Our blog contains the activity stream of Orchard Dojo: general news, new resources or tutorials are announced here.

Featured tags

IIS
API
All tags >

Introducing ConfigureAsync method, Security scanning with ZAP in the Lombiq UI Testing Toolbox - This week in Orchard (22/12/2023)

Introducing ConfigureAsync method and the IAsyncConfigureOptions interface, demo about Security scanning with ZAP in the Lombiq UI Testing Toolbox, and some photos of our Christmas event! Let's see the details! Orchard Core updates Introducing ConfigureAsync method In the Startup files, you can use the Configure method to configure the tenant pipeline. Now, if you implement the IAsyncStartup interface, you will be able to configure the tenant pipeline asynchronously by using the new ConfigureAsync method. This means the initialization of the tenants will be much faster in the future in a SaaS environment. Here, you can see an example of how to use this method in the Startup file of the Localization module, where we don't need to call the GetAwaiter() and the GetResult() methods when getting the default culture and the supported cultures. IAsyncConfigureOptions interface In this PR, Jean-Thierry Kéchichian introduced the IAsyncOptions and IAsyncConfigureOptions<TOptions> interfaces that can be used globally across your Orchard Core solution. The IAsyncConfigureOptions can be used to configure asynchronously a type of options just after a tenant container is created, and the IAsyncOptions marks a type of option intended to be registered as a singleton and configured asynchronously by an IAsyncConfigureOptions<TOptions> just after a tenant container is created. For example, here the BlobOptions will be registered once as a singleton and configured asynchronously once by BlobOptionsSetup.ConfigureAsync() just after a tenant container is created using this single line of code: services.Configure<BlobOptions, BlobOptionsSetup>(). Demos Security scanning with ZAP in the Lombiq UI Testing Toolbox Maybe you have already heard about the Lombiq UI Testing Toolbox, our web UI testing toolbox mostly for Orchard Core applications. Everything you need to do UI testing with Selenium for an Orchard app is here. We wrote about it several times here as well, first when we open-sourced it, when we added some Orchard Core Features tests to it when we added the automated monkey testing feature to it, and when we introduced the Visual verification testing. At the end of last year, we showed you the latest updates about integrating UI testing into Orchard Core and the way you can use WebApplicationFactory, a fake video capture source, or the interactive mode. This time, we will check out a slightly different topic, security scanning! Of course, security is important, you don't want your web app to be used for spamming or cryptocurrency mining, or you don't want your users' data to be lost or get into the hands of others. So, you want to secure your application. There are many layers to that, and many layers to enforcing or ensuring your application is secure including manual reviews and static code analysis. Another layer is penetration testing. It means that somebody going to your application and trying to break it in some way, get into it in a way that they shouldn't be able to. Pen testers use some tools, and one of the most widely used tools is the Zed Attack Proxy (ZAP). This is a very popular open-source project, which is a security scanner. It can check your application for security issues. This is a JAVA application, and it checks web apps for general web application security issues. It can do generally dangerous attacks, it can do that actively and passively, so let's see that in action and see how to automate those scans! The easiest way is to clone Lombiq's Open-Source Orchard Core Extensions solution. This Orchard Core Visual Studio solution contains most of Lombiq's open-source Orchard modules and themes, as well as related utilities and libraries, containing our UI Testing Toolbox for Orchard Core, which contains a feature for ZAP. Here you can see quite detailed documentation about this but what's more important we also have some samples. Here, you can run ZAP with a DotNet API. It's just a simple scan but you can utilize the DotNet API more if you add some more configuration as you can see on the screen. This SecurityScanWithCustomConfigurationShouldPass method adds some configuration, like you can exclude URLs from the scan, disable rules for just a given URL, can authenticate and while we are talking about testing, you can also assert on the results. The results are not just available on a human-readable HTML report but also as a sarif-json which is a standard way of sharing such scan results. Do you want to know more about how to do an automated security scan of your Orchard Core app with ZAP? Check out our post in Orchard Dojo about it, and don't forget to head to YouTube for a recording to see how you can run these tests from Visual Studio! News from the community Christmas in Lombiq Sometimes we do stuff. Together. Not (just) in front of computer screens. These are some usual events in Lombiq that are all announced and arranged in advance. We periodically have an event called RnDay: this is a few hour-long event where we share what we recently worked on and what we plan to do. E.g., If we recently finished a project, then the project's team members demo what they've done. We had our last RnDay for this year in the Loffice, which is a coworking and event space where we held this event. And at the end of the day, we visited a nearby restaurant to have dinner together. We would like to thank you all for reading our posts and making the Orchard community stronger together with us! We hope that we can give you valuable news and demos about the happenings around Orchard and Orchard Core from time to time by reading our posts and of course the This week in Orchard newsletter. We would like to wish everyone a Merry Christmas with some photos of our latest event! Orchard Dojo Newsletter Lombiq's Orchard Dojo Newsletter has 486 subscribers! We have started this newsletter to inform the community around Orchard of the latest news about the platform. By subscribing to this newsletter, you will get an e-mail whenever a new post is published to Orchard Dojo, including This week in Orchard of course. Do you know of other Orchard enthusiasts who would like to read our weekly articles? Tell them to subscribe here! If you are interested in more news about Orchard and the details of the topics above, don't forget to check out the recording of this Orchard meeting!

How to do a security scan of an Orchard Core app - Orchard Core Nuggets

You don't want malicious people to crack your web apps to use them for spamming, cryptocurrency mining, and spreading malware, nor do you want them to get access to your users' personal data (if you actually do want to cooperate with criminals, you don't need to read further). Thus, you want your app to be secure. One aspect of achieving this is to do penetration testing on your app. Thankfully, much of this can be automated, and with the help of Lombiq UI Testing Toolbox for Orchard Core and Zed Attack Proxy (ZAP) you can conveniently do this for your Orchard Core app. Let's see how! First, install v8.2.1-alpha.6.osoe-351 or greater of the UI Testing Toolbox from NuGet because that's the one that added security scanning. There are a couple of minor breaking changes that should affect nobody, really, in this, so it'll be part of the upcoming v.9.0.0 (but for that, we're waiting for Orchard Core 1.8). Set up UI testing as explained in the UI Testing Toolbox's documentation. While we're focusing on security scanning here, the UI Testing Toolbox can do a lot, and I really mean a lot more, including one-liners to test if the basic Orchard Core features still work in your app, or unleashing automated monkey testing to try to break your app. We never work on an Orchard Core app without its safety net! Add one or more test cases to run ZAP's security scan. Since all the configuration of ZAP is available to you, customization is unlimited, but to give you a glimpse, this is how a basic security scan that's already a good start would look like: [Fact] public Task BasicSecurityScanShouldPass() => ExecuteTestAfterSetupAsync(context => context.RunAndAssertBaselineSecurityScanAsync()); And that's it! OK, I might have omitted the last step here: 4. Fix all the security issues ZAP finds, because it'll definitely find at least a couple of them! This was just a short teaser, but be sure to check out the UI Testing Toolbox's security scanning documentation, because we tried to summarize everything necessary to get you going there, including samples that you can just copy-paste. Do you want to see security scanning in action? Check out the demo video too! Also, security starts with quality code. Check out our Lombiq .NET Analyzers project to get automated checks for your code too, including pointing out potential security issues even before running the app. Did you like this post? It's part of our Orchard Core Nuggets series where we answer common Orchard questions, be it about user-facing features or developer-level issues. Check out the other posts for more such bite-sized Orchard Core tips and let us know if you have another question!