PAC Config File
Introduction
Prancer's Pentest as Code (PAC) allows users to create a PAC file that contains all the PenTest configurations for a specific scenario, either through the PAC wizard or manually.
The example below is a PAC file used to run a pentest on a target application using Azure infrastructure. It shows the configuration needed to perform a pentest on a target application. By utilizing the PAC file, Prancer gives users a streamlined and comprehensive approach to pentesting, allowing them to easily configure and customize the pentest to their specific needs.
ConnectionName: test_azure_connector
CloudType: azure
ApplicationName: test_log4j
RiskLevel: attack
Compliance:
  - CIS
  - CSA-CCM
ApplicationType: WebScan
Schedule: onetime
Target: http://20.110.226.159:8081
ResourceID: dummyResourceID
paths:
  exclude: []
  include: []
CVE:
  - Path:
      Include:
        - .*\.js
        - abc.java
      Exclude:
        - .*\.py
    Connector: azure_custom_script_connector
Scanner:
  Cloud:
    Platform:
      Azure:
        ContainerInstance:
          AfterRun: stop
          NewContainerInstance:
            External:
              SubscriptionId: a6941677-4c37-42fb-960c-dad8f25060a3
              ResourceGp: pac
              Region: eastus
              ContainerGroupName: Prancer-scanner-group
              ContainerName: Prancer-pentest-instance
              ResourceName: Prancer-instances
AuthenticationMethod: noAuthentication
AddOns:
  - accessControl
  - ascanrulesAlpha
In this sample PAC file, each field is explained as follows:
Field Name | Value | Description |
---|---|---|
ConnectionName | test_azure_connector | Identifies the connector Prancer uses to connect to the cloud |
CloudType | azure | The type of cloud in which Prancer creates the scanner |
Scanner | - | Holds the configuration used to set up the infrastructure of the scanner instance |
ApplicationName | test_log4j | A name for the PAC file |
ApplicationType | WebScan | The type of pentest; one of two values, WebScan or APIScan |
Target | http://20.110.226.159:8081 | The target Prancer runs the pentest against |
ResourceID | dummyResourceID | The resource ID; for AWS resources (API Gateway, REST API, etc.) this is the ARN |
paths | exclude: [], include: [] | Paths to include in or exclude from the scan |
AuthenticationMethod | noAuthentication | The authentication method of the application; one of noAuthentication, formBasedAuthentication, jsonBasedAuthentication or jwtAuthentication |
AddOns | accessControl, ascanrulesAlpha | Add-ons to install so that the related scanner checks run |
ConnectionName
This field is used to connect to the cloud and create the scanner instance that runs the pentest. For more information about connector files, see the connector introduction.
Each PAC file should have exactly one ConnectionName when the scanner type is one of the supported cloud types.
In the example above, the connection name is test_azure_connector.
Make sure that the name you set in this field exists inside the same collection that holds the PAC file.
CloudType
The cloud type should be selected from the cloud types supported by PAC. For now, these cloud types are supported:
- Azure
- AWS
Each type has different fields to fill out. We will review them in detail.
Azure
For scenarios based on the Azure cloud, the Prancer engine creates the scanner using an ACI (Azure Container Instances) resource and pulls a custom Prancer PAC scanner image from the image registry. This image runs the pentest. When the pentest is done, the Prancer scanner instance sends all the alerts it found to the customer dashboard (described in another section). The following configuration is available for the Azure cloud:
Scanner:
  Cloud:
    Platform:
      Azure:
        ContainerInstance:
          AfterRun: stop
          NewContainerInstance:
            External:
              SubscriptionId: a6941677-4c37-42fb-960c-dad8f25060a3
              ResourceGp: pac
              Region: eastus
              ContainerGroupName: Prancer-scanner-group
              ContainerName: Prancer-pentest-instance
              ResourceName: Prancer-instances
The details for the Azure cloud are as follows:
Field | Value | Description |
---|---|---|
AfterRun | stop | The action Prancer takes after the scan is done; either stop or delete |
SubscriptionId | a6941677-4c37-42fb-960c-dad8f25060a3 | The Azure subscription in which Prancer creates the scanner |
ResourceGp | pac | The resource group in which Prancer creates the scanner instance; it must already exist inside the subscription defined in the previous field |
Region | eastus | Used to filter the resource group and find it more easily; this field is mandatory too |
ContainerGroupName | Prancer-scanner-group | The name of the ACI group Prancer creates inside the resource group |
ContainerName | Prancer-pentest-instance | The container name inside the ACI group |
ResourceName | Prancer-instances | The name of the resource Prancer creates in the resource group |
AWS
For the AWS cloud, Prancer creates the scanner by creating an ECS Fargate instance and pulling a custom Prancer PAC scanner image. This image runs the pentest scenario based on the configuration in the PAC file. The pentest scanner instance then sends all the alerts it found to the customer dashboard (described in another section).
Scanner:
  Cloud:
    Platform:
      AWS:
        AfterRun: delete
        NewFargate:
          External:
            AccountId: "18993667260"
            Region: us-west-2
            TaskDefinition: pentest-task
            ClusterName: pentest-cluster
            SecurityGroup: pentest-security-group
            ContainerName: Prancer-scanner-4
            SubnetId: subnet-bdcdcff6
Let's have a quick look at the fields available for the AWS cloud type:
Field | Value | Description |
---|---|---|
AfterRun | delete | The action Prancer takes after the scan is done; either stop or delete |
AccountId | "18993667260" | The AWS account in which Prancer creates the scanner |
Region | us-west-2 | The region in which Prancer creates the Fargate instance |
TaskDefinition | pentest-task | The name of the task definition Prancer creates |
ClusterName | pentest-cluster | The name of the cluster Prancer creates |
SecurityGroup | pentest-security-group | The security group selected by the user and associated with the EC2 instance to control its inbound and outbound traffic |
ContainerName | Prancer-scanner-4 | The name of the scanner instance |
SubnetId | subnet-bdcdcff6 | The subnet (range of IP addresses) in which Prancer creates the instance |
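The top-level and per-cloud field tables above describe a schema, so here is an added pre-flight validator for a PAC file that has already been loaded into a dict (for example with PyYAML's `yaml.safe_load`). It is constructed from the tables on this page, not Prancer's own schema code, and it assumes that every field listed in the Azure and AWS tables is required.

```python
CLOUD_PLATFORMS = {"azure": "Azure", "aws": "AWS"}
AUTH_METHODS = {"noAuthentication", "formBasedAuthentication",
                "jsonBasedAuthentication", "jwtAuthentication"}
# Per-cloud scanner fields the tables above describe as required (constructed
# from this page; not Prancer's own schema code).
REQUIRED_EXTERNAL = {
    "azure": ("SubscriptionId", "ResourceGp", "Region", "ContainerGroupName",
              "ContainerName", "ResourceName"),
    "aws": ("AccountId", "Region", "TaskDefinition", "ClusterName",
            "SecurityGroup", "ContainerName", "SubnetId"),
}

def _dig(d, *keys):
    """Walk nested dicts; return None if any key on the path is missing."""
    for k in keys:
        if not isinstance(d, dict) or k not in d:
            return None
        d = d[k]
    return d

def validate_pac(pac):
    """Return a list of problems; an empty list means the PAC file passes."""
    errors = [f"missing top-level field {k}" for k in
              ("ConnectionName", "CloudType", "ApplicationName",
               "ApplicationType", "Target", "AuthenticationMethod") if k not in pac]
    if pac.get("ApplicationType") not in ("WebScan", "APIScan"):
        errors.append("ApplicationType must be WebScan or APIScan")
    if pac.get("AuthenticationMethod") not in AUTH_METHODS:
        errors.append("unknown AuthenticationMethod")
    cloud = pac.get("CloudType")
    if cloud not in CLOUD_PLATFORMS:
        return errors + [f"unsupported CloudType {cloud!r}"]
    platform = _dig(pac, "Scanner", "Cloud", "Platform", CLOUD_PLATFORMS[cloud])
    if platform is None:
        return errors + [f"Scanner.Cloud.Platform.{CLOUD_PLATFORMS[cloud]} is missing"]
    # Azure nests AfterRun under ContainerInstance; AWS keeps it directly under AWS.
    if cloud == "azure":
        node = _dig(platform, "ContainerInstance")
        external = _dig(node, "NewContainerInstance", "External")
    else:
        node = platform
        external = _dig(node, "NewFargate", "External")
    if _dig(node, "AfterRun") not in ("stop", "delete"):
        errors.append("AfterRun must be stop or delete")
    for field in REQUIRED_EXTERNAL[cloud]:
        if _dig(external, field) in (None, ""):
            errors.append(f"missing {field} in {cloud} scanner External block")
    return errors
```

Running it before submitting a PAC file catches the mismatch between CloudType and the Scanner platform block, which otherwise only surfaces when the scanner fails to launch.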
That covers the pentest infrastructure Prancer creates. Let's move on to the other features Prancer provides for Pentest as Code.
APIScan
If the application type is equal to APIScan, there are some other configurations available.
Swagger file
We can specify the path to the Swagger file, which holds all the endpoint information:
APIScan:
  Type: OpenAPI
  DirectionProvider: "link"
  Direction: https://petstore.swagger.io/v2/swagger.json
Postman integration
You can use a Postman collection as the manifest of all the available endpoints to attack inside Prancer. PostmanCollectionRepo can hold the repository of the Postman collection. PostmanRemoteFile should hold the path to the Postman collection file. If you have an environment variable file, put its path in PostmanEnvRemoteFile so that Prancer extracts the environment variables and their values and merges them with the Postman collection.
For the detailed procedure, see the Postman wizard steps.
APIScan:
  Type: OpenAPI
  DirectionProvider: "git"
  Connector: <<git connector>>
  PostmanRemoteFile: <<file location in git repo>>
  PostmanEnvRemoteFile: <<file location in git repo>>
Authentication fields
Each authentication method has its own fields, just as the scanner does. Let's dive in:
jwtAuthentication
The fields below are used for JWT authentication. Let's focus on the fields that exist in the sample:
JWTAuth:
  UsernameSecretKey: crUsername
  PasswordSecretKey: crPassword
  LoginUrl: /identity/api/auth/login
  LogoutUrl: /identity/api/auth/logout
  LoginBodyTemplate: '{"email":"%username%","password":"%password%"}'
  LoginIndicator: ^.*token.*$
  AuthorizationType: Header
  AuthorizationKey: Authorization
  AuthorizationTokenType: Bearer
Field | Value | Description |
---|---|---|
UsernameSecretKey | crUsername | The key of the username; the real value is fetched from Secrets Manager if the cloud type is AWS and from Key Vault if the cloud type is Azure |
PasswordSecretKey | crPassword | The key of the password; the real value is fetched from Secrets Manager if the cloud type is AWS and from Key Vault if the cloud type is Azure |
LoginUrl | /identity/api/auth/login | The login URL of the application |
LogoutUrl | /identity/api/auth/logout | The logout URL; it is excluded from the scanned paths so that the token does not get expired |
LoginBodyTemplate | '{"email":"%username%","password":"%password%"}' | The body template of the login request |
LoginIndicator | ^.*token.*$ | After the login request is sent and a response received, Prancer looks for the login indicator in the response body; if it is found, the login is considered successful |
AuthorizationType | Header | Required to determine the authorization type |
AuthorizationKey | Authorization | The key name of the authorization field in the header |
AuthorizationTokenType | Bearer | Defines the token type |
Form based authentication
Form based authentication is mainly used by web applications. Here are the fields for form based authentication:
FormBaseAuth:
  UsernameSecretKey: username
  PasswordSecretKey: password
  LoginUrl: /login
  LogoutUrl: /logout
  LoginRequestPostData: identifier={%username%}&password={%password%}
  LoginIndicator: "logout"
Field | Value | Description |
---|---|---|
UsernameSecretKey | username | The label under which the username is stored in the secret manager |
PasswordSecretKey | password | The label under which the password is stored in the secret manager |
LoginUrl | /login | The login URL |
LogoutUrl | /logout | The logout URL |
LoginRequestPostData | identifier={%username%}&password={%password%} | The post data format used to submit the login form |
LoginIndicator | logout | An indicator on the page which shows that the user is logged in |
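To make the JWT and form-based fields concrete, here is an added walkthrough of what the scanner does with them: fill the login template from the secret values, test the LoginIndicator against the login response, build the Authorization header, and keep LogoutUrl out of the crawl. It is constructed for this page and is not Prancer's code; the configs copy the two samples above, the server responses are made up, and the assumption that the JWT is returned under a JSON key named "token" is not stated on the page.

```python
import json
import re

# Constructed walkthrough of the JWTAuth and FormBaseAuth fields documented above.
# Not Prancer's code; the configs copy the page's samples and the server
# responses fed in are made up for the demo.
JWT_CFG = {"LoginUrl": "/identity/api/auth/login", "LogoutUrl": "/identity/api/auth/logout",
           "LoginBodyTemplate": '{"email":"%username%","password":"%password%"}',
           "LoginIndicator": r"^.*token.*$", "AuthorizationType": "Header",
           "AuthorizationKey": "Authorization", "AuthorizationTokenType": "Bearer"}
FORM_CFG = {"LoginUrl": "/login", "LogoutUrl": "/logout",
            "LoginRequestPostData": "identifier={%username%}&password={%password%}",
            "LoginIndicator": "logout"}

def render_login_body(template, username, password):
    """Substitute %username% / %password%; the real secrets are fetched by key
    (UsernameSecretKey / PasswordSecretKey) from Secrets Manager or Key Vault."""
    return template.replace("%username%", username).replace("%password%", password)

def login_succeeded(cfg, response_body):
    """LoginIndicator is applied to the response body as a regex; a plain word
    such as 'logout' is also a valid regex, so both auth styles share this check."""
    return re.search(cfg["LoginIndicator"], response_body, re.MULTILINE) is not None

def build_auth_header(cfg, token):
    """Build the header the scanner attaches to every request after login."""
    if cfg["AuthorizationType"] != "Header":
        raise ValueError("only Header authorization is demonstrated here")
    return {cfg["AuthorizationKey"]: f"{cfg['AuthorizationTokenType']} {token}"}

def should_skip_path(cfg, path):
    """LogoutUrl stays out of the crawl so the scanner never ends its own session."""
    return path == cfg["LogoutUrl"]

def jwt_login_demo(username, password, response_body):
    """Run the JWT flow against a canned login response; returns the auth header,
    or None when the indicator is absent. Assumption not stated on the page: the
    token is returned in a top-level JSON key named 'token'."""
    body = render_login_body(JWT_CFG["LoginBodyTemplate"], username, password)
    json.loads(body)  # raw substitution: a quote in the password would break the JSON here
    if not login_succeeded(JWT_CFG, response_body):
        return None
    return build_auth_header(JWT_CFG, json.loads(response_body)["token"])
```

The `json.loads(body)` check is the edge case worth keeping in mind: LoginBodyTemplate is substituted textually, so a password containing a double quote yields a malformed login request.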
no authentication
If you don't want to use any authentication, choose the no authentication option:
AuthenticationMethod: noAuthentication
CVE
Prancer provides support for defining custom scripts that can be embedded within ZAP. You can enhance the attacks by adding multiple scripts supported by ZAP; see https://www.zaproxy.org/docs/desktop/addons/script-console/
CVE:
  - Path:
      Include:
        - .*\.js
        - abc.java
      Exclude:
        - .*\.py
    Connector: azure_custom_script_connector
Field | Value | Description |
---|---|---|
Path | Include and Exclude paths | Contains the lists of include and exclude paths |
Path.Include | list of paths | The list of script paths (regex) to include in processing |
Path.Exclude | list of paths | The list of paths (regex) excluded while loading the scripts |
Connector | connector name | The name of the connector used to connect to the git repository |
See Common Vulnerabilities and Exposures (CVE) for the complete steps to integrate custom scripts in PAC.
AddOns
Prancer uses an open source scanner to pentest target applications. If the scanner is ZAP, you can select which add-ons to load while pentesting the application. Based on the type of the application, these add-ons are loaded dynamically into the PAC file.
AddOns:
  - accessControl
  - ascanrulesAlpha
A list of all available add-ons: https://www.zaproxy.org/addons
AWS sample
Here is another sample PAC file, used to run a pentest on a target application using AWS infrastructure:
ConnectionName: test_shahin_aws_ws_att_connector
CloudType: aws
ApplicationName: test_shahin_aws_ws_att_app
RiskLevel: attack
Compliance:
  - CIS
  - CSA-CCM
  - HIPAA
ApplicationType: WebScan
Schedule: onetime
Target: https://ctflearn.com
ResourceID: dummyResourceID
paths:
  exclude: []
  include: []
Scanner:
  Cloud:
    Platform:
      AWS:
        AfterRun: delete
        NewFargate:
          External:
            AccountId: "15557887260"
            Region: us-west-2
            TaskDefinition: pentest-task
            ClusterName: pentest-cluster
            SecurityGroup: pentest-security-group
            ContainerName: Prancer-scanner-4
            SubnetId: subnet-bdcdcff6
AuthenticationMethod: noAuthentication
# All the add-on IDs are listed at https://www.zaproxy.org/addons.
AddOns:
  # - accessControl
  # - ascanrulesAlpha