Elastest Documentation

ElasTest Security Service (ESS)

The ElasTest Security Service (ESS) is an ElasTest service for identifying security vulnerabilities in the System under Test (SuT). ESS creates security tests that probe the SuT to discover security vulnerabilities. ESS is based on OWASP ZAP (a prominent open source web vulnerability scanner). ESS not only supports the detection of the common web application vulnerabilities (cross-site scripting, SQL injection etc.), but also cookie misconfigurations, privacy attacks, replay attacks, etc.

Features

The current version of ESS (v1.0.0-beta7) has the following features. 1. Support for programmatically scanning a TJob (see the next section for details) 2. A web-based GUI for keeping track of the progress of a security scan and for displaying the results of a scan 3. Support for detecting common Web application security weaknesses that are supported by OWASP ZAP 4. Supports the detection of insecure cookies that are missing - the secure flag and thereby allowing SSL Stripping attacks - the httponly flag and therefore susceptible Cross-Site Scripting attacks, - the SameSite attribute and thereby facilitating Cross-Site Request Forgery attacks

The future releases of ESS will support the detection of vulnerabilities enabling: - Privacy Attacks (e.g. Cross-Origin State Inference attacks) - Replay attacks - etc.

Using ESS in a TJob

A normal TJob simply contains the code for executing a test (e.g. executing a selenium test using a web browser provided by the EUS). Once the test has dinished executing, the program returns and the TJob execution is completed. For scan a TJob using ESS, the author of the TJob must add the following steps before exiting. 1. read the value of the ET_ESS_API environmental variable to get the URL of the ESS API. The following is an example (in Python) of how this can be done.

import os
ess_api_url=os.environ['ET_ESS_API']

send a HTTP POST request to the path /ess/api/r4/start/ of the ESS API with a JSON body containing the key sites with the value being a list of SuT URLs that needs to be scanned for security. The following is an example (in Python) of how this can be done.

import requests
resp=requests.post(ess_api_url+"/ess/api/r4/start/",json={"sites": ["https://example.com"]})

check whether the ESS scan has completed before exiting

if "starting-ess" in resp.text:
            resp=requests.get(ess_api_url+'/ess/api/r4/status/')
            status=resp.text
            while ("not-yet" in status):
                time.sleep(5)
                resp=requests.get(ess_url+'/ess/api/r4/status/')
                status=resp.text

We have created the docker image of similar TJob and it's code is available here. The docker image is available at

dockernash/test-tjob-ess