gauntlt 0.1.1 → 0.1.2

data/.gitmodules

@@ -6,4 +6,7 @@
 	url = https://github.com/sqlmapproject/sqlmap.git
 [submodule "vendor/Garmr"]
 	path = vendor/Garmr
-	url = https://github.com/freddyb/Garmr.git
+	url = git://github.com/mozilla/Garmr.git
+[submodule "features/support/scapegoat"]
+	path = features/support/scapegoat
+	url = git://github.com/gauntlt/scapegoat.git

data/.travis.yml

@@ -6,9 +6,9 @@ before_install:
   - git submodule update --init --recursive
 before_script:
   - sudo apt-get install nmap
-  - export SSLYZE_PATH="/home/vagrant/builds/thegauntlet/gauntlt/vendor/sslyze/sslyze.py"
-  - export SQLMAP_PATH="/home/vagrant/builds/thegauntlet/gauntlt/vendor/sqlmap/sqlmap.py"
-  - 'cd vendor/Garmr && sudo python setup.py install && sudo easy_install BeautifulSoup && cd ../..'
+  - export SSLYZE_PATH="/home/vagrant/builds/gauntlt/gauntlt/vendor/sslyze/sslyze.py"
+  - export SQLMAP_PATH="/home/vagrant/builds/gauntlt/gauntlt/vendor/sqlmap/sqlmap.py"
+  - 'cd vendor/Garmr && sudo python setup.py install && cd ../..'
 
 matrix:
   allow_failures:

data/Gemfile

@@ -3,4 +3,7 @@ source :rubygems
 gemspec
 
 gem 'debugger', :platform => :mri
+gem 'ruby-debug-base', :platform => :jruby
+
 gem 'sqlite3', :platform => :mri
+gem 'jdbc-sqlite3', :platform => :jruby

data/README.md

@@ -1,4 +1,4 @@
-# gauntlt [![Build Status](https://secure.travis-ci.org/thegauntlet/gauntlt.png?branch=master)](http://travis-ci.org/thegauntlet/gauntlt) [![Code Climate](https://codeclimate.com/badge.png)](https://codeclimate.com/github/thegauntlet/gauntlt)
+# gauntlt [![Build Status](https://secure.travis-ci.org/gauntlt/gauntlt.png?branch=master)](http://travis-ci.org/gauntlt/gauntlt) [![Code Climate](https://codeclimate.com/badge.png)](https://codeclimate.com/github/gauntlt/gauntlt)
 
 gauntlt is a ruggedization framework
 
@@ -10,7 +10,7 @@ Have questions?  Ask us anything on the [gauntlt google group](http://bit.ly/gau
 
 ## GET STARTED
 
-Note: if you are new to gauntlt, have a look at [gauntlt-starter-kit](https://github.com/thegauntlet/gauntlt-starter-kit), which is the easiest way to get up and running with gauntlt.
+Note: if you are new to gauntlt, have a look at [gauntlt-starter-kit](https://github.com/gauntlt/gauntlt-starter-kit), which is the easiest way to get up and running with gauntlt.
 
 You will need ruby version `1.9.3` to run gauntlt, but you can run gauntlt against applications built with any language or platform.
 
@@ -20,21 +20,16 @@ You will need ruby version `1.9.3` to run gauntlt, but you can run gauntlt again
 
 2. Create an attack file and put it anywhere you like
 
-        # nmap.attack
-        Feature: nmap attacks
-          Background:
-            Given "nmap" is installed
-            And the target hostname is "google.com"
-
-          Scenario: Verify server is available on standard web ports
-            When I launch an "nmap" attack with:
+        # simplest.attack
+        Feature: simplest attack possible
+          Scenario:
+            When I launch a "generic" attack with:
               """
-              nmap -p 80,443 <hostname>
+              ls -a
               """
             Then the output should contain:
               """
-              80/tcp  open  http
-              443/tcp open  https
+              .
               """
 
 3. Run gauntlt to launch the attack defined above
@@ -48,7 +43,7 @@ You will need ruby version `1.9.3` to run gauntlt, but you can run gauntlt again
         $ gauntlt my_attacks/*.attack some_other.file
 
 
-      For more attack examples, refer to the [examples](https://github.com/thegauntlet/gauntlt/tree/master/examples).
+      For more attack examples, refer to the [examples](https://github.com/gauntlt/gauntlt/tree/master/examples).
 
