mittn's People

Contributors

anttivs, dependabot[bot], kozmic, lokori, mathias-nyman, tuukkamustonen, ws-kimmo-helsing

mittn's Issues

Add dependency handling

Currently there are only installation instructions under docs/. Using git subtree or docker to codify these dependencies would make testing, take-into-use and updating significantly easier than it is today.

httpfuzzer valid case collection sometimes fails

Writing collected fuzz valid cases to files for Radamsa sometimes fails with

File "/home/user/mittn/mittn/httpfuzzer/fuzzer.py", line 87, in get_fuzz
filehandle.write(bytearray(valid_string, "UTF-8"))
TypeError: encoding or errors without a string argument

Add support for OWASP ZAP

Just a suggestion ;)
But it might help your uptake as ZAP is completely free.
Note we have a fully functional API which should meet all of your needs, and if it doesn't then we'll be very happy to enhance it :)
I'll be happy to provide any help and guidance you need.
If you don't have the time to implement this yourself then perhaps we could offer it as a student project, if you're willing to advise on the mittn side?

Add python 3 support

Beware: speedbumps ahead at least in the http fuzzer's http request implementation.

Remove extra DB dependency using a DB abstraction layer

Currently, the tool requires both sqlite and postgres to be installed (or at least their respective Python libraries). The code will be refactored to use a DB abstraction layer that should enable use of any major DB, and cut away a lot of code.

Implement HTTP path fuzzer

One of the original features I did not yet get to implement is a fuzzer for URL paths. Each part of a URL path could be fuzzed and injected.

Radamsa permission

Hello, I'm having the following problem:

And a working Radamsa installation # ../../../../../../usr/local/lib/python2.7/dist-packages/mittn-0.0.0-py2.7.egg/mittn/httpfuzzer/steps.py:75 0.004s
Assertion Failed: Could not execute Radamsa from /home/sergio/Master/Auditoria/mittn-master/features/radamsa-master/bin: [Errno 13] Permission denied

I already gave chmod 777 permissions to the radamsa binary and the full mittn folder.

Requests sometimes rejects the fuzzed GET URI and the run fails

The requests library does not like all the fuzzer-generated URLs. This may result in a requests.exceptions.InvalidURL when sending a fuzzed GET request.

The solution would be to catch this exception and just skip that test case, or use something other than requests.

Rename authenticator cache variable

In the authentication template example, "cached_authenticator" is used for two different things: The cached Auth object, and self.cached_authenticator to hold e.g., a session token. To make it clearer, the latter should be renamed.

headless-scanner: Issues with scan states (abandoned, canceled, waiting)

The headless scanner cannot handle all scan states.

It terminates on an abandoned state (to avoid false negatives, i.e., a scan that does nothing), but this also terminates if a scan hits a host that is outside target scope. Not a problem for simple scans, but probably makes any complex Selenium tests impossible.

It also does not understand "waiting" and "cancelled" states correctly.

Hence, the scan state logic needs to be fixed.

Implement the HTTP fuzzer

Clean up the HTTP fuzzer for OSS release. Features:

  • Fuzz JSON and form submission parameters / values
  • Fuzz URI path parts
  • Static injection into JSON and form submission parameters / values
  • Auto-relogin
  • Valid case instrumentation

List of error strings to be matched causes false positives easily

Some example strings in the httpfuzzer feature file, used for matching server responses, cause a lot of false positives if the server reflects back the strings in the static injections library. A good example of these is the string "SQL".

The example strings in the example feature files should be pared down so that they don't trigger when injected content is reflected back.
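As an added illustration of the false-positive problem described above (example code written for this page, not code from the mittn project): an error-string matcher that blanks out the injected value, including its HTML-escaped and percent-encoded forms, before searching the response, so a payload that the server merely reflects back cannot trigger an indicator such as "SQL". The error strings, injection payload and server responses below are constructed samples.

```python
import html
from urllib.parse import quote

# Constructed example error indicators of the kind a feature file might list.
ERROR_STRINGS = ["SQL", "syntax error", "Traceback (most recent call last)"]


def naive_find(response_body, error_strings=ERROR_STRINGS):
    """Plain substring match: flags any response that echoes the payload."""
    return [s for s in error_strings if s in response_body]


def reflected_forms(value):
    """Shapes in which a server commonly echoes an injected value back."""
    return {value, html.escape(value), quote(value, safe="")}


def find_error_indicators(response_body, injected_values, error_strings=ERROR_STRINGS):
    """Return the error strings present in response_body that are NOT
    explained by the server echoing one of injected_values.

    Every reflected form of every injected value is blanked out first (longest
    first, so an encoded form is not left half-replaced), then the indicators
    are searched in what remains, e.g. a genuine database error message.
    """
    forms = set()
    for value in injected_values:
        if value:
            forms.update(reflected_forms(value))
    scrubbed = response_body
    for form in sorted(forms, key=len, reverse=True):
        scrubbed = scrubbed.replace(form, " " * len(form))
    return [s for s in error_strings if s in scrubbed]


# Constructed samples: one static injection and three server responses.
INJECTION = "' OR 1=1 -- SQL"
REFLECTED_ONLY = '{"error": "unknown user: \' OR 1=1 -- SQL"}'
HTML_REFLECTED = "<p>No results for &#x27; OR 1=1 -- SQL</p>"
REAL_FAILURE = '{"error": "You have an error in your SQL syntax near \' OR 1=1 -- SQL"}'


def demo():
    """Naive matcher flags the harmless reflection; the scrubbing matcher
    flags only the response carrying a real database error."""
    return (naive_find(REFLECTED_ONLY),
            find_error_indicators(REFLECTED_ONLY, [INJECTION]),
            find_error_indicators(HTML_REFLECTED, [INJECTION]),
            find_error_indicators(REAL_FAILURE, [INJECTION]))
```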

Size limit specification for injectable bodies

Some load balancers drop bodies that are too large. They just close the HTTP connection, resulting in an HTTP protocol error. These cases are false positives and crop up randomly in fuzzing, so it should be possible to eliminate them.

Remove Behave and give up on BDD

The BDD stuff is really mostly useless in the context of Mittn. For example, the use of Behave and Gherkin in the Burp scanning case is just syntactic sugar, which just makes you fat. BDD-Security (http://www.continuumsecurity.net/bdd-intro.html) is a more ideologically pure BDD-driven testing solution.

Many testers would just want to use whichever test runner they use now (e.g., nose) and see Mittn as a wrapper for test tools, with an interface that looks like the current Behave step library. Mittn should then be packaged to be installable with pip.

I see this is a fairly major pivot opportunity but it will also decrease dependencies and improve testability of the tool itself.

If anyone has opinions on how the tool should be:

  • packaged (remember there are non-free binary dependencies)
  • configurable
  • callable from unit/system tests,

please comment below.

Update supported SSLyze version

At the time of writing version 0.10 of sslyze is supported. Now 0.12 is released. Bump needed.

SSLyze version 0.11 introduced a backwards incompatible change to its XML output which TLSChecker parses (https://github.com/nabla-c0d3/sslyze/releases). It also has an XML Schema now, so definitely implement that check.

Improving the dependency handling overall (issue #25) is also related, and could ease future maintenance. Also, maybe use sslyze tip-of-master instead of releases?

Use HAR format in failure case reports

Failing tests are now reported as fairly non-standard JSON blobs. An alternative would be to use HAR, a semi-standard format for HTTP request/response data. This is a low priority need and would probably be implemented using https://github.com/msabramo/pyhar but only if someone actually needs it. If you do, comment below.

Adding Support for Arachni integration

It will certainly be helpful for people who want to run security tests with CI tools, and without a doubt Arachni is one of the best dynamic application testing suites on the market, available and free.

It would be a pleasure for me to work with you on this project as well.
