Finding issues
The search for issues is divided into two successive phases: endpoint discovery, followed by issue detection on the discovered endpoints.
Endpoint discovery modules
| Module name | Methods of discovering endpoints | Description |
|---|---|---|
| static-crawler | Static crawling of HTML markup | A search module that crawls web resources and analyzes HTML markup without opening and rendering the page. Dirbusting can be enabled or disabled as part of the module |
| waf-har-extractor | Integration with SolidWall WAF | A module that exports endpoints from SolidWall WAF |
| dynamic-crawler | Dynamic interaction via a managed browser | A search module that identifies endpoints via dynamic interaction with web application interfaces using a managed browser |
| har-importer | Importing HAR files | A module that exports endpoints from HAR files. The module accepts browser HAR files and files containing an array (JSON or NDJSON) of HTTP request descriptions in the extended HAR format as input |
| openapi-hars-generator | Importing an OpenAPI specification | A module that exports endpoints from an OpenAPI specification |
| js-analyzer | Analysis of client-side JavaScript code | A module that identifies server endpoints by analyzing client-side JavaScript code |
| graphql-inspector | Detection of GraphQL endpoints | A module that sends GraphQL-specific HTTP requests in order to identify GraphQL endpoints |
Issue detection modules
In this section, the term "issue" is understood in a broad sense and also covers vulnerabilities and attacks.
| Module name | Detectable issues | Description |
|---|---|---|
| nuclei-runner-deps | Issues described by extended Nuclei templates | An active scanning module for identified endpoints that uses extended Nuclei templates. For the specified endpoints, the module allows you to set the conditions under which the analysis starts |
| nuclei-runner | Issues described by Nuclei templates | An active scanning module that uses templates in YAML format and scans various protocols |
| powby2 | Issues described by Powby2 templates | A passive scanning module that identifies various technologies, analyzes the resources stored in the database, and matches them against templates |
| zvlom-serialize | Controllable serialized data | The module searches for serialized objects in the server response. It can identify serialized objects that are encoded either once or as a chain of several encodings or compression algorithms. It searches for objects serialized by applications using PHP, Python (Pickle), Ruby, Java, .NET, and other technologies |
| cspp-scanner | Client-Side Prototype Pollution | The module identifies issues by dynamically checking the execution of JavaScript code on the application page in the browser |
| dynamic-page-analyzer-cspp | Client-Side Prototype Pollution | The module uses dynamic analysis to search for data flows that may lead to Client-Side Prototype Pollution |
| dynamic-page-analyzer-domxss | DOM XSS | The module uses dynamic analysis to search for data flows that may lead to DOM XSS |
| stored-xss | Stored XSS | The module detects issues by using a two-step crawl of the application and dynamically checking the execution of JavaScript code on the application page in the web browser |
| bruteforce | Insecure credentials | The module identifies accounts in the system that have weak credentials using a dictionary search. In addition to the built-in dictionary, a custom one can also be used. Currently, custom dictionary support is implemented only for fuchsiactl |
| file-upload-scanner | File upload vulnerabilities | The module identifies issues associated with uploading files to a web server. The following vulnerabilities are detected: 1. execution of arbitrary PHP code; 2. vulnerabilities related to the ImageMagick image processor; 3. Reflected XSS (the module loads an HTML page and analyzes the text it contains) |
| java-deserialize | Insecure deserialization in Java | The module identifies issues in Java web applications using the serialized objects found by the zvlom-serialize module |
| nosql | NoSQL injection | The module detects issues that occur when user data enters the context of NoSQL database commands due to insufficient or incorrect filtering. Vulnerability validation is performed in two ways: 1. the HTTP response contains NoSQL errors; 2. several HTTP requests with opposite NoSQL operators are sent and differences in the responses are identified |
| path-traversal-scanner | Path Traversal | The module detects issues that allow access to arbitrary files and directories on the server where the web application is running. The vulnerability is detected by searching HTTP responses for the contents of standard files of different operating systems |
| reflected-xss-cspp | Reflected XSS | The module detects issues based on the results of the cspp-scanner module |
| reflected-xss | Reflected XSS | The module detects issues by dynamically checking the execution of JavaScript code on the application page in the web browser |
| shell-injection-scanner | Shell injection | The module detects issues by injecting shell commands with different variations of escaping from the data context into the command context. Vulnerability validation is performed by network communication and by searching for the output of the command in the body of the HTTP response |
| sql-franziscanner | SQL injection | The module detects issues that occur when user data is used in an SQL statement without proper filtering. The module identifies this issue in the following ways: 1. blind boolean-based checks; 2. blind checks based on HTTP response time; 3. error-based checks; 4. checks using the UNION operator; 5. checks using stacked queries; 6. out-of-band interaction |
| sql-injection-scanner | SQL injection | The module detects issues in the following ways: 1. out-of-band interaction; 2. delay-based checks; 3. busy-wait checks; 4. checks by adding quotes |
| ssti-franziscanner | SSTI | The module detects issues that occur when a web application incorrectly handles user input in server-side templates. Issues are identified in the following ways: 1. out-of-band interaction; 2. search for command execution results in HTTP response bodies; 3. detection based on HTTP response time |
| xxe-franziscanner | XXE | The module detects issues in an application that parses XML input data. This vulnerability occurs when XML input containing a reference to an external entity is processed by a poorly configured XML parser. Issues are identified in the following ways: 1. out-of-band interaction; 2. searching HTTP responses for the contents of standard files of various operating systems, included as an external entity in the XML document sent to the server; 3. local DTD techniques |
| php-unserialize-fuzzer | Insecure deserialization in PHP | The module detects issues in PHP web applications using the serialized objects found by the zvlom-serialize module |