Open laminfaty opened 9 years ago
That step is now optional. The preferred way is to store those credentials in the config.xml file. This prevents the credentials from being exposed in the HTML reports for the whole world to read.
```xml
<nessus>
  <username>continuum</username>
  <password>continuum</password>
</nessus>
```
```java
@When("the scanner is run with scan name $scanName")
public void runScan(String scanName) throws LoginException {
    // Credentials given in the story take precedence; otherwise fall back to
    // the <nessus> block in config.xml so they never appear in the HTML report
    if (username == null) {
        username = Config.getNessusUsername();
        password = Config.getNessusPassword();
    }
```
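As an added, self-contained illustration of the approach above (this is not bdd-security's own `Config` class, and the class, method names and the constructed `config.xml` text are assumptions), the following Java reads the `<nessus>` credentials from the config and applies the same precedence as the step: a username supplied in the story wins, otherwise the config values are used, and only the account name is ever written to output.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/**
 * Hypothetical stand-in for the Config class used by the Nessus steps
 * (added example, not project code). It reads the <nessus> block of
 * config.xml so the credentials stay out of the story and the HTML report.
 */
public class NessusConfigExample {

    /** Constructed sample config.xml, mirroring the snippet in the thread. */
    static final String SAMPLE_CONFIG =
        "<config>\n" +
        "  <nessus>\n" +
        "    <username>continuum</username>\n" +
        "    <password>continuum</password>\n" +
        "  </nessus>\n" +
        "</config>\n";

    private final Document doc;

    public NessusConfigExample(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // config.xml is a local file, but refusing DTDs costs nothing and rules out XXE.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setExpandEntityReferences(false);
        doc = factory.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public String getNessusUsername() { return text("username"); }

    public String getNessusPassword() { return text("password"); }

    /** Text of the first <nessus>/<name> element, or null when it is absent or empty. */
    private String text(String name) {
        NodeList nessus = doc.getElementsByTagName("nessus");
        if (nessus.getLength() == 0) return null;
        NodeList nodes = ((Element) nessus.item(0)).getElementsByTagName(name);
        if (nodes.getLength() == 0) return null;
        String value = nodes.item(0).getTextContent().trim();
        return value.isEmpty() ? null : value;
    }

    /**
     * Same precedence as the runScan step: credentials from the story win,
     * otherwise fall back to config.xml. Returns {username, password} and
     * fails loudly when neither source provides them.
     */
    public static String[] resolveCredentials(String storyUser, String storyPass,
                                              NessusConfigExample cfg) {
        if (storyUser != null) {
            return new String[] {storyUser, storyPass};
        }
        String user = cfg.getNessusUsername();
        String pass = cfg.getNessusPassword();
        if (user == null || pass == null) {
            throw new IllegalStateException(
                "No Nessus credentials in the story and no <nessus> block in config.xml");
        }
        return new String[] {user, pass};
    }

    /** The only form that should reach a log or report: account name, never the secret. */
    public static String describe(String[] creds) {
        return "nessus user=" + creds[0] + " password=<redacted>";
    }

    public static void main(String[] args) throws Exception {
        NessusConfigExample cfg = new NessusConfigExample(SAMPLE_CONFIG);
        String[] fromConfig = resolveCredentials(null, null, cfg);
        String[] fromStory = resolveCredentials("storyuser", "storypass", cfg);
        System.out.println(describe(fromConfig));
        System.out.println(describe(fromStory));
    }
}
```

Compile and run it with `javac NessusConfigExample.java && java NessusConfigExample`; it needs only the JDK. Keeping the secret out of `describe()` is the point of the thread: whatever the step prints ends up in the JBehave HTML report.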
Good point about not exposing nessus credentials.
In the nessus story we need to let the developer know that he/she has options to use the nessus web-application policy, server/host policy etc. Basically, my point is that the developer should be able to run any policy he/she wishes. What do you think?
@continuumsecurity The nessus story scan time needs to be increased; if not, it will yield an error.
The scan policy is defined in this line:

```
And the scanning policy named test
```

So the user can define any policy they like on the nessus server, then pass the name of the policy to bdd-sec in that line of the nessus story file.
The story timeout can be increased in the config file, it's a global value that applies to all stories. i.e. no story must take longer than the timeout value:
@continuumsecurity I was testing the nessus story and keep getting the following error. Do you have any idea? My question is: where are the issues stored? Are they stored in the nessus scanner or in bdd-sec?
```
And the list of issues is stored (FAILED)
(javax.ws.rs.NotAuthorizedException: HTTP 401 Authorization required)
[java] And the following false positives are removed
[java]
[java] |PluginID|Hostname|Reason|
[java] |43111|127.0.0.1|Example of how to add a false positive to this story|
[java] (NOT PERFORMED)
[java] Then no severity: 2 or higher issues should be present (NOT PERFORMED)
[java]
[java] javax.ws.rs.NotAuthorizedException: HTTP 401 Authorization required
[java] at org.glassfish.jersey.client.JerseyInvocation.convertToException(JerseyInvocation.java:950)
[java] at org.glassfish.jersey.client.JerseyInvocation.translate(JerseyInvocation.java:795)
[java] at org.glassfish.jersey.client.JerseyInvocation.access$500(JerseyInvocation.java:91)
[java] at org.glassfish.jersey.client.JerseyInvocation$2.call(JerseyInvocation.java:683)
[java] at org.glassfish.jersey.internal.Errors.process(Errors.java:315)
[java] at org.glassfish.jersey.internal.Errors.process(Errors.java:297)
[java] at org.glassfish.jersey.internal.Errors.process(Errors.java:228)
[java] at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:443)
[java] at org.glassfish.jersey.client.JerseyInvocation.invoke(JerseyInvocation.java:679)
[java] at org.glassfish.jersey.client.JerseyInvocation$Builder.method(JerseyInvocation.java:408)
[java] at org.glassfish.jersey.client.JerseyInvocation$Builder.get(JerseyInvocation.java:308)
[java] at net.continuumsecurity.v6.SessionClientV6.getRequest(SessionClientV6.java:67)
[java] at net.continuumsecurity.v6.ScanClientV6.getScanStatus(ScanClientV6.java:24)
[java] at net.continuumsecurity.v6.ScanClientV6.isScanRunning(ScanClientV6.java:79)
[java] at net.continuumsecurity.steps.NessusScanningSteps.waitForScanToComplete(NessusScanningSteps.java:127)
[java] at net.continuumsecurity.steps.NessusScanningSteps.storeIssues(NessusScanningSteps.java:93)
[java] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[java] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
[java] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[java] at java.lang.reflect.Method.invoke(Method.java:606)
[java] at org.jbehave.core.steps.StepCreator$ParameterisedStep.perform(StepCreator.java:569)
[java] at org.jbehave.core.embedder.StoryRunner$FineSoFar.run(StoryRunner.java:533)
[java] at org.jbehave.core.embedder.StoryRunner.runStepsWhileKeepingState(StoryRunner.java:513)
[java] at org.jbehave.core.embedder.StoryRunner.runScenarioSteps(StoryRunner.java:477)
[java] at org.jbehave.core.embedder.StoryRunner.runCancellable(StoryRunner.java:308)
[java] at org.jbehave.core.embedder.StoryRunner.run(StoryRunner.java:220)
[java] at org.jbehave.core.embedder.StoryRunner.run(StoryRunner.java:181)
[java] at org.jbehave.core.embedder.StoryManager$EnqueuedStory.call(StoryManager.java:235)
[java] at org.jbehave.core.embedder.StoryManager$EnqueuedStory.call(StoryManager.java:207)
[java] at java.util.concurrent.FutureTask.run(FutureTask.java:262)
[java] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
[java] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
[java] at java.lang.Thread.run(Thread.java:745)
```
> javax.ws.rs.NotAuthorizedException: HTTP 401 Authorization required

Looks like you're not authenticating to the nessus server successfully. The most likely cause is that you're using the nessus 6 client on a nessus 5 server or vice versa. You can specify the version in the story file:

```
And a nessus version 6 server at https://localhost:8834
```
The version is fixed, but here is another issue. I think it has to do with waitForScanToComplete(scanIdentifierForStatus). I can see the scan (bddscan) running when I log in to nessus.

```
Failed to run story nessus_scan.story
[java] java.lang.NumberFormatException: For input string: "bddscan"
[java] at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
[java] at java.lang.Integer.parseInt(Integer.java:492)
[java] at java.lang.Integer.parseInt(Integer.java:527)
[java] at net.continuumsecurity.v6.ScanClientV6.getScanStatus(ScanClientV6.java:23)
[java] at net.continuumsecurity.v6.ScanClientV6.isScanRunning(ScanClientV6.java:79)
[java] at net.continuumsecurity.steps.NessusScanningSteps.waitForScanToComplete(NessusScanningSteps.java:127)
[java] at net.continuumsecurity.steps.NessusScanningSteps.storeIssues(NessusScanningSteps.java:93)
```
Which version of nessus are you using?
@continuumsecurity I am running nessus version 6.2.1
I've retested this and it works as expected. Could you check that you have the latest code, specifically that your NessusScanSteps.java file matches: https://github.com/continuumsecurity/bdd-security/blob/master/src/main/java/net/continuumsecurity/steps/NessusScanningSteps.java
@continuumsecurity I am running the latest code. My issue is in this section:

```
And the list of issues is stored (FAILED)
[java] (javax.ws.rs.NotAuthorizedException: HTTP 401 Authorization required)
```

My question is: where is the list of issues being stored?
@continuumsecurity I think the issue I am facing with nessus 6.2.1 is that it cannot generate the report. Someone already opened this issue a week ago with nessus support. https://discussions.nessus.org/message/29974#29974
```java
@When("the list of issues is stored")
public void storeIssues() throws LoginException {
    // Block until the scan finishes, then log in to the report API and pull the findings
    waitForScanToComplete(scanIdentifierForStatus);
    reportClient = ClientFactory.createReportClient(nessusUrl, nessusVersion, ignoreHostNamesInSSLCert);
    reportClient.login(username, password);
    issues = reportClient.getAllIssuesSortedByPluginId(scanUuid);
}
```
@continuumsecurity The Nessus_scan story is missing:

```
And the nessus username blablah and the password blablah
```