Universal security testing tool development

 
Greenhorn
Posts: 24
Hi,

How to develop a universal security testing tool using open source and commercial tools? Need to invoke open-source tools like the FindSecBugs CLI and commercial tools like IBM AppScan Enterprise/Standard/Source, Nmap, etc. in HTML5 or Python. Need to customize the scan reports generated by the tools and display the security issues identified by the tools in a dashboard.


Thanks  
 
Saloon Keeper
Posts: 5041
That sounds like quite a project. How many man-months (more likely man-years) of development effort are you prepared to invest in that? Do you have much experience in security and penetration testing?
 
Marshal
Posts: 6257
I think from what Tim mentioned, the last sentence is of most relevance to you.

Taking some dummy example, assuming I know what I'm doing with Nmap for instance, producing the final report is just parsing the results from the tool's output and spitting out one document with nicely formatted info. So that doesn't sound like the most difficult part.

But as Tim mentioned, it isn't just about that.

But do you understand in general what Nmap is, how to find vulnerabilities, where to look for them? (No need to answer, just think for yourself.) Nmap isn't a tool which will identify and name vulnerabilities for you as such; it will just show you the requested info about the network. But will you understand how to read that info and how to interpret it? How could knowing such hypothetical info open some doors for you for further investigation? As far as I imagine, there aren't exactly defined steps A -> B -> C -> D which, after accomplishing them in that order, will tell you whether there is an issue or not. It requires, I presume, some sophisticated algorithms or direct human involvement.

Anyway, some resources for you to start with to investigate/research if you are interested in this field, it may give you some ideas:

Tools: Metasploit, Nmap (you already mentioned that one).
Book: "Nmap Network Scanning" by Gordon Fyodor Lyon
 
Ranch Hand
Posts: 355

jkp wk wrote:Hi,
How to develop an universal ...  


That (in bold) sounds at least weird to me.
 
Jim ken
Greenhorn
Posts: 24
Actually it should be completed within one week, and the programming language could be either Python, Java or any open source technology.
 
Tim Moores
Saloon Keeper
Posts: 5041
One week? Is this some sort of homework assignment? Either way, without severe additional constraints about what it should do, it's not going to happen in a week, nor in a month, and probably not in a year.
 
Jim ken
Greenhorn
Posts: 24
Hi, to explain in more detail with a code example: I am unable to upload a Notepad file or a .doc file, so in what format can we upload here?
 
Marshal
Posts: 61741
Please copy'n'paste your code into code tags. That link explains how they work.
 
Tim Moores
Saloon Keeper
Posts: 5041
You can't upload those file types here, but you can upload them somewhere else and link to them.
 
Jim ken
Greenhorn
Posts: 24
Somewhere else means where?
 
Campbell Ritchie
Marshal
Posts: 61741
On another website. Find out about pastebin, github, etc. I would still prefer to see copy'n'paste however; it is easier to find from here.
 
Liutauras Vilda
Marshal
Posts: 6257
Think critically about where; anywhere you like and can.

You have been told about the other options already.
 
Jim ken
Greenhorn
Posts: 24
Copy and paste is also not working; I am getting the below error:-

We're sorry, but your post appears to contain abbreviations that we don't like people to use at the Ranch. Because JavaRanch is an international forum, many of our members are not native English speakers. For that reason, it's important that we all try to write clear, standard English, and avoid abbreviations and SMS shortcuts. See here for more of an explanation. Thanks for understanding.

If the abbreviation occurs within code, you can use code tags to post it successfully. If the abbreviation is a variable name, you can use the tt tag.

The specific error message is: "u" is a silly English abbreviation; use "you" instead.
 
Jim ken
Greenhorn
Posts: 24
Seems too difficult to paste code here and ask for help on it.
 
Sheriff
Posts: 5446

Jim ken wrote: Copy and paste is also not working; I am getting the below error:-

We're sorry, but your post appears to contain abbreviations that we don't like people to use at the Ranch. Because JavaRanch is an international forum, many of our members are not native English speakers. For that reason, it's important that we all try to write clear, standard English, and avoid abbreviations and SMS shortcuts. See here for more of an explanation. Thanks for understanding.

If the abbreviation occurs within code, you can use code tags to post it successfully. If the abbreviation is a variable name, you can use the tt tag.

The specific error message is: "u" is a silly English abbreviation; use "you" instead.


This looks like you didn't UseCodeTags (that's a link) and you happen to have a variable u.
 
Knute Snortum
Sheriff
Posts: 5446

Jim ken wrote: Seems too difficult to paste code here and ask for help on it.


You can look at this page for instructions.  I can show you a simple example:
[code][/code]
 
Harry Kar
Ranch Hand
Posts: 355

Jim ken wrote: Seems too difficult to paste code here and ask for help on it.



1. Copy and paste your code here, in the left hand side (it's a formatter; press the Beautify button up left).
2. Copy the formatted code (on the right side of the formatter) and paste it here (in your post editor).
3. Select (in your post editor) your formatted code snippet and press the Code button up top.
4. Continue with your post, see if there is some error, correct it and press Submit.
 
Jim ken
Greenhorn
Posts: 24
Please find the uploaded Java file which has the code in it; it's uploaded after following the advised steps:-

1. Copy and paste your code here, in the left hand side (it's a formatter; press the Beautify button up left).
2. Copy the formatted code (on the right side of the formatter) and paste it here (in your post editor).
3. Select (in your post editor) your formatted code snippet and press the Code button up top.
4. Continue with your post, see if there is some error, correct it and press Submit.


 
Jim ken
Greenhorn
Posts: 24
Again the attachment is not uploaded, and the same error:-

We're sorry, but your post appears to contain abbreviations that we don't like people to use at the Ranch. Because JavaRanch is an international forum, many of our members are not native English speakers. For that reason, it's important that we all try to write clear, standard English, and avoid abbreviations and SMS shortcuts. See here for more of an explanation. Thanks for understanding.

If the abbreviation occurs within code, you can use code tags to post it successfully. If the abbreviation is a variable name, you can use the tt tag.

The specific error message is: "u" is a silly English abbreviation; use "you" instead.
 
Jim ken
Greenhorn
Posts: 24
Trying to post it in different parts, as the whole code is not getting pasted completely:-

Part 1:-

 
Jim ken
Greenhorn
Posts: 24
Part 2:-

 
Jim ken
Greenhorn
Posts: 24
Part 3:-

 
Jim ken
Greenhorn
Posts: 24
Part 4:-

 
Jim ken
Greenhorn
Posts: 24
Part 5:-

 
 
Jim ken
Greenhorn
Posts: 24
So please copy all these parts, starting from part 1 to 5, one after another and take it as the complete code for this tool.

Here, once we execute this Python script, the main goal is to work on the SAST and Dependency Check Tool part of the tool first.

Let's complete this activity and we will update the other modules in a similar way.

SAST tools - VCG, YASCA and a script to search keywords and function names in the codebase and report the matched term + line number and instances.

Options to save the reports in HTML/PDF/XML in the UI (options to select the code technology for scanning - Java/.NET for now).

So how to achieve this scanning (searching) of keywords and function names in the codebase, and also how to write the code for report generation with the matching term (from the specific keywords/parameters), their line numbers and their instances?
 
Tim Moores
Saloon Keeper
Posts: 5041
That's a lot of largely unformatted and largely uncommented code to ask people to take a look at. What specifically is wrong with it? Where are you stuck making it do what you need it to do? What ideas have you had about that?
 
Liutauras Vilda
Marshal
Posts: 6257

Jim ken wrote: Trying to post it in different parts, as the whole code is not getting pasted completely


Good that it doesn't let you post all of it; I think we added a prevention system some time ago for such occasions, which rarely happen, but sometimes they still do. We might need to revise it and improve it further.

Anyway, I had to scroll down to remind myself what your question was. Were you given this GUI template?

Well, this program in general wouldn't work due to incorrect formatting. Python is strict on that.

There are code parts which don't make sense, for instance the following:
So the instruction would look like: cmd /k ..\\plugins\\DatabaseAudit\\DatabaseAudit.jar.
Now, obviously this wouldn't work. Jar files get executed differently. The same problem occurs with many other instructions to be invoked.

The problem in general with your script is that it is not organized at all. It is more than 500 lines of code, all crammed into a single file, which makes it hard to follow.
I have deleted the GUI stuff, and the actual non-GUI stuff isn't that much, so I'd start this tool not from the GUI, but would get it working from the console first.

First task could be:
1. execute a Python script which executes the jar (I presume it is executable) file
2. print the executable jar's output file (I assume it is a text file) to the console

By going in small steps like that you might achieve something; at least it would look a bit more promising than it does now.
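The two console-first steps above (launch a jar from Python, then print the file it produced), as an added example; this is not code from the thread or from any poster. It assumes a jar at plugins/DatabaseAudit/DatabaseAudit.jar (the path mentioned above) and an output file name that is purely hypothetical. The point it makes for a tool that drives external scanners: an executable jar is started through the JVM with `java -jar`, and the command is built as an argument list without a shell, so file names containing spaces or shell metacharacters are passed through literally rather than interpreted.

```python
import subprocess
import sys
from pathlib import Path

# Hypothetical paths: the thread mentions plugins/DatabaseAudit/DatabaseAudit.jar;
# the name of the file the jar writes is an assumption for this example.
JAR = Path("plugins") / "DatabaseAudit" / "DatabaseAudit.jar"
OUTPUT_FILE = Path("DatabaseAudit-output.txt")


def build_command(jar, extra_args=()):
    """An executable jar is launched through the JVM, not run like an .exe.

    Returns an argument list (no shell involved), so paths need no quoting
    and nothing in them is interpreted by cmd.exe or /bin/sh.
    """
    return ["java", "-jar", str(jar), *extra_args]


def run_jar(jar, extra_args=(), timeout=600):
    """Run the jar, capture stdout/stderr, and return (exit_code, stdout, stderr).

    A timeout keeps a hung scanner from blocking the whole tool forever.
    """
    cmd = build_command(jar, extra_args)
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True,
                              timeout=timeout, check=False)
    except FileNotFoundError:
        raise RuntimeError("java was not found on PATH") from None
    except subprocess.TimeoutExpired:
        raise RuntimeError(f"{jar} did not finish within {timeout}s") from None
    return proc.returncode, proc.stdout, proc.stderr


def read_output(path):
    """Return the text of the file the jar produced; fail clearly if it is missing."""
    path = Path(path)
    if not path.exists():
        raise FileNotFoundError(f"expected output file {path} was not produced")
    return path.read_text(encoding="utf-8", errors="replace")


if __name__ == "__main__":
    if not JAR.exists():
        sys.exit(f"{JAR} not found; adjust JAR to point at the executable jar")
    exit_code, out, err = run_jar(JAR)
    print(f"{JAR.name} exited with status {exit_code}")
    if err:
        print(err, file=sys.stderr)
    # Step 2: print the jar's output file to the console.
    print(read_output(OUTPUT_FILE))
```

Once this works from the console, the GUI button can call `run_jar` and `read_output` instead of assembling a `cmd /k` string; the same two functions also serve any other command-line scanner the tool wraps.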

 
Jim ken
Greenhorn
Posts: 24
It does work if compiled using Python TestSuite.py, and once 'SAST' is clicked it should scan some file, let's say an HTML file, for some specific keywords like the following:-

addBatch
execute
executeQuery
ExecuteUpdate
prepareStatement
prepareCall
createNativeQuery
createQuery
createSQLQuery
find
delete
save
saveOrUpdate
load
update
File
RandomAccessFile
FileReader
FileInputStream
FileWriter
FileOutputStream
getResource
getResourceAsStream
internetAddress
parse
Compile
Evaluate
XPath
getValue
query
setContent
getConnection
print
println
setAttribute
readLine
exec
compile
sleep
load
loadLibrary
XmlRpcClient
execute
executeAsync
InitialDirContext
search
setReturningAttributes
connect
search
config
fine
finer
finest
info
warning
severe
entering
log
debug
error
fatal
trace
warn
write
readLine
printStackTrace

And once it finds a match, it should tell how many times it found a match for these keywords in this file and also tell the line number where it found the match.

So how to write the code for this pattern matching once the 'SAST' button is clicked?
 
Jim ken
Greenhorn
Posts: 24
Also, after finding the matches and the number of such occurrences in the file (HTML), it should generate a report in some PDF file or text file for the same.
 
Liutauras Vilda
Marshal
Posts: 6257
OK, I'm failing to understand what is really happening here, so I can't help much anymore.
 
Jim ken
Greenhorn
Posts: 24
Python experts could you please assist here?
 
Jim ken
Greenhorn
Posts: 24
OK, once again explaining with this complete set of code starting from part 1 to part 5: when it's compiled and executed using Python TestSuite.py, and once the 'SAST' button is clicked, it should scan some file, let's say an HTML file, for some specific keywords like those posted in the previous post:-
addBatch
execute
executeQuery
ExecuteUpdate
prepareStatement
prepareCall
createNativeQuery
createQuery
createSQLQuery
find
delete
save
saveOrUpdate
load
update
File
RandomAccessFile
FileReader
FileInputStream
FileWriter
FileOutputStream
getResource
getResourceAsStream
internetAddress
parse
Compile
Evaluate
XPath
getValue
query
setContent
getConnection
print
println
setAttribute
readLine
exec
compile
sleep
load
loadLibrary
XmlRpcClient
execute
executeAsync
InitialDirContext
search
setReturningAttributes
connect
search
config
fine
finer
finest
info
warning
severe
entering
log
debug
error
fatal
trace
warn
write
readLine
printStackTrace

So after scanning for these keywords, this script should be modified in such a way that it is able to generate some report in PDF format or text format with these details: that this particular keyword is matched in that HTML file, at this particular line number, and this many times it occurred in this HTML file. Hope everything is clear now.

Thanks.
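The scan described in this post and in the earlier one (count every keyword hit in a file, record the line number of each hit, and write a text report), as an added example; it is not code from the thread or from any poster, and it is independent of the GUI. The keyword list below is a constructed subset of the list posted above, and the sample HTML is constructed too. Matching is case-sensitive and word-bounded, so `execute` does not fire inside `executeQuery`, and the alternation is built longest-first so the longer name wins when two keywords share a prefix.

```python
import re
from collections import defaultdict

# Constructed subset of the keyword list posted in the thread; extend with the
# remaining names as needed. Order does not matter, the pattern sorts them.
KEYWORDS = [
    "execute", "executeQuery", "prepareStatement", "exec",
    "readLine", "File", "FileInputStream", "printStackTrace",
]

# Constructed sample standing in for the HTML file the SAST button would scan.
SAMPLE = """<html>
<script>
var stmt = conn.prepareStatement(sql);
stmt.execute();
var f = new File(path);
</script>
<p>execute the plan</p>
</html>
"""


def build_pattern(keywords):
    """Compile one word-bounded alternation, longest keyword first."""
    alts = sorted(set(keywords), key=len, reverse=True)
    return re.compile(r"\b(" + "|".join(re.escape(k) for k in alts) + r")\b")


def scan_text(text, keywords):
    """Return {keyword: [line numbers]}, one entry per occurrence.

    A keyword that appears twice on a line is listed twice, so len() of the
    list is the occurrence count the report needs.
    """
    pattern = build_pattern(keywords)
    hits = defaultdict(list)
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in pattern.finditer(line):
            hits[match.group(1)].append(lineno)
    return dict(hits)


def scan_file(path, keywords):
    """Scan a file on disk; undecodable bytes are replaced rather than aborting the scan."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read(), keywords)


def format_report(filename, hits):
    """Plain-text report: per keyword the count and line numbers, then a total."""
    lines = [f"SAST keyword report for {filename}", ""]
    total = 0
    for keyword in sorted(hits):
        linenos = hits[keyword]
        total += len(linenos)
        lines.append(f"{keyword}: {len(linenos)} occurrence(s) at line(s) "
                     + ", ".join(str(n) for n in linenos))
    lines.append("")
    lines.append(f"Total matches: {total}")
    return "\n".join(lines)


def write_report(path, report_text):
    """Write the report to a text file; this is what the 'save report' option would call."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(report_text)


if __name__ == "__main__":
    hits = scan_text(SAMPLE, KEYWORDS)
    report = format_report("sample.html", hits)
    print(report)
    write_report("sample-report.txt", report)
```

Two things worth knowing before trusting the output. First, the hit on line 7 of the sample (`execute` inside ordinary paragraph text) shows that a keyword grep has no idea of context: it flags the name wherever it appears, so every hit still needs a human to decide whether it is a real finding, which is the same caveat raised earlier in the thread about reading tool output. Second, a PDF report needs a third-party library (for example reportlab) on top of this; the text report above is what the GUI would feed to it.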
 
Jim ken
Greenhorn
Posts: 24
Any updates by experts please?
 
Tim Moores
Saloon Keeper
Posts: 5041
Frankly, I doubt that there will be useful answers. It's unclear what you intend to achieve, and the code is pretty hard to read and rather unwieldy. More focused questions with short, relevant code examples tend to attract more replies.
 
Jim ken
Greenhorn
Posts: 24
OK, then can some admin please delete all my posts regarding this query from this forum?
 