CMSeeK
What is CMSeeK?
CMSeeK is an open source penetration testing tool to automate the process of detecting various types of CMS and its installed extensions. Only the Joomla CMS is supported by secureCodeBox. CMSeeK has a database with known vulnerabilities.
To learn more about the CMSeeK scanner itself, visit the CMSeeK GitHub repository here.
Deployment
The cmseek chart can be deployed via helm:
# Install HelmChart (use -n to configure another namespace)
helm upgrade --install cmseek secureCodeBox/cmseek
Scanner Configuration
The CMSeeK targets are specified with the -u
parameter. The target should be a URL.
Additional CMSeeK scan features can be configured via the parameter attribute.
Some useful example parameters listed below:
-u URL, --url URL
: Target Url.--follow-redirect
: Follows all/any redirect(s).--no-redirect
: skips all redirects and tests the input target(s)-r, --random-agent
: Use a random user agent.--googlebot
: Use Google bot user agent.--user-agent USER_AGENT
: Specify a custom user agent
Requirements
Kubernetes: >=v1.11.0-0
Values
Key | Type | Default | Description |
---|---|---|---|
cascadingRules.enabled | bool | false | Enables or disables the installation of the default cascading rules for this scanner |
imagePullSecrets | list | [] | Define imagePullSecrets when a private registry is used (see: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) |
parser.affinity | object | {} | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) |
parser.env | list | [] | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
parser.image.pullPolicy | string | "IfNotPresent" | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images |
parser.image.repository | string | "docker.io/securecodebox/parser-cmseek" | Parser image repository |
parser.image.tag | string | defaults to the charts version | Parser image tag |
parser.resources | object | { requests: { cpu: "200m", memory: "100Mi" }, limits: { cpu: "400m", memory: "200Mi" } } | Optional resources lets you control resource limits and requests for the parser container. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
parser.scopeLimiterAliases | object | {} | Optional finding aliases to be used in the scopeLimiter. |
parser.tolerations | list | [] | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
parser.ttlSecondsAfterFinished | string | nil | seconds after which the Kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
scanner.activeDeadlineSeconds | string | nil | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) |
scanner.affinity | object | {} | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) |
scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) |
scanner.env | list | [] | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
scanner.extraContainers | list | [] | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) |
scanner.extraVolumeMounts | list | [] | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
scanner.extraVolumes | list | [] | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
scanner.image.pullPolicy | string | "IfNotPresent" | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images |
scanner.image.repository | string | "docker.io/securecodebox/scanner-cmseek" | Container Image to run the scan |
scanner.image.tag | string | nil | defaults to the charts appVersion |
scanner.nameAppend | string | nil | append a string to the default scantype name. |
scanner.podSecurityContext | object | {} | Optional securityContext set on scanner pod (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
scanner.resources | object | {} | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
scanner.securityContext | object | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"privileged":false,"readOnlyRootFilesystem":false,"runAsNonRoot":true} | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
scanner.securityContext.allowPrivilegeEscalation | bool | false | Ensure that users privileges cannot be escalated |
scanner.securityContext.capabilities.drop[0] | string | "all" | This drops all linux privileges from the container. |
scanner.securityContext.privileged | bool | false | Ensures that the scanner container is not run in privileged mode |
scanner.securityContext.readOnlyRootFilesystem | bool | false | Prevents write access to the containers file system |
scanner.securityContext.runAsNonRoot | bool | true | Enforces that the scanner image is run as a non root user |
scanner.suspend | bool | false | if set to true the scan job will be suspended after creation. You can then resume the job using kubectl resume <jobname> or using a job scheduler like kueue |
scanner.tolerations | list | [] | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
scanner.ttlSecondsAfterFinished | string | nil | seconds after which the Kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
License
Code of secureCodeBox is licensed under the Apache License 2.0.
CPU architectures
The scanner is currently supported for these CPU architectures:
- linux/amd64
Examples
demo-old-joomla
- Scan
- Findings
# SPDX-FileCopyrightText: the secureCodeBox authors
#
# SPDX-License-Identifier: Apache-2.0
apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
name: cmseek-example
spec:
scanType: "cmseek"
parameters:
- "-u"
- "old-joomla.demo-targets.svc.cluster.local" # Change to the website you want to scan
- "--no-redirect"
# SPDX-FileCopyrightText: the secureCodeBox authors
#
# SPDX-License-Identifier: Apache-2.0
[
{
"name": "PHPMailer Remote Code Execution Vulnerability",
"description": "Vulnerability of type PHPMailer Remote Code Execution Vulnerability found",
"category": "Vulnerability",
"location": "http://old-joomla.demo-targets.svc.cluster.local",
"osi_layer": "APPLICATION",
"severity": "HIGH",
"attributes":
{
"joomla_version": "3.6.5",
"references":
[
"CVE : CVE-2016-10033",
"https://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection",
"https://github.com/opsxcq/exploit-CVE-2016-10033",
"EDB : https://www.exploit-db.com/exploits/40969/",
],
},
"id": "f41eeb1c-142e-46f2-96ae-01c9f7ca1aa7",
"parsed_at": "2021-09-28T15:06:29.225Z",
},
{
"name": "PPHPMailer Incomplete Fix Remote Code Execution Vulnerability",
"description": "Vulnerability of type PPHPMailer Incomplete Fix Remote Code Execution Vulnerability found",
"category": "Vulnerability",
"location": "http://old-joomla.demo-targets.svc.cluster.local",
"osi_layer": "APPLICATION",
"severity": "HIGH",
"attributes":
{
"joomla_version": "3.6.5",
"references":
[
"CVE : CVE-2016-10045",
"https://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection",
"EDB : https://www.exploit-db.com/exploits/40969/",
],
},
"id": "ef8852d1-719b-4a4d-8cd6-d818fffb6fd2",
"parsed_at": "2021-09-28T15:06:29.225Z",
},
{
"name": "Backup files",
"description": "Visible Backup files found",
"category": "Visible internal files",
"location": "http://old-joomla.demo-targets.svc.cluster.local",
"osi_layer": "APPLICATION",
"severity": "INFORMATIONAL",
"attributes":
{
"joomla_backup_files": "http://old-joomla.demo-targets.svc.cluster.local/administrator,",
},
"id": "021b92a7-0c24-4f3c-b4b9-217e3a2e1ce9",
"parsed_at": "2021-09-28T15:06:29.225Z",
},
]