Example Rundown

This is a detailed explanation of an example of a Project in ThreatPlaybook

Location of Example Code

Running the Example

Install - Steps

  • Install mermaidJS and mermaidCLI globally:

  • Create a virtualenv with Python 2.7.x (the example targets Python 2, which has been end-of-life since January 2020, so keep it isolated in the virtualenv)

  • Install the Dependencies for the example with pip install -r requirements.txt

  • Install the vulnerable flask app with docker pull abhaybhargav/vul_flask

  • In the robot file, edit the ZAP-specific variables to match your own ZAP deployment. These are:

    • The directory that contains the zap.sh executable. Give the directory only; do not include zap.sh itself in the path

    • The port ZAP listens on. This example uses port 8090; change it to whatever your ZAP instance uses

  • Install the "Export Report" add-on in ZAP

  • For this example, you will also need nmap installed on the machine you run it from

The example gives you a perspective of how you can use ThreatPlaybook.

The app used to test ThreatPlaybook is a simple REST API running in a Docker container. It can be pulled with docker pull abhaybhargav/vul_flask

All of the relevant tests, yaml files, etc. are in the Simple-API directory

All of the User Stories -> Abuse Cases -> Threat Scenarios are individually available as yml files in the cases directory

Security Tests are in the YML file in the security_tests directory

Entities and connections are in the yml file in the entities directory

Running the Example

Once you are done with Installation, all you have to do is cd into the Simple-API directory and run:

robot SecurityTest.robot

and watch the results.

All the results are written into the results directory, including the Report.md, which is the final Markdown report.
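The install steps above are easy to get half right (a zap.sh path that points at the file instead of its directory, a port typo, a missing nmap binary, an un-pulled Docker image), and robot only tells you about it several minutes into the run. The following preflight script is an added example and is not part of ThreatPlaybook or the Simple-API example; it checks the prerequisites listed above and the cases/security_tests/entities layout before you run robot SecurityTest.robot. It assumes the mermaid CLI installs a binary named mmdc, that a virtualenv is activated so that python on PATH is 2.7.x, and that the ZAP directory, port and example directory are passed as arguments; none of those details come from the page.

```shell
#!/usr/bin/env bash
# preflight.sh - added example, not ThreatPlaybook's own code.
# Usage: ./preflight.sh /path/to/zap-dir 8090 /path/to/Simple-API
# Assumption: mermaid CLI is on PATH as "mmdc"; ZAP port defaults to 8090.

# Return 0 when every named tool is on PATH; report the missing ones and return 1 otherwise.
check_tools() {
  local missing=0 tool
  for tool in "$@"; do
    if ! command -v "$tool" >/dev/null 2>&1; then
      echo "missing tool: $tool" >&2
      missing=1
    fi
  done
  return $missing
}

# The robot file wants the directory holding zap.sh, not the script itself.
# Accept either form and return 0 only when an executable zap.sh exists there.
check_zap_home() {
  local dir="$1"
  [ -f "$dir" ] && dir=$(dirname "$dir")   # caller passed .../zap.sh; use its directory
  [ -x "$dir/zap.sh" ]
}

# A ZAP port must be an integer in 1..65535.
check_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;   # empty or contains a non-digit
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# The example layout: cases/, security_tests/ and entities/, each with at least one .yml file.
check_layout() {
  local root="$1" sub n
  for sub in cases security_tests entities; do
    [ -d "$root/$sub" ] || { echo "missing directory: $root/$sub" >&2; return 1; }
    n=$(find "$root/$sub" -maxdepth 1 -name '*.yml' | wc -l | tr -d ' ')
    [ "$n" -gt 0 ] || { echo "no .yml files in $root/$sub" >&2; return 1; }
  done
}

# Return 0 when the python on PATH (ideally the activated virtualenv) is 2.7.x.
check_python27() {
  python -c 'import sys; sys.exit(0 if sys.version_info[:2] == (2, 7) else 1)' 2>/dev/null
}

# Return 0 when the vulnerable flask image from the install steps has been pulled.
check_vul_flask_image() {
  docker image inspect abhaybhargav/vul_flask >/dev/null 2>&1
}

main() {
  local zap_home="${1:?usage: preflight.sh ZAP_DIR [ZAP_PORT] [EXAMPLE_DIR]}"
  local port="${2:-8090}" root="${3:-.}" rc=0
  check_tools nmap docker robot mmdc || rc=1
  check_python27 || { echo "python on PATH is not 2.7.x; activate the virtualenv" >&2; rc=1; }
  check_zap_home "$zap_home" || { echo "no executable zap.sh under $zap_home" >&2; rc=1; }
  check_port "$port" || { echo "invalid ZAP port: $port" >&2; rc=1; }
  check_layout "$root" || rc=1
  check_vul_flask_image || { echo "run: docker pull abhaybhargav/vul_flask" >&2; rc=1; }
  [ "$rc" -eq 0 ] && echo "preflight OK: cd $root && robot SecurityTest.robot"
  return $rc
}

# Only run the checks when invoked with arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then
  main "$@"
fi
```

Run it from the Simple-API directory with the same ZAP directory and port you put in the robot file; a non-zero exit means at least one prerequisite is missing, and each failure is printed on stderr so you can fix them all before starting the scan.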

Video of ThreatPlaybook Running