Tag: vulnerability scanner

  • Sirius Scan: open-source general purpose vulnerability scanner

    Sirius Scan

    Sirius is the first truly open-source general purpose vulnerability scanner. Today, the information security community remains the best and most expedient source for cybersecurity intelligence. The community itself regularly outperforms commercial vendors. This is the primary advantage Sirius Scan intends to leverage.

    The framework is built around four general vulnerability identification concepts: the vulnerability database, network vulnerability scanning, agent-based discovery, and custom assessor analysis. With these capabilities combined behind an easy-to-use interface, Sirius hopes to enable industry evolution.

    Services

    The system is composed of the following services:

    • Mongo: a NoSQL database used to store data.
    • RabbitMQ: a message broker used to manage communication between services.
    • Sirius API: the API service which provides access to the data stored in Mongo.
    • Sirius Web: the web UI which allows users to view and manage their data pipelines.
    • Sirius Engine: the engine service which manages the execution of data pipelines.

    Install

    To run Sirius, clone this repository and bring up the containers with docker-compose. Both docker and docker-compose must be installed to do this.

    git clone https://github.com/SiriusScan/Sirius.git
    cd Sirius
    docker-compose up

    Logging in

    The default username and password for Sirius are: admin/sirius

    Usage

    To use Sirius, first start all of the services by running docker-compose up. Then, access the web UI at localhost:5173.

    Remote Scanner

    If you would like to set up Sirius Scan on a remote machine and access it, you must modify the ./UI/config.json file to include your server details.

    Copyright (c) 2023 SiriusScan

    Source: https://github.com/SiriusScan/

  • octoscan: A static vulnerability scanner for GitHub action workflows

    Octoscan

    Octoscan is a static vulnerability scanner for GitHub action workflows.

    Usage

    download remote workflows

    Octoscan can be run against a local git repository, or you can download all the workflows with the dl command:

    $ octoscan dl -h
    Octoscan.

    Usage:
        octoscan dl [options] --org <org> [--repo <repo> --token <pat> --default-branch --max-branches <num> --path <path> --output-dir <dir> --include-archives]

    Options:
        -h, --help              Show help
        -d, --debug             Debug output
        --verbose               Verbose output
        --org <org>             Organizations to target
        --repo <repo>           Repository to target
        --token <pat>           GHP to authenticate to GitHub
        --default-branch        Only download workflows from the default branch
        --max-branches <num>    Limit the number of branches to download
        --path <path>           GitHub file path to download [default: .github/workflows]
        --output-dir <dir>      Output dir where to download files [default: octoscan-output]
        --include-archives      Also download archived repositories

    ./octoscan dl --token ghp_<token> --org apache --repo incubator-answer

    analyze

    If you don't know what to run, just run this:

    ./octoscan scan path/to/repos/ --disable-rules shellcheck,local-action --filter-triggers external

    It will reduce false positives and give the most interesting results.

    If you have downloaded the workflows with the dl command, you might have duplicated workflows, since by default octoscan downloads the workflows of all branches. To delete duplicated workflows and speed up the analysis, you can use the fdupes command before running the analysis:

    fdupes -n -r -N -d path/to/repo

    $ octoscan scan -h
    octoscan

    Usage:
        octoscan scan [options] --list-rules
        octoscan scan [options] <target>
        octoscan scan [options] <target> [--debug-rules --filter-triggers=<triggers> --filter-run --ignore=<pattern> ((--disable-rules | --enable-rules ) <rules>) --config-file <config>]

    Options:
        -h, --help
        -v, --version
        -d, --debug
        --verbose
        --json                          JSON output
        --oneline                       Use one line per one error. Useful for reading error messages from programs

    Args:
        <target>                        Target File or directory to scan
        --filter-triggers <triggers>    Scan workflows with specific triggers (comma separated list: "push,pull_request_target" or pre-configured: external/allnopr)
        --filter-run                    Search for expression injection only in run shell scripts.
        --ignore <pattern>              Regular expression matching to error messages you want to ignore.
        --disable-rules <rules>         Disable specific rules. Split on ","
        --enable-rules <rules>          Enable specific rules, this with disable all other rules. Split on ","
        --debug-rules                   Enable debug rules.
        --config-file <config>          Config file.

    Examples:
        $ octoscan scan ci.yml --disable-rules shellcheck,local-action --filter-triggers external

    Rules

    The complete list of rules can be found with this command:

    $ octoscan scan --list-rules
    2024/08/07 16:50:48 [INFO] Available rules
    - dangerous-action
        Check for dangerous actions.
    - dangerous-checkout
        Check for dangerous checkout.
    - expression-injection
        Check for expression injection.
    - dangerous-write
        Check for dangerous write operation on $GITHUB_OUTPUT or $GITHUB_ENV.
    - local-action
        Check for local actions.
    - oidc-action
        Check for OIDC actions.
    - runner-label
        Checks for GitHub-hosted and preset self-hosted runner labels in "runs-on:"
    - unsecure-commands
        Check 'ACTIONS_ALLOW_UNSECURE_COMMANDS' env variable.
    - known-vulnerability
        Check for known vulnerabilities.
    - bot-check
        Check for if statements that are based on a bot identity.
    - debug-external-trigger
        Check for workflow that can be externally triggered.
    - debug-artefacts
        Check for workflow that upload artefacts.
    - debug-js-exec
        Check for workflow that execute system commands in JS scripts.
    - repo-jacking
        Verify that external actions are pointing to a valid GitHub user or organization.

    dangerous-checkout

    Triggers like workflow_run or pull_request_target run in a privileged context: they have read access to secrets and potentially write access to the targeted repository. Performing an explicit checkout of the untrusted code results in the attacker's code being downloaded into that privileged context.

