SecTester.Scan 0.30.0

.NET Standard 2.0 This package targets .NET Standard 2.0. The package is compatible with this framework or higher.
There is a newer version of this package available.
See the version list below for details. 
dotnet add package SecTester.Scan --version 0.30.0                

                    
                

            
NuGet\Install-Package SecTester.Scan -Version 0.30.0
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package. 
<PackageReference Include="SecTester.Scan" Version="0.30.0" />
For projects that support PackageReference, copy this XML node into the project file to reference the package. 
paket add SecTester.Scan --version 0.30.0                

                    
                

            
#r "nuget: SecTester.Scan, 0.30.0"
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package. 
// Install SecTester.Scan as a Cake Addin
#addin nuget:?package=SecTester.Scan&version=0.30.0

// Install SecTester.Scan as a Cake Tool
#tool nuget:?package=SecTester.Scan&version=0.30.0

SecTester.Scan

Maintainability Test Coverage Build Status Nuget Downloads

The scan package can be used to obtain a config including credentials from different sources, and provide a simplified abstraction to handle events and commands.

Setup

$ dotnet add package SecTester.Scan

Usage

To start scanning your application, you have to configure and retrieve a ScanFactory as follows:

var scanFactory = serviceProvider.GetService<ScanFactory>();

To create a new scan, you have to define a target first (for details, see here):

var target = new Target("https://example.com");

The factory exposes the CreateScan method that returns a new Scan instance:

await using var result = scanFactory.CreateScan(new ScanSettings(
  target,
  new List<TestType>() { TestType.HeaderSecurity }));

Below you will find a list of parameters that can be used to configure a Scan:

Option Description
Target The target that will be attacked. For details, see here.
Tests The list of tests to be performed against the target application. Learn more about tests
RepeaterId Connects the scan to a Repeater agent, which provides secure access to local networks.
Smart Minimize scan time by using automatic smart decisions regarding parameter skipping, detection phases, etc. Enabled by default.
SkipStaticParams Use an advanced algorithm to automatically determine if a parameter has any effect on the target system's behavior when changed, and skip testing such static parameters. Enabled by default.
PoolSize Sets the maximum concurrent requests for the scan, to control the load on your server. By default, 10.
AttackParamLocations Defines which part of the request to attack. By default, body, query, and fragment.
SlowEpTimeout Automatically validate entry-point response time before initiating the vulnerability testing, and reduce scan time by skipping any entry-points that take too long to respond. By default, 1000ms.
TargetTimeout Measure timeout responses from the target application globally, and stop the scan if the target is unresponsive for longer than the specified time. By default, 5min.
Name The scan name. The method and hostname by default, e.g. GET example.com.

Defining a target for attack

The target can accept the following options:

Url
  • type: string

The server URL that will be used for the request. Usually the Url represents a WHATWG URL:

var target = new Target(
  "https://example.com"
);

If Url contains a query string, they will be parsed as search params:

const target = new Target(
  "https://example.com?foo=bar"
);

If you pass a Query parameter, it will override these which obtained from Url:

var target = new Target("https://example.com?foo=bar")
  .WithQuery(new Dictionary<string, string>() { { "bar", "foo" } });
Method
  • type: string | HttpMethod

The request method to be used when making the request, GET by default:

var target = new Target("https://example.com")
  .WithMethod(HttpMethod.Delete);
Query
  • type: IEnumerable<KeyValuePair<string, string>>

The query parameters to be sent with the request:

var target = new Target("https://example.com")
  .WithQuery(new Dictionary<string, string>()
  {
    {"hello", "world"},
    {"foo", "123"}
  });

This will override the query string in url.

It is possible to define a custom serializer for query parameters:

using Cysharp.Web;

var target = new Target("https://example.com")
  .WithQuery(new Dictionary<string, string>()
  {
    {"foo", "bar"},
    {"foo", "baz"}
  }, query => WebSerializer.ToQueryString(query));
Headers
  • type: IEnumerable<KeyValuePair<string, IEnumerable<string>>>

The HTTP headers to be sent:

var target = new Target("https://example.com")
  .WithHeaders(new Dictionary<string, IEnumerable<string>>()
  {
    { "content-type", new List<string> { "application/json" } },
  });
Body
  • type: string | HttpContent

The data to be sent as the request body. Makes sense only for POST, PUT, PATCH, and DELETE:

var target = new Target("https://example.com")
  .WithBody(@"{""foo"":""bar""}", "application/json");

You can use any derived class of HttpContent, such as MultipartContent, as request body as well:

var content = new MultipartFormDataContent {
  {
    new StringContent("Hello, world!", Encoding.UTF8, "text/plain"),
    "greeting"
  }
};
var target = new Target("https://example.com")
  .WithBody(content);

Managing a scan

The Scan provides a lightweight API to revise and control the status of test execution.

