GitLab Community Edition
Issue #40119

Closed
Opened Nov 12, 2017 by Sid Sijbrandij (@sytses)

GitLab Recon

In CE to make our security product more popular.

The ideal flow is: enter a domain name 'example.com' and get a list of vulnerabilities with the most likely ones on top (sorted by signal to noise ratio).

To do this there are two components: Recon (this issue) and DAST (gitlab-ee#3956, closed).

The first iteration user flow will be:

  1. Create a new project with the 'Recon' GitLab CI template.
  2. Enter the TARGET_DOMAIN environment variable.
  3. Receive a list of subdomains in a YAML-compatible format.

Rest of the workflow, not part of Recon:

  1. Copy (part of) that list to the clipboard
  2. Create a new project with the 'DAST' GitLab CI template.
  3. Paste the list into the .gitlab-ci.yml file to run the DAST in parallel against all subdomains.
  4. Get a list of vulnerabilities with the most likely ones on top

The GitLab Recon CI template has two stages:

  1. Running a number of subdomain discovery tools in parallel.
  2. Running a task that aggregates their output and deduplicates it.

The subdomain discovery tools would be based on https://news.ycombinator.com/item?id=15676951. Example commands:

  • /cdx-index-client.py -c CC-MAIN-2017-43 '*.example.com' with http://index.commoncrawl.org/
  • python sublist3r.py -d example.com with https://github.com/aboul3la/Sublist3r
  • ./ct.py example.com | ./bin/massdns -r resolvers.txt -t A -q -a -o -w with https://github.com/appsecco/bugcrowd-levelup-subdomain-enumeration
  • python dnsrecon.py -n ns1.example.com -d example.com -D subdomains-top1mil-5000.txt -t brt with https://github.com/darkoperator/dnsrecon
  • dig +multi AXFR @ns1.example.com example.com
  • ldns-walk @ns1.example.com example.com with https://www.nlnetlabs.nl/projects/ldns/

/cc @kathyw @dzaporozhets @bikebilly @markpundsack

Edited Apr 02, 2018 by Sid Sijbrandij
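The second Recon stage above (aggregate the parallel discovery jobs' output and deduplicate it) as an added example; this is not GitLab's code, and the tool output it consumes is constructed for the example rather than captured from Sublist3r, massdns, dnsrecon or the Common Crawl index. Because each tool prints hostnames in its own layout, the aggregator extracts anything that looks like a hostname under TARGET_DOMAIN instead of parsing per-tool formats, normalises case and trailing dots, and drops wildcard records, the bare apex and look-alike names outside the target domain (notexample.com, example.com.evil.test) so that nothing out of scope is ever handed to the DAST stage. The function and variable names are the example's own.

```python
"""Aggregation stage for the proposed Recon CI template (added example, not GitLab code).

Input: stdout of each parallel subdomain-discovery job, keyed by tool name.
Output: a deduplicated, sorted YAML list of in-scope hostnames, annotated with
which tools reported each one so that corroborated hosts are easy to spot.
"""
import re
from typing import Dict, Set

# Constructed sample output for the example; the per-line layouts are assumptions,
# which is exactly why the extractor below does not depend on any of them.
TOOL_OUTPUT: Dict[str, str] = {
    "sublist3r": "www.example.com\nMail.Example.com\napi.example.com\n",
    "massdns": "www.example.com. A 93.184.216.34\ndev.example.com. A 93.184.216.35\n",
    "commoncrawl": (
        "https://blog.example.com/2017/post\n"
        "http://www.example.com/\n"
        "https://example.com.evil.test/phish\n"  # out of scope: must be dropped
    ),
    "dnsrecon": (
        "[*] A api.example.com 93.184.216.36\n"
        "[*] CNAME cdn.example.com -> notexample.com\n"  # target must not be matched
        "[*] A *.example.com 93.184.216.37\n"  # wildcard record, not a real host
    ),
}

MAX_LABEL_LEN = 63  # RFC 1035 label limit


def hostname_pattern(domain: str) -> "re.Pattern[str]":
    """Compile a matcher for hostnames strictly under `domain`.

    At least one label must precede the domain (so the apex itself is not a hit),
    the character before the match must not be part of a label (no suffix matches
    inside a longer name), and the character after it must not continue a name
    (rejects a.example.com.evil.net) while still allowing a trailing dot or '/'.
    """
    suffix = re.escape(domain.lower().rstrip("."))
    return re.compile(
        r"(?<![a-z0-9_-])((?:[a-z0-9_-]+\.)+" + suffix + r")(?!\.?[a-z0-9_-])"
    )


def extract_subdomains(text: str, domain: str) -> Set[str]:
    """Return every in-scope hostname found anywhere in a tool's output."""
    pattern = hostname_pattern(domain)
    found: Set[str] = set()
    for match in pattern.finditer(text.lower()):
        host = match.group(1)
        if any(len(label) > MAX_LABEL_LEN for label in host.split(".")):
            continue  # not a valid DNS name; skip rather than forward garbage
        found.add(host)
    return found


def aggregate(outputs: Dict[str, str], domain: str) -> Dict[str, Set[str]]:
    """Merge all tools' results: hostname -> set of tools that reported it."""
    sources: Dict[str, Set[str]] = {}
    for tool, text in outputs.items():
        for host in extract_subdomains(text, domain):
            sources.setdefault(host, set()).add(tool)
    return sources


def to_yaml(sources: Dict[str, Set[str]]) -> str:
    """Render the merged result as a YAML list, one host per entry.

    Hostnames only contain [a-z0-9_.-], so they need no quoting; the trailing
    comment (preceded by whitespace, hence valid YAML) records the reporting tools.
    """
    lines = ["subdomains:"]
    for host in sorted(sources):
        seen_by = ", ".join(sorted(sources[host]))
        lines.append(f"  - {host}  # seen by: {seen_by}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # In the CI template each discovery job would write its stdout to an artifact
    # and this stage would read those files; here the constructed sample is used.
    print(to_yaml(aggregate(TOOL_OUTPUT, "example.com")), end="")
```

The extractor is deliberately strict about the right-hand boundary: a string like `a.example.com.evil.net` contains `a.example.com` as a substring, and a naive `endswith("example.com")` check on the wrong token, or a regex without the trailing lookahead, would put an attacker-controlled host into the DAST target list.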

Milestone: Next 7-13 releases
Labels: Security Products, direction, feature proposal
Reference: gitlab-org/gitlab-ce#40119