-
Notifications
You must be signed in to change notification settings - Fork 655
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #5169 from nanasess/automated-penetration-testing-…
…vulnerability OWASP ZAP のアクティブスキャンを自動化する試み
- Loading branch information
Showing
16 changed files
with
4,493 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,52 @@ | ||
| name: Penetration testing for EC-CUBE | ||
| on: | ||
| schedule: | ||
| - cron: '0 15 * * 1' | ||
|
|
||
| jobs: | ||
| PenetrationTest: | ||
| name: Penetration testing | ||
| runs-on: ${{ matrix.operating-system }} | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| operating-system: [ ubuntu-18.04 ] | ||
| group: | ||
| - 'test/front_login/contact.test.ts' | ||
| - 'test/front_guest/contact.test.ts' | ||
| - 'test/admin/order_mail.test.ts' | ||
|
|
||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v2 | ||
|
|
||
| - name: Setup to EC-CUBE | ||
| run: | | ||
| sudo chown -R 1001:1000 zap | ||
| sudo chmod -R g+w zap | ||
| docker-compose -f docker-compose.yml -f docker-compose.pgsql.yml -f docker-compose.dev.yml -f docker-compose.owaspzap.yml -f docker-compose.owaspzap.daemon.yml up -d | ||
| docker-compose -f docker-compose.yml -f docker-compose.pgsql.yml -f docker-compose.dev.yml -f docker-compose.owaspzap.yml -f docker-compose.owaspzap.daemon.yml exec -T ec-cube bin/console doctrine:schema:create --env=dev | ||
| docker-compose -f docker-compose.yml -f docker-compose.pgsql.yml -f docker-compose.dev.yml -f docker-compose.owaspzap.yml -f docker-compose.owaspzap.daemon.yml exec -T ec-cube bin/console eccube:fixtures:load --env=dev | ||
| docker-compose -f docker-compose.yml -f docker-compose.pgsql.yml -f docker-compose.dev.yml -f docker-compose.owaspzap.yml -f docker-compose.owaspzap.daemon.yml exec -T ec-cube bin/console eccube:fixtures:generate --products=5 --customers=1 --orders=5 | ||
| docker-compose -f docker-compose.yml -f docker-compose.pgsql.yml -f docker-compose.dev.yml -f docker-compose.owaspzap.yml -f docker-compose.owaspzap.daemon.yml exec -T ec-cube bin/console doctrine:query:sql "UPDATE dtb_customer SET email = 'zap_user@example.com' WHERE id = 1;" | ||
| sed -i 's!APP_ENV: "dev"!APP_ENV: "prod"!g' docker-compose.yml | ||
| docker-compose -f docker-compose.yml -f docker-compose.pgsql.yml -f docker-compose.dev.yml -f docker-compose.owaspzap.yml -f docker-compose.owaspzap.daemon.yml up -d ec-cube | ||
| - name: yarn install | ||
| working-directory: zap/selenium/ci/TypeScript | ||
| run: yarn install | ||
| - name: Penetration testing | ||
| working-directory: zap/selenium/ci/TypeScript | ||
| env: | ||
| GROUP: ${{ matrix.group }} | ||
| run: yarn jest ${GROUP} | ||
| - env: | ||
| GROUP: ${{ matrix.group }} | ||
| if: always() | ||
| run: echo "ARTIFACT_NAME=$(echo ${GROUP} | sed 's,/,-,g')" >> $GITHUB_ENV | ||
| - name: Upload evidence | ||
| if: always() | ||
| uses: actions/upload-artifact@v2 | ||
| with: | ||
| name: zap-${{ env.ARTIFACT_NAME }}-session | ||
| path: zap/sessions |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| version: "3" | ||
|
|
||
| services: | ||
| zap: | ||
| command: bash -c "zap.sh -daemon -addonupdate -addoninstall help_ja_JP -addoninstall wappalyzer -addoninstall sequence -addonuninstall hud -configfile /zap/wrk/options.properties -certpubdump /zap/wrk/owasp_zap_root_ca.cer -host 0.0.0.0 -port 8090 -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,2 +1,3 @@ | ||
| /owasp_zap_root_ca.cer | ||
| /sessions | ||
| !/sessions/.gitkeep |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| ; Unix-style newlines | ||
| [*] | ||
| charset = utf-8 | ||
| end_of_line = LF | ||
| insert_final_newline = true | ||
| trim_trailing_whitespace = true | ||
| indent_style = space | ||
| indent_size = 2 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| module.exports = { | ||
| presets: [ | ||
