Remote Scan injection for WebGUI

Patrick

23 Jul, 2013 10:45 AM

Hi there,

I am currently trying to automate builds in our company for continuous integration and also experimenting with automated penetration testing.
We use Jenkins as CI server and I first thought about integrating arachni into Jenkins by simply adding a scheduled build job with shell execution. The problem is that presenting and analysing the log output would not be that easy/comfortable.

Then I took a look at the WebGUI and I was really impressed! I only knew the command line interfaces until now...

So my question is: is there any way I could inject scans into the WebGUI remotely via Jenkins? I have not seen any scheduling mechanism in the WebGUI until now as that would be nice too. I would be glad with either solution. Just to set up a set of scans which run periodically once a week or so.

Thanks in advance and keep the good work up :)
Best regards, Patrick

  1. Support Staff 1 Posted by Tasos Laskos on 23 Jul, 2013 12:29 PM

    Hi Patrick,

    The way people usually do this is via the RPC API, i.e. don't go through the UIs at all. They write a small script or something that gets triggered by Jenkins and that starts the scan; once the scan finishes, it grabs the report and handles the results. The results would be in a data structure which you can easily manipulate, not sure about presenting them though, I assume Jenkins has a way to present data from plugins and such.

    Would that work for you?

  2. 2 Posted by Patrick on 23 Jul, 2013 05:20 PM

    Thanks for the quick reply. I guess that would be possible... somehow :D At least there is a plugin for Jenkins to execute Ruby scripts. (I just don't know Ruby and the RPC API yet)

    But I was hoping to be able to use the WebGUI because I think it is really comfortable to click through and review found vulnerabilities. If I have to do it in Jenkins it's quite hard to analyze the logfiles. There are plugins to color specific lines based on regex but that's not the same...

    Anyway: is there any difference between using the RPC API instead of a direct call of the Arachni executable? (assuming Jenkins and Arachni are installed on the same server)

  3. Support Staff 3 Posted by Tasos Laskos on 23 Jul, 2013 06:23 PM

    Yeah that makes sense, I've added a feature request for it: https://github.com/Arachni/arachni-ui-web/issues/24

    Although, it will take some time to implement as I'm mostly working on refactoring the framework for v0.5.

    The RPC API allows you to monitor and control scans programmatically instead of using a UI.
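The workflow Tasos describes in replies 1 and 3 (a script triggered by Jenkins starts the scan over the RPC API, waits for it, fetches the report and handles the results itself, since the WebUI will not show scans it did not start) as an added example in Ruby. This is not code from the thread or from the Arachni project: the client calls inside `run_scan` are assumptions about the Arachni RPC client (`Dispatcher#dispatch`, `Instance#service.scan/busy?/report/shutdown`), the `issues` field layout in `SAMPLE_REPORT` is an assumed report shape, and the host/target names are constructed; check all of them against the Arachni version you have installed.

```ruby
#!/usr/bin/env ruby
# Added example (not from the thread or the Arachni project): drive a scan
# through the Arachni RPC API from a Jenkins job, then turn the report into a
# console summary and a build exit status. The client calls inside run_scan and
# the 'issues' layout are assumptions about the RPC API and report format.
require 'json'

SEVERITY_ORDER = %w[informational low medium high].freeze

# Dispatch an Instance, scan the target, wait for it, return the report Hash.
# Assumes the arachni gem is installed and a Dispatcher listens on
# dispatcher_url, e.g. "localhost:7331". Only invoked when arguments are given.
def run_scan(dispatcher_url, target, poll_interval = 5)
  require 'arachni'
  require 'arachni/rpc/client'

  opts       = Arachni::Options.instance
  dispatcher = Arachni::RPC::Client::Dispatcher.new(opts, dispatcher_url)
  info       = dispatcher.dispatch                 # spawns a fresh Instance
  instance   = Arachni::RPC::Client::Instance.new(opts, info['url'], info['token'])

  instance.service.scan(url: target, checks: '*')  # option is named 'modules' on 0.4.x
  sleep poll_interval while instance.service.busy?

  report = instance.service.report                 # Hash with an 'issues' array
  instance.service.shutdown                        # release the Instance process
  report
end

# Collapse a report into per-severity counts and a flat, severity-sorted list.
# Falls back to the older flat 'url'/'var' keys if there is no 'vector' Hash.
def summarize(report)
  counts   = Hash.new(0)
  findings = report.fetch('issues', []).map do |issue|
    sev = issue['severity'].to_s.downcase
    counts[sev] += 1
    vector = issue['vector'] || {}
    { severity: sev,
      name:     issue['name'],
      url:      vector['url'] || issue['url'],
      input:    vector['affected_input_name'] || issue['var'] }
  end
  ordered = findings.sort_by { |f| -(SEVERITY_ORDER.index(f[:severity]) || -1) }
  { counts: counts, findings: ordered }
end

# Exit status for Jenkins: 1 if any issue is at or above fail_on, else 0.
def build_status(report, fail_on: 'high')
  threshold = SEVERITY_ORDER.index(fail_on)
  raise ArgumentError, "unknown severity #{fail_on}" unless threshold

  blocking = summarize(report)[:findings].count do |f|
    idx = SEVERITY_ORDER.index(f[:severity])
    idx && idx >= threshold
  end
  blocking.zero? ? 0 : 1
end

# Plain-text summary for the Jenkins console log: counts, then one line per issue.
def render(report)
  s     = summarize(report)
  lines = SEVERITY_ORDER.reverse.map { |sev| format('%-13s %d', sev, s[:counts][sev]) }
  lines += s[:findings].map { |f| "[#{f[:severity]}] #{f[:name]} at #{f[:url]} (#{f[:input]})" }
  lines.join("\n")
end

# Constructed sample report, shaped like an Arachni 'issues' array (assumed layout).
SAMPLE_REPORT = {
  'issues' => [
    { 'name' => 'SQL Injection', 'severity' => 'high',
      'vector' => { 'url' => 'http://app.example.test/login', 'affected_input_name' => 'user' } },
    { 'name' => 'Cross-Site Scripting (XSS)', 'severity' => 'high',
      'vector' => { 'url' => 'http://app.example.test/search', 'affected_input_name' => 'q' } },
    { 'name' => 'Missing X-Frame-Options header', 'severity' => 'low',
      'vector' => { 'url' => 'http://app.example.test/' } },
    { 'name' => 'Interesting response', 'severity' => 'informational',
      'vector' => { 'url' => 'http://app.example.test/robots.txt' } }
  ]
}.freeze

if ARGV.empty?
  # No arguments: demonstrate the triage on the constructed sample.
  puts render(SAMPLE_REPORT)
  puts "build status: #{build_status(SAMPLE_REPORT)}"
else
  # Jenkins mode: ruby <script> <dispatcher host:port> <target url>
  report = run_scan(ARGV.fetch(0), ARGV.fetch(1))
  puts render(report)
  exit build_status(report, fail_on: ENV.fetch('FAIL_ON', 'high'))
end
```

In a Jenkins "Execute shell" step this would be called as `ruby arachni_gate.rb localhost:7331 http://app.example.test/` (file name and hosts are hypothetical), with `FAIL_ON=medium` in the job environment if medium findings should also break the build; Jenkins marks the build failed on the non-zero exit, and the severity-sorted summary lands in the console log.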

  4. 4 Posted by Patrick on 29 Jul, 2013 02:29 PM

    Hi, I need to bother you again, sorry :)

    Today I wanted to test out the RPC dispatcher and client.
    I started a local dispatcher and added it in the WebUI.
    But how is it possible to use the dispatcher within the WebUI?

    I was at least able to start a scan via command line RPC client, referencing the same dispatcher. I can also see that there was a scan in the WebUI but there are no results? Is it not possible to get the results in the WebUI?

    If no, why is it even possible to configure dispatchers in the WebUI?
    Or how can they be used from there? This statement indicates to me that there has to be a way to use them...!?
    "Rows in yellow indicate that the Instance was not created by this WebUI."

    Thank you, best regards

  5. Support Staff 5 Posted by Tasos Laskos on 29 Jul, 2013 02:52 PM

    Hi, this should explain it: https://github.com/Arachni/arachni-ui-web/wiki/scans#wiki-New-scan-...

    But, you can't manage scans not started by the WebUI as there will be a lot of data missing -- like the used profile, the scan owner etc.

    Let me know if you need more info.

  6. Tasos Laskos closed this discussion on 29 Jul, 2013 02:52 PM.