    Install & Tutorial

  • vuls: Vulnerability scanner for Linux/FreeBSD

    vuls

    For a system administrator, having to perform security vulnerability analysis and software updates on a daily basis can be a burden. To avoid downtime in a production environment, it is common for a system administrator to choose not to use the automatic update option provided by the package manager and to perform updates manually. This leads to the following problems.

    • A system administrator has to constantly watch for any new vulnerabilities in the NVD (National Vulnerability Database) or similar databases.
    • It might be impossible for the system administrator to monitor all the software if a large number of packages are installed on the server.
    • It is expensive to perform analysis to determine which servers are affected by new vulnerabilities, and there is a real possibility of overlooking a server or two during that analysis.

    Vuls is a tool created to solve the problems listed above. It has the following characteristics.

    • Informs users of the vulnerabilities that are related to the system.
    • Informs users of the servers that are affected.
    • Vulnerability detection is done automatically to prevent any oversight.
    • The report is generated on a regular basis using CRON or other methods, to help manage vulnerabilities.

    Main Features

    • Scan for any vulnerabilities in Linux/FreeBSD Server
      • Supports Ubuntu, Debian, CentOS, Amazon Linux, RHEL, Oracle Linux, FreeBSD and Raspbian
      • Cloud, on-premise, Docker
    • Scan middleware that is not included in OS package management
      • Scan middleware, programming language libraries and frameworks for vulnerabilities
      • Support software registered in CPE
    • Agentless architecture
      • The user only needs to set up one machine that connects to the other target servers via SSH
    • Nondestructive testing
    • Pre-authorization is not necessary before scanning on AWS
    • Auto-generation of configuration file template
      • Auto-detects servers in a CIDR range and generates a configuration file template
    • Email and Slack notifications are supported (including in Japanese)
    • Scan result is viewable on accessory software, TUI Viewer on the terminal or Web UI (VulsRepo).

    Download and Tutorial

  • nuclei: A fast and customisable vulnerability scanner

    Nuclei

    Nuclei is a fast vulnerability scanner designed to probe modern applications, infrastructure, cloud platforms, and networks, aiding in the identification and mitigation of exploitable vulnerabilities.

    At its core, Nuclei uses templates, expressed as straightforward YAML files, that describe methods for detecting, ranking, and addressing specific security flaws.

    Each template delineates a possible attack route, detailing the vulnerability, its severity, priority rating, and occasionally associated exploits. This template-centric methodology ensures Nuclei not only identifies potential threats, but pinpoints exploitable vulnerabilities with tangible real-world implications.

    What are Nuclei’s features?

    Features (entries marked "cloud" are cloud-platform features):

    • Extensive Template Library: Nuclei offers a vast collection of community-powered templates for targeted scans of various vulnerabilities and attack vectors.
    • Versatile Target Specification: Support for various target specification options, such as URLs, IP ranges, ASN ranges, and file input, allowing flexibility in defining the scanning scope.
    • Bulk Scanning: Perform bulk scanning by specifying multiple targets at once, enabling efficient scanning of a large number of assets or websites.
    • Flexible Customization: Customize scanning templates to fit specific needs, allowing tailored scanning and focusing on relevant security checks.
    • Parallel Scanning: Supports parallel scanning, reducing scanning time and improving efficiency, especially for large-scale targets.
    • Comprehensive Reporting (cloud): Generates detailed reports with actionable insights, including vulnerability details, severity levels, affected endpoints, and suggested remediation steps.
    • Integration with CI/CD Pipelines: Seamlessly integrate Nuclei into CI/CD pipelines for automated security testing as part of the development and deployment process.
    • CI/CD Integration (cloud): Actively maintained and developed by the ProjectDiscovery team, introducing new features, bug fixes, and enhancements to provide an up-to-date scanning framework.
    • Ticketing Integration (cloud): Two-way ticketing integration with Jira, Splunk, and many others to easily remediate and retest vulnerabilities.
    • Customizable Output Format: Configure the output format of Nuclei's scan results to suit your needs, including options for JSON, YAML, and more.
    • Dynamic Variables: Utilize dynamic variables in templates to perform parameterized scanning, enabling versatile and flexible scanning configurations.
    • Inclusion and Exclusion Filters: Apply inclusion and exclusion filters to specify targets, reducing scanning scope and focusing on specific areas of interest.
    • Authentication Support: Nuclei supports various authentication mechanisms, including HTTP basic authentication, JWT token authentication, and more.
    • Embedding Custom Code in Templates: Execute custom code within Nuclei templates to incorporate user-defined logic, perform advanced scanning actions, and more.

    Install & Use

  • afrog: A Security Tool for Bug Bounty, Pentest and Red Teaming

    What is afrog

    afrog is a high-performance vulnerability scanner that is fast and stable. It supports user-defined PoC and comes with several built-in types, such as CVE, CNVD, default passwords, information disclosure, fingerprint identification, unauthorized access, arbitrary file reading, and command execution. With afrog, network security professionals can quickly validate and remediate vulnerabilities, which helps to enhance their security defense capabilities.

    Features

    • Open source
    • Fast, stable, with low false positives
    • Detailed HTML vulnerability reports
    • Customizable and stably updatable PoCs
    • Active community exchange group

    Example

    Scan a single target.

    afrog -t http://example.com -o result.html

    Scan multiple targets.

    afrog -T urls.txt -o result.html

    For example, urls.txt might contain:

    http://example.com
    http://test.com
    http://github.com

    Test a single PoC file

    afrog -t http://example.com -P ./testing/poc-test.yaml -o result.html

    Test multiple PoC files

    afrog -t http://example.com -P ./testing/ -o result.html

    Output HTML report

    Install & Use

    Copyright (c) 2022 zan8in