 4. Other commands
 
@@ -59,13 +54,72 @@ You will need ruby version `1.9.3` to run gauntlt, but you can run gauntlt again
         $ gauntlt --help
 
 
-## For developers
+## ATTACK ADAPTERS
+
+Gauntlt includes attack adapters for the following tools:
+
+* [curl] [curl]
+* [nmap] [nmap]
+* [sslyze] [sslyze]
+* [sqlmap] [sqlmap]
+* [Garmr] [garmr]
+
+You will need to install each tool yourself before you can use it with gauntlt. However, if you try to use a tool that is not installed or that gauntlt cannot find, you will get a helpful error message from gauntlt with information on how to install and/or configure the tool for use with gauntlt.
+
+We also include a generic attack adapter that allows you to run anything on the command line, parse its output and check its exit status.
+
+
+## ATTACK FILES
+
+### Preamble
+
+To use gauntlt, you will need one or more attack files. An attack file is a plain text file written with [Gherkin](https://github.com/cucumber/gherkin) syntax and named with the `.attack` extension. For more info on the Gherkin syntax, have a look at [Cucumber](http://cukes.info). A gauntlt attack file is almost the same as a cucumber feature file. The main difference is that gauntlt aims to provide the user with predefined steps geared towards security and durability testing so that you do not have to write your own step definitions, whereas cucumber is aimed at developers and stakeholders building features from end to end. Gauntlt and cucumber can and do work together harmoniously.
+
+### What an attack file looks like
+
+    # my.attack
+    Feature: Description for all scenarios in this file
+      Scenario: Description of this scenario
+        Given ...
+        When ...
+        Then ...
+
+      Scenario: ...
+        Given ...
+        When ...
+        Then ...
+
+You can have as many `Scenario` entries as you like, but it is good practice to keep the number low and to ensure that the scenarios in an attack file are all related. You can create as many attack files as you like and organize them in folders and sub-folders as well.
 
-NOTE: We currently use `ruby 1.9.3` and `JRuby 1.7.0-preview2` for development and testing.
+There are a large number of step definitions available, but you can do a lot with just these 3:
+
+    Feature: Attack with kindness
+
+      Scenario: Ensure I am not mean
+        # verify a given attack adapter is installed
+        # HIGHLY RECOMMENDED to catch installation/configuration problems
+        Given "kindness" is installed
+
+        # Execute the attack
+        When I launch a "kindness" attack with:
+          """
+          whoami  # EXACT commands to be executed on the command line
+          """
+
+        # Check exit status and STDOUT
+        Then it should pass with:
+          """
+          very_kind
+          """
+
+
+## FOR DEVELOPERS
+
+NOTE: We currently use `ruby 1.9.3` and `JRuby 1.7.0` for development and testing.
 
 1. Clone the git repo and get the submodules
 
-        $ git clone --recursive git://github.com/thegauntlet/gauntlt.git
+        $ git clone --recursive git://github.com/gauntlt/gauntlt.git
 
 2. Install bundler
 
@@ -92,21 +146,7 @@ NOTE: We currently use `ruby 1.9.3` and `JRuby 1.7.0-preview2` for development a
 
 ## ROADMAP
 
-We are adding different features into gauntlt rignt now.  Please submit issues via github and tag them as enhancements.  The core team meets weekly and will divide out the enhancement requests into our monthly releases.
-
-Below are some tools we are targeting but don't let that stop you from adding your favorite hacking tool.
-
-  * [curl] [curl]
-  * [nmap] [nmap]
-  * [sslyze] [sslyze]
-  * [sqlmap] [sqlmap]
-  * [w3af] [w3af]
-  * [arachni] [arachni]
-
-
-## ADD AN ATTACK ADAPTER
-
-See the wiki on how to add an attack adapter to gauntlt. We would love your contributions.
+Gauntlt is under active development and we appreciate your suggestions and bug reports. We aim to be very responsive and friendly while adhering to a consistent design based on minimalism, simplicity and extensibility.
 
 ## LICENSE
 
@@ -115,6 +155,5 @@ gauntlt is licensed under The MIT License. See the LICENSE file in the repo or v
 [curl]: http://curl.haxx.se
 [nmap]: http://nmap.org
 [sslyze]: https://github.com/iSECPartners/sslyze
-[w3af]: http://w3af.sourceforge.net
 [sqlmap]: http://sqlmap.org
-[arachni]: http://arachni-scanner.com
+[garmr]: https://github.com/mozilla/Garmr

data/examples/curl/cookies.attack

@@ -2,7 +2,9 @@ Feature: Evaluate received cookies against expected.
 
