iriusrisk / bdd-security

BDD Automated Security Tests for Web Applications

Home Page: http://www.continuumsecurity.net/bdd-intro.html

License: GNU Affero General Public License v3.0

Shell 1.71% Java 56.18% JavaScript 16.08% HTML 3.63% XSLT 10.81% Batchfile 0.10% Gherkin 11.28% Dockerfile 0.20%

bdd-security's Introduction

The Open Threat Modeling platform

IriusRisk Community Edition is a free version of IriusRisk that allows you to quickly create threat models of software and cloud architectures and then manage those threats and countermeasures throughout the rest of the SDLC, including:

  • Assigning a risk response: Accept, Mitigate or Expose
  • Apply a security standard, such as OWASP ASVS to derive the security requirements in one step
  • All threat models created in IriusRisk can be published as Templates that are visible to other users of the platform.

Getting Started

Publishing Templates

  • One of the goals of the Community edition is to start sharing a common set of threat models for typical (or not) architectures. If you've modeled a system that you believe would benefit the wider Community please publish it as a Template! This will make it visible to other users of Community who will be able to import it into their own models. The submitted templates will go through a review process and if accepted, be published here on the github site in raw XML format so that non-community users can also take advantage of it.
  • NOTE: When you publish a model, it will be removed from the Product table, you'll need to create a new product and import your template into it, to work on it again.

Try our commercial edition for these extra features

  • Manage more than 1 application. The solution has been tested with 4000+ applications.
  • Customise the rules engine, component library and threat and countermeasure knowledge-bases.
  • Create custom questionnaires and data flow rules
  • See our website for more details


bdd-security's Issues

Adding a RunApp script

@continuumsecurity
Following our conversation a few months ago, I came up with a script for scanning multiple stories at one time. However, we will need to tweak three main files: config.java, StoryRunnner.java, and BaseStoryRunner.java. I think it will be easier for you to make those changes because you built this framework. Please let me know your thoughts.

```sh
#!/bin/sh

export ANT_OPTS=-Xmx500m

# Exit when fewer than 3 arguments are given
if [ $# -lt 3 ]
then
    echo "runApp <CustomConfig.xml> <LoginFlag> story1 story2 ...."
    exit 1
fi

cfg=$1
lfg=$2

# Every argument after the config file and login flag is a story name
numberOfStorie=$(expr $# - 2)
echo "About to run $numberOfStorie stories with customConfig: $1 and LoginFlag: $2"

shift
shift
for str in "$@"
do
    echo "Running Story - $str with $cfg and Login $lfg"
    ant test -Dargs="$cfg $lfg -story $str"
done
```

Exception when using story filtering and non-browser tests

Caused by: groovy.lang.MissingMethodException: No signature of method: java.lang.Boolean.minus() is applicable for argument types: (java.lang.Boolean) values: [false]
Possible solutions: find(), is(java.lang.Object), and(java.lang.Boolean), find(groovy.lang.Closure), any(), implies(java.lang.Boolean)
at org.codehaus.groovy.runtime.ScriptBytecodeAdapter.unwrap(ScriptBytecodeAdapter.java:55)
at org.codehaus.groovy.runtime.callsite.PojoMetaClassSite.call(PojoMetaClassSite.java:46)
at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:42)
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:108)
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:116)
at GroovyMatcher.match(script14387644395361717978511.groovy:4)

BaseUrl must end in a slash

Without the slash at the end ZAP doesn't recognise the URL as being part of the http history. Investigate best way to fix.

Windows support

Verify that BDD-Security works on the MS windows platform. There may be cases of hard coded "/" in the code.

build.xml minor bug

@continuumsecurity
I found out that there is no mkdir=reports.dir.latest after delete dir=reports.dir.latest on line 46. This issue causes some of my jobs to stop in the build flow.

Zaproxy Error: Data File size limit is reached

This is the error that keeps showing during the scan:

[ZAP-ActiveScanner-1] FATAL hsqldb.db.HSQLDB379AF3DEBD.ENGINE - data file reached maximum size /var/lib/jenkins/.ZAP/session/untitled1.data
[java] 106425634 [ZAP-ActiveScanner-1] ERROR org.zaproxy.zap.extension.ascan.ActiveScan - java.sql.SQLException: Data File size limit is reached
[java] org.parosproxy.paros.db.DatabaseException: java.sql.SQLException: Data File size limit is reached
[java] at org.parosproxy.paros.db.paros.ParosTableHistory.write(Unknown Source)
[java] at org.parosproxy.paros.model.HistoryReference.(Unknown Source)
[java] at org.zaproxy.zap.extension.ascan.ActiveScan.notifyNewMessage(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.HostProcess.notifyNewMessage(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(Unknown Source)
[java] at org.zaproxy.zap.extension.ascanrules.TestCrossSiteScriptV2.performAttack(TestCrossSiteScriptV2.java:105)
[java] at org.zaproxy.zap.extension.ascanrules.TestCrossSiteScriptV2.scan(TestCrossSiteScriptV2.java:220)
[java] at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scan(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scanVariant(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scan(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractPlugin.run(Unknown Source)
[java] at java.lang.Thread.run(Thread.java:745)
[java] Caused by: java.sql.SQLException: Data File size limit is reached
[java] at org.hsqldb.jdbc.Util.sqlException(Unknown Source)
[java] at org.hsqldb.jdbc.Util.sqlException(Unknown Source)
[java] at org.hsqldb.jdbc.JDBCPreparedStatement.fetchResult(Unknown Source)
[java] at org.hsqldb.jdbc.JDBCPreparedStatement.executeUpdate(Unknown Source)
[java] at org.parosproxy.paros.db.paros.ParosTableHistory.write(Unknown Source)

Issues with getting the Nessus Scan feature to work

Hi Continuum Security,

I've recently been looking at integrating a Nessus scanner into our Continuous Integration system. BDD-Security seems to be a great fit to accomplish this goal. I'm having trouble getting the Nessus Scan feature to work. For some reason the test skips the following steps:

a nessus version 6 server at https://localhost:8834
the scanning policy named bdd-policy
no severity: 2 or higher issues should be present

Here's my Cucumber test report:
[screenshot of the Cucumber test report]

14:40:28.672 [DEBUG] [TestEventLogger] Gradle Test Executor 1 STARTED
14:40:28.674 [QUIET] [system.out]
14:40:28.674 [DEBUG] [org.gradle.api.internal.tasks.testing.junit.JUnitTestClassProcessor] Executing test class net.continuumsecurity.junit.SecurityTest
14:40:28.678 [DEBUG] [TestEventLogger] 
14:40:28.678 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest STARTED
14:40:29.050 [DEBUG] [TestEventLogger] 
14:40:29.051 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest STANDARD_OUT
14:40:29.051 [DEBUG] [TestEventLogger]     @nessus_scan @skip
14:40:29.052 [DEBUG] [TestEventLogger]     Feature: Nessus Scan
14:40:29.052 [DEBUG] [TestEventLogger]       Scan the hosts for known security vulnerabilities
14:40:29.053 [DEBUG] [TestEventLogger] 
14:40:29.053 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > Scenario: The host systems should not expose known security vulnerabilities.classMethod STARTED
14:40:29.163 [DEBUG] [TestEventLogger] 
14:40:29.163 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > Scenario: The host systems should not expose known security vulnerabilities.Given a nessus API client that accepts all hostnames in SSL certificates STARTED
14:40:29.168 [DEBUG] [TestEventLogger] 
14:40:29.169 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > Scenario: The host systems should not expose known security vulnerabilities.Given a nessus API client that accepts all hostnames in SSL certificates                                                                                                                                                                                     PASSED
14:40:29.172 [DEBUG] [TestEventLogger] 
14:40:29.173 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > Scenario: The host systems should not expose known security vulnerabilities.And a nessus version 6 server at https://localhost:8834 STARTED
14:40:29.173 [DEBUG] [TestEventLogger] 
14:40:29.173 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > Scenario: The host systems should not expose known security vulnerabilities.And a nessus version 6 server at https://localhost:8834                                                                                                                                                                                                      SKIPPED
14:40:29.173 [DEBUG] [TestEventLogger] 
14:40:29.173 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > Scenario: The host systems should not expose known security vulnerabilities.And the scanning policy named bdd-policy STARTED
14:40:29.174 [DEBUG] [TestEventLogger] 
14:40:29.174 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > Scenario: The host systems should not expose known security vulnerabilities.And the scanning policy named bdd-policy SKIPPED
14:40:29.174 [DEBUG] [TestEventLogger] 
14:40:29.174 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > Scenario: The host systems should not expose known security vulnerabilities.And the target host names STARTED
14:40:29.175 [DEBUG] [TestEventLogger] 
14:40:29.175 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > Scenario: The host systems should not expose known security vulnerabilities.And the target host names SKIPPED
14:40:29.177 [DEBUG] [TestEventLogger] 
14:40:29.177 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > Scenario: The host systems should not expose known security vulnerabilities.When the scanner is run with scan name bddscan STARTED
14:40:29.177 [DEBUG] [TestEventLogger] 
14:40:29.177 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > Scenario: The host systems should not expose known security vulnerabilities.When the scanner is run with scan name bddscan SKIPPED
14:40:29.178 [DEBUG] [TestEventLogger] 
14:40:29.178 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > Scenario: The host systems should not expose known security vulnerabilities.And the list of issues is stored STARTED
14:40:29.179 [DEBUG] [TestEventLogger] 
14:40:29.179 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > Scenario: The host systems should not expose known security vulnerabilities.And the list of issues is stored SKIPPED
14:40:29.179 [DEBUG] [TestEventLogger] 
14:40:29.180 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > Scenario: The host systems should not expose known security vulnerabilities.And the following nessus false positive are removed STARTED
14:40:29.180 [DEBUG] [TestEventLogger] 
14:40:29.180 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > Scenario: The host systems should not expose known security vulnerabilities.And the following nessus false positive are removed                                                                                                                                                                                                          SKIPPED
14:40:29.180 [DEBUG] [TestEventLogger] 
14:40:29.180 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > Scenario: The host systems should not expose known security vulnerabilities.Then no severity: 2 or higher issues should be present STARTED
14:40:29.181 [DEBUG] [TestEventLogger] 
14:40:29.181 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > Scenario: The host systems should not expose known security vulnerabilities.Then no severity: 2 or higher issues should be present                                                                                                                                                                                                       SKIPPED

This appears to be a regex problem in NessusScanningSteps.java

```java
@Given("a nessus version $version server at $nessusUrl")
public void createNessusClient(int version, String url) {
    nessusUrl = url;
    nessusVersion = version;
    scanClient = ClientFactory.createScanClient(url, nessusVersion, ignoreHostNamesInSSLCert);
}
```

I have replicated this issue from a fresh copy of the bdd-security repository. Any idea how I can make this work?

Regards,
Rob

Mutual SSL CA certs

I have been trying to test a server that supports 2-way SSL with BDD-Security, but it keeps throwing exceptions on each run. Is there a way to specify a custom CA root cert with BDD-Security?

Exclude_URLs

@continuumsecurity

I am still testing these new functionalities, and today I was testing excluding some URLs, but I got some errors. So, my question is: what is the correct format for the excluded URLs? It is complaining about the regex on line 110 in AppScanSteps.java.

113143 [ZAP-ProxyThread-108] WARN org.zaproxy.zap.extension.api.API - handleApiRequest error: Bad Format (bad_format) : regex
Bad Format (bad_format) : regex
at org.zaproxy.zap.extension.spider.SpiderAPI.handleApiAction(Unknown Source)
at org.zaproxy.zap.extension.api.API.handleApiRequest(Unknown Source)
at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(Unknown Source)
at org.parosproxy.paros.core.proxy.ProxyThread.run(Unknown Source)
at java.lang.Thread.run(Thread.java:745)
[java] org.zaproxy.clientapi.core.ClientApiException: Bad Format (bad_format) : regex
[java] at org.zaproxy.clientapi.core.ApiResponseFactory.getResponse(Unknown Source)
[java] at org.zaproxy.clientapi.core.ClientApi.callApi(Unknown Source)
[java] at org.zaproxy.clientapi.gen.Spider.excludeFromScan(Unknown Source)
[java] at net.continuumsecurity.proxy.ZAProxyScanner.excludeFromSpider(ZAProxyScanner.java:303)
[java] at net.continuumsecurity.steps.AppScanningSteps.setExcludedRegex(AppScanningSteps.java:110)
[java] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[java] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
[java] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[java] at java.lang.reflect.Method.invoke(Method.java:606)
[java] at org.jbehave.core.steps.StepCreator$ParameterisedStep.perform(StepCreator.java:569)
[java] at org.jbehave.core.embedder.StoryRunner$FineSoFar.run(StoryRunner.java:533)
[java] at org.jbehave.core.embedder.StoryRunner.runStepsWhileKeepingState(StoryRunner.java:513)
[java] at org.jbehave.core.embedder.StoryRunner.runScenarioSteps(StoryRunner.java:477)
[java] at org.jbehave.core.embedder.StoryRunner.runCancellable(StoryRunner.java:308)
[java] at org.jbehave.core.embedder.StoryRunner.run(StoryRunner.java:220)
[java] at org.jbehave.core.embedder.StoryRunner.runGivenStories(StoryRunner.java:393)
[java] at org.jbehave.core.embedder.StoryRunner.runCancellable(StoryRunner.java:272)
[java] at org.jbehave.core.embedder.StoryRunner.run(StoryRunner.java:220)
[java] And the URL regular expressions listed in the file:
[java] |tables/exclude_urls.table|
[java] are excluded from the spider (FAILED)

error in xss_scan

I am getting an "invalid port number" error after running id xss_scan in app_scan.story. Following is a snapshot of my terminal:

[java] 18:22:45,636 DEBUG [net.continuumsecurity.steps.AppScanningSteps] - Scan is 0% complete.
[java] 18:22:47,645 DEBUG [net.continuumsecurity.steps.AppScanningSteps] - Scan is 0% complete.
[java] 67790 [ZAP-ActiveScanner-1] ERROR org.zaproxy.zap.extension.ascanrules.TestCrossSiteScriptV2 - invalid port number
[java] org.apache.commons.httpclient.URIException: invalid port number
[java] at org.apache.commons.httpclient.URI.parseAuthority(URI.java:2248)
[java] at org.apache.commons.httpclient.URI.parseUriReference(URI.java:1978)
[java] at org.apache.commons.httpclient.URI.(URI.java:167)
[java] at org.apache.commons.httpclient.URI.(URI.java:455)
[java] at org.parosproxy.paros.network.HttpSender.sendAndReceive(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(Unknown Source)
[java] at org.zaproxy.zap.extension.ascanrules.TestCrossSiteScriptV2.scan(TestCrossSiteScriptV2.java:127)
[java] at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scan(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scanVariant(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scan(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractPlugin.run(Unknown Source)
[java] at java.lang.Thread.run(Thread.java:745)

Please mention how to resolve this.

Connection refused

Any idea why I am seeing this error?

net.continuumsecurity.proxy.ProxyException: org.zaproxy.clientapi.core.ClientApiException: java.net.ConnectException: Connection refused
at net.continuumsecurity.proxy.ZAProxyScanner.validateMinimumRequiredZapVersion(ZAProxyScanner.java:112)
at net.continuumsecurity.proxy.ZAProxyScanner.(ZAProxyScanner.java:54)
at net.continuumsecurity.steps.AppScanningSteps.getScanner(AppScanningSteps.java:81)
at net.continuumsecurity.steps.AppScanningSteps.disableAllScanners(AppScanningSteps.java:76)
at ✽.And a scanner with all policies disabled(app_scan.feature:7)
Caused by: org.zaproxy.clientapi.core.ClientApiException: java.net.ConnectException: Connection refused
at org.zaproxy.clientapi.core.ClientApi.callApiDom(Unknown Source)
at org.zaproxy.clientapi.core.ClientApi.callApi(Unknown Source)
at org.zaproxy.clientapi.gen.Core.version(Unknown Source)
at net.continuumsecurity.proxy.ZAProxyScanner.validateMinimumRequiredZapVersion(ZAProxyScanner.java:101)
at net.continuumsecurity.proxy.ZAProxyScanner.(ZAProxyScanner.java:54)
at net.continuumsecurity.steps.AppScanningSteps.getScanner(AppScanningSteps.java:81)
at net.continuumsecurity.steps.AppScanningSteps.disableAllScanners(AppScanningSteps.java:76)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at cucumber.runtime.Utils$1.call(Utils.java:37)
at cucumber.runtime.Timeout.timeout(Timeout.java:13)
at cucumber.runtime.Utils.invoke(Utils.java:31)
at cucumber.runtime.java.JavaStepDefinition.execute(JavaStepDefinition.java:38)
at cucumber.runtime.StepDefinitionMatch.runStep(StepDefinitionMatch.java:37)
at cucumber.runtime.Runtime.runStep(Runtime.java:299)
at cucumber.runtime.model.StepContainer.runStep(StepContainer.java:44)
at cucumber.runtime.model.StepContainer.runSteps(StepContainer.java:39)
at cucumber.runtime.model.CucumberScenario.runBackground(CucumberScenario.java:59)
at cucumber.runtime.model.CucumberScenario.run(CucumberScenario.java:42)
at cucumber.runtime.junit.ExecutionUnitRunner.run(ExecutionUnitRunner.java:91)
at cucumber.runtime.junit.FeatureRunner.runChild(FeatureRunner.java:63)
at cucumber.runtime.junit.FeatureRunner.runChild(FeatureRunner.java:18)
at org.junit.runners.ParentRunner$3.run(ParentRunner.java:238)
at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:63)
at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:236)
at org.junit.runners.ParentRunner.access$000(ParentRunner.java:53)
at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:229)
at org.junit.runners.ParentRunner.run(ParentRunner.java:309)
at cucumber.runtime.junit.FeatureRunner.run(FeatureRunner.java:70)
at cucumber.api.junit.Cucumber.runChild(Cucumber.java:93)
at cucumber.api.junit.Cucumber.runChild(Cucumber.java:37)
at org.junit.runners.ParentRunner$3.run(ParentRunner.java:238)
at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:63)
at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:236)
at org.junit.runners.ParentRunner.access$000(ParentRunner.java:53)
at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:229)
at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
at org.junit.runners.ParentRunner.run(ParentRunner.java:309)
at cucumber.api.junit.Cucumber.run(Cucumber.java:98)
at org.gradle.api.internal.tasks.testing.junit.JUnitTestClassExecuter.runTestClass(JUnitTestClassExecuter.java:105)
at org.gradle.api.internal.tasks.testing.junit.JUnitTestClassExecuter.execute(JUnitTestClassExecuter.java:56)
at org.gradle.api.internal.tasks.testing.junit.JUnitTestClassProcessor.processTestClass(JUnitTestClassProcessor.java:64)
at org.gradle.api.internal.tasks.testing.SuiteTestClassProcessor.processTestClass(SuiteTestClassProcessor.java:50)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.gradle.messaging.dispatch.ReflectionDispatch.dispatch(ReflectionDispatch.java:35)
at org.gradle.messaging.dispatch.ReflectionDispatch.dispatch(ReflectionDispatch.java:24)
at org.gradle.messaging.dispatch.ContextClassLoaderDispatch.dispatch(ContextClassLoaderDispatch.java:32)
at org.gradle.messaging.dispatch.ProxyDispatchAdapter$DispatchingInvocationHandler.invoke(ProxyDispatchAdapter.java:93)
at com.sun.proxy.$Proxy2.processTestClass(Unknown Source)
at org.gradle.api.internal.tasks.testing.worker.TestWorker.processTestClass(TestWorker.java:106)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.gradle.messaging.dispatch.ReflectionDispatch.dispatch(ReflectionDispatch.java:35)
at org.gradle.messaging.dispatch.ReflectionDispatch.dispatch(ReflectionDispatch.java:24)
at org.gradle.messaging.remote.internal.hub.MessageHub$Handler.run(MessageHub.java:360)
at org.gradle.internal.concurrent.ExecutorPolicy$CatchAndRecordFailures.onExecute(ExecutorPolicy.java:54)
at org.gradle.internal.concurrent.StoppableExecutorImpl$1.run(StoppableExecutorImpl.java:40)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.net.ConnectException: Connection refused
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.Socket.connect(Socket.java:589)
at java.net.Socket.connect(Socket.java:538)
at sun.net.NetworkClient.doConnect(NetworkClient.java:180)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:432)
at sun.net.www.http.HttpClient$1.run(HttpClient.java:484)
at sun.net.www.http.HttpClient$1.run(HttpClient.java:482)
at java.security.AccessController.doPrivileged(Native Method)
at sun.net.www.http.HttpClient.privilegedOpenServer(HttpClient.java:481)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:522)
at sun.net.www.http.HttpClient.(HttpClient.java:211)
at sun.net.www.http.HttpClient.New(HttpClient.java:308)
at sun.net.www.http.HttpClient.New(HttpClient.java:326)
at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:1169)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1148)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:999)
at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:933)
at org.zaproxy.clientapi.core.ClientApi.getConnectionInputStream(Unknown Source)
... 67 more

Following the "Getting started" Guide runs on an error

Hello!

After listening to the great talk at AppSec 2014, I tried the Getting Started guide. Unfortunately I ran into an error (see stack trace below).
Copying the current ropeytasks-0.1.war from iriusrisk/RopeyTasks@fe72509 did not solve the problem.
I could fix this by building my own version of RopeyTasks and replacing the existing one.

Stacktrace of the error:

➜  bdd-security git:(develop) ant demo.run
Buildfile: .../bdd-security/build.xml

demo.run:

ropey.run:
     [java] 2014-08-08 05:44:27.458:INFO:omjr.Runner:Runner
     [java] 2014-08-08 05:44:27.458:WARN:omjr.Runner:No tx manager found
     [java] 2014-08-08 05:44:27.533:INFO:omjr.Runner:Deploying file:.../bdd-security/src/test/resources/ropeytasks-0.1.war @ /
     [java] 2014-08-08 05:44:27.565:INFO:oejs.Server:jetty-8.y.z-SNAPSHOT
     [java] 2014-08-08 05:44:27.628:INFO:oejw.WebInfConfiguration:Extract jar:file:.../bdd-security/src/test/resources/ropeytasks-0.1.war!/ to /private/var/folders/ch/rdgfdhv54wqdhkmr5jvxhnjw0000gp/T/jetty-0.0.0.0-9090-ropeytasks-0.1.war-_-any-/webapp
     [java] 2014-08-08 05:44:30.536:INFO:oejpw.PlusConfiguration:No Transaction manager found - if your webapp requires one, please configure one.
     [java] 2014-08-08 05:44:35.463:INFO:/:No Spring WebApplicationInitializer types detected on classpath
     [java] 2014-08-08 05:44:37.215:INFO:/:Initializing Spring root WebApplicationContext
     [java] 2014-08-08 05:44:39,034 [main] ERROR context.ContextLoader  - Context initialization failed
     [java] org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'pluginManager' defined in ServletContext resource [/WEB-INF/applicationContext.xml]: Invocation of init method failed; nested exception is java.lang.NullPointerException: Cannot invoke method getAt() on null object
     [java]     at org.eclipse.jetty.server.handler.ContextHandler.callContextInitialized(ContextHandler.java:782)
     [java]     at org.eclipse.jetty.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:424)
     [java]     at org.eclipse.jetty.server.handler.ContextHandler.startContext(ContextHandler.java:774)
     [java] 2014-08-08 05:44:39.047:WARN:oejw.WebAppContext:Failed startup of context o.e.j.w.WebAppContext{/,file:/private/var/folders/ch/rdgfdhv54wqdhkmr5jvxhnjw0000gp/T/jetty-0.0.0.0-9090-ropeytasks-0.1.war-_-any-/webapp/},file:.../bdd-security/src/test/resources/ropeytasks-0.1.war
     [java] org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'pluginManager' defined in ServletContext resource [/WEB-INF/applicationContext.xml]: Invocation of init method failed; nested exception is java.lang.NullPointerException: Cannot invoke method getAt() on null object
     [java]     at org.eclipse.jetty.server.handler.ContextHandler.callContextInitialized(ContextHandler.java:782)
     [java]     at org.eclipse.jetty.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:424)
     [java]     at org.eclipse.jetty.server.handler.ContextHandler.startContext(ContextHandler.java:774)
     [java]     at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:249)
     [java]     at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1242)
     [java]     at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:717)
     [java]     at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:494)
     [java]     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
     [java]     at org.eclipse.jetty.server.handler.HandlerCollection.doStart(HandlerCollection.java:229)
     [java]     at org.eclipse.jetty.server.handler.ContextHandlerCollection.doStart(ContextHandlerCollection.java:172)
     [java]     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
     [java]     at org.eclipse.jetty.server.handler.HandlerCollection.doStart(HandlerCollection.java:229)
     [java]     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
     [java]     at org.eclipse.jetty.server.handler.HandlerWrapper.doStart(HandlerWrapper.java:95)
     [java]     at org.eclipse.jetty.server.Server.doStart(Server.java:282)
     [java]     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
     [java] Caused by:
     [java] java.lang.NullPointerException: Cannot invoke method getAt() on null object
     [java]     at org.eclipse.jetty.server.handler.ContextHandler.callContextInitialized(ContextHandler.java:782)
     [java]     at org.eclipse.jetty.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:424)
     [java]     at org.eclipse.jetty.server.handler.ContextHandler.startContext(ContextHandler.java:774)
     [java]     at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:249)
     [java]     at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1242)
     [java]     at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:717)
     [java]     at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:249)
     [java]     at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1242)
     [java]     at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:717)
     [java]     at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:494)
     [java]     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
     [java]     at org.eclipse.jetty.server.handler.HandlerCollection.doStart(HandlerCollection.java:229)
     [java]     at org.eclipse.jetty.server.handler.ContextHandlerCollection.doStart(ContextHandlerCollection.java:172)
     [java]     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
     [java]     at org.eclipse.jetty.server.handler.HandlerCollection.doStart(HandlerCollection.java:229)
     [java]     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
     [java]     at org.eclipse.jetty.server.handler.HandlerWrapper.doStart(HandlerWrapper.java:95)
     [java]     at org.eclipse.jetty.server.Server.doStart(Server.java:282)
     [java]     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
     [java] 2014-08-08 05:44:39.048:WARN:oejsh.RequestLogHandler:!RequestLog
     [java]     at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:494)
     [java]     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
     [java]     at org.eclipse.jetty.server.handler.HandlerCollection.doStart(HandlerCollection.java:229)
     [java]     at org.eclipse.jetty.server.handler.ContextHandlerCollection.doStart(ContextHandlerCollection.java:172)
     [java]     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
     [java]     at org.eclipse.jetty.server.handler.HandlerCollection.doStart(HandlerCollection.java:229)
     [java]     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
     [java]     at org.eclipse.jetty.server.handler.HandlerWrapper.doStart(HandlerWrapper.java:95)
     [java]     at org.eclipse.jetty.server.Server.doStart(Server.java:282)
     [java]     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
     [java] Caused by: java.lang.NullPointerException: Cannot invoke method getAt() on null object
     [java]     ... 16 more
     [java] 2014-08-08 05:44:39,038 [main] ERROR context.GrailsContextLoader  - Error initializing the application: Error creating bean with name 'pluginManager' defined in ServletContext resource [/WEB-INF/applicationContext.xml]: Invocation of init method failed; nested exception is java.lang.NullPointerException: Cannot invoke method getAt() on null object
     [java] org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'pluginManager' defined in ServletContext resource [/WEB-INF/applicationContext.xml]: Invocation of init method failed; nested exception is java.lang.NullPointerException: Cannot invoke method getAt() on null object
     [java]     at org.eclipse.jetty.server.handler.ContextHandler.callContextInitialized(ContextHandler.java:782)
     [java]     at org.eclipse.jetty.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:424)
     [java]     at org.eclipse.jetty.server.handler.ContextHandler.startContext(ContextHandler.java:774)
     [java]     at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:249)
     [java]     at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1242)
     [java]     at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:717)
     [java]     at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:494)
     [java]     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
     [java]     at org.eclipse.jetty.server.handler.HandlerCollection.doStart(HandlerCollection.java:229)
     [java]     at org.eclipse.jetty.server.handler.ContextHandlerCollection.doStart(ContextHandlerCollection.java:172)
     [java]     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
     [java]     at org.eclipse.jetty.server.handler.HandlerCollection.doStart(HandlerCollection.java:229)
     [java]     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
     [java]     at org.eclipse.jetty.server.handler.HandlerWrapper.doStart(HandlerWrapper.java:95)
     [java]     at org.eclipse.jetty.server.Server.doStart(Server.java:282)
     [java]     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
     [java] Caused by: java.lang.NullPointerException: Cannot invoke method getAt() on null object
     [java]     ... 16 more
     [java] 2014-08-08 05:44:39,040 [main] ERROR context.GrailsContextLoader  - Error initializing Grails: Error creating bean with name 'pluginManager' defined in ServletContext resource [/WEB-INF/applicationContext.xml]: Invocation of init method failed; nested exception is java.lang.NullPointerException: Cannot invoke method getAt() on null object
     [java] org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'pluginManager' defined in ServletContext resource [/WEB-INF/applicationContext.xml]: Invocation of init method failed; nested exception is java.lang.NullPointerException: Cannot invoke method getAt() on null object
     [java]     at org.eclipse.jetty.server.handler.ContextHandler.callContextInitialized(ContextHandler.java:782)
     [java]     at org.eclipse.jetty.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:424)
     [java]     at org.eclipse.jetty.server.handler.ContextHandler.startContext(ContextHandler.java:774)
     [java]     at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:249)
     [java]     at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1242)
     [java]     at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:717)
     [java]     at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:494)
     [java]     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
     [java]     at org.eclipse.jetty.server.handler.HandlerCollection.doStart(HandlerCollection.java:229)
     [java]     at org.eclipse.jetty.server.handler.ContextHandlerCollection.doStart(ContextHandlerCollection.java:172)
     [java]     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
     [java]     at org.eclipse.jetty.server.handler.HandlerCollection.doStart(HandlerCollection.java:229)
     [java]     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
     [java]     at org.eclipse.jetty.server.handler.HandlerWrapper.doStart(HandlerWrapper.java:95)
     [java]     at org.eclipse.jetty.server.Server.doStart(Server.java:282)
     [java]     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
     [java] Caused by: java.lang.NullPointerException: Cannot invoke method getAt() on null object
     [java]     ... 16 more
     [java] 2014-08-08 05:44:39.157:INFO:oejs.AbstractConnector:Started [email protected]:9090

clean:

makedir:
    [mkdir] Created dir: .../bdd-security/target/classes

compile:
^C%

No Existing Zap Policies

@continuumsecurity, I think the following need to be removed as well

case "source-code-disclosure":
scannerIds = "42,10045,20017";
break;
case "shell-shock":
scannerIds = "10048";
break;
case "remote-code-execution":
scannerIds = "20018";
break;
case "ldap-injection":
scannerIds = "40015";
break;
case "xpath-injection":
scannerIds = "90021";
break;
case "xml-external-entity":
scannerIds = "90023";
break;
case "padding-oracle":
scannerIds = "90024";
break;
case "el-injection":
scannerIds = "90025";
break;
case "insecure-http-methods":
scannerIds = "90028";
break;
case "parameter-pollution":
scannerIds = "20014";

how to see the output of scan_xss

Whenever I run the "id scan_xss" in app_scan.story from the terminal, instead of getting the status of which XSS attacks worked and for which field, I am getting a number of outputs in my terminal as follows:

X-Frame-Options Header Not Set
[java] URL: [ some url in the website scanned ]
[java] Parameter:
[java] CWE-ID: 0
[java] WASC-ID: 0

I want to know how to see the list of all XSS scripts that are working and where, and also if and how we can set for which fields XSS attacks should be tried.

junit

@continuumsecurity,
Is ant junit.run working on your end? I cannot get it to work. I only use behave.run command.

Are there dependencies I should install with bdd-security?

I installed bdd-security and tried to configure it to work with my PHP web application, but there were a lot of errors when building, such as selenium (import org.openqa.selenium.WebElement; and so many more ...), jbehave (import org.jbehave.core.annotations.*; ...), htmlunit with selenium ...
What shall I do?

Story "ssl_crime" in demo hangs if www.cloudflarechallenge.com not reachable

Hello,

When running ant demo.run behind our corporate web proxy, the site www.cloudflarechallenge.com is not reachable (which is not the issue here). I get several "java.net.ConnectException"s and "java.net.SocketException"s and then the ant command hangs. Here are the last lines of the console:

[java] (ssl.story)
 [java] Meta:
 [java] @story ssl
 [java]
 [java] Narrative:
 [java] In order to protect my data transmitted over the network
 [java] As a user
 [java] I want to verify that good SSL practices have been implemented and known weaknesses have been avoided
 [java]
 [java] Meta: @story ssl
 [java] Scenario: Disable SSL deflate compression in order to mitigate the risk of the CRIME attack
 [java] Meta:
 [java] @id ssl_crime
 [java]
 [java] could not connect to www.cloudflarechallenge.com/107.170.194.215:443: java.net.ConnectException: Operation timed out
 [java] could not connect to www.cloudflarechallenge.com/107.170.194.215:443: java.net.ConnectException: Operation timed out
 [java] could not connect to www.cloudflarechallenge.com/107.170.194.215:443: java.net.SocketException: Network is unreachable
 [java] could not connect to www.cloudflarechallenge.com/107.170.194.215:443: java.net.SocketException: Network is unreachable
 [java] No SSL/TLS server at www.cloudflarechallenge.com/107.170.194.215:443
 [java] could not connect to www.cloudflarechallenge.com/107.170.194.215:443: java.net.SocketException: Network is unreachable

After these lines nothing else happens (I let it run for 4h).

Environment:

Mac OS 10.10
java version "1.7.0_71"
Java(TM) SE Runtime Environment (build 1.7.0_71-b14)
Java HotSpot(TM) 64-Bit Server VM (build 24.71-b01, mixed mode)

and

Mac OS 10.10
java version "1.8.0_25"
Java(TM) SE Runtime Environment (build 1.8.0_25-b17)
Java HotSpot(TM) 64-Bit Server VM (build 25.25-b02, mixed mode)

and

Windows 7 64Bit (German)
java version "1.7.0_71"
Java(TM) SE Runtime Environment (build 1.7.0_71-b14)
Java HotSpot(TM) 64-Bit Server VM (build 24.71-b01, mixed mode)

junit.run

@continuumsecurity, I am testing junit.run for your latest fix, but it kept hanging at the following point:
junit] Running net.continuumsecurity.jbehave.JUnitStoryRunner

PortResult.java

@continuumsecurity
Unable to resolve dependency with the following class:
net.continuumsecurity.scanner.PortResult
The code shows error in import statement itself. I could not find this java file in github also. How to resolve this?

Use groovy script to define the WebDriver steps

This relates to the cukesecure branch, not the master branch of BDD-Security.

Currently, the framework reads the config.xml file and loads the Java class defined in the <class> tag, e.g.:
<class>net.continuumsecurity.examples.ropeytasks.RopeyTasksApplication</class>

This class then implements interfaces like ILogin, ILogout etc that are used during the testing process. But since this is a Java class the user needs to compile it and then run the framework. For users who would like a more dynamic approach, it would be easier to supply a groovy script at runtime which can be provided external to the framework. In the future, this will allow us to dockerize the whole framework and then provide the groovy script as a parameter to docker.

Steps required for this:

  1. remove the <class> tag from config.xml and use a hard-coded class name: AppDefinition
  2. expect to find the class either in the root of the project ./AppDefinition.groovy or specified in the Property AppDefinition.
  3. Dynamically load the groovy script

This means that the user should be able to run ./gradle -Dtest.single=AuthenticationTest -DAppDefinition=/home/somewhere/AppDefinition.groovy

The rest of the framework should work as it does now.
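
One way to implement the three steps above, as an added example that is not part of the issue or of the framework's own code: the property name AppDefinition and the fallback location ./AppDefinition.groovy are taken from the issue, ILogin is used as the example interface the script must implement, and the class name AppDefinitionLoader is an assumption.

```java
import groovy.lang.GroovyClassLoader;

import java.io.File;
import java.io.IOException;

/**
 * Added example (not framework code): resolve and load the user's AppDefinition
 * Groovy script at runtime instead of a compiled Java class.
 * Assumed: property name "AppDefinition" and default "./AppDefinition.groovy" (from
 * the issue); the framework interfaces (ILogin, ILogout, ...) are passed in by the caller.
 */
public final class AppDefinitionLoader {
    /** System property that points at the script (step 2 of the issue). */
    public static final String PROPERTY = "AppDefinition";
    /** Fallback location in the project root (step 2 of the issue). */
    public static final String DEFAULT_PATH = "./AppDefinition.groovy";

    /** Kept for the whole run: classes defined by this loader must stay resolvable. */
    private static final GroovyClassLoader GROOVY =
            new GroovyClassLoader(AppDefinitionLoader.class.getClassLoader());

    private AppDefinitionLoader() {}

    /** -DAppDefinition=/path/to/AppDefinition.groovy wins; otherwise use the project root. */
    public static File resolveScript() {
        return new File(System.getProperty(PROPERTY, DEFAULT_PATH));
    }

    /**
     * Compile the script and instantiate it (step 3 of the issue). The instance is
     * checked against the interface the caller needs, so a script that forgets to
     * implement ILogin fails here with a clear message rather than with a
     * ClassCastException in the middle of a scenario.
     */
    public static <T> T load(Class<T> required) throws IOException {
        File script = resolveScript();
        if (!script.isFile()) {
            throw new IOException("AppDefinition script not found: " + script.getAbsolutePath()
                    + " (set -D" + PROPERTY + "=<path> or place it in the project root)");
        }
        // parseClass compiles the whole script; compilation errors surface as
        // CompilationFailedException (unchecked) with the script's line numbers.
        Class<?> loaded = GROOVY.parseClass(script);
        if (!required.isAssignableFrom(loaded)) {
            throw new IllegalStateException(loaded.getName() + " does not implement " + required.getName());
        }
        try {
            return required.cast(loaded.getDeclaredConstructor().newInstance());
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException("Cannot instantiate " + loaded.getName(), e);
        }
    }

    // Usage from a step class, e.g.: ILogin app = AppDefinitionLoader.load(ILogin.class);
}
```

Whatever file this resolves to runs with the framework's full JVM privileges, so the path should only ever come from the operator's own configuration, as the -DAppDefinition property in the issue does; the loader deliberately refuses a script that does not implement the requested interface instead of failing later in a scenario.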

AppScanningSteps Error

@continuumsecurity, I got the following error when running the latest bdd-security.

test/src/main/java/net/continuumsecurity/steps/AppScanningSteps.java:92: error: cannot find symbol
byte[] xmlReport = scanner.getXmlReport();

connection exception

Hi, can anybody help me with the below error?
When I run through gradlew I am facing the below errors.
1.
net.continuumsecurity.proxy.ProxyException
Caused by: org.zaproxy.clientapi.core.ClientApiException
Caused by: java.net.ConnectException
2.
at org.hsqldb.jdbc.Util.sqlException(Unknown Source)
at org.hsqldb.jdbc.Util.sqlException(Unknown Source)
at org.hsqldb.jdbc.JDBCConnection.<init>(Unknown Source)
at org.hsqldb.jdbc.JDBCDriver.getConnection(Unknown Source)
at org.hsqldb.jdbc.JDBCDriver.connect(Unknown Source)
at java.sql.DriverManager.getConnection(Unknown Source)
at java.sql.DriverManager.getConnection(Unknown Source)
at org.parosproxy.paros.db.paros.ParosDatabaseServer.start(Unknown Source)
at org.parosproxy.paros.db.paros.ParosDatabaseServer.<init>(Unknown Source)
at org.parosproxy.paros.db.paros.ParosDatabase.open(Unknown Source)
at org.parosproxy.paros.model.Model.createAndOpenUntitledDb(Unknown Source)
at org.parosproxy.paros.model.Model.init(Unknown Source)
at org.zaproxy.zap.ZapBootstrap.initModel(Unknown Source)
at org.zaproxy.zap.DaemonBootstrap.start(Unknown Source)
at org.zaproxy.zap.ZAP.main(Unknown Source)
Caused by: org.hsqldb.HsqlException: Database lock acquisition failure: lockFile: org.hsqldb.persist.LockFile@a803b7c5[file =C:\Users\xxxx\Downloads\bdd-security-master\bdd-security-master\zap\tmp\session\untitled1.lck, exists=true, locked=false, valid=false, ] method: checkHeartbeat read: 2016-06-14 10:18:56 heartbeat - read: -875 ms.
at org.hsqldb.error.Error.error(Unknown Source)
at org.hsqldb.error.Error.error(Unknown Source)
at org.hsqldb.persist.LockFile.newLockFileLock(Unknown Source)
at org.hsqldb.persist.Logger.acquireLock(Unknown Source)
at org.hsqldb.persist.Logger.openPersistence(Unknown Source)
at org.hsqldb.Database.reopen(Unknown Source)
at org.hsqldb.Database.open(Unknown Source)
at org.hsqldb.DatabaseManager.getDatabase(Unknown Source)
at org.hsqldb.DatabaseManager.newSession(Unknown Source)

Below is the config.xml. Is there anything wrong that I am doing here? Please confirm.

<!-- The settings in this file are for the demo ropey-tasks vulnerable web app available at: https://github.com/stephendv/RopeyTasks,
        which is included in the bdd-security framework for demo purposes. -->

<!-- The web driver to use, can be either Firefox, Chrome or HtmlUnit.  Optionally specify path to the driver (required for linux)
     Some drivers require a path to the platform specific driver binary, for example chrome needs chromedriver.  If these values are not specified, we'll use HtmlUnit
<defaultDriver>firefox</defaultDriver>
<defaultDriver path="src/test/resources/drivers/chromedriver-mac">firefox</defaultDriver> -->

<!-- Base URL of the application to test -->
<baseUrl>myapplication URL/</baseUrl>

<!-- A Java class to hold the Selenium steps to test the application in depth. Optionally required for in-depth authn/z and session management testing. -->
<class>net.continuumsecurity.examples.ropeytasks.RopeyTasksApplication</class>

<sslyze>
    <path>/opt/sslyze/sslyze_cli.py</path>
    <option>--regular</option>
</sslyze>

<!-- Optional names of the session ID cookies for session management testing. -->
<sessionIds>
    <name>JSESSIONID</name>
</sessionIds>

<!-- the default user to use when logging in to the app -->
<defaultUsername>username</defaultUsername>
<defaultPassword>password</defaultPassword>

<scanner>
    <ignoreUrl>.*logout.*</ignoreUrl>
    <spiderUrl>baseUrl</spiderUrl>
</scanner>

<!-- An upstream proxy through which all HTTP traffic must pass before hitting the target
application under test.  The framework will configure both the WebDriver instance and ZAP to use this proxy.  Note that non-HTTP traffic will not use this proxy. -->
<upstreamProxy>
    <host></host>
    <port></port>
</upstreamProxy>

<incorrectPassword>SDFsdfwjx1</incorrectPassword>
<incorrectUsername>bobbles</incorrectUsername>

<!-- Optional login credentials for the Nessus server, the server location is specified in the nessus_scan.story file -->
<nessus>
    <username>continuum</username>
    <password>continuum</password>
</nessus>

<!-- Optional location of a running OWASP ZAP instance.  Either an external- already running ZAP instance must be specified here, or the zapPath must be specified to launch ZAP
<proxy>
    <host></host>
    <port></port>
    <api></api>
</proxy>-->

<zapPath>zap/zap.bat</zapPath>

Issues with getting the authorisation feature to work

Hey Stephen,

as you know, I've been taking a closer look at BDD-Security recently and am loving it.
After getting the authentication and some other features to work well, I've been playing around with the authorisation feature and have problems getting it to work.

A clip from the cucumber test pretty report looks like this.
(screenshot attached: cucumber results_export)

For some reason it skips

14:22:02.159 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > | viewJacksInfo | [email protected] | yankeessuck | Jack Mannin |.And the login page STARTED
14:22:02.163 [DEBUG] [TestEventLogger] 
14:22:02.163 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > | viewJacksInfo | [email protected] | yankeessuck | Jack Mannin |.And the login page PASSED
14:22:02.168 [DEBUG] [TestEventLogger] 
14:22:02.168 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > | viewJacksInfo | [email protected] | yankeessuck | Jack Mannin |.And the username [email protected] STARTED
14:22:02.169 [DEBUG] [TestEventLogger] 
14:22:02.169 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > | viewJacksInfo | [email protected] | yankeessuck | Jack Mannin |.And the username [email protected] SKIPPED
14:22:02.171 [DEBUG] [TestEventLogger] 
14:22:02.171 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > | viewJacksInfo | [email protected] | yankeessuck | Jack Mannin |.And the password yankeessuck STARTED
14:22:02.176 [DEBUG] [TestEventLogger] 
14:22:02.176 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > | viewJacksInfo | [email protected] | yankeessuck | Jack Mannin |.And the password yankeessuck SKIPPED
14:22:02.180 [DEBUG] [TestEventLogger] 
14:22:02.180 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > | viewJacksInfo | [email protected] | yankeessuck | Jack Mannin |.When the user logs in STARTED
14:22:02.181 [DEBUG] [TestEventLogger] 
14:22:02.181 [DEBUG] [TestEventLogger] net.continuumsecurity.junit.SecurityTest > | viewJacksInfo | [email protected] | yankeessuck | Jack Mannin |.When the user logs in SKIPPED

The authorisation.feature file can be seen below. I'm testing BDD-Security on RailsGoat currently.
authorisation.feature.feature.txt

Finally, my current RailsGoatApplication.java file is attached below:
RailsGoatApplication.java.txt

Looking at the line "And the username", it doesn't seem to have a corresponding WebApplicationSteps.java mapping. There is one for @Given but not for @And. I've even tried mixing and matching the keywords, but without success.

@Given("^the username (\\s+)$")
public void setUsernameFromExamples(String username) {
    World.getInstance().getUserPassCredentials().setUsername(username);
}

Any idea what needs to be done to make it work?

Thanks,
Stefan
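
An added example, not part of the thread above and not the framework's code, to show how a step definition is selected: Cucumber matches the step text without its Gherkin keyword, so an @Given definition also serves And steps, and what decides the match is the regular expression. The capture group (\s+) quoted above matches whitespace only, so a step carrying a user name does not match it, while (\S+) does. The class name StepMatcherDemo, the sample step line and the e-mail address in it are constructed for the example.

```java
import java.util.List;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not framework code): a minimal model of step-definition lookup.
 * The keyword (Given/When/Then/And/But) is stripped and only the remaining text is
 * matched, in full, against each definition's regular expression.
 */
public final class StepMatcherDemo {
    /** One step definition: a regex plus a label so we can see which one matched. */
    static final class StepDefinition {
        final String label;
        final Pattern pattern;
        StepDefinition(String label, String regex) {
            this.label = label;
            this.pattern = Pattern.compile(regex);
        }
    }

    private static final Pattern KEYWORD = Pattern.compile("^(Given|When|Then|And|But)\\s+");

    /** "And the username x" and "Given the username x" yield the same step text. */
    static String stepText(String line) {
        return KEYWORD.matcher(line.trim()).replaceFirst("");
    }

    /** First definition whose regex matches the whole step text, with its captured argument. */
    static Optional<String> match(List<StepDefinition> definitions, String line) {
        String text = stepText(line);
        for (StepDefinition def : definitions) {
            Matcher m = def.pattern.matcher(text);
            if (m.matches()) {
                String arg = m.groupCount() > 0 ? m.group(1) : "";
                return Optional.of(def.label + " <- '" + arg + "'");
            }
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Pattern exactly as quoted in the issue: (\s+) can only capture whitespace.
        StepDefinition asPosted = new StepDefinition("username(\\s+)", "^the username (\\s+)$");
        // Same step with a non-whitespace capture group (hypothetical corrected form).
        StepDefinition nonWhitespace = new StepDefinition("username(\\S+)", "^the username (\\S+)$");

        String andStep = "And the username jack@example.com";     // constructed sample step
        String givenStep = "Given the username jack@example.com"; // same text, other keyword

        System.out.println("as posted, And step:   " + match(List.of(asPosted), andStep));
        System.out.println("\\S+ group, And step:   " + match(List.of(nonWhitespace), andStep));
        System.out.println("\\S+ group, Given step: " + match(List.of(nonWhitespace), givenStep));
    }
}
```

Running it shows the posted pattern producing no match for the And step and the (\S+) pattern matching both the And and the Given form with the same captured value, which is the behaviour to check against the framework's step definitions when a step is reported as skipped or undefined.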

Remove execute permissions from files in repo

A lot of files have execute permission when pulled from github. A few suggestions to fix (via bash).

find . -type f -executable -regextype posix-extended -iregex '.+\.(java|jar|xml|js|ftl|css|properties|jpg|jpeg|png|gif|sample|story|txt|md)$' -exec chmod -x {} +

find . -type f -name '.DS_Store' -delete

After the clean-up, this more or less looks like the set of things that need to be executable.

find . -type f -executable
./console.sh
./drivers/chromedriver-linux32
./drivers/chromedriver-linux64
./drivers/chromedriver-mac
./drivers/chromedriver.exe
./runconfig.sh
./runscenario.sh
./runstory.sh
./zap/zap.sh

net.continuumsecurity.proxy.ProxyException: org.zaproxy.clientapi.core.ClientApiException: N''existe pas (does_not_exist) : Default Context

Hello, I changed the baseUrl to access my application http://localhost://Forum/ and then tried to run basic ZAP scanning with the command below:
./runstory.sh app_scan
but an error is shown in the jBehave report:

Scenario: Navigate and spider the application and find vulnerabilities through passive scanning
Meta:
@pre navigate
Given a new browser or client instance
And a new scanning session
And the passive scanner is enabled
And the page flow described in the method: navigate is run through the proxy
And the URL regular expressions listed in the file:
tables/exclude_urls.table
are excluded from the spider
And the spider is configured for a maximum depth of 10
And the spider is configured for 1000 maximum children
And the spider is configured for 10 concurrent threads
And the following URLs are spidered:
url
baseUrl
(FAILED)
net.continuumsecurity.proxy.ProxyException: org.zaproxy.clientapi.core.ClientApiException: N''existe pas (does_not_exist) : Default Context
And the spider status reaches 100% complete (NOT PERFORMED)
And the following false positives are removed:
tables/zap.false_positives.table
(NOT PERFORMED)
And the XML report is written to the file passive.xml (NOT PERFORMED)
Then no Medium or higher risk vulnerabilities should be present (NOT PERFORMED)

net.continuumsecurity.proxy.ProxyException: org.zaproxy.clientapi.core.ClientApiException: N''existe pas (does_not_exist) : Default Context
at net.continuumsecurity.proxy.ZAProxyScanner.spider(ZAProxyScanner.java:322)
at net.continuumsecurity.steps.AppScanningSteps.spider(AppScanningSteps.java:145)
at net.continuumsecurity.steps.AppScanningSteps.spiderUrls(AppScanningSteps.java:117)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.jbehave.core.steps.StepCreator$ParameterisedStep.perform(StepCreator.java:569)
at org.jbehave.core.embedder.StoryRunner$FineSoFar.run(StoryRunner.java:533)
at org.jbehave.core.embedder.StoryRunner.runStepsWhileKeepingState(StoryRunner.java:513)
at org.jbehave.core.embedder.StoryRunner.runScenarioSteps(StoryRunner.java:477)
at org.jbehave.core.embedder.StoryRunner.runCancellable(StoryRunner.java:308)
at org.jbehave.core.embedder.StoryRunner.run(StoryRunner.java:220)
at org.jbehave.core.embedder.StoryRunner.runGivenStories(StoryRunner.java:393)
at org.jbehave.core.embedder.StoryRunner.runCancellable(StoryRunner.java:272)
at org.jbehave.core.embedder.StoryRunner.run(StoryRunner.java:220)
at org.jbehave.core.embedder.StoryRunner.run(StoryRunner.java:181)
at org.jbehave.core.embedder.StoryManager$EnqueuedStory.call(StoryManager.java:235)
at org.jbehave.core.embedder.StoryManager$EnqueuedStory.call(StoryManager.java:207)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.zaproxy.clientapi.core.ClientApiException: N''existe pas (does_not_exist) : Default Context
at org.zaproxy.clientapi.core.ApiResponseFactory.getResponse(Unknown Source)
at org.zaproxy.clientapi.core.ClientApi.callApi(Unknown Source)
at org.zaproxy.clientapi.gen.Spider.scan(Unknown Source)
at net.continuumsecurity.proxy.ZAProxyScanner.spider(ZAProxyScanner.java:319)
... 22 more

Read Time Out

Lately I noticed the following error when bdd-security is running especially against a huge app/site

10802624 [ZAP-ActiveScanner-1] WARN org.zaproxy.zap.extension.ascanrules.TestPathTraversal - Error scanning parameters for Path Traversal: Read timed out
[java] java.net.SocketTimeoutException: Read timed out
[java] at java.net.SocketInputStream.socketRead0(Native Method)
[java] at java.net.SocketInputStream.read(SocketInputStream.java:152)
[java] at java.net.SocketInputStream.read(SocketInputStream.java:122)
[java] at java.io.BufferedInputStream.fill(BufferedInputStream.java:235)
[java] at java.io.BufferedInputStream.read(BufferedInputStream.java:254)
[java] at org.apache.commons.httpclient.HttpParser.readRawLine(HttpParser.java:78)
[java] at org.apache.commons.httpclient.HttpParser.readLine(HttpParser.java:106)
[java] at org.apache.commons.httpclient.HttpConnection.readLine(HttpConnection.java:1116)
[java] at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.readLine(MultiThreadedHttpConnectionManager.java:1413)
[java] at org.apache.commons.httpclient.HttpMethodBase.readStatusLine(Unknown Source)
[java] at org.zaproxy.zap.ZapGetMethod.readResponse(Unknown Source)
[java] at org.apache.commons.httpclient.HttpMethodBase.execute(Unknown Source)
[java] at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(Unknown Source)
[java] at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(Unknown Source)
[java] at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
[java] at org.parosproxy.paros.network.HttpSender.executeMethod(Unknown Source)
[java] at org.parosproxy.paros.network.HttpSender.runMethod(Unknown Source)
[java] at org.parosproxy.paros.network.HttpSender.send(Unknown Source)
[java] at org.parosproxy.paros.network.HttpSender.sendAuthenticated(Unknown Source)
[java] at org.parosproxy.paros.network.HttpSender.sendAndReceive(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(Unknown Source)
[java] at org.zaproxy.zap.extension.ascanrules.TestPathTraversal.scan(TestPathTraversal.java:323)
[java] at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scan(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scanVariant(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scan(Unknown Source)
[java] at org.parosproxy.paros.core.scanner.AbstractPlugin.run(Unknown Source)
[java] at java.lang.Thread.run(Thread.java:745)

Embedded proxy ZAP with chrome driver

I have this error when I'm trying to use ZAP scan

6385 [ZAP-daemon] INFO org.zaproxy.zap.control.ExtensionFactory  - Loading extensions
     [java] Dec 09, 2015 3:38:57 AM net.continuumsecurity.Config getProxyHost
     [java] WARNING: Error starting embedded ZAP
     [java] java.lang.RuntimeException: Unable to connect to ZAP's proxy after 15000 milliseconds.
     [java]     at net.continuumsecurity.scanner.ZapManager.waitForSuccessfulConnectionToZap(ZapManager.java:98)
     [java]     at net.continuumsecurity.scanner.ZapManager.startZAP(ZapManager.java:62)
     [java]     at net.continuumsecurity.Config.getProxyHost(Config.java:193)
     [java]     at net.continuumsecurity.web.drivers.DriverFactory.createProxyCapabilities(DriverFactory.java:164)
     [java]     at net.continuumsecurity.web.drivers.DriverFactory.createProxyDriver(DriverFactory.java:119)
     [java]     at net.continuumsecurity.web.drivers.DriverFactory.findOrCreate(DriverFactory.java:95)
     [java]     at net.continuumsecurity.web.drivers.DriverFactory.getDriver(DriverFactory.java:64)
     [java]     at net.continuumsecurity.web.drivers.DriverFactory.getProxyDriver(DriverFactory.java:54)
     [java]     at net.continuumsecurity.web.WebApplication.enableHttpLoggingClient(WebApplication.java:92)
     [java]     at net.continuumsecurity.steps.WebApplicationSteps.enableLoggingDriver(WebApplicationSteps.java:239)
     [java]     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     [java]     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
     [java]     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
     [java]     at java.lang.reflect.Method.invoke(Method.java:497)
     [java]     at org.jbehave.core.steps.StepCreator$ParameterisedStep.perform(StepCreator.java:569)
     [java]     at org.jbehave.core.embedder.StoryRunner$FineSoFar.run(StoryRunner.java:533)
     [java]     at org.jbehave.core.embedder.StoryRunner.runStepsWhileKeepingState(StoryRunner.java:513)
     [java]     at org.jbehave.core.embedder.StoryRunner.runScenarioSteps(StoryRunner.java:477)
     [java]     at org.jbehave.core.embedder.StoryRunner.runCancellable(StoryRunner.java:308)
     [java]     at org.jbehave.core.embedder.StoryRunner.run(StoryRunner.java:220)
     [java]     at org.jbehave.core.embedder.StoryRunner.run(StoryRunner.java:181)
     [java]     at org.jbehave.core.embedder.StoryManager$EnqueuedStory.call(StoryManager.java:235)
     [java]     at org.jbehave.core.embedder.StoryManager$EnqueuedStory.call(StoryManager.java:207)
     [java]     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
     [java]     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
     [java]     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
     [java]     at java.lang.Thread.run(Thread.java:745)
     [java] Dec 09, 2015 3:38:57 AM net.continuumsecurity.scanner.ZapManager startZAP
     [java] INFO: ZAP already started.
     [java] Dec 09, 2015 3:38:57 AM net.continuumsecurity.Config getDefaultDriverPath
     [java] INFO: No path to the defaultDriver specified in config.xml, using auto-detection.
     [java] Dec 09, 2015 3:38:57 AM net.continuumsecurity.Config getDefaultDriverPath
     [java] INFO: Using driver at: drivers\chromedriver.exe
     [java] Starting ChromeDriver 2.20.353145 (343b531d31eeb933ec778dbcf7081628a1396067) on port 1694
     [java] Only local connections are allowed.

HTTP Headers Scenario

@continuumsecurity
Http_header kept failing even though my application has all security headers configured.

java.lang.RuntimeException: No HTTP requests-responses recorded at net.continuumsecurity.steps.WebApplicationSteps.recordFirstHarEntry(WebApplicationSteps.java:513) at net.continuumsecurity.steps.WebApplicationSteps.accessSecureBaseUrlAndRecordHTTPResponse(WebApplicationSteps.java:543) at ✽.When the following URLs are visited and their HTTP responses recorded(http_headers.feature:7)

Given a new browser or client instance......................................passed
When the following URLs are visited and their HTTP responses recorded.......failed
Then the X-Frame-Options header is either SAMEORIGIN or DENY................skipped
