{"id":3775,"date":"2014-08-23T04:50:25","date_gmt":"2014-08-22T20:50:25","guid":{"rendered":"https:\/\/www.darknet.org.uk\/?p=3775"},"modified":"2014-08-23T04:50:35","modified_gmt":"2014-08-22T20:50:35","slug":"garmr-automate-web-application-security-tests","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2014\/08\/garmr-automate-web-application-security-tests\/","title":{"rendered":"Garmr – Automate Web Application Security Tests"},"content":{"rendered":"

Garmr is a tool to inspect the responses from websites for basic security requirements. It includes a set of core test cases implemented in corechecks that are derived from the Mozilla Secure Coding Guidelines which can be found here:<\/p>\n

https:\/\/wiki.mozilla.org\/WebAppSec\/Secure_Coding_Guidelines<\/a><\/p>\n

The purpose of this page is to establish a concise and consistent approach to secure application development of Mozilla web applications and web services. The information provided here will be focused towards web based applications; however, the concepts can be universally applied to applications to implement sound security controls and design.<\/p>\n

This page will largely focus on secure guidelines and may provide example code at a later time.<\/p><\/blockquote>\n


It’s a useful tool which, combined with others, automates web application security tests to a decent, fairly comprehensive baseline. It was built to be part of a Continuous Integration process by the Mozilla WebQA team, but could easily be adopted by other teams and used in a similar way – it outputs a JUnit style XML report that can be consumed by other tools such as Jenkins.<\/p>\n

This is why it’s well suited for use in a tool such as Gauntlt \u2013 Security Testing Framework For Developers & Ops<\/a>.<\/p>\n

Usage<\/strong><\/p>\n

usage: Runs a set of tests against the set of provided URLs\r\n   [-h] [-u TARGETS] [-f TARGET_FILES] [-S] [-m MODULES] [-D] [-p] [-d]\r\n   [-r REPORT] [-o OUTPUT] [-c OPTS] [-e EXCLUSIONS] [--save DUMP_PATH]\r\n\r\noptional arguments:\r\n  -h, --help            show this help message and exit\r\n  -u TARGETS, --url TARGETS\r\n                        Add a target to test\r\n  -f TARGET_FILES, --target-file TARGET_FILES\r\n                        File with URLs to test\r\n  -S, --new-sessions    Create new Session for each test\r\n  -m MODULES, --module MODULES\r\n                        Load an extension module\r\n  -D, --disable-core    Disable corechecks\r\n  -p, --force-passive   Force passives to be run for each active test\r\n  -d, --dns             Skip DNS resolution when registering a target\r\n  -r REPORT, --report REPORT\r\n                        Load a reporter e.g. -r reporter.AntXmlReporter\r\n  -o OUTPUT, --output OUTPUT\r\n                        Default output is garmr-results.xml\r\n  -c OPTS, --check OPTS\r\n                        Set a parameter for a check (check:opt=value)\r\n  -e EXCLUSIONS, --exclude EXCLUSIONS\r\n                        Prevent a check from being run\/processed\r\n  --save DUMP_PATH      Write out a configuration file based on parameters\r\n                        (won't run scan)\r\n\r\n\r\nA TARGET is an http or https scheme url to execute tests against.\r\n e.g. garmr -u http:\/\/localhost\r\n\r\nA MODULE is the name of a module; resolving this path needs to be improved\r\n e.g. garmr -m djangochecks (Experimental)\r\n\r\nAn OPTS field contains the path and name of the option to set\r\n e.g. garmr -m webchecks -c webchecks.RobotsTest:save_contents=True\r\n\r\nA REPORT is the namespace qualified name of a reporter object or a valid alias (xml is the only current valid alias, and the default)\r\n e.g. garmr -r xml\r\n\r\nAn EXCLUSION prevents a check from being executed\r\n e.g. garmr -e WebTouch\r\n\r\nDisable core checks will prevent all of the checks in corechecks from being loaded; this is useful to limit the scope of testing.<\/pre>\n

You can download the latest version here:<\/p>\n

master.zip<\/a><\/p>\n

Or read more here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"

Garmr is a tool to inspect the responses from websites for basic security requirements. It includes a set of core test cases implemented in corechecks that are derived from the Mozilla Secure Coding Guidelines which can be found here: https:\/\/wiki.mozilla.org\/WebAppSec\/Secure_Coding_Guidelines The purpose of this page is to establish a concise and consistent approach to secure […]<\/p>\n","protected":false},"author":25,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"Garmr is a tool to inspect the responses from websites for basic security requirements, designed to help automate web application security tests.","_seopress_robots_index":"","_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[9,15],"tags":[1178,4825,396,1582,376,2601],"featured_image_src":null,"featured_image_src_square":null,"author_info":{"display_name":"Darknet","author_link":"https:\/\/www.darknet.org.uk\/author\/darknet\/"},"_links":{"self":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/3775"}],"collection":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/users\/25"}],"replies":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/comments?post=3775"}],"version-history":[{"count":0,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/3775\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/media?parent=3775"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/categories?post=3775"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/tags?post=3775"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}