 Background:
   Given "curl" is installed
-  And the target hostname is "google.com"
+  And the following profile:
+    | name     | value      |
+    | hostname | google.com |
 
 Scenario: Verify server is returning the cookies expected
   When I launch a "curl" attack with:

data/examples/curl/simple.attack

@@ -2,7 +2,9 @@ Feature: Launch curl attack
 
 Background:
   Given "curl" is installed
-  And the target hostname is "google.com"
+  And the following profile:
+    | name     | value      |
+    | hostname | google.com |
 
 Scenario: Verify a 301 is received from a curl
   When I launch a "curl" attack with:

data/examples/curl/verbs.attack

@@ -2,7 +2,9 @@ Feature: Evaluate responses to various HTTP methods.
 
 Background:
   Given "curl" is installed
-  And the target hostname is "google.com"
+  And the following profile:
+    | name     | value      |
+    | hostname | google.com |
 
 Scenario Outline: Verify server responds correctly to various HTTP methods
   When I launch a "curl" attack with:

data/examples/garmr/garmr.attack

@@ -2,12 +2,20 @@ Feature: Run garmr scan on a URL
 
 Scenario: Use Garmr to scan a website for basic security requirements
   Given "garmr" is installed
-  And the target URL is "http://localhost:9292/inline-js"
+  And the following profile:
+    | name       | value                           |
+    | target_url | http://localhost:9292/inline-js |
   When I launch a "garmr" attack with:
     """
-    garmr -u <target_url>
+    garmr -u <target_url> -o my_garmr_output.xml
     """
   Then it should pass with:
     """
     [Garmr.corechecks.InlineJS] Fail Inline JavaScript found
-    """
+    """
+  And the file "my_garmr_output.xml" should contain XML:
+    | css                               |
+    | testcase[name="InlineJS"] failure |
+  And the file "my_garmr_output.xml" should not contain XML:
+    | css                               |
+    | testcase[name="SCSPHeaderCheck"] failure |

data/examples/generic/generic.attack

@@ -4,7 +4,9 @@ This attack adapter allows for any command line binary to be executed and the ou
 
 Background:
   Given the "ping" command line binary is installed
-  And the target hostname is "google.com"
+  And the following profile:
+    | name     | value      |
+    | hostname | google.com |
 
 Scenario: Verify a 301 is received from a curl
   When I launch a "generic" attack with:

data/examples/nmap/nmap.attack

@@ -3,9 +3,10 @@
 Feature: nmap attacks for example.com
   Background:
     Given "nmap" is installed
-    And the target hostname is "google.com"
-    And the target tcp_ping_ports are "22,25,80,443"
-
+    And the following profile:
+      | name           | value        |
+      | hostname       | google.com   |
+      | tcp_ping_ports | 22,25,80,443 |
 
   Scenario: Verify server is open on expected set of ports using the nmap fast flag
     When I launch an "nmap" attack with:
@@ -30,19 +31,6 @@ Feature: nmap attacks for example.com
       25/tcp
       """
 
-  Scenario: Using tcp syn ping scan and the nmap fast flag
-    When I launch an "nmap" attack with:
-      """
-      nmap -F -PS<tcp_ping_ports> <hostname>
-      """
-    Then the output should contain:
-      """
-      80/tcp   open  http
-      443/tcp  open  https
-      3128/tcp open  squid-http
-      8080/tcp open  http-proxy
-      """
-
   Scenario: Output to XML
     When I launch an "nmap" attack with:
       """

data/examples/nmap/os_detection.attack

@@ -2,7 +2,9 @@ Feature: OS detection
 
   Background:
     Given "nmap" is installed
-    And the target hostname is "google.com"
+    And the following profile:
+      | name     | value      |
+      | hostname | google.com |
 
   @slow
   Scenario: Detect OS

data/examples/nmap/simple.attack

@@ -2,7 +2,9 @@ Feature: simple nmap attack (sanity check)
 
   Background:
     Given "nmap" is installed
-    And the target hostname is "google.com"
+    And the following profile:
+      | name     | value      |
+      | hostname | google.com |
 
   Scenario: Verify server is available on standard web ports
     When I launch an "nmap" attack with:

data/examples/nmap/tcp_ping_ports.attack

@@ -1,16 +1,18 @@
+@slow @announce
 Feature: nmap attacks for example.com
   Background:
     Given "nmap" is installed
-    And the target hostname is "google.com"
-    And the target tcp_ping_ports are "22,25,80,443"
+    And the following profile:
+      | name           | value           |
+      | hostname       | scanme.nmap.org |
+      | tcp_ping_ports | 22,25,80,443    |
 
