automated post-launch security checks for projects
For a client, we also handle the vulnerability management of the projects. This also involves manual checks after a new project is launched, to ensure that no critical security problem is caused by misconfiguration.
So we wanted to implement an easy-to-use solution for a post-launch check and security regression testing, which can be easily automated.
The self-proclaimed requirements were:
- single portable binary for every major platform
- easy to learn, apply and use
- optimized for performance
- actively developed and supported
My research yielded some relatively new but quite popular solution called nuclei, which checks all the checkboxes.
portable binary
nuclei is written in Golang, which is relatively fast and allows cross-compilation for all major platforms. Fortunately, we do not have to compile it ourselves as there are prebuilt binaries for the relevant platforms.
The binary is not that small, but much smaller compared to other solutions, which often require many more parts to have a working setup.
ease of use
To run nuclei you may need only a simple command to load a folder of templates and start all the checks. We use the following command in a bash script, which
- loads the relevant files from a
template
folder (-t
,-templates string[]
: list of template or template directory to run (comma-separated, file)) - uses the supplied target URL (
-u
,-target string[]
: target URLs/hosts to scan) - disables the download and usage of the internal templates (
-duc
,-disable-update-check
: disable automatic nuclei/templates update check) - and lists the loaded templates (
-vv
: display templates loaded for scan)
nuclei -t ./templates -u https://example.com -duc -vv
In our bash script (nuclei.sh) we wrap the relevant binary name / command depending on the used platform and architecture.
Templates can be created with a powerful yaml DSL (domain specific language) and there are many templates from the community, which can be used, adapted and combined.
performance
A simple scan with nuclei takes not more than a few seconds and tools based on Go are often very performant. This makes it a good solution to check many projects at once and also saves some time when used in CI pipelines.
actively maintained
Almost every month there is at least one new release and open issues are relatively small compared to the closed ones.
There is a growing list of active contributors, which ensures that there will be more releases and bugfixes in the future.
example output (excerpt)
A simple run of nuclei looks like this:
__ _
____ __ _______/ /__ (_)
/ __ \/ / / / ___/ / _ \/ /
/ / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ 2.7.5
projectdiscovery.io
[WRN] Use with caution. You are responsible for your actions.
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[ERR] Could not read nuclei-ignore file: open /home/user/.config/nuclei/.nuclei-ignore: no such file or directory
[INF] Using Nuclei Engine 2.7.5 (latest)
[INF] Using Nuclei Templates 9.1.3 (latest)
[INF] Templates added in last update: 0
[INF] Templates loaded for scan: 18
...
[ssl-dns-names] SSL DNS Names (@pdteam) [info]
[statuscode-500] statuscode 500 (@danielruf) [low]
[deprecated-tls] Deprecated TLS Detection (TLS 1.1 or SSLv3) (@righettod,@forgedhallpass) [info]
[tls-version] TLS Version (@pdteam) [info]
[INF] Templates clustered: 2 (Reduced 2 HTTP Requests)
[2022-08-16 10:15:44] [tls-version] [ssl] [info] https://bitexpert.de [TLS12]
[2022-08-16 10:15:44] [ssl-dns-names] [ssl] [info] https://bitexpert.de [*.bitexpert.de,bitexpert.de]
.../nuclei.sh 0,31s user 0,18s system 12% cpu 4,103 total