GitLab

GitLab -

Monitor your web attack surface with GitLab CI/CD and GitLab Pages

DISCLAIMER: We believe that understanding the tactics and techniques of both attackers and defenders is key to keeping our organization secure. It's important to note that GitLab security blog posts are for informational purposes only, not to provide specific security advice. Attackers love insecure web applications. Lucky for them, these applications are everywhere! Test environments, development instances, default installations with hardcoded passwords - you name it, it's out there somewhere waiting to be exploited. The easier it becomes to deploy resources in the cloud, the more of these insecure web applications end up exposed to hacking and/or unintended access. You can get ahead of potential threats by proactively identifying and reviewing your own web application attack surface. In this tutorial, we'll explain how you can monitor the web applications in your environment by generating a screenshot report using GitLab CI/CD, GitLab Pages, and a handful of free and open source security tools. You'll end up with a fully automated solution that can: Identify web services on a list of addresses you own. Capture screenshots of these web services. Build an authenticated web portal for you to visually see each site that was discovered. Building the solution Start with a project Inside the GitLab web interface, create a blank project. The default settings should be fine, but you should review to confirm that the default settings are appropriate. Pay particular attention to the "Visibility Level" - you may want to set this to private. Write the automation scripts We'll use three scripts in this project: setup.sh: Install the required tooling. discover-services.sh: Identify web services using httpx. take-screenshots.sh: Use gowitness to generate a static website containing screenshots of each identified web service. The HTML generated by gowitness will be placed into the public folder, which is used by GitLab Pages to generate a website you can click through to review the findings. Each script will generate output files which may be useful for additional analysis. These will be made available as GitLab job artifacts, so that you can download and review them at will. To complete this step, first create a new folder in your project called scripts. Then, add the following files into that folder: setup.sh #!/bin/bash # create folder for downloaded binaries mkdir bin # install general pre-reqs apt -qq update > /dev/null apt -qq install -y wget unzip > /dev/null # install pre-reqs for gowitness apt -qq install -y chromium > /dev/null # download tools wget -q https://github.com/projectdiscovery/httpx/releases/download/v1.2.5/httpx_1.2.5_linux_amd64.zip wget -q https://github.com/sensepost/gowitness/releases/download/2.4.2/gowitness-2.4.2-linux-amd64 # unzip / move all relases to bin folder unzip httpx_1.2.5_linux_amd64.zip -d bin/ mv gowitness-2.4.2-linux-amd64 bin/gowitness chmod u+x bin/gowitness discover-services.sh #!/bin/bash # You may want to dynamically generate a target file with each run. # For this demo, we are using a list defined inside project CI variables. TARGETS=$TARGET_FILE # create output directory mkdir ./targets # Identify web services echo "Identifying web services across $(cat "$TARGETS" | wc -l) targets..." cat "$TARGETS" | bin/httpx -o targets/web-services.txt -p 80,443 echo "Discovered $(cat targets/web-services.txt | wc -l) web services." take-screenshots.sh #!/bin/bash # Run gowitness bin/gowitness file -f targets/web-services.txt bin/gowitness report export -f report.zip # Move the report to pages outdir unzip report.zip mv gowitness public Set up the pipeline Next, we need to create the .gitlab-ci.yml file where we configure all of these scripts to run inside a pipeline. Create this file in the root of the project with the following contents: stages: - scan - deploy scanner: image: debian:bullseye stage: scan script: - bash ./scripts/setup.sh - bash ./scripts/discover-services.sh - bash ./scripts/take-screenshots.sh only: - schedules - web artifacts: paths: - targets - public pages: stage: deploy script: - echo "" # do nothing only: - schedules - web artifacts: paths: - public This file defines a pipeline with two stages: The first stage (scan) runs all three scripts we created. This will generate a static website inside a folder called public. The second stage (deploy) is required for GitLab Pages to work - this is where the static site is published on a publicly-accessible URL that can be configured to require GitLab authentication. You can see we've added an only condition to both of these stages. This ensures that the tool doesn't run every time you make a change to the code - it runs only on a defined schedule or when you manually choose to run it via the web UI. Define your targets You may have noticed the TARGETS_FILE variable inside the discover-services.sh script from earlier. That's a file variable that will contain the targets you wish to scan. Defining this as a variable allows us to create a generic, portable project that can be forked and cloned without containing any specific targets. To add some targets to your project, go to "Settings -> CI/CD -> Variables" and click the "Add variable" button. Enter TARGET_FILE for the "Key" and fill in one host name or IP address per line in the "Value" section. Make sure to add a blank line to the end of the list - this is required for the scripts to run correctly. We run a similar version of this screenshot tool internally, and we generate this file dynamically by exporting all of our public addresses from our various cloud environments. If you decide to implement something like that, we'd recommend adding an additional stage to your .gitlab-ci.yaml file. Schedule and run the pipeline GitLab projects have a built-in scheduler that lets you automatically run pipelines at specific dates/times. You can access this inside your project at "CI/CD -> Schedules". Here, we'll create a new schedule to run once a week on Monday mornings. After saving the schedule, you can also choose to manually run the pipeline by clicking the play button shown below. If you are following along, go ahead and do this now. You can follow the progress of your pipeline by navigating to "CI/CD -> Pipelines". Click on the status of the most recent pipeline. Here, you'll see the stages we configured earlier. If all goes well, you'll see green check marks on each stage. You can click on an individual stage to watch the console logs and perform any necessary troubleshooting. Enable notifications Once you've set up a schedule, you might want to be alerted whenever a new report is ready. Luckily, GitLab has you covered here! Inside your project, go to "Settings -> Integrations -> Pipeline Status Emails". Put your email address into the "Recipients" field and uncheck the box "Notify only broken pipelines". This will send you an email each time a pipeline completes and a new screenshot report has been published to your GitLab Pages site. GitLab offers a slew of other notifcation options as well, including things like Slack and Teams. If you prefer one of those, you can read more in the docs. View your GitLab Pages site Once the pipeline has completed successfully, your site should be available. You can obtain the site's public address by going to "Settings -> Pages". If you set your project to be private, then by default only project members who are authenticated to the GitLab server can view the site. You can modify these settings under "Settings -> General -> Visibility, project features, permissions -> Pages". Summary Web applications are everywhere. Often, they are deployed with vulnerable configurations and are left forgotten - unmonitored and awaiting exploitation. You can build a monitoring solution using GitLab and free, open-source tools that gives you a visual overview of the web apps running in your own environment. This blog walked you through manually setting this up yourself. You can view our example project here, which was created exactly as decribed above. Feel free to fork or clone that project as a shortcut to setting it up from scratch yourself. We love to find creative uses for GitLab, and this is one we use ourselves internally. If you've come up with some of your own interesting use cases, we would love to hear about them! Or, if there is anything else you'd like our security team to write about, please do let us know! You can share your thoughts in the comments below or via issues and merge requests on any of our projects. Thanks for reading!

