►
Description
This showcase demonstrates progress and direction for the Breach and Attack Simulation SEG from changes targeting the %15.11 release March 2023 - April 2023.
Feedback Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/404809
A
A
A
So
the
Dos
analyzer
he
he
wrapped
up
a
new
feature
flag,
which
enabled
me
to
create
a
a
document
where
we
have
the
typical
dos
as
well
as
we
have
Das
running
with
an
additional
bass
capability.
So,
with
this
capability,
I've
extended
dos
to
include
callback
attack
supports
where
I
call
out
to
a
server.
So,
on
top
of
that,
I've
also
released
a
new
dosed
colon
breach
and
attack
simulation
image
tag,
and
so
for
folks
who
want
to
use
the
latest
and
greatest
incubation
sort
of
Flavor
of
the
Dust
image.
A
You're
able
to
point
at
this
talk,
I've
gone
I
went
through
a
sack
architectural
proposal
for
reporting
scanner
options,
so
this
proposal
was
accepted
and
the
latest
version
of
the
security
report
schema
includes
the
ability
to
include
scan
options
for
a
particular
vulnerability
reports.
And
so,
if
you
include
the
scan
options,
this
will
allow
adding
accepting
these
into
snowplow
for
metrics
tracking
for
the
sort
of
anonymous
metrics
around
which
scanners
and
analyzers
becoming
popular.
What
type
of
options
are
we
seeing
folks
use?
So
this
is
a
pretty
big
one.
A
A
So
what
opportunities
have
I
identified
first
off
I
will
go
ahead
and
swap
over
to
my
screen
for
a
quick
demonstration,
so
we
can
see,
as
I
mentioned
as
part
of
this
what's
been
shipped,
we
have
a
callback
server.
Now
this
image
was
built
and
now
it's
ready
for
folks
to
pull
down
and
use.
This
is
available
and
open
and
for
pulling
today
we
also
have
a
vulnerable
applications
repository
in
this
vulnerable
web
Optical.
Sorry,
what
it
does
is.
It
introduces
intentionally
vulnerable
code
in
the
case
of
JavaScript.
A
We
can
see
here
that
I
attempt
to
do
some
math
and
in
this
case
I,
if
you
run,
if
you
add
in
an
option
here,
I
will
automatically
evaluate
that
code
and,
if
I'm
evaluated,
because
I'm
trying
to
evaluate
math,
if
you
pass,
if
you
pass
this
argument,
it'll
go
ahead
and
do
an
eval,
and
so
you
can
do
some
code
injection
here.
So
this
is
intentionally
vulnerable
to
the
weakness
cwe
94.
A
So
we
can
see
here
that
we
published
a
Docker
image
inside
of
this
and
so
inside
of
the
container
registry.
We
then
have
the
ability
to
pull
the
particular
vulnerable
application,
so
I'm
categorizing
them
by
the
different
web
server
technology.
So
there's
a
vulnerable
node
application,
which
is
you
can
see.
We
can
see
that
it
was
already
vulnerable
to
CW,
94
I'll,
probably
be
to
introducing
additional
vulnerabilities.
I
I
have
a
patch
for
introducing
CW
611
as
a
vulnerability
for
xxe
injection
and
so
and
references.
A
So
what
I
would
what
I
would
sort
of
Hope
is
that
we
can
use
this
to
Benchmark
additional
security
scanners.
Not
just
a
bridge
attack
simulation
going
forward
outside
of
that.
What
we
can
see
here
is
we
have
the
stats,
callbacks
Repository
stats,
callbacks
repository.
We
can
see
it
uses
the
dust
CI
template
and
then
it
adds
some
additional
configuration
here.
So
we
pull
down
my
particular
image
tag
here
of
this
breach
and
attack
simulation.
A
We
can
see
here
that
we
have
two
services,
so
I'm
using
service
containers
here
to
do
testing
with
NCI,
so
that
I
don't
have
to
reach
out
and
we're
able
to
sort
of
self-contain
this
in
a
a
safe
environment
within
the
same
network.
