@wickett
Last active June 23, 2020 08:00
Instructions for Velocity EU 2013 Workshop "Be Mean to Your Code with Gauntlt and the Rugged Way"

Be Mean to Your Code with Gauntlt and the Rugged Way - Velocity EU 2013 Workshop

Setup

There are two options for working through the workshop. The recommended way is to use the VirtualBox image, since it comes with a couple of security tools (arachni, nmap, ...) that we will be using. It is not required though: you can just clone the repo if you have Ruby 1.9.3 and Bundler.

If you want to use the Vagrant box setup for the workshop, please follow the instructions in 02_Using Vagrant Box.md; if you want to use your own box, follow the directions in 03_Using Repo Only.md.

This has been tested to work on Linux and OS X.

Using the Vagrant Box

Download gauntlt-velocity.box (~700MB)

wget http://bit.ly/velocity-gauntlt

Install Vagrant

http://downloads.vagrantup.com/

Set up a working directory

mkdir ~/velocity
cd ~/velocity
vagrant box add velocity /path/where/you/downloaded/gauntlt-velocity.box
vagrant init velocity

Edit the Vagrantfile and add this line

config.vm.network :forwarded_port, guest: 3000, host: 3000

Start up the box

vagrant up
vagrant ssh

You should be greeted with vagrant@precise32:~$ if it all worked ok.

Initialize

Make sure the repo is up-to-date

vagrant@precise32:~$ cd gauntlt-demo
vagrant@precise32:~/gauntlt-demo$ git pull
vagrant@precise32:~/gauntlt-demo$ rvm use 1.9.3
vagrant@precise32:~/gauntlt-demo$ bundle install

Using the Repo Only

Initialize your box

$ git clone https://github.com/gauntlt/gauntlt-demo
$ cd ./gauntlt-demo
$ git submodule update --init --recursive
$ bundle

Hello World

From the gauntlt-demo directory, run the following

$ bundle exec gauntlt ./examples/hello_world/hello_world.attack

If all succeeded, you should see the resulting output

@final
Feature: hello world with gauntlt using the generic command line attack

  Scenario:                                # ./examples/hello_world/hello_world.attack:3
    When I launch a "generic" attack with: # gauntlt-1.0.6/lib/gauntlt/attack_adapters/generic.rb:1
      """
      cat /etc/passwd
      """
    Then the output should contain:        # aruba-0.5.3/lib/aruba/cucumber.rb:113
      """
      root
      """

1 scenario (1 passed)
2 steps (2 passed)
0m0.175s

Notice how we used Feature and Scenario here. We could have created a Background if we had any setup steps that needed to be run before each Scenario.

Start up the Railsgoat target

The gauntlt-demo repo adds Railsgoat as a target for you to test against. Railsgoat is a vulnerable web application provided by OWASP and @cktricky. Please use caution when running a vulnerable web application like Railsgoat: turn on your firewall and make sure you don't have port 3000 open in it.

Start Railsgoat

$ cd vendor/railsgoat
$ bundle install --binstubs
$ rake db:setup
$ rake server:start

You should be able to point your browser at http://localhost:3000 and see railsgoat running.

At the end of the workshop, you can go back to vendor/railsgoat and run $ rake server:stop to stop railsgoat.

Port checking with nmap

Gauntlt supports nmap. Let's write a really simple port check attack.

To get started, go to examples/port_check and open up challenge_port-check.attack. Besides using Background, there is one new concept in this challenge: we use And the following profile:, which is the same as saying Given the following profile:.

Profiles

Gauntlt uses profiles in setup steps to pass values to the subsequent steps. A profile table must start with the header line | name | value |, but after that you can assign names and values as you see fit. Once we work with attack aliases we will see why that matters.

Try the challenge

Edit the challenge_port-check.attack and try to test to see if port 3000 is open. You can run $ bundle exec gauntlt challenge_port-check.attack to see if your solution works. Check the README.md in examples/port_check for hints.

Solution

The answer is in final_port-check.attack and you can compare it to your solution. Run $ bundle exec gauntlt final_port-check.attack and you should see the following output:

@final @slow
Feature: check to make sure the right ports are open on our server

  Background:                  # port_check/final_port-check.attack:4
    Given "nmap" is installed  # gauntlt-1.0.6/lib/gauntlt/attack_adapters/nmap.rb:4
    And the following profile: # gauntlt-1.0.6/lib/gauntlt/attack_adapters/gauntlt.rb:9
      | name | value     |
      | host | localhost |

  Scenario: Verify server is open on expected ports # port_check/final_port-check.attack:10
    When I launch an "nmap" attack with:            # gauntlt-1.0.6/lib/gauntlt/attack_adapters/nmap.rb:8
      """
      nmap -F <host>
      """
    Then the output should contain:                 # aruba-0.5.3/lib/aruba/cucumber.rb:113
      """
      3000
      """

1 scenario (1 passed)
4 steps (4 passed)

Working with the Gauntlt CLI

As you may have noticed in the port_check example, gauntlt comes with pre-packaged steps for you to use and doesn't let you create new ones (though that may change in the future). To work with gauntlt, you need to know which attack steps are available to you.

Run each of these commands

$ bundle exec gauntlt --help
$ bundle exec gauntlt --allsteps
$ bundle exec gauntlt --steps
$ bundle exec gauntlt --list

We will be doing a regex example next, so make sure you look through the output of --allsteps to be familiar with it.

Regex with Gauntlt

Challenge

This is not really a networking problem, but we thought this would be a good place to look at regex and output parsing with gauntlt. One popular network scanning tool, nmap, pads its output with spaces, which can make it difficult to parse the output reliably. Start with challenge_regex.attack and customize it so that you parse the output using a regex.

Try the challenge

Start with the README.md in examples/regex and check the hints section.

Solution

Check final_regex.attack for a working solution.

Run $ bundle exec gauntlt final_regex.attack and you should get the below output:

@final @slow
Feature: check to make sure the right ports are open on our server

  Background:                  # final_regex.attack:4
    Given "nmap" is installed  # gauntlt-1.0.6/lib/gauntlt/attack_adapters/nmap.rb:4
    And the following profile: # gauntlt-1.0.6/lib/gauntlt/attack_adapters/gauntlt.rb:9
      | name | value     |
      | host | localhost |

  Scenario: Verify server is open on expected ports    # final_regex.attack:10
    When I launch an "nmap" attack with:               # gauntlt-1.0.6/lib/gauntlt/attack_adapters/nmap.rb:8
      """
      nmap -F <host>
      """
    Then the output should match:                      # aruba-0.5.3/lib/aruba/cucumber.rb:141
      """
      3000\/tcp\s+open
      """
    Then the output should not match /3001.tcp\s+open/ # aruba-0.5.3/lib/aruba/cucumber.rb:146

1 scenario (1 passed)
5 steps (5 passed)
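The two ideas behind the port_check and regex solutions above, as an added example that is not part of the workshop repo or gauntlt itself: how a profile table feeds `<name>` placeholders in the attack command, and why anchoring on `/tcp\s+open` is safer than a bare `3000` against nmap's space-padded output. The nmap output and the helper names (parse_profile, render_command, port_open?) are constructed for this example.

```ruby
# Added example (not from the workshop repo or gauntlt): profile substitution
# plus regex checks on padded nmap output. All sample data here is constructed.

# Parse a gauntlt-style profile table ("| name | value |" header first) into a hash.
def parse_profile(table)
  rows = table.lines.map(&:strip).reject(&:empty?).map do |line|
    line.delete_prefix('|').delete_suffix('|').split('|').map(&:strip)
  end
  header, *body = rows
  raise ArgumentError, 'profile must start with | name | value |' unless header == %w[name value]
  body.to_h { |name, value| [name, value] }
end

# Substitute every <name> placeholder in an attack command with its profile value;
# a placeholder with no profile entry is an error, as gauntlt reports it.
def render_command(command, profile)
  command.gsub(/<(\w+)>/) do
    profile.fetch($1) { raise KeyError, "profile is missing <#{$1}>" }
  end
end

# Constructed "nmap -F" output: note the variable padding between columns.
NMAP_OUTPUT = <<~OUT
  Starting Nmap 6.40 ( http://nmap.org )
  Nmap scan report for localhost (127.0.0.1)
  PORT     STATE  SERVICE
  22/tcp   open   ssh
  3000/tcp open   ppp
  3001/tcp closed unknown
OUT

# "Then the output should contain: 3000" is satisfied by any "3000" in the text,
# even a closed port or "13000". Anchoring on line start, "/tcp" and the state
# (with \s+ absorbing the padding) only accepts an open port with that number.
def port_open?(output, port)
  output.match?(/^#{port}\/tcp\s+open/)
end

PROFILE = parse_profile(<<~TABLE)
  | name | value     |
  | host | localhost |
TABLE

if __FILE__ == $PROGRAM_NAME
  puts render_command('nmap -F <host>', PROFILE)  # nmap -F localhost
  puts port_open?(NMAP_OUTPUT, 3000)              # true
  puts port_open?(NMAP_OUTPUT, 3001)              # false
end
```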

Garmr and Web Security Policies

Install

If you are using the Vagrant box provided, you should be all set. If you need to install Garmr for your OS, please check vendor/Garmr/README.md to see how to install it. Also, the README.md in examples/garmr has some tips for installing on Ubuntu.

Challenge

Garmr is a tool built by Mozilla that checks web pages against their security requirements. Some of the things it detects are trivial and some are more important. Since we are using this tool against vulnerable web applications and servers, we aren't going to require that it passes all tests. In your environment you can assess what counts as a failure or a pass. This is one of the nice features of gauntlt: you get to decide what is good or bad on a per-application basis.

The challenge is to run garmr and parse the output.

Start with examples/garmr/challenge_garmr.attack

Solution

@final @slow
Feature: Run a Garmr scan on a single URL

  Scenario: Use Garmr to scan a website for basic security requirements # ./examples/garmr/final_garmr.attack:4
    Given "garmr" is installed                                          # gauntlt-1.0.6/lib/gauntlt/attack_adapters/garmr.rb:1
    And the following profile:                                          # gauntlt-1.0.6/lib/gauntlt/attack_adapters/gauntlt.rb:9
      | name       | value                 |
      | target_url | http://localhost:3000 |
    When I launch a "garmr" attack with:                                # gauntlt-1.0.6/lib/gauntlt/attack_adapters/garmr.rb:5
      """
      garmr -u <target_url> -o my_garmr_output.xml
      """
    Then it should pass with:                                           # aruba-0.5.3/lib/aruba/cucumber.rb:162
      """
      [Garmr.corechecks.WebTouch] Pass The request returned an HTTP 200 response
      """
    And the file "my_garmr_output.xml" should not contain XML:          # gauntlt-1.0.6/lib/gauntlt/attack_adapters/gauntlt.rb:21
      | css                                   |
      | testcase[name="Http200Check"] failure |
    And the file "my_garmr_output.xml" should contain XML:              # gauntlt-1.0.6/lib/gauntlt/attack_adapters/gauntlt.rb:15
      | css                               |
      | testcase[name="InlineJS"] failure |

1 scenario (1 passed)
6 steps (6 passed)
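How the "should contain XML" / "should not contain XML" steps in the solution above turn a Garmr report into a per-application policy, as an added example that is not gauntlt's or Garmr's own code: it uses REXML XPath where the attack file uses CSS selectors. The report XML, the StrictTransportSecurity testcase and the helper names are constructed for this example; only Http200Check and InlineJS come from the attack file.

```ruby
# Added example (not from gauntlt or Garmr): check a JUnit-style XML report for a
# <failure> under a named testcase, then gate on the checks a team chose to require.
# The report below is constructed; it is not real Garmr output.
require 'rexml/document'

REPORT = <<~XML
  <?xml version="1.0"?>
  <testsuite name="Garmr" tests="3" failures="2">
    <testcase name="Http200Check"/>
    <testcase name="InlineJS">
      <failure message="Inline JavaScript found"/>
    </testcase>
    <testcase name="StrictTransportSecurity">
      <failure message="Strict-Transport-Security header missing"/>
    </testcase>
  </testsuite>
XML

# True when the named testcase carries a <failure> child. This mirrors the CSS
# selector testcase[name="..."] failure used by the gauntlt XML steps.
def check_failed?(xml, name)
  doc = REXML::Document.new(xml)
  !REXML::XPath.first(doc, "//testcase[@name='#{name}']/failure").nil?
end

# Per-application policy: the checks that must pass for the attack to succeed.
# Returns the names that failed; an empty array means the gate passes.
def policy_violations(xml, must_pass)
  must_pass.select { |name| check_failed?(xml, name) }
end

if __FILE__ == $PROGRAM_NAME
  # Like the final attack: Http200Check must pass, InlineJS is allowed to fail.
  p policy_violations(REPORT, %w[Http200Check])      # []
  # A stricter policy for a production app would also gate on HSTS.
  p policy_violations(REPORT, %w[Http200Check StrictTransportSecurity])  # ["StrictTransportSecurity"]
end
```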

XSS Testing with Arachni

Installation

Check examples/arachni-xss/README.md for installation instructions and details. Arachni is a Ruby gem and is listed in the Gemfile of the gauntlt-demo repo, so it should have been set up when you ran bundle.

Challenge

Start with the README.md in examples/arachni-xss, then edit examples/arachni-xss/challenge_arachni-xss.attack.

Solution

You should notice that the final solution uses gauntlt attack aliases. For arachni, you can use "arachni-simple_xss" and "arachni-full_xss" in your attack. Currently, gauntlt doesn't expose the list of attack aliases; to see what is available, consult the source.

You should get the following output:

@slow @final
Feature: Look for cross site scripting (xss) using arachni against a URL

  Scenario: Using arachni, look for cross site scripting and verify no issues are found # final_arachni-xss.attack:4
    Given "arachni" is installed                                                        # gauntlt-1.0.6/lib/gauntlt/attack_adapters/arachni.rb:1
    And the following profile:                                                          # gauntlt-1.0.6/lib/gauntlt/attack_adapters/gauntlt.rb:9
      | name | value                 |
      | url  | http://localhost:3000 |
    When I launch an "arachni" attack with:                                             # gauntlt-1.0.6/lib/gauntlt/attack_adapters/arachni.rb:5
      """
      arachni --modules=xss --depth=1 --link-count=10 --auto-redundant=2 <url>
      """
    Then the output should contain "0 issues were detected."                            # aruba-0.5.3/lib/aruba/cucumber.rb:97

  Scenario: Using arachni, look for cross site scripting and verify no issues are found # final_arachni-xss.attack:15
    Given "arachni" is installed                                                        # gauntlt-1.0.6/lib/gauntlt/attack_adapters/arachni.rb:1
    And the following profile:                                                          # gauntlt-1.0.6/lib/gauntlt/attack_adapters/gauntlt.rb:9
      | name | value                 |
      | url  | http://localhost:3000 |
Running a arachni-simple_xss attack. This attack has this description:
 This is a scan for cross site scripting (xss) that only runs the base xss module in arachni.  The scan only crawls one level deep which makes it faster.  For more depth, run the gauntlt attack alias 'arachni-simple_xss_with_depth' and specifiy depth.
The arachni-simple_xss attack requires the following to be set in the profile:
 ["<url>"]
    When I launch an "arachni-simple_xss" attack                                        # gauntlt-1.0.6/lib/gauntlt/attack_adapters/arachni.rb:9
    Then the output should contain "0 issues were detected."                            # aruba-0.5.3/lib/aruba/cucumber.rb:97

  Scenario: On the signup page, use arachni to look for cross site scripting and verify no issues are found # final_arachni-xss.attack:23
    Given "arachni" is installed                                                                            # gauntlt-1.0.6/lib/gauntlt/attack_adapters/arachni.rb:1
    And the following profile:                                                                              # gauntlt-1.0.6/lib/gauntlt/attack_adapters/gauntlt.rb:9
      | name | value                        |
      | url  | http://localhost:3000/signup |
Running a arachni-full_xss attack. This attack has this description:
 This is a scan for cross site scripting (xss) that only runs all the xss modules in arachni.  The scan only crawls one level deep, which makes it faster.  For more depth, run the gauntlt attack alias 'arachni-full_xss_with_depth' and specifiy depth.
The arachni-full_xss attack requires the following to be set in the profile:
 ["<url>"]
    When I launch an "arachni-full_xss" attack                                                              # gauntlt-1.0.6/lib/gauntlt/attack_adapters/arachni.rb:9
    Then the output should contain "0 issues were detected."                                                # aruba-0.5.3/lib/aruba/cucumber.rb:97

3 scenarios (3 passed)
12 steps (12 passed)

Inject forms you know about

Installation

Add this to your .bashrc (or .profile).

export SQLMAP_PATH="/path/to/gauntlt-demo/vendor/sqlmap/sqlmap.py"

Challenge

See the challenge in examples/form_injection/README.md

You will need these switches for sqlmap: --batch --forms --dbms sqlite -p email,password

Solution

See examples/form_injection/final_sqlmap-forms.attack

Output to html

bundle exec gauntlt --format html > out.html