Update Nuclei cascading rule to include protocol information and allow alternative HTTP ports #920

Merged
merged 1 commit into from
Jan 10, 2022

malexmave
Member

The nuclei rule had problems because it omitted the protocol and port information (#713). This PR splits it into two separate rules, one for http and one for https. This should make it more robust.

An alternative that would only require a single rule would be the following:

# SPDX-FileCopyrightText: 2021 iteratec GmbH
#
# SPDX-License-Identifier: Apache-2.0

apiVersion: "cascading.securecodebox.io/v1"
kind: CascadingRule
metadata:
  name: "nuclei-subdomain-scan-light"
  labels:
    securecodebox.io/invasive: non-invasive
    securecodebox.io/intensive: light
spec:
  matches:
    anyOf:
      - category: "Open Port"
        attributes:
          port: 80
          state: open
      - category: "Open Port"
        attributes:
          port: 443
          state: open
      - category: "Open Port"
        attributes:
          service: "http"
          state: open
      - category: "Open Port"
        attributes:
          service: "https"
          state: open
      
  scanSpec:
    scanType: "nuclei"
    parameters:
      # Target domain name of the finding and start a nuclei scan
      - "-u"
      - "{{attributes.service}}://{{$.hostOrIP}}:{{attributes.port}}"

However, this would no longer allow us to trigger on alternative HTTP(S) ports like 8080, 8443, etc., since they have alternative service descriptors (http-proxy, ...) which would break the URL when based on {{attributes.service}} as the protocol selector. I thus opted to split it into two separate rules.

Closes #713.

Checklist

  • Test your changes as thoroughly as possible before you commit them. Preferably, automate your test by unit/integration tests.
  • Make sure npm test runs for the whole project.
  • Make codeclimate checks happy
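
The URL breakage described in the PR description above, as an added JavaScript example that is not part of the pull request or the secureCodeBox code base: it evaluates the single-rule alternative against constructed findings. The `matches` and `render` helpers are simplified stand-ins for the rule evaluation, `widenedRule` and `fixedSchemeRule` are hypothetical, and resolving `$.hostOrIP` to the hostname or else the IP address is an assumption.

```javascript
// Constructed Nmap-style "Open Port" findings (sample data, not real scan output).
const findings = [
  { category: "Open Port", attributes: { hostname: "app.example.com", port: 443, service: "https", state: "open" } },
  { category: "Open Port", attributes: { hostname: "app.example.com", port: 8080, service: "http-proxy", state: "open" } },
];
const openPort = (attributes) => ({ category: "Open Port", attributes: { ...attributes, state: "open" } });

// The single-rule alternative quoted in the PR description.
const singleRule = {
  anyOf: [openPort({ port: 80 }), openPort({ port: 443 }), openPort({ service: "http" }), openPort({ service: "https" })],
  target: "{{attributes.service}}://{{$.hostOrIP}}:{{attributes.port}}",
};
// Hypothetical: same rule, widened to also trigger on the http-proxy descriptor.
const widenedRule = { ...singleRule, anyOf: [...singleRule.anyOf, openPort({ service: "http-proxy" })] };
// Hypothetical fixed-scheme rule (assumed shape, not the merged rule file).
const fixedSchemeRule = {
  anyOf: [openPort({ service: "http" }), openPort({ service: "http-proxy" })],
  target: "http://{{$.hostOrIP}}:{{attributes.port}}",
};

// Simplified matcher: a finding matches if every attribute of any one matcher is equal.
function matches(rule, finding) {
  return rule.anyOf.some((m) => m.category === finding.category &&
    Object.entries(m.attributes).every(([key, value]) => finding.attributes[key] === value));
}

// Simplified template substitution; $.hostOrIP is assumed to be hostname, else ip_address.
function render(template, finding) {
  const a = finding.attributes;
  const scope = { attributes: a, $: { hostOrIP: a.hostname || a.ip_address } };
  return template.replace(/\{\{\s*([\w$.]+)\s*\}\}/g, (_, path) =>
    String(path.split(".").reduce((obj, key) => (obj == null ? undefined : obj[key]), scope)));
}

// Returns the scan target a rule would produce for a finding, or null if it does not trigger.
function plannedTarget(rule, finding) {
  return matches(rule, finding) ? render(rule.target, finding) : null;
}

// A target is usable for an HTTP scanner only with an http or https scheme.
const isHttpUrl = (url) => /^https?:\/\/[^/:]+:\d+$/.test(url);

for (const [name, rule] of Object.entries({ singleRule, widenedRule, fixedSchemeRule })) {
  for (const f of findings) {
    const target = plannedTarget(rule, f);
    console.log(name, f.attributes.port, target, target ? isHttpUrl(target) : "not triggered");
  }
}
```
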

@malexmave malexmave added bug Bugs scanner Implement or update a security scanner labels Jan 10, 2022
@malexmave malexmave requested a review from J12934 January 10, 2022 14:53
@malexmave malexmave added this to In progress in secureCodeBox v3 via automation Jan 10, 2022
@malexmave malexmave self-assigned this Jan 10, 2022
@malexmave malexmave moved this from In progress to To Review in secureCodeBox v3 Jan 10, 2022
malexmave added a commit that referenced this pull request Jan 10, 2022
Analogous to #920, this commit splits the cascading rule for ZAP into
two: one for HTTP and one for HTTPS. This allows it to cover HTTP(S)
services on nonstandard ports. This also requires adding the port as
an extra parameter.

Signed-off-by: Max Maass <max.maass@iteratec.com>
@malexmave malexmave changed the title from "Update Nuclei cascading rule to include protocol information" to "Update Nuclei cascading rule to include protocol information and allow alternative HTTP ports" Jan 10, 2022
The nuclei rule had problems because it omitted the protocol and port
information. This commit splits it into two separate rules, one for
http and one for https. This should make it more robust.

Signed-off-by: Max Maass <max.maass@iteratec.com>
@malexmave malexmave force-pushed the fix/nuclei-cascading-scan-rule branch from 0d94008 to 61416bd Compare January 10, 2022 16:08
secureCodeBox v3 automation moved this from To Review to Reviewer approved Jan 10, 2022
@malexmave malexmave merged commit 049a857 into main Jan 10, 2022
secureCodeBox v3 automation moved this from Reviewer approved to Done Jan 10, 2022
@malexmave malexmave deleted the fix/nuclei-cascading-scan-rule branch January 10, 2022 16:21
@malexmave malexmave moved this from Done to counter in secureCodeBox v3 Jan 14, 2022
Successfully merging this pull request may close these issues.

Nuclei Cascading Rules don't start Scans with Protocol (http/https)
2 participants