So
we
can
just
do
simple.
Http
attacks
in
the
future
we'll
be
doing
more
complicated
attacks,
adding
TLS
using
DNS,
callbacks
and
sort
of
some
more
like
slightly
more
advanced
techniques.
That
may
not
be
picked
up
on
as
easily
as
a
HTTP
callback,
but
enabling
this
is
here.
A
We
can
see
that
for
the
Dos
browser
callback,
a
variable
we
pass
in
a
map
of
options
for
how
we
want
to
do
callbacks
you
can
see
here.
Server
type
is
configurable
for
different
types
of
servers.
We
may
want
to
support
here,
I'm,
choosing
a
simple
callback:
server,
simple
callback
server,
just
points
at
this,
the
Callback
image
that
I've
defined
and
we
published
at
the
docker
registry.
A
We
can
see
here
there's
a
list
of
rules
to
include
so
you
can
now
include
specific
attacks,
which
is
another
which
is
another
Improvement,
Cam
and
I
went
through
for
for
the
15
of
Milestone.
So
you
can
see
here
that
we
can
say:
hey
I
want
to
use
all
all
checks
within
611
or
you
want
to
use
a
very
particular
attack
in
this
case
I'm
using
only
a
callback
attack.
A
Then
we
got
to
the
networking
settings
so
this
goes
through,
and
this
this
repulsory
shows
you
how
to
use
callbacks
in
different
ways:
I'll
be
introducing
a
callbacks
to
off,
like
external
servers,
publicly
accessible
servers
once
I
add
in
TLS
and
token
supports,
but
yeah.
This
is
just
a
good
demonstration
repulsory
for
like
quickly
running
and
getting
getting
back
the
information.
A
A
A
So
I
can
drop
into
a
vulnerability
report
now
and
so
this
vulnerability
reports.
What
I
can
do
is
if
I
enable
all
statuses
and
if
I
go
to
this
previous.
Finding
from
dos
previously
would
have
found
cwe
94
before
we
made
it
blind.
We
can
see
here
that
it
was
resolved
once
I
once
I
saw
created
a
blind
injection.
So
this
was
a
false
negative
if
you're
not
able
to
run
blend
injections
through
the
means
of
callback
attacks,
for
example.
A
So
there's
other
attack
types
and
such
as
timing
attacks,
so
timing
attack
could
determine
that
code
was
still
being
executed,
and
so
that's
one
method
that
we
use
in
DOS
to
get
coverage
of
this.
But
when
I
disabled
the
timing
attack
Logic
the
only
way
to
detect
this
would
then
be
a
callback
attack
rather
than
doing
a
timing
attack,
because
the
match
response
stack,
returns,
nothing
and
so
it'd
be
a
false
negative.
If,
if
we
didn't
perform
callback,
attacks
and
timing
attacks
is
two
different
alternatives
for
this
particular
check.
A
So
we
can
see
here
that
we
have
a
solution
around
this
with
sort
of
guidance,
but
if
we
then
drop
into
the
latest
version
of
normally
we
can
see,
we
now
have
a
critical
vulnerability
found.
One
side
is
scanned.
It's
with
the
Callback
attacks
enabled
so
we
can
see
here
that
it's
a
confirmed,
vulnerability
you
and
that
we
have
callback
details
similar
to
how
we
add,
in
some
of
my
proof
of
concepts
with
the
Callback
details
are
now
added
into
the
vulnerability
reports.
It
tells
you
the
Callback
server
that
was
used.
A
This
is
the
docker
image
that
I
used
it's
a
surface
container
within
in
my
job
configuration.
We
can
see
that
it's
a
protocol
HTTP
and
then
we
can
see
the
correlation
ID
that
was
used.
The
correlation
ID
is
key.
It
is
a
unique
correlation,
ID
based
on
the
attack
ID,
as
well
as
the
injection
location.
So
you
get
a
unique
ID,
that's
being
input
into
the
server
and
then,
if
you
have
it
called
from
different
area.
