
I want to use Burp Dastardly, which is the new DAST tool from PortSwigger.
Actually, I tried it in GitLab CI/CD but I got an error! I even tried it on my server.

This is how I use it in GitLab:

Burp_DAST:
  stage: dast
  image: docker:stable
  script:
    - |
      docker run --user $(id -u):$(id -g) --rm -v $(pwd):/dastardly -e \
      DASTARDLY_TARGET_URL=$TARGET_URL -e \
      DASTARDLY_OUTPUT_FILE=/dastardly/$CI_PROJECT_NAME-dastardly-report.xml \
      public.ecr.aws/portswigger/dastardly:latest
  artifacts:
    paths:
      - "$CI_PROJECT_NAME-dastardly-report.xml"
    when: always

And I get this error:

2022-11-01 12:03:09 INFO  dastardly.EventLogPrinter - Nov 01 2022 11:52:22 INFORMATION Audit started.
2022-11-01 12:03:09 INFO  dastardly.EventLogPrinter - Nov 01 2022 11:52:23 ERROR Could not start Burp's browser sandbox because you are running as root. Either switch to running as an unprivileged user or allow running without sandbox.
2022-11-01 12:03:09 ERROR dastardly.ScanFinishedHandler - Failing build as scanner identified issue(s) with severity higher than "INFO":
2022-11-01 12:03:09 ERROR dastardly.ScanFinishedHandler - Path: / Issue Type: Cross-origin resource sharing: arbitrary origin trusted Severity: HIGH
2022-11-01 12:03:09 ERROR dastardly.ScanFinishedHandler - Path: /robots.txt Issue Type: Cross-origin resource sharing: arbitrary origin trusted Severity: HIGH
2022-11-01 12:03:10 INFO  bsee.BurpProcess.scan.scan-1 - Deleting temporary files - please wait ... done.

EDIT

I did try it on my server and found out it works correctly if you run it as any sudoer user other than root. This is the command that I used:

sudo docker run --user $(id -u):$(id -g) --rm -v $(pwd):/dastardly -e DASTARDLY_TARGET_URL=$TARGET_URL -e DASTARDLY_OUTPUT_FILE=/dastardly/dastardly-report.xml public.ecr.aws/portswigger/dastardly:latest

So I need to know how to do this in GitLab, since docker:dind runs as the root user and docker:dind-rootless does not work well in GitLab?

Iman
  • Why are you running this in a nested Docker container? Why not run it directly with `image: public.ecr.aws/portswigger/dastardly:latest`? – Moshe Katz Nov 02 '22 at 11:36
  • I have two questions: 1) Then what is the script I should run? 2) As I said, I did try it on my server with the CLI but had the same problem, so what should I do? – Iman Nov 02 '22 at 12:15
  • If you have this problem locally then it's not a GitLab problem. Don't try to debug it inside of CI - that's just going to take way longer. Figure out how to set this up locally - feel free to ask another question and set up a smaller [mre], then try to debug the GitLab setup once you understand that. – Michael Delgado Nov 02 '22 at 14:40
  • @MichaelDelgado Actually, I solved the problem in the CLI. You only need to use a user other than root who is a sudoer, and run the command like this: `sudo docker run --user $(id -u):$(id -g) --rm -v $(pwd):/dastardly -e DASTARDLY_TARGET_URL=$TARGET_URL -e DASTARDLY_OUTPUT_FILE=/dastardly/dastardly-report.xml public.ecr.aws/portswigger/dastardly:latest` Any idea how to do it in GitLab? – Iman Nov 05 '22 at 08:44
  • You can change the current user with the USER Docker command. – Michael Delgado Nov 05 '22 at 16:50
  • I did, as you can see in my example. Can you show me some examples, please? – Iman Nov 06 '22 at 17:13

1 Answer


I am running the script to run docker-entrypoint.sh. Here is the working CI that I implemented.

stages:
    - dastardly

dastardly_burpsuit:
    image:
        name: public.ecr.aws/portswigger/dastardly:latest
        entrypoint: [""]
    stage: dastardly
    variables:
        # No need to clone the repo, we exclusively work on artifacts.  See
        # https://docs.gitlab.com/ee/ci/runners/README.html#git-strategy
        GIT_STRATEGY: none
        DASTARDLY_TARGET_URL: "https://ginandjuice.shop"
        DASTARDLY_OUTPUT_FILE: "$CI_PROJECT_NAME-dastardly-report.xml"
    artifacts:
        paths:
            - "$CI_PROJECT_NAME-dastardly-report.xml"
        when: always
    script:
        - "/bin/bash /usr/local/bin/docker-entrypoint.sh dastardly"
Ahsan Raza
  • Thanks! And you should add `allow_failure: true` so the pipeline is not stopped! – Iman Nov 07 '22 at 11:53
  • @Iman It depends on the requirements of the user. If you want the pipeline to fail when there are vulnerabilities in the scan, you wouldn't want the pipeline to continue further. – Ahsan Raza Nov 08 '22 at 16:36
  • Also, if you want to view the test results in the GitLab test tab, you can define them as reports:
    ```
    artifacts:
      paths:
        - "$CI_PROJECT_NAME-dastardly-report.xml"
      reports:
        junit: "$CI_PROJECT_NAME-dastardly-report.xml"
    ```
    – Ahsan Raza Nov 08 '22 at 16:38
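Pulling the answer and the follow-up comments together, the job below is an added example and is not code from the question, the answer or PortSwigger; the target URL is the answer's demo site and is an assumption to replace with your own, as is the choice of `allow_failure`.

```yaml
stages:
  - dastardly

dastardly_burpsuite:
  stage: dastardly
  image:
    name: public.ecr.aws/portswigger/dastardly:latest
    entrypoint: [""]          # clear the image entrypoint so `script:` runs in a shell
  variables:
    GIT_STRATEGY: none        # nothing to clone; the job only produces the report
    DASTARDLY_TARGET_URL: "https://ginandjuice.shop"   # assumption: replace with your target
    DASTARDLY_OUTPUT_FILE: "$CI_PROJECT_NAME-dastardly-report.xml"
  script:
    # Hand control back to the image's own entrypoint. GitLab runs the job as the
    # image's default user rather than as root, which the answer above reports
    # avoids the "Could not start Burp's browser sandbox" error seen with dind.
    - "/bin/bash /usr/local/bin/docker-entrypoint.sh dastardly"
  # Dastardly exits non-zero when it finds issues above INFO. allow_failure: true
  # keeps the pipeline moving but still marks this job failed (assumption: set it
  # to false if a HIGH finding should block the pipeline, as the answer's author notes).
  allow_failure: true
  artifacts:
    when: always              # keep the report even when the scan fails the job
    paths:
      - "$CI_PROJECT_NAME-dastardly-report.xml"
    reports:
      junit: "$CI_PROJECT_NAME-dastardly-report.xml"   # shows up in the Tests tab
```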