Asserts

1. Description

Asserts is an engine to automate the closing of security findings over execution environments (DAST).

Figure 1. Use case

2. Execution

On a PC

Linux

To run an exploit, just execute:

$ pip install -U fluidasserts
$ export FA_STRICT="false"

$ python exploit.py

Windows

Just like in Linux, execute:

> pip install -U fluidasserts
> set FA_STRICT=false

> python exploit.py

In a CI (Continuous Integration) pipeline

If you have an application subscribed to our Continuous Hacking Service which includes the use of Asserts, you may add it to your Continuous Integration pipeline. To achieve this, follow these steps:

  • Add the required environment variables USER, PASS, ORG and APP. Don’t worry, we will provide the values:

    • USER: Name of the user from our Container Registry

    • PASS: The password of the user

    • ORG: The name of the organization

    • APP: The name of the application

Figure 2. Example of environment variables in Gitlab CI
  • Add a job where the container is executed.

In Gitlab CI, add:
fluidasserts:
    script:
        - docker login fluid-docker.jfrog.io -u $USER -p $PASS
        - docker pull fluid-docker.jfrog.io/$ORG:$APP
        - docker run -e ORG=$ORG -e APP=$APP -e USER=$USER -e PASS=$PASS -e FA_STRICT="true" fluid-docker.jfrog.io/$ORG:$APP

NOTE: The variable FA_STRICT must be set to either true or false. When it is set to true and any of the vulnerabilities remains open, the pipeline will break!

3. Requirements

To execute on a PC

  • Operating system:

    • Any OS that supports Python

  • Network:

    • Access to the Artifacts Repository

  • Software dependencies:

    • Python 3.6

To include in a CI pipeline

  • Operating system:

    • Any Linux-based distribution that supports Docker CE

    • Windows Server with HyperV and Docker

    • MacOS

  • Network:

    • Access to the integration environment where your application or platform is running

  • Software dependencies:

    • Docker CE 17 or later

Common

  • CPU: 4 cores @1.8GHz

  • RAM: 4GiB DDR3 @1.6GHz

  • Disk space: 10GiB

4. Exploit examples

SQL Injection

ex1_open.py: Verify if SQL injection is still present
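from fluidasserts.proto import http

# id=3%27 appends a URL-encoded single quote to the id parameter
URL = 'http://testphp.vulnweb.com/AJAX/infoartist.php?id=3%27'

# Reports OPEN when the response contains a database error message
http.has_sqli(URL)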
Results from executing ex1_open.py
# FLUIDAsserts by Fluid Attacks (https://fluidattacks.com)
# All rights reserved.
# Loading attack modules ...
---
check: fluidasserts.proto.http.has_multiple_text
status: OPEN
message: 'A bad text was present: "Warning.*mysql_.*"'
details:
  url: http://testphp.vulnweb.com/AJAX/infoartist.php?id=3%27
when: 2018-05-16 08:41:04.397649
ex1_close.py: Verify closed SQL injection
from fluidasserts.proto import http

# Same endpoint without the trailing quote; no database error is expected
URL = 'http://testphp.vulnweb.com/AJAX/infoartist.php?id=3'

http.has_sqli(URL)
Results from executing ex1_close.py
# FLUIDAsserts by Fluid Attacks (https://fluidattacks.com)
# All rights reserved.
# Loading attack modules ...
---
check: fluidasserts.proto.http.has_multiple_text
status: CLOSE
message: No bad text was present
details:
  url: http://testphp.vulnweb.com/AJAX/infoartist.php?id=3
when: 2018-05-16 08:42:02.448463

Cross-Site Scripting

ex2_open.py: Verify if XSS is still present
from fluidasserts.proto import http

URL = 'http://testphp.vulnweb.com/guestbook.php'
# Regular expression searched for in the response body
BAD_TEXT = r"<script>alert\('Hacked by Fluid Attacks'\)</script>"

# Form body posted to the guestbook; the text field carries the URL-encoded script tag
DATA = 'name=test&text=%3Cscript%3Ealert%28%27Hacked+by+Fluid+Attacks%27%29%3C%2Fscript%3E&submit=add+message'
http.has_xss(URL, BAD_TEXT, data=DATA)
Results from executing ex2_open.py
# FLUIDAsserts by Fluid Attacks (https://fluidattacks.com)
# All rights reserved.
# Loading attack modules ...
---
check: fluidasserts.proto.http.has_text
status: OPEN
message: 'Bad text present: "<script>alert\(''Hacked by Fluid Attacks''\)</script>"'
details:
  url: http://testphp.vulnweb.com/guestbook.php
when: 2018-05-16 08:43:49.769936
ex2_close.py: Verify closed XSS
from fluidasserts.proto import http

URL = 'http://testphp.vulnweb.com/guestbook.php'
# Regular expression searched for in the response body
BAD_TEXT = r"<script>alert\('Hacked by Fluid Attacks'\)</script>"

# Same form, but the text field carries plain text instead of a script tag
DATA = 'name=test&text=Hacked+by+Fluid+Attacks&submit=add+message'
http.has_xss(URL, BAD_TEXT, data=DATA)
Results from executing ex2_close.py
# FLUIDAsserts by Fluid Attacks (https://fluidattacks.com)
# All rights reserved.
# Loading attack modules ...
---
check: fluidasserts.proto.http.has_text
status: CLOSE
message: 'Bad text not present: "<script>alert\(''Hacked by Fluid Attacks''\)</script>"'
details:
  url: http://testphp.vulnweb.com/guestbook.php

Breaking the Continuous Integration pipeline

ex1_open.py: Verify if SQL Injection is still present
from fluidasserts.proto import http

URL = 'http://testphp.vulnweb.com/AJAX/infoartist.php?id=3%27'

http.has_sqli(URL)
Execution result breaking the pipeline
$ export FA_STRICT="false"
$ python ex1_open.py
---
# FLUIDAsserts by Fluid Attacks (https://fluidattacks.com)
# All rights reserved.
# Loading attack modules ...
---
check: fluidasserts.proto.http.has_multiple_text
status: OPEN
message: 'A bad text was present: "Warning.*mysql_.*"'
details:
  url: http://testphp.vulnweb.com/AJAX/infoartist.php?id=3%27
when: 2018-05-16 08:46:28.312329
$ echo $?
0
$ export FA_STRICT="true"
$ python ex1_open.py
---
# FLUIDAsserts by Fluid Attacks (https://fluidattacks.com)
# All rights reserved.
# Loading attack modules ...
---
check: fluidasserts.proto.http.has_multiple_text
status: OPEN
message: 'A bad text was present: "Warning.*mysql_.*"'
details:
  url: http://testphp.vulnweb.com/AJAX/infoartist.php?id=3%27
when: 2018-05-16 08:46:45.719005
$ echo $?
1
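
Added example, not part of Asserts or of the original page: a small parser for the result format printed in the outputs above, useful when several exploits run with FA_STRICT="false" in one job and the pass/fail decision is taken once at the end. The names parse_results and gate are hypothetical, and the parser assumes the output keeps the layout shown on this page.

```python
import re

# Constructed sample: the results shown above for ex1_open.py and
# ex1_close.py, joined as they would appear in a single job log.
SAMPLE = """\
# FLUIDAsserts by Fluid Attacks (https://fluidattacks.com)
---
check: fluidasserts.proto.http.has_multiple_text
status: OPEN
message: 'A bad text was present: "Warning.*mysql_.*"'
details:
  url: http://testphp.vulnweb.com/AJAX/infoartist.php?id=3%27
when: 2018-05-16 08:41:04.397649
---
check: fluidasserts.proto.http.has_multiple_text
status: CLOSE
message: No bad text was present
details:
  url: http://testphp.vulnweb.com/AJAX/infoartist.php?id=3
when: 2018-05-16 08:42:02.448463
"""


def parse_results(text):
    """Split the output on '---' lines and read 'key: value' pairs per result."""
    results = []
    for block in re.split(r"(?m)^---\s*$", text):
        fields = {}
        for line in block.splitlines():
            line = line.strip()
            if line.startswith("#") or ":" not in line:
                continue  # banner comments and blank lines
            key, _, value = line.partition(":")
            fields[key] = value.strip().strip("'")
        if "status" in fields:
            results.append(fields)
    return results


def gate(text, strict):
    """Return (exit_code, open_findings): 1 only if strict and something is OPEN."""
    open_findings = [r for r in parse_results(text) if r["status"] == "OPEN"]
    return (1 if strict and open_findings else 0), open_findings


if __name__ == "__main__":
    code, findings = gate(SAMPLE, strict=True)
    print([(f["check"], f["url"]) for f in findings])
    raise SystemExit(code)
```
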