purpleteam-doc

local legacy-workflow

First

1. Start NodeGoat in 1st terminal:
   ~/Source/NodeGoat docker-compose up
2. Start zap in container in 2nd terminal:
   docker run -p 8080:8080 --name zap --rm -it owasp/zap2docker-stable zap.sh -daemon -port 8080 -host 0.0.0.0 -config api.addrs.addr(0).name=172.17.0.1 -config api.addrs.addr(1).name=172.17.0.2 -config api.addrs.addr(2).name=zap -config api.addrs.addr(3).name=localhost -config api.key=<key that is also to be supplied in the app-tester via config>
   Or can disable key with -config api.disablekey=true instead
3. Start Redis in container in 3rd terminal:
   docker run --name pt-redis -p 6379:6379 --rm -it redis:alpine
4. Start app-scanner in 4th terminal:
   Relevant config.local.json follows:

      "host": {
        "ip": "127.0.0.1"
      },
      "redis": {
        "clientCreationOptions": {
          "port": 6379,
          "host": "172.17.0.3"
        }
      },
      "emissary": {
        "protocol": "http",
        "ip": "172.17.0.2",
        ...
      }
      ...
   

   ~/Source/purpleteam-app-scanner npm start

5. Start orchestrator in 5th terminal:
   ~/Source/purpleteam-orchestrator npm start
6. Start cli:
   ~/Source/purpleteam npm start -- test

Orchestrator in container using host-net-compose.yml

1. Start NodeGoat in 1st terminal:
   ~/Source/NodeGoat docker-compose up
2. Start zap in container in 2nd terminal:
   docker run -p 8080:8080 --name zap --rm -it owasp/zap2docker-stable zap.sh -daemon -port 8080 -host 0.0.0.0 -config api.addrs.addr(0).name=172.17.0.1 -config api.addrs.addr(1).name=172.17.0.2 -config api.addrs.addr(2).name=zap -config api.addrs.addr(3).name=localhost -config api.key=<key that is also to be supplied in the app-tester via config>
   Or can disable key with -config api.disablekey=true instead
3. Start Redis in container in 3rd terminal:
   docker run --name pt-redis -p 6379:6379 --rm -it redis:alpine
4. Start app-scanner in 4th terminal, config.local.json remains the same as above technique:
   ~/Source/purpleteam-app-scanner npm start
5. Start orchestrator in 5th terminal using the host network:
   Relevant config.local.json follows:

      "host": {
        "ip": "127.0.0.1"
      },
      "redis": {
        "clientCreationOptions": {
          "port": 6379,
          "host": "172.17.0.3"
        }
      },
      "testers": {
        "app": {
          "url": "http://127.0.0.1:3000",
          "active": true
        },
        ...
   

   To build and run, copy and modify the docker commands in the package.json
   Image names created by running docker-compose are: <project>_<service>, where will be `orchestrator` and project defaults to the directory name you're in. https://forums.docker.com/t/accessing-host-machine-from-within-docker-container/14248/2 `config.local.json` remains unchanged from [Standard](#first) non container running. For production a user-defined bridge network will need to be used at a minimum for security. By default docker-compose creates a bridge network, this can be seen by: `docker network ls` `docker network inspect nodegoat_default` More details here: https://docs.docker.com/engine/reference/commandline/network_inspect/ and https://docs.docker.com/compose/networking/

6. Start cli:
   The ip address for the orchestrator defined in config.local.json of the CLI should be as following:

      "purpleteamApi": {
        "protocol": "http",      
        "ip": "127.0.0.1"      
      }
   

   ~/Source/purpleteam npm start -- test
config.local.json remains unchanged from non container running

Orchestrator in container using bridge-net-compose.yml

This technique currently doesn’t work, because containers attached to a user-defined bridge can not access the host.

1. Start NodeGoat in 1st terminal:
   ~/Source/NodeGoat docker-compose up
2. Start zap in container in 2nd terminal:
   docker run -p 8080:8080 --name zap --rm -it owasp/zap2docker-stable zap.sh -daemon -port 8080 -host 0.0.0.0 -config api.addrs.addr(0).name=172.17.0.1 -config api.addrs.addr(1).name=172.17.0.2 -config api.addrs.addr(2).name=zap -config api.addrs.addr(3).name=localhost -config api.key=<key that is also to be supplied in the app-tester via config>
   Or can disable key with -config api.disablekey=true instead
3. Start Redis in container in 3rd terminal:
   docker run --name pt-redis -p 6379:6379 --rm -it redis:alpine
4. Start app-scanner in 4th terminal, config.local.json remains the same as above technique:
   ~/Source/purpleteam-app-scanner npm start
5. Start orchestrator in 5th terminal using a user-defined bridge network:
   Relevant config.local.json follows:

      "host": {
        "ip": "172.25.0.110"
      },
      "redis": {
        "clientCreationOptions": {
          "port": 6379,
          "host": "172.17.0.3"
        }
      },
      "testers": {
        "app": {
          "url": "http://127.0.0.1:3000",
          "active": true
        },
        ...
   

   ~/Source/purpleteam-orchestrator npm run dc-build-orchestrator
   ~/Source/purpleteam-orchestrator npm run dc-up-orchestrator

6. Start cli:
   The ip address for the orchestrator defined in config.local.json of the CLI should be as following:

      "purpleteamApi": {
        "protocol": "http",      
        "ip": "172.25.0.110"      
      }
   

   ~/Source/purpleteam npm start -- test

Orchestrator and testers in container using orchestrator-testers-compose.yml

Assuming the orchestrator-testers-compose.yml has been run and the user-defined bridge network exists,
~/Source/purpleteam-app-emissary docker-compose up --scale zap=2
The two Zap containers are then accessible at http://172.25.0.2:8080/ and http://172.25.0.3:8080/

Change app-scanner config.local.json from:

  "host": {
    "ip": "127.0.0.1"
  },
  "redis": {
    "clientCreationOptions": {
      "port": 6379,
      "host": "172.17.0.3"
    }
  },
  ...

to:

  "host": {
    "ip": "172.25.0.120"
  },
  "redis": {
    "clientCreationOptions": {
      "port": 6379,
      "host": "redis" // when using with docker-compose
    }
  },
  ...

Change orchestrator config.local.json from:

  "redis": {
    "clientCreationOptions": {
      "port": 6379,
      "host": "172.17.0.3"
    }
  },
  "testers": {
    "app": {
      "url": "http://127.0.0.1:3000",
      "active": true
    },
    ...

to:

  "redis": {
    "clientCreationOptions": {
      "port": 6379,
      "host": "redis" // when using with docker-compose
    }
  },
  "testers": {
    "app": {
      "url": "http://172.25.0.120:3000",
      "active": true
    },
    ...

Alternatively: to build app-scanner image via CLI

~/Source/purpleteam-app-scanner docker build --build-arg LOCAL_GROUP_ID=$(id -g) --build-arg LOCAL_USER_ID=$(id -u) --tag purpleteam-app_scanner-img .

Alternatively: to run app-scanner container via CLI

Supposing the compose_pt-net user-defined bridge is already created from the previous docker-compose.yml files (you can check this with docker network ls then docker network inspect compose_pt-net)

~/Source/purpleteam-app-scanner docker run --network=compose_pt-net --ip="172.25.0.120" -e "NODE_ENV=local" -p 3000:3000 -it --rm --name purpleteam-app_scanner-cont purpleteam-app_scanner-img

This site is open source. Improve this page.