<< [[2022-07-03]] | [[2022-07-05]] >>
The Tao and technique of a tool: the Tao is the tool's inherent philosophy; if "philosophy" sounds too grand, call it the tool's logic. A tool's elegance shows in its Tao, and although the Tao looks intangible, it is what most readily distinguishes tools of the same type from one another. The technique is the technical level: how the tool is operated and put to use.
ThreadFix¶
0x01 Introduction¶
ThreadFix is a Java EE application which runs on Apache Tomcat and requires a relational SQL database to store and manage user data. The recommended enterprise installation calls for a web application server to run Tomcat and host the ThreadFix web application, and a database server to manage the data backend. MySQL 5.6 or 5.7 and Microsoft SQL Server 2012 and newer are the supported database servers for any installation.
0x02 Architecture diagram¶
0x03 Core capabilities¶
0x04 Comparison¶
0x05 Quickstart¶
Requirements¶
Web Application Server¶
Operating System¶
- Windows Server 2012 R2 or newer
- Ubuntu 12.04 or newer
- CentOS / RedHat 6 or newer
Hardware¶
- 4 Core CPU
- 16 GB RAM
- 100 GB Hard drive
Database Server¶
Operating System¶
- Windows Server 2012 R2 or newer
- Ubuntu 12.04 or newer
- CentOS / RedHat 6 or newer
Hardware¶
- 4 Core CPU
- 8 GB RAM
- 250 GB Hard drive
Install CentOS¶
Install Java¶
# OpenJDK 11: ThreadFix 2.7.9 and later
sudo yum install java-11-openjdk
# OpenJDK 8: ThreadFix 2.7
sudo yum install java-1.8.0-openjdk
# ThreadFix 2.6.2.6 and older. The original note labelled this "OpenJDK 7", but the URL below fetches the Oracle JDK 8u192 RPM;
# the cookie header is Oracle's licence-acceptance workaround. Do not add --no-check-certificate here: it disables TLS certificate
# verification for a download you are about to install and run as root.
wget --no-cookies --header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com%2F; oraclelicense=accept-securebackup-cookie" "https://download.oracle.com/otn-pub/java/jdk/8u192-b12/750e1c8617c5452694857ad95c3ee230/jdk-8u192-linux-x64.rpm"
sudo yum localinstall jdk-8u192-linux-x64.rpm
Install and Configure Tomcat 8.5¶
- Download Tomcat 8.5 (verify the archive against the .sha512 checksum and PGP signature published next to it before unpacking)
wget https://dlcdn.apache.org/tomcat/tomcat-8/v8.5.81/bin/apache-tomcat-8.5.81.tar.gz
- Create the directory and unpack the archive into it
sudo mkdir /opt/tomcat
sudo tar xvf apache-tomcat-8*tar.gz -C /opt/tomcat --strip-components=1
- Create a user and group for Tomcat
sudo groupadd tomcat
sudo useradd -s /bin/false -g tomcat -d /opt/tomcat tomcat
The service unit below runs Tomcat as this account, but everything under /opt/tomcat is still owned by root after the tar step: the tomcat group needs read access to conf/ and write access to logs/, temp/, work/ and webapps/, or the service will fail to start.
- Update the configuration file conf/web.xml. In the DefaultServlet definition, listings must be false so Tomcat never serves directory listings of the deployed application:
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>fileEncoding</param-name>
        <param-value>UTF-8</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
- Run Tomcat as a service
Create the file /etc/systemd/system/tomcat.service with the following content:
# Systemd unit file for tomcat
[Unit]
Description=Apache Tomcat Web Application Container
After=syslog.service network.target
[Service]
Type=forking
Environment=JAVA_HOME=/usr
Environment=CATALINA_PID=/opt/tomcat/temp/tomcat.pid
Environment=CATALINA_HOME=/opt/tomcat
Environment=CATALINA_BASE=/opt/tomcat
Environment='CATALINA_OPTS=-Xms2G -Xmx8G -server -XX:+UseParallelGC'
Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom'
ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/bin/kill -15 $MAINPID
User=tomcat
Group=tomcat
UMask=0007
RestartSec=10
Restart=always
[Install]
WantedBy=multi-user.target
- Reload systemd and enable the service
sudo systemctl daemon-reload
sudo systemctl enable tomcat.service
enable only registers the unit to start at boot; start it now with systemctl start tomcat.service and confirm with systemctl status tomcat.service that it is running as the tomcat user.
Install MySQL 5.7¶
- Download the MySQL 5.7 YUM repository package
wget https://dev.mysql.com/get/mysql57-community-release-el7-11.noarch.rpm
- Install the YUM repository
sudo rpm -ivh mysql57-community-release-el7-11.noarch.rpm
- Install the MySQL server
sudo yum install mysql-server
- Configure MySQL for large data volumes (can be skipped for testing)
Edit /etc/my.cnf and add the following under [mysqld]:
innodb_buffer_pool_size=12G
tmp_table_size=6G
max_heap_table_size=6G
max_allowed_packet=1G
These values assume a dedicated database host with well over 16 GB of RAM; innodb_buffer_pool_size=12G alone exceeds the 8 GB listed for the database server above, so size the buffer pool to roughly 70-80% of the memory actually installed. The settings take effect after a service restart; verify them with:
SELECT CONCAT(@@innodb_buffer_pool_size/POWER(1024,3),'G') AS INNODB_BUFFER_POOL_SIZE,
       CONCAT(@@tmp_table_size/POWER(1024,3),'G') AS TMP_TABLE_SIZE,
       CONCAT(@@max_heap_table_size/POWER(1024,3),'G') AS MAX_HEAP_TABLE_SIZE,
       CONCAT(@@max_allowed_packet/POWER(1024,3),'G') AS MAX_ALLOWED_PACKET;
- Start MySQL
sudo systemctl start mysqld
sudo systemctl enable mysqld
# Check the service status
sudo systemctl status mysqld
# Read the temporary root password generated at first start
sudo grep 'temporary password' /var/log/mysqld.log
# MySQL security script: sets a new root password, removes anonymous users and the test database, and disables remote root login
sudo mysql_secure_installation
# Log in with the new root password
mysql -u root -p
- Create the threadfix database and account
CREATE DATABASE threadfix CHARACTER SET = utf8mb4 COLLATE = utf8mb4_unicode_ci;
Create the account and grant it privileges on that schema only. Replace 'tfpass' with a long random password: if you enabled the VALIDATE PASSWORD plugin in mysql_secure_installation, a six-character password like this one is rejected outright. The 'threadfix'@'%' account accepts logins from any source address; in the two-server layout described above, use the web application server's address as the host instead of '%', and omit that account entirely when the database runs on the same host as Tomcat. The password belongs in CREATE USER; GRANT ... IDENTIFIED BY is deprecated in MySQL 5.7 and removed in 8.0.
CREATE USER 'threadfix'@'localhost' IDENTIFIED BY 'tfpass';
CREATE USER 'threadfix'@'%' IDENTIFIED BY 'tfpass';
GRANT ALL PRIVILEGES ON threadfix.* TO 'threadfix'@'localhost';
GRANT ALL PRIVILEGES ON threadfix.* TO 'threadfix'@'%';
FLUSH PRIVILEGES;
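A post-install audit covering both the Tomcat steps (conf/web.xml, the systemd unit, the /opt/tomcat tree) and the MySQL account and grants created above. This is an added example, not code from ThreadFix or from the original page. The file paths, the tomcat service account and the threadfix user/schema are the ones used in the steps above; the way the MySQL inputs are captured (a user/host TSV and the output of SHOW GRANTS) is an assumption about how you would feed it, and the input used by the demo at the bottom is constructed.

```shell
#!/usr/bin/env bash
# Post-install audit for the Tomcat and MySQL steps above. Added example, not
# part of ThreadFix or of the original page. Every check takes a file path
# (a config file, or captured query output) and returns 0 on pass, 1 on fail.
set -u

# conf/web.xml: the DefaultServlet's "listings" init-param must be false.
check_listings_disabled() {
  local val
  val=$(tr -d '\n\r' < "$1" \
    | grep -o '<param-name>listings</param-name>[[:space:]]*<param-value>[^<]*</param-value>' \
    | sed 's/.*<param-value>\([^<]*\)<\/param-value>.*/\1/' \
    | tr -d '[:space:]')
  [ "$val" = "false" ]
}

# tomcat.service: Tomcat must run as a non-root account with UMask=0007.
# systemd honours the last occurrence of a key, so take the last one.
check_unit_unprivileged() {
  local user mask
  user=$(sed -n 's/^User=//p' "$1" | tail -n 1)
  mask=$(sed -n 's/^UMask=//p' "$1" | tail -n 1)
  [ -n "$user" ] && [ "$user" != "root" ] && [ "$mask" = "0007" ]
}

# CATALINA_HOME: no world-writable files, and the stock manager apps that
# ship in the tarball must not stay deployed next to ThreadFix.
check_catalina_tree() {
  [ -z "$(find "$1" -perm -0002 -print -quit)" ] \
    && [ ! -e "$1/webapps/manager" ] && [ ! -e "$1/webapps/host-manager" ]
}

# Accounts: "$1" holds "user<TAB>host" lines, e.g. captured with
#   mysql -N -e "SELECT user, host FROM mysql.user" > accounts.tsv   (assumed usage)
# Fail on anonymous users, on the app account bound to host '%', and on a
# root account reachable from anything but localhost.
check_mysql_accounts() {
  local app_user="$2" bad=0 line user host
  while IFS= read -r line; do
    user=${line%%$'\t'*}; host=${line#*$'\t'}
    [ -z "$user" ] && bad=1
    [ "$user" = "$app_user" ] && [ "$host" = "%" ] && bad=1
    [ "$user" = "root" ] && [ "$host" != "localhost" ] && bad=1
  done < "$1"
  return "$bad"
}

# Grants: "$1" holds the output of SHOW GRANTS FOR the app account. Apart from
# the implicit "USAGE ON *.*" login row, every grant must be scoped to
# <schema>.*; a grant ON *.* or WITH GRANT OPTION would let a compromised
# ThreadFix account read or alter every other database on the server.
check_mysql_grants() {
  local schema="$2"
  grep -qi 'WITH GRANT OPTION' "$1" && return 1
  grep -v '^GRANT USAGE ON \*\.\*' "$1" \
    | grep -Eiv "^GRANT [A-Z, ]+ ON \`?${schema}\`?\.\* TO " \
    | grep -q . && return 1
  return 0
}

# Demo on constructed input: the account list that the grants on this page
# produce. It fails because 'threadfix'@'%' exists.
demo_accounts() {
  local f; f=$(mktemp)
  printf 'root\tlocalhost\nthreadfix\tlocalhost\nthreadfix\t%%\n' > "$f"
  if check_mysql_accounts "$f" threadfix; then echo "accounts: PASS"; else echo "accounts: FAIL (wildcard host)"; fi
  rm -f "$f"
}
demo_accounts
```

On the real hosts, call the checks with the paths from the steps above, e.g. `check_listings_disabled /opt/tomcat/conf/web.xml`, `check_unit_unprivileged /etc/systemd/system/tomcat.service`, `check_catalina_tree /opt/tomcat`, and the two MySQL checks on captured query output; each returns non-zero on a failure, so they drop straight into a CI job or a configuration-management test.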
0x06 Usage¶
Application¶
Creating an application: omitted.
External integrations¶
Hybrid Analysis Mapping (HAM): a hybrid analysis view that merges dynamic and static findings for the same application. SSVL conversion tool: helps users convert CSV and Excel files into the SSVL import format.
Scanners¶
File¶
- WebInspect
- Acunetix
- AppScan Enterprise
- AppScan Standard
- AppSpider
- BVM
- CatNet
- Cenzic
- Clang
- Dependency Check
- FindBugs
- InsightVM
- Nessus
- PMD
- SCARF
- Skipfish
- Snyk
- W3af
- Brakeman
- BURP Suite
- Checkmarx
- Netsparker Enterprise
- Fortify Audit Workbench
- OWASP Zed Attack Proxy
Scan agent¶
Remote Provider¶
- Acunetix 360 Remote Provider
- AppScan on Cloud (ASoC) Remote Provider
- AppScan Enterprise Remote Provider
- Bidirectional Sync
- Black Duck Remote Provider
- Checkmarx Remote Provider
- Contrast Remote Provider
- Coverity Remote Provider
- Dependency Track Remote Provider
- Fortify On Demand Remote Provider
- Fortify Software Security Center Remote Provider
- GitHub Dependabot (Beta) Remote Provider
- Netsparker Enterprise Remote Provider
- NowSecure
- Qualys Web Application Scanning (WAS) Remote Provider
- SonarQube Remote Provider
- Sonatype Remote Provider
- WhiteHat Sentinel Remote Provider
- Veracode Analysis Center Remote Provider
plugin¶
WAF¶
- Barracuda Web Application Firewall
- BIG-IP ASM
- DenyAll rWeb
- Imperva SecureSphere
- mod_security
- SteelApp Web App Firewall