Skip to content

When troubleshooting, it's often helpful to have test sites that provide something closer to "known good" than the system you are working on. I want to start collecting useful test sites/services/apps et cetera.

⚠️ As always, make sure that you are working within the terms of the test site. I present these with no guarantee.

The above options are awesome but I want something that I:

  • control
  • can (readily) deploy within a GitLab CI pipeline.

WIP The available options to consider include:

  • Self-hosted httpbin (docker run -p 80:80 kennethreitz/httpbin)
  • webfakes

Container Registry

SELECT created_at,migration_state FROM container_repositories WHERE project_id=14;

Using a Bearer token to authenticate to HTTPbin

Using curl:

curl --request GET \
  --url \
  --header 'Authorization: Bearer cats'
  "authenticated": true,
  "token": "cats"


or httpie:

https -A bearer -a token
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 49
Content-Type: application/json
Date: Thu, 10 Nov 2022 04:18:23 GMT
Server: gunicorn/19.9.0

    "authenticated": true,
    "token": "token"

For DAST and authentication:

  • Don't.
    • Deploy the app in an isolated pre-production environment. There you should bypass, disable or greatly simplify authentication.
  • Sites like Authentication Test are great. The linked has everything from super simple form auth to interactive MFA.
  • I also like, which can easily be deployed for self-hosted usage.

DAST and HTTP Headers

To do basic authentication with DAST, do something like:

    variables: DAST_REQUEST_HEADERS: "Authorization: Basic $BASE64_AUTH"

Make $BASE64_AUTH a masked CI variable.

To do Bearer auth, do something like:

Authenticating to a GitLab instance with DAST

You can use DAST to authenticate to and then scan a self-managed GitLab instance. Here's how I'm successfully doing that as of November 2022:

  - template: DAST.gitlab-ci.yml

  - 🍓🥝🍏
  - 🍋🍯🌻
  - 🐈💖🐕
  - 🦋🦄​🌈

  extends: dast
  stage: 🍓🥝🍏
    DAST_AUTH_REPORT: "true"
    DAST_PATHS: "/admin,/-/graphql-explorer"
    DAST_AUTH_URL: "" # LDAP is enabled but this lets me skip using LDAP for the DAST scan.
    DAST_HTML_REPORT: "lol.txt"
    DAST_USERNAME: "root"
    DAST_USERNAME_FIELD: "id:user_login"
    DAST_PASSWORD_FIELD: "id:user_password"
    DAST_SUBMIT_FIELD: "name:button"
    paths: [gl-dast-debug-auth-report.html]
    when: always

Useful Commands

These don't have a dedicated page but they belong somewhere.

date +%Y-%m-%B-%d--%T-$(openssl rand -hex 20)

Let's use a slightly modified version to quickly create a unique tag:

git tag $(date +%Y-%m-%B-%d--%H%M%S-$(openssl rand -hex 20))

See Automating select git operations.