Posts

Extracting Dynamic Values from Multiple Requests in a Nuclei Template

Introduction We are using Nuclei for all the Security Automation tasks. We create a lot of custom templates to automate custom Authenticated APIs. A major challenge that we faced in automating this is dependence on dynamic variables. Site24x7's APIs have various dynamic entities that are dependent on other APIs for data. You can find Site24x7 Rest API reference.  Problem Statement Let's take this example for this blog. To automate monitor addition in Site24x7, we need to call a POST API "https://www.site24x7.com/api/monitors" with some body content. But, the problem is body content has so many dependencies which are dependent on other APIs. For example to call the above api, we need threshold_profile, notification_profile, user_group_id. So, to get these three values, we have to call the three apis sequentially extract the ids and pass it on to the Monitor Addition API. Nuclei Extractors https://nuclei.projectdiscovery.io/templating-guide/operators/extractors/ To ac

Security Score Card using Nuclei Automation

Image
  Introduction Nuclei by Project Discovery is a great tool for automation, and I've started using the tool for automated scanning of vulnerabilities and for automated regression testing. I find it very useful in adding customized templates and get accurate results. Now for a complete automation, I've written python wrapper around my nuclei test cases and added the python script to the crontab. It may not be possible to automate 0-days, but once it is a 1-day, you should have an automation to check for the vulnerability, else someone else will find it. The Idea of Score Card: Everything works great, and my target is a fixed set of around 600 servers. I had an idea to build an executive level dashboard, that can calculate a score based on the results of the automation. So, I started to build a score-card using Site24x7,  The Logic: The logic is a weighted sum of the categories of issues found.  For example in a given scenario, Severity Score High 60  Medium 30  Low 10  The formul

Importance of Attack Surfaces in Log4shell Context

  Introduction Everyone in the IT Industry is alarmed by the discovery of a 0-day vulnerability in the famous Log4j, java logging framework. It's been assigned with a CVSS score of 10, which means any application using a vulnerable version of Log4j can be exploited by anyone. Such is the the severity of this vulnerability. It's imperative to fix this vulnerability and there are various threads out there on how to fix this issue and there are different third-party tools to find the usage of vulnerable log4j jars. This blog will not talk about this and is talking about the importance of keeping track of your IT Assets to stay resilient when attacks of such scale emerge in the future.  Know Your Attack Surface Attack Surface - Different Points in the IT landscape of an organization, through which an attacker can attack your IT Infrastructure.  With the increase in the IT complexity and the presence in the IT Landscape, the Attack surface of any organization is growing day by day.

How I used Nuclei to Automate Basic Security Checks

 Nuclei by Project Discovery Nuclei is an automation tool built by Project Discovery. The tool is open source and has various CVE Templates bundled with it. Also, the templates are updated on a regular basis. You can also create a customized template for your needs.    Why I chose Nuclei as a DAST tool? I've been doing Product Security Testing for one of my targets. We have found various categories of bugs manually, and considering the fact that the product is a growing one and the same bug may pop-out again, we have decided to automate the security cases that we have found earlier. The tools that I considered are Burp, ZAP automation, and later I got to know about Nuclei.  I'm using the free version of Burp and it doesn't support automation, otherwise an excellent tool. ZAP is an open source tool, and it has so many options available but I feel it to be little complicated and find it difficult to use on a regular basis.  On surfing Twitter and YouTube, I got to know about

Enterprise Business - Checklist to verify your Software Vendors

  Introduction   Businesses cannot run without software, So every business in the wild is vulnerable to Cyber Attacks. It is important to know your Vendor, similar to how you are protecting your infrastructure. A Software product supplied by a vendor can expose significant Attack Surfaces to the wild. This is the classic Supply Chain Attack. How can Enterprises make sure the vendors are maintaining their software vendors and products are secured against Hackers. This post can help you check the list and maintain the integrity of your environment.  Know Your Vendor "Know Your Vendor" is a right to every customer who are using the Vendor's product. You can ask any number of questions and then decide on a Vendor. I herewith summarize the following points which I have seen customers asking me before installing our products and also from my own experience.  What level of Permission does the Software take to run on the system. root/SYSTEM privileges shouldn't be given unles

Purpose of the Blog

I am witnessing a lot of Security Issues happening in the Software Industry. Software is key to any business today and digital footprint is mandatory for organizations of all the sizes across different industry.  Security Issues are increasing on a daily basis, but the software industry not lacing up to look up the challenge. It's important to think about security while designing your application.  "Better to be Safe than Sorry"  So I've decided to share my learning in the Security space to the security community. I'm a learner in the security industry and I'm learning a lot from other security researchers, youTube channels, twitter and the like.  The primary motives of this blog,  Secure Product Design Talks about recent vulnerabilities and CVEs  Offensive Security  Some Good Blogs Sharing here my  security knowledge

Key Points in Product Security

  Key Things to Consider for Product Security The primary aim of this blog is to share my ideas on Product Security. Key trends and how to secure a software product. In this blog, we are going to talk about "Pushing Security to the Left" in SDLC Push Security to the left of SDLC SDLC - Software Development Life Cycle SDLC consists of Design - Development - Testing - Production Product Owners think about Security only in Testing or Production environment Product Owners should start thinking about Security while designing the application Majority of the Security risks if we think about security while designing the application   Important Security decisions to consider while Designing your product?   Assign or get only the required permissions in your Product  Store only the data which are absolutely required If you store any PII data, kindly encrypt the data  Try to whitelist all the input that you are obtaining from the user If your application receives any data other than wha