devopstf / gauntlt-zap

Gauntlt with ZAP and Arachni for Docker

This repo hosts a handful of scripts for security testing, based on James Wickett's security testing class and on the dockerized owasp-zap for CI/CD by Stephen Donner.

How it works

The Gauntlt container is purpose-built for getting started with security testing with Gauntlt.

  • Arachni, nikto, dirb, sqlmap, nmap, owasp-zap (zap-cli, and zapr are included) are installed inside the container as a basic set of attacking tools
  • Gauntlt is installed and is set as the entrypoint
  • You can run make path to add gauntlt-docker and other scripts to your path
  • Gauntlt is based on the Aruba extension for the Cucumber framework; hence you can define your attacks using Gherkin syntax for your scenarios (i.e. using Given, When, Then clauses)
  • You can find sample attacks from James Wickett's classes in the attacks folder.
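
As an added illustration of the Gherkin structure described above (not one of the sample attacks in this repo's attacks folder), the following attack file uses Gauntlt's nmap steps to check which ports a test target exposes. The hostname target.example and the ports 8008 and 3306 are placeholder assumptions; replace them with the values for your own test target.

```gherkin
# Added example: a Gauntlt attack file that checks port exposure.
# The hostname and ports are assumed placeholders, not values from this repo.
@slow
Feature: Port exposure check for the test application

  Background:
    # Fail early if the tool is missing from the container
    Given "nmap" is installed
    # Profile values are substituted into <name> placeholders below
    And the following profile:
      | name     | value          |
      | hostname | target.example |
      | port     | 8008           |

  Scenario: The application port is reachable
    When I launch an "nmap" attack with:
      """
      nmap -p <port> <hostname>
      """
    Then the output should match /8008.tcp\s+open/

  Scenario: No database port is exposed alongside the application
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    Then the output should not contain:
      """
      3306/tcp
      """
```

Each scenario fails the run when its Then clause is not satisfied, so the file works as a regression check in a CI/CD pipeline.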

You can also run your attacks using Arachni or ZAP outside Gauntlt.

There are two ad-hoc scripts for that, which you can use and modify:

  • zap-docker <target-url>
  • arachni-docker <target-url>

Setup

  1. Clone this repo:
$ git clone https://github.com/devopstf/gauntlt-zap
  2. Build the docker container:
$ cd /path/to/cloned/repo/gauntlt-docker
$ make build
  3. Copy the binary stub to your $PATH (like /usr/local/bin):
$ make path
  4. Test it out:
$ gauntlt-docker --help
  5. Set your target URL in the config file for Cucumber, located at config/cucumber.yml, using the following command:
$ gauntlt-target <target-url>
  6. Launch your attack:
$ gauntlt-docker path/to/your/file.attack

You can get interactive access to the container (with the current path bind mounted to /working) to test the installed attack tools individually:

$ make interactive

Test Application

You can use Gruyere, the cheese web application from Google Code Labs, for testing purposes: you can either set it up online or run it from a docker image through the provided makefile:

$ cd /path/to/cloned/repo/gauntlt-docker
$ make get-gruyere
$ make gruyere-start

Once you're done, you can simply kill the application instance by issuing this command:

$ make gruyere-kill
