Getting Started with ThreadFix 3.X

You will learn

How to log into ThreadFix, create a team, create applications, and begin uploading vulnerability scans, both as an Application user and as an Infrastructure user.

Prerequisites

Audience: IT Professional, or End User
Difficulty: Basic
Time needed: Approximately 15 minutes
Tools required: Sample scan file w3af-demo-site.xml (optional)

This section is a simple demo that walks through the basic ThreadFix setup and functionality after having set up ThreadFix per the ThreadFix Setup guides.

Accessing the Login Page

  1. After launching Tomcat for the first time following ThreadFix deployment, ThreadFix will connect to the organization’s database server and populate the schema. This can take several minutes; the progress can be monitored via the <threadfix_deploy>/logs/threadfix.log file.

  2. Locate a "Finished updating Enterprise Tags" entry to signal the deployment is complete. Access the login page to verify.

Example deployment URL

If the ThreadFix artifact was deployed in the <catalina_home>/webapps/threadfix directory, the ThreadFix URL, by default, would be the user's Tomcat URL plus "/threadfix" at the end. For instance, if the user is connected to Tomcat at http://my.tomcat.server:8080, the user's ThreadFix URL would be http://my.tomcat.server:8080/threadfix.
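The two steps above can be scripted. The following POSIX shell functions are an added example, not part of the ThreadFix documentation: one polls threadfix.log for the "Finished updating Enterprise Tags" marker, one derives the ThreadFix URL from the Tomcat URL as described, and one checks that the login page answers. The function names, the 600-second default timeout, and the use of curl are assumptions.

```shell
#!/bin/sh
# Wait for ThreadFix schema population to finish, then check the login page.

# threadfix_log_ready LOGFILE [TIMEOUT_SECONDS]
# Returns 0 as soon as the completion marker appears in the log, 1 on timeout.
threadfix_log_ready() {
  log="$1"; timeout="${2:-600}"; waited=0
  while [ "$waited" -lt "$timeout" ]; do
    if [ -f "$log" ] && grep -q "Finished updating Enterprise Tags" "$log"; then
      return 0
    fi
    sleep 1
    waited=$((waited + 1))
  done
  return 1
}

# threadfix_url TOMCAT_URL
# Default deployment path: the Tomcat URL plus "/threadfix" (trailing slash tolerated).
threadfix_url() {
  printf '%s/threadfix\n' "${1%/}"
}

# threadfix_login_page_up TOMCAT_URL
# Returns 0 if the ThreadFix login page answers with HTTP 200 (redirects followed).
threadfix_login_page_up() {
  code=$(curl -sL -o /dev/null -w '%{http_code}' "$(threadfix_url "$1")") || return 1
  [ "$code" = "200" ]
}

# Typical use (assumed paths; adjust to the deployment):
#   threadfix_log_ready /opt/threadfix/logs/threadfix.log 900 \
#     && threadfix_login_page_up http://my.tomcat.server:8080 \
#     && echo "ThreadFix is up"
```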

If the login prompt does not render correctly in Internet Explorer, ensure that Compatibility View is disabled. Users may need to disable the "Display intranet sites in Compatibility View" setting.

Logging In


Log in with the following default credentials:

  • Username: user

  • Password: password

After logging in for the first time, change the default user's username and password or create a new local admin user and delete the default. For more information refer to the Identity Management section.

Application Usage

Dashboard

After logging in, users are presented with the Dashboard. To be able to upload a scan, the user needs to create at least one team and at least one application within that team.

Note an empty dashboard with no scans uploaded below:

Note a Dashboard populated with scan data below:

Create Team

  1. Teams can be created from the Portfolio page which can be found by clicking on the Application menu from the Navigation sidebar and selecting the Portfolio page.

  2. Click the Add Team button.

  3. Type the desired team name in the New Team modal dialog and click the Add Team button.

  4. A success banner will appear at the top of the Portfolio page, and the new team will be listed.

Create Application

  1. To create an application in the new team, click the team name to expand it and click the Add Application button.

  2. New Application modal dialog will appear. Fill out at least the Name field to add an application.

  3. A success banner will appear, and the team can be expanded to see the newly created application.

Upload Scan

  1. Expand the application and click the Upload Scan button to open an Upload Scan dialog. Either drag and drop a scan file into the dialog or click Browse to navigate to the file. A sample scan file, w3af-demo-site.xml, has been provided.

  2. Alternately, click on the application's link to navigate to its Application Details page and either drag and drop a scan file into it or click the Action button and select Upload Scan to open the same dialog shown below.

Note the Upload Scan pop-up below:

Multiple Scan Upload

Users can upload more than one scan file at a time into ThreadFix by dragging them into the Application Details page or the Upload Scan dialog. ThreadFix will ask the user to choose between uploading them as a single scan (combining all of the scans' findings into a single scan) or as multiple scans. Note the example use cases for each option below:

  • Single scan: If an application was scanned in parts (e.g., microservices) by the same scanning tool, the user can upload all of the scans encompassing the entire application as a single scan. Note that all subsequent uploads will need to include the newest available scan for all of the parts, whether they've all been re-scanned or not.

  • Multiple scans: If a single application was scanned by more than one scanning tool, the user can upload all of the scans as multiple scans, which will result in ThreadFix aggregating and/or merging the findings from all of the scans.

Scan Queue

The uploaded scan will be put into a queue. Check its progress from the Application Details page by clicking on the application.

  1. A banner at the top will indicate that changes are pending. Clicking the banner will expand it to show the scan upload being executed. When the upload has completed, the banner at the top will say so.

  2. Click the banner to refresh the page which will show the result of the uploaded scan.

Infrastructure Usage

Accessing the Login Page

After deploying ThreadFix for the first time, allow several minutes for it to complete. Run sudo docker ps -a to verify the containers started and are running as expected. Results should resemble the following:

Output

CONTAINER ID   IMAGE                                                  COMMAND                   CREATED         STATUS                      PORTS                                                                                                          NAMES
acb3ab26b4af   denimgroup/importer:latest                             "java -Djava.securit…"    5 minutes ago   Up 5 minutes                8060/tcp                                                                                                       threadfix_importer_1
07c2edd38100   denimgroup/provider-web:latest                         "java -Djava.securit…"    5 minutes ago   Up 5 minutes                8095/tcp                                                                                                       threadfix_provider_1
688ba82c6a0d   denimgroup/provider-migration:latest                   "java -Djava.securit…"    5 minutes ago   Exited (0) 4 minutes ago                                                                                                                   threadfix_provider-migration_1
de3d1e4e2ad5   denimgroup/dbtools:latest                              "java -Djava.securit…"    5 minutes ago   Exited (0) 4 minutes ago                                                                                                                   threadfix_db-migration_1
dd3681885116   denimgroup/ui:latest                                   "nginx -g 'daemon of…"    5 minutes ago   Up 5 minutes                0.0.0.0:8071->80/tcp                                                                                           threadfix_tn-ui_1
c84b3ab2a00b   denimgroup/processor:latest                            "java -Djava.securit…"    5 minutes ago   Up 5 minutes                8077/tcp                                                                                                       threadfix_processor_1
c725b893dc43   denimgroup/crud-api:latest                             "java -Djava.securit…"    5 minutes ago   Up 5 minutes                8070/tcp                                                                                                       threadfix_crud-api_1
c9de3621e800   denimgroup/search:latest                               "java -Djava.securit…"    5 minutes ago   Up 5 minutes                8075/tcp                                                                                                       threadfix_search_1
c2732f66c278   denimgroup/notifier:latest                             "java -Djava.securit…"    5 minutes ago   Up 5 minutes                8085/tcp                                                                                                       threadfix_ui-websocket_1
26de6a425d05   denimgroup/appsec:latest                               "catalina.sh run"         5 minutes ago   Up 5 minutes                8080/tcp                                                                                                       threadfix_appsec_1
b7054fb29db5   wurstmeister/kafka                                     "start-kafka.sh"          5 minutes ago   Up 5 minutes                9092/tcp                                                                                                       threadfix_kafka_1
f86369d773be   kong:0.14                                              "/docker-entrypoint.…"    5 minutes ago   Up 5 minutes                0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 8000/tcp, 0.0.0.0:8001->8001/tcp, 0.0.0.0:8444->8444/tcp, 8443/tcp   threadfix_kong_1
8749f4c71350   denimgroup/es-migration:latest                         "java -Djava.securit…"    5 minutes ago   Exited (0) 2 seconds ago    8076/tcp                                                                                                       threadfix_es-migration_1
a6d3f86b037b   wurstmeister/kafka                                     "start-kafka.sh"          5 minutes ago   Up 5 minutes                9092/tcp                                                                                                       threadfix_kafka_1
a93af97fba9c   docker.elastic.co/elasticsearch/elasticsearch:6.6.2    "/usr/local/bin/dock…"    5 minutes ago   Up 5 minutes                9200/tcp, 9300/tcp                                                                                             elasticsearch2
d5628ec367f9   docker.elastic.co/elasticsearch/elasticsearch:6.6.2    "/usr/local/bin/dock…"    5 minutes ago   Up 5 minutes                9200/tcp, 9300/tcp                                                                                             elasticsearch
b059ad73d88d   denimgroup/auth:latest                                 "java -Djava.securit…"    5 minutes ago   Up 5 minutes                8050/tcp, 8070/tcp                                                                                             threadfix_auth_1
2ce03ca51c81   docker.elastic.co/elasticsearch/elasticsearch:6.6.2    "/usr/local/bin/dock…"    5 minutes ago   Up 5 minutes                9200/tcp, 9300/tcp                                                                                             elasticsearch3
1300a6999fa5   mysql:8.0                                              "docker-entrypoint.s…"    5 minutes ago   Up 5 minutes                3306/tcp, 33060/tcp                                                                                            threadfix_db_1
9999ea7f3faf   wurstmeister/zookeeper                                 "/bin/sh -c '/usr/sb…"    5 minutes ago   Up 5 minutes                22/tcp, 2181/tcp, 2888/tcp, 3888/tcp                                                                           threadfix_zookeeper_1
de1df97334be   denimgroup/kongdb:latest                               "docker-entrypoint.s…"    5 minutes ago   Up 5 minutes                5432/tcp                                                                                                       threadfix_kong-db_1
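Reading that listing by eye does not scale, so here is an added POSIX shell check (my example, not part of ThreadFix or its documentation) that classifies the containers named in the listing above: long-running services must report "Up", and the three one-shot migration containers must report "Exited (0)"; anything else is printed as a problem. It reads "NAME<TAB>STATUS" lines, which `docker ps -a --format '{{.Names}}\t{{.Status}}'` produces; the required-container lists are taken from the listing and the function names are assumptions.

```shell
#!/bin/sh
# Verify the ThreadFix 3.x container stack from `docker ps -a` output.
# Expected input: one "NAME<TAB>STATUS" line per container.

# Services that must be running (names taken from the listing above).
REQUIRED_UP="threadfix_importer_1 threadfix_provider_1 threadfix_tn-ui_1 threadfix_processor_1
threadfix_crud-api_1 threadfix_search_1 threadfix_ui-websocket_1 threadfix_appsec_1
threadfix_kafka_1 threadfix_kong_1 threadfix_auth_1 threadfix_db_1 threadfix_zookeeper_1
threadfix_kong-db_1 elasticsearch elasticsearch2 elasticsearch3"
# One-shot migration jobs that should have finished successfully.
ONE_SHOT="threadfix_provider-migration_1 threadfix_db-migration_1 threadfix_es-migration_1"

# status_of NAME LISTING -> prints the STATUS column of the first matching line (empty if absent).
status_of() {
  printf '%s\n' "$2" | awk -F'\t' -v n="$1" '$1 == n { print $2; exit }'
}

# check_threadfix_containers LISTING -> prints one line per problem; returns 0 if none.
check_threadfix_containers() {
  listing="$1"; problems=0
  for name in $REQUIRED_UP; do
    st=$(status_of "$name" "$listing")
    case "$st" in
      Up*) ;;
      "")  echo "MISSING: $name"; problems=$((problems + 1)) ;;
      *)   echo "NOT RUNNING: $name ($st)"; problems=$((problems + 1)) ;;
    esac
  done
  for name in $ONE_SHOT; do
    st=$(status_of "$name" "$listing")
    case "$st" in
      "Exited (0)"*) ;;
      "")  echo "MISSING: $name"; problems=$((problems + 1)) ;;
      *)   echo "MIGRATION NOT CLEAN: $name ($st)"; problems=$((problems + 1)) ;;
    esac
  done
  [ "$problems" -eq 0 ]
}

# Live use on the host (not run here):
#   check_threadfix_containers "$(sudo docker ps -a --format '{{.Names}}\t{{.Status}}')"
```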

Example deployment URL

If the login prompt does not render correctly in Internet Explorer, ensure that Compatibility View is disabled. E.g., it may be necessary to disable the "Display intranet sites in Compatibility View" setting.

Logging In

Log in with the following default credentials:

  • Username: user

  • Password: password

After logging in for the first time, users should either change the default username and password or create a new local admin user and delete the default.

Dashboard

After logging in, the Infrastructure Dashboard will be displayed.

Networks

  1. To get started, add one or more networks from the Network page found within the Infrastructure menu on the left. Click the Add New button on the top right.

  2. Fill in the Network Name, Description, Location, and Department fields accordingly and specify the IP Ranges or list them individually. Click the Save button at the bottom to save the network.

Network Details

After saving one or more networks, they will be listed in the Network page. Click on any of them to see its statistics and details.

Assets

Assets are created automatically, if missing, when a scan is uploaded or imported, but they can also be created in advance.

  1. To create an asset, from the Infrastructure menu, click on the Asset page and click the Add New button at the top right.

  2. Fill in the details accordingly and click the Save button at the bottom when finished.

  3. View its details, as well as edit/delete/archive the asset, from the Assets page.

Upload Scan

  1. To upload a scan, click on the Scans page from the Infrastructure menu on the left and click the Upload Scan button.

  2. Within the Upload Scan pop-up modal, either drag & drop or browse & select the scan file. A banner at the top will confirm the scan file was uploaded and is queued for processing.

Scan Queue

Within the Scans page, users can view the scan upload's status in the queue by clicking the <#> Scan Queued tab.

When complete, the scan will appear in the Imported Scans tab, along with asset and vulnerability counts.

Assets Added From Scan Upload

Users can view the assets that were added from the uploaded scans within the Scans page.

Dashboard After Scan Upload

Navigate back to the Dashboard page after the scan is processed to see updated vulnerability statistics.

Network Page After Scan Upload

Users can likewise see updated statistics for networks after processing a scan.

Vulnerability Details

Users can view vulnerability details for specific assets by drilling through the Network or Assets page. Below is an example vulnerability listing for an asset from the Assets page:

Note the results details below the graph.

Click on any of the vulnerabilities to see its details, change its severity/status, and/or create a defect.

www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.