
softrams / Bulwark

Licence: mit
An organizational asset and vulnerability management tool, with Jira integration, designed for generating application security reports.


Projects that are alternatives of or similar to Bulwark

Watchdog
Watchdog - A Comprehensive Security Scanning and a Vulnerability Management Tool.
Stars: ✭ 345 (+205.31%)
Mutual labels:  security-tools, application-security, vulnerability-assessment, vulnerability-management, bugbounty
Wstg
The Web Security Testing Guide is a comprehensive Open Source guide to testing the security of web applications and web services.
Stars: ✭ 3,873 (+3327.43%)
Mutual labels:  pentesting, appsec, application-security, vulnerability-assessment, bugbounty
JWTweak
Detects the algorithm of input JWT Token and provide options to generate the new JWT token based on the user selected algorithm.
Stars: ✭ 85 (-24.78%)
Mutual labels:  application-security, pentesting, bugbounty, appsec, vulnerability-assessment
Whatweb
Next generation web scanner
Stars: ✭ 3,503 (+3000%)
Mutual labels:  security-tools, pentesting, appsec, application-security
Purify
All-in-one tool for managing vulnerability reports from AppSec pipelines
Stars: ✭ 72 (-36.28%)
Mutual labels:  security-tools, appsec, vulnerability-assessment, vulnerability-management
Aiodnsbrute
Python 3.5+ DNS asynchronous brute force utility
Stars: ✭ 370 (+227.43%)
Mutual labels:  security-tools, pentesting, red-team
Hosthunter
HostHunter a recon tool for discovering hostnames using OSINT techniques.
Stars: ✭ 427 (+277.88%)
Mutual labels:  security-tools, pentesting, bugbounty
Bigbountyrecon
BigBountyRecon tool utilises 58 different techniques using various Google dorks and open source tools to expedite the process of initial reconnaissance on the target organisation.
Stars: ✭ 541 (+378.76%)
Mutual labels:  pentesting, red-team, bugbounty
nerdbug
Full Nuclei automation script with logic explanation.
Stars: ✭ 153 (+35.4%)
Mutual labels:  application-security, bugbounty, appsec
Juice Shop
OWASP Juice Shop: Probably the most modern and sophisticated insecure web application
Stars: ✭ 6,270 (+5448.67%)
Mutual labels:  pentesting, appsec, application-security
Jackhammer
Jackhammer - One Security vulnerability assessment/management tool to solve all the security team problems.
Stars: ✭ 633 (+460.18%)
Mutual labels:  application-security, vulnerability-assessment, vulnerability-management
Rapidscan
🆕 The Multi-Tool Web Vulnerability Scanner.
Stars: ✭ 775 (+585.84%)
Mutual labels:  security-tools, vulnerability-assessment, vulnerability-management
Dumpsterfire
"Security Incidents In A Box!" A modular, menu-driven, cross-platform tool for building customized, time-delayed, distributed security events. Easily create custom event chains for Blue- & Red Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations. Build event sequences ("narratives") to simulate realistic scenarios and generate corresponding network and filesystem artifacts.
Stars: ✭ 775 (+585.84%)
Mutual labels:  security-tools, pentesting, red-team
Resources
A Storehouse of resources related to Bug Bounty Hunting collected from different sources. Latest guides, tools, methodology, platforms tips, and tricks curated by us.
Stars: ✭ 62 (-45.13%)
Mutual labels:  security-tools, pentesting, bugbounty
Packetwhisper
PacketWhisper: Stealthily exfiltrate data and defeat attribution using DNS queries and text-based steganography. Avoid the problems associated with typical DNS exfiltration methods. Transfer data between systems without the communicating devices directly connecting to each other or to a common endpoint. No need to control a DNS Name Server.
Stars: ✭ 405 (+258.41%)
Mutual labels:  security-tools, pentesting, red-team
awesome-list-of-secrets-in-environment-variables
🦄🔒 Awesome list of secrets in environment variables 🖥️
Stars: ✭ 538 (+376.11%)
Mutual labels:  pentesting, bugbounty, red-team
Security Tools
Collection of small security tools, mostly in Bash and Python. CTFs, Bug Bounty and other stuff.
Stars: ✭ 509 (+350.44%)
Mutual labels:  security-tools, pentesting, bugbounty
Knary
A simple HTTP(S) and DNS Canary bot with Slack/Discord/MS Teams & Pushover support
Stars: ✭ 187 (+65.49%)
Mutual labels:  security-tools, pentesting, bugbounty
Rengine
reNgine is an automated reconnaissance framework for web applications with a focus on highly configurable streamlined recon process via Engines, recon data correlation and organization, continuous monitoring, backed by a database, and simple yet intuitive User Interface. reNgine makes it easy for penetration testers to gather reconnaissance with…
Stars: ✭ 3,439 (+2943.36%)
Mutual labels:  security-tools, pentesting, bugbounty
Dirsearch
Web path scanner
Stars: ✭ 7,246 (+6312.39%)
Mutual labels:  pentesting, appsec, bugbounty

An organizational asset and vulnerability management tool, with Jira integration, designed for generating application security reports.

Features

  • Multi-client Vulnerability Management
  • Security Report Generation
  • Jira Integration
  • Team-based Roles Authorization
  • API Key & Management
  • Email Integration
  • Markdown Support

Note

Please keep in mind, this project is in early development.

Demo

Bulwark Walkthrough Demo

Jira Integration

Bulwark Jira Demo

Launch with Docker

  1. Install Docker
  2. Create a .env file and supply the following properties:
MYSQL_DATABASE="bulwark"
MYSQL_PASSWORD="bulwark"
MYSQL_ROOT_PASSWORD="bulwark"
MYSQL_USER="root"
MYSQL_DB_CHECK="mysql"
DB_PASSWORD="bulwark"
DB_URL="172.16.16.3"
DB_ROOT="root"
DB_USERNAME="bulwark"
DB_PORT=3306
DB_NAME="bulwark"
DB_TYPE="mysql"
NODE_ENV="production"
DEV_URL="http://localhost:4200"
SERVER_ADDRESS="http://localhost"
PORT=5000
JWT_KEY="changeme"
JWT_REFRESH_KEY="changeme"
CRYPTO_SECRET="changeme"
CRYPTO_SALT="changeme"

Build and start Bulwark containers:

docker-compose up

Start/Stop Bulwark containers:

docker-compose start
docker-compose stop

Remove Bulwark containers:

docker-compose down

Bulwark will be available at localhost:5000

Local Installation

$ git clone (url)
$ cd bulwark
$ npm install

Running npm install will install both server-side and client-side modules. Furthermore, it will run the script npm run config which will dynamically set the environment variables in addition to updating the Angular environment.

Development Mode

Set NODE_ENV="development"

$ npm run config
$ npm run start:dev

Production Mode

Set NODE_ENV="production". Please note: npm install will automatically build in production mode.

$ npm run config
$ npm run build:prod
$ npm start

Environment variables

Create a .env file on the root directory. This will be parsed with dotenv by the application.

DB_PASSWORD

DB_PASSWORD="somePassword"

Set this variable to database password

DB_USERNAME

DB_USERNAME="foobar"

Set this variable to database user name

DB_URL

DB_URL=something-foo-bar.dbnet

Set this variable to database URL

DB_PORT

DB_PORT=3306

Set this variable to database port

DB_NAME

DB_NAME="foobar"

Set this variable to database connection name

DB_TYPE

DB_TYPE="mysql"

The application was developed using a MySQL database. See the typeorm documentation for more database options.

NODE_ENV

NODE_ENV=production

Set this variable to determine node environment

DEV_URL="http://localhost:4200"

Used by Angular to build and serve the application

SERVER_ADDRESS="http://localhost"

Update if a different server address is required

PORT=5000

Update if a different server port is required

JWT_KEY

JWT_KEY="changeMe"

Set this variable to the JWT secret

JWT_REFRESH_KEY

JWT_REFRESH_KEY="changeMe"

Set this variable to the refresh JWT secret

CRYPTO_SECRET

CRYPTO_SECRET="randomValue"

Set this variable to the Scrypt password.

CRYPTO_SALT

CRYPTO_SALT="randomValue"

Set this variable to the Scrypt salt.

Empty .env file template

DB_PASSWORD=""
DB_URL=""
DB_USERNAME=""
DB_PORT=3306
DB_NAME=""
DB_TYPE=""
NODE_ENV=""
DEV_URL="http://localhost:4200"
SERVER_ADDRESS="http://localhost"
PORT=5000
JWT_KEY=""
JWT_REFRESH_KEY=""
CRYPTO_SECRET=""
CRYPTO_SALT=""
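The README lists the variables the application reads from .env through dotenv, and several of its sample values (changeme, bulwark, somePassword) are placeholders that must not reach a deployment. The following is an added example, not Bulwark's own code: a small dotenv-style parser plus a pre-start check that every listed variable is present and that none of the secret-bearing ones (DB_PASSWORD, JWT_KEY, JWT_REFRESH_KEY, CRYPTO_SECRET, CRYPTO_SALT) is empty or still at a placeholder. The variable names are taken from the README; the parser, the placeholder list and the sample file contents are assumptions constructed for this example.

```javascript
// Added example (not Bulwark's own code). Variable names come from the
// README's environment-variable section; everything else is constructed.
const REQUIRED = [
  "DB_PASSWORD", "DB_URL", "DB_USERNAME", "DB_PORT", "DB_NAME", "DB_TYPE",
  "NODE_ENV", "DEV_URL", "SERVER_ADDRESS", "PORT",
  "JWT_KEY", "JWT_REFRESH_KEY", "CRYPTO_SECRET", "CRYPTO_SALT",
];
// Variables that carry secrets and must not be empty or left at a sample value.
const SECRETS = ["DB_PASSWORD", "JWT_KEY", "JWT_REFRESH_KEY", "CRYPTO_SECRET", "CRYPTO_SALT"];
// The README's own sample values (compared case-insensitively); assumed list.
const PLACEHOLDERS = new Set(["", "changeme", "randomvalue", "somepassword", "bulwark"]);

// Minimal dotenv-style parser: skips blank lines and comments, splits on the
// first "=", strips one layer of matching quotes. Assumption: this matches
// dotenv for the simple single-line values used in the README.
function parseDotenv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const q = value[0];
    if ((q === '"' || q === "'") && value.length >= 2 && value.endsWith(q)) {
      value = value.slice(1, -1);
    }
    env[key] = value;
  }
  return env;
}

// Returns a list of human-readable problems; an empty list means the file
// passes. Run this before starting the server so a placeholder JWT or scrypt
// secret fails fast instead of signing tokens in production.
function checkEnv(env) {
  const problems = [];
  for (const key of REQUIRED) {
    if (!(key in env)) problems.push(`${key}: missing`);
  }
  for (const key of SECRETS) {
    if (key in env && PLACEHOLDERS.has(env[key].toLowerCase())) {
      problems.push(`${key}: empty or placeholder value`);
    }
  }
  if ("NODE_ENV" in env && !["development", "production"].includes(env.NODE_ENV)) {
    problems.push('NODE_ENV: expected "development" or "production"');
  }
  for (const key of ["DB_PORT", "PORT"]) {
    if (key in env && !/^\d{1,5}$/.test(env[key])) problems.push(`${key}: not a port number`);
  }
  return problems;
}

// Constructed sample: the README's Docker .env with its secrets untouched and
// CRYPTO_SALT left out, so the check has something to report.
const SAMPLE_ENV = `
DB_PASSWORD="bulwark"
DB_URL="172.16.16.3"
DB_USERNAME="bulwark"
DB_PORT=3306
DB_NAME="bulwark"
DB_TYPE="mysql"
NODE_ENV="production"
DEV_URL="http://localhost:4200"
SERVER_ADDRESS="http://localhost"
PORT=5000
JWT_KEY="changeme"
JWT_REFRESH_KEY="changeme"
CRYPTO_SECRET="changeme"
# CRYPTO_SALT intentionally omitted
`;

for (const problem of checkEnv(parseDotenv(SAMPLE_ENV))) {
  console.log("env check:", problem);
}
```

On the sample above the check reports the missing CRYPTO_SALT and four placeholder secrets; a file that passes is one where all five secret variables hold values generated for that deployment (for example from a CSPRNG) rather than the README's examples.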

Create Initial Database Migration

  1. Create the initial database migration
$ npm run migration:init
  2. Run the initial database migration
$ npm run migration:run

Default credentials

A user account is created on initial startup with the following credentials:

Upon first login, update the default user password under the profile section.

Roles

The application utilizes least privilege access with team-based authorization. Teams are assigned a role which determines the features available to that specific team. A user will inherit roles from team membership. Administrators have team management access and must assign users to teams. Initially, users are created with no team association and will not have access to any features in the application.

The three roles include:

  1. Admin
  2. Tester
  3. Read-Only

A team can only be associated to a single organization. However, a team can be associated to multiple assets within the same organization. A user can be a member of multiple teams. If a user is assigned to multiple teams of the same organization, the system will choose the highest authorized team.

Please note: The default user is automatically assigned to the Administrators team on initial startup

Role Matrix

Feature                         Admin   Tester   Read-Only
User-Profile Management         x       x        x
Team Management                 x
User Management                 x
Invite User                     x
Create User                     x
Email Settings Management       x
Jira Integration                x
Organization: Read              x       x        x
Organization: Full Write        x
Asset: Read                     x       x        x
Asset: Full Write               x
Assessment: Read                x       x        x
Assessment: Full Write          x       x
Vulnerability: Read             x       x        x
Vulnerability: Full Write       x       x
Export Vulnerability to Jira    x       x
Report Generation               x       x        x
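The Roles section and the Role Matrix together define the authorization model: a user inherits roles from team membership, a team belongs to one organization, a user with several teams in the same organization gets the highest-authorized one, a user with no team has no access, and the matrix fixes what each role may do. The following is an added example, not Bulwark's own code, that implements that model end to end. Role and feature names are the README's; the data shapes (a team record with an organization id and a role, a user record with team ids), the function names and the sample users are assumptions. It also assumes the matrix columns read as Admin, Tester, Read-Only from left to right, so a row with a single x is Admin-only and a row with two is Admin and Tester.

```javascript
// Added example (not Bulwark's own code). Role and feature names follow the
// README; the records, function names and sample data are assumed.
const ROLE_RANK = { "Read-Only": 1, "Tester": 2, "Admin": 3 };

// Lowest role that may use each feature, transcribed from the README's Role
// Matrix (assumed column order Admin, Tester, Read-Only).
const MIN_ROLE = {
  "User-Profile Management": "Read-Only",
  "Team Management": "Admin",
  "User Management": "Admin",
  "Invite User": "Admin",
  "Create User": "Admin",
  "Email Settings Management": "Admin",
  "Jira Integration": "Admin",
  "Organization: Read": "Read-Only",
  "Organization: Full Write": "Admin",
  "Asset: Read": "Read-Only",
  "Asset: Full Write": "Admin",
  "Assessment: Read": "Read-Only",
  "Assessment: Full Write": "Tester",
  "Vulnerability: Read": "Read-Only",
  "Vulnerability: Full Write": "Tester",
  "Export Vulnerability to Jira": "Tester",
  "Report Generation": "Read-Only",
};

// Effective role of a user inside one organization: the highest-ranked role
// among the user's teams that belong to that organization, or null when the
// user has no team there (the README's default for a freshly created user).
function effectiveRole(user, orgId, teams) {
  let best = null;
  for (const teamId of user.teams) {
    const team = teams[teamId];
    if (!team || team.orgId !== orgId) continue;   // other org or unknown team
    if (best === null || ROLE_RANK[team.role] > ROLE_RANK[best]) best = team.role;
  }
  return best;
}

// Deny by default: no role in the organization, or a feature that is not in
// the matrix, is a refusal rather than a fall-through.
function isAllowed(user, orgId, feature, teams) {
  const role = effectiveRole(user, orgId, teams);
  const needed = MIN_ROLE[feature];
  if (role === null || needed === undefined) return false;
  return ROLE_RANK[role] >= ROLE_RANK[needed];
}

// Constructed sample data.
const TEAMS = {
  t1: { orgId: "acme", role: "Read-Only" },
  t2: { orgId: "acme", role: "Tester" },
  t3: { orgId: "globex", role: "Admin" },
};
const USERS = {
  alice: { teams: ["t1", "t2"] },   // two teams in acme: Tester wins
  bob:   { teams: ["t3"] },         // Admin in globex, no access to acme
  carol: { teams: [] },             // new user, not yet assigned to a team
};

for (const [name, user] of Object.entries(USERS)) {
  console.log(name, "in acme:", effectiveRole(user, "acme", TEAMS),
              "| Assessment: Full Write ->", isAllowed(user, "acme", "Assessment: Full Write", TEAMS));
}
```

The decision function is written so that every refusal is explicit: a missing team, a team in another organization and a feature name that is not in the matrix all yield false, which is the property to keep when the matrix grows.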

API Key & Management

A user may generate a single API key which can be used in place of their authorization token. This API key allows for all actions against the application that the user is authorized for.

Generating an API key pair

  1. Login to the application
  2. Navigate to the User Profile section
  3. Select Generate API Key

This action will generate a pair of keys:

  1. Bulwark-Api-Key
    1. This is a generated plaintext value that identifies the user.
  2. Bulwark-Secret-Key
    1. This is a generated plaintext value that verifies the user; it is compared against a Bcrypt hash stored in the database.

Write down the generated keys in a safe place. You will not be able to retrieve the keys at a later time.

How to use API keys

The API key pair values must be matched and appended to the following HTTP request headers:

  • Bulwark-Api-Key
  • Bulwark-Secret-Key

Example:

GET /api/assessment/1 HTTP/1.1
Host: localhost:5000
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Bulwark-Api-Key: {{changeMe}}
Bulwark-Secret-Key: {{changeMe}}
Origin: http://localhost:4200
Connection: close
Referer: http://localhost:4200/
Pragma: no-cache
Cache-Control: no-cache

Built With

  • Typeorm - The ORM used
  • Angular - The Angular Framework
  • Express - A minimal and flexible Node.js web application framework

Team

The Softrams Bulwark core development team are:

Contributing

Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change. Read the contribution guidelines for more information.

License

MIT