| ['@babel/preset-env', {targets: {node: 'current'}}], | ||
| '@babel/preset-typescript' | ||
| ], | ||
| }; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| { | ||
| "name": "TypeScript", | ||
| "version": "1.0.0", | ||
| "main": "index.js", | ||
| "license": "MIT", | ||
| "devDependencies": { | ||
| "@babel/core": "^7.15.5", | ||
| "@babel/preset-env": "^7.15.4", | ||
| "@babel/preset-typescript": "^7.15.0", | ||
| "@types/jest": "^27.0.1", | ||
| "@types/request-promise-native": "^1.0.18", | ||
| "@types/selenium-webdriver": "^4.0.15", | ||
| "babel-jest": "^27.1.0", | ||
| "jest": "^27.1.0", | ||
| "selenium-webdriver": "^4.0.0-rc-1", | ||
| "ts-jest": "^27.0.5", | ||
| "typescript": "^4.4.2", | ||
| "zaproxy": "^1.0.1" | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,80 @@ | ||
| import { Builder, By, until } from 'selenium-webdriver' | ||
| import { ZapClient, Mode, ContextType, Risk } from '../../utils/ZapClient'; | ||
| import { intervalRepeater } from '../../utils/Progress'; | ||
| import { SeleniumCapabilities } from '../../utils/SeleniumCapabilities'; | ||
| const zapClient = new ZapClient('http://127.0.0.1:8090'); | ||
|
|
||
| jest.setTimeout(6000000); | ||
|
|
||
| const baseURL = 'https://ec-cube/admin'; | ||
| const url = baseURL + '/order/4/mail'; | ||
|
|
||
| beforeAll(async () => { | ||
| await zapClient.setMode(Mode.Protect); | ||
| await zapClient.newSession('/zap/wrk/sessions/admin_order_mail', true); | ||
| await zapClient.importContext(ContextType.Admin); | ||
|
|
||
| if (!await zapClient.isForcedUserModeEnabled()) { | ||
| await zapClient.setForcedUserModeEnabled(); | ||
| expect(await zapClient.isForcedUserModeEnabled()).toBeTruthy(); | ||
| } | ||
| }); | ||
|
|
||
| test('受注管理>メール通知 - GET', async () => { | ||
| const driver = await new Builder() | ||
| .withCapabilities(SeleniumCapabilities) | ||
| .build(); | ||
|
|
||
| try { | ||
| await driver.get(url); | ||
| const title = await driver.wait( | ||
| until.elementLocated(By.className('c-pageTitle__title')) | ||
| , 10000).getText(); | ||
| expect(title).toBe('メール通知'); | ||
|
|
||
| const scanId = await zapClient.activeScanAsUser(url, 2, 55, false, null, 'GET'); | ||
|
|
||
| await intervalRepeater(async () => await zapClient.getActiveScanStatus(scanId), 5000); | ||
|
|
||
| await zapClient.getAlerts(url, 0, 1, Risk.High) | ||
| .then(alerts => alerts.forEach((alert: any) => { | ||
| throw new Error(alert.name); | ||
| })); | ||
| } finally { | ||
| driver && await driver.quit() | ||
| } | ||
| }); | ||
|
|
||
| test('受注管理>メール通知(確認ページ) - POST', async () => { | ||
| const driver = await new Builder() | ||
| .withCapabilities(SeleniumCapabilities) | ||
| .build(); | ||
|
|
||
| try { | ||
| await driver.get(url); | ||
| const title = await driver.wait( | ||
| until.elementLocated(By.className('c-pageTitle__title')) | ||
| , 10000).getText(); | ||
| expect(title).toBe('メール通知'); | ||
|
|
||
| await driver.findElement(By.xpath('//*[@id="template-change"]/option[2]')).click(); | ||
| const subject = await driver.wait( | ||
| until.elementLocated(By.xpath('//*[@id="admin_order_mail_mail_subject"]')) | ||
| , 10000).getAttribute('value'); | ||
| expect(subject).toBe('ご注文ありがとうございます'); | ||
|
|
||
| await driver.findElement(By.xpath('//*[@id="order-mail-form"]/div[2]/div/div/div[2]/div/div/button')).click(); | ||
|
|
||
| const message = await zapClient.getLastMessage(url); | ||
| const scanId = await zapClient.activeScanAsUser(url, 2, 55, false, null, 'POST', message.requestBody); | ||
|
|
||
| await intervalRepeater(async () => await zapClient.getActiveScanStatus(scanId), 5000); | ||
|
|
||
| await zapClient.getAlerts(url, 0, 1, Risk.High) | ||
| .then(alerts => alerts.forEach((alert: any) => { | ||
| throw new Error(alert.name); | ||
| })); | ||
| } finally { | ||
| driver && await driver.quit() | ||
| } | ||
| }); |
Oops, something went wrong.