Cloudkrunch

Dastardly Web Scanner

Testing, GitHub Actions, CICD | 2 min read

Pipelines

It's that time again! Time to dust off my CICD pipelines and add some new features that could help with the security of my applications. This time around, I found a cool and interesting tool developed by PortSwigger, the owner of BurpSuite, a well-respected DAST scanner in application security circles. BurpSuite is a pricey piece of software, coming in at $450 a year at the time of this writing for the Professional version (what a general pentester or a small business would typically use). Fortunately, a small subset of the BurpSuite DAST scanner ruleset is available in a FOSS (free and open-source software) tool called Dastardly.

Adding it to the pipeline

Dastardly is really easy to set up, and looking at the offering you can get a pretty good idea of what it does well.

Here's a list of the vulnerabilities that Dastardly looks at:

  1. Cross-site Scripting (XSS)
  2. Cross-origin resource sharing (CORS)
  3. Vulnerable JavaScript dependencies
  4. Content type not being specified
  5. Multiple content types being specified
  6. HTML charset not specified
  7. Duplicate cookies set

Looking at this list, it becomes apparent what this scanner is best at, and that would be web application scanning, specifically web pages. With this in mind, I thought it would make sense to try out this scanner on the Cloudkrunch blog. Adding it to my existing GitHub Actions pipeline was super simple. I followed the directions in their GitHub README and put it after the deployment code for the site. I used the "suggested usage" section and only changed the "@main" reference to "@v1.0.0" to keep it versioned. This let me get the results as a summary in the overview of the GitHub Actions job.

Results

Dastardly Report

Dastardly tested 52 rules and the website passed all of them. The blog is a simple Gatsby static site, so I wasn't expecting any vulnerabilities. Also, this is done post-deployment just as a sanity check, but I might add this as a multi-environment deployment one day, and it could be useful as a control gate.
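As an added example (not the workflow from this post or from PortSwigger), here is a GitHub Actions workflow in the shape described above: the scan job runs only after the deploy job, and the action ref is pinned to v1.0.0 instead of @main. It also sketches the control-gate idea from the Results section, which goes beyond what the post set up. The `target-url` input, the `dastardly-report.xml` file name and the JUnit report step are taken from the Dastardly README's suggested usage as I recall it, so treat them as assumptions to check against the current README; the site URL is a placeholder.

```yaml
name: Deploy and scan

on:
  push:
    branches: [main]

jobs:
  deploy-staging:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Stand-in for the site's own build-and-deploy steps (Gatsby build, upload, ...)
      - name: Build and deploy to staging
        run: echo "build and deploy the site to staging here"

  dastardly:
    # Waits for the deployment so the scan hits the freshly deployed site
    needs: deploy-staging
    runs-on: ubuntu-latest
    steps:
      - name: Run Dastardly scan
        # Pinned to a release tag rather than @main, as the post recommends.
        # No continue-on-error here: if the scan step fails, this job fails
        # and the production job below never runs (assumption: the action
        # returns a non-zero exit status when it reports issues).
        uses: PortSwigger/dastardly-github-action@v1.0.0
        with:
          target-url: 'https://staging.example.invalid'   # placeholder URL; assumed input name
      - name: Publish Dastardly report
        # Always publish the JUnit-style report so findings show up in the job summary
        if: always()
        uses: mikepenz/action-junit-report@v3
        with:
          report_paths: '**/dastardly-report.xml'   # assumed report path from the README
          require_tests: true

  deploy-production:
    # Gate: production only deploys when the staging scan job succeeded
    needs: dastardly
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Deploy to production
        run: echo "deploy the site to production here"
```

For the post-deployment sanity-check setup described above, keep only the `dastardly` job after the existing deploy job and add `continue-on-error: true` to the scan step so findings are reported without failing the pipeline.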

Wrapping up

This was a small improvement, but a fun one. I'll be doing some more security-related work soon, so keep a lookout for that. If you found the article helpful, please send it to a friend! Have a good day.