securecodebox/scanner-angularjs-csti-scanner

Sponsored OSS

By iteratec GmbH

Updated about 2 years ago

Image
Languages & Frameworks
Integration & Delivery
Security

10K+

License Apache-2.0GitHub release (latest SemVer)OWASP Lab ProjectArtifact HUBGitHub Repo starsTwitter Follower

What is OWASP secureCodeBox?

secureCodeBox Logo

OWASP secureCodeBox is an automated and scalable open source solution that can be used to integrate various security vulnerability scanners with a simple and lightweight interface. The secureCodeBox mission is to support DevSecOps Teams to make it easy to automate security vulnerability testing in different scenarios.

With the secureCodeBox we provide a toolchain for continuous scanning of applications to find the low-hanging fruit issues early in the development process and free the resources of the penetration tester to concentrate on the major security issues.

The secureCodeBox project is running on Kubernetes. To install it you need Helm, a package manager for Kubernetes. It is also possible to start the different integrated security vulnerability scanners based on a docker infrastructure.

Quickstart with secureCodeBox on kubernetes

You can find resources to help you get started on our documentation website including instruction on how to install the secureCodeBox project and guides to help you run your first scans with it.

Supported Tags

  • latest (represents the latest stable release build)
  • tagged releases, e.g. 3.0.6

How to use this image

This scanner image is intended to work in combination with the corresponding parser image to parse the scanner findings to generic secureCodeBox results. For more information details please take a look at the project page or [documentation page][https://www.securecodebox.io/docs/scanners/angularjs-csti-scanner].

docker pull securecodebox/scanner-angularjs-csti-scanner

What is AngularJS Client-Side Template Injection Scanner (acstis)?

The AngularJS Client-Side Template Injection Scanner (acstis) is an open source scanner for finding possible template injection vulnerabilities on websites using AngularJS.

For more information visit the projects GitHub site.

Scanner Configuration

The only mandatory parameter is:

Optional arguments:

-c, --crawl                                                                      use the crawler to scan all the entire domain
-vp, --verify-payload                                                            use a javascript engine to verify if the payload was executed (otherwise false positives may occur)
-av ANGULAR_VERSION, --angular-version ANGULAR_VERSION                           manually pass the angular version (e.g. 1.4.2) if the automatic check doesn't work
-vrl VULNERABLE_REQUESTS_LOG, --vulnerable-requests-log VULNERABLE_REQUESTS_LOG  log all vulnerable requests to this file (e.g. /var/logs/acstis.log or urls.log)
-siv, --stop-if-vulnerable                                                       (crawler option) stop scanning if a vulnerability was found
-pmm, --protocol-must-match                                                      (crawler option) only scan pages with the same protocol as the starting point (e.g. only https)
-sos, --scan-other-subdomains                                                    (crawler option) also scan pages that have another subdomain than the starting point
-soh, --scan-other-hostnames                                                     (crawler option) also scan pages that have another hostname than the starting point
-sot, --scan-other-tlds                                                          (crawler option) also scan pages that have another tld than the starting point
-md MAX_DEPTH, --max-depth MAX_DEPTH                                             (crawler option) the maximum search depth (default is unlimited)
-mt MAX_THREADS, --max-threads MAX_THREADS                                       (crawler option) the maximum amount of simultaneous threads to use (default is 20)
-iic, --ignore-invalid-certificates                                              (crawler option) ignore invalid ssl certificates

Do not override the option -vrl or --vulnerable-requests-log. It is already configured for automatic findings parsing.

Community

You are welcome, please join us on... 👋

secureCodeBox is an official OWASP project.

License

License

As with all Docker images, these likely also contain other software which may be under other licenses (such as Bash, etc from the base distribution, along with any direct or indirect dependencies of the primary software being contained).

As for any pre-built image usage, it is the image user's responsibility to ensure that any use of this image complies with any relevant licenses for all software contained within.

Docker Pull Command

docker pull securecodebox/scanner-angularjs-csti-scanner