SecureCodeBox tools for Command Line Interface

This directory contains tools for executing SCB functions inside a Bash shell.

run_scanner.sh

Syntax: ./run_scanner.sh [options] scanner target

Runs a scanner and stores its findings on disk. Helpful in combination with continuous integration software such as Jenkins, Bamboo, etc. The following scanners (scanner parameter) and variants are currently supported:

  • Arachni (arachni)
  • Nikto (nikto)
  • NMAP (nmap)
  • NMAP, raw results (nmap-raw)
  • Combined NMAP, Nikto (nmap-nikto)
  • SSLyze (sslyze)
  • Zed Attack Proxy (zap)

Simple example

A simple call looks like this:

./run_scanner.sh sslyze example.com:443

This call asks the local SCB instance (expected to run on http://localhost:8080) to start the SSLyze scanner for the host example.com on port 443. Afterwards it repeatedly queries the local Elasticsearch engine (expected to run on http://localhost:9200) until scan results (findings) have been received and their number has been verified. It performs at most 30 queries to Elasticsearch, waiting 60 seconds between two queries.

Complex example

A more elaborate call could look like this:

./run_scanner.sh --backend http://scb_engine:8080 http://es_engine:9200 --auth a2VybWl0OmE= --max_iter 10 --wait 20 --tenant mytenant zap http://www.example.com/shop

This call asks the remote SCB instance on http://scb_engine:8080 to start the OWASP Zed Attack Proxy for the URL http://www.example.com/shop. HTTP Basic authentication is performed with the header value a2VybWl0OmE= (the base64-encoded user:password pair). Afterwards it queries the Elasticsearch engine on http://es_engine:9200 for findings. It performs at most 10 queries to Elasticsearch, waiting 20 seconds between two queries. All operations are performed on the mytenant tenant.
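The "query Elasticsearch until findings arrive" behaviour described in both examples, with the --max-iter / --wait semantics, as an added example that is not the project's run_scanner.sh. The real script fetches the findings with curl against Elasticsearch; here the query is a shell function passed by name (the stub_query stand-in below is constructed) so the loop runs offline. Whether the original script sleeps before or after a query is an assumption of this example.

```shell
#!/bin/sh
# Added example, not the project's run_scanner.sh: poll a findings source
# until it reports at least one finding, giving up after MAX_ITER attempts.

# extract_hit_count ES_RESPONSE_JSON  -> prints hits.total
# Handles both the ES 6 form ("total":3) and the ES 7 form
# ("total":{"value":3,"relation":"eq"}). Simplified: it picks the last
# "total" in the document, which is hits.total in a standard search response.
extract_hit_count() {
    printf '%s' "$1" | tr -d '\n' \
        | sed -E -n 's/.*"total":(\{"value":)?([0-9]+).*/\2/p'
}

# wait_for_findings MAX_ITER WAIT_SECONDS QUERY_FN
#   QUERY_FN is called with the attempt number and must print the current
#   number of findings (0 if none yet). Prints the count and returns 0 as soon
#   as it is non-zero; returns 1 after MAX_ITER attempts without findings.
#   In the real script QUERY_FN would be a curl call against the Elasticsearch
#   search API piped through extract_hit_count.
wait_for_findings() {
    local max_iter="$1" wait_secs="$2" query_fn="$3"
    local i=1 count
    while [ "$i" -le "$max_iter" ]; do
        count=$("$query_fn" "$i")
        if [ "${count:-0}" -gt 0 ]; then
            echo "$count"
            return 0
        fi
        # Assumption: sleep only between attempts, not after the last one.
        if [ "$i" -lt "$max_iter" ]; then
            sleep "$wait_secs"
        fi
        i=$((i + 1))
    done
    return 1
}

# Constructed stand-in for the Elasticsearch query: no hits on the first two
# attempts, then a trimmed ES 7 style response with three findings.
stub_query() {
    if [ "$1" -ge 3 ]; then
        extract_hit_count '{"took":4,"_shards":{"total":5},"hits":{"total":{"value":3,"relation":"eq"},"hits":[]}}'
    else
        extract_hit_count '{"took":4,"_shards":{"total":5},"hits":{"total":{"value":0,"relation":"eq"},"hits":[]}}'
    fi
}

# Demo (offline): 30 attempts, 0 s wait, findings arrive on the third query.
if count=$(wait_for_findings 30 0 stub_query); then
    echo "received $count findings"
else
    echo "no findings after 30 queries" >&2
fi
```

A non-zero exit from wait_for_findings is what lets a CI job fail when the scan never produced results; treating "no findings" and "scanner never ran" identically is the main thing to avoid when wiring this into a pipeline.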

Mandatory parameters

./run_scanner.sh scanner target

The script expects at least two arguments, scanner and target:

  • scanner: SCB scan engine to run the test on
  • target: Target hostname / IP address / URI to scan

While some scanners require the scan target in a specific format (URI, hostname, hostname and port, etc.), run_scanner.sh automatically transforms the given argument into the required format. It is therefore safe to always pass a target URI such as http://www.example:8080/some/path, regardless of the scanner used.

Optional parameters

The following optional parameters may be passed:

  • --help: Displays a help page
  • --auth: HTTP Basic authentication string
  • --max-iter: Maximum number of Elasticsearch queries to perform
  • --tenant: SCB/Elasticsearch tenant to address
  • --wait: Number of seconds to wait between Elasticsearch queries

Data files

During execution the script generates several files, all stored in the working directory. When called, it first renames the data files left by a previous run with the same tenant and scanner by appending the extension .last to each filename. The script then creates the following data files:

  • job_[TENANT]_[SCANNER]_payload.json is the JSON payload which is sent to the SCB engine in order to start the scan.
  • job_[TENANT]_[SCANNER]_result.json contains JSON data of all findings returned by Elasticsearch.
  • job_[TENANT]_[SCANNER]_result.readable contains all findings returned by Elasticsearch. The contents are said to be somewhat more readable than their JSON counterpart.
  • job_[TENANT]_[SCANNER].log contains the console output of the script.

Filenames consist of the following dynamic parts:

  • [TENANT] corresponds to the value passed to the --tenant parameter and
  • [SCANNER] corresponds to the scanner used.

Template files

The file job_[TENANT]_[SCANNER]_payload.json is generated by replacing the following variables in the corresponding template file [SCANNER].template.json:

  • %TENANT%: Tenant, as given; e.g. mytenant
  • %TARGET%: Scan target, as given; e.g. http://www.example.com:8080/shop
  • %HOST_PORT%: Scan target, hostname and port number; e.g. www.example.com:8080
  • %HOST%: Scan target, hostname; e.g. www.example.com
  • %PORT%: Scan target, port number; e.g. 8080
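The three pieces described above (the automatic target transformation under Mandatory parameters, the .last rotation under Data files, and the variable substitution under Template files), as one added example that is not the project's run_scanner.sh. The template content written in the demo is constructed; the real templates ship with the SCB CLI tools. Assumptions of this example: a target without an explicit port defaults to 443 for https and 80 otherwise, only one generation of .last files is kept, and bracketed IPv6 literals are not handled.

```shell
#!/bin/sh
# Added example, not the project's run_scanner.sh: derive the template
# variables from a target, render [SCANNER].template.json into
# job_[TENANT]_[SCANNER]_payload.json, rotating the previous run's data
# files to *.last first.

# parse_target TARGET  ->  sets TARGET_HOST, TARGET_PORT and TARGET_HOST_PORT
# Accepts scheme://host[:port][/path], host:port or a bare hostname.
# Assumption: a missing port defaults to 443 for https and 80 otherwise.
parse_target() {
    local target="$1" scheme rest
    case "$target" in
        *://*) scheme="${target%%://*}"; rest="${target#*://}" ;;
        *)     scheme="";                rest="$target" ;;
    esac
    rest="${rest%%[/?#]*}"      # drop path, query string and fragment
    rest="${rest##*@}"          # drop user:password@ if present
    case "$rest" in
        *:*) TARGET_HOST="${rest%%:*}"; TARGET_PORT="${rest##*:}" ;;
        *)   TARGET_HOST="$rest"
             if [ "$scheme" = "https" ]; then TARGET_PORT=443; else TARGET_PORT=80; fi ;;
    esac
    TARGET_HOST_PORT="${TARGET_HOST}:${TARGET_PORT}"
}

# escape_sed STRING -> STRING safe to use in a sed replacement (with | as the
# s-command delimiter). Without this a target containing "&" (common in query
# strings) would be expanded by sed to the matched placeholder.
escape_sed() {
    printf '%s' "$1" | sed 's/[&|\\]/\\&/g'
}

# render_template TEMPLATE_FILE TENANT TARGET -> rendered payload on stdout
# Values are inserted verbatim: a target containing a double quote would
# still yield invalid JSON, so validate targets before accepting them in CI.
render_template() {
    local template="$1" tenant="$2" target="$3"
    parse_target "$target"
    sed -e "s|%TENANT%|$(escape_sed "$tenant")|g" \
        -e "s|%TARGET%|$(escape_sed "$target")|g" \
        -e "s|%HOST_PORT%|$(escape_sed "$TARGET_HOST_PORT")|g" \
        -e "s|%HOST%|$(escape_sed "$TARGET_HOST")|g" \
        -e "s|%PORT%|$(escape_sed "$TARGET_PORT")|g" \
        "$template"
}

# prepare_job TENANT SCANNER TARGET TEMPLATE_FILE
# Renames the four data files of the previous run (same tenant and scanner)
# to *.last, overwriting any older *.last, then writes the new payload file.
prepare_job() {
    local tenant="$1" scanner="$2" target="$3" template="$4"
    local base="job_${tenant}_${scanner}" f
    for f in "${base}_payload.json" "${base}_result.json" \
             "${base}_result.readable" "${base}.log"; do
        if [ -e "$f" ]; then
            mv -f "$f" "$f.last"
        fi
    done
    render_template "$template" "$tenant" "$target" > "${base}_payload.json"
}

# Demo (offline): constructed template, rendered twice to show the rotation.
demo_dir=$(mktemp -d)
cd "$demo_dir" || exit 1
cat > zap.template.json <<'EOF'
{"tenant": "%TENANT%", "target": "%TARGET%", "host": "%HOST%", "port": %PORT%, "hostPort": "%HOST_PORT%"}
EOF
prepare_job mytenant zap "http://www.example.com:8080/shop?a=1&b=2" zap.template.json
prepare_job mytenant zap "http://www.example.com:8080/shop?a=1&b=2" zap.template.json
ls job_mytenant_zap_*
cat job_mytenant_zap_payload.json
```

The escape_sed step is the part worth keeping even in a one-off script: the target is attacker-influenced input in the sense that it comes from whoever configures the CI job, and a stray "&" or "|" silently corrupts the payload rather than failing loudly.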