The Websecurify Team is very excited to announce the official release of Driver - a selenium-based execution tool for local testing in continuous delivery/integration environments and much more. With the help of the Driver you can run all of our online tools on your own servers which is perfect for all kinds of automation tasks.
Short Introduction
The SecApps Drivers is open-source, selenium-based, dockerized, meta-tool for automated testing. You can use it as it is or make it your own by forking our project on GitHub. The Driver behaves as a normal command-line tool, which makes it universally integratable into any type of delivery pipeline.
For example, this is how you can launch Foundation to pick up some Cross-site Scripting vulnerabilities:
docker --rm websecurify/secapps-driver foundation http://target/
Easy enough but we can make it more exiting. In order to use Scanner, Recon or even the WPScanner (our Wordpress security scanner) we need to provide an access token, which you can get from the Launchpad once you login. To make things even more interesting we will export the results in XML format. All of that look likes this from the command-line:
docker --rm -v ~:/output websecurify/secapps-driver scanner http://target/ -r xml -a d45971599d5a54f5d419e9628f5853f41b15dd34
Voalá! Now the report is available in our home folder ready to be inspected. I hope you can start seeing the benefits of using the Driver. Anything you can do from the browser, now can be done via the command-line.
Usage Scenarios
The Sky is the limit but here are a few suggestions.
- Integrate it with Jenkins or Travis CI. Why not? In a single step you can spun your own continuous integration environment for security testing. There is no need to install any additional software, keep your scans up-to-date and that sort of thing. Everything is taken care of automatically by us.
- Keeping things secure. Now you can start using a modern scanning technology to keep your web estate secure through automation. Just setup a cron job for regular scans. Put the reports into Jira or any other ticketing system. It is really easy when you have the right tool for the job and with SecApps you have more than one tool to choose from. The power is in the choice.
- Earn some bounties. We have used our software to claim bounties from numerous bounty programs. Sometimes we got payed twice for the same bug. We pulled this of by automation. Now you can do it too.
- Make it your own. If you don't like the Driver or if you prefer to customize it in an awesome way then you can just fork our project. You can do whatever you want with it.
Honestly, we can think of at least a dozen of cool ways to use the SecApps Driver. It is up to you.