Common Options

Cohesion comes with a number of common configuration options available in most testing tools.

Verbosity

The tool verbosity levels can be configured using the "-v" command line flag. By default, most tools do not print verbose messages.

$ cohesion scanner -vv http://target

Level 1 ("-v") prints summary of the request and response status information. Level 2 ("-vv") prints the request in full including response status information. Level 3 ("-vvv") prints requests and responses in full.

Concurrency

Cohesion is designed with concurrency and precision in mind. The concurrency level does not correspond to the number of threads used by the application but the total number of requests allowed to be submitted concurrently.

This behavior is similar to the network behavior in common browsers like Mozilla Firefox and Google Chrome. By default, the concurrency level is set to a low value to reduce the chance of denial of service and false-positives due to application unavailability. Setting the concurrency level to a higher value will speed up the testing but also could run into various networking and application problems.

It is best to experiment with different values to find the right balance between speed and consistency or use the defaults.

Ping

Use the "ping" command line options to send vulnerability reports to any arbitrary HTTP endpoint. This is very useful for data collection and reporting. Reports are submitted as soon as issues are identified.

$ cohesion scanner --ping="http://report/endpoint" http://target 

You can also specify a severity level filter so that only the vulnerabilities matching the level are reported. For example:

$ cohesion scanner --ping="http://report/endpoint" --ping-level=">=8" http://target 

The command above will only report vulnerabilities with severity level 8 or greater. Consult with the cohesion show vulnerabilities and cohesion show levels for more information.

Tests

The Cohesion security testing suite comes with many active vulnerability tests. By default, all tests are executed. In order to reduce the number of test use the "-t" command line option. For example, to execute just the cross-site scripting testing suite, you will need the following command:

$ cohesion scanner -t xss http://target

For more information about the tests, consult with the cohesion show tests command.

Wait

There are situations when the service or application you want to test is booted but not yet available. You can pause the execution of the tool until the server is fully loaded and the application is serving. For example:

$ cohesion scanner --wait=http://target http://target

The Scanner will be paused until the application becomes responsive.

Exit

Use the "--exit" flag to terminate the application as soon as a vulnerability of the specified severity level is identified. For example, the following command will terminate as soon as the fuzzer identifies a vulnerability with a severity level of 8 or above.

$ cohesion fuzzer --exit=">=8" api-request.txt

This option is particularly useful when scripting CI/CD pipelines as the pipeline will fail if major security issues are identified.

The "--exit-code" command line option can be used to specify the process exit code.

Arbitrary headers can be passed to all requests generated by Cohesion using the "--header" command line option. For example:

$ cohesion fuzzer --header="Authorization: Bearer jwt" api-request.txt

The command above will add the "Authorization" to all requests, which, as illustrated by the example, is used for authentication among many other things.

Exporting

Cohesion can export vulnerability data in multiple file formats such as CSV, XML, JSON, and HTML. For example, the following command line can be used to export both JSON and XML reports in the current folder:

$ cohesion scanner --export-json=report.json --export-xml=report.xml http://target

The exporting options also support basic string interpolation of dynamic values to make scripting easier. The following command will export an HTML report with the current timestamp and target in the file name.

$ cohesion scanner --export-html=report-{target}-{now}.html http://target