SecTester.Scan 0.39.0

There is a newer version of this package available.
See the version list below for details.

dotnet add package SecTester.Scan --version 0.39.0

NuGet\Install-Package SecTester.Scan -Version 0.39.0

This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package.

<PackageReference Include="SecTester.Scan" Version="0.39.0" />

For projects that support PackageReference, copy this XML node into the project file to reference the package.

paket add SecTester.Scan --version 0.39.0

The NuGet Team does not provide support for this client. Please contact its maintainers for support.

#r "nuget: SecTester.Scan, 0.39.0"

#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package.

// Install SecTester.Scan as a Cake Addin
#addin nuget:?package=SecTester.Scan&version=0.39.0

// Install SecTester.Scan as a Cake Tool
#tool nuget:?package=SecTester.Scan&version=0.39.0

The NuGet Team does not provide support for this client. Please contact its maintainers for support.

SecTester.Scan

Nuget Downloads

The scan package can be used to obtain a config including credentials from different sources, and provide a simplified abstraction to handle events and commands.

Setup

$ dotnet add package SecTester.Scan

Usage

To start scanning your application, you have to configure and retrieve a ScanFactory as follows:

var scanFactory = serviceProvider.GetService<ScanFactory>();

To create a new scan, you have to define a target first (for details, see here):

var target = new Target("https://example.com");

The factory exposes the CreateScan method that returns a new Scan instance:

await using var result = scanFactory.CreateScan(new ScanSettings(
  target,
  new List<TestType>() { TestType.HeaderSecurity }));

Below you will find a list of parameters that can be used to configure a Scan:

Option	Description
`Target`	The target that will be attacked. For details, see here.
`Tests`	The list of tests to be performed against the target application. Learn more about tests
`RepeaterId`	Connects the scan to a Repeater agent, which provides secure access to local networks.
`Smart`	Minimize scan time by using automatic smart decisions regarding parameter skipping, detection phases, etc. Enabled by default.
`SkipStaticParams`	Use an advanced algorithm to automatically determine if a parameter has any effect on the target system's behavior when changed, and skip testing such static parameters. Enabled by default.
`PoolSize`	Sets the maximum concurrent requests for the scan, to control the load on your server. By default, `10`.
`AttackParamLocations`	Defines which part of the request to attack. By default, `body`, `query`, and `fragment`.
`SlowEpTimeout`	Automatically validate entry-point response time before initiating the vulnerability testing, and reduce scan time by skipping any entry-points that take too long to respond. By default, 1000ms.
`TargetTimeout`	Measure timeout responses from the target application globally, and stop the scan if the target is unresponsive for longer than the specified time. By default, 5min.
`Name`	The scan name. The method and hostname by default, e.g. `GET example.com`.

We provide a fluent interface for building a ScanSettings object. To use it, you start by creating a ScanSettingsBuilder instance, and then you call its methods to specify the various settings you want to use for the scan.

For example, you could call the WithTarget method to specify the target for the scan, the WithTests method to specify the tests to run, and the Build method to create a ScanSettings object with those settings.

Defining a target for attack

The target can accept the following options:

Url

type: string

The server URL that will be used for the request. Usually the Url represents a WHATWG URL:

var target = new Target(
  "https://example.com"
);

If Url contains a query string, they will be parsed as search params:

const target = new Target(
  "https://example.com?foo=bar"
);

If you pass a Query parameter, it will override these which obtained from Url:

var target = new Target("https://example.com?foo=bar")
  .WithQuery(new Dictionary<string, string>() { { "bar", "foo" } });

Method

type: string | HttpMethod

The request method to be used when making the request, GET by default:

var target = new Target("https://example.com")
  .WithMethod(HttpMethod.Delete);

Query

type: IEnumerable<KeyValuePair<string, string>>

The query parameters to be sent with the request:

var target = new Target("https://example.com")
  .WithQuery(new Dictionary<string, string>()
  {
    {"hello", "world"},
    {"foo", "123"}
  });

This will override the query string in url.

It is possible to define a custom serializer for query parameters:

using Cysharp.Web;

var target = new Target("https://example.com")
  .WithQuery(new Dictionary<string, string>()
  {
    {"foo", "bar"},
    {"foo", "baz"}
  }, query => WebSerializer.ToQueryString(query));

Headers

type: IEnumerable<KeyValuePair<string, IEnumerable<string>>>

The HTTP headers to be sent:

var target = new Target("https://example.com")
  .WithHeaders(new Dictionary<string, IEnumerable<string>>()
  {
    { "content-type", new List<string> { "application/json" } },
  });

Body

type: string | HttpContent

The data to be sent as the request body. Makes sense only for POST, PUT, PATCH, and DELETE:

var target = new Target("https://example.com")
  .WithBody(@"{""foo"":""bar""}", "application/json");

You can use any derived class of HttpContent, such as MultipartContent, as request body as well:

var content = new MultipartFormDataContent {
  {
    new StringContent("Hello, world!", Encoding.UTF8, "text/plain"),
    "greeting"
  }
};
var target = new Target("https://example.com")
  .WithBody(content);

Managing a scan

The Scan provides a lightweight API to revise and control the status of test execution.

