withsecureopensource / mittn
Mittn: Security test tool runner for test automation in CI
License: Apache License 2.0
In the meantime, use sslyze 0.8 with tlschecker.
Hello, I'm having the following problem:
And a working Radamsa installation # ../../../../../../usr/local/lib/python2.7/dist-packages/mittn-0.0.0-py2.7.egg/mittn/httpfuzzer/steps.py:75 0.004s
Assertion Failed: Could not execute Radamsa from /home/sergio/Master/Auditoria/mittn-master/features/radamsa-master/bin: [Errno 13] Permission denied
I already gave chmod 777 permission to the radamsa binary and the full mittn folder.
Some example strings in the httpfuzzer feature file, used for matching server responses, cause a lot of false positives if the server reflects back the strings in the static injections library. A good example of these is the string "SQL".
The example strings in the example feature files should be pared down so that they don't trigger when injected content is reflected back.
A request from a user was to output a log of activity using a logging framework, so the test tool run can be more closely monitored (also without an intervening proxy).
The documentation should be more explicit that Radamsa 0.4a is required. Radamsa's own docs use 0.3 and cursory reading may leave users to scratch their heads.
Writing collected fuzz valid cases to files for Radamsa sometimes fails with
File "/home/user/mittn/mittn/httpfuzzer/fuzzer.py", line 87, in get_fuzz
filehandle.write(bytearray(valid_string, "UTF-8"))
TypeError: encoding or errors without a string argument
It would be cool and awesome if this would support Robot Framework somehow. http://robotframework.org/ is a widely used acceptance test framework. In particular, it is widely used with Selenium2Library to test websites.
One of the original features I did not yet get to implement is a fuzzer for URL paths. Each part of a URL path could be fuzzed and injected.
A tool that checks the existence of HTTP headers from the server against a baseline.
When using httpfuzzer, currently the database only holds an indication whether one of the error strings in the feature file matched in the server response body. To make the false positive triage easier, the actual string that matched should be stored in the database as well.
It was reported that the scan timeout for headless-scanner doesn't work. In case the scan takes ages, the test run will just take ages.
At the time of writing version 0.10 of sslyze is supported. Now 0.12 is released. Bump needed.
SSLyze version 0.11 introduced a backwards incompatible change to its XML output which TLSChecker parses (https://github.com/nabla-c0d3/sslyze/releases). It also has an XML Schema now, so definitely implement that check.
Improving the dependency handling overall (issue #25) is also related, and could ease future maintenance. Also, maybe use sslyze tip-of-master instead of releases?
In the authentication template example, "cached_authenticator" is used for two different things: The cached Auth object, and self.cached_authenticator to hold e.g., a session token. To make it clearer, the latter should be renamed.
Received the following request:
It has a good README, but not much information on how I can integrate it with Jenkins or run it automatically with my test app.
Something like this: http://www.continuumsecurity.net/bdd-getstarted.html would be great to get started.
It will certainly be helpful for the people who want to follow security tests with CI tools, and without a doubt Arachni is one of the best dynamic application testing suites available on the market, and free.
It would be a pleasure for me to work with you on this project as well.
Due to unknown reasons and missing tests, I noticed that the false positive checking in httpfuzzer's dbtools.py is completely broken.
This will be fixed properly as a part of #11.
Just a suggestion ;)
But it might help your uptake as ZAP is completely free.
Note we have a fully functional API which should meet all of your needs, and if it doesn't then we'll be very happy to enhance it :)
I'll be happy to provide any help and guidance you need.
If you don't have the time to implement this yourself then perhaps we could offer it as a student project, if you're willing to advise on the mittn side?
The requests library does not like all the fuzzer-generated URLs. This may result in a requests.exceptions.InvalidURL when sending a fuzzed GET request.
The solution would be to catch this exception and just skip that test case, or use something else than requests.
Beware: speedbumps ahead at least in the http fuzzer's http request implementation.
The headless scanner cannot handle all scan states.
It terminates on an abandoned state (to avoid false negatives, i.e., a scan that does nothing), but this also terminates if a scan hits a host that is outside target scope. Not a problem for simple scans, but probably makes any complex Selenium tests impossible.
It also does not understand "waiting" and "cancelled" states correctly.
Hence, the scan state logic needs to be fixed.
Currently there are only installation instructions under docs/. Using git subtree or docker to codify these dependencies would make testing, take-into-use and updating significantly easier than it is today.
Currently, the tool requires both sqlite and postgres to be installed (or at least their respective Python libraries). The code will be refactored to use a DB abstraction layer that should enable use of any major DB, and cut away a lot of code.
Failing tests are now reported as fairly non-standard JSON blobs. An alternative would be to use HAR, a semi-standard format for HTTP request/response data. This is a low priority need and would probably be implemented using https://github.com/msabramo/pyhar but only if someone actually needs it. If you do, comment below.
The BDD stuff is really mostly useless in the context of Mittn. For example, the use of Behave and Gherkin in the Burp scanning case is just syntactic sugar, which just makes you fat. BDD-Security (http://www.continuumsecurity.net/bdd-intro.html) is a more ideologically pure BDD-driven testing solution.
Many testers would just want to use whichever test runner they use now (e.g., nose) and see Mittn as a wrapper for test tools, with an interface that looks like the current Behave step library. Mittn should then be packaged to be installable with pip.
I see this is a fairly major pivot opportunity but it will also decrease dependencies and improve testability of the tool itself.
If anyone has opinions on how the tool should be:
please comment below.
Clean up the HTTP fuzzer for OSS release. Features:
Needs to be updated to do that for 0.8/0.9 output. Currently users just need to disable that check.
Some load balancers drop bodies that are too large. They just close the HTTP connection, resulting in an HTTP protocol error. These cases are false positives and crop up randomly in fuzzing, so it should be possible to eliminate them.
Mittn needs a test framework. Also set up Travis.