-  @slow
   Scenario: Using tcp syn ping scan and the nmap fast flag
     When I launch an "nmap" attack with:
       """
-      nmap -F -PS<tcp_ping_ports> <hostname>
-      """
-    Then the output should contain:
-      """
-      80/tcp
+      nmap -F -PS<tcp_ping_ports> <hostname> -oX foo.xml
       """
+    Then the file "foo.xml" should contain XML:
+      | css                                                         |
+      | ports port[protocol="tcp"][portid="80"] state[state="open"] |
+      | ports port[protocol="tcp"][portid="22"] state[state="open"] |

data/examples/nmap/xml_output.attack

@@ -2,7 +2,9 @@ Feature: XML output
 
   Background:
     Given "nmap" is installed
-    And the target hostname is "google.com"
+    And the following profile:
+      | name     | value      |
+      | hostname | google.com |
 
   Scenario: Output to XML
     When I launch an "nmap" attack with:

data/examples/simplest.attack

@@ -0,0 +1,10 @@
+Feature: simplest attack possible
+  Scenario:
+    When I launch a "generic" attack with:
+      """
+      ls -a
+      """
+    Then the output should contain:
+      """
+      .
+      """

data/examples/sqlmap/sqlmap.attack

@@ -1,14 +1,26 @@
-@slow
+@slow @announce
 Feature: Run sqlmap against a target
+  # See:
+  #   https://github.com/sqlmapproject/sqlmap/wiki/Usage
 
 Scenario: Identify SQL injection vulnerabilities
   Given "sqlmap" is installed
-  And the target URL is "http://localhost:9292/sql-injection?number_id=1"
+  And the following profile:
+    | name       | value                                           |
+    | target_url | http://localhost:9292/sql-injection?number_id=1 |
   When I launch a "sqlmap" attack with:
     """
-    python <sqlmap_path> -u <target_url> --dbms sqlite --batch -v 0
+    python <sqlmap_path> -u <target_url> --dbms sqlite --batch -v 0 --tables
     """
   Then the output should contain:
     """
     sqlmap identified the following injection points
+    """
+  And the output should contain:
+    """
+    [2 tables]
+    +-----------------+
+    | numbers         |
+    | sqlite_sequence |
+    +-----------------+
     """

data/examples/sslyze/sslyze.attack

@@ -2,7 +2,9 @@ Feature: Run sslyze against a target
 
 Background:
   Given "sslyze" is installed
-  And the target hostname is "google.com"
+  And the following profile:
+    | name     | value      |
+    | hostname | google.com |
 
 Scenario: Ensure no anonymous certificates
   When I launch an "sslyze" attack with:
@@ -12,12 +14,4 @@ Scenario: Ensure no anonymous certificates
   Then the output should not contain:
     """
     Anon
-    """
-
-# Scenario: Make sure that the certificate key size is at least 2048
-#   Given the target hostname is "google.com"
-#   When I launch an "sslyze" attack with:
-#     """
-#       python <sslyze_path> <hostname>:443
-#     """
-#   Then the key size should be at least 2048
+    """

data/features/attack.feature

@@ -12,70 +12,65 @@ Feature: Verify the attack behaviour is correct
       nmap
       """
 
-  @slow
   Scenario: Run attack
     Given an attack "nmap" exists
     And a file named "nmap.attack" with:
-    """
-    Feature: my nmap attacks
-      Scenario: nmap attack works
-        Given "nmap" is installed
-        And the target hostname is "google.com"
-        When I launch an "nmap" attack with:
-          \"\"\"
-          nmap -p 80,443 <hostname>
-          \"\"\"
-        Then the output should contain:
-          \"\"\"
-          80/tcp  open  http
-          443/tcp open  https
-          \"\"\"
-    """
+      """
+      Feature: simplest attack possible
+        Scenario:
+          When I launch a "generic" attack with:
+            \"\"\"
+            ls -a
+            \"\"\"
+          Then the output should contain:
+            \"\"\"
+            .
+            \"\"\"
+      """
     When I run `gauntlt`
     Then it should pass with:
-    """
-    4 steps (4 passed)
-    """
+      """
+      2 steps (2 passed)
+      """
 
