Home

Awesome

<img src="https://user-images.githubusercontent.com/11267537/43043618-29ab7286-8db5-11e8-9603-71b30596d047.png" width="250" />
A Testing Environment for Manual Security Testers

Rawsec's CyberSecurity Inventory

Sh00t

Features:

Installation:

  1. Install Docker if not available. Windows 10 Home users or older release users, refer the Alternative Installation instructions below.
  2. Pull Sh00t Docker image: docker pull pavanw3b/sh00t:latest
  3. Create Volume for data persistence across docker containers: docker volume create --name sh00t
  4. Run the container: docker run -d -p 8000:8000 --name sh00t -v sh00t:/root/sh00t/db pavanw3b/sh00t:latest
  5. Logon to http://127.0.0.1:8000/ on your favorite browser.
  6. Login with sh00t / sh00t credentials
  7. To stop: docker stop sht00t

Alternate Installations:

Using Sh00t later:

  1. Start the container: docker start sh00t
  2. Logon to http://YOUR_IP:8000/ on your favorite browser
  3. Login with sh00t / sh00t if you haven't changed it
  4. Stop container if you care: docker stop sh00t

and repeat!

Note: Always use docker start and docker stop. You may loose your data if you remove the container or the volume.

Upgrade

It's important to keep your Sh00t to latest to avail the new features ang bug fixes.

  1. Remove the existing container: docker container rm -f sh00t Do not worry, your data is safe unless you remove the docker volume.
  2. Pull latest docker image: docker pull pavanw3b/sh00t:latest
  3. Start a new container with the latest code, but still the old data: docker run -d -p 8000:8000 --name sh00t -v sh00t:/root/sh00t/db pavanw3b/sh00t:latest

Uninstallation

In the event you want to delete all Sh00t images, containers, and volumes, the following statements may be executed. Note: This is a destructive operation and cannot be undone.

  1. Remove image: docker rmi pavanw3b/sh00t:latest
  2. Remove container: docker rm sh00t
  3. Remove volume: docker volume rm sh00t:/root/sh00t/db

Troubleshoot:

Sh00t is written in Python and powered by Django Web Framework. If you are stuck with any errors, Googling on the error message, should help you most of the times. If you are not sure, please file a new issue on github.

Glossary:

How does it work?

Begin with creating a new Assessment. Choose what methodology you want to test with. Today there are 330 test cases, grouped into 86 Flags, belonging to 13 Modules which are created with reference to "Web Application Hacker's Handbook" Testing Methodology. Modules & Flags can be handpicked & customized. Once Assessments are created with the Flags, now the tester has to test them either manually, or semi automated with the help of scanners, tools or however it's required, mark it "Done" on completion. While performing assessment we often come with custom test cases that is specific to certain scenario in the application. A new Flag can be created easily at any point of time.

Whenever a Flag is confirmed to be a valid bug, a Sh0t can be created. One can choose a bug template that matches best, and sh00t will auto fill the bug report based on the template chosen.

Who can use Sh00t?

Screenshots:

Dashboard:

dashboard

Working on a Flag:

flag

Editing in fullscreen:

flag_fullscreen

Choosing Methodology and Test Cases while creating a new Assessment:

assessment

Filing a bug pre-filled with a template:

sh0t

Configruations:

configuration

Implementation details:

Contribution:

Credits: