Description
This showcase demonstrates progress and direction for the Breach and Attack Simulation SEG from changes targeting the 15.11 release, March 2023 - April 2023.
Feedback Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/404809
Hey y'all, I'm Aaron Kerry, and welcome back to the Breach and Attack Simulation showcases. Today we're going to be going over 15.11, the April milestone, where we got some of my changes from the end of March and the month of April into GitLab.

We've got some of those changes in the product for being able to configure Breach and Attack Simulation as part of your CI configuration. So what's been shipped over 15.11 has been the latest DAST 3 analyzer release, which includes a new "enable BAS" feature flag. Kudos to Cam Swords from the Dynamic Analysis group on this. Cam Swords went ahead and, instead of merging my massive monolith MR, he really saved the day in helping me get a lot of these changes into DAST.

So in the DAST analyzer he wrapped up a new feature flag, which enabled me to create a document where we have the typical DAST, as well as DAST running with an additional BAS capability. So with this capability I've extended DAST to include callback attack support, where I call out to a server. So on top of that, I've also released a new DAST breach-and-attack-simulation image tag, for folks who want to use the latest and greatest incubation sort of flavor of the DAST image.

You're able to point at this tag. I went through an architectural proposal for reporting scanner options, so this proposal was accepted, and the latest version of the security report schema includes the ability to include scan options for a particular vulnerability report. And so, if you include the scan options, this will allow adding and accepting these into Snowplow for metrics tracking, for the sort of anonymous metrics around which scanners and analyzers are becoming popular. What type of options are we seeing folks use? So this is a pretty big one.

So on this configuration page, you can go and it talks about having DAST available, and then how we can extend DAST inside of that Breach and Attack Simulation card, where we link to the Breach and Attack Simulation documentation, as well as linking to, adding an additional update about, the feature flag that Cam helped introduce into the DAST CI configuration variables. We've updated the scanner ID for better aggregation of vulnerability findings, and the new architecture proposal for the additional schema.

So what opportunities have I identified? First off, I will go ahead and swap over to my screen for a quick demonstration, so we can see, as I mentioned as part of what's been shipped, we have a callback server. Now this image was built, and now it's ready for folks to pull down and use. This is available and open for pulling today. We also have a vulnerable applications repository, and this vulnerable web app, sorry, what it does is it introduces intentionally vulnerable code, in this case JavaScript.

We can see here that I attempt to do some math, and in this case, if you add in an option here, I will automatically evaluate that code, and because I'm trying to evaluate math, if you pass this argument it'll go ahead and do an eval, and so you can do some code injection here. So this is intentionally vulnerable to the weakness CWE-94.

But the case here is that it's not actually something that could be caught by a match response attack, which is one of the typical attacks you'd see from active scans, and so to get the finding in DAST it's within a blind injection, without actually seeing the response played back to the user.

So we can see here that we published a Docker image inside of the container registry. We then have the ability to pull the particular vulnerable application, so I'm categorizing them by the different web server technology. So there's a vulnerable Node application, which you can see was already vulnerable to CWE-94. I'll probably be introducing additional vulnerabilities. I have a patch for introducing CWE-611 as a vulnerability for XXE injection, and so on, and references.

So what I would sort of hope is that we can use this to benchmark additional security scanners, not just Breach and Attack Simulation, going forward. Outside of that, what we can see here is we have the DAST callbacks repository. We can see it uses the DAST CI template, and then it adds some additional configuration here. So we pull down my particular image tag here of this breach-and-attack-simulation.

So if you use the DAST breach-and-attack-simulation latest image, it'll immediately pull the latest incubation code rather than pulling the latest version of DAST, which has a feature flag but may not have all the latest and greatest technology that I've done past a particular milestone.

We can see here that we have two services, so I'm using service containers here to do testing within CI, so that I don't have to reach out, and we're able to sort of self-contain this in a safe environment within the same network. So we can just do simple HTTP attacks. In the future we'll be doing more complicated attacks, adding TLS, using DNS callbacks, and sort of some slightly more advanced techniques that may not be picked up on as easily as an HTTP callback, but enabling this is here.

We can see that for the DAST browser callback variable, we pass in a map of options for how we want to do callbacks. You can see here server type is configurable, for different types of servers we may want to support. Here I'm choosing a simple callback server; simple callback server just points at the callback image that I've defined and we published at the Docker registry.

We can see here there's a list of rules to include, so you can now include specific attacks, which is another improvement Cam and I went through for the 15.11 milestone. So you can see here that we can say: hey, I want to use all checks within 611, or you want to use a very particular attack. In this case I'm using only a callback attack.

Then we get to the networking settings, so this goes through, and this repository shows you how to use callbacks in different ways. I'll be introducing callbacks to, like, external servers, publicly accessible servers, once I add in TLS and token support, but yeah. This is just a good demonstration repository for, like, quickly running and getting back the information.

So if I go to the security configuration of this project, because I have an Ultimate license here and we have DAST, we immediately get this new incubating feature tag. Here we can see there's a new configuration which is more incubating.

It talks a little bit about Breach and Attack Simulation. It then says: hey, you can enable out-of-band application security testing by enabling BAS inside of your DAST scans.

So if we go to the documentation for BAS, we can then see that, as part of this milestone, I went ahead and published some documentation which talks about some of the basic stuff you can do for enabling it in your template, and then for enabling BAS in your templates, and then further I'll be extending this documentation to include specifics, similar to how I have in the callbacks repository, of how you can specify, typically, enable callback attacks.

So I can drop into a vulnerability report now. In this vulnerability report, what I can do is, if I enable all statuses and if I go to this previous finding from DAST: previously it would have found CWE-94, before we made it blind. We can see here that it was resolved once I created a blind injection. So this was a false negative if you're not able to run blind injections through the means of callback attacks, for example.

So there's other attack types, such as timing attacks. So a timing attack could determine that code was still being executed, and so that's one method that we use in DAST to get coverage of this. But when I disabled the timing attack logic, the only way to detect this would then be a callback attack rather than doing a timing attack, because the match response attack returns nothing, and so it'd be a false negative if we didn't perform callback attacks. And timing attacks are two different alternatives for this particular check.

So we can see here that we have a solution around this with sort of guidance, but if we then drop into the latest version, we can see we now have a critical vulnerability found once I've scanned it with the callback attacks enabled. So we can see here that it's a confirmed vulnerability, and that we have callback details. Similar to how we add in some of my proof of concepts, the callback details are now added into the vulnerability reports. It tells you the callback server that was used.

This is the Docker image that I used; it's a service container within my job configuration. We can see that the protocol is HTTP, and then we can see the correlation ID that was used. The correlation ID is key. It is a unique correlation ID based on the attack ID as well as the injection location. So you get a unique ID that's being input into the server, and then if you have it called from a different area, when you run different scans, that is consistent, so it maps to the same vulnerability. But then, as you go and test, you'll be able to potentially use it to find different locations, because there's different locations. If you find two findings, you would see the sort of uniqueness through the correlation ID. You can see here this is the URL that it was at, the error code is available, and there's a query parameter that was vulnerable to this injection.

Okay, and then just finally here's the Docker, and if we look at the container registry, we can see that a Docker image is published with the callback server. Again, the callback server is very simple: it's just an HTTP server listening. It's written in Golang! This is available if you go to the incubation project and then under Breach and Attack Simulation. Eventually, once it's stable, we'll be moving it under the gitlab-org security products group.

We can see here, I was going to demonstrate as well, that you can see that the finding comes up in your pipeline, including again the correlation information around how we detected the particular callback.

Research team: I have really good conversations with Isaac, as well as the national team, for how we can have more intelligent workflows based on security findings, whether that's using machine learning or AI, that type of technology, or whether it's just taking existing findings that we have and augmenting some of the abilities by having, like, a smart workflow of: hey, this is the attack surface that we detected, based on your discovery of different assets, for example, or information around: hey, we should prioritize it here because this is maybe, potentially, a known exploited vulnerability. And so there's been some really good conversations there, and further from that, I've been sharing the security scanner development process with vulnerability management. James on the vulnerability management team has been doing a fantastic job of rubber ducking with me, going back and forth, just talking about how we could use the scan reports that I've been prototyping, now getting into the 15.11 milestone, and how we could enable dogfooding of that for the vulnerability management team at GitLab, and where they can use Breach and Attack Simulation rather than other tools where possible.

We've also been going over, we're expecting now to create a joint proposal together. So we'll join the process of going through a proposal for creating instance details, and so the instance details will cover when we do discovery and finding different subdomains or IP addresses available, with the technologies that the vulnerability management team is keen on monitoring, and then finally highlighting exploitability of detected vulnerabilities.

We can see that I had callback details added in, so that is now available on gitlab.com with the 15.11 milestone, and that's great, but further highlighting that is something that we would love to strive towards, and one of the conversations we recently had with vuln management is it'd be great if we could reference the infrastructure from vulnerability details whenever we do want to use our Breach and Attack Simulation tool for doing scanning. So for dogfooding, we should also add in references to assets that we can find in other tools that the team is using.

And so what is my next focus? My next focus is very much going to be around CI templates for enabling BAS security scans. So right now there was a bit of configuration to do for doing a Breach and Attack Simulation security scan. I would like to move, instead of forcing certain flags that must be set, to have templates available: a template for Docker, whether you're running Docker executors, or templates for if you're running against a callback server that's in a different location, that's not on your runner, so you can just run DAST directly against it, but you don't actually need to run the callback server in the same location as DAST. Shipping scan option metrics: currently I got the proposal approved and shipped for scan option metrics, and so scan option metrics would add in some really good tracking around the sort of adoption and usage of different options that we're proposing, options that we would like to deprecate and remove in the future. And then just upcoming and incubating features, I suppose: in discovery findings, I've mentioned a few times now, proposing this new schema, as well as presenting it in security scan reports, and if it's present, highlighting it similar to how I've highlighted callback details, so highlighting those discovery settings.

One of the things I've personally been working on outside of the Breach and Attack Simulation SEG as well has been dependency firewall. I've been focused quite a bit there. I've been collaborating with the Package team and just going back and forth around what the minimal viable product could potentially look like in terms of creating another incubation project in SEG around that, and how we've sort of matured our dependency firewall, or our dependency proxy, as well as our package registry, and how we could potentially get to an MVP for dependency firewall. So I'll be continuing to get that proposal to a more mature state, and hopefully hear more from that soon. Thanks y'all, as always, any questions and issues can be raised.

There is now a feedback issue under the GitLab project. So if you would like to add any Breach and Attack Simulation feedback, go to the GitLab issue. I'll be linking the new issue at the bottom of the YouTube video, as well as linking it below, and I'll go ahead and make sure that it's linked in all the existing issues that I've linked in prior videos. Thanks y'all, as always. Okay, I would love to hear your feedback, and I can't wait to see another update. Peace.
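The transcript describes the mechanism that turns the blind CWE-94 case from a false negative into a confirmed finding: the scanner derives a correlation ID from the attack ID and the injection location, injects a URL carrying that ID, and a small Go HTTP callback server records which IDs phone home. The following is an added example, not code from the GitLab DAST analyzer or the incubation project's callback server; the correlation-ID derivation (SHA-256 over the two inputs), the attack ID, the path layout and both target applications are assumptions constructed for this example. It runs entirely on loopback, in the same spirit as the service-container setup in the transcript, and shows why a match-response check sees nothing while the out-of-band check confirms the finding, and why a patched target produces no callback.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"path"
	"strings"
	"sync"
)

// Finding is what the scanner side records for one injection attempt.
type Finding struct {
	AttackID      string
	Location      string
	CorrelationID string
	MatchResponse bool // payload echoed in the response body (classic active check)
	CallbackHit   bool // callback server saw the correlation ID (out-of-band check)
}

// Confirmed reports whether either evidence channel proved the injection.
func (f Finding) Confirmed() bool { return f.MatchResponse || f.CallbackHit }

// CorrelationID derives a deterministic token from the attack ID and the injection
// location. The hashing scheme is an assumption for this example; the transcript only
// says the ID is based on those two inputs.
func CorrelationID(attackID, location string) string {
	sum := sha256.Sum256([]byte(attackID + "\x00" + location))
	return hex.EncodeToString(sum[:8])
}

// CallbackServer is a minimal HTTP listener that records every correlation ID that
// calls home, so the scanner can later ask "did this injection fire?".
type CallbackServer struct {
	mu   sync.Mutex
	hits map[string][]string // correlation ID -> remote addresses that called
}

func NewCallbackServer() *CallbackServer { return &CallbackServer{hits: map[string][]string{}} }

// ServeHTTP treats the last path segment as the correlation ID.
func (c *CallbackServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	id := path.Base(r.URL.Path)
	c.mu.Lock()
	c.hits[id] = append(c.hits[id], r.RemoteAddr)
	c.mu.Unlock()
	w.WriteHeader(http.StatusNoContent)
}

// Hit reports whether the given correlation ID has called back.
func (c *CallbackServer) Hit(id string) bool {
	c.mu.Lock()
	defer c.mu.Unlock()
	return len(c.hits[id]) > 0
}

// blindSink is a constructed stand-in for the vulnerable app: when "expr" looks like a
// URL it fetches it server-side and answers with an empty body, so nothing is echoed.
func blindSink(w http.ResponseWriter, r *http.Request) {
	if expr := r.URL.Query().Get("expr"); strings.HasPrefix(expr, "http://") {
		if resp, err := http.Get(expr); err == nil {
			resp.Body.Close()
		}
	}
	w.WriteHeader(http.StatusOK) // empty body either way
}

// safeSink is the patched app: it never acts on the parameter.
func safeSink(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) }

// RunCheck injects one callback URL at target and consults both evidence channels.
// The sink above calls back synchronously; a real scanner would poll with a delay.
func RunCheck(target, cbBase string, cb *CallbackServer, attackID, location string) (Finding, error) {
	f := Finding{AttackID: attackID, Location: location, CorrelationID: CorrelationID(attackID, location)}
	payload := cbBase + "/" + f.CorrelationID
	resp, err := http.Get(target + "?expr=" + url.QueryEscape(payload))
	if err != nil {
		return f, err
	}
	body, _ := io.ReadAll(resp.Body)
	resp.Body.Close()
	f.MatchResponse = strings.Contains(string(body), f.CorrelationID)
	f.CallbackHit = cb.Hit(f.CorrelationID)
	return f, nil
}

// RunDemo wires callback server and both targets on loopback and returns the findings.
func RunDemo() (vulnerable, patched Finding, err error) {
	cb := NewCallbackServer()
	cbSrv := httptest.NewServer(cb)
	defer cbSrv.Close()
	vulnSrv := httptest.NewServer(http.HandlerFunc(blindSink))
	defer vulnSrv.Close()
	safeSrv := httptest.NewServer(http.HandlerFunc(safeSink))
	defer safeSrv.Close()
	const attackID = "example-callback-check" // hypothetical attack ID
	if vulnerable, err = RunCheck(vulnSrv.URL+"/calc", cbSrv.URL, cb, attackID, "GET /calc?expr"); err != nil {
		return
	}
	patched, err = RunCheck(safeSrv.URL+"/safe", cbSrv.URL, cb, attackID, "GET /safe?expr")
	return
}

func main() {
	v, p, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("vulnerable: match_response=%v callback_hit=%v id=%s\n", v.MatchResponse, v.CallbackHit, v.CorrelationID)
	fmt.Printf("patched:    match_response=%v callback_hit=%v id=%s\n", p.MatchResponse, p.CallbackHit, p.CorrelationID)
}
```

Because the ID is derived from attack ID plus location, the same injection point yields the same ID across scans (so it maps to the same vulnerability), while two different locations yield two distinguishable IDs, which is the uniqueness property the transcript calls out in the callback details.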