For instance, to get a list of found issues, you can use the issues method:

var issues = await scan.Issues();

To wait for certain conditions you can use the expect method:

await scan.Expect(Severity.High);
var issues = await scan.Issues();

It returns control as soon as a scan is done, timeout is gone, or an expectation is satisfied.

You can also define a custom expectation passing a function that accepts an instance of Scan as follows:

await scan.Expect(async scan => {
    var issues = await scan.Issues();

    return issues.Count() > 3;
});

You can use the Status method to obtain scan status, to ensure that the scan is done and nothing prevents the user to check for issues, or for other reasons:

await foreach (var state in scan.Status())
{
  // your code
}

This await foreach...in will work while a scan is active.

To stop scan, use the Stop method:

await scan.Stop();

To delete a scan while disposing, you just need to set the DeleteOnDispose option in the ScanOptions as follows:

await using var scan = scanFactory.CreateScan(settings, new ScanOptions { DeleteOnDispose = true });

await scan.Expect(Severity.High);

License

This project is licensed under the MIT License - see the LICENSE file for details.

Product	Compatible and additional computed target framework versions.
.NET	net5.0 was computed. net5.0-windows was computed. net6.0 was computed. net6.0-android was computed. net6.0-ios was computed. net6.0-maccatalyst was computed. net6.0-macos was computed. net6.0-tvos was computed. net6.0-windows was computed. net7.0 was computed. net7.0-android was computed. net7.0-ios was computed. net7.0-maccatalyst was computed. net7.0-macos was computed. net7.0-tvos was computed. net7.0-windows was computed. net8.0 was computed. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed.
.NET Core	netcoreapp2.0 was computed. netcoreapp2.1 was computed. netcoreapp2.2 was computed. netcoreapp3.0 was computed. netcoreapp3.1 was computed.
.NET Standard	netstandard2.0 is compatible. netstandard2.1 was computed.
.NET Framework	net461 was computed. net462 was computed. net463 was computed. net47 was computed. net471 was computed. net472 was computed. net48 was computed. net481 was computed.
MonoAndroid	monoandroid was computed.
MonoMac	monomac was computed.
MonoTouch	monotouch was computed.
Tizen	tizen40 was computed. tizen60 was computed.
Xamarin.iOS	xamarinios was computed.
Xamarin.Mac	xamarinmac was computed.
Xamarin.TVOS	xamarintvos was computed.
Xamarin.WatchOS	xamarinwatchos was computed.

Compatible target framework(s)

Included target framework(s) (in package)

Learn more about Target Frameworks and .NET Standard.

.NETStandard 2.0
- Macross.Json.Extensions (>= 3.0.0)
- Microsoft.Extensions.DependencyInjection.Abstractions (>= 6.0.0)
- SecTester.Bus (>= 0.39.0)
- SecTester.Core (>= 0.39.0)
- System.Linq.Async (>= 6.0.1)
- System.Text.Json (>= 6.0.0)

NuGet packages (2)

Showing the top 2 NuGet packages that depend on SecTester.Scan:

Package	Downloads
SecTester.Reporter This SDK is designed to provide all the basic tools and functions that will allow you to easily integrate the Bright security testing engine into your own project.	12.3K
SecTester.Runner This SDK is designed to provide all the basic tools and functions that will allow you to easily integrate the Bright security testing engine into your own project.	7.8K

GitHub repositories

This package is not used by any popular GitHub repositories.

Version	Downloads	Last updated
0.41.4	184	6/8/2024
0.41.3	279	10/4/2023
0.41.2	219	10/4/2023
0.41.1	235	10/4/2023
0.41.0	235	10/4/2023
0.40.0	322	8/3/2023
0.39.1	283	8/1/2023
0.39.0	293	7/31/2023
0.38.0	290	7/28/2023
0.37.0	272	7/20/2023
0.36.0	267	6/5/2023
0.35.1	312	5/2/2023
0.35.0	389	4/11/2023
0.34.0	576	2/8/2023
0.33.7	669	12/20/2022
0.33.6	670	12/16/2022
0.33.5	684	12/16/2022
0.33.4	688	12/15/2022
0.33.3	673	12/14/2022
0.33.2	671	12/14/2022
0.33.1	679	12/14/2022
0.33.0	644	12/14/2022
0.32.8	676	12/13/2022
0.32.7	639	12/13/2022
0.32.6	681	12/13/2022
0.32.5	669	12/13/2022
0.32.4	689	12/13/2022
0.32.3	661	12/13/2022
0.32.2	646	12/13/2022
0.32.1	713	12/13/2022
0.32.0	676	12/13/2022
0.31.0	687	12/11/2022
0.30.1	475	12/10/2022
0.30.0	504	12/9/2022
0.29.2	291	12/9/2022
0.29.1	319	12/9/2022
0.29.0	317	12/8/2022
0.28.0	323	12/8/2022
0.27.0	304	12/8/2022
0.26.0	296	12/7/2022
0.25.0	320	12/7/2022
0.24.0	307	12/6/2022
0.23.0	334	12/5/2022
0.22.0	348	12/2/2022
0.21.0	340	12/1/2022
0.20.0	367	12/1/2022
0.19.0	348	11/28/2022
0.18.0	356	11/28/2022
0.17.0	343	11/28/2022
0.16.0	347	11/28/2022
0.15.0	330	11/21/2022