
How to deploy DongTai passive IAST tools

2025-01-16 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/03

This article introduces the knowledge of "how to deploy DongTai passive IAST tools". In the operation of actual cases, many people will encounter such a dilemma, so let the editor lead you to learn how to deal with these situations. I hope you can read it carefully and be able to achieve something!

Catalogue

01. Environment preparation

02. Quick installation and deployment

03. Preliminary testing experience

I applied for the internal beta of DongTai IAST Enterprise Edition in May, which makes me one of the relatively early users. Let's talk about a few issues that I care about, such as API interface coverage, third-party open source component detection and dirty data, which are all pain points in security testing, so we will look for the answers while using this tool.

Here, let's do a simple installation and deployment, then connect a test range (a deliberately vulnerable application) to try out the testing.

01. Environment preparation

Docker installation

1. Install the required software packages

sudo yum install -y yum-utils \
  device-mapper-persistent-data \
  lvm2

2. Set up the repository

sudo yum-config-manager \
  --add-repo \
  http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

3. Install the latest Docker Engine-Community and containerd

sudo yum install docker-ce docker-ce-cli containerd.io

Docker-compose installation

wget https://github.com/docker/compose/releases/download/1.29.2/docker-compose-Linux-x86_64
mv docker-compose-Linux-x86_64 /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose

02. Quick installation and deployment

DongTai IAST supports a variety of deployment methods; a local deployment can be done with docker-compose.

$ git clone https://github.com/HXSecurity/DongTai.git
$ cd DongTai
$ chmod u+x build_with_docker_compose.sh
$ ./build_with_docker_compose.sh

On first use, log in with the default account admin/admin and configure the dongtai-openapi service address to complete the basic installation and configuration of the environment.

03. Preliminary testing experience

Taking WebGoat as the test range: create a new project, load the agent, then access the web application normally. The API requests this triggers are what the tool uses to detect vulnerabilities.

Deploy Agent:

java -javaagent:./agent.jar -jar webgoat-server-8.1.0.jar --server.port=9999 --server.address=0.0.0.0

Detected vulnerabilities:

Here are several recommended vulnerable practice applications (test ranges) developed in Java:

Webgoat: https://github.com/WebGoat/WebGoat

Wavsep: https://github.com/sectooladdict/wavsep

Bodgeit: https://github.com/psiinon/bodgeit

SecExample: https://github.com/tangxiaofeng7/SecExample

Finally, by connecting the IAST tool to the DevOps process and installing the Agent in the CI/CD pipeline, you can automate security testing and turn on vulnerability harvesting mode, which should be an interesting attempt.
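For the CI/CD step mentioned above, the agent launch from section 03 can be wrapped with pre-flight checks so that an unattended job fails loudly instead of running without instrumentation. This is an added example, not code from the original article or the DongTai project; the function name `iast_java_cmd` and its argument order are hypothetical, and jar paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example: builds the java command line shown in section 03,
# with checks suited to an unattended CI job. Names are hypothetical.

# iast_java_cmd AGENT_JAR APP_JAR [PORT] [BIND_ADDR]
# Prints the command line on stdout; returns non-zero on a failed check.
iast_java_cmd() {
    agent=$1 app=$2 port=${3:-9999} addr=${4:-127.0.0.1}

    # Fail early: a missing agent jar makes the JVM abort at startup, and
    # a launch without the option would run the tests with no IAST coverage.
    [ -s "$agent" ] || { echo "agent jar missing or empty: $agent" >&2; return 2; }
    [ -s "$app" ]   || { echo "application jar missing or empty: $app" >&2; return 2; }

    # Port must be an integer in 1..65535.
    case $port in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 3 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "invalid port: $port" >&2; return 3; }

    # WebGoat is deliberately vulnerable: default to loopback and require
    # an explicit argument (e.g. 0.0.0.0) to listen on other interfaces.
    # -javaagent must come before -jar; anything after the jar name is
    # passed to the application, not to the JVM.
    printf 'java -javaagent:%s -jar %s --server.port=%s --server.address=%s\n' \
        "$agent" "$app" "$port" "$addr"
}
```

In a pipeline step the printed line can be logged and then executed, so the build record shows exactly which agent and bind address were used.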

Note:

Delete all containers:

docker rm -f `docker ps -a -q`

Delete all images:

docker rmi `docker images -q`
