Tools
Proxy
The Cohesion Proxy performs security tests on all requests in transit that fall within the provided scope. It handles both unencrypted and encrypted traffic. Encrypted (HTTPS) traffic is actively intercepted using man-in-the-middle techniques, which, as with any intercepting proxy, means the client must trust the proxy's certificate authority for intercepted connections to pass certificate validation.
To start the proxy, you need to specify a scope URL:
$ cohesion proxy http://target/
All requests matching "http://target/" are actively intercepted and tested by the built-in web security testing engine. All other requests are passed through to their destinations without buffering or active testing.
All common options apply. For example, the "-t" (tests) option selects which tests must be included, and the "-p" (ping) option specifies an endpoint to which vulnerability data is forwarded if and when it is discovered.
Integration Testing Example
While the proxy can be used as a standalone tool, it is most effective when combined with other testing tools such as your unit and integration tests. These tests are specifically designed to exercise the application or service and therefore provide an excellent baseline for security testing. All we have to do is start the Cohesion Proxy and point the unit and integration tests at it.
There are many ways to do this, but in most scenarios it comes down to either passing command-line options or setting proxy configuration environment variables such as "http_proxy" and "https_proxy".
For example, here is how to run a thorough security test of a web application by reusing its existing integration tests.
$ cohesion proxy http://target:9090 --wait=http://target:9090 --exit=">=7" --exit-code="777" & COHESION=$!
$ http_proxy=http://localhost:8080 https_proxy=http://localhost:8080 ./run_integration_tests.py & TESTS=$!
$ wait $COHESION
$ echo "Cohesion exited with $?"
In the example above we start the Cohesion Proxy in the background, then configure the integration tests to use it. While the integration tests run, Cohesion performs an active scan using their traffic as a baseline. Because of the "--exit" option, the proxy exits as soon as a critical vulnerability (here, one matching the "--exit" threshold of 7 or higher) is identified. In the last line we wait for Cohesion to exit and print its exit code, which is set to 777 if such a vulnerability was found. Note that POSIX exit statuses are limited to 8 bits, so the shell or CI runner will actually observe 777 as 9 (777 mod 256); choose a value below 256 if the exact number matters to your pipeline.
Simplified Integration Testing Example
Notice that the example above relies on a few shell scripting tricks. It also does not handle the case where the tests are still running after the proxy has exited with the error code. While this can be fixed by hand, Cohesion provides helper flags for exactly this situation.
Let's try the above example again:
$ cohesion proxy http://target:9090 --wait=http://target:9090 --exit=">=7" --exit-code="777" --exec="./run_integration_tests.py"
$ echo "Cohesion exited with $?"
In this example, the whole workflow fits on a single line and works as expected. All we did was add one extra command-line option.
The "--exec" option launches the provided executable with the correct proxy environment variables set. It also terminates the executable when the proxy shuts down because a critical vulnerability has been identified.
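For CI runners or other tools where "--exec" cannot be used, the same coordination can be written out by hand. The script below is an added example, not part of the Cohesion documentation or code base: it runs the proxy and the test suite concurrently, routes the tests through the proxy, stops whichever side is still running when the other finishes, and returns the proxy's exit status if the proxy bailed out first, otherwise the test suite's. It assumes the proxy listens on localhost:8080 as in the examples above (override with PROXY_URL); the run_scan and spawn functions and the command strings are placeholders introduced here.

```sh
#!/bin/sh
# Added example, not from the Cohesion documentation or code base.
# Does by hand what "--exec" does for you: run the proxy and the test suite
# concurrently, route the tests through the proxy, and make sure neither side
# is left running when the other finishes.
# Assumption: the proxy listens on localhost:8080 (as in the examples above).

PROXY_URL=${PROXY_URL:-http://localhost:8080}

# spawn NAME CMD [via_proxy]
# Runs CMD in the background, records its pid in $tmp/NAME.pid and its exit
# status in $tmp/NAME.status once it finishes. The status file is written via
# rename so a reader never sees it half-written.
spawn() {
    name=$1; cmd=$2; via_proxy=$3
    (
        set +e                       # a failing child must still get its status recorded
        if [ -n "$via_proxy" ]; then
            http_proxy=$PROXY_URL; https_proxy=$PROXY_URL
            export http_proxy https_proxy
        fi
        sh -c "$cmd" & child=$!
        echo "$child" > "$tmp/$name.pid"
        wait "$child"
        echo $? > "$tmp/$name.tmp" && mv "$tmp/$name.tmp" "$tmp/$name.status"
    ) &
}

# run_scan PROXY_CMD TESTS_CMD
# Returns the proxy's exit status if the proxy exits first (its "--exit"
# threshold was hit), otherwise the test suite's exit status. Whichever side
# is still running when the other finishes is terminated, so CI never hangs.
run_scan() {
    tmp=$(mktemp -d)
    spawn proxy "$1"
    spawn tests "$2" via_proxy

    # Poll for whichever status file appears first.
    while [ ! -f "$tmp/proxy.status" ] && [ ! -f "$tmp/tests.status" ]; do
        sleep 1
    done

    if [ -f "$tmp/proxy.status" ]; then
        # Proxy bailed out (critical finding): stop the tests, report the proxy's code.
        kill "$(cat "$tmp/tests.pid")" 2>/dev/null || true
        wait
        rc=$(cat "$tmp/proxy.status")
    else
        # Tests completed: the proxy would otherwise run on, so stop it and
        # report the test suite's own result.
        kill "$(cat "$tmp/proxy.pid")" 2>/dev/null || true
        wait
        rc=$(cat "$tmp/tests.status")
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Usage (real run; the exit code is kept below 256 so the shell sees it unchanged):
#   run_scan 'cohesion proxy http://target:9090 --wait=http://target:9090 --exit=">=7" --exit-code="9"' \
#            './run_integration_tests.py'
#   echo "Scan finished with $?"
```

The wrapper also makes the 8-bit exit status truncation visible: a proxy command that exits with 777 is reported by run_scan as 9, which is why the usage comment passes an "--exit-code" below 256.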
Standalone Mode
The Cohesion Proxy can be used also as a general-purpose web application security testing tool.
Start the proxy first:
$ cohesion proxy http://target/
Now configure your browser to use the proxy (localhost:8080 in the examples above), following your preferred browser's proxy configuration options. For HTTPS sites the browser must also trust the proxy's certificate authority; otherwise intercepted connections will fail certificate validation.