Automation With Cohesion

Cohesion is an automated web application security testing tool designed to be used in CI/CD environments. It comes as a Maven plugin and integrates well with Jenkins and all kinds of other build environments. However, Cohesion is a lot more than this, and we use it almost daily for research and for fun.

To illustrate what Cohesion can do, we have made a full-featured web application security scanner that runs from a configurable Maven pom.xml file. The project is hosted on GitHub as usual. The scanner works by defining different execution stages that launch various scans against the targets in the list. Output files in HTML and XML are kept separately for brevity.

To add a new scan, simply modify the following template and paste it inside the pom.xml file.

<execution>
	<id>demo.testfire.net</id>
	<phase>integration-test</phase>
	<goals><goal>scan</goal></goals>

	<configuration>
		<target>**YOUR TARGET HERE**</target>
		<fail>false</fail>
		<output>${project.build.directory}/**YOUR OUTPUT FILE PREFIX HERE**</output>
	</configuration>
</execution>

The snippet is self-explanatory. You can even add multiple URLs by doing something like this:

<execution>
	<id>demo.testfire.net</id>
	<phase>integration-test</phase>
	<goals><goal>scan</goal></goals>

	<configuration>
		<target>**YOUR TARGET HERE**</target>
		<fail>false</fail>
		<output>${project.build.directory}/**YOUR OUTPUT FILE PREFIX HERE**</output>
		<includes>
			<target>**ADDITIONAL TARGET**</target>
		</includes>
	</configuration>
</execution>

Furthermore, why not exclude some URLs from the scans as well, just in case?

<execution>
	<id>demo.testfire.net</id>
	<phase>integration-test</phase>
	<goals><goal>scan</goal></goals>

	<configuration>
		<target>**YOUR TARGET HERE**</target>
		<fail>false</fail>
		<output>${project.build.directory}/**YOUR OUTPUT FILE PREFIX HERE**</output>
		<includes>
			<target>**ADDITIONAL TARGET**</target>
		</includes>
		<excludes>
			<target>**TARGET TO EXCLUDE**</target>
		</excludes>
	</configuration>
</execution>

You can see how quickly you can build it up from here. However, this is not all. There are plenty of options that we have added to give you all kinds of control. A better article that explains some of the features of Cohesion can be found here.
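Because new scans are added by copying the template, a pasted copy can keep the template's `<id>`, an unreplaced `**...**` placeholder, or another scan's output prefix. The following check is an added example, not part of Cohesion or the original project; it takes the plugin's `<executions>` element as text, and the function names, the sample hosts and the assumption that a shared output prefix makes reports collide are mine.

```python
import xml.etree.ElementTree as ET
from collections import Counter

def local(tag):
    """Drop the XML namespace so the check works with or without the POM xmlns."""
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    """Text of the first direct child called `name`, or '' if absent."""
    return next(((c.text or "").strip() for c in elem if local(c.tag) == name), "")

def lint_executions(xml_text):
    """Return a list of problems found in the scan <execution> blocks."""
    problems, ids, outputs = [], Counter(), Counter()
    for ex in ET.fromstring(xml_text).iter():
        if local(ex.tag) != "execution":
            continue
        ex_id = child_text(ex, "id")
        ids[ex_id] += 1
        cfg = next((c for c in ex if local(c.tag) == "configuration"), None)
        if cfg is None:
            continue
        outputs[child_text(cfg, "output")] += 1
        for node in cfg.iter():  # covers <target> inside includes/excludes too
            if local(node.tag) in ("target", "output") and "**" in (node.text or ""):
                problems.append(f"{ex_id}: unreplaced placeholder in <{local(node.tag)}>")
    # Maven rejects a plugin whose executions share an id.
    problems += [f"duplicate execution id: {i}" for i, n in ids.items() if n > 1]
    # Assumption: scans that share an output prefix write to the same report files.
    problems += [f"output prefix reused: {o}" for o, n in outputs.items() if n > 1]
    return problems

# Constructed sample: the template pasted twice, the second copy only half edited.
SAMPLE = """<executions>
  <execution><id>demo.testfire.net</id>
    <configuration>
      <target>https://app.example.test/</target>
      <output>${project.build.directory}/app</output>
    </configuration></execution>
  <execution><id>demo.testfire.net</id>
    <configuration>
      <target>**YOUR TARGET HERE**</target>
      <output>${project.build.directory}/app</output>
    </configuration></execution>
</executions>"""

if __name__ == "__main__":
    for problem in lint_executions(SAMPLE):
        print(problem)
```

Run as a pre-build step, a non-empty result can fail the job before any scan is launched.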

Cohesion is great for doing continuous automation of web application security assessments. It is automatic. It runs with very little configuration and requires no user intervention. For Continuous Integration/Delivery pipelines this is all that you need.