Security Knowledge Framework

项目地址:

可以用于 Pen-test Checklist.

1. Docker

项目提供了多种安装方式, 笔者尝试使用 Chef 安装, 但是遇到Error executing action 'install' on resource 'yum_package[python-pip.noarch]', 原因未明.

后来使用 Docker.

docker run -ti -p 127.0.0.1:443:5443 blabla1337/skf-flask

Visit https://127.0.0.1

2. 使用

2.1 注册用户

一定需要使用以下信息注册, 注册时不需要用户名. 用户名是 admin.

Pincode: 1234
Email : example@owasp.org
Username that is being configured is: admin

2.2 Create a new project

  • Pre-Development
  • Post-Development

2.3 Pre-Development

定义有哪些功能, 如 registration, File download.

定义完之后,可以前往 result - Functions 看建议.

2.4 Post-Development

Run Checklist.

首先需要选择该项目的 ASVS Level (wiki). 简单来说,就是按项目的重要性, 得出要 check 的项目的多少.

3. Troubleshooting

3.1. Vagrant Download box

需要使用 centOS 7.1. Chef 会处理一切,不过 vagrant 下载速度很慢. 于是利用save file to dropbox 先将文件下载到本地, 然后利用下面 command 添加到 vagrant.

➜  vagrant_project vagrant box add bento/centos-7.1 ~/Project/tools/vagrant-local-box/cent71/virtualbox.box
==> box: Box file was not detected as metadata. Adding it directly...
==> box: Adding box 'bento/centos-7.1' (v0) for provider:
    box: Unpacking necessary files from: file:///Users/its/Project/tools/vagrant-local-box/cent71/virtualbox.box
==> box: Successfully added box 'bento/centos-7.1' (v0) for 'virtualbox'!

3.2. Chef Kitchen converge default

wget timeout.

Try to use privoxy+shadowsocks. (Cant use proxychains4).

wget 仅支持 http proxy, 不支持 socks5, 需要利用 privoxy.

3.2.1 Privoxy

brew install privoxy

配置 config, /usr/local/etc/privoxy/config, 底部加入

listen-address 0.0.0.0:8118
forward-socks5 / 127.0.0.1:1080 .
➜  tools /usr/local/sbin/privoxy /usr/local/etc/privoxy/config

3.2.2 wget via proxy

vim ~/.wgetrc

#You can set the default proxies for Wget to use for http, https, and ftp.
# They will override the value in the environment.
https_proxy = http://127.0.0.1:8188/
http_proxy = http://127.0.0.1:8188/
ftp_proxy = http://127.0.0.1:8188/

# If you do not want to use proxy at all, set this to off.
use_proxy = on

注意端口与 privoxy 一致.

Ref

Show Comments