gitlab gitlab surface web

相关推荐 去reddit讨论
分享给好友
沉浸式翻译 immersive translate
fomepay

热榜 Top10

  1. VideoTrans – 开源视频翻译项目:自动识别并生成字幕后,翻译 + 配音[Windows]
  2. Building an RSS Generator with RSSHub on Synology Docker
  3. OTPAUTH,两步验证中的通用协议
  4. 使用 RSSHub 搭建 RSS 生成器(群晖 Docker)
  5. 香港保号卡 / 流量卡怎么选,看这一篇就够了
  6. 联想 ThinkBook 16+ 笔记本电脑 更换无线网卡和加装固态硬盘教程
  7. 小米 / 红米 / MIUI / HyperOS 的 Google Play 安装教程
  8. Headscale渐入佳境-路由设置
  9. 在 OpenResty Edge 中配置 SNI 代理
  10. InseRF: 文本驱动的神经三维场景中物体插入生成
  1. 使用 Zeabur 构建我的 n8n 赛博空间
  2. South Korea’s next sales frontier: Retail media networks
  3. 香港保号卡 / 流量卡怎么选,看这一篇就够了
  4. 小米 / 红米 / MIUI / HyperOS 的 Google Play 安装教程
  5. Building an RSS Generator with RSSHub on Synology Docker
  6. OTPAUTH,两步验证中的通用协议
  7. 2024十大高性价比设计专业图形移动工作站笔记本排行榜及避坑指南,轻松省下1W+!(内含专业图形显卡天梯)
  8. OpenAPI生成器中实现自定义模板
  9. 联想 ThinkBook 16+ 笔记本电脑 更换无线网卡和加装固态硬盘教程
  10. VideoTrans – 开源视频翻译项目:自动识别并生成字幕后,翻译 + 配音[Windows]
  1. 使用 Zeabur 构建我的 n8n 赛博空间
  2. 香港保号卡 / 流量卡怎么选,看这一篇就够了
  3. Building an RSS Generator with RSSHub on Synology Docker
  4. 使用 RSSHub 搭建 RSS 生成器(群晖 Docker)
  5. South Korea’s next sales frontier: Retail media networks
  6. 1.1.1.1 WARP 使用教程 iOS 版
  7. 香港 Club SIM 申请 eSIM 及从其他运营商转入号码教程
  8. Pydroid3 v7.0整合版(汉化+内置所有依赖)安装教程
  9. 2024十大高性价比设计专业图形移动工作站笔记本排行榜及避坑指南,轻松省下1W+!(内含专业图形显卡天梯)
  10. OTPAUTH,两步验证中的通用协议

标签 Top100

全部

ai 语言模型 神经网络 linux llm 开源 微软 .net python 数据集 人工智能 算法 google 扩散模型 apple 安全 苹果 机器学习 java 深度学习 rust android 建模 postgresql 游戏 机器人 谷歌 漏洞 ios windows mysql spring openai 大模型 c# api 函数 开发者 gpt 教程 github windows 11 microsoft chatgpt 数据库 卷积 web nvidia 浏览器 内存 mongodb iphone 强化学习 docker cloud 插件 security 编码器 sql 大语言模型 基准测试 wordpress 欧盟 程序员 联邦学习 黑客 总结 mac 流量 postgres 入门 c++ 解决方案 generative ai 无监督 一致性 sora 点云 swift 视图 工程师 重建 spring boot 网络安全 接口 单片机 redis pdf kubernetes 前端 硬件 cve 多智能体 源码 git chrome 容器 面试 visual studio cpu

赞助商

我也要赞助
eolink
eolink
观测云
观测云
Dify.AI
Dify.AI
LigaAI
LigaAI

推荐或自荐

意见或建议