A
So what is breach and attack simulation, you might ask? Breach and attack simulation is a security testing methodology for validating the application and endpoint security controls, so that extends past what a web spider or a dynamic analysis or DAST tool would do, and it actually goes ahead and performs exploitation of vulnerabilities so that we can prove out what an attacker's behavior could look like on your network and what the implications of that might be.
A
It differs from penetration testing, which is typically manual validation of external penetration and then going ahead and finding what an attacker may do on your network, and this is because BAS is primarily automated, and so BAS is a good fit for being a part of your DevSecOps pipeline, as you're able to add in breach and attack simulation checks into dynamic analysis tools or other automation inside your pipeline to add more extensive reporting around vulnerabilities, so that you can validate which ones you're actually vulnerable to, or which ones you may have actually mitigated in some fashion that detections may not have noticed.
A
So, the vision. As I mentioned, the vision for BAS is around the DevSecOps life cycle. What we want to do is allow organizations to automatically simulate those attacker behaviors as part of their testing process.
A
So the progress for February, what's been shipped so far: I've gone ahead and worked with the dynamic analysis team to add support for HTTP authentication for DAST. Previously there was an open issue around documentation, documenting that usage for users.
A
And just as part of my testing on breach and attack simulation and adding in additional checks for callback attacks, I realized that I needed to have support myself for HTTP authentication, so that adds basic and digest auth, and exposes what the dynamic analysis team already did inside of Browserker and just exposes that to the DAST engine when you're running GitLab today. I'm now a maintainer on Browserker, the internal component for browser-based scanning, as well as a DAST maintainer for the open source DAST tool, which runs our different engines, and it's the analyzer that runs the different scanners that we support for DAST scans.
A
After that, the progress for what's been in review. One of my focuses has been around callback servers.
A
Callback servers allow you to test for out-of-band interactions, so interactions that shouldn't take place, that you may have tooling in your typical network where you'd want to say, hey, that triggers a firewall rule or something because it's exfiltrating data in some way, whether it's a firewall rule or an alert from a SIEM tool. That type of interaction is something that we want to test for, and to do that, I've gone ahead and added generic support for a callback server.
A
So an HTTP callback server, very simple. I allow running that on an HTTP port and listening inside of your job as a service container, and so your GitLab CI job, the DAST job, has the ability to now, if you enable this callback service feature flag, which is in a merge request right now being reviewed. If you enable the feature flag, we actually will perform a callback attack in the case of different CWEs, like CWE-94, which is around code injection.
A
So if I can do code injection and prove that out, instead of actually just doing a hello-world type request with a unique string to prove that we injected arbitrary code, I'll actually make a request to a callback server. So I'm supporting that generic callback service that I've created as a service container, or, in the case of an on-demand scan or a DAST scan that you don't want to talk out to the internet instead of just talking internally to another container in your runner, I have the ability to configure interactsh, and so I've been adding that ability for interactsh. I'm still doing some work around the credential management of that and sort of enforcement, and planning around whether we want to allow the public OAST domains or whether we want to enforce running your own interactsh server.
A
Running your own interactsh server solves some security implications, so I think the default that I'm going to be leaning towards right now is having the ability to configure your own personal server, where you have to use credentialed access and enforce encryption for your connections.
A
I'll be documenting all of that in a public issue with all those findings once I've made those sort of internal changes. The Browserker scanner for out-of-band interaction: one of the things I've done, in my previous showcase I went over using Nuclei, where I was able to use the Nuclei interactsh interaction and then append those details into the vulnerability reports, using the generic report schema as well.
A
I've now moved that natively into our own DAST engine, where I'm actually appending that interaction's details, whether it comes from interactsh or whether it comes from another callback server. So I've made a generic report. On top of the generic report, what I've done is I've added in details about different interaction types, and it doesn't matter which engine you use for your callback server, it's all across those.
A
We've all got consistent reports with details about the type of interaction that's taken place and what the sort of implications of that are. So, usage. I've been following the dynamic analysis pipelines and sort of internal metrics around different usage there, for folks that decide to share that with us, and my sort of planning around that is I want to draft a blog post announcing the callback attack support. I'll be detailing how you can enable that whenever that goes into early preview, and once that's done, I'll be adding in additional metrics, which I want to get out from the start.
A
But so I have additional metrics that we start collecting, where we can see that there's not many users using the callback server attack feature flag, and then we can see the growth, and I can provide metrics around the growth of the unique number of projects that we're seeing with the callback attack feature flag enabled for their DAST jobs. And so that's going to be totally anonymous, but it'll just show us a really quick metric around, hey, this is the number of projects that are using this.
A
And that's going to give some good visibility into the sort of pickup of who decides to enable those callback attacks whenever we first roll out the feature. On top of that, I've been connecting with a few customer-facing team members who've been interested in penetration testing and different types of offensive-security-related offerings that GitHub might be providing or plan to provide in the future.
A
So I've been able to speak through the showcase and show them previous showcase videos, and I'll be continuing to do that, where I'm able to collaborate with them and then reach out to customers who want to talk more about the features and see if it solves their use cases, because a lot of the time when folks ask for penetration testing, some of those things can actually be covered automatically or in an automated fashion through breach and attack simulation. So opportunities that I've identified off the back of that: additional coverage for CWEs.
A
We already have support for a few CWEs and different types of checks for different software that we might scan, and what I would like to do is I'd like to work with the dynamic analysis team to add additional CWE support for those callback attacks when that makes sense, for things like XXE and other serialization-level types which can call out to actual resources.
A
That's something I really want to see, because right now it's heavily around code injection. There's other types of vulnerabilities where I can force a website to reach out to my callback server to prove it. There's also integration with custom scanners.
A
I've had some really good conversations with the Nuclei team, the ProjectDiscovery team, who build Nuclei, around potential integrations there, and I've planned some upstream changes around the Nuclei analyzer tool that I built, merging a lot of that functionality for generating GitLab security reports back into the open source Nuclei tool and giving back to the community there. As well as that, there's integration with third-party callback servers. Interactsh is one that I've demoed in the past, and adding in the integration from there from the GitLab side.
A
So what is my next focus? I'm going to be focusing next up around adding incubating feature banners and different calls to action within the product for folks that are using dynamic analysis or on-demand scanning, as well as, if you have a vulnerability report, just enabling a user to see: hey, you've got a vulnerability report.
A
Why don't you click this button to simulate an attack? So adding that in is an ability where you're able to either take a service container or a test endpoint, which we can prove that you have ownership of, and being able to simulate an attack against that based on different vulnerability findings we had from your pipeline for different CVEs or CWEs that we detected, based on whether it was found in dependency scanning, potentially, or whether it was found as part of your DAST scan in the case of just the common web.
A
So what I'd like to get, though, is, as well as that blog post introducing the feature, I'd like to have good user documentation up front for folks who want to enable that incubating feature. As well as that is just supporting the on-demand simulation of DAST findings. So in an on-demand DAST scan, you can already input a target to scan, and I'd like to add the ability for that on-demand type scan for you to be able to say, hey, I want to run breach and attack simulation as well, and then, for that on-demand scan, we're able to do pre-flight checks and say: hey, can I actually attempt these different types of attacks against that server and just the pandex.
A
As always, my handbook page is linked, and sort of the issues, I'll be dropping those links inside of the YouTube video. It was great talking to you all again, and I hope to give you all an update soon. Thank you.