SecTester.Runner
0.41.4
dotnet add package SecTester.Runner --version 0.41.4
NuGet\Install-Package SecTester.Runner -Version 0.41.4
<PackageReference Include="SecTester.Runner" Version="0.41.4" />
paket add SecTester.Runner --version 0.41.4
#r "nuget: SecTester.Runner, 0.41.4"
// Install SecTester.Runner as a Cake Addin #addin nuget:?package=SecTester.Runner&version=0.41.4 // Install SecTester.Runner as a Cake Tool #tool nuget:?package=SecTester.Runner&version=0.41.4
SecTester.Scan
Run scanning for vulnerabilities just from your unit tests on CI phase.
Setup
$ dotnet add package SecTester.Runner
Step-by-step guide
Configure SDK
To start writing tests, first obtain a Bright token, which is required for the access to Bright API. More info about setting up an API key.
Then put obtained token into BRIGHT_TOKEN
environment variable to make it accessible by default EnvCredentialProvider
.
Refer to
SecTester.Core
documentation for the details on alternative ways of configuring credential providers.
Once it is done, create a configuration object. Single required option is Bright Hostname
domain you are going to use, e.g. app.brightsec.com
as the main one:
using SecTester.Core;
var config = new Configuration("app.brightsec.com");
Setup runner
To set up a runner, create SecRunner
instance passing a previously created configuration as follows:
using SecTester.Core;
using SecTester.Runner;
var config = new Configuration("app.brightsec.com");
await using var runner = await SecRunner.Create(configuration);
After that, you have to initialize a SecRunner
instance:
await runner.Init();
The runner is now ready to perform your tests, but you have to create a scan.
To dispose a runner, you just need to call the Clear
or DisposeAsync
method:
await runner.Clear();
// or
await runner.DisposeAsync();
Starting scan
To start scanning your application, first you have to create a SecScan
instance, as shown below:
await using var scan = await runner.CreateScan(new ScanSettingsBuilder()
.WithTests(new List<TestType> { TestType.Xss }));
Below you will find a list of parameters that can be used to configure a Scan
:
Option | Description |
---|---|
Target |
The target that will be attacked. For details, see here. |
Tests |
The list of tests to be performed against the target application. Learn more about tests |
RepeaterId |
Connects the scan to a Repeater agent, which provides secure access to local networks. |
Smart |
Minimize scan time by using automatic smart decisions regarding parameter skipping, detection phases, etc. Enabled by default. |
SkipStaticParams |
Use an advanced algorithm to automatically determine if a parameter has any effect on the target system's behavior when changed, and skip testing such static parameters. Enabled by default. |
PoolSize |
Sets the maximum concurrent requests for the scan, to control the load on your server. By default, 10 . |
AttackParamLocations |
Defines which part of the request to attack. By default, body , query , and fragment . |
SlowEpTimeout |
Automatically validate entry-point response time before initiating the vulnerability testing, and reduce scan time by skipping any entry-points that take too long to respond. By default, 1000ms. |
TargetTimeout |
Measure timeout responses from the target application globally, and stop the scan if the target is unresponsive for longer than the specified time. By default, 5min. |
Name |
The scan name. The method and hostname by default, e.g. GET example.com . |
We provide a fluent interface for building a ScanSettings
object. To use it, you start by creating a ScanSettingsBuilder
instance, and then you call its methods to specify the various settings you want to use for the scan as shown above.
Finally, run a scan against your application:
var target = new Target("https://localhost:8000/api/orders")
.WithMethod(HttpMethod.Post)
.WithBody(@"{ ""subject"": ""Test"", ""body"": ""<script>alert('xss')</script>"" }", "application/json");
await scan.Run(target);
The Run
method takes a single argument (for details, see here), and returns promise that is resolved if scan finishes without any vulnerability found, and is rejected otherwise (on founding issue that meets threshold, on timeout, on scanning error).
If any vulnerabilities are found, they will be pretty-printed to stderr (depending on the testing framework) and formatted depending on chosen Formatter
.
By default, each found issue will cause the scan to stop. To control this behavior you can set a severity threshold using the Threshold
method:
scan.Threshold(Severity.High);
Now found issues with severity lower than High
will not cause the scan to stop.
Sometimes either due to scan configuration issues or target misbehave, the scan might take much more time than you expect. In this case, you can provide a timeout for specifying maximum scan running time:
scan.Timeout(TimeSpan.FromSeconds(30));
In that case after 30 seconds, if the scan isn't finishing or finding any vulnerability, it will throw an error.
