
This guide explains how to set the Crashtest Security Suite up to get you started with automated penetration tests.

  1. Introduction
  2. The first log-in
  3. Creating a project
    1. Specifying a Swagger-file
    2. Verifying a project
  4. Starting a scan
  5. Interpreting scan results
  6. Continuous security testing setup


1. Introduction

Crashtest Security was founded in 2017 in Munich and has established itself as the leading service provider for automated penetration testing for web applications and APIs in the DACH region. 


2. The first log-in


To use the Crashtest Security Suite, log in with your user credentials on: https://www.crashtest.cloud.

You will see your empty dashboard.

Click the Plus Button to create your first project.


3. Creating a project

Our sign-up process is designed for a fast setup and you should be able to run your first scan within 2 minutes.


Let us guide you through the process: 

Step 1: Project type

First, you can define the type of project that shall be scanned. 

You can choose between: 

  • Multi Page Application
    A traditional application written with a server-side programming language.
  • Application Programming Interface (API)
    A REST API. For this type of project, you need a Swagger 2.0 file which describes the API for proper scanning.

If the application you would like to scan is a Single Page Application, please choose API as project type and directly scan the API. If you need any help with the setup, you can always contact our support for specific guidance on your situation.




Step 2: Project details

Second, you define the basic information of your project:

  • Title
    The name of the project which is shown in the dashboard and PDF report
  • Description
    Optional text to better identify your project
  • Protocol
    The protocol which will be used to scan your project (i.e. "http" / "https")
  • URL
    The domain name or IP address of the project. The security scanners will run all tests on this URL.

If you are setting up a project for API scanning, the next step is to specify the location of your swagger-file.



Step 3: Project environment

Third, you define the type of environment in which you are running our scanners.

  • "Production" - Environment
    This setting ensures that only non-invasive scanners will be executed.
  • "Testing" - Environment
    This choice executes all security scanners and should only be performed on easily reproducible staging-systems with no live customer data.
    Our scanners may damage the tested system. These damages might include, but are not limited to, the following:
    • Sending arbitrary form requests that may pollute databases with random data
    • Creating workload spikes that might impact the user experience of other users when performing multiple requests at the same time (adjustable via "throttle"-setting)
    • Publishing production data (which might contain privacy-sensitive customer data) through altering SQL database requests

For a complete list of all security scanners and an overview under which setting they are used, please refer to our complete list of scanners.



After creating the project, it will appear in the project list on your dashboard.


3a. Specifying a Swagger-file

This section only applies when you would like to scan an API.


Please specify the location where your Swagger 2.0 (YAML) file is stored.

The file must meet the following requirements:

A sample file can be downloaded here

If you do not have a Swagger 2.0 file, please contact us and we will be happy to help.
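
A quick structural check you can run on a Swagger 2.0 description before uploading it (added example, not Crashtest Security's own code). It verifies the fields the Swagger 2.0 specification itself requires (`swagger`, `info.title`, `info.version`, `paths`, a `responses` object per operation) and, as this example's own assumption, that `host` and `schemes` are present so that a scanner can resolve concrete request URLs; the platform's full list of file requirements is not reproduced here. The document is a constructed sample in JSON form, which Swagger 2.0 allows alongside YAML and keeps the example free of third-party parsers.

```python
"""Structural check of a Swagger 2.0 description before uploading it for an API project.

Added example, not Crashtest Security's own code. It checks the fields required by
the Swagger 2.0 specification plus host/schemes (this example's assumption about
what a scanner needs to build request URLs).
"""
import json

# Operations a Swagger 2.0 path item may contain (from the specification).
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}

# Constructed sample document; real files come from your API project.
SAMPLE_SWAGGER = json.dumps({
    "swagger": "2.0",
    "info": {"title": "Pet store (constructed sample)", "version": "1.0.0"},
    "host": "api.example.com",
    "basePath": "/v1",
    "schemes": ["https"],
    "paths": {
        "/pets": {
            "get": {"summary": "List pets", "responses": {"200": {"description": "OK"}}},
            "post": {"summary": "Create pet", "responses": {"201": {"description": "Created"}}},
        },
        "/pets/{id}": {
            "get": {
                "summary": "Get pet",
                "parameters": [{"name": "id", "in": "path", "required": True, "type": "string"}],
                "responses": {"200": {"description": "OK"}},
            },
        },
    },
})


def check_swagger(document: str) -> list:
    """Return a list of human-readable problems; an empty list means the file passed."""
    problems = []
    try:
        doc = json.loads(document)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["top level must be an object"]
    if doc.get("swagger") != "2.0":
        problems.append('"swagger" must be the string "2.0" (OpenAPI 3.x files are not Swagger 2.0)')
    info = doc.get("info")
    if not isinstance(info, dict):
        problems.append('"info" object is missing')
    else:
        for key in ("title", "version"):
            if not info.get(key):
                problems.append(f'"info.{key}" is missing')
    # Assumption of this example: without host/schemes a scanner cannot know where to send requests.
    if not doc.get("host"):
        problems.append('"host" is missing; the scanner would not know where the API lives')
    for scheme in doc.get("schemes", []):
        if scheme not in ("http", "https", "ws", "wss"):
            problems.append(f'unknown scheme "{scheme}"')
    paths = doc.get("paths")
    if not isinstance(paths, dict) or not paths:
        problems.append('"paths" is missing or empty; there is nothing to scan')
        return problems
    for path, item in paths.items():
        if not path.startswith("/"):
            problems.append(f'path "{path}" must start with "/"')
        if not isinstance(item, dict):
            problems.append(f'path "{path}" must be an object')
            continue
        ops = [k for k in item if k in HTTP_METHODS]
        if not ops:
            problems.append(f'path "{path}" defines no HTTP operation')
        for op in ops:
            if "responses" not in item[op]:
                problems.append(f'{op.upper()} {path} has no "responses" (required by Swagger 2.0)')
    return problems


def endpoint_list(document: str) -> list:
    """List the concrete URLs the description resolves to, so you can see what will be scanned."""
    doc = json.loads(document)
    scheme = (doc.get("schemes") or ["https"])[0]
    base = doc.get("basePath", "").rstrip("/")
    return sorted(
        f"{op.upper()} {scheme}://{doc['host']}{base}{path}"
        for path, item in doc["paths"].items()
        for op in item if op in HTTP_METHODS
    )


if __name__ == "__main__":
    for line in check_swagger(SAMPLE_SWAGGER) or ["no problems found"]:
        print(line)
    for url in endpoint_list(SAMPLE_SWAGGER):
        print(url)
```

Run it against your own file with `check_swagger(open("api.json").read())`; the endpoint list is worth reading through once, because every URL in it is a target the scanners will send requests to.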


3b. Verifying a project

This section only applies when you chose the testing environment.

Before starting our scanners, you first need to verify that the application belongs to you by uploading a text file to the root directory of the URL.

You will see the lock if you need to verify the project. Otherwise you will see the start scan button on the bottom of the picture.

This is necessary to validate that you have access rights to the domain and are legally allowed to perform pentests.




To verify a project, you need to create an .html file that contains a secure hash. The file needs to be named according to the file name that is displayed in your project verification (see screenshot on the right). Upload the file so that it is available under the root directory of the URL you entered when creating the project. Your specific path is displayed in your project settings.

After you have uploaded this file, you can initiate the verification. Afterwards, your project is ready to scan.


If your project is protected by HTTP Basic Authentication (htaccess protection), you need to configure the username and password in the project settings before trying to verify the project.
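
Before initiating the verification, it helps to confirm from the outside that the file is really served from the root of the project URL and, for htaccess-protected projects, that the configured credentials are accepted. The following is an added example (not Crashtest Security's own code) that does exactly that check; the file name and the hash it must contain are placeholders to be replaced with the values shown in your project settings, and the example assumes the hash appears verbatim somewhere in the served file.

```python
"""Check that a project verification file is reachable before clicking "verify".

Added example, not Crashtest Security's own code. Assumes the file name and hash
are the ones shown in your project settings (placeholders below) and that the hash
appears verbatim in the served file.
"""
import base64
import urllib.error
import urllib.request

# Placeholders: copy the real values from the project verification view.
FILENAME = "crashtest-verification-PLACEHOLDER.html"
EXPECTED_HASH = "PLACEHOLDER_HASH_FROM_PROJECT_SETTINGS"


def verification_url(protocol: str, site: str, filename: str) -> str:
    """Build the URL at which the file must be served: directly under the site root."""
    site = site.strip()
    if "://" in site:                      # tolerate a URL pasted with its scheme
        site = site.split("://", 1)[1]
    site = site.split("/", 1)[0]           # the root directory, never a sub-path
    return f"{protocol}://{site}/{filename.lstrip('/')}"


def basic_auth_header(username: str, password: str) -> dict:
    """HTTP Basic Authentication header, as needed for htaccess-protected projects."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def fetch_with_urllib(url: str, headers: dict):
    """Real transport: returns (status, body). Replaced by a stub in tests."""
    request = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(request, timeout=10) as response:
            return response.status, response.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:   # e.g. 401 when credentials are missing
        return err.code, ""


def check_verification_file(protocol, site, filename, expected_hash,
                            credentials=None, fetch=fetch_with_urllib):
    """Return (ok, message). ok is True only when the root URL serves the expected hash."""
    url = verification_url(protocol, site, filename)
    headers = basic_auth_header(*credentials) if credentials else {}
    status, body = fetch(url, headers)
    if status == 401:
        return False, f"{url} needs HTTP Basic credentials; set them in the project settings first"
    if status != 200:
        return False, f"{url} returned HTTP {status}; the file is not served from the root directory"
    if expected_hash not in body:
        return False, f"{url} is served but does not contain the expected hash"
    return True, f"{url} serves the verification hash; you can start the verification"


if __name__ == "__main__":
    ok, message = check_verification_file("https", "www.example.com", FILENAME, EXPECTED_HASH)
    print(message)
```

Pass `credentials=("user", "password")` for a project behind HTTP Basic Authentication; a 401 from the check is the same failure the platform's verification would hit, which is why the credentials belong in the project settings before you verify.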





4. Starting a scan

Now you are ready to start your first scan. Simply press the "Start" button.

Alternatively, you can open the project page by clicking on the project name and clicking on "Start Scan".


5. Interpreting scan results

Our software provides three views to give you the most relevant information on your projects.

Home

This is the landing page when you log in to the application. It is also called the dashboard, as it gives you the most relevant information on a high level for all your projects.

At the top, the screen shows the number of findings by criticality for all your projects.
We rate our findings according to the Common Vulnerability Scoring System (CVSS). More information on the scoring system can be found here.

Below, you see a list of your projects, including the type of scan, as well as the last scan time.

The status dot at the left side of the row indicates the current state of the scan. When you hover the mouse over the dot, you see the current status.

If you want to add more projects, simply click the yellow "+"-button on the bottom right of the project list.

On the bottom of the page, you see the details of the last scan you ran, with the project name on the top. This gives you direct access to the most current vulnerabilities for quick fixing. The findings are sorted by criticality, with the most critical finding at the top. 

You can see more details per project when you click on a project row. 



Project Overview

Our software provides an overview of the history of scans per project - and ideally of the improving security (meaning fewer vulnerabilities) - over time.

On the top, you can see a visual representation of the past scans. The bars show the number of findings per scan, as well as the number and date of the scan. The findings are grouped by severity as indicated by the color scheme directly below the graph. You can click on the respective bar to jump to the specific scan view.

In the top right, you see the buttons for the general project actions and settings: 

  • "Start Scan": Starts a manual scan
  • "Preferences": Lets you change the project settings.
    These are described in continuous security testing setup.
  • "Delete": This will delete the project.
    Attention: This will also delete the scan history. Make sure you have downloaded all documents you will need in the future.

Below the graph, you see a list of all scans, including the status, the type of scan, and the last scan time.

By clicking on a scan row or the respective bar in the graph, you will get to the overview of one scan.





Scan Details

The scan details page gives you an overview of the specific scan results.
After a scan has been started, you can see the findings appear in the findings list in real-time.

The top left box gives general information, such as the scanned URL, the type of scan, the time when it was started, how the scan was started, and the duration. For more information on the individual items, you can hover the mouse over them.

The options for the scan start include "Manual", "Scheduler", or "Webhook". For more information on the settings for the scan start, please see continuous security testing setup.
This box also gives you the option to go quickly to a different scan number for the same project with the buttons at the bottom - or you can enter a specific scan number in the text field.

The top middle box is a pie chart to add a visual representation of the number of findings, grouped by severity.

The top right box shows the maximum CVSS severity.

The top right corner shows the different options to download the report for this specific scan: either in .pdf format or in the machine-readable JUnit format.

The bottom box has two tabs - finding details or the status of the individual scanners.

The screenshot at the right shows the second tab for the bottom box.
Here, you can see the individual scanner status for this scan and any detailed information in case the scanner was not able to run. The screenshot on the right shows that for the Cross-Site Request Forgery (CSRF) scanner to be executed, you would need to configure the application credentials in the project setting (see continuous security testing setup on how to do that).   





The finding details are shown on the screenshot on the right.

It shows the title of the vulnerability scanner, the detailed information of the vulnerability we found, and the criticality, from left to right.
The standard sort is by severity, but you can change that by clicking on the respective column header - for example if you would like to find all SQL Injection vulnerabilities next to each other.

You can also filter for the scanner title or for a specific description content (e.g. "certificate" for SSL certificate vulnerabilities).


To get further information about a vulnerability, simply click on its name. This opens an overlay with an additional description. To get advice on remediation of the vulnerability, click on the provided link "How to fix this issue?". This will lead you to our knowledge base with a detailed explanation of the issue and how to fix it.


6. Continuous security testing setup

In the project preferences, you may configure additional settings to fine-tune your security scan.
The automation part in particular is where you can use our software to the fullest extent and get started on a continuous security testing journey (also referred to as "DevSecOps").


  • Authentication
    If your system is protected by authentication, you can specify the credentials needed to access the system:
    • System authentication
      If HTTP Basic Authentication (.htaccess protection) is enabled, configure the credentials here.
    • Application authentication
      If your application has a login form, you may add credentials here.
      This only works for Multi Page Applications.
    • API authentication
      If your API needs authentication, you can enter HTTP headers or GET parameters for authentication here.
      This option is only displayed for API projects.
      For an in-depth guide to API authentication, please check out this wiki article.







  • Automation 
    This setting is where our software starts to bring you the sweet fruits of automated pentesting - starting a security scan automatically by time or event:
    • Scheduled scans
      Configure a daily or weekly schedule so that your scans are started automatically at a certain time each day or week.
    • Webhook
      Create a webhook so that your build system can start a security scan automatically based on your needs. You can easily integrate it into your CI/CD pipeline following the steps explained here.






  • Notification
    Enter a Slack webhook so that we notify you every time a scan has finished.

  • Other settings
    • Crawling method
      Adjust the crawler mode to define whether the crawler should detect forms that appear on multiple sites and scan them only once to reduce the scan duration.
      You can choose between the following crawling methods:
      • The Smart Crawling mode tries to detect forms that appear on multiple sites (e.g. a search form) and scans them only once to reduce the scan duration.
        Depending on the implementation of your web application, this might reduce the scan coverage if an identical form appears on multiple sites but is processed differently.
        Please choose exhaustive crawling if this is the case.
      • The Exhaustive Crawling mode scans each detected form for vulnerabilities.
        Therefore, forms appearing on multiple sites are scanned individually each time.
        This might significantly increase the scan duration, but can increase the detection rate.
    • Throttling
      Adjust the throttling threshold to limit the maximum number of requests per second that are sent to your server during a scan.
      Please consider that the threshold influences the scan duration and that certain scanners require a minimum threshold.
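
As an added example for the Automation / Webhook setting above (not Crashtest Security's own code, and not its documented webhook contract), here is a small CI/CD step that triggers a scan through the project webhook and fails the job when the trigger is not accepted. The page states that a webhook lets your build system start a scan but does not show the URL format, HTTP method or response, so this example assumes the webhook is called with an HTTP POST and answers with a 2xx status on success; the environment variable name `CRASHTEST_WEBHOOK_URL` and the https-only rule are this example's own choices.

```python
"""Trigger a scan from a CI/CD job through the project's webhook and fail the job
if the trigger is not accepted.

Added example, not Crashtest Security's own code. Assumptions: the webhook takes an
HTTP POST and returns 2xx on success; the URL is supplied by the CI secret store in
the CRASHTEST_WEBHOOK_URL variable (a name chosen for this example).
"""
import os
import sys
import urllib.error
import urllib.request

ENV_VAR = "CRASHTEST_WEBHOOK_URL"   # keep the URL in the CI secret store, not in the repository


def post_with_urllib(url: str) -> int:
    """Real transport: POST with an empty body, return the HTTP status."""
    request = urllib.request.Request(url, data=b"", method="POST")
    try:
        with urllib.request.urlopen(request, timeout=15) as response:
            return response.status
    except urllib.error.HTTPError as err:
        return err.code


def trigger_scan(webhook_url, post=post_with_urllib):
    """Return (accepted, message). accepted means the webhook answered 2xx.

    The message never contains the URL, so CI logs do not leak it.
    """
    if not webhook_url:
        return False, f"{ENV_VAR} is not set; refusing to run without a webhook URL"
    if not webhook_url.startswith("https://"):
        # The URL is effectively a credential: whoever holds it can start scans
        # against the project, so this example refuses to send it over plain HTTP.
        return False, "webhook URL must use https://"
    status = post(webhook_url)
    if 200 <= status < 300:
        return True, f"scan triggered (HTTP {status})"
    return False, f"webhook rejected the trigger with HTTP {status}"


def ci_exit_code(accepted: bool) -> int:
    """0 lets the pipeline continue; 1 fails the job so a broken trigger is noticed."""
    return 0 if accepted else 1


if __name__ == "__main__":
    accepted, message = trigger_scan(os.environ.get(ENV_VAR))
    print(message)
    sys.exit(ci_exit_code(accepted))
```

Run it as the last step of your deployment job for the staging system (the "Testing" environment described in step 3), with the webhook URL injected as a masked secret; a non-zero exit makes a silently broken trigger visible in the pipeline instead of leaving the project unscanned.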




We hope you found this user guide useful.

If you have feedback of any sort, positive or negative, please write us.


Happy automated Pentesting!
