Shell Scripting

Cohesion comes with several features to simplify the orchestration of web security testing tasks executed from a standard shell.

Exit Codes

By default, Cohesion terminates with exit status code 0 - successful completion. This behaviour is unchanged even if major vulnerabilities are discovered, because the testing results are displayed on the standard output.

In order to make Cohesion script-friendly, we need to take advantage of the "--exit" and "--exit-code" command line options available in all testing tools.

Consider the following example:

$ cohesion scanner --exit=">=8" --exit-code=2 http://target || echo "!!! SERIOUS VULNERABILITY IDENTIFIED"

The command above forces Cohesion to terminate as soon as a critical vulnerability (one matching the "--exit" condition ">=8") is identified, with the exit code set to 2. The follow-up command, "echo", is only executed when Cohesion exits with a non-zero value. In the example above, "echo" is therefore only executed when a serious vulnerability is identified.

This example can be expanded in the following more elaborate form:

#!/usr/bin/env bash

cohesion scanner --exit=">=8" --exit-code=2 http://target

if [ $? -ne 0 ]
then
    echo "!!! SERIOUS VULNERABILITY IDENTIFIED"
else
    echo "THE TARGET IS CLEAN"
fi

This shell primitive is the core building block for automating various Cohesion tasks.

Wait Option

The standard software delivery pipeline consists of many stages, including steps for standing up the application or service in pre-prod and test environments. This step is particularly important for launching the next phase, where system integration and security tests need to be executed.

Standing up a complex piece of software can be a cumbersome process that requires several related components to be initialized as well. As a result, a target that is already reachable may not yet be fully working, or may be temporarily misconfigured, and is therefore not fit for testing purposes.

With the help of the "--wait" command line option, we can tell Cohesion to pause testing until the target is considered healthy. For example:

$ cohesion fuzzer --wait="http://target/ping" --wait-status="200" request.txt

The fuzzer is started in a paused state. The target URL "http://target/ping" is continuously probed until it is available and the HTTP response status is 200.
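Combining the exit-code handling from the Exit Codes section with the wait option above, the following script is an added example, not part of Cohesion's own documentation. COHESION_BIN is an assumed override variable so the wrapper can be exercised without the real binary, and the target and health-check URLs are placeholders.

```shell
#!/usr/bin/env bash
# Gate a pipeline stage on Cohesion's exit status.
# Assumes the scanner's --exit/--exit-code and --wait/--wait-status options
# behave as described above. COHESION_BIN is a hypothetical override so the
# wrapper can be tested with a stand-in command.

COHESION_BIN="${COHESION_BIN:-cohesion}"
SEVERITY_CONDITION=">=8"   # stop at the first finding matching this condition
VULN_EXIT=2                # exit status Cohesion returns for such a finding

# Run the scanner against a target, pausing until its health endpoint returns 200.
# Returns Cohesion's exit status unchanged so the caller can branch on it.
scan_target() {
    "$COHESION_BIN" scanner \
        --wait="$2" --wait-status=200 \
        --exit="$SEVERITY_CONDITION" --exit-code="$VULN_EXIT" \
        "$1"
}

# Map an exit status to a verdict: clean, vulnerable, or error.
# Any status other than 0 or the configured one means the scan itself failed
# (missing binary, unreachable target), which must not pass as "clean".
classify_exit() {
    case "$1" in
        0) echo clean ;;
        "$VULN_EXIT") echo vulnerable ;;
        *) echo error ;;
    esac
}

# Run the scan, print the verdict, and exit non-zero unless the target is clean.
check_target() {
    status=0
    scan_target "$1" "$2" || status=$?
    verdict=$(classify_exit "$status")
    echo "$1: $verdict (exit status $status)"
    [ "$verdict" = clean ]
}

# When executed directly with a target URL and a health URL, e.g.
#   ./check.sh http://target http://target/ping
if [ $# -eq 2 ]; then
    check_target "$1" "$2"
fi
```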

Testing Targets

Testing targets can be supplied directly as URLs or as request files. For example:

$ cohesion fuzzer http://target/?a=b

The same target can be provided as a request file. First, let's create a file with the following contents:

GET http://target/?a=b HTTP/1.1
Host: target
User-Agent: Custom User Agent

To use the file we need the following command:

$ cohesion fuzzer request.txt