Example Rundown
This is a detailed explanation of an example of a Project in ThreatPlaybook
Install mermaidJS and mermaidCLI globally:
Create a virtualenv with Python 2.7.x
Install the dependencies for the example with pip install -r requirements.txt
Install the vulnerable flask app with docker pull abhaybhargav/vul_flask
In the robot file, make sure you edit the ZAP-specific variables to match your ZAP deployment. This includes:
Path to the directory containing the zap.sh executable. Do not include zap.sh itself in the path
Port that ZAP listens on. Mine runs on port 8090; feel free to change it
Install the "Export Report" add-on on ZAP
For this example, you will also need nmap installed on the machine where you run it
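The install steps above have several moving parts (a ZAP directory and port in the robot file, the nmap binary, the Docker image). The following preflight script, added here as an example and not part of ThreatPlaybook or the Simple-API example, checks each of them before you run the robot file. The variable names ZAP_HOME, ZAP_PORT and VUL_FLASK_IMAGE are assumptions chosen for this script, not variables the robot file defines; the default port 8090 is the one the page mentions.

```shell
#!/bin/sh
# Preflight check for the ThreatPlaybook Simple-API example (added example,
# not part of the project). Run as:  sh preflight.sh run
#
# Assumed (hypothetical) environment variables:
#   ZAP_HOME        directory that contains zap.sh (zap.sh itself excluded)
#   ZAP_PORT        port ZAP listens on; defaults to 8090 as on the page
#   VUL_FLASK_IMAGE Docker image of the vulnerable app (abhaybhargav/vul_flask)

# Succeeds when "$1" is a directory holding an executable zap.sh
zap_home_ok() {
    [ -d "$1" ] && [ -x "$1/zap.sh" ]
}

# Succeeds when "$1" is an integer in the valid TCP port range 1..65535
port_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Succeeds when the command "$1" is on PATH
tool_ok() {
    command -v "$1" >/dev/null 2>&1
}

# Succeeds when docker is present and the image "$1" is already pulled
image_ok() {
    tool_ok docker && docker image inspect "$1" >/dev/null 2>&1
}

# Runs every check, prints one line per check, returns 1 if any failed
preflight() {
    rc=0
    zap_home="${ZAP_HOME:-}"
    zap_port="${ZAP_PORT:-8090}"
    image="${VUL_FLASK_IMAGE:-abhaybhargav/vul_flask}"

    if zap_home_ok "$zap_home"; then
        echo "ok    zap.sh found in $zap_home"
    else
        echo "FAIL  ZAP_HOME must be the directory containing zap.sh (got '$zap_home')"
        rc=1
    fi

    if port_ok "$zap_port"; then
        echo "ok    ZAP port $zap_port is a valid port number"
    else
        echo "FAIL  ZAP_PORT '$zap_port' is not a valid port number"
        rc=1
    fi

    for tool in nmap robot python; do
        if tool_ok "$tool"; then
            echo "ok    $tool is on PATH"
        else
            echo "FAIL  $tool is not on PATH"
            rc=1
        fi
    done

    if image_ok "$image"; then
        echo "ok    Docker image $image is present"
    else
        echo "FAIL  Docker image $image not found; run: docker pull $image"
        rc=1
    fi

    return "$rc"
}

# Only run the checks when invoked explicitly, so the functions can be sourced
if [ "${1:-}" = "run" ]; then
    preflight
fi
```

The script only reports; it does not start ZAP or pull anything for you. A missing "Export Report" add-on cannot be detected from the shell, so check that one inside ZAP.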
The example gives you a perspective of how you can use ThreatPlaybook.
The app that I am using to test ThreatPlaybook is a simple REST API, running on a Docker container. It can be pulled with docker pull abhaybhargav/vul_flask
All of the relevant tests, yaml files, etc. are in the Simple-API directory
All of the User Stories -> Abuse Cases -> Threat Scenarios are individually available as yml files in the cases directory
Security Tests are in the yml file in the security_tests directory
Entities and connections are in the yml file in the entities directory
Once you are done with Installation, all you have to do is cd into the Simple-API directory and run:
robot SecurityTest.robot
and watch the results.
All the results are written into the results directory, including Report.md, which is the final Markdown report.