Closed. raghusarangapani closed this 7 years ago.
ZAP tool:
- Did security scans against the following versions:
  - sync-gateway -> 1.5
  - couchbase-server -> 5.0.0-3217 (beta version)
- Worked on security scans on VMs using the ZAP tool.
- Tested the exposed endpoints and scanned the admin and non-admin interfaces: /db/doc, /db, /db/_bulk_docs, /db/changes, /db/_oidc
- Did port scanning on the sync-gateway VM using nmap.
- As the ZAP tool only issues GET calls while scanning, I did some POST actions on the admin interface, added ZAP as a proxy in the browser, captured some POST and PUT calls from the browser in ZAP, and ran the scan with all endpoints.
Qualys tool:
- As the Qualys tool accepts only public IPs, sync-gateway and CBS were set up on an AWS instance. Sync-gateway was also set up on port 80 so that its IP could be published as public and scanned with the Qualys tool.
- Areas covered: tested the admin and non-admin interfaces on port 80.

Here is the ticket that was caught during all the security scans: https://github.com/couchbase/sync_gateway/issues/2711
Run security scans against SG using Qualys tools