- Web Application Security Testing Framework
- backend/Dockerfile
- Create app directory
- Install app dependencies
- Bundle app source
- Expose port
- Start the server
- frontend/Dockerfile
- Create app directory
- Install app dependencies
- Bundle app source
- Build the app
- Serve the app using a static server
- terraform/main.tf
- Additional resources like ECS services, Load Balancers, etc.
The Web Application Security Testing Framework is a comprehensive full-stack application designed to systematically identify and mitigate security vulnerabilities in web applications. It automates security scans, validates input sanitization, checks for common misconfigurations, and generates detailed security reports, focusing on the OWASP Top 10 vulnerabilities.
- OWASP Top 10 Vulnerability Testing: Automated checks for the most critical web application security risks.
- Automated Security Scans: Schedule and execute scans with ease.
- Input Sanitization Validation: Ensure all inputs are properly sanitized to prevent injection attacks.
- Misconfiguration Checks: Identify common misconfigurations in web applications.
- Comprehensive Security Reports: Generate detailed reports with visualizations and remediation recommendations.
- User Authentication & Authorization: Secure access with role-based permissions.
- Real-time Scan Monitoring: Track scan progress in real-time via WebSockets.
The framework follows a modular architecture consisting of:
- Frontend: Built with React.js, providing an intuitive user interface for configuring scans, viewing results, and generating reports.
- Backend: Developed with Node.js and Express.js, handling API requests, orchestrating scans, and managing data.
- Database: Utilizes PostgreSQL for storing user data, scan configurations, results, and reports.
- Scanner Modules: Integrates OWASP ZAP and custom scripts to perform specific security tests.
- Reporting Engine: Aggregates scan data and generates comprehensive reports in various formats.
- Authentication & Authorization: Manages user access using JWT and Passport.js.
The application is organized into distinct frontend and backend components with clear separation of concerns.
Three core models (User, Scan, Report) with well-defined relationships support the application's data requirements.
Secure JWT-based authentication with httpOnly cookies, bcrypt password hashing, and comprehensive validation.
End-to-end security scanning process with real-time updates, OWASP ZAP integration, and automated report generation.
- Framework: React.js
- State Management: Redux
- Styling: Tailwind CSS
- Real-time Communication: Socket.IO
- Framework: Node.js with Express.js
- Language: JavaScript/TypeScript
- Task Scheduler: Bull (for job queues)
- Authentication: JWT with Passport.js
- Relational Database: PostgreSQL
- ORM: Sequelize
- OWASP ZAP: For automated vulnerability scanning
- Custom Scripts: Python scripts for specific tests
- PDF Generation: Puppeteer
- Charts: Chart.js
We utilize GitHub Actions to automate our CI/CD pipeline. The pipeline performs the following:
- Code Linting and Formatting: Ensures code quality and consistency using ESLint and Prettier.
- Running Tests: Executes unit and integration tests to verify functionality.
- Building Docker Images: Builds Docker images for the frontend and backend.
- Deployment: Automatically deploys the application to the staging/production environment upon successful builds.
GitHub Actions Workflow Example:
name: CI/CD Pipeline
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
jobs:
build:
runs-on: ubuntu-latest
services:
postgres:
image: postgres:12
env:
POSTGRES_USER: username
POSTGRES_PASSWORD: password
POSTGRES_DB: websecdb
ports:
- 5432:5432
options: >-
--health-cmd="pg_isready -U username"
--health-interval=10s
--health-timeout=5s
--health-retries=5
steps:
- uses: actions/checkout@v2
- name: Set up Node.js
uses: actions/setup-node@v2
with:
node-version: '16'
- name: Install Backend Dependencies
working-directory: ./backend
run: npm install
- name: Install Frontend Dependencies
working-directory: ./frontend
run: npm install
- name: Run Backend Tests
working-directory: ./backend
run: npm test
- name: Run Frontend Tests
working-directory: ./frontend
run: npm test
- name: Build Docker Images
run: docker-compose build
- name: Push to Docker Hub
uses: docker/login-action@v1
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Push Backend Image
run: docker push yourdockerhubusername/backend:latest
- name: Push Frontend Image
run: docker push yourdockerhubusername/frontend:latest
- name: Deploy to Production
run: |
ssh user@yourserver "docker pull yourdockerhubusername/backend:latest && docker pull yourdockerhubusername/frontend:latest && docker-compose up -d"
env:
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
### Containerization with Docker
Containerizing the application ensures consistency across different environments and simplifies deployment.
