Dastardly — Web Application Security Scanner — CI/CD
Introduction
As a security engineer, ensuring the security of your application is of the utmost importance. With the advent of Dastardly, a free, lightweight web application security scanner, integrating security checks into your CI/CD pipeline has never been easier. Dastardly is specifically designed for security engineers and checks for seven security issues that are commonly encountered during software development. Dastardly is built on the same technology as Burp Suite's Burp Scanner, a trusted tool used by security professionals at thousands of companies worldwide. With Dastardly in your pipeline, every build is checked for these issues before deployment.
Read Complete Article on: https://securitycipher.com/2023/01/23/dastardly-web-application-security-scanner/
Dastardly
Introducing Dastardly, a web application security scanner designed for software developers. This powerful yet lightweight tool is available at no cost and integrates seamlessly into your CI/CD pipeline. Dastardly's scanner technology is based on Burp Suite's scanner, providing thorough and accurate scans for seven common security concerns during the software development process. Enhance your security measures and protect your applications with Dastardly.
Features
- Dastardly is a free, lightweight web application security scanner for your CI/CD pipeline.
- Dastardly scans your application from the outside, just like an attacker, providing accurate results.
- Scans run no longer than 10 minutes, ensuring minimal disruption to your development workflow.
- Dastardly is based on the same scanner as Burp Suite, the world's leading toolkit for web security testing used by over 16,000 organizations.
- With Dastardly, you can proactively identify vulnerabilities in your code before they become a problem, saving you time and effort in fixing bugs in old code.
- Dastardly eliminates the need to wait for a pentester to point out any holes in your code, allowing you to take control of your application security.
How to Run
Dastardly utilizes Docker technology to seamlessly integrate into your continuous integration and continuous delivery pipeline. We have detailed documentation on integrating Dastardly with various CI/CD platforms, as well as a generic Docker command to allow for integration with any platform of your choice. For further information, please refer to our guide on integrating Dastardly with your existing CI/CD pipeline.
To scan the target "https://ginandjuice.shop" using Docker, execute the following command. The scan completes within 10 minutes, and the output is a JUnit XML report, which any JUnit XML parser can consume.
docker run --user $(id -u) --rm -v $(pwd):/dastardly \
  -e DASTARDLY_TARGET_URL=https://ginandjuice.shop \
  -e DASTARDLY_OUTPUT_FILE=/dastardly/dastardly-report.xml \
  public.ecr.aws/portswigger/dastardly:latest
The results of the DAST scan are provided below. A total of 7 instances of cross-site scripting were identified, along with the corresponding affected paths. Additional details can be found in the "dastardly-report.xml" file.
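Because the report is JUnit XML, a pipeline step can parse it and fail the build on its own terms rather than relying on a test runner's pass/fail view. The script below is an added example of mine, not Dastardly's or PortSwigger's code. It assumes the usual JUnit shape, one <testcase> per finding with a <failure> element whose type attribute carries the severity; the SAMPLE_REPORT is constructed to that shape and is not real scanner output, so adjust parse_findings() if your report differs.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in JUnit XML shape; it is NOT real Dastardly output.
# Assumption: one <testcase> per finding, with a <failure> whose "type"
# attribute carries the severity.
SAMPLE_REPORT = """<testsuites>
  <testsuite name="https://ginandjuice.shop/" tests="3" failures="2">
    <testcase name="Cross-site scripting (reflected)"
              classname="https://ginandjuice.shop/catalog">
      <failure message="Cross-site scripting (reflected)" type="High">
Severity: High
Path: /catalog?search=...
      </failure>
    </testcase>
    <testcase name="HTML does not specify charset"
              classname="https://ginandjuice.shop/about">
      <failure message="HTML does not specify charset" type="Low">
Severity: Low
Path: /about
      </failure>
    </testcase>
    <testcase name="Duplicate cookies set"
              classname="https://ginandjuice.shop/login"/>
  </testsuite>
</testsuites>
"""

SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3}


def parse_findings(xml_text):
    """Return (issue, location, severity) for each test case that failed."""
    root = ET.fromstring(xml_text)
    findings = []
    for case in root.iter("testcase"):
        failure = case.find("failure")
        if failure is None:
            continue  # a passing test case: no issue at that location
        findings.append((
            case.get("name", "unknown issue"),
            case.get("classname", ""),
            failure.get("type", "Info"),
        ))
    return findings


def summarise(findings):
    """Count findings per issue name (the '7 instances of XSS' style summary)."""
    return Counter(issue for issue, _, _ in findings)


def should_fail_build(findings, min_severity="Medium"):
    """True if any finding is at or above the chosen severity threshold."""
    threshold = SEVERITY_RANK[min_severity]
    return any(SEVERITY_RANK.get(sev, 0) >= threshold for _, _, sev in findings)


if __name__ == "__main__":
    # Usage: python gate.py dastardly-report.xml   (falls back to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_REPORT
    found = parse_findings(text)
    for issue, count in sorted(summarise(found).items()):
        print(f"{count:3d}  {issue}")
    for issue, where, sev in found:
        print(f"  [{sev}] {issue} at {where}")
    sys.exit(1 if should_fail_build(found) else 0)
```

Run it after the docker command with the report path as its only argument; the exit code is what the pipeline keys on, and the severity threshold is the one knob worth exposing so that a Low-severity charset finding does not block a release while a reflected XSS does.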
Limitations
Dastardly is a web security scanner that integrates into the CI/CD pipeline. However, it may not handle login procedures well, so it is recommended to disable authentication features during the scan. It can scan APIs based on an OpenAPI v3.x.x specification and detects 7 issues commonly found in web development; API calls outside the seed URL's domain are not included in the scan. Dastardly is based on the same technology as Burp Suite.
Authentication
Dastardly may not effectively handle login procedures. Therefore, when utilizing Dastardly for scanning purposes, it is recommended to disable any authentication features within the application.
Scanning APIs
Dastardly can scan APIs defined by a JSON-based OpenAPI v3.x.x specification, searching for potential vulnerabilities. It scans API calls to endpoints in the same domain as the initial seed URL; calls to endpoints outside the seed URL's domain are treated as out of scope and are not scanned.
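Before a scan it is worth knowing which operations in a spec will fall outside that scope, since an OpenAPI document can point different paths or operations at different hosts. The script below is an added example of mine, not Dastardly code: it resolves each operation's absolute URL using OpenAPI v3 server precedence (operation-level servers override path-level, which override root-level) and splits the operations by whether the host matches the seed URL. The spec is constructed; treating "same domain" as an exact hostname match is my assumption, as the page does not say how subdomains are handled, and server URL variables ({var} templates) are not expanded.

```python
import json
from urllib.parse import urljoin, urlsplit

# Constructed OpenAPI v3 document (not a real API). The root server shares
# the seed URL's host; two operations override it with third-party hosts.
SAMPLE_SPEC = json.dumps({
    "openapi": "3.0.3",
    "servers": [{"url": "https://ginandjuice.shop/api"}],
    "paths": {
        "/products": {"get": {"summary": "list products"}},
        "/orders": {
            "servers": [{"url": "https://payments.example.net/v1"}],
            "post": {"summary": "create order"},
        },
        "/status": {
            "get": {
                "summary": "upstream status",
                "servers": [{"url": "https://status.example.org"}],
            }
        },
    },
})

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def resolve_operations(spec_text):
    """Yield (METHOD, absolute URL) for every operation, applying OpenAPI v3
    server precedence: operation-level > path-level > root-level servers."""
    spec = json.loads(spec_text)
    root_servers = spec.get("servers") or [{"url": "/"}]
    for path, item in spec.get("paths", {}).items():
        path_servers = item.get("servers") or root_servers
        for method, operation in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # "servers", "parameters", "summary" etc. are not operations
            for server in operation.get("servers") or path_servers:
                base = server["url"].rstrip("/") + "/"
                yield method.upper(), urljoin(base, path.lstrip("/"))


def partition_by_scope(spec_text, seed_url):
    """Split operations into (in_scope, out_of_scope) by exact host match
    against the seed URL (assumption: a subdomain counts as a different host)."""
    seed_host = (urlsplit(seed_url).hostname or "").lower()
    in_scope, out_of_scope = [], []
    for method, url in resolve_operations(spec_text):
        host = (urlsplit(url).hostname or "").lower()
        (in_scope if host == seed_host else out_of_scope).append((method, url))
    return in_scope, out_of_scope


if __name__ == "__main__":
    scanned, skipped = partition_by_scope(SAMPLE_SPEC, "https://ginandjuice.shop")
    print("will be scanned:")
    for m, u in scanned:
        print(f"  {m} {u}")
    print("out of scope (not scanned):")
    for m, u in skipped:
        print(f"  {m} {u}")
```

The out-of-scope list is the useful output: each entry is an endpoint the pipeline scan gives no coverage for, so it either needs its own seed URL in a separate scan or a different form of testing.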
Scan Checks
Dastardly, a dynamic application security testing (DAST) scanner based on the same technology as the widely trusted Burp Suite, helps identify key security vulnerabilities in your application. Integrated into the CI/CD pipeline, it detects seven issues commonly found in web development. These issues are only a small subset of the many vulnerability classes Burp Scanner can identify, but each can cause significant harm if exploited in a production environment; in the worst case they could grant a malicious actor complete control of the system.
Security Issues Supported by Dastardly
✔ Cross-site scripting (XSS) (reflected)
✔ Cross-origin resource sharing (CORS) issues
✔ Vulnerable JavaScript dependency
✔ Content type is not specified
✔ Multiple content types specified
✔ HTML does not specify charset
✔ Duplicate cookies set
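Five of the seven checks above are decided from a single HTTP response's headers (and, for the charset case, its body), so it is instructive to see what they mean in code. The function below is an added example of mine and not the scanner's own rules: it applies a simplified reading of each header-level check to a response given as an ordered list of (name, value) header pairs plus a body, and the two responses are constructed, not captured from any site. Reflected XSS and vulnerable JavaScript dependencies need request crafting and a version database respectively and are not covered here.

```python
import re
from collections import Counter


def check_response(headers, body=b"", request_origin=None):
    """Report which of the header-level checks listed above a response trips.

    headers: list of (name, value) pairs in wire order, so duplicates survive.
    body: raw bytes, inspected only for a <meta charset> fallback.
    request_origin: the Origin header the probe request carried, if any.
    """
    issues = []
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)

    # Content-Type: absent, duplicated, or text/html without a charset
    ctypes = by_name.get("content-type", [])
    if not ctypes:
        issues.append("Content type is not specified")
    elif len(ctypes) > 1:
        issues.append("Multiple content types specified")
    elif ctypes[0].split(";", 1)[0].strip().lower() == "text/html":
        in_header = re.search(r";\s*charset=", ctypes[0], re.I)
        in_meta = re.search(rb"<meta[^>]+charset=", body, re.I)
        if not (in_header or in_meta):
            issues.append("HTML does not specify charset")

    # Set-Cookie: the same cookie name set more than once in one response
    cookie_names = Counter(c.split("=", 1)[0].strip()
                           for c in by_name.get("set-cookie", []))
    if any(n > 1 for n in cookie_names.values()):
        issues.append("Duplicate cookies set")

    # CORS: a foreign Origin echoed back while credentials are allowed
    acao = by_name.get("access-control-allow-origin", [""])[0].strip()
    creds = by_name.get("access-control-allow-credentials", [""])[0].strip().lower() == "true"
    if creds and request_origin and acao == request_origin:
        issues.append("Cross-origin resource sharing (CORS) issues")

    return issues


# Constructed responses (not captured from any real site)
CLEAN = ([("Content-Type", "text/html; charset=utf-8"),
          ("Set-Cookie", "session=abc123; Secure; HttpOnly")],
         b"<html><body>ok</body></html>")

NOISY = ([("Content-Type", "text/html"),
          ("Content-Type", "application/json"),
          ("Set-Cookie", "session=first"),
          ("Set-Cookie", "session=second"),
          ("Access-Control-Allow-Origin", "https://third-party.example"),
          ("Access-Control-Allow-Credentials", "true")],
         b"<html><body>ok</body></html>")

if __name__ == "__main__":
    print("clean:", check_response(*CLEAN))
    print("noisy:", check_response(*NOISY, request_origin="https://third-party.example"))
```

The CORS check only fires when the probe's Origin is echoed back alongside Access-Control-Allow-Credentials: true, which is the combination that lets another origin read authenticated responses; a reflected origin without credentials, or a static allow-list value, is left alone by this simplified rule.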
Follow me on:
Twitter: https://twitter.com/piyush-kumawat
Linkedin: https://linkedin.com/piyush-kumawat
Website: https://securitycipher.com