WebBreaker is an open source Dynamic Application Security Test Orchestration (DASTO) client, enabling development teams to create pipelines for security testing and automation of functional security tests, with WebInspect, Fortify SSC, and ThreadFix.
The commands are organized by product followed by actions you want to take on the product accompanied with options. For example webbreaker webinspect scan --settings=zerobank
⬇️ Mac OS, Mac installation is available on tap @ homebrew - COMING SOON
brew install webbreaker
⬇️ CentOS/RedHat/Fedora, Linux installation is available @ artifactory
yum install webbreaker
⬇️ Windows 7, Windows installation is available @ Chocolatey - COMING SOON
choco install webbreaker
⬇️ Build and install from source and follow the steps below.
git clone https://github.com/target/webbreakerexport PATH=$PATH:$PYTHONPATHcd webbreaker;pip install -r requirements.txtpython setup.py buildpython setup.py install
✅ If you have downloaded an executable release of webbreaker, add it to your $PATH or %PATH%
✅ First time installs, run the webbreaker command in your terminal to create the default configurations, including the $HOME/.webbreaker/config.ini
✅ Configure the $HOME/.webbreaker/config.ini or %USERPROFILE%\.webbreaker\config.ini
✅ Below are Webinspect, Fortify SSC, and ThreadFix required settings, see User Guide for advanced set-up.
# Your required Fortify SSC URL and run `webbreaker admin credentials --fortify`
[fortify]
ssc_url = https://ssc.example.com/ssc
username =
password =
# Your ThreadFix URL and ThreadFix API Key
[threadfix]
host = https://threadfix.example.com:8443/threadfix
api_key = <put your threadfix api key here>
# Your Webinspect servers with the REST API port, default is 8083/tcp.
server_01 = https://webinspect-1.example.com:8083
server_02 = https://webinspect-2.example.com:8083
endpoint_01 = %(server_01)s|%(large_server_max_concurrent_scans)s
endpoint_02 = %(server_01)s|%(small_server_max_concurrent_scans)s
NOTES:
- If you are using WebInspect turn-on your WebInspect API Service.
- Advance configuration is available on our User Guide.
New Features, bugs and enhancements for this release are documented in our WebBreaker Release Notes
WebBreaker is a command-line interface (CLI) client. See our complete WebBreaker Documentation for further configuration, usage, and installation.
Illustrated below is an example of a typical WebBreaker WebInspect scanning workflow from creation to triage. Please see the WebBreaker Cheatsheet for further examples.
-
Starting WebInspect Proxy
webbreaker webinspect proxy --start --port=9001 --proxy_name=WEBINSPECT_SCAN_NAME -
Stopping WebInspect Proxy
webbreaker webinspect proxy --stop --proxy_name=WEBINSPECT_SCAN_NAME -
WebInspect Scanning from Proxy Results
webbreaker webinspect scan --settings=$WEBINSPECT_SCAN_NAME.xml --scan_name=WEBINSPECT_SCAN_NAME -
Uploading Scan Results to Threadfix
webbreaker threadfix upload --application WEBINSPECT --scan_file WEBINSPECT_SCAN_NAME.xml -
Uploading Scan Results to Fortify SSC
webbreaker fortify upload --version $WEBINSPECT_SCAN_NAME --scan_name $WEBINSPECT_SCAN_NAME -
Running scans in Jenkins
# scan
webbreaker webinspect scan --settings zerobank --scan_name ${BUILD_TAG}
# upload scan to Fortify SSC
webbreaker fortify upload --scan_name ${BUILD_TAG} --version ${JOB_NAME}
# upload scan to ThreadFix
webbreaker threadfix upload --scan_name ${BUILD_TAG} --application ${JOB_NAME}
Found something that doesn't seem right or have a feature request? Please open a new issue.
Copyright 2018 Target Brands, Inc.