   Scenario: Run attack with custom filename
     Given an attack "nmap" exists
     And a file named "my.awesome.attack.file" with:
-    """
-    Feature: my nmap attacks
-      Scenario: nmap attack works
-        Given "nmap" is installed
-    """
+      """
+      Feature: my nmap attacks
+        Scenario: nmap attack works
+          Given "nmap" is installed
+      """
     When I run `gauntlt my.awesome.attack.file`
     Then it should pass with:
-    """
-    1 step (1 passed)
-    """
+      """
+      1 step (1 passed)
+      """
 
   Scenario: Run attack with undefined steps
     Given an attack "nmap" exists
     And a file named "nmap.attack" with:
-    """
-    Feature: my non-existent attack
-      Scenario: Fail on undefined step definition
-        Given "thisattackwouldneverexist" is installed
-    """
+      """
+      Feature: my non-existent attack
+        Scenario: Fail on undefined step definition
+          Given "thisattackwouldneverexist" is installed
+      """
     When I run `gauntlt`
     Then it should fail with:
-    """
-    Bad or undefined attack!
-    """
-
+      """
+      Bad or undefined attack!
+      """
 
   Scenario: No attack files in default path
     When I run `gauntlt`
     Then it should fail with:
-    """
-    No files found in path
-    """
+      """
+      No files found in path
+      """
 
   Scenario: No attack files in specified path
     When I run `gauntlt apaththatdoesnotexist`
     Then it should fail with:
-    """
-    No files found in path: apaththatdoesnotexist
-    """
+      """
+      No files found in path: apaththatdoesnotexist
+      """

data/features/attacks/garmr.feature

@@ -1,8 +1,8 @@
+@scapegoat
 Feature: Garmr scan
   Background:
-    Given an attack "curl" exists
+    Given an attack "garmr" exists
     And scapegoat is running on port 9292
-    And an attack "garmr" exists
     And I copy the attack files from the "examples/garmr" folder
     And the following attack files exist:
       | filename      |
@@ -10,6 +10,6 @@ Feature: Garmr scan
     When I run `gauntlt`
     Then it should pass with:
       """
-      4 steps (4 passed)
+      6 steps (6 passed)
       """
     And scapegoat should quit

data/features/attacks/nmap.feature

@@ -28,7 +28,7 @@ Feature: nmap attack
     When I run `gauntlt tcp_ping_ports.attack`
     Then it should pass with:
       """
-      5 steps (5 passed)
+      4 steps (4 passed)
       """
 
   Scenario: Handle XML output file

data/features/attacks/sqlmap.feature

@@ -1,10 +1,10 @@
-@skip-on-jruby
+@scapegoat
 Feature: sqlmap attack
 
   @slow
   Scenario:
-    Given scapegoat is running on port 9292
-    And an attack "sqlmap" exists
+    Given an attack "sqlmap" exists
+    And scapegoat is running on port 9292
     And I copy the attack files from the "examples/sqlmap" folder
     And the following attack files exist:
       | filename      |
@@ -12,6 +12,6 @@ Feature: sqlmap attack
     When I run `gauntlt`
     Then it should pass with:
       """
-      4 steps (4 passed)
+      5 steps (5 passed)
       """
     And scapegoat should quit

data/features/step_definitions/support_steps.rb

@@ -21,12 +21,23 @@ end
 
 require 'rack/handler/webrick'
 Given /^scapegoat is running on port (\d+)$/ do |port|
-  Gauntlt::Scapegoat.set :port, port.to_i
-  Gauntlt::Scapegoat.set :logging, nil
-  @scapegoat_pid = Process.fork do
-    trap(:INT) { ::Rack::Handler::WEBrick.shutdown }
-    Gauntlt::Scapegoat.run!
-    exit # manually exit; otherwise this sub-process will re-run the specs that haven't run yet.
+  if Scapegoat.running?
+    if Scapegoat.port != port.to_i
+      raise "Scapegoat already running on port #{Scapegoat.port} (not #{port})"
+    end
+  else
+    Scapegoat.set :port, port.to_i
+    Scapegoat.set :logging, nil
+
+    if RUBY_PLATFORM == 'java'
+      Thread.new { Scapegoat.run! }
+    else
+      @scapegoat_pid = Process.fork do
+        trap(:INT) { ::Rack::Handler::WEBrick.shutdown }
+        Scapegoat.run!
+        exit # manually exit; otherwise this sub-process will re-run the specs that haven't run yet.
+      end
+    end
   end
 end
 

data/features/support/hooks.rb

@@ -1,3 +1,9 @@
 Before('@slow') do
   @aruba_timeout_seconds = 30
+end
+
+if RUBY_PLATFORM == 'java'
+  Before do
+    @aruba_timeout_seconds = 30
+  end
 end

data/features/tags.feature

@@ -1,44 +1,47 @@
 Feature: Run attacks by tag
 
   Background:
-    Given an attack "nmap" exists
-    And a file named "nmap.attack" with:
-    """
-    Feature: my nmap attacks
+    Given a file named "foobar.attack" with:
+      """
+      Feature: silly attack
 
