Shell Scripting

Cohesion comes with several features to simplify the orchestration of web security testing tasks executed from a standard shell.

Exit Codes

By default, Cohesion terminates with exit status 0 (successful completion) whenever a run finishes, even if major vulnerabilities were discovered. The exit status only tells you that the tool ran to completion; the findings themselves are reported on the standard output.

To make Cohesion script-friendly, use the "--exit" and "--exit-code" command-line options, which are available in all testing tools.

Consider the following example:

$ cohesion scanner --exit=">=8" --exit-code=2 http://target || echo "!!! SERIOUS VULNERABILITY IDENTIFIED"

The command above tells Cohesion to terminate as soon as a critical vulnerability (one matching the "--exit" condition ">=8") is identified, and to exit with status code 2 when it does. Because of the "||" operator, "echo" runs only when Cohesion exits with a non-zero status; in this example, that is when a serious vulnerability has been identified. Note that "||" reacts to any non-zero status, not only to 2, so a run that fails for an unrelated reason (for example a missing binary, which the shell reports as status 127) prints the same message.

The same check can be written as a script. Capturing the status in a variable lets the script react to Cohesion's own exit code (2 here) and treat any other non-zero status as a failed run rather than as a finding:

#!/usr/bin/env bash

cohesion scanner --exit=">=8" --exit-code=2 http://target
status=$?

if [ "$status" -eq 2 ]
then
  echo "!!! SERIOUS VULNERABILITY IDENTIFIED"
elif [ "$status" -ne 0 ]
then
  echo "COHESION DID NOT COMPLETE (exit status $status)" >&2
  exit "$status"
else
  echo "THE TARGET IS CLEAN"
fi

This shell primitive is the core building block for automating Cohesion tasks.
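The following is an added example, not code from Cohesion or its documentation. It turns the "--exit/--exit-code" primitive into a reusable pipeline gate that scans several targets, reports one verdict per target, and distinguishes a real finding (exit status 2) from a run that failed for another reason. The "cohesion" binary is replaced by a constructed stand-in function so the script runs offline; the exit-code meanings it assumes are the ones set up by the page's own "--exit=">=8" --exit-code=2" invocation.

```bash
#!/usr/bin/env bash
# Added example, not part of Cohesion or its documentation: a reusable
# gate built on the "--exit/--exit-code" primitive for use in a pipeline.
# Assumptions (hypothetical, mirroring the page's example):
#   - the scanner is run with --exit=">=8" --exit-code=2, so exit 2 means
#     "a finding with severity >= 8 was identified";
#   - exit 0 means the run completed with no such finding;
#   - any other non-zero status means the run itself failed (bad
#     arguments, crash, command not found, ...) and is NOT a clean result.

VULN_EXIT_CODE=2

# scan_verdict SCANNER TARGET
#   Runs SCANNER (the cohesion binary, or a stand-in function) against
#   TARGET and prints exactly one of: CLEAN, VULNERABLE, ERROR:<status>.
#   The "|| status=$?" form keeps the function safe under "set -e".
scan_verdict() {
  status=0
  "$1" scanner --exit=">=8" --exit-code="$VULN_EXIT_CODE" "$2" || status=$?
  case "$status" in
    0)                 echo "CLEAN" ;;
    "$VULN_EXIT_CODE") echo "VULNERABLE" ;;
    *)                 echo "ERROR:$status" ;;
  esac
}

# gate_targets SCANNER TARGET...
#   Scans every target (it does not stop at the first finding, so the
#   report is complete), prints one verdict per target and returns:
#     2 if any target is vulnerable,
#     1 if no target is vulnerable but at least one scan failed,
#     0 if every target is clean.
gate_targets() {
  scanner=$1; shift
  worst=0
  for target in "$@"; do
    verdict=$(scan_verdict "$scanner" "$target")
    echo "$target: $verdict"
    case "$verdict" in
      VULNERABLE) worst=2 ;;
      ERROR:*)    [ "$worst" -eq 2 ] || worst=1 ;;
    esac
  done
  return "$worst"
}

# Constructed stand-in for the cohesion binary so the gate runs offline:
# it accepts the same arguments and picks its exit status from the target
# name (2 = finding, 3 = failed run, 0 = clean). Replace with "cohesion".
fake_cohesion() {
  shift $(($# - 1))          # keep only the last argument, the target
  case "$1" in
    *vuln*) return "$VULN_EXIT_CODE" ;;
    *down*) return 3 ;;
    *)      return 0 ;;
  esac
}

# Demonstration with the stand-in; with the real tool the call is e.g.
#   gate_targets cohesion http://app-a http://app-b; exit $?
gate_targets fake_cohesion http://clean.example http://vuln.example http://down.example
echo "gate status: $?"
```

In a CI job the gate's return value is what fails the build: 2 marks a security finding, 1 marks a scan that did not complete and therefore proves nothing, and only 0 means every target was actually scanned and found clean.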

Wait Option

A standard software delivery pipeline consists of many stages, including steps that stand up the application or service in pre-production and test environments. This step matters in particular because it launches the next phase, in which system integration and security tests are executed.

Standing up a complex piece of software can be cumbersome and may require several related components to be initialized as well. As a result, the target may be reachable before it is fully working, or it may be temporarily misconfigured, and in either state it is not fit for testing.

With the help of the "--wait" command-line option, we can tell Cohesion to pause testing until the target is considered healthy. For example:

$ cohesion fuzzer --wait="http://target/ping" --wait-status="200" request.txt

The fuzzer starts in a paused state. The target URL "http://target/ping" is probed continuously until it is available and the HTTP response status is 200; only then does the fuzzing of request.txt begin.
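The following is an added example, not Cohesion's own code. It does from the shell what the page describes for "--wait"/"--wait-status" (poll a health URL until it answers with the expected status) and adds an explicit timeout, which the page does not mention for the option. This is useful when the readiness check has to happen before Cohesion is invoked at all, for example to abort the pipeline stage early with a clear message. The curl invocation is standard; the "fake_probe" function is a constructed stand-in so the script runs offline.

```bash
#!/usr/bin/env bash
# Added example, not Cohesion's own code: a shell-side readiness wait that
# mirrors "--wait"/"--wait-status" and adds an explicit timeout.

# curl_status URL
#   Prints the HTTP status of one probe ("000" when the target is
#   unreachable; curl also exits non-zero in that case).
curl_status() {
  curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$1"
}

# wait_for_target PROBE URL EXPECTED_STATUS TIMEOUT_SECONDS
#   Calls "PROBE URL" once per second until it prints EXPECTED_STATUS.
#   Returns 0 when the target is healthy, 1 when the timeout elapses first.
#   PROBE is normally curl_status; any command printing a status code works.
wait_for_target() {
  probe=$1; url=$2; expected=$3; timeout=$4
  elapsed=0
  while [ "$elapsed" -lt "$timeout" ]; do
    got=$("$probe" "$url") || got="000"
    if [ "$got" = "$expected" ]; then
      return 0
    fi
    sleep 1
    elapsed=$((elapsed + 1))
  done
  echo "timeout: $url did not return $expected within ${timeout}s (last: $got)" >&2
  return 1
}

# Constructed stand-in probe for offline runs: answers 503 until it has
# been called FAKE_READY_AFTER times, then 200. The call count lives in a
# temp file because every probe runs in its own command-substitution subshell.
FAKE_STATE=$(mktemp)
trap 'rm -f "$FAKE_STATE"' EXIT
FAKE_READY_AFTER=${FAKE_READY_AFTER:-3}
fake_probe() {
  n=$(cat "$FAKE_STATE")
  n=$((${n:-0} + 1))
  echo "$n" > "$FAKE_STATE"
  if [ "$n" -ge "$FAKE_READY_AFTER" ]; then echo 200; else echo 503; fi
}

# Demonstration with the stand-in; against a real target use curl_status:
#   wait_for_target curl_status http://target/ping 200 120 && \
#     cohesion fuzzer request.txt
if wait_for_target fake_probe http://target/ping 200 10; then
  echo "target healthy after $(cat "$FAKE_STATE") probes, start the fuzzer"
else
  echo "target never became healthy, skip the fuzzer" >&2
fi
```

Checking only the status code is exactly what "--wait-status" does; if the health endpoint returns 200 while a dependency is still down, the poll will not catch it, so point it at an endpoint that actually exercises the dependencies the tests need.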

Testing Targets

Testing targets can be supplied directly as URLs or as request files. For example:

$ cohesion fuzzer http://target/?a=b

The same target can be provided as a request file. First, let's create a file with the following contents:

GET http://target/?a=b HTTP/1.1
Host: target
User-Agent: Custom User Agent

To use the file, pass it in place of the URL:

$ cohesion fuzzer request.txt
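The following is an added example, not part of Cohesion. It generates request files in the format shown above from a list of target URLs, so that a batch of targets with custom headers (a test user agent, an authorization header, and so on) can be prepared without editing files by hand. It assumes the file layout is exactly the sample on this page (request line with the absolute URL, Host header, further headers) followed by the empty line that terminates an HTTP header block; the target list and the helper names are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example, not part of Cohesion: generate request files in the
# page's format from a list of target URLs.

# url_host URL
#   Prints the host[:port] part of an http(s) URL, for the Host header.
url_host() {
  rest=${1#*://}        # drop the scheme
  rest=${rest%%/*}      # drop the path
  rest=${rest%%\?*}     # drop a query that follows the host directly
  echo "${rest##*@}"    # drop any user:password@ prefix
}

# make_request_file URL OUTFILE [HEADER...]
#   Writes a GET request for URL to OUTFILE; each HEADER is a complete
#   "Name: value" line appended after Host. The trailing empty line is
#   the standard end of an HTTP header block.
make_request_file() {
  url=$1; out=$2; shift 2
  {
    printf 'GET %s HTTP/1.1\n' "$url"
    printf 'Host: %s\n' "$(url_host "$url")"
    for header in "$@"; do
      printf '%s\n' "$header"
    done
    printf '\n'
  } > "$out"
}

# Demonstration: a constructed target list (one URL per line) becomes
# request-1.txt, request-2.txt, ... in a temporary directory, each with
# the same custom User-Agent. Cohesion would then be run per file:
#   for f in "$OUT_DIR"/request-*.txt; do cohesion fuzzer "$f"; done
TARGETS='http://target/?a=b
https://api.example:8443/v1/items?id=1'
OUT_DIR=$(mktemp -d)
i=0
printf '%s\n' "$TARGETS" | while IFS= read -r url; do
  i=$((i + 1))
  make_request_file "$url" "$OUT_DIR/request-$i.txt" 'User-Agent: Custom User Agent'
  echo "wrote $OUT_DIR/request-$i.txt for $url"
done
```

Because the request line carries the absolute URL, the Host header is derived from it rather than typed separately, which avoids the mismatch that otherwise creeps in when a list of targets is edited by hand.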