
Dastardly Burp with GitLab


I want to use Burp Dastardly, which is the new DAST tool from PortSwigger.
Actually, I tried it in GitLab CI/CD but I got an error! I even tried it on my server.

This is how I use it in GitLab:

Burp_DAST:
  stage: dast
  image: docker:stable
  script:
    - |
      docker run --user $(id -u):$(id -g) --rm -v $(pwd):/dastardly -e \
      DASTARDLY_TARGET_URL=$TARGET_URL -e \
      DASTARDLY_OUTPUT_FILE=/dastardly/$CI_PROJECT_NAME-dastardly-report.xml \
      public.ecr.aws/portswigger/dastardly:latest
  artifacts:
    paths:
      - "$CI_PROJECT_NAME-dastardly-report.xml"
    when: always

And I have this error:

2022-11-01 12:03:09 INFO  dastardly.EventLogPrinter - Nov 01 2022 11:52:22 INFORMATION Audit started.
2022-11-01 12:03:09 INFO  dastardly.EventLogPrinter - Nov 01 2022 11:52:23 ERROR Could not start Burp's browser sandbox because you are running as root. Either switch to running as an unprivileged user or allow running without sandbox.
2022-11-01 12:03:09 ERROR dastardly.ScanFinishedHandler - Failing build as scanner identified issue(s) with severity higher than "INFO":
2022-11-01 12:03:09 ERROR dastardly.ScanFinishedHandler - Path: / Issue Type: Cross-origin resource sharing: arbitrary origin trusted Severity: HIGH
2022-11-01 12:03:09 ERROR dastardly.ScanFinishedHandler - Path: /robots.txt Issue Type: Cross-origin resource sharing: arbitrary origin trusted Severity: HIGH
2022-11-01 12:03:10 INFO  bsee.BurpProcess.scan.scan-1 - Deleting temporary files - please wait ... done.

EDIT

I did try it on my server and found out it works correctly if you run it with any sudoer user but root. This is the command that I used:

 sudo docker run --user $(id -u):$(id -g) --rm -v $(pwd):/dastardly -e DASTARDLY_TARGET_URL=$TARGET_URL -e DASTARDLY_OUTPUT_FILE=/dastardly/dastardly-report.xml public.ecr.aws/portswigger/dastardly:latest

So I need to know how to do this in GitLab, since docker:dind runs with the root user and docker:dind-rootless is not working well in GitLab?
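
An added example, not part of the original question: a small Python triage of the log quoted above that separates the scanner's environment error (the root/sandbox message) from the findings that fail the build. The function name `triage` and the regular expressions are assumptions derived only from the six log lines shown; the sample input is those lines.

```python
import re

# Sample input: the log lines quoted in the question, embedded so this runs offline.
SAMPLE_LOG = """\
2022-11-01 12:03:09 INFO  dastardly.EventLogPrinter - Nov 01 2022 11:52:22 INFORMATION Audit started.
2022-11-01 12:03:09 INFO  dastardly.EventLogPrinter - Nov 01 2022 11:52:23 ERROR Could not start Burp's browser sandbox because you are running as root. Either switch to running as an unprivileged user or allow running without sandbox.
2022-11-01 12:03:09 ERROR dastardly.ScanFinishedHandler - Failing build as scanner identified issue(s) with severity higher than "INFO":
2022-11-01 12:03:09 ERROR dastardly.ScanFinishedHandler - Path: / Issue Type: Cross-origin resource sharing: arbitrary origin trusted Severity: HIGH
2022-11-01 12:03:09 ERROR dastardly.ScanFinishedHandler - Path: /robots.txt Issue Type: Cross-origin resource sharing: arbitrary origin trusted Severity: HIGH
2022-11-01 12:03:10 INFO  bsee.BurpProcess.scan.scan-1 - Deleting temporary files - please wait ... done.
"""

# Outer wrapper: "<date> <time> <LEVEL> <logger> - <message>" (assumed from the sample)
LINE_RE = re.compile(r"^\S+ \S+ (?P<level>[A-Z]+)\s+(?P<logger>\S+) - (?P<msg>.*)$")
# Finding lines: "Path: <path> Issue Type: <type> Severity: <SEV>"
FINDING_RE = re.compile(r"^Path: (?P<path>\S+) Issue Type: (?P<type>.+) Severity: (?P<sev>[A-Z]+)$")
# Scanner event-log entries carry their own timestamp and level inside the message
EVENT_RE = re.compile(r"^\w{3} \d{2} \d{4} [\d:]+ (?P<level>[A-Z]+) (?P<text>.*)$")


def triage(log_text):
    """Split a Dastardly log into environment errors and reported findings."""
    env_errors, findings, failed_on_findings = [], [], False
    for line in log_text.splitlines():
        outer = LINE_RE.match(line)
        if not outer:
            continue  # not a log line in the assumed format
        msg = outer.group("msg")
        finding = FINDING_RE.match(msg)
        if finding:
            findings.append((finding.group("path"), finding.group("type"), finding.group("sev")))
            continue
        if msg.startswith("Failing build"):
            failed_on_findings = True
            continue
        event = EVENT_RE.match(msg)
        if event and event.group("level") == "ERROR":
            env_errors.append(event.group("text"))
    return {
        "env_errors": env_errors,
        "findings": findings,
        "failed_on_findings": failed_on_findings,
        # True when the scanner reported it could not start its browser sandbox
        "sandbox_blocked": any("browser sandbox" in text for text in env_errors),
    }
```

On the sample, the result shows two separate conditions: the sandbox error from running as root, and two HIGH findings that are what the `Failing build` line refers to.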


Solution

  • I am running the script to run docker-entrypoint.sh. Here is the working CI that I implemented.

    stages:
        - dastardly
    
    dastardly_burpsuit:
        image: 
            name: public.ecr.aws/portswigger/dastardly:latest
            entrypoint: [""]
        stage: dastardly
        variables:
            # No need to clone the repo, we exclusively work on artifacts.  See
            # https://docs.gitlab.com/ee/ci/runners/README.html#git-strategy
            GIT_STRATEGY: none
            DASTARDLY_TARGET_URL: "https://ginandjuice.shop"
            DASTARDLY_OUTPUT_FILE: "$CI_PROJECT_NAME-dastardly-report.xml"
        artifacts:
          paths:
          - "$CI_PROJECT_NAME-dastardly-report.xml"
          when: always
        script:
            - "/bin/bash /usr/local/bin/docker-entrypoint.sh dastardly"