A
If,
when
you
run
different
scans,
that
is
consistent,
so
it
Maps
the
same
vulnerability
but
then
in
as
as
you
go
and
test,
you'll
be
able
to
potentially
use
to
find
different
location
because
there's
different
locations.
If
you
find
two
findings,
you,
you
would
see
the
sort
of
uniqueness
through
the
correlation
ID
you
can
see
here.
This
is
the
sort
of
the
the
URL
that
it
was
error.
Code
is
available,
Lots
and
there's
a
query
parameter
that
was
about
vulnerable
to
this
injection.
A
Okay
and
then
just
finally
here's
the
the
docker,
and
if
we
look
at
the
container
registry,
we
can
see
that
a
Docker
image
is
published
with
the
Callback
server
again.
The
Callback
server
is
very
simple:
it's
just
a
HTTP
server.
Listening,
it's
written
in
golang!
This
is
available.
If
you
go
to
fit
the
incubation
project
and
then
under
bridge
intoxication
I'll,
be
eventually
we'll
be
moving
this
once
it's
stable,
we're
moving
it
under
the
gitlab.org
security
pro
products
group.
A
A
A
A
Research
team
I,
like
I,
have
really
good
conversations
with
Isaac,
as
well
as
the
national
team,
for
how
we
can
have
more
intelligent
workflows
based
on
security
findings,
whether
that's
using
machine
learning
or
AI
that
type
of
technology,
or
whether
it's
just
taking
existing
findings
that
we
have
and
augmenting
some
of
the
abilities
by
having
like
a
smart
workflow
of
hey.
This
is
the
tax
service
that
we
detected,
based
on
your
discovery
of
different
assets,
for
example,
or
information
around
hey.
A
We've
also
been
going
over
expecting
we're
we're
expecting
now
to
join
a
creative
joints
proposal
together.
So
we'll
joined
the
process
through
going
through
proposal
for
creating
instance,
details
and
so
the
instance
details
will
cover
when
we
do
Discovery
and
finding
different
subdomains
or
IP
addresses
available
with
the
technologies
that
the
photograph
manage
team
is
Keen
on
monitoring
and
then
finally
highlighting
exploitability
of
detective
vulnerabilities.
A
We
can
see
that
I
had
callback
details
added
in
so
that
is
now
available
on
gitlab.com
with
the
1511
Milestone
and
that's
great,
but
further
highlighting.
That
is
something
that
we
would
love
to
strive
towards,
and,
and
one
of
the
conversations
we
recently
had
with
Von
management
is
it'd,
be
great
if
we
could
reference
the
infrastructure
from
vulnerability
details
whenever
we
do
want
to
use
our
the
bridge
and
sax
solution
tool
for
doing
scanning.
So
for
dog
fooding.
A
And
so
what
is
my
next
Focus?
My
next
focus
is
very
much
going
to
be
around
CI
templates
for
enabling
bass
security
scans.
So
right
now,
there's
there
was
a
bit
of
configuration
to
do
for
doing
a
bridge
in
stock
simulation
security.
Scan
I
would
like
to
move
instead
of
forcing
certain
flags
that
must
be
set.
A
I
would
like
to
have
templates
available
a
template
for
Docker
and
Docker,
whether
if
you're
running,
Docker,
executors
or
templates,
for
if
you're
running
against
a
callback
server,
that's
in
a
different
location,
that's
not
on
your
Runner,
so
you
can
just
run
dust
directly
against
it,
but
you
don't
actually
need
to
run
the
Callback
server
in
the
same
location
as
dust
shipping
scan
option
metrics.
Currently
we
I
I
got
the
proposal
approved
and
shipped
for
scan,
option,
metrics
and
so
scan
option.
A
If
it's
present
highlighting
it
similar
to
how
I've
highlighted
callback
details
so
highlighting
those
Discovery
settings,
one
of
the
things
I
I
personally
been
working
on
outside
of
the
breach
of
stock
simulation
sag
as
well.
It's
been
dependency,
firewall
I've
been
focused
quite
a
bit.
There
I've
been
collaborating
with
the
package
team
and
just
going
back
and
forth
around.