purpleteam-labs / purpleteam
CLI component of OWASP PurpleTeam
Home Page: https://owasp.org/www-project-purpleteam
License: Other
Add releases using GitHub but in the changelog format, using np.
After selecting the version to release, np runs the full release and publishes to npm.
np installed globally.
np doesn't allow one to add the latest tag to a pre-release, so next seems the only option. Do this, then:
npm dist-tag add [email protected] latest
Check the files array in package.json to make sure no secrets can be published. Double check what will be published.
From project root dir: np (release and publish to npm)
After selecting the version to release, np runs:
Todo: detail what np runs.
Once published to npm, npm install and check the file contents.
Check the GitHub release Assets archive.
From project root dir: np --no-publish
After selecting the version to release, np runs:
✔ Git
✔ Installing dependencies using npm
✔ Running tests using npm
✔ Bumping version using npm
✔ Pushing tags
✔ Creating release draft on GitHub
Check the GitHub release Assets archive.
From project root dir: np --no-publish --no-tests
Check the GitHub release Assets archive.
The hour produced by NowAsFileName returns 05 when it's 17.
The issue exists in all testers that use the NowAsFileName function.
It should return the time according to local time.
During a Test Run this is executed.
The Date get methods return values based on the local time; the problem is that the timezone is set in the container image (in our case to UTC). If we change it, then we change it for everyone that uses the images.
The following placed into the docker-compose file fixes it for New Zealand, but then it's wrong for everyone else:
environment:
- TZ=Pacific/Auckland
We've decided to leave it as UTC.
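An added example (not purpleteam code) of the time-zone dependency described above: Date getters such as getHours() follow the process TZ, so inside a UTC container 17:00 in Auckland comes out as 05, while formatting the same instant through Intl.DateTimeFormat with an explicit IANA zone leaves the image-wide TZ alone. The function name nowAsFileName, the zone names and the sample instant are assumptions.

```javascript
// Added example, not the project's own NowAsFileName: contrasts a TZ-dependent
// Date getter with an explicit-zone formatter for the same instant.

// Hour as a getter-based file name would produce it; depends on process TZ.
function hourFromGetters(date) {
  return String(date.getHours()).padStart(2, '0');
}

// The IANA zone the current process resolves Date getters against.
function processTimeZone() {
  return Intl.DateTimeFormat().resolvedOptions().timeZone;
}

// Zone-aware variant: format one instant in the requested IANA zone, so the
// container can stay on UTC and a Tester can still name files in local time.
function nowAsFileName(date = new Date(), timeZone = 'UTC') {
  const parts = new Intl.DateTimeFormat('en-US', {
    timeZone,
    year: 'numeric', month: '2-digit', day: '2-digit',
    hour: '2-digit', minute: '2-digit', second: '2-digit',
    hourCycle: 'h23', // avoid 12-hour output and the "24" midnight quirk
  }).formatToParts(date);
  const get = (type) => parts.find((p) => p.type === type).value;
  return `${get('year')}-${get('month')}-${get('day')}_${get('hour')}-${get('minute')}-${get('second')}`;
}

// Constructed instant: 2021-06-15 05:00:00 UTC, which is 17:00 NZST.
const SAMPLE_INSTANT = new Date(Date.UTC(2021, 5, 15, 5, 0, 0));
```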
colorsEnabled is set to true in app-scanner.
Provide the ability for the buildUserConfig Job file to pass through a flag for Testers to check whether colour should be enabled or disabled in Tester reporting.
I wouldn't have to see colour symbols in CLI logs that are written to file.
No CodeQL
Set up CodeQL as a GitHub Action for semantic code analysis across all repos where it makes sense.
Example here: https://github.com/OWASP/NodeGoat/pull/229/files
Find bad coding patterns so that they can be fixed.
This is in the app-scanner. This will probably reduce memory usage as well, which would be great for getting EC2 instance sizes down.
Links to get started:
Will want to put call out for volunteers.
Some original thoughts were:
We have a process that runs anywhere. Do we need integrations with the likes of Github, Gitlab, others?
Integrations
Good question?
That's what this issue is about answering.
Resources that may be helpful:
As part of ci-cd for the CLI, we should test that purpleteam CLI installs and runs correctly as if it was done so from NPM. We can do this using verdaccio:
No integration test for the CLI
Add integration tests that:
Basically we want to be testing things we don't usually test in development, like the actual installation, and verifying that the CLI runs as a Build User would use it.
It would provide confidence that the community can install and run purpleteam without errors
Not sure. Investigate what we need to do to support GraphQL if we don't already
Implement GraphQL support if it doesn't exist.
Not sure, who actually wants this? Anyone?
Secure selenium as much as possible: https://github.com/elgalu/docker-selenium/blob/master/SECURITY.md
cloud and local architecture diagrams
Projects involved:
TextDecoder
cloud
app_scan_steps.js in app-scanner uses explicit waits. We can do better than this. We started changing to implicit in the webDriverFactory.js, but this is currently commented out.
You could probably have a look at this one @ricekot? Get your bearings and propose the change?
All the source files that have a Copyright notice at the top refer to purpleteam as the solution.
Also the last two lines of the Copyright are:
// You should have received a copy of the GNU Affero General Public License
// along with purpleteam. If not, see <https://www.gnu.org/licenses/>.
whereas they should read:
// You should have received a copy of the GNU Affero General Public License
// along with this PurpleTeam project. If not, see <https://www.gnu.org/licenses/>.
This affects most/all public PurpleTeam projects.
Mentioned by Nicholas Tolstoshev on #project-zap of OWASP Slack
Mentioned by @ricekot on #project-zap of OWASP Slack
Mentioned by @kingthorin_rm on #project-zap of OWASP Slack
Mentioned by @Kinnaird McQuade on #project-zap of OWASP Slack
In local env the very first response is 'app tests are running'.
In cloud env the very first response is 'initialising job'.
I think this may be because the cloud returns the status faster than local, but unsure.
Both local and cloud should be the same.
Run a test
If the orchestrator.js testTeamAttack returns initTesterResponsesForCli due to failedTesterInitialisations.length || !startTesters, for example if a "Tester failure:" occurred, for example due to the tlsScanner resource object being provided in the Job file:
Tester initialised.
Tester initialised.
This means subsequent calls to orchestrator.js testTeamAttack will return the same internals.initTesterResponsesForCli as last time, and Testers will never change state.
A reset routine for each Tester. The first place the reset should be invoked from would be within the first option of the current internals.initTesterResponsesForCli = failedTesterInitialisations.length || !startTesters ternary in testTeamAttack of orchestrator.js.
internals.initTesterResponsesForCli = null, which is currently in orchestrator.js processTesterFeedbackMessageForCli, should be in something like a resetTesters routine of the orchestrator.
The resetTesters routine would also call each model's testerFinished(true).
reset should probably attempt stopping any s2 containers as well as setting status.
Add tests, even if manual
Wanted to try out purpleteam (guide at https://purpleteam-labs.com/doc/local/set-up/)
Cloned https://github.com/purpleteam-labs/purpleteam-orchestrator
npm run dc-build
results in
npm run dc-build
> [email protected] dc-build /Users/my-user/Develop/purpleteam-orchestrator
> npm run dc-orchestrator-testers build
> [email protected] dc-orchestrator-testers /Users/my-user/Develop/purpleteam-orchestrator
> APP_SCANNER_GROUP_ID=$(id -g) APP_SCANNER_USER_ID=$(id -u) ORCHESTRATOR_GROUP_ID=$(id -g) ORCHESTRATOR_USER_ID=$(id -u) docker-compose -f ./compose/orchestrator-testers-compose.yml "build"
WARNING: The HOST_DIR variable is not set. Defaulting to a blank string.
ERROR: build path /Users/my-user/develop/purpleteam-app-scanner either does not exist, is not accessible, or is not a valid URL.
Mh, okay. Can't see that in instructions, but okay. Cloned https://github.com/purpleteam-labs/purpleteam-app-scanner.
npm run dc-build
now results in
npm run dc-up
> [email protected] dc-up /Users/my-user/Develop/purpleteam-orchestrator
> npm run dc-orchestrator-testers up
> [email protected] dc-orchestrator-testers /Users/my-user/Develop/purpleteam-orchestrator
> APP_SCANNER_GROUP_ID=$(id -g) APP_SCANNER_USER_ID=$(id -u) ORCHESTRATOR_GROUP_ID=$(id -g) ORCHESTRATOR_USER_ID=$(id -u) docker-compose -f ./compose/orchestrator-testers-compose.yml "up"
WARNING: The HOST_DIR variable is not set. Defaulting to a blank string.
Creating network "compose_pt-net" with the default driver
Pulling redis (redis:alpine)...
alpine: Pulling from library/redis
540db60ca938: Pull complete
29712d301e8c: Pull complete
8173c12df40f: Pull complete
a77b7ddf4978: Pull complete
3f34a000c6b3: Pull complete
275dfaedaf41: Pull complete
Digest: sha256:f8f0e809a4281714c33edf86f6da6cc2d4058c8549e44d8c83303c28b3123072
Status: Downloaded newer image for redis:alpine
Creating compose_redis_1 ... done
Creating pt-app-scanner-cont ... error
Creating pt-orchestrator-cont ...
Creating pt-orchestrator-cont ... error
ERROR: for pt-orchestrator-cont Cannot create container for service orchestrator: invalid mount config for type "bind": field Source must not be empty
ERROR: for app-scanner Cannot create container for service app-scanner: invalid mount config for type "bind": field Source must not be empty
ERROR: for orchestrator Cannot create container for service orchestrator: invalid mount config for type "bind": field Source must not be empty
ERROR: Encountered errors while bringing up the project.
Either something starts without error or guide has clear instructions.
Seen above.
Rework how we handle environment variables in most of our services and CLI: use a .env and dotenv/config for local and provide a .env.example for source control. We use .env files in a few places, but will take this a bit further.
TERM env var) in pt cli and detail what to do
commit
Doc changes here (https://github.com/purpleteam-labs/purpleteam) and probably quite a few other places.
dotenv doesn't by default overload environment variables that are already set and, by the look of it, can't do it using the pre-load technique (node -r dotenv/config server.js).
Running (spawning, etc.) purpleteam within another process, for example the NPM install locally option, causes blessed errors due to the fact that the purpleteam CLI is not running directly within a terminal. npm start for example.
Example output follows:
No errors
Run the CLI from within another process. It must get to the stage where the blessed screen is actually drawn though, so the orchestrator has to be running.
Because the CLI errors when creating the screen, the CLI log also fails to be written.
NO_SCREEN
ptLogger is inited with, probably, Console
npm list -g --depth 0 before and after linking to see the differences
While doing this:
POST retry on again (default 2 retries): will this affect the cloud? Adds complexity for little gain. Currently there isn't really a need, and the time-outs would have to be tweaked quite a bit. Added comments to apiDecoratingAdapter.js
https://github.com/purpleteam-labs/purpleteam/blob/main/README.md#clone-the-git-repository also needs to include npm install, with an optional npm link to install the repo as a system command.
Probably also add some details to the Run section.
purpleteam build failing due to code --coverage
Chase AWS around security testing compliance
From issue Update Packages gherkin (currently required to support cucumber-redacted.js). Issue submitted, waiting for response. Currently working on app-scanner branch binarymist/cucumber-redacted-removal
Useful Resources:
Todo:
cucumber.getTestCasesFromFilesystem functionality which causes tests to fail. issue
Big thanks to @aurelien-reeves for getting this over the line
on function expected on cucumberCliStdout that's used to instantiate the cucumber Cli. Introduced in @cucumber/cucumber 7.1.0
Can not upgrade from "@cucumber/gherkin": "17.0.2" to "@cucumber/gherkin-streams": "2.0.2" https://github.com/cucumber/cucumber-js/issues/1675
gotPt.defaults having to be reset in the CLI
Possibly use https://github.com/sullo/nikto as the emissary.
Nikto: (Perl) Tests web servers. GPL which sounds fine used in a SaaS. The AGPL on the other hand means the code must be open. In Docker container: https://github.com/ellerbrock/nikto-docker or https://hub.docker.com/r/frapsoft/nikto/
throws and Todo's in app.parallel.js
timeOut (70000 at time of writing): app.parallel getS2ContainerHostNamesWithPorts rejects with new Error('Timed out while waiting for S2 Service Discovery Service Instances to be available.'). This is currently fatal (the app-scanner container hangs). Can we reduce the timeOut to well under the Api Gateway timeout and use our redis publisher to publish a message, then retry getS2ContainerHostNamesWithPorts up to two more times? This would satisfy the Api Gateway 30 second timeout, provide some feedback to the purpleteam CLI, and almost certainly be successful. The first try on a cold EC2 instance takes longer. Also the s2 Service Discovery Service Instances that are up will remain up after retries, making subsequent retries faster. Also if an exception is thrown, which in this case it is, the s2 Service Discovery Service Instances will currently never be brought down. This is also a problem that needs addressing. If the AMI resources are not sufficient for the number of containers requested, then the timeOut will consistently be hit; there is a comment in getS2ContainerHostNamesWithPorts of app.parallel around this.
publishing feedback to the purpleteam CLI
Orchestrator Tester models startTester, initTester and plan:
plan already has some, but it'll probably need changing.
initTester should be easy to handle as we can just pass back a "Tester failure:".
startTester may be a little more work: startTester needs to set isFinished to true and return a "Tester failure:" message, which would also need to be augmented into the combinedInitTesterResponses that the orchestrator returns to the CLI.
#warmUpTestSessionMessageChannels should probably also check that it's only acting on Tester models where testerFinished() is true.
May as well swap axios and http-proxy-agent for got and hpagent in app.emissary.js of the app-scanner.
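An added example (not purpleteam's app.parallel.js) of the retry shape proposed above for getS2ContainerHostNamesWithPorts: a per-attempt timeout kept well under the 30 second Api Gateway limit, a feedback message published on every timeout, and up to two further attempts before the caller sees one fatal error instead of a hung container. The discover and publish callbacks, attemptTimeoutMs, the cold-start stub and the feedback message texts are assumptions.

```javascript
// Added example: bounded retries with feedback for S2 discovery (not project code).

// Race one discovery attempt against a timeout so a hung attempt cannot
// stall the whole app-scanner container.
function withTimeout(promise, ms, message) {
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error(message)), ms);
  });
  return Promise.race([promise, timeout]).finally(() => clearTimeout(timer));
}

// discover(): resolves to the S2 host:port list, or hangs / rejects.
// publish(msg): sends feedback towards the purpleteam CLI (e.g. the redis publisher).
// Three attempts in total: the original try plus "up to two more times".
async function getS2ContainerHostNamesWithPorts({ discover, publish, attemptTimeoutMs = 8000, maxAttempts = 3 }) {
  let lastError;
  for (let attempt = 1; attempt <= maxAttempts; attempt += 1) {
    try {
      return await withTimeout(discover(), attemptTimeoutMs,
        'Timed out while waiting for S2 Service Discovery Service Instances to be available.');
    } catch (err) {
      lastError = err;
      // Feedback on every failed attempt, so the CLI is not left waiting silently.
      await publish(`S2 discovery attempt ${attempt} of ${maxAttempts} failed: ${err.message}`);
    }
  }
  // Still fatal after the last attempt, but now reported rather than hung.
  throw new Error(`S2 discovery failed after ${maxAttempts} attempts: ${lastError.message}`);
}

// Constructed discovery stub: hangs for the first N calls (cold EC2 instance),
// then succeeds, which is the pattern the proposal relies on.
function makeColdStartDiscover(hostNamesWithPorts, hangingAttempts = 1) {
  let calls = 0;
  return () => {
    calls += 1;
    if (calls <= hangingAttempts) return new Promise(() => {}); // never settles
    return Promise.resolve(hostNamesWithPorts);
  };
}
```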
Add tests, even if manual
slave -> emissary
slaves -> emissaries
Slave -> Emissary
Slaves -> Emissaries
| proj | committed | apply -> search again | merged | pushed | change-set |
|---|---|---|---|---|---|
| doc | ✓ | - | ✓ | ✓ | commit |
| CLI | ✓ | - | ✓ | ✓ | commit |
| app-scanner | ✓ | - | ✓ | ✓ | commit |
| lambda | ✓ | - | ✓ | ✓ | commit |
| s2-containers | ✓ | - | ✓ | ✓ | commit |
| orchestrator | ✓ | - | ✓ | ✓ | commit |
| iac-sut | - | - | - | - | - |
| logger | - | - | - | - | - |
| tls-checker | - | - | - | - | - |
| server-scanner | - | - | - | - | - |
We're going to be using Nikto. The majority of the code will be in https://github.com/purpleteam-labs/purpleteam-server-scanner.
This is mostly green fields work. We have the app-scanner and tls-scanner fully implemented to use as a reference for what Testers look like.
The diagram here shows where Testers fit into the architecture.
As with the TLS Tester, this will require on-going maintenance, is the work worth what the Server Tester provides? If not, decide what to do.
This covers Zap self-signed certs and self-signed certs that SUTs may present.
Currently all self-signed certs presented to the webdriver are accepted. Ideally where we want to get to is to not trust any insecure certificates, that is passing false
in the following calls in webDriverFactory.js in the app-scanner:
chromeOptions.setAcceptInsecureCerts(true)
firefoxOptions.setAcceptInsecureCerts(true)
In order to do this the following two items need to be done.
Each Zap instance uses its own root certificate.
Currently if we have:
chromeOptions.setAcceptInsecureCerts(false)
firefoxOptions.setAcceptInsecureCerts(false)
With the Zap self-signed cert, this will block the selenium browser currently. So what we need to do is:
coreOtherRootcert should do the trick.
These steps should be performed within the routines addressed by the following calls in the Cucumber world:
async initialiseBrowser() {
await this.sut.initialiseBrowser(this.zap.getPropertiesForBrowser(), this.selenium);
}
Steps 2 and 3 of the above will be similar, but we will need to work out where the best place to source the self-signed customer SUT certificate from is. A couple of thoughts:
local and cloud
I have enabled the Discussions feature. It would be a good place to ask purpleteam-related questions and discuss it in general.
Please be kind and constructive.
This issue can be used for discussing adding new categories and other meta things.
This is another you could dive into @ricekot. If and when you do, let me know and I'll dig out as much info as I have. I've done this once before. My fork is here: https://github.com/binarymist/zap-api-nodejs
purpleteam-app-scanner interfaces with Zap via the zap-api-nodejs. The app-scanner is currently pointing at a commit (https://github.com/purpleteam-labs/purpleteam-app-scanner/blob/main/package.json#L88)
Basically we need to update the HTTP library (move away from request as it's now deprecated): https://github.com/binarymist/zap-api-nodejs/blob/master/package.json#L28-L29
I'd probably use got again. I moved from request to got in the CLI. Most of the changes were in the apiDecoratingAdapter.js: a705ae8
The zap-api-nodejs is all generated JavaScript, so you need to play a little with Java, not a big deal though. When you get there give me a yell. This not only affects purpleteam-labs but also Zap obviously and all of its consumers via the Node API. @psiinon would also be happy 😄
Update: (2021-02-25) See issue in zaproxy
Currently public doc:
public docs need to have their own website
Users will be able to find information about purpleteam, and it'll be user friendly.
@binarymist has been doing research on this for a couple of years and has a bunch of ideas, requirements and a shortlist of possible platforms to use. Ping @binarymist when starting this. Some of the notes taken have a degree of sensitivity.
As a stop-gap measure we've hosted https://github.com/purpleteam-labs/purpleteam-doc as doc.purpleteam-labs.com
Details here: https://webmasters.stackexchange.com/questions/105899/cloudflare-dns-how-to-setup-a-github-repository-to-a-custom-sub-domain
We could change all occurrences of sutIp to hostname, but what would make the most sense is to just combine sutIp, sutPort and sutProtocol from the job file into sutUrlOrigin.
We should also be using URL:
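An added example (not purpleteam code) of folding the Job file's sutProtocol, sutIp and sutPort into one sutUrlOrigin and validating it with the WHATWG URL class, including the IPv6 and default-port edge cases a Tester would otherwise get wrong. The field names follow the issue; the function names and the sample Job values are constructed.

```javascript
// Added example: derive and validate sutUrlOrigin with the URL class (not project code).

// Build the origin string from the three legacy Job fields. An IPv6 literal
// must be bracketed before it can appear as a URL host.
function sutUrlOriginFromLegacyFields({ sutProtocol, sutIp, sutPort }) {
  const host = sutIp.includes(':') && !sutIp.startsWith('[') ? `[${sutIp}]` : sutIp;
  return `${sutProtocol}://${host}:${sutPort}`;
}

// Accept either form the Job provides and return a canonical origin plus the
// pieces a Tester needs. Rejects anything that is not plain http(s) or that
// carries credentials, a path, query or fragment, since only an origin is wanted.
function parseSutUrlOrigin(job) {
  const raw = job.sutUrlOrigin || sutUrlOriginFromLegacyFields(job);
  let url;
  try {
    url = new URL(raw);
  } catch {
    throw new Error(`sutUrlOrigin is not a valid URL: ${raw}`);
  }
  if (!['http:', 'https:'].includes(url.protocol)) {
    throw new Error(`unsupported protocol ${url.protocol}`);
  }
  if (url.username || url.password || url.pathname !== '/' || url.search || url.hash) {
    throw new Error('sutUrlOrigin must be an origin only (no credentials, path, query or fragment)');
  }
  // url.port is '' when the port is the scheme default; resolve it explicitly.
  const port = url.port || (url.protocol === 'https:' ? '443' : '80');
  return { origin: url.origin, protocol: url.protocol.slice(0, -1), hostname: url.hostname, port };
}

// Constructed Job fragments for illustration (documentation addresses).
const LEGACY_JOB = { sutProtocol: 'https', sutIp: '203.0.113.5', sutPort: 443 };
const ORIGIN_JOB = { sutUrlOrigin: 'http://[2001:db8::1]:8080' };
```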
terragrunt init -upgrade
terragrunt apply
terragrunt init -upgrade
terragrunt apply
@hapi/good (API here) is deprecated. It doesn't actually do anything other than log process metrics (memory, uptime, load). All other logging is done by the generic hapi logger (server.log
, request.log
) or purpleteam-logger. good can stay until it no longer works, then we can just remove it along with hapi-good-winston.
Message on #hapi Slack from the BDFL on 2020-07-05:
eran 08:05
@channel hapi v18 is being soft-deprecated. This means it will only get critical security fixes between now and the end of the year. No other bug fixes or node version updates will be released. It was supposed to be deprecated months ago but was postponed due to the COVID-19 situation. You will start seeing a deprecation message on npm now, and then it will no longer receive any support or security fixes at the end of the year. There is no reason not to upgrade to hapi v19. It is a trivial upgrade from v18
hapijs/hapi#4111
We have username and password SUT login.
Build Users would be able to provide authentication details to purpleteam other than username and password so that purpleteam can authenticate with the SUT
Not all password fields are currently masked in logs
Mask them all
Keeping in mind future auth types