-      @foo
-      Scenario: Foo
-        Given the target hostname is "foo"
+        @foo
+        Scenario: Foo
+          Given the following profile:
+            | name | value |
+            | foo  | bar   |
 
-      @bar
-      Scenario: Bar
-        Given the target hostname is "bar"
-    """
+        @bar
+        Scenario: Bar
+          Given the following profile:
+            | name | value |
+            | bar  | baz   |
+      """
 
   Scenario: Run attack for one tag
     When I run `gauntlt --tags @foo`
     Then it should pass with:
-    """
-    Feature: my nmap attacks
+      """
+      Feature: silly attack
 
-      @foo
-    """
+        @foo
+      """
     And the stdout should contain:
-    """
-    1 scenario (1 passed)
-    1 step (1 passed)
-    """
+      """
+      1 scenario (1 passed)
+      1 step (1 passed)
+      """
 
   Scenario: Run attack by exluding one tag
     When I run `gauntlt --tags ~@foo`
     Then it should pass with:
-    """
-    Feature: my nmap attacks
+      """
+      Feature: silly attack
 
-      @bar
-    """
+        @bar
+      """
     And the stdout should contain:
-    """
-    1 scenario (1 passed)
-    1 step (1 passed)
-    """
+      """
+      1 scenario (1 passed)
+      1 step (1 passed)
+      """

data/gauntlt.gemspec

@@ -7,7 +7,7 @@ Gem::Specification.new do |s|
   s.version     = Gauntlt::VERSION
   s.authors     = ["James Wickett", "Mani Tadayon"]
   s.email       = ["james@ruggeddevops.org"]
-  s.homepage    = "https://github.com/thegauntlet/gauntlt"
+  s.homepage    = "https://github.com/gauntlt/gauntlt"
   s.summary     = %q{behaviour-driven security using cucumber}
   s.description = %q{Using standard Gherkin language to define security tests, gauntlt happily wraps cucumber functionality and provides a security testing framework that security engineers, developers and operations teams can collaborate on together.}
 

data/lib/gauntlt/attack_adapters/curl.rb

@@ -3,8 +3,7 @@ When /^"curl" is installed$/ do
 end
 
 When /^I launch a "curl" attack with:$/ do |command|
-  command.gsub!('<hostname>', hostname)
-  run command
+  run_with_profile command
   @raw_curl_response = all_output # aruba defines all_output
 end
 

data/lib/gauntlt/attack_adapters/garmr.rb

@@ -3,7 +3,6 @@ When /^"garmr" is installed$/ do
 end
 
 When /^I launch a "garmr" attack with:$/ do |command|
-  command.gsub!('<target_url>', target_url)
-  run command
+  run_with_profile command
   @raw_garmr_output = all_output
 end

data/lib/gauntlt/attack_adapters/gauntlt.rb

@@ -1,7 +1,19 @@
-When /^the target hostname is "(.*?)"$/ do |host|
-  set_hostname host
+require 'nokogiri'
+
+Given /^the following profile:$/ do |table|
+  table.hashes.each do |hsh|
+    add_to_profile( hsh['name'], hsh['value'] )
+  end
 end
 
-When /^the target URL is "(.*?)"$/ do |u|
-  set_target_url u
+When /^the file "(.*?)" should contain XML:$/ do |filename, css_selectors|
+  css_selectors.hashes.each do |row|
+    assert_xml_includes(filename, row['css'])
+  end
 end
+
+When /^the file "(.*?)" should not contain XML:$/ do |filename, css_selectors|
+  css_selectors.hashes.each do |row|
+    assert_xml_does_not_include(filename, row['css'])
+  end
+end

data/lib/gauntlt/attack_adapters/generic.rb

@@ -1,6 +1,5 @@
 When /^I launch a "generic" attack with:$/ do |command|
-  command.gsub!('<hostname>', hostname)
-  run command
+  run_with_profile command
 end
 