Dockerfile for Backend:
# backend/Dockerfile
FROM node:16
# Create app directory
WORKDIR /usr/src/app
# Install app dependencies
COPY backend/package*.json ./
RUN npm install
# Bundle app source
COPY backend/. .
# Expose port
EXPOSE 5002
# Start the server
CMD [ "npm", "start" ]
Dockerfile for Frontend:
# frontend/Dockerfile
FROM node:16
# Create app directory
WORKDIR /usr/src/app
# Install app dependencies
COPY frontend/package*.json ./
RUN npm install
# Bundle app source
COPY frontend/. .
# Build the app
RUN npm run build
# Serve the app using a static server
RUN npm install -g serve
CMD ["serve", "-s", "build", "-l", "3001"]
docker-compose.yml:
version: '3.8'
services:
backend:
build: ./backend
ports:
- "5002:5002"
environment:
- DATABASE_URL=postgres://username:password@db:5432/websecdb
- JWT_SECRET=your_jwt_secret
- ZAP_API_KEY=your_zap_api_key
depends_on:
- db
frontend:
build: ./frontend
ports:
- "3001:3001"
depends_on:
- backend
db:
image: postgres:12
environment:
POSTGRES_USER: username
POSTGRES_PASSWORD: password
POSTGRES_DB: websecdb
ports:
- "5432:5432"
volumes:
- db-data:/var/lib/postgresql/data
prometheus:
image: prom/prometheus
volumes:
- ./prometheus/prometheus.yml:/etc/prometheus/prometheus.yml
ports:
- "9090:9090"
volumes:
db-data:
Running with Docker Compose:
docker-compose up --build
Infrastructure as Code (IaC)
If you’re provisioning infrastructure using tools like Terraform or Ansible, include the relevant scripts and instructions here.
Example: Terraform Setup
# terraform/main.tf
provider "aws" {
region = "us-west-2"
}
resource "aws_ecs_cluster" "websec_cluster" {
name = "websec-cluster"
}
# Additional resources like ECS services, Load Balancers, etc.
Running Terraform:
cd terraform
terraform init
terraform apply
Monitoring and Logging
Implement monitoring and logging to track application performance and security.
• Prometheus & Grafana: For monitoring metrics.
• ELK Stack (Elasticsearch, Logstash, Kibana): For centralized logging and visualization.
Example: Adding Prometheus to docker-compose.yml
prometheus:
image: prom/prometheus
volumes:
- ./prometheus/prometheus.yml:/etc/prometheus/prometheus.yml
ports:
- "9090:9090"
Installation
Prerequisites
Ensure you have the following installed on your system:
• Node.js: v14.x or higher
• npm: v6.x or higher
• PostgreSQL: v12.x or higher
• Python: v3.8 or higher (for custom scanner scripts)
• Docker: (Optional, for containerized setup)
• Docker Compose: (If using Docker for orchestration)
Backend Setup
1. Clone the Repository:
git clone https://github.com/yourusername/web-sec-testing-framework.git
cd web-sec-testing-framework/backend
2. Install Dependencies:
npm install
3. Configure Environment Variables:
Create a .env file in the backend directory:
PORT=5002
DATABASE_URL=postgres://username:password@localhost:5432/websecdb
JWT_SECRET=your_jwt_secret
ZAP_API_KEY=your_zap_api_key
4. Run Database Migrations:
npx sequelize-cli db:migrate
5. Start the Backend Server:
npm start
Frontend Setup
1. Navigate to Frontend Directory:
cd ../frontend
2. Install Dependencies:
npm install
3. Configure Environment Variables:
Create a .env file in the frontend directory:
REACT_APP_API_URL=http://localhost:5002/api
4. Start the Frontend Server:
npm start
Database Setup
1. Install PostgreSQL:
Follow the official installation guide for your operating system.