Usage sample
using System.Configuration;
using SecTester.Runner;
using SecTester.Scan;
using SecTester.Scan.Models;
public class SecRunnerFixture : IAsyncLifetime
{
public SecRunner Runner { get; private set; }
public async Task InitializeAsync()
{
var hostname = ConfigurationManager.AppSettings["BrightHost"];
// create a test runner
Runner = await SecRunner.Create(new SecTester.Core.Configuration(hostname));
// initialize a test runner
await Runner.Init();
}
public async Task DisposeAsync()
{
if (Runner is not null)
{
// clean up runner
await Runner.DisposeAsync();
}
GC.SuppressFinalize(this);
}
}
public class OrdersApiTests : IClassFixture<SecRunnerFixture>, IAsyncDisposable
{
private readonly SecRunnerFixture _fixture;
private readonly SecScan _test;
public OrdersApiTests(SecRunnerFixture fixture)
{
_fixture = fixture;
_test = _fixture
.Runner
.CreateScan(new ScanSettingsBuilder()
.WithTests(new List<TestType> { TestType.Xss }))
.Threshold(Severity.Medium)
.Timeout(TimeSpan.FromMinutes(5));
}
public async ValueTask DisposeAsync()
{
await _fixture.DisposeAsync();
GC.SuppressFinalize(this);
}
[Fact]
public async Task Post_ApiOrder_ShouldNotHavePersistentXss()
{
var target = new Target("https://localhost:8000/api/orders")
.WithMethod(HttpMethod.Post)
.WithBody(@"{ ""subject"": ""Test"", ""body"": ""<script>alert('xss')</script>"" }", "application/json");
await _test.Run(target);
}
[Fact]
public async Task Get_ApiOrder_ShouldNotHaveReflectiveXss()
{
var target = new Target("https://localhost:8000/api/orders")
.WithQuery(new Dictionary<string, string> { { "q", "<script>alert('xss')</script>" } });
await _test.Run(target);
}
}
License
Copyright © 2022 Bright Security.
This project is licensed under the MIT License - see the LICENSE file for details.
Product | Versions Compatible and additional computed target framework versions. |
---|---|
.NET | net5.0 was computed. net5.0-windows was computed. net6.0 was computed. net6.0-android was computed. net6.0-ios was computed. net6.0-maccatalyst was computed. net6.0-macos was computed. net6.0-tvos was computed. net6.0-windows was computed. net7.0 was computed. net7.0-android was computed. net7.0-ios was computed. net7.0-maccatalyst was computed. net7.0-macos was computed. net7.0-tvos was computed. net7.0-windows was computed. net8.0 was computed. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. |
.NET Core | netcoreapp2.0 was computed. netcoreapp2.1 was computed. netcoreapp2.2 was computed. netcoreapp3.0 was computed. netcoreapp3.1 was computed. |
.NET Standard | netstandard2.0 is compatible. netstandard2.1 was computed. |
.NET Framework | net461 was computed. net462 was computed. net463 was computed. net47 was computed. net471 was computed. net472 was computed. net48 was computed. net481 was computed. |
MonoAndroid | monoandroid was computed. |
MonoMac | monomac was computed. |
MonoTouch | monotouch was computed. |
Tizen | tizen40 was computed. tizen60 was computed. |
Xamarin.iOS | xamarinios was computed. |
Xamarin.Mac | xamarinmac was computed. |
Xamarin.TVOS | xamarintvos was computed. |
Xamarin.WatchOS | xamarinwatchos was computed. |
-
.NETStandard 2.0
- Microsoft.Extensions.DependencyInjection.Abstractions (>= 6.0.0)
- SecTester.Repeater (>= 0.41.4)
- SecTester.Reporter (>= 0.41.4)
- SecTester.Scan (>= 0.41.4)
NuGet packages
This package is not used by any NuGet packages.
GitHub repositories
This package is not used by any popular GitHub repositories.
Version | Downloads | Last updated |
---|---|---|
0.41.4 | 124 | 6/8/2024 |
0.41.3 | 156 | 10/4/2023 |
0.41.2 | 108 | 10/4/2023 |
0.41.1 | 135 | 10/4/2023 |
0.41.0 | 126 | 10/4/2023 |
0.40.0 | 196 | 8/3/2023 |
0.39.1 | 175 | 8/1/2023 |
0.39.0 | 172 | 7/31/2023 |
0.38.0 | 176 | 7/28/2023 |
0.37.0 | 182 | 7/20/2023 |
0.36.0 | 173 | 6/5/2023 |
0.35.1 | 168 | 5/2/2023 |
0.35.0 | 225 | 4/11/2023 |
0.34.0 | 298 | 2/8/2023 |
0.33.7 | 322 | 12/20/2022 |
0.33.6 | 322 | 12/16/2022 |
0.33.5 | 316 | 12/16/2022 |
0.33.4 | 333 | 12/15/2022 |
0.33.3 | 311 | 12/14/2022 |
0.33.2 | 318 | 12/14/2022 |
0.33.1 | 322 | 12/14/2022 |
0.33.0 | 301 | 12/14/2022 |
0.32.8 | 302 | 12/13/2022 |
0.32.7 | 296 | 12/13/2022 |
0.32.6 | 310 | 12/13/2022 |
0.32.5 | 312 | 12/13/2022 |
0.32.4 | 313 | 12/13/2022 |
0.32.3 | 301 | 12/13/2022 |
0.32.2 | 296 | 12/13/2022 |
0.32.1 | 289 | 12/13/2022 |
0.32.0 | 308 | 12/13/2022 |
0.31.0 | 309 | 12/11/2022 |