 Given /^the "(.*?)" command line binary is installed$/ do |bin|

data/lib/gauntlt/attack_adapters/nmap.rb

@@ -4,30 +4,6 @@ When /^"nmap" is installed$/ do
   ensure_cli_installed("nmap")
 end
 
-When /^the target tcp_ping_ports are "(.*?)"$/ do |ports|
-  set_tcp_ping_ports ports
-end
-
 When /^I launch an "nmap" attack with:$/ do |command|
-  # hostname defined in Gauntlt::Support::ProfileHelper
-  command.gsub!('<hostname>', hostname)
-
-  # tcp_ping_ports defined in Gauntlt::Support::ProfileHelper
-  command.gsub!('<tcp_ping_ports>', tcp_ping_ports) if tcp_ping_ports
-
-  run command
-end
-
-require 'nokogiri'
-
-When /^the file "(.*?)" should contain XML:$/ do |filename, css_selectors|
-  css_selectors.hashes.each do |row|
-    assert_xml_includes(filename, row['css'])
-  end
-end
-
-When /^the file "(.*?)" should not contain XML:$/ do |filename, css_selectors|
-  css_selectors.hashes.each do |row|
-    assert_xml_does_not_include(filename, row['css'])
-  end
+  run_with_profile command
 end

data/lib/gauntlt/attack_adapters/sqlmap.rb

@@ -3,9 +3,7 @@ Given /^"sqlmap" is installed$/ do
 end
 
 When /^I launch an? "sqlmap" attack with:$/ do |command|
-  sqlmap_path = path_to_python_script("sqlmap")
+  add_to_profile('sqlmap_path', path_to_python_script("sqlmap"))
 
-  command.gsub!('<target_url>', target_url)
-  command.gsub!('<sqlmap_path>', sqlmap_path)
-  run command
+  run_with_profile command
 end

data/lib/gauntlt/attack_adapters/sslyze.rb

@@ -3,13 +3,7 @@ Given /^"sslyze" is installed$/ do
 end
 
 When /^I launch an "sslyze" attack with:$/ do |command|
-  sslyze_path = path_to_python_script("sslyze")
+  add_to_profile( 'sslyze', path_to_python_script('sslyze') )
 
-  command.gsub!('<hostname>', hostname)
-  command.gsub!('<sslyze_path>', sslyze_path)
-  run command
-end
-
-Then /^the key size should be at least (\d+)$/ do |arg1|
-  pending # express the regexp above with the code you wish you had
+  run_with_profile command
 end

data/lib/gauntlt/attack_adapters/support/profile_helper.rb

@@ -1,32 +1,23 @@
 module Gauntlt
   module Support
     module ProfileHelper
-      def hostname
-        raise "No host defined" if @hostname.nil?
-
-        @hostname
-      end
-
-      def target_url
-        raise "No target URL defined" if @target_url.nil?
-
-        @target_url
+      def gauntlt_profile
+        @gauntlt_profile ||= {}
       end
 
-      def tcp_ping_ports
-        @tcp_ping_ports
+      def add_to_profile(k,v)
+        puts "Overwriting profile value for #{k}" if gauntlt_profile.has_key?(k)
+        gauntlt_profile[k] = v
       end
 
-      def set_hostname(s)
-        @hostname = s
-      end
+      def run_with_profile(command_template)
+        command = command_template.dup
 
-      def set_target_url(s)
-        @target_url = s
-      end
+        gauntlt_profile.each do |name, value|
+          command.gsub!( "<#{name}>", value )
+        end
 
-      def set_tcp_ping_ports(s)
-        @tcp_ping_ports = s
+        run command
       end
     end
   end

