Webhooks

The Feature

Webhooks are the best part of Orchestron and the easiest way of getting results into it. A Webhook is bound to an Application. For example, if you have an application called "OWASP Juice Shop" and you are using "OWASP ZAP" in your CI/CD pipeline or for a general scan, you can push the scan results to the webhook and Orchestron will consume them.

Webhooks are automatically created for an application. You obtain a unique ID and a URL to which you can post the results of your scan (as a file). If your tool is not supported by Orchestron, not to worry: you can still send results to Orchestron in its custom JSON format. Please see below for the list of supported tools (result files) and formats.


Please note:

Orchestron Community only supports tools that provide CWE values, because CWE is the parameter used for automatically correlating vulnerabilities. Therefore, even when you use the Orchestron JSON format, you NEED to supply a CWE for each vulnerability you push into Orchestron.

  • Some tools provide multiple CWEs per vulnerability (like BurpSuite Pro); we have normalized these by providing a "best case" mapping for BurpSuite vulnerabilities.
  • Several tools DO NOT provide CWEs (Brakeman, Bandit, etc.), and some of these are not supported by Orchestron Community. We have, however, provided support for Bandit (our own CWE mapping for Bandit vulnerabilities), because we love it so much.


Orchestron Enterprise comes equipped with "Intelligent Correlation" which gives you correlation across almost any tool/custom signature that you can think of. In addition, it provides a powerful CWE database with code examples, advanced metrics, OWASP ASVS, Compliance details and so on. 



Webhooks can be used to write results of automated scans on an application.

Click the "Webhooks" menu on the left and you will see the list of available webhooks, as follows. A webhook is created for every Application.

List of Webhooks



4.0 Copy Webhook's ID, User Token and Curl Commands

[curl is a tool to transfer data from or to a server, using one of the supported protocols (DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET and TFTP). The command is designed to work without user interaction. Please refer to https://curl.haxx.se/docs/manpage.html for more details.]

You can copy the curl commands for file processing and for JSON processing of the results of automated scans of an application.

The information such as webhook ID, user token and curl commands will be displayed as shown below. You will also need to replace the "<engagement_id>" in the curl commands with the actual ID of the engagement you want to post the results to. To get the engagement ID, please go to Engagements Tab. You can also give the scan a name by replacing "<scan_name>".

Details of Webhook



4.1 List of Supported Tools and Formats in Webhooks

  • Orchestron JSON (json) => JSON as HTTP POST Payload and not file
  • OWASP ZAP 2.7.0 (json, xml) => Export Report JSON File or OWASP ZAP XML File
  • BurpSuite Professional (xml) => BurpSuite XML File
  • Bandit (json) => Bandit JSON File
  • Arachni (json) => Arachni JSON File
  • AppSpider (xml) => AppSpider XML File
  • Checkmarx (xml) => Checkmarx XML File
  • w3af (xml) => w3af XML File
  • OWASP Dependency Checker (xml) => OWASP Dependency Check XML File
  • AppScan - DAST (xml) => AppScan DAST XML file
  • Xanitizer (xml) => Xanitizer XML File
  • HP Fortify (xml) => Fortify XML File

4.2 Example of using Custom Orchestron JSON to push results to Orchestron

vuls = {
  "tool": "Nikto",
  "vulnerabilities": [
      {
        "name": "SQL Injection",
        "description": "Description of the Finding",
        "cwe": 89,
        "severity": 3,
        "remediation": "Remediation text for Vulnerability (if any)",
        "evidences": [
            {
              "url": "http://base_url/vul_uri",
              "param": "param_name",
              "request": "QmFzZTY0IEVuY29kZWQgSFRUUCBSZXF1ZXN0",
              "response": "QmFzZTY0IEVuY29kZWQgSFRUUCBSZXF1ZXN0",
              "log": "Code Snippets, etc for SAST, SCA Tool",
              "file": ""
            }
          ]
      },
      {
        "name": "SQL Injection 2",
        "description": "Description of the Finding",
        "cwe": 89,
        "severity": 3,
        "remediation": "Remediation text for Vulnerability (if any)",
        "evidences": [
            {
              "url": "http://base_url/vul_uri",
              "param": "param_name",
              "request": "QmFzZTY0IEVuY29kZWQgSFRUUCBSZXF1ZXN0",
              "response": "QmFzZTY0IEVuY29kZWQgSFRUUCBSZXF1ZXN0",
              "log": "Code Snippets, etc for SAST, SCA Tool",
              "file": ""
            }
          ]
      }
    ]
}


import requests

# Post the Orchestron JSON above to the application's webhook. The Authorization
# header carries the user token shown on the webhook details page, and
# X-Engagement-ID selects the engagement (from the Engagements tab) that
# receives the results.
r = requests.post('http://localhost:8000/api/webhook/post/9b9f9c4e-306a-4d1a-8ead-d6dd0aff0cee/',
                  headers={'Authorization': 'Token 46c2db63ce8dba0001bf5058e9517b98a573711e',
                           'X-Engagement-ID': '0ec950cd-d501-471d-827f-52059c806483'},
                  json={'vuls': vuls})
print(r.status_code)
print(r.content)
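The snippet above hard-codes a finished payload. In a pipeline you normally have to build that payload from a scanner's own findings first, and the CWE requirement stated earlier means findings without a CWE have to be dropped (or mapped) before posting, or the whole upload will be of no use for correlation. The following is an added example, not code from the Orchestron project or from this page: it converts constructed sample findings into the Orchestron JSON shape, base64-encodes the request/response evidence the way the sample does, rejects findings that carry no CWE, checks the result against the field names shown in the sample, and builds the POST headers with the user token read from an environment variable instead of being written into the script. The field list, the "positive integer CWE" rule and the ORCHESTRON_TOKEN variable are assumptions derived from the sample; Orchestron's own server-side validation is not documented here.

```python
import base64
import json
import os
import urllib.request

# Constructed sample findings, shaped like what a scanner wrapper might hand us.
# They are not output of Nikto or of Orchestron; the second one deliberately lacks a CWE.
SAMPLE_FINDINGS = [
    {
        "name": "SQL Injection",
        "description": "Database error returned for a quoted value in the login form",
        "cwe": 89,
        "severity": 3,
        "remediation": "Use parameterised queries for all database access",
        "url": "http://base_url/login",
        "param": "username",
        "request": "POST /login HTTP/1.1\r\nHost: base_url\r\n\r\nusername=test&password=test",
        "response": "HTTP/1.1 500 Internal Server Error\r\n\r\nsyntax error in SQL statement",
    },
    {
        "name": "Server version banner",
        "description": "Server header reveals the web server version",
        "cwe": None,  # the scanner gave no CWE, so Orchestron cannot correlate this finding
        "severity": 1,
        "remediation": "Suppress the Server header",
        "url": "http://base_url/",
        "param": "",
        "request": "GET / HTTP/1.1\r\nHost: base_url\r\n\r\n",
        "response": "HTTP/1.1 200 OK\r\nServer: ExampleHTTPd/1.0\r\n\r\n",
    },
]

# Field names taken from the sample payload on this page; assumed to be required.
REQUIRED_FIELDS = ("name", "description", "cwe", "severity", "remediation", "evidences")


def encode_evidence(url, param, request_text, response_text, log="", file=""):
    """Build one evidences[] entry; request and response are base64-encoded as in the sample."""
    return {
        "url": url,
        "param": param,
        "request": base64.b64encode(request_text.encode("utf-8")).decode("ascii"),
        "response": base64.b64encode(response_text.encode("utf-8")).decode("ascii"),
        "log": log,
        "file": file,
    }


def build_payload(tool, findings):
    """Convert scanner findings to the Orchestron JSON shape.

    Returns (payload, rejected): findings without a positive integer CWE are left out
    of the payload and their names returned in `rejected`, because Orchestron
    correlates on CWE and cannot use a finding without one.
    """
    vulnerabilities, rejected = [], []
    for f in findings:
        cwe = f.get("cwe")
        if not isinstance(cwe, int) or isinstance(cwe, bool) or cwe <= 0:
            rejected.append(f["name"])
            continue
        vulnerabilities.append({
            "name": f["name"],
            "description": f["description"],
            "cwe": cwe,
            "severity": int(f["severity"]),
            "remediation": f.get("remediation", ""),
            "evidences": [encode_evidence(f["url"], f["param"], f["request"], f["response"],
                                          f.get("log", ""), f.get("file", ""))],
        })
    return {"tool": tool, "vulnerabilities": vulnerabilities}, rejected


def validate_payload(payload):
    """Return a list of problems (empty means the payload matches the sample's shape)."""
    problems = []
    if not isinstance(payload.get("tool"), str):
        problems.append("tool must be a string")
    for i, vuln in enumerate(payload.get("vulnerabilities", [])):
        for key in REQUIRED_FIELDS:
            if key not in vuln:
                problems.append(f"vulnerability {i}: missing field {key}")
        if not isinstance(vuln.get("cwe"), int):
            problems.append(f"vulnerability {i}: cwe must be an integer")
        for j, ev in enumerate(vuln.get("evidences", [])):
            for key in ("request", "response"):
                try:
                    base64.b64decode(ev.get(key, ""), validate=True)
                except (TypeError, ValueError):
                    problems.append(f"vulnerability {i} evidence {j}: {key} is not base64")
    return problems


def build_request(webhook_url, engagement_id, payload, token=None):
    """Return (headers, body) for the webhook POST. The token is read from ORCHESTRON_TOKEN
    (an assumed variable name) unless passed explicitly, so it is not hard-coded in scripts."""
    token = token or os.environ.get("ORCHESTRON_TOKEN")
    if not token:
        raise RuntimeError("set ORCHESTRON_TOKEN to the user token from the webhook details page")
    headers = {
        "Authorization": f"Token {token}",
        "X-Engagement-ID": engagement_id,
        "Content-Type": "application/json",
    }
    return headers, json.dumps({"vuls": payload}).encode("utf-8")


if __name__ == "__main__":
    payload, rejected = build_payload("Nikto", SAMPLE_FINDINGS)
    print("rejected (no CWE):", rejected)
    print("problems:", validate_payload(payload))
    # <webhook_id> and <engagement_id> are placeholders: take the real values from the Orchestron UI.
    headers, body = build_request("http://localhost:8000/api/webhook/post/<webhook_id>/",
                                  "<engagement_id>", payload)
    with urllib.request.urlopen(urllib.request.Request(
            "http://localhost:8000/api/webhook/post/<webhook_id>/",
            data=body, headers=headers, method="POST")) as resp:
        print(resp.status)
```

Run it with ORCHESTRON_TOKEN set and the two placeholder IDs replaced; it prints the names of the findings that were dropped for lacking a CWE before anything is sent, so the gap is visible in the pipeline log rather than silently absent from the correlation results.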


4.3 Example of using Curl Command to push results to Orchestron


curl -H "Authorization: Token eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoxLCJleHAiOjE1Mjk0NzkwNjMsImVtYWlsIjoiYWRtaW5Ab3JnYW5pemF0aW9uLmNvbSIsInVzZXJuYW1lIjoiYWRtaW5Ab3JnYW5pemF0aW9uLmNvbSJ9.ULn43mu_jrNHibVZDuJAnzonKR_Tute2MEG8ar7wvyQ" -H "Scan-Name: TestFire_Scan" -v -F file=@/home/user/Desktop/file.xml http://127.0.0.1/api/webhook/post/174d98b3-9eef-43f8-8f1d-b57ca34cd9a0