Skip to content
Custom DAST Scans

[3.0.34] Fix backend and fronted bugs #349

Sign in to view logs

[3.0.34] Fix backend and fronted bugs

[3.0.34] Fix backend and fronted bugs #349

Workflow file for this run

.github/workflows/kali_tools_scans.yml at 208a343
name: Custom DAST Scans
on:
push:
branches:
- master
- main
jobs:
scans:
runs-on: ubuntu-latest
steps:
#
# UPDATE AND INSTALL
#
- uses: actions/checkout@v2
- name: update and install
run: |
#
# UPDATE
#
sudo apt update -y
sudo apt upgrade -y
#
# INSTALL KALI TOOLS
#
sudo apt install -y dirb nikto whatweb zip wapiti
#
# INSTALL SKIPFISH
#
wget http://apt.nuxeo.org/nuxeo.key -O - | sudo apt-key add
sudo add-apt-repository "deb http://apt.nuxeo.org/ bionic releases"
sudo add-apt-repository "deb http://apt.nuxeo.org/ bionic fasttracks"
sudo apt install wget libc6 libpcre3 zlib1g debconf perl-base -y
wget -O libidn11.deb http://ubuntu.cs.utah.edu/ubuntu/pool/main/libi/libidn/libidn11_1.33-2.1ubuntu1_amd64.deb
wget -O debconf.deb http://archive.ubuntu.com/ubuntu/pool/main/d/debconf/debconf_1.5.66_all.deb
wget -O libssl.deb http://archive.ubuntu.com/ubuntu/pool/main/o/openssl1.0/libssl1.0.0_1.0.2n-1ubuntu5_amd64.deb
wget -O skipfish.deb http://archive.ubuntu.com/ubuntu/pool/universe/s/skipfish/skipfish_2.10b-1.1_amd64.deb
sudo dpkg -i debconf.deb
sudo dpkg -i libidn11.deb
sudo dpkg -i libssl.deb
sudo dpkg -i skipfish.deb
- name: Setup Python 3.11
uses: actions/setup-python@v2
with:
python-version: 3.11
#
# LAUNCH SERVICE
#
- name: Launch WebScripts
run: |
mkdir WebScripts/hardening
echo "{}" > WebScripts/hardening/logs_checks.json
echo "{}" > WebScripts/hardening/uploads_file_integrity.json
echo "{}" > WebScripts/hardening/webscripts_file_integrity.json
echo "{}" > WebScripts/hardening/audit.html
echo "{}" > WebScripts/hardening/audit.txt
echo "{}" > WebScripts/hardening/audit.json
python3.11 -c "import json as j,os;f=os.path.join('WebScripts','config','server.json');d=j.load(open(f));d['server']['force_file_permissions']=False;j.dump(d,open(f,'w'))"
python3.11 -c "import os;f=os.path.join('WebScripts','WebScripts.py');d=open(f).read().replace('force_file_permissions = secure','force_file_permissions=False');open(f,'w').write(d)"
python3.11 -m WebScripts --accept-unauthenticated-user --accept-unknow-user --blacklist-time 0 --auth-failures-to-blacklist 99999 &>output.txt &
sleep 15
#
# LAUNCH SCANS
#
- name: dirb scan
run: |
dirb http://127.0.0.1:8000/ -u Admin:Admin -o dirb.txt
- name: nikto scan
run: |
nikto -o nikto.html -Format html -Tuning x -evasion 12345678AB -id Admin:Admin -Display V -C all -h http://127.0.0.1:8000/web/auth/
- name: whatweb scan
run: |
whatweb -u Admin:Admin -v -a 4 http://127.0.0.1:8000/ --log-json=whatweb.json
- name: skipfish scan
run: |
skipfish -v -u -H Api-Key=AdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdminAdmin -o skipfish http://127.0.0.1:8000/
zip -r skipfish.zip skipfish
- name: wapiti scan
run: |
wapiti --update
wapiti -u http://127.0.0.1:8000/ -m all -a Admin%Admin --auth-type basic -S insane -f html -o wapiti
- name: WebScripts logs
run: |
tar -czvf logs.tar.gz logs/
#
# UPLOAD REPORTS
#
- name: nikto uploads
uses: actions/upload-artifact@v1
with:
name: nikto_report
path: nikto.html
- name: skipfish uploads
uses: actions/upload-artifact@v1
with:
name: skipfish_report
path: skipfish/
- name: wapiti uploads
uses: actions/upload-artifact@v1
with:
name: wapiti_report
path: wapiti
- name: whatweb uploads
uses: actions/upload-artifact@v1
with:
name: whatweb_report
path: whatweb.json
- name: dirb uploads
uses: actions/upload-artifact@v1
with:
name: dirb_report
path: dirb.txt
- name: WebScripts logs uploads
uses: actions/upload-artifact@v1
with:
name: webscripts_logs
path: logs/
- name: WebScripts output uploads
uses: actions/upload-artifact@v1
with:
name: webscripts_output
path: output.txt