Test and Custom Plugin
  • 11 Nov 2024
  • 5 Minutes to read

Plugins facilitate the testing of APIs used by your application. Using these plugins you can validate the effectiveness of security configurations and policies under various scenarios. Traceable provides two types of plugins:

  • Test (Traceable) Plugin — Traceable provides these plugins out-of-the-box. They are pre-designed to assess and validate the security of your APIs against the most common vulnerabilities. Test plugins are part of the scan policy, and you can use them to perform security checks and identify vulnerabilities and potential security weaknesses. You can view these test plugins by navigating to Testing > Test Plugins > Traceable.

  • Custom Plugin — Traceable provides the option to create plugins according to your requirements. These plugins enable you to implement specific security rules or logic, such as enforcing particular security policies. You can configure these plugins either from the Traceable platform or using the config.yaml file. You can view the plugins you have created by navigating to Testing > Test Plugins > Custom.

You can use these plugins for regular security assessments, compliance checks, custom compliance reporting, and advanced threat detection. By using these plugins together, you can ensure that your application security is efficient and robust.


The Test Plugins page also contains the Overrides tab that lists the assertion and mutation overrides configured for a quick scan or suite. You can navigate to the tab and view, edit, or delete these overrides according to your requirements. For more information on overrides, see Mutation and Assertion Overrides.


Custom Plugins

You can configure custom plugins in Traceable using either of the following options:

  • The Traceable platform

  • The config.yaml file

This section explains the steps to configure a custom plugin using either of the above options.

Using the Traceable platform

To create a custom plugin using the Traceable platform, navigate to Testing > Test Plugins and click Create Plugin in the page’s top right corner. Creating a custom plugin is a three-step process:

  1. Selecting the vulnerability type you want to detect using the plugin.

  2. Configuring the custom plugin labels.

  3. Specifying the plugin definition according to your requirements.

Step 1 — Vulnerability Types

This step requires you to select the desired custom vulnerability you want Traceable to detect. To do this, you can use the Configure Vulnerability Types drop-down. The drop-down lists the custom vulnerability types you may have created in the Vulnerability Types page. For more information, see Vulnerability Types.

You can also click + Create New to create a new custom vulnerability. Once you have selected a vulnerability type, click Next.

Step 2 — Custom Plugin

This step requires you to specify the custom plugin labels that are required to describe the plugin in the Traceable platform. Following is the list of labels that you need to configure:

  • Safe from Production Environment — If disabled, Traceable does not use the custom plugin on your production environment, which minimizes the risk of impact on live data. If enabled, Traceable uses the custom plugin on your production environment.

  • Plugin name — The name of the custom plugin.

  • Description — Some basic information about the plugin, for example, the vulnerability it detects and any references.

  • Attack Methodology — A description of the attack methodology the plugin uses, for example, how it detects a vulnerability or tests the APIs.

  • Category — The category of the plugin:

    • Active — Plugins in this category actively interact with your application by making API calls to your application environment.

    • Passive — Plugins in this category do not actively interact with your application; they observe the calls made to your application environment.

  • Tags — The metadata (key-value pairs) you want to apply to the plugin. For example, if the plugin detects vulnerabilities related to PCI DSS data, you can specify the key as Compliance with the value PCI DSS.
    To add multiple tags, click + Add Tag.

Once you have specified the above configurations, click Next.

Step 3 — Plugin Definition

This step requires you to select the kind of custom plugin (Python or YAML) that you wish to create. After you have selected the plugin type, you can either upload the custom plugin code file or specify its code snippet. To upload the custom plugin file, click Import from file. For more information on the attributes, functions, and operators you can use in a custom Python or YAML plugin, see Python-based Plugins and YAML-based Plugins respectively.

After you have specified the custom plugin code, you can test the plugin using the Test Plugin widget. To do so, you must complete the following configurations:

  • Endpoint selection — You can do the following to use an endpoint for testing:

    • Select an endpoint from the drop-down.

    • Click Advanced Search and select an API endpoint.

    • Specify the Endpoint URL.

    Traceable populates the Request Headers and Request Body sections based on your selection. The selected endpoint acts as a reference. You can add request headers by clicking + Add Headers and edit the request body according to your requirements. Traceable uses this request header and body for testing the plugin.

  • Runner selection — You can select a specific runner or allow Traceable to select one automatically. This runner is used for testing the plugin.

  • Run the scan — After you have completed the above step, click Run from the widget’s top right corner. Traceable displays the result below the Request Body section.

Once you have tested the plugin, click Submit. Traceable displays the plugin in the Custom tab. You can also click the ellipsis (...) icon corresponding to a plugin to edit or delete it.

Using config.yaml

This method enables you to create custom Python plugins using the config.yaml file (plugins section) on your local machine. Following are configurations that you can use while creating the plugin:

Default location of TRACEABLE_HOME:

  • CLI — $HOME/.traceable

  • Docker — /app/userdata

| File Directory | Default Location | Description |
|---|---|---|
| config.yaml | $TRACEABLE_HOME | Contains the configuration for AST, such as pre-hooks, post-hooks, and custom plugin definitions. |
| custom | $TRACEABLE_HOME/plugins/custom | Contains the custom plugin implementations. |
| hooks | $TRACEABLE_HOME/hooks | Contains the pre- and post-hooks. |
| testsuite (per API) | $TRACEABLE_HOME/data/<scan_id>/*.json | Contains the JSON files that represent test suites. Each file is a suite of tests generated at the moment for a specific API. |

Configuring custom plugins

The following section in the config.yaml file defines the custom plugins to load during the test runs:

custom:
   sample_plugin: {}

In the above code snippet, the plugin name is sample_plugin, which must match the name of the plugin defined in the custom plugin code placed in the $TRACEABLE_HOME/plugins/custom directory. For more information on writing custom Python plugins, see Python-based Plugins.
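The wiring between the `custom:` section of config.yaml and the plugins/custom directory is easy to get wrong (a plugin listed in config.yaml with no matching implementation file is silently useless), so a pre-scan sanity check is worth having. The following script is an added example, not Traceable's own code or API. It resolves TRACEABLE_HOME using the defaults from the table above, reads the plugin names from the parsed `custom:` mapping, and reports which ones have an implementation file. It assumes two things the page does not state: that a plugin named `sample_plugin` lives in a file called `sample_plugin.py`, and that the `custom:` mapping may sit either at the top level of config.yaml or under a `plugins:` key. The config is supplied as a Python dict (the parsed form of the YAML snippet) so the script runs without a YAML library.

```python
"""Sanity-check custom-plugin wiring between config.yaml and plugins/custom.

Added example, not Traceable's own code. Assumptions (not stated on the page):
  - a custom plugin named <name> is implemented in plugins/custom/<name>.py;
  - the `custom:` mapping may be top-level or nested under `plugins:`.
"""
import os
import tempfile
from pathlib import Path

# Default TRACEABLE_HOME values, per runtime, from the page's table.
DEFAULT_HOME = {
    "cli": Path.home() / ".traceable",
    "docker": Path("/app/userdata"),
}


def resolve_traceable_home(env=None, runtime="cli"):
    """Return TRACEABLE_HOME from the environment, else the documented default."""
    env = os.environ if env is None else env
    value = env.get("TRACEABLE_HOME")
    return Path(value) if value else DEFAULT_HOME[runtime]


def custom_plugin_names(config):
    """Return the plugin names declared in the `custom:` mapping, sorted."""
    section = config.get("plugins", config)  # tolerate both layouts (assumption)
    custom = section.get("custom") or {}     # `custom:` with no entries parses as None
    return sorted(custom)


def check_custom_plugins(config, home):
    """Split declared plugin names into (found, missing) by looking for <name>.py."""
    plugin_dir = Path(home) / "plugins" / "custom"
    found, missing = [], []
    for name in custom_plugin_names(config):
        target = found if (plugin_dir / f"{name}.py").is_file() else missing
        target.append(name)
    return found, missing


def demo():
    """Run the check against a constructed TRACEABLE_HOME in a temp directory."""
    # Constructed fixture: the page's `custom: sample_plugin: {}` plus a second
    # plugin with no implementation file, to show the failure mode being caught.
    config = {"plugins": {"custom": {"sample_plugin": {}, "orphan_plugin": {}}}}
    with tempfile.TemporaryDirectory() as tmp:
        home = resolve_traceable_home({"TRACEABLE_HOME": tmp})
        plugin_dir = home / "plugins" / "custom"
        plugin_dir.mkdir(parents=True)
        (plugin_dir / "sample_plugin.py").write_text("# placeholder plugin body\n")
        return check_custom_plugins(config, home)


if __name__ == "__main__":
    found, missing = demo()
    print("found:", found)
    print("missing:", missing)
```

Run it before launching a scan; any name under "missing" is declared in config.yaml but has no file under plugins/custom, and the plugin will not be loaded.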
