
Dastardly – Web Application Security Scanner – CI/CD

Introduction

As a security engineer, ensuring the security of your application is of the utmost importance. Dastardly, a free, lightweight web application security scanner, makes it easier than ever to integrate security checks into your CI/CD pipeline. It is designed for security engineers and checks for seven security issues that are commonly encountered during software development. Dastardly is built on the same technology as Burp Suite’s Burp Scanner, a tool trusted by security professionals at thousands of companies worldwide. With Dastardly, you can check your application for these issues before it is deployed.


CI/CD (Continuous Integration/Continuous Deployment)

CI/CD (Continuous Integration/Continuous Deployment) is a software development practice that aims to minimize the time between writing code and deploying it to production. The process involves automatically building, testing, and deploying code changes as soon as they are committed to the source code repository. This allows for faster feedback and identification of issues, ultimately leading to faster and more reliable software releases. By automating the integration and deployment process, developers can focus on writing code and delivering value to customers, rather than spending time on manual integration and deployment tasks. This results in improved collaboration, quality, and productivity for the development team.

Dastardly

Introducing Dastardly, a cutting-edge web application security scanner designed for software developers. This powerful, yet lightweight tool is available at no cost and can be integrated seamlessly into your CI/CD pipeline. Dastardly’s scanner technology is based on Burp Suite’s scanner, providing thorough and accurate scans for seven common security concerns during the software development process. Enhance your security measures and protect your applications with Dastardly.

Features

  • Dastardly is a free, lightweight web application security scanner for your CI/CD pipeline.
  • Dastardly scans your application from the outside, just like an attacker, providing accurate results.
  • Scans run no longer than 10 minutes, ensuring minimal disruption to your development workflow.
  • Dastardly is based on the same scanner as Burp Suite, the world’s leading toolkit for web security testing used by over 16,000 organizations.
  • With Dastardly, you can proactively identify vulnerabilities in your code before they become a problem, saving you time and effort in fixing bugs in old code.
  • Dastardly eliminates the need to wait for a pentester to point out any holes in your code, allowing you to take control of your application security.

How to Run

Dastardly utilizes Docker technology to seamlessly integrate into your continuous integration and continuous delivery pipeline. We have detailed documentation on integrating Dastardly with various CI/CD platforms, as well as a generic Docker command to allow for integration with any platform of your choice. For further information, please refer to our guide on integrating Dastardly with your existing CI/CD pipeline.

To scan the endpoint “https://ginandjuice.shop” using Docker, execute the following command. The scan completes within 10 minutes, and the output is a JUnit XML report, which can be consumed by any JUnit XML parser.

docker run --user $(id -u) --rm -v $(pwd):/dastardly \
  -e DASTARDLY_TARGET_URL=https://ginandjuice.shop \
  -e DASTARDLY_OUTPUT_FILE=/dastardly/dastardly-report.xml \
  public.ecr.aws/portswigger/dastardly:latest

The results of the DAST scan are provided below. A total of 7 instances of cross-site scripting were identified, along with the corresponding affected paths. Additional details can be found in the “dastardly-report.xml” file.
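To act on the report rather than just read it, the pipeline needs a step that parses the JUnit XML and decides whether the build should fail. The following Python script is an added example, not PortSwigger's code and not taken from the Dastardly documentation; it assumes a JUnit layout of one testsuite per scanned path and one testcase per check, with a failure element whose type attribute carries the severity (an assumption, so adjust the attribute names after inspecting your own dastardly-report.xml). The embedded sample report is constructed for the example.

```python
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class Finding:
    issue: str      # check name, e.g. "Cross-site scripting (reflected)"
    path: str       # scanned URL that the testsuite represents
    severity: str   # taken from the <failure type="..."> attribute (assumed layout)


def parse_report(xml_text: str) -> List[Finding]:
    """Collect every failed testcase from a JUnit XML document.

    Assumed layout (not confirmed against a real Dastardly report): one
    <testsuite> per scanned path, one <testcase> per check, and a <failure>
    child only when the check found an issue.
    """
    root = ET.fromstring(xml_text)
    findings: List[Finding] = []
    for suite in root.iter("testsuite"):
        for case in suite.findall("testcase"):
            failure = case.find("failure")
            if failure is None:
                continue  # the check ran and passed
            findings.append(Finding(
                issue=case.get("name", "unknown issue"),
                path=suite.get("name", "unknown path"),
                severity=failure.get("type", "Unknown"),
            ))
    return findings


def count_by_issue(findings: Sequence[Finding]) -> Dict[str, int]:
    """Number of affected paths per issue class, like the summary in the post."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


def should_fail(findings: Sequence[Finding],
                fail_on: Sequence[str] = ("High", "Medium")) -> bool:
    """Pipeline gate: fail when any finding reaches a blocking severity."""
    return any(f.severity in fail_on for f in findings)


# Constructed sample report in the assumed layout; not real scanner output.
SAMPLE_REPORT = """<testsuites>
  <testsuite name="https://ginandjuice.shop/" tests="2" failures="2">
    <testcase name="Cross-site scripting (reflected)" classname="https://ginandjuice.shop/">
      <failure message="Reflected in parameter searchTerm" type="High">detail</failure>
    </testcase>
    <testcase name="HTML does not specify charset" classname="https://ginandjuice.shop/">
      <failure message="Content-Type header has no charset" type="Info">detail</failure>
    </testcase>
  </testsuite>
  <testsuite name="https://ginandjuice.shop/catalog" tests="2" failures="1">
    <testcase name="Cross-site scripting (reflected)" classname="https://ginandjuice.shop/catalog">
      <failure message="Reflected in parameter category" type="High">detail</failure>
    </testcase>
    <testcase name="Duplicate cookies set" classname="https://ginandjuice.shop/catalog"/>
  </testsuite>
</testsuites>
"""


def main(argv: List[str]) -> int:
    # Read the report written by the docker command above, or the sample when no file is given.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_REPORT
    findings = parse_report(xml_text)
    for issue, n in sorted(count_by_issue(findings).items()):
        print(f"{n:3d}  {issue}")
    for f in findings:
        print(f"  [{f.severity}] {f.issue} at {f.path}")
    # Non-zero exit makes the CI step fail, which is what turns a scan into a gate.
    return 1 if should_fail(findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it after the docker step as `python gate.py dastardly-report.xml`; the severity threshold in `should_fail` is the knob to tune so that informational findings such as a missing charset do not block releases while reflected XSS does.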

[Figure: Dastardly scan output]

Integrating Dastardly with your existing CI/CD platform

The integration of Dastardly with your existing CI/CD platform is a straightforward process. Dastardly can be easily integrated with popular CI/CD platforms such as Jenkins, GitHub Actions, and TeamCity. This integration will ensure that Dastardly scans are seamlessly incorporated into your development workflow and vulnerabilities are identified and addressed in a timely manner.

Limitations

Dastardly is a web security scanner that integrates into a CI/CD pipeline; however, it may not handle login procedures well, so it is recommended to disable authentication features during a scan. It can scan APIs defined by an OpenAPI v3.x.x specification and detects 7 prevalent issues commonly found in web development. However, API calls outside the seed URL’s domain are not included in the scan. Dastardly is based on the same technology as Burp Suite.

Authentication

Dastardly may not effectively handle login procedures. Therefore, when utilizing Dastardly for scanning purposes, it is recommended to disable any authentication features within the application. 

Scanning APIs

Dastardly analyses JSON API definitions written to the OpenAPI v3.x.x specification, searching for potential vulnerabilities. It scans API calls made to endpoints within the same domain as the initial seed URL; API calls to endpoints outside the seed URL’s domain are considered out of scope and are not included in the scan.

Scan Checks

Dastardly, a dynamic application security testing (DAST) scanner based on the same technology as the widely trusted Burp Suite, can assist in identifying key security vulnerabilities within your application. By integrating seamlessly into the CI/CD pipeline, the scanner can detect seven prevalent issues commonly found in web development. These issues, while representing only a small subset of the many vulnerability classes that Burp Scanner can identify, have the potential to cause significant harm if exploited in a production environment. In the worst case, they could grant malicious actors complete control over the affected systems.

Security issue                               Supported by Dastardly
Cross-site scripting (XSS) (reflected)       ✔️
Cross-origin resource sharing (CORS) issues  ✔️
Vulnerable JavaScript dependency             ✔️
Content type is not specified                ✔️
Multiple content types specified             ✔️
HTML does not specify charset                ✔️
Duplicate cookies set                        ✔️
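Five of the seven checks in the table are passive: they can be decided from a single HTTP response's headers. The Python below is an added example that reproduces those five as simplified heuristics of my own; it is not Dastardly's or Burp Scanner's detection logic, and it skips reflected XSS and vulnerable JavaScript dependencies because those need active probing or a version database. The response headers it runs on are constructed for the example. Charset is judged from the Content-Type header only (a simplification: a page can also declare it in a meta tag), and the CORS check flags only the clear misconfigurations of a wildcard or null origin combined with credentials.

```python
from typing import List, Tuple

# Headers kept as (name, value) pairs so that repeated headers survive,
# which is what the duplicate-cookie and multiple-content-type checks need.
Headers = List[Tuple[str, str]]


def _get_all(headers: Headers, name: str) -> List[str]:
    """All values of a header, matched case-insensitively."""
    return [v for (n, v) in headers if n.lower() == name.lower()]


def check_response(headers: Headers) -> List[str]:
    """Return the issue names (using the table's wording) found in one response."""
    findings: List[str] = []

    # Content type checks: missing, repeated, or HTML without a charset.
    ctypes = _get_all(headers, "Content-Type")
    if not ctypes:
        findings.append("Content type is not specified")
    elif len(ctypes) > 1:
        findings.append("Multiple content types specified")
    else:
        media, _, params = ctypes[0].partition(";")
        # Simplification: only the header is inspected, not a <meta charset> tag.
        if media.strip().lower() == "text/html" and "charset=" not in params.lower():
            findings.append("HTML does not specify charset")

    # Duplicate cookies: the same cookie name set more than once in one response.
    names = [c.split("=", 1)[0].strip() for c in _get_all(headers, "Set-Cookie")]
    seen, dup = set(), set()
    for n in names:
        if n in seen:
            dup.add(n)
        seen.add(n)
    if dup:
        findings.append("Duplicate cookies set: " + ", ".join(sorted(dup)))

    # CORS: credentials allowed together with a wildcard or null origin is a
    # misconfiguration (my heuristic; origin-reflection needs the request too).
    acao = [v.strip().lower() for v in _get_all(headers, "Access-Control-Allow-Origin")]
    acac = [v.strip().lower() for v in _get_all(headers, "Access-Control-Allow-Credentials")]
    if acao and acac and acao[0] in ("*", "null") and acac[0] == "true":
        findings.append(f"Cross-origin resource sharing (CORS) issues: origin {acao[0]} with credentials")

    return findings


# Constructed sample responses, not captured from any real site.
SAMPLE_BAD: Headers = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc; Path=/"),
    ("Set-Cookie", "session=def; Path=/; Secure"),
    ("Access-Control-Allow-Origin", "null"),
    ("Access-Control-Allow-Credentials", "true"),
]
SAMPLE_OK: Headers = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=abc; Path=/; Secure; HttpOnly"),
]
SAMPLE_TWO_TYPES: Headers = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Content-Type", "application/json"),
]


if __name__ == "__main__":
    for label, sample in (("bad", SAMPLE_BAD), ("ok", SAMPLE_OK), ("two types", SAMPLE_TWO_TYPES)):
        print(label, "->", check_response(sample) or ["no issues"])
```

Running these checks in a unit test against your own framework's responses catches the header-level findings before the scanner does, which keeps the 10-minute Dastardly run focused on the issues that need active testing.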

Conclusion

In summary, Dastardly is a free and lightweight web application security scanner that can be integrated into the CI/CD pipeline. It is based on the same technology as Burp Suite and scans for seven common security issues, running scans in 10 minutes or less. Authentication features should be disabled during scans, as it may not handle login procedures effectively. It scans APIs defined by an OpenAPI v3.x.x specification and detects 7 prevalent issues commonly found in web development. Its goal is to proactively identify vulnerabilities in code before they become a problem, saving time and effort in fixing bugs in old code.

Piyush Kumawat

Ethical Hacker || Penetration Tester || Gamer || Blogger || Application Security Engineer
