant demo.run behind our corporate web proxy, the site www.cloudflarechallenge.com is not reachable (which is not the issue here). I get several "java.net.ConnectException"s and "java.net.SocketException"s and then the ant command hangs. Here are the last lines of the console:
[java] (ssl.story)
[java] Meta:
[java] @story ssl
[java]
[java] Narrative:
[java] In order to protect my data transmitted over the network
[java] As a user
[java] I want to verify that good SSL practices have been implemented and known weaknesses have been avoided
[java]
[java] Meta: @story ssl
[java] Scenario: Disable SSL deflate compression in order to mitigate the risk of the CRIME attack
[java] Meta:
[java] @id ssl_crime
[java]
[java] could not connect to www.cloudflarechallenge.com/107.170.194.215:443: java.net.ConnectException: Operation timed out
[java] could not connect to www.cloudflarechallenge.com/107.170.194.215:443: java.net.ConnectException: Operation timed out
[java] could not connect to www.cloudflarechallenge.com/107.170.194.215:443: java.net.SocketException: Network is unreachable
[java] could not connect to www.cloudflarechallenge.com/107.170.194.215:443: java.net.SocketException: Network is unreachable
[java] No SSL/TLS server at www.cloudflarechallenge.com/107.170.194.215:443
[java] could not connect to www.cloudflarechallenge.com/107.170.194.215:443: java.net.SocketException: Network is unreachable
After these lines nothing else happens (I let it run for 4h).
Environment:
Mac OS 10.10
java version "1.7.0_71"
Java(TM) SE Runtime Environment (build 1.7.0_71-b14)
Java HotSpot(TM) 64-Bit Server VM (build 24.71-b01, mixed mode)
and
Mac OS 10.10
java version "1.8.0_25"
Java(TM) SE Runtime Environment (build 1.8.0_25-b17)
Java HotSpot(TM) 64-Bit Server VM (build 25.25-b02, mixed mode)
and
Windows 7 64Bit (German)
java version "1.7.0_71"
Java(TM) SE Runtime Environment (build 1.7.0_71-b14)
Java HotSpot(TM) 64-Bit Server VM (build 24.71-b01, mixed mode)
This is the error that keeps showing during the scan:
[ZAP-ActiveScanner-1] FATAL hsqldb.db.HSQLDB379AF3DEBD.ENGINE - data file reached maximum size /var/lib/jenkins/.ZAP/session/untitled1.data
[java] 106425634 [ZAP-ActiveScanner-1] ERROR org.zaproxy.zap.extension.ascan.ActiveScan - java.sql.SQLException: Data File size limit is reached
[java] org.parosproxy.paros.db.DatabaseException: java.sql.SQLException: Data File size limit is reached
[java] at org.parosproxy.paros.db.paros.ParosTableHistory.write(Unknown Source)
[java] at org.parosproxy.paros.model.HistoryReference.(Unknown Source)
[java] at org.zaproxy.zap.extension.ascan.ActiveScan.notifyNewMessage(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.HostProcess.notifyNewMessage(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(Unknown Source)
[java] at org.zaproxy.zap.extension.ascanrules.TestCrossSiteScriptV2.performAttack(TestCrossSiteScriptV2.java:105)
[java] at org.zaproxy.zap.extension.ascanrules.TestCrossSiteScriptV2.scan(TestCrossSiteScriptV2.java:220)
[java] at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scan(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scanVariant(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scan(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractPlugin.run(Unknown Source)
[java] at java.lang.Thread.run(Thread.java:745)
[java] Caused by: java.sql.SQLException: Data File size limit is reached
[java] at org.hsqldb.jdbc.Util.sqlException(Unknown Source)
[java] at org.hsqldb.jdbc.Util.sqlException(Unknown Source)
[java] at org.hsqldb.jdbc.JDBCPreparedStatement.fetchResult(Unknown Source)
[java] at org.hsqldb.jdbc.JDBCPreparedStatement.executeUpdate(Unknown Source)
[java] at org.parosproxy.paros.db.paros.ParosTableHistory.write(Unknown Source)
Demonstrate how to use BDD-Security without the page object pattern, using selenium IDE instead.
Is there a way to tell bdd-security, which is using OWASP ZAP, not to scan the whole application/website?
e.g. scan only http://mysite.com/thisapponly instead of http://mysite.com/
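As an added example (not the project's own code) serving both the "Bad Format (bad_format) : regex" failure reported earlier and the question above about scanning only one path: a small Java check that compiles each row of exclude_urls.table with java.util.regex, the dialect ZAP itself uses, so a malformed row is reported with its position before the step hands it to the spider, and that shows against constructed URLs what a negative-lookahead exclusion leaves in scope. The one-column `|regex|` table layout and whole-URL matching are assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

/**
 * Pre-flight check for spider exclusion regexes (hypothetical helper, not part of bdd-security).
 * ZAP compiles each exclusion with java.util.regex, so compiling it here first turns the opaque
 * "Bad Format (bad_format) : regex" API error into a message naming the bad row and offset.
 */
public class ExcludeRegexCheck {

    /** Value of a one-column JBehave table row "|value|"; null for the header or non-row lines. */
    static String rowValue(String line) {
        String t = line.trim();
        if (t.length() < 2 || !t.startsWith("|") || !t.endsWith("|")) {
            return null;
        }
        // Assumed layout: a "|regex|" header followed by one pattern per row. JBehave splits on
        // every '|', so a pattern must not contain a bare '|' (use a group with escaped '\|').
        String v = t.substring(1, t.length() - 1).trim();
        return (v.isEmpty() || v.equalsIgnoreCase("regex")) ? null : v;
    }

    /** Compile every row; one problem description per row that ZAP would reject. */
    static List<String> findInvalidRows(List<String> tableLines) {
        List<String> problems = new ArrayList<>();
        for (String line : tableLines) {
            String regex = rowValue(line);
            if (regex == null) {
                continue;
            }
            try {
                Pattern.compile(regex);
            } catch (PatternSyntaxException e) {
                problems.add("'" + regex + "': " + e.getDescription() + " near index " + e.getIndex());
            }
        }
        return problems;
    }

    /** URLs the pattern excludes, assuming ZAP matches the whole URL (as ".*logout.*" in config.xml suggests). */
    static List<String> excludedBy(String regex, List<String> urls) {
        Pattern p = Pattern.compile(regex);
        List<String> out = new ArrayList<>();
        for (String url : urls) {
            if (p.matcher(url).matches()) {
                out.add(url);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample table: the project-style logout rule, a scope-limiting rule that
        // excludes everything outside /thisapponly, and a row with an unclosed group.
        String scopeRule = "^(?!http://mysite\\.com/thisapponly).*$";
        List<String> table = Arrays.asList(
                "|regex|",
                "|.*logout.*|",
                "|" + scopeRule + "|",
                "|http://mysite\\.com/(thisapponly|");

        for (String problem : findInvalidRows(table)) {
            System.out.println("invalid exclusion " + problem);
        }

        // Constructed URLs standing in for what the spider discovers.
        List<String> urls = Arrays.asList(
                "http://mysite.com/",
                "http://mysite.com/thisapponly/index",
                "http://mysite.com/thisapponly/logout",
                "http://mysite.com/otherapp/page");
        System.out.println("out of scope: " + excludedBy(scopeRule, urls));
    }
}
```

Whether the spider still visits its seed URL when that URL itself matches an exclusion is not something this page establishes; check it against the ZAP version in use.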
I was thinking about way we could map OWASP Application Security Verification Standards to BDD-Security security requirements in each story.
https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
@continuumsecurity
Unable to resolve dependency with the following class:
net.continuumsecurity.scanner.PortResult
The code shows error in import statement itself. I could not find this java file in github also. How to resolve this?
A lot of files have execute permission when pulled from github. A few suggestions to fix (via bash).
for f in $(find . -type f -executable -regextype posix-extended -iregex '.+\.(java|jar|xml|js|ftl|css|properties|jpg|jpeg|png|gif|sample|story|txt|md)'); do chmod -x "$f"; done
for f in $(find . -type f -name '.DS_Store'); do rm "$f"; done
After the clean-up, this more or less looks like the set of things that needs to be executable.
find . -type f -executable
./console.sh
./drivers/chromedriver-linux32
./drivers/chromedriver-linux64
./drivers/chromedriver-mac
./drivers/chromedriver.exe
./runconfig.sh
./runscenario.sh
./runstory.sh
./zap/zap.sh
Verify that BDD-Security works on the MS windows platform. There may be cases of hard coded "/" in the code.
I installed bdd-security and tried to configure it to work with my PHP web application, but there were a lot of errors at BUILD time, such as selenium (import org.openqa.selenium.WebElement; and so many others ...), jbehave (import org.jbehave.core.annotations.*; ...), htmlunit with selenium ...
What shall I do?