Implementing DAST with Arachni

Summary of DAST tools: Best Vulnerability Scanner Software: User Reviews from August 2024 (g2.com)

Arachni tool link: Arachni/arachni (github.com)

1. Create a New User

Since Arachni cannot run with root privileges, we will create a new user for Arachni on the Build Instance.

adduser arachni

image.png

Switch to the arachni user.

su arachni && cd

2. Install the Tool and Run Manually

You can refer to the releases here: Releases · Arachni/arachni (github.com)

Download Arachni:

wget https://github.com/Arachni/arachni/releases/download/v1.4/arachni-1.4-0.5.10-linux-x86_64.tar.gz

image.png

Extract the downloaded file:

tar -xvf arachni-1.4-0.5.10-linux-x86_64.tar.gz

image.png

Navigate to the directory:

cd arachni-1.4-0.5.10

You will find many commands in the bin folder.

ls bin/

image.png

Build the .arf file. You can learn more here: Command line user interface · Arachni/arachni Wiki (github.com)

bin/arachni --output-verbose --scope-include-subdomains http://3.106.228.72:3000/ --report-save-path=/tmp/frontend-ecommerce.arf

image.png

You must replace placeholders with your own variables to get accurate results!

This is the result of the security scan. After scanning, a file frontend-ecommerce.arf is created in the /tmp directory.

image.png

Convert the .arf file to an .html file so it can be read:

bin/arachni_reporter /tmp/frontend-ecommerce.arf --reporter=html:outfile=frontend-ecommerce.html.zip

The result is a .zip file.

image.png

To view it, switch to root and copy it to the /home/ubuntu/ directory:

exit
cp /home/arachni/arachni-1.4-0.5.10/frontend-ecommerce.html.zip /home/ubuntu/

You will see a .zip file has been copied. Grant permissions to ubuntu, download, and open the .html file:

sudo chown -R ubuntu:ubuntu /home/ubuntu/frontend-ecommerce.html.zip

image.png

This is the analysis result from Arachni.

image.png

3. Write a Dockerfile

Now we will write a Dockerfile to simplify the process.

Switch to the arachni user:

su arachni
cd

Create a working directory and Dockerfile:

mkdir -p tools/arachni && vi tools/arachni/Dockerfile

Enter the following lines:

FROM ubuntu:latest

RUN apt update -y && \
    apt install -y wget tar && \
    rm -rf /var/lib/apt/lists/*

RUN wget https://github.com/Arachni/arachni/releases/download/v1.4/arachni-1.4-0.5.10-linux-x86_64.tar.gz && \
    tar -xvf arachni-1.4-0.5.10-linux-x86_64.tar.gz && \
    rm arachni-1.4-0.5.10-linux-x86_64.tar.gz

WORKDIR /arachni-1.4-0.5.10

CMD ["bin/arachni"]

Switch to root and add the arachni user to the docker group:

exit
usermod -aG docker arachni

Add the following line to visudo:

arachni ALL=(ALL) NOPASSWD:ALL

image.png

Switch back to arachni and build the Dockerfile into a Docker image:

su arachni
cd
docker build -t arachni tools/arachni/

image.png

Run Arachni using Docker with the same command as before:

docker run --rm -v /tmp/:/tmp/ arachni bin/arachni --output-verbose --scope-include-subdomains http://3.106.228.72:3000/ --report-save-path=/tmp/frontend-ecommerce.arf

image.png

Also, convert the .arf file to .html using Docker:

docker run --rm -v /tmp/:/tmp/ arachni bin/arachni_reporter /tmp/frontend-ecommerce.arf --reporter=html:outfile=/tmp/frontend-ecommerce.html.zip

And the results are the same.

image.png

4. Apply to CI/CD Frontend

image.png

image.png

variables:
    USER_PROJECT: "ecommerce"
    PATH_PROJECT: "/home/${USER_PROJECT}/${CI_PROJECT_NAME}"
    IMAGE_VERSION: "${CI_REGISTRY_USER}/${CI_PROJECT_NAME}-${USER_PROJECT}:${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHORT_SHA}"
    ARACHNI_WEBSITE_REPORT: "arachni_scan_${CI_PROJECT_NAME}:${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHORT_SHA}_report"

stages:
    - clone
    - SAST
    - SCA
    - build
    - image can
    - push registry
    - deploy
    - DAST

before_script:
    - sudo mkdir -p $PATH_PROJECT

clone repository:
    stage: clone
    script:
        - echo "Repository cloned."
    tags:
        - group-ecommerce-shell-runner-build

build:
    stage: build
    variables:
        GIT_STRATEGY: clone
    before_script:
        - sudo docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PWD
    script:
        - sudo docker build -t $IMAGE_VERSION .
    after_script:
        - sudo docker logout
    tags:
        - group-ecommerce-shell-runner-build
    only:
        - tags

dockerhub pushing:
    stage: push registry
    variables:
        GIT_STRATEGY: none
    before_script:
        - sudo docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PWD
    script:
        - sudo docker push $IMAGE_VERSION
    after_script:
        - sudo docker logout
    tags:
        - group-ecommerce-shell-runner-build
    needs:
        - job: build
    only:
        - tags

deploy:
    stage: deploy
    variables:
        GIT_STRATEGY: none
    before_script:
        - sudo docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PWD
    script:
        - sudo docker pull $IMAGE_VERSION
        - sudo su ${USER_PROJECT} -c "
            container_exists=\$(sudo docker ps -a -q -f name=${CI_PROJECT_NAME});
            if [ ! -z \"\$container_exists\" ]; then
                sudo docker rm -f ${CI_PROJECT_NAME};
            fi;
            sudo docker run --name ${CI_PROJECT_NAME} -dp ${FRONTEND_PORT}:80 ${IMAGE_VERSION}"
    after_script:
        - sudo docker logout
    tags:
        - group-ecommerce-shell-runner
    needs:
        - job: dockerhub pushing
    only:
        - tags

arachni scanning website:
    stage: DAST
    variables:
        GIT_STRATEGY: none
    before_script:
        - sudo docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PWD
    script:
        - docker run --rm -v /tmp/:/tmp/ arachni bin/arachni --output-verbose --scope-include-subdomains http://3.106.228.72:3000/ --report-save-path=/tmp/$ARACHNI_WEBSITE_REPORT.arf > /dev/null 2>&1
        - docker run --rm -v /tmp/:/tmp/ arachni bin/arachni_reporter /tmp/frontend-ecommerce.arf --reporter=html:outfile=/tmp/$ARACHNI_WEBSITE_REPORT.html.zip
        - sudo chmod 777 /tmp/$ARACHNI_WEBSITE_REPORT.html.zip
        - cp /tmp/$ARACHNI_WEBSITE_REPORT.html.zip .
    after_script:
        - sudo docker logout
    tags:
        - group-ecommerce-shell-runner-build
    needs:
        - job: deploy
    only:
        - tags
    artifacts:
        paths:
            - $ARACHNI_WEBSITE_REPORT.html.zip
        expire_in: 1 day

To simplify, unnecessary stages have been removed to keep it lean, and only essential stages such as clone, build, push registry, deploy, and the new DAST stage have been kept.

image.png

image.png

Download and extract the results, which remain the same.

image.png