Websecurify

Websecurify free and premium security tools automatically scan websites for vulnerabilities like SQL Injection, Cross-site Scripting and others

Maven Integration

Perfect Maven-ready web application security testing toolkit

Cohesion comes with the following Maven goals out of the box.

Command: scan

The scan goal performs a complete, automated web application security test against the specified target. By default the scanner fails the build when it finds vulnerabilities above the configured failure level (see level below), so binding it to the integration-test phase turns it into a build gate. Use the following parameters to configure this goal.

Property               Description
target                 The target URL to be tested.
includes|includeUrls   A list of URLs to include as part of the test.
excludes|excludeUrls   A list of URLs to exclude from the test.
level                  A value between 0 and 10 (inclusive) that specifies the vulnerability level above which the scan will fail the phase. The default level is 7.
output                 A path indicating where to store reports.
fast                   A boolean indicating whether the test should fail on the first occurrence of a vulnerability at or above the failure level, rather than finishing the scan first. Enabled by default.
fail                   A boolean indicating whether the test should fail the build at all when vulnerabilities are encountered. Enabled by default.
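As an added example that is not part of the Cohesion documentation, here is a scan execution that sets every parameter in the table above. The target URL and port, and the <include>/<exclude> child element names, are assumptions: Maven accepts any child element name for a list parameter, but the exact form Cohesion expects is not given on this page. Note also that the level and fast descriptions differ on whether a finding exactly at the threshold fails the build; check a boundary value against your version before relying on it.

```xml
<!-- Added example, not code from the Cohesion project. Assumed: the app under
     test is already listening on localhost:8080, and list parameters take
     arbitrary child elements (here <include>/<exclude>). -->
<plugin>
    <groupId>com.websecurify</groupId>
    <artifactId>cohesion</artifactId>
    <version>1.7.0-SNAPSHOT</version>

    <executions>
        <execution>
            <id>security-gate</id>
            <phase>integration-test</phase>
            <goals><goal>scan</goal></goals>

            <configuration>
                <!-- only ever point this at a disposable test instance: the
                     scanner sends attack payloads, not just harmless GETs -->
                <target>http://localhost:8080/</target>

                <!-- keep the crawler on the app under test and out of URLs
                     that change state (logout, account deletion, ...) -->
                <includes>
                    <include>http://localhost:8080/app/</include>
                </includes>
                <excludes>
                    <exclude>http://localhost:8080/app/logout</exclude>
                </excludes>

                <!-- stricter gate than the default of 7 -->
                <level>5</level>

                <!-- fast=false: keep scanning after the first failing finding so
                     the report in target/security lists everything, not just
                     the first hit that broke the build -->
                <fast>false</fast>

                <!-- fail=true is the default; switch to false on a first run to
                     collect a baseline report without breaking the build -->
                <fail>true</fail>

                <output>${project.build.directory}/security</output>
            </configuration>
        </execution>
    </executions>
</plugin>
```

With fail left at true, a finding above the level threshold fails the integration-test phase and the report lands in target/security; with fast=false the report covers the whole scan rather than stopping at the first qualifying finding, which is what you want when the output feeds a ticketing system rather than just a red build.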

Command: start-proxy

The start-proxy goal performs an automated web application security test driven by the HTTP requests generated by your unit and integration tests. The proxy observes all traffic sent through it during the testing stages and replays similar requests with the intention of uncovering security vulnerabilities. Coverage is exactly as deep and detailed as the tests themselves: only the endpoints and parameters your tests actually exercise are tested, so a thorough test suite produces more interesting results than a blind crawl, while a thin one leaves the rest of the application unexamined.

Property               Description
port                   The local port on which the proxy server listens. Your tests must send their HTTP traffic to this port for the proxy to see it.
includes|includeUrls   A list of URLs to include as part of the test.
excludes|excludeUrls   A list of URLs to exclude from the test.
level                  A value between 0 and 10 (inclusive) that specifies the vulnerability level above which the scan will fail the phase. The default level is 7.
output                 A path indicating where to store reports.
fast                   A boolean indicating whether the test should fail on the first occurrence of a vulnerability at or above the failure level, rather than finishing the scan first. Enabled by default.
fail                   A boolean indicating whether the test should fail the build at all when vulnerabilities are encountered. Enabled by default.

Command: stop-proxy

The stop-proxy goal stops the proxy at the end of a phase. It takes no parameters. Binding it is optional; it is typically bound to post-integration-test when you want explicit control over when the proxy shuts down rather than leaving it running until the build exits.


Maven Examples

It is very easy to get started with Cohesion and Maven.

Basic Scanner

The following example demonstrates how to start a scan from a Maven pom file.

<project
    xmlns="http://maven.apache.org/POM/4.0.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">

    <modelVersion>4.0.0</modelVersion>
    <groupId>com.websecurify.cohesion</groupId>
    <artifactId>scanner</artifactId>
    <version>1.0.0-SNAPSHOT</version>
    <name>Cohesion Scanner</name>

    <!-- ${port} is referenced in the scan target below and must resolve, or
         Maven leaves the literal string in the URL. The value here is an
         assumption: use the port where the app under test is already running,
         or override with -Dport=... -->
    <properties>
        <port>8080</port>
    </properties>

    <build>
        <plugins>
            <plugin>
                <groupId>com.websecurify</groupId>
                <artifactId>cohesion</artifactId>
                <version>1.7.0-SNAPSHOT</version>

                <executions>
                    <execution>
                        <id>security-test</id>
                        <phase>integration-test</phase>
                        <goals><goal>scan</goal></goals>

                        <configuration>
                            <target>http://localhost:${port}/</target>
                            <output>${project.build.directory}/security</output>
                        </configuration>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
</project>

Basic Proxy

This example starts the proxy before the integration tests and stops it afterwards. HTTP requests generated during the integration-test phase are proxied and tested against a range of issues. Note that the POM only starts the proxy; your tests must be configured to send their HTTP traffic through it (for example by setting the JVM's proxy system properties), otherwise the proxy observes nothing.

<project
    xmlns="http://maven.apache.org/POM/4.0.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">

    <modelVersion>4.0.0</modelVersion>
    <groupId>com.websecurify.cohesion</groupId>
    <artifactId>scanner</artifactId>
    <version>1.0.0-SNAPSHOT</version>
    <name>Cohesion Scanner</name>

    <build>
        <plugins>
            <plugin>
                <groupId>com.websecurify</groupId>
                <artifactId>cohesion</artifactId>
                <version>1.7.0-SNAPSHOT</version>

                <!-- a plugin has one <executions> element; both executions go in it.
                     The goal names are start-proxy and stop-proxy, as documented above. -->
                <executions>
                    <execution>
                        <id>start-proxy</id>
                        <phase>pre-integration-test</phase>
                        <goals><goal>start-proxy</goal></goals>

                        <configuration>
                            <!-- set <port> here and point the tests' HTTP client at it -->
                            <output>${project.build.directory}/security</output>
                        </configuration>
                    </execution>

                    <execution>
                        <id>stop-proxy</id>
                        <phase>post-integration-test</phase>
                        <goals><goal>stop-proxy</goal></goals>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
</project>
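The Basic Proxy example starts and stops the proxy, but nothing in it routes the test traffic through the proxy, and a proxy only sees requests that are sent to it. The following POM is an added example, not code from the Cohesion project: it fixes the proxy port and passes it to the forked JVM in which maven-failsafe-plugin runs the integration tests. The port (8090), the failsafe version and the assumption that the tests use the JDK's HttpURLConnection (which honours http.proxyHost/http.proxyPort) are mine; Apache HttpClient, for instance, ignores those properties unless explicitly told to use system properties.

```xml
<!-- Added example, not code from the Cohesion project. Assumed: proxy port 8090,
     maven-failsafe-plugin 2.12, tests built on java.net.HttpURLConnection. -->
<project
    xmlns="http://maven.apache.org/POM/4.0.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">

    <modelVersion>4.0.0</modelVersion>
    <groupId>com.websecurify.cohesion</groupId>
    <artifactId>proxied-tests</artifactId>
    <version>1.0.0-SNAPSHOT</version>

    <properties>
        <!-- one place to change the port for both plugins -->
        <cohesion.proxy.port>8090</cohesion.proxy.port>
    </properties>

    <build>
        <plugins>
            <plugin>
                <groupId>com.websecurify</groupId>
                <artifactId>cohesion</artifactId>
                <version>1.7.0-SNAPSHOT</version>

                <executions>
                    <execution>
                        <id>start-proxy</id>
                        <phase>pre-integration-test</phase>
                        <goals><goal>start-proxy</goal></goals>
                        <configuration>
                            <port>${cohesion.proxy.port}</port>
                            <output>${project.build.directory}/security</output>
                            <!-- fast=false: test every proxied request, do not
                                 stop at the first finding above the level -->
                            <fast>false</fast>
                        </configuration>
                    </execution>
                    <execution>
                        <id>stop-proxy</id>
                        <phase>post-integration-test</phase>
                        <goals><goal>stop-proxy</goal></goals>
                    </execution>
                </executions>
            </plugin>

            <!-- failsafe forks a JVM for the integration tests; argLine reaches
                 that JVM, so the JDK HTTP stack inside it uses the proxy -->
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-failsafe-plugin</artifactId>
                <version>2.12</version>
                <configuration>
                    <!-- http.nonProxyHosts defaults to "localhost|127.*|[::1]",
                         which would bypass the proxy for an app on localhost;
                         an explicitly empty value disables that bypass -->
                    <argLine>-Dhttp.proxyHost=localhost -Dhttp.proxyPort=${cohesion.proxy.port} -Dhttp.nonProxyHosts=</argLine>
                </configuration>
                <executions>
                    <execution>
                        <goals>
                            <goal>integration-test</goal>
                            <goal>verify</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
</project>
```

The http.nonProxyHosts detail is the one that silently defeats this setup: with the JDK default in force, every request to localhost goes straight to the application and the proxy reports nothing, which looks like a clean result. If the tests run against a remote host instead, the empty value is harmless and can be dropped.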

Security Test via Jetty

This example is a bit more involved. The application is started in a Jetty container during pre-integration-test (daemon=true lets the build continue while Jetty keeps running), the scanner is launched against it during integration-test, and Jetty is shut down in post-integration-test using the stopPort and stopKey configured at plugin level. Because the scan sends attack payloads, this pattern of running the test against a throwaway container started by the build is the one to prefer over pointing the scanner at a shared environment.

<project
    xmlns="http://maven.apache.org/POM/4.0.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">

    <modelVersion>4.0.0</modelVersion>
    <groupId>com.websecurify.cohesion</groupId>
    <artifactId>scanner</artifactId>
    <version>1.0.0-SNAPSHOT</version>
    <name>Cohesion Scanner</name>

    <!-- ${jetty.port} is referenced in the scan target below and must resolve.
         The Jetty 6 plugin's default connector listens on 8080 unless the
         jetty.port system property overrides it, so the two stay in step. -->
    <properties>
        <jetty.port>8080</jetty.port>
    </properties>

    <build>
        <plugins>
            <plugin>
                <groupId>org.mortbay.jetty</groupId>
                <artifactId>maven-jetty-plugin</artifactId>
                <version>6.1.16</version>

                <configuration>
                    <stopPort>9095</stopPort>
                    <stopKey>STOP</stopKey>
                    <scanIntervalSeconds>10</scanIntervalSeconds>
                    <contextPath>/</contextPath>
                </configuration>

                <executions>
                    <execution>
                        <id>start-jetty</id>
                        <phase>pre-integration-test</phase>

                        <goals>
                            <goal>run</goal>
                        </goals>

                        <configuration>
                            <scanIntervalSeconds>0</scanIntervalSeconds>
                            <daemon>true</daemon>
                        </configuration>
                    </execution>

                    <execution>
                        <id>stop-jetty</id>
                        <phase>post-integration-test</phase>

                        <goals>
                            <goal>stop</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>

            <plugin>
                <groupId>com.websecurify</groupId>
                <artifactId>cohesion</artifactId>
                <version>1.7.0-SNAPSHOT</version>

                <executions>
                    <execution>
                        <id>websecurify-scan</id>
                        <phase>integration-test</phase>

                        <goals>
                            <goal>scan</goal>
                        </goals>

                        <configuration>
                            <target>http://localhost:${jetty.port}/</target>
                        </configuration>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
</project>