Introduction
Testing Modes
Cohesion comes with several commands and options to help you automate various types of web application security tests. Each testing flow has its own designated command.
Scanner
The Scanner is a fully automated web security assessment tool. When configured, it discovers web resources by spidering (crawling) the application and brute-forcing common files and folders. Discovered resources are then tested automatically for a wide range of vulnerabilities such as SQL Injection, Cross-Site Scripting, Code Execution, File Include vulnerabilities and much more.
To start a scan simply type:
$ cohesion scanner 'http://target'
The target can also be a file containing an HTTP request:
$ cohesion scanner request.http
Where the file request.http has the following content:
GET http://target HTTP/1.1
Host: target
The Scanner will automatically add the target URL to the current scope, set up all rules and configurations for security tests, and start the testing process.
Spider
The Spider is the automatic resource identification and information gathering process used by the Scanner, but it can also be run on its own for resource discovery. You can use the Spider to footprint the application, identify hidden files and folders, spot problems passively, and ensure the target application or API does not ship with insecure defaults.
Like the Scanner, it is easy to get started. Consider the following command:
$ cohesion spider 'http://target'
You can also use a file to define the starting request. For example:
GET http://target HTTP/1.1
Host: target
Use the following command to start the spider with the request file:
$ cohesion spider request.http
Fuzzer
Use the Fuzzer to identify vulnerabilities in specific requests. This tool is most useful when testing API endpoints or re-testing issues previously reported by the Scanner.
Use the following command to get started:
$ cohesion fuzzer 'http://target/?param=a'
The Fuzzer works best when the request is provided from a file rather than specified on the command line. Request files let you customize the method, headers and request body, which is particularly important when testing web services.
Save the following request into a file request.http:
POST http://target/path/to/location HTTP/1.1
Host: target
Content-Type: application/json

{
"hello": "world"
}
Fuzz the request using the following command:
$ cohesion fuzzer request.http
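Hand-written request files are easy to get subtly wrong: the blank line that separates headers from the body is easy to forget, and a missing Host or Content-Length header can make the request ambiguous for the tool on the other end. The helper below is an added example, not part of Cohesion, that generates a request.http file in the format shown on this page from a method, an absolute URL, optional headers and an optional body; the file name and the target URL are constructed for illustration.

```python
"""Generate a request.http file for `cohesion fuzzer` / `cohesion scanner`.

Added example, not Cohesion's own code. Assumes the request file format
shown on this page: a request line with an absolute URL, header lines,
a blank line, then the body.
"""
import json
from urllib.parse import urlsplit


def build_request_file(method, url, headers=None, body=None):
    """Return the text of a request.http file for the given request.

    A Host header is derived from the URL when none is supplied. When a
    body is present, Content-Length is set so the body boundary is
    unambiguous, and a dict/list body is serialized as JSON. Lines are
    CRLF-terminated as in HTTP/1.1 and the body follows a blank line.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("url must be absolute, e.g. http://target/path")
    hdrs = dict(headers or {})
    if not any(name.lower() == "host" for name in hdrs):
        hdrs["Host"] = parts.netloc
    payload = ""
    if body is not None:
        if isinstance(body, (dict, list)):
            payload = json.dumps(body)
            if not any(name.lower() == "content-type" for name in hdrs):
                hdrs["Content-Type"] = "application/json"
        else:
            payload = str(body)
        hdrs["Content-Length"] = str(len(payload.encode("utf-8")))
    lines = [f"{method.upper()} {url} HTTP/1.1"]
    lines += [f"{name}: {value}" for name, value in hdrs.items()]
    # The empty element after the last header yields the mandatory blank line.
    return "\r\n".join(lines) + "\r\n\r\n" + payload


if __name__ == "__main__":
    # Constructed sample: the JSON POST from this page, written to disk.
    text = build_request_file(
        "POST", "http://target/path/to/location", body={"hello": "world"}
    )
    with open("request.http", "w", newline="") as fh:
        fh.write(text)
    print(text)
```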
Proxy
The Cohesion Proxy can test every request captured in transit, so it can be combined with other tools that are part of the testing pipeline, such as unit and integration tests. With the Proxy, security and resilience testing reaches everything your existing tests exercise.
Use the following command to start the proxy with a specific target. Only requests matching the target will be tested:
$ cohesion proxy 'http://target/'
By default, the proxy listens on localhost port 9090. You can change the address with the '--proxy' command line flag. Once it is running, configure your existing tooling to send its requests through the proxy when performing tests; consult the proxy setup manual specific to your development environment.
As a general rule of thumb, the proxy configuration can be passed with the "http_proxy" and "https_proxy" environment variables. Assuming that the Cohesion Proxy runs on localhost port 9090, existing tools can be configured as follows:
$ export http_proxy=http://localhost:9090
$ export https_proxy=http://localhost:9090
$ ./run-tests.sh