data/lib/gauntlt/version.rb

@@ -1,3 +1,3 @@
 module Gauntlt
-  VERSION = "0.1.1"
+  VERSION = "0.1.2"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: gauntlt
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.1.2
   prerelease: 
 platform: ruby
 authors:
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-10-27 00:00:00.000000000 Z
+date: 2012-10-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: cucumber
@@ -168,6 +168,7 @@ files:
 - examples/nmap/simple.attack
 - examples/nmap/tcp_ping_ports.attack
 - examples/nmap/xml_output.attack
+- examples/simplest.attack
 - examples/sqlmap/sqlmap.attack
 - examples/sslyze/sslyze.attack
 - features/attack.feature
@@ -184,11 +185,6 @@ files:
 - features/support/aruba.rb
 - features/support/env.rb
 - features/support/hooks.rb
-- features/support/scapegoat/scapegoat.rb
-- features/support/scapegoat/views/index.erb
-- features/support/scapegoat/views/inline_js.erb
-- features/support/scapegoat/views/layout.erb
-- features/support/scapegoat/views/sqlmap.erb
 - features/tags.feature
 - gauntlt.gemspec
 - gem_tasks/cucumber.rake
@@ -214,7 +210,7 @@ files:
 - test/test_helper.rb
 - test/tmf.rb
 - vendor/sslyze_output.README
-homepage: https://github.com/thegauntlet/gauntlt
+homepage: https://github.com/gauntlt/gauntlt
 licenses: []
 post_install_message: 
 rdoc_options: []
@@ -253,11 +249,6 @@ test_files:
 - features/support/aruba.rb
 - features/support/env.rb
 - features/support/hooks.rb
-- features/support/scapegoat/scapegoat.rb
-- features/support/scapegoat/views/index.erb
-- features/support/scapegoat/views/inline_js.erb
-- features/support/scapegoat/views/layout.erb
-- features/support/scapegoat/views/sqlmap.erb
 - features/tags.feature
 - test/gauntlt/attack_test.rb
 - test/gauntlt_test.rb

data/features/support/scapegoat/scapegoat.rb

@@ -1,59 +0,0 @@
-if RUBY_PLATFORM != 'java'
-
-  require 'rubygems'
-  require 'sinatra/base'
-  require 'sqlite3'
-
-
-  $DB = SQLite3::Database.new "goat.$DB"
-
-  # Create a database
-  rows = $DB.execute <<-SQL
-  create table if not exists numbers (
-    id INTEGER PRIMARY KEY AUTOINCREMENT,
-    name varchar(30),
-    val int
-  );
-SQL
-
-  # Execute a few inserts
-  {
-    "one" => 1,
-    "two" => 2,
-  }.each do |pair|
-    $DB.execute "insert into numbers(id, name, val) values ( NULL, ?, ? )", pair
-  end
-
-  module Gauntlt
-  end
-
-  class Gauntlt::Scapegoat < Sinatra::Base
-    helpers do
-      def page_title
-      end
-    end
-
-    get '/' do
-      erb :index
-    end
-
-    # sqlmap.py -u "http://localhost:9292/sql-injection?number_id=1"  --dbms sqlite
-    get '/sql-injection' do
-      query = if params['number_id']
-                "select * from numbers where id = #{params['number_id']}"
-              elsif params['sql']
-                params['sql']
-              end
-
-      result = $DB.execute(query) if query
-
-      erb :sqlmap, :locals => {:result => result}
-    end
-
-    get '/inline-js' do
-      erb :inline_js
-    end
-    
-    run! if app_file == $0
-  end
-end

data/features/support/scapegoat/views/index.erb

@@ -1,17 +0,0 @@
-<pre>
-
-    ______________________
-   < Welcome to scapegoat >
-    ----------------------
-        \\
-         \\  (__)
-            (\\/)
-     /-------\\/
-    / |     ||
-   /  ||----||
-      ~~    ~~
-
-
-Available goats:     * <a href="/sql-injection">sql-goat</a>
-                     * <a href="/inline-js">inline js</a>
-</pre>

data/features/support/scapegoat/views/inline_js.erb

@@ -1,3 +0,0 @@
-<script>
-  alert("hi from inline javascript");
-</script>

data/features/support/scapegoat/views/layout.erb

@@ -1,10 +0,0 @@
-<html>
-  <head>
-    <title>
-      <%= page_title || 'scapegoat' %>
-    </title>
-  </head>
-  <body>
-    <%= yield %>
-  </body>
-</html>

data/features/support/scapegoat/views/sqlmap.erb

@@ -1,25 +0,0 @@
-<h1>The form on this page is vulnerable to SQL injection</h1>
-<h2>Received params</h2>
-<pre id='received-params'>
-  <%= params.inspect %>
-</pre>
-<h2>Data returned from database</h2>
-<pre id='result'>
-  <%= result %>
-</pre>
-<br />
-<br />
-<form>
-  <label>
-    <fieldset>
-      <legend>Enter your SQL injection attack here:</legend>
-      <label>
-        Number to look up
-        <input name='number_id' />
-      </label>
-    </fieldset>
-    <fieldset>
-      <input type='submit' />
-    </fieldset>
-  </label>
-</form>