SecTester.Scan 0.33.0

.NET CLI:
  dotnet add package SecTester.Scan --version 0.33.0

Package Manager Console (Visual Studio):
  NuGet\Install-Package SecTester.Scan -Version 0.33.0

PackageReference (project file):
  <PackageReference Include="SecTester.Scan" Version="0.33.0" />

Paket:
  paket add SecTester.Scan --version 0.33.0

F# Interactive / Polyglot Notebooks:
  #r "nuget: SecTester.Scan, 0.33.0"

Cake:
  // Install SecTester.Scan as a Cake Addin
  #addin nuget:?package=SecTester.Scan&version=0.33.0

  // Install SecTester.Scan as a Cake Tool
  #tool nuget:?package=SecTester.Scan&version=0.33.0

SecTester.Scan


The scan package can be used to obtain a config including credentials from different sources, and provide a simplified abstraction to handle events and commands.

Setup

$ dotnet add package SecTester.Scan

Usage

To start scanning your application, you have to configure and retrieve a ScanFactory as follows:

var scanFactory = serviceProvider.GetService<ScanFactory>();

To create a new scan, you have to define a target first (for details, see here):

var target = new Target("https://example.com");

The factory exposes the CreateScan method that returns a new Scan instance:

await using var scan = scanFactory.CreateScan(new ScanSettings(
  target,
  new List<TestType>() { TestType.HeaderSecurity }));

Below you will find a list of parameters that can be used to configure a Scan:

| Option | Description |
|---|---|
| Target | The target that will be attacked. For details, see here. |
| Tests | The list of tests to be performed against the target application. Learn more about tests. |
| RepeaterId | Connects the scan to a Repeater agent, which provides secure access to local networks. |
| Smart | Minimize scan time by using automatic smart decisions regarding parameter skipping, detection phases, etc. Enabled by default. |
| SkipStaticParams | Use an advanced algorithm to automatically determine if a parameter has any effect on the target system's behavior when changed, and skip testing such static parameters. Enabled by default. |
| PoolSize | Sets the maximum concurrent requests for the scan, to control the load on your server. By default, 10. |
| AttackParamLocations | Defines which part of the request to attack. By default, body, query, and fragment. |
| SlowEpTimeout | Automatically validate entry-point response time before initiating the vulnerability testing, and reduce scan time by skipping any entry-points that take too long to respond. By default, 1000ms. |
| TargetTimeout | Measure timeout responses from the target application globally, and stop the scan if the target is unresponsive for longer than the specified time. By default, 5min. |
| Name | The scan name. The method and hostname by default, e.g. GET example.com. |

We also provide a fluent interface for building a ScanSettings object. To use it, create a ScanSettingsBuilder instance and then call its methods to specify the settings you want for the scan.

For example, call WithTarget to set the target of the scan, WithTests to set the tests to run, and Build to produce a ScanSettings object with those settings.

Defining a target for attack

The target can accept the following options:

Url
  • type: string

The server URL that will be used for the request. Usually the Url represents a WHATWG URL:

var target = new Target(
  "https://example.com"
);

If the Url contains a query string, it is parsed into query parameters:

var target = new Target(
  "https://example.com?foo=bar"
);

If you also pass a Query parameter, it overrides the parameters obtained from the Url:

var target = new Target("https://example.com?foo=bar")
  .WithQuery(new Dictionary<string, string>() { { "bar", "foo" } });

Method
  • type: string | HttpMethod

The request method to be used when making the request, GET by default:

var target = new Target("https://example.com")
  .WithMethod(HttpMethod.Delete);

Query
  • type: IEnumerable<KeyValuePair<string, string>>

The query parameters to be sent with the request:

var target = new Target("https://example.com")
  .WithQuery(new Dictionary<string, string>()
  {
    {"hello", "world"},
    {"foo", "123"}
  });

This overrides any query string contained in the Url.

It is possible to define a custom serializer for query parameters. Because the parameter type is IEnumerable<KeyValuePair<string, string>>, repeated keys have to be supplied as a list of pairs; a Dictionary rejects duplicate keys at runtime:

using System.Collections.Generic;
using Cysharp.Web;

var target = new Target("https://example.com")
  .WithQuery(new List<KeyValuePair<string, string>>()
  {
    new KeyValuePair<string, string>("foo", "bar"),
    new KeyValuePair<string, string>("foo", "baz")
  }, query => WebSerializer.ToQueryString(query));

Headers
  • type: IEnumerable<KeyValuePair<string, IEnumerable<string>>>

The HTTP headers to be sent:

var target = new Target("https://example.com")
  .WithHeaders(new Dictionary<string, IEnumerable<string>>()
  {
    { "content-type", new List<string> { "application/json" } },
  });

Body
  • type: string | HttpContent

The data to be sent as the request body. Makes sense only for POST, PUT, PATCH, and DELETE:

var target = new Target("https://example.com")
  .WithBody(@"{""foo"":""bar""}", "application/json");

You can also use any class derived from HttpContent, such as MultipartContent, as the request body:

using System.Net.Http;
using System.Text;

var content = new MultipartFormDataContent {
  {
    new StringContent("Hello, world!", Encoding.UTF8, "text/plain"),
    "greeting"
  }
};
var target = new Target("https://example.com")
  .WithBody(content);
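As an added example that is not part of the project's README, the following describes a JSON endpoint of an application you own with the Target methods above and then feeds it to the ScanSettingsBuilder from the Usage section. It assumes the namespace SecTester.Scan, a parameterless ScanSettingsBuilder constructor, and a scanFactory obtained as shown under Usage; the host, path, body, test-account token and test list are constructed placeholders.

```csharp
using System.Collections.Generic;
using System.Net.Http;
using SecTester.Scan; // assumed namespace of the package

// Constructed sample: a JSON endpoint of the application under test.
// The query given explicitly below replaces the "?page=1" taken from the Url.
var target = new Target("https://app.example.test/api/orders?page=1")
  .WithMethod(HttpMethod.Post)
  .WithQuery(new Dictionary<string, string>
  {
    { "page", "1" },
    { "pageSize", "50" }
  })
  .WithHeaders(new Dictionary<string, IEnumerable<string>>
  {
    { "content-type", new List<string> { "application/json" } },
    // Placeholder credential of a dedicated test account, so the scan exercises
    // the authenticated code paths instead of stopping at a 401 response.
    { "authorization", new List<string> { "Bearer <test-account-token>" } }
  })
  .WithBody(@"{""sku"":""A-100"",""qty"":1}", "application/json");

// Fluent construction of ScanSettings. Every option not set here keeps its default
// (Smart and SkipStaticParams enabled, PoolSize 10, SlowEpTimeout 1000ms, TargetTimeout 5min).
var settings = new ScanSettingsBuilder()
  .WithTarget(target)
  .WithTests(new List<TestType> { TestType.HeaderSecurity })
  .Build();

// scanFactory is assumed to come from serviceProvider.GetService<ScanFactory>().
await using var scan = scanFactory.CreateScan(settings);
```

Sending a credential belonging to a throwaway test account, rather than a real user's session, keeps the scan's authenticated traffic isolated from production data while still covering the code behind the login.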

Managing a scan

The Scan provides a lightweight