2. Create Database and User:
CREATE DATABASE websecdb;
CREATE USER username WITH ENCRYPTED PASSWORD 'password';
GRANT ALL PRIVILEGES ON DATABASE websecdb TO username;
3. Verify Connection:
Ensure that the backend can connect to the PostgreSQL database using the provided DATABASE_URL.
Docker Setup
1. Ensure Docker and Docker Compose are Installed:
• Install Docker
• Install Docker Compose
2. Build and Run Containers:
docker-compose up --build
3. Access the Application:
• Frontend: http://localhost:3001
• Backend: http://localhost:5002
Usage
Running the Application
1. Start Backend and Frontend Servers:
Ensure both backend and frontend servers are running (either via Docker or manually).
2. Access the Application:
Open your browser and navigate to http://localhost:3001.
Performing a Security Scan
1. Login/Register:
• Register a new account or log in with existing credentials.
2. Configure a New Scan:
• Navigate to the Dashboard.
• Click on New Scan.
• Enter the target web application URL.
• Select specific OWASP Top 10 vulnerabilities to test or choose a full scan.
• Configure additional scan settings as needed.
3. Initiate the Scan:
• Click on Start Scan.
• Monitor scan progress in real-time via the dashboard.
4. View Scan Results:
• Once the scan is complete, view detailed results highlighting identified vulnerabilities.
Generating Reports
1. Navigate to Reports:
• Go to the Reports section in the dashboard.
2. Generate a Report:
• Select the completed scan for which you want to generate a report.
• Choose the desired format (PDF, HTML, JSON).
• Click on Generate Report.
3. Download/View Report:
• Once generated, download the report or view it directly in the browser.
Testing
Running Tests
Ensure all tests pass before contributing or deploying.
1. Backend Tests:
cd backend
npm test
2. Frontend Tests:
cd frontend
npm test
3. End-to-End Tests:
(If applicable, describe how to run e2e tests using tools like Cypress)
npm run e2e
API Documentation
Comprehensive API documentation is available here.
Troubleshooting
• Backend Not Connecting to Database:
• Ensure PostgreSQL is running.
• Verify DATABASE_URL in .env is correct.
• Port Conflicts:
• Change the default ports in .env or docker-compose.yml if ports 3001 or 5002 are in use.
• Docker Issues:
• Ensure Docker daemon is running.
• Check Docker Compose logs for errors:
docker-compose logs
• Scan Failures:
• Verify the target URL is correct and accessible.
• Check ZAP_API_KEY and ensure OWASP ZAP is running properly.
Contributing
Contributions are welcome! Please follow these steps to contribute:
1. Fork the Repository
2. Create a Feature Branch
git checkout -b feature/YourFeature
3. Commit Your Changes
git commit -m "Add some feature"
4. Push to the Branch
git push origin feature/YourFeature
5. Open a Pull Request
Please ensure that your code adheres to the project’s coding standards and passes all tests.
License
This project is licensed under the MIT License.
## 👤 Author & Maintainer
This repository is maintained by [Donnivis Baker](https://github.com/dbsectrainer). For questions or feedback, please open an issue or reach out directly.
Acknowledgements
• OWASP ZAP - Open-source security tool for scanning web applications.
• React.js - Frontend library for building user interfaces.
• Node.js - JavaScript runtime for backend development.
• Docker - Platform for containerizing applications.
• Prometheus & Grafana - Monitoring and visualization tools.
• Sequelize - Promise-based Node.js ORM for PostgreSQL.
© 2024 Web Application Security Testing Framework. All rights reserved.