SecTester.Runner 0.41.3

dotnet add package SecTester.Runner --version 0.41.3
NuGet\Install-Package SecTester.Runner -Version 0.41.3
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package.
<PackageReference Include="SecTester.Runner" Version="0.41.3" />
For projects that support PackageReference, copy this XML node into the project file to reference the package.
paket add SecTester.Runner --version 0.41.3
#r "nuget: SecTester.Runner, 0.41.3"
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package.
// Install SecTester.Runner as a Cake Addin
#addin nuget:?package=SecTester.Runner&version=0.41.3

// Install SecTester.Runner as a Cake Tool
#tool nuget:?package=SecTester.Runner&version=0.41.3

SecTester.Scan


Run vulnerability scans directly from your unit tests during the CI phase.

Setup

$ dotnet add package SecTester.Runner

Step-by-step guide

Configure SDK

To start writing tests, first obtain a Bright token, which is required to access the Bright API. See the Bright documentation for more information about setting up an API key.

Then put the obtained token into the BRIGHT_TOKEN environment variable so that the default EnvCredentialProvider can pick it up.

Refer to SecTester.Core documentation for the details on alternative ways of configuring credential providers.

Once that is done, create a configuration object. The only required option is the Bright hostname you are going to use, e.g. app.brightsec.com as the main one:

using SecTester.Core;

var config = new Configuration("app.brightsec.com");

Setup runner

To set up a runner, create a SecRunner instance, passing the previously created configuration, as follows:

using SecTester.Core;
using SecTester.Runner;

var config = new Configuration("app.brightsec.com");
// pass the configuration object created above
await using var runner = await SecRunner.Create(config);

After that, you have to initialize the SecRunner instance:

await runner.Init();

The runner is now ready to perform your tests, but first you have to create a scan.

To dispose a runner, you just need to call the Clear or DisposeAsync method:

await runner.Clear();

// or

await runner.DisposeAsync();

Starting scan

To start scanning your application, first you have to create a SecScan instance, as shown below:

await using var scan = await runner.CreateScan(new ScanSettingsBuilder()
    .WithTests(new List<TestType> { TestType.Xss }));

Below you will find a list of parameters that can be used to configure a Scan:

Option - Description

Target - The target that will be attacked. For details, see here.
Tests - The list of tests to be performed against the target application. Learn more about tests.
RepeaterId - Connects the scan to a Repeater agent, which provides secure access to local networks.
Smart - Minimize scan time by using automatic smart decisions regarding parameter skipping, detection phases, etc. Enabled by default.
SkipStaticParams - Use an advanced algorithm to automatically determine if a parameter has any effect on the target system's behavior when changed, and skip testing such static parameters. Enabled by default.
PoolSize - Sets the maximum concurrent requests for the scan, to control the load on your server. By default, 10.
AttackParamLocations - Defines which part of the request to attack. By default, body, query, and fragment.
SlowEpTimeout - Automatically validate entry-point response time before initiating the vulnerability testing, and reduce scan time by skipping any entry-points that take too long to respond. By default, 1000ms.
TargetTimeout - Measure timeout responses from the target application globally, and stop the scan if the target is unresponsive for longer than the specified time. By default, 5min.
Name - The scan name. The method and hostname by default, e.g. GET example.com.

We provide a fluent interface for building a ScanSettings object. To use it, you start by creating a ScanSettingsBuilder instance, and then you call its methods to specify the various settings you want to use for the scan as shown above.

Finally, run a scan against your application:

var target = new Target("https://localhost:8000/api/orders")
  .WithMethod(HttpMethod.Post)
  .WithBody(@"{ ""subject"": ""Test"", ""body"": ""<script>alert('xss')</script>"" }", "application/json");

await scan.Run(target);

The Run method takes a single argument (for details, see here) and returns a Task (the C# counterpart of a promise) that completes if the scan finishes without any vulnerability found, and throws otherwise (when an issue that meets the threshold is found, on timeout, or on a scanning error).

If any vulnerabilities are found, they are pretty-printed to stderr (depending on the testing framework) and formatted by the chosen Formatter.

By default, each found issue will cause the scan to stop. To control this behavior you can set a severity threshold using the Threshold method:

scan.Threshold(Severity.High);

Now, issues with a severity lower than High will not cause the scan to stop.

Sometimes, either due to scan configuration issues or target misbehaviour, the scan might take much more time than you expect. In this case, you can provide a timeout specifying the maximum scan running time:

scan.Timeout(TimeSpan.FromSeconds(30));

In that case, if after 30 seconds the scan has neither finished nor found any vulnerability, it will throw an error.

Usage sample

using System.Configuration;
using SecTester.Runner;
using SecTester.Scan;
using SecTester.Scan.Models;
using Xunit;

public class SecRunnerFixture : IAsyncLifetime
{
  public SecRunner Runner { get; private set; } = null!;

  public async Task InitializeAsync()
  {
    var hostname = ConfigurationManager.AppSettings["BrightHost"];
    // create a test runner
    Runner = await SecRunner.Create(new SecTester.Core.Configuration(hostname));
    // initialize a test runner
    await Runner.Init();
  }

  public async Task DisposeAsync()
  {
    if (Runner is not null)
    {
      // clean up runner
      await Runner.DisposeAsync();
    }
  }
}

public class OrdersApiTests : IClassFixture<SecRunnerFixture>, IAsyncLifetime
{
  private readonly SecRunnerFixture _fixture;
  private SecScan _test = null!;

  public OrdersApiTests(SecRunnerFixture fixture)
  {
    _fixture = fixture;
  }

  public async Task InitializeAsync()
  {
    // CreateScan is asynchronous, so the scan is created here rather than in the constructor
    var scan = await _fixture
      .Runner
      .CreateScan(new ScanSettingsBuilder()
        .WithTests(new List<TestType> { TestType.Xss }));

    _test = scan
      .Threshold(Severity.Medium)
      .Timeout(TimeSpan.FromMinutes(5));
  }

  public async Task DisposeAsync()
  {
    // dispose only the scan; xUnit disposes the shared fixture after the last test in the class
    await _test.DisposeAsync();
  }

  [Fact]
  public async Task Post_ApiOrder_ShouldNotHavePersistentXss()
  {
    var target = new Target("https://localhost:8000/api/orders")
      .WithMethod(HttpMethod.Post)
      .WithBody(@"{ ""subject"": ""Test"", ""body"": ""<script>alert('xss')</script>"" }", "application/json");

    await _test.Run(target);
  }

  [Fact]
  public async Task Get_ApiOrder_ShouldNotHaveReflectiveXss()
  {
    var target = new Target("https://localhost:8000/api/orders")
      .WithQuery(new Dictionary<string, string> { { "q", "<script>alert('xss')</script>" } });

    await _test.Run(target);
  }
}
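As an added example that is not part of the SecTester README or SDK, the two tests above generalised into one data-driven xUnit test that runs the same scan against several entry points. It reuses the SecRunnerFixture from the sample and assumes an environment variable SECTESTER_THRESHOLD (a name chosen here, not read by the SDK) to gate the severity threshold per pipeline.

```csharp
using SecTester.Runner;
using SecTester.Scan;
using SecTester.Scan.Models;
using Xunit;

// Reuses the SecRunnerFixture from the usage sample; SECTESTER_THRESHOLD is an
// assumed variable name for this example, not something the SDK reads itself.
public class OrdersApiEntryPointTests : IClassFixture<SecRunnerFixture>, IAsyncLifetime
{
  private readonly SecRunnerFixture _fixture;
  private SecScan _scan = null!;

  public OrdersApiEntryPointTests(SecRunnerFixture fixture) => _fixture = fixture;

  // e.g. SECTESTER_THRESHOLD=High on pull requests, Low on a nightly run; Medium if unset
  private static Severity ThresholdFromEnvironment() =>
    Enum.TryParse(Environment.GetEnvironmentVariable("SECTESTER_THRESHOLD"), true, out Severity s)
      ? s
      : Severity.Medium;

  public async Task InitializeAsync()
  {
    var scan = await _fixture.Runner.CreateScan(new ScanSettingsBuilder()
      .WithTests(new List<TestType> { TestType.Xss }));
    // Threshold and Timeout are the fluent setters shown in the README
    _scan = scan.Threshold(ThresholdFromEnvironment()).Timeout(TimeSpan.FromMinutes(5));
  }

  public async Task DisposeAsync() => await _scan.DisposeAsync();

  // Constructed entry points of the sample orders API; the name only labels the test case
  public static IEnumerable<object[]> Targets()
  {
    yield return new object[] { "POST /api/orders json body",
      new Target("https://localhost:8000/api/orders")
        .WithMethod(HttpMethod.Post)
        .WithBody(@"{ ""subject"": ""Test"", ""body"": ""<script>alert('xss')</script>"" }", "application/json") };
    yield return new object[] { "GET /api/orders?q=",
      new Target("https://localhost:8000/api/orders")
        .WithQuery(new Dictionary<string, string> { { "q", "<script>alert('xss')</script>" } }) };
  }

  // Run throws when an issue at or above the threshold is found, on timeout or on a
  // scan error, so each entry point fails independently and by name in the test report.
  [Theory]
  [MemberData(nameof(Targets))]
  public async Task EntryPoint_ShouldNotHaveXss(string name, Target target)
  {
    await _scan.Run(target);
  }
}
```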

License

Copyright © 2022 Bright Security.

This project is licensed under the MIT License - see the LICENSE file for details.

Target frameworks: netstandard2.0 is included in the package; all other .NET, .NET Core, .NET Framework, Mono, Tizen and Xamarin targets listed by NuGet are computed from it.

NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last updated
0.41.3 113 10/4/2023
0.41.2 75 10/4/2023
0.41.1 105 10/4/2023
0.41.0 92 10/4/2023
0.40.0 161 8/3/2023
0.39.1 136 8/1/2023
0.39.0 131 7/31/2023
0.38.0 142 7/28/2023
0.37.0 144 7/20/2023
0.36.0 141 6/5/2023
0.35.1 134 5/2/2023
0.35.0 184 4/11/2023
0.34.0 264 2/8/2023
0.33.7 286 12/20/2022
0.33.6 283 12/16/2022
0.33.5 284 12/16/2022
0.33.4 297 12/15/2022
0.33.3 284 12/14/2022
0.33.2 285 12/14/2022
0.33.1 287 12/14/2022
0.33.0 283 12/14/2022
0.32.8 273 12/13/2022
0.32.7 268 12/13/2022
0.32.6 277 12/13/2022
0.32.5 274 12/13/2022
0.32.4 278 12/13/2022
0.32.3 269 12/13/2022
0.32.2 278 12/13/2022
0.32.1 270 12/13/2022
0.32.0 281 12/13/2022
0.31.0 277 12/11/2022