For instance, to get a list of found issues, you can use the issues method:

var issues = await scan.Issues();

To wait for certain conditions you can use the expect method:

await scan.Expect(Severity.High);
var issues = await scan.Issues();

It returns control as soon as a scan is done, timeout is gone, or an expectation is satisfied.

You can also define a custom expectation passing a function that accepts an instance of Scan as follows:

await scan.Expect(async scan => {
    var issues = await scan.Issues();

    return issues.Count() > 3;
});

You can use the Status method to obtain scan status, to ensure that the scan is done and nothing prevents the user to check for issues, or for other reasons:

await foreach (var state in scan.Status())
{
  // your code
}

This await foreach...in will work while a scan is active.

To stop scan, use the Stop method:

await scan.Stop();

To delete a scan while disposing, you just need to set the DeleteOnDispose option in the ScanOptions as follows:

await using var scan = scanFactory.CreateScan(settings, new ScanOptions { DeleteOnDispose = true });

await scan.Expect(Severity.High);

License

Copyright © 2022 Bright Security.

This project is licensed under the MIT License - see the LICENSE file for details.

Product Compatible and additional computed target framework versions.
.NET net5.0 was computed.  net5.0-windows was computed.  net6.0 was computed.  net6.0-android was computed.  net6.0-ios was computed.  net6.0-maccatalyst was computed.  net6.0-macos was computed.  net6.0-tvos was computed.  net6.0-windows was computed.  net7.0 was computed.  net7.0-android was computed.  net7.0-ios was computed.  net7.0-maccatalyst was computed.  net7.0-macos was computed.  net7.0-tvos was computed.  net7.0-windows was computed.  net8.0 was computed.  net8.0-android was computed.  net8.0-browser was computed.  net8.0-ios was computed.  net8.0-maccatalyst was computed.  net8.0-macos was computed.  net8.0-tvos was computed.  net8.0-windows was computed. 
.NET Core netcoreapp2.0 was computed.  netcoreapp2.1 was computed.  netcoreapp2.2 was computed.  netcoreapp3.0 was computed.  netcoreapp3.1 was computed. 
.NET Standard netstandard2.0 is compatible.  netstandard2.1 was computed. 
.NET Framework net461 was computed.  net462 was computed.  net463 was computed.  net47 was computed.  net471 was computed.  net472 was computed.  net48 was computed.  net481 was computed. 
MonoAndroid monoandroid was computed. 
MonoMac monomac was computed. 
MonoTouch monotouch was computed. 
Tizen tizen40 was computed.  tizen60 was computed. 
Xamarin.iOS xamarinios was computed. 
Xamarin.Mac xamarinmac was computed. 
Xamarin.TVOS xamarintvos was computed. 
Xamarin.WatchOS xamarinwatchos was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

NuGet packages (2)

Showing the top 2 NuGet packages that depend on SecTester.Scan:

Package Downloads
SecTester.Reporter

This SDK is designed to provide all the basic tools and functions that will allow you to easily integrate the Bright security testing engine into your own project.
SecTester.Runner

This SDK is designed to provide all the basic tools and functions that will allow you to easily integrate the Bright security testing engine into your own project.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last updated
0.41.4 184 6/8/2024
0.41.3 279 10/4/2023
0.41.2 219 10/4/2023
0.41.1 235 10/4/2023
0.41.0 235 10/4/2023
0.40.0 322 8/3/2023
0.39.1 283 8/1/2023
0.39.0 293 7/31/2023
0.38.0 290 7/28/2023
0.37.0 272 7/20/2023
0.36.0 267 6/5/2023
0.35.1 312 5/2/2023
0.35.0 389 4/11/2023
0.34.0 576 2/8/2023
0.33.7 669 12/20/2022
0.33.6 670 12/16/2022
0.33.5 684 12/16/2022
0.33.4 688 12/15/2022
0.33.3 673 12/14/2022
0.33.2 671 12/14/2022
0.33.1 679 12/14/2022
0.33.0 644 12/14/2022
0.32.8 676 12/13/2022
0.32.7 639 12/13/2022
0.32.6 681 12/13/2022
0.32.5 669 12/13/2022
0.32.4 689 12/13/2022
0.32.3 661 12/13/2022
0.32.2 646 12/13/2022
0.32.1 713 12/13/2022
0.32.0 676 12/13/2022
0.31.0 687 12/11/2022
0.30.1 475 12/10/2022
0.30.0 504 12/9/2022
0.29.2 291 12/9/2022
0.29.1 319 12/9/2022
0.29.0 317 12/8/2022
0.28.0 323 12/8/2022
0.27.0 304 12/8/2022
0.26.0 296 12/7/2022
0.25.0 320 12/7/2022
0.24.0 307 12/6/2022
0.23.0 334 12/5/2022
0.22.0 348 12/2/2022
0.21.0 340 12/1/2022
0.20.0 367 12/1/2022
0.19.0 348 11/28/2022
0.18.0 356 11/28/2022
0.17.0 343 11/28/2022
0.16.0 347 11/28/2022
0.15.0 330 11/21/2022