Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Argo CD weak credential tester #502

Open
wants to merge 8 commits into
base: master
Choose a base branch
from
Open

Argo CD weak credential tester #502

wants to merge 8 commits into from
+350 −0

Conversation

JamesFoxxx
Copy link
Contributor

@JamesFoxxx JamesFoxxx mentioned this pull request Jun 14, 2024
Open
@tooryx tooryx linked an issue Aug 6, 2024 that may be closed by this pull request
AI PRP: Request Weak Credential tester for Argo CD #419
Open
@tooryx tooryx added the Contributor main The main issue a contributor is working on (top of the contribution queue). label Aug 6, 2024
@leonardo-doyensec
Copy link
Collaborator

Hi @JamesFoxxx, thank you for your contribution. I'm noticing that the plugin is not working on my side, can you please check it? Feels like the fingerprint phase never ran.

@JamesFoxxx
Copy link
Contributor Author

@leonardo-doyensec hii
you are right, I'm using tsunami v0.0.24 with the --http-client-trust-all-certificates(google/tsunami-security-scanner#118) switch, and with a few changes it is working now.

Also according to the last commit, it seems that tsunami doesn't redirect by default for the 307 redirect status code and It's weird because the http redirect is true by default.

@JamesFoxxx
Copy link
Contributor Author

@leonardo-doyensec we should compile two separate gradle projects, one for weak credentials and one for the web fingerprint, and use both plugins when running the Tsunami scanner.

leonardo-doyensec
leonardo-doyensec reviewed Oct 15, 2024
View reviewed changes
Copy link
Collaborator

@leonardo-doyensec leonardo-doyensec left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello @JamesFoxxx, thank you for your changes.
I confirm that the plugin is working correctly. You can find some issues to address down below.

...tectors/credentials/genericweakcredentialdetector/testers/argocd/ArgoCdCredentialTester.java Show resolved Hide resolved
...tectors/credentials/genericweakcredentialdetector/testers/argocd/ArgoCdCredentialTester.java Outdated Show resolved Hide resolved
...tectors/credentials/genericweakcredentialdetector/testers/argocd/ArgoCdCredentialTester.java Outdated Show resolved Hide resolved
...tectors/credentials/genericweakcredentialdetector/testers/argocd/ArgoCdCredentialTester.java Outdated Show resolved Hide resolved
...tectors/credentials/genericweakcredentialdetector/testers/argocd/ArgoCdCredentialTester.java Outdated Show resolved Hide resolved
...tectors/credentials/genericweakcredentialdetector/testers/argocd/ArgoCdCredentialTester.java Outdated Show resolved Hide resolved
...tectors/credentials/genericweakcredentialdetector/testers/argocd/ArgoCdCredentialTester.java Outdated Show resolved Hide resolved
...tectors/credentials/genericweakcredentialdetector/testers/argocd/ArgoCdCredentialTester.java Outdated Show resolved Hide resolved
...ors/credentials/genericweakcredentialdetector/testers/argocd/ArgoCdCredentialTesterTest.java Outdated Show resolved Hide resolved
@leonardo-doyensec
Copy link
Collaborator

LGTM - Approved
@maoning we can merge this and google/security-testbeds#60

Reviewer: Leonardo, Doyensec
Plugin: Argo CD Weak Credentials Tester

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@leonardo-doyensec leonardo-doyensec leonardo-doyensec left review comments

Assignees

@JamesFoxxx JamesFoxxx

Labels
Contributor main The main issue a contributor is working on (top of the contribution queue). lgtm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

AI PRP: Request Weak Credential tester for Argo CD
3 participants
@JamesFoxxx @leonardo-doyensec @tooryx