Cohesion is a state of the art web application security testing toolkit designed to be scripted, automated and used as part of a continuous delivery and continuous integration pipelines. In this tutorial we will discover how to install Cohesion and use it effectively to discover vulnerabilities with the scanner sub-command.
Installation
Cohesion is published on npmjs.com as a package Nodejs module. For this reason you need to have node pre-installed in order to use Cohesion. Detailed instructions on how to install Nodejs can be found here.
With Nodejs in readily available, Cohesion is just a short step away. Use npm to install: npm install -g @secapps/cohesion. Notice the -g option. This indicates that the tool will be installed globally.
Alternatively you can add Cohesion as part of your local package.json file with the following command: npm install -d @secapps/cohesion. The -d flag indicates that the tool will be installed as a developer dependency. This method is most useful if you want to embed Cohesion and use it as part of your project dependencies. Keep in mind that your project does not need to be written in JavaScript and Nodejs.
There are other methods of installing and using Cohesion as well which we are not covering in this tutorial but they are worth mentioning. Due to the flexible nature of the installation process you can permanently install the package inside a specific Docker image for example. This image can be then used for all intents and purposes of this tutorial.
The First Scan
Let’s start by performing a simple scan. The command we need is straightforward:
$ cohesion scanner http://target
We simply run the scanner and point it to the target. While this is an easy way to get started, you might want to customize the process. For example, let’s add an additional request header:
$ cohesion scanner -H ‘X-Testing: cohesion’ http://target
All requests are now going to contain the X-Testing header we set up above. You can use the same method to add cookies, specific authentication information and much more to your tests.
Alternatively, instead of starting with a target URL in the command-line, we can start with a full web request. Let’s create a file with the request and start the scanner.
GET http://target/ HTTP/1.1 X-Testing: cohesion
And now let’s run this request via the scanner as we saw previously.
$ cohesion scanner test.request
In this example test.request is the file which contains the request we wrote above.
Explore the builtin documentation for more option flags and configuration options or consult with the cohesion online manual.
Reporting
Although it is pretty useful to get the results directly in the output of the command, for most intents and purposes we need some kind of report deliverable. Luckily cohesion comes with a number of report exporting options. The most automation-friendly report is going to be JSON as it is easy to parse with tools like jq. But if you are interested in using the tool as part of the output of your merge requests in GitLab for example, you might want to consider using the junit reporting format as described in this tutorial.
Here we are going to simply export the report as json.
$ cohesion scanner --export-json report.json test.request
That was easy! If you happen to use the tool interactively press the r key on your keyboard to get the current state of the report as the testing is in progress.
Automation Options
Cohesion is most powerful when it is configured to be fully automated and for that we have created many flags and options. In fact, there are so many of them that it will be difficult to list all of them here but let’s use a few just to show their power.
In automated tests, we most likely want to exit the testing process as soon as a vulnerability is found. In other words we would like to break the build. The --exit option comes most useful in this scenario.
$ cohesion scanner --exit=">=8" test.request
In the example above the scanner will exit if it encounters a vulnerability that is level 8 or above. Such vulnerabilities are considered a critical risk and we should avoid publishing production applications and services in such a state at all cost. To learn more about the different levels use the info sub-command: cohesion info levels.
We can also use the --wait flag to ensure that the application we want to test is up and running before we start. This flag comes very handy to avoid writing glue code to run the scanner when the target application reaches a specific state.
$ cohesion scanner --wait=http://target/status http://target
In the example above we will wait for http://target/status to start returning 200 OK status when requested. Only when we reach this state, the scanner will proceed executing.
Follow up with the online documentation for more about available options and testing modes.