This repo hosts a handful of scripts for security testing based on James Wickett's security testing class, and a dockerized owasp-zap for CI/CD by Stephen Donner.
The Gauntlt container is purpose-built for getting started with security testing with Gauntlt.
- Arachni, nikto, dirb, sqlmap, nmap and owasp-zap (zap-cli and zapr are included) are installed inside the container as a basic set of attack tools
- Gauntlt is installed and is set as the entrypoint
- You can run `make path` to include `gauntlt-docker` and other scripts in your path
- Gauntlt is based on the Aruba extension for the Cucumber framework; hence you can define your attacks using Gherkin syntax for your scenarios (i.e. using Given, When, Then clauses)
- You can find sample attacks from James Wickett's classes in the `attacks` folder.
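A minimal attack file in the Given/When/Then form described above, added here as an illustration; it is not one of the files in this repo's attacks folder. The step phrases are Gauntlt's standard nmap and Aruba output steps; the hostname value and the port numbers are assumptions to replace with your own test target and its expected exposure.

```gherkin
# Constructed example: checks that a test target exposes only the ports you expect.
@slow
Feature: Port exposure check for the test target

  Background:
    # Fails fast if the tool is missing from the container
    Given "nmap" is installed
    # Profile values are substituted into <placeholders> in the attack steps
    And the following profile:
      | name     | value     |
      | hostname | localhost |

  Scenario: The web port is reachable
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    # Regex over nmap's output; 80 is an assumed expected port
    Then the output should match /80.tcp\s+open/

  Scenario: No unexpected legacy service is exposed
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    # 23/tcp (telnet) is an assumed example of a port that must stay closed
    Then the output should not contain:
      """
      23/tcp
      """
```

Save it with an `.attack` extension; a failed Then step makes the run fail, which is what lets a CI/CD job block on it.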
You can also run your attacks using Arachni or ZAP outside Gauntlt.
There are two ad-hoc scripts for doing that, which you can use and modify:
$ zap-docker <target-url>
$ arachni-docker <target-url>
- Clone this repo
git clone https://github.com/devopstf/gauntlt-zap
- Build the docker container
$ cd /path/to/cloned/repo/gauntlt-docker
$ make build
- Copy the binary stub to your $PATH (like `/usr/local/bin`)
$ make path
- Test it out:
$ gauntlt-docker --help
- Set your target URL in the config file for Cucumber, located at `config/cucumber.yml`, using the following command:
$ gauntlt-target <target-url>
- Launch your attack:
$ gauntlt-docker path/to/your/file.attack
You can get interactive access to the container (with the current path bind-mounted to `/working`) to test the installed attack tools individually:
$ make interactive
You can use Gruyere, the cheese web application from Google Code Labs, for testing purposes. You can either set it up online or run it from a docker image through the makefile provided:
$ cd /path/to/cloned/repo/gauntlt-docker
$ make get-gruyere
$ make gruyere-start
Once you're done, you can kill the application instance by issuing this command:
$ make gruyere-kill