我想使用 Burp dastardly,这是 portswigger 的新 DAST 工具。
实际上我在 Gitlab CI/CD 中尝试过,但出现错误!即使我在我的服务器上尝试过。
这就是我在 Gitlab 中使用它的方式:
Burp_DAST:
stage: dast
image: docker:stable
script:
- |
docker run --user $(id -u):$(id -g) --rm -v $(pwd):/dastardly -e \
DASTARDLY_TARGET_URL=$TARGET_URL -e \
DASTARDLY_OUTPUT_FILE=/dastardly/$CI_PROJECT_NAME-dastardly-report.xml \
public.ecr.aws/portswigger/dastardly:latest
artifacts:
paths:
- "$CI_PROJECT_NAME-dastardly-report.xml"
when: always
我有这个错误:
2022-11-01 12:03:09 INFO dastardly.EventLogPrinter - Nov 01 2022 11:52:22 INFORMATION Audit started.
2022-11-01 12:03:09 INFO dastardly.EventLogPrinter - Nov 01 2022 11:52:23 ERROR Could not start Burp's browser sandbox because you are running as root. Either switch to running as an unprivileged user or allow running without sandbox.
2022-11-01 12:03:09 ERROR dastardly.ScanFinishedHandler - Failing build as scanner identified issue(s) with severity higher than "INFO":
2022-11-01 12:03:09 ERROR dastardly.ScanFinishedHandler - Path: / Issue Type: Cross-origin resource sharing: arbitrary origin trusted Severity: HIGH
2022-11-01 12:03:09 ERROR dastardly.ScanFinishedHandler - Path: /robots.txt Issue Type: Cross-origin resource sharing: arbitrary origin trusted Severity: HIGH
2022-11-01 12:03:10 INFO bsee.BurpProcess.scan.scan-1 - Deleting temporary files - please wait ... done.
编辑
我确实在我的服务器中尝试过它,发现如果您使用除 root 之外的任何 sudoer 用户运行它,它都会正常工作。这是我使用的命令:
sudo docker run --user $(id -u):$(id -g) --rm -v $(pwd):/dastardly -e DASTARDLY_TARGET_URL=$TAGET_URL -e DASTARDLY_OUTPUT_FILE=/dastardly/dastardly-report.xml public.ecr.aws/portswigger/dastardly:latest
所以我需要如何在 Gitlab 中执行此操作,因为
docker:dind
使用 root 用户运行并且 docker:dind-rootless
在 gitlab 中无法正常工作?
我正在运行脚本来运行 docker-entrypoint.sh 这是我实现的工作 CI。
stages:
- dastardly
dastardly_burpsuit:
image:
name: public.ecr.aws/portswigger/dastardly:latest
entrypoint: [""]
stage: dastardly
variables:
# No need to clone the repo, we exclusively work on artifacts. See
# https://docs.gitlab.com/ee/ci/runners/README.html#git-strategy
GIT_STRATEGY: none
DASTARDLY_TARGET_URL: "https://ginandjuice.shop"
DASTARDLY_OUTPUT_FILE: "$CI_PROJECT_NAME-dastardly-report.xml"
artifacts:
paths:
- "$CI_PROJECT_NAME-dastardly-report.xml"
when: always
script:
- "/bin/bash /usr/local/bin/docker-entrypoint.sh dastardly"
如果其他人遇到这篇文章并且上述解决方案不起作用,请尝试将脚本替换为
"/bin/bash /usr/local/bin/dastardly-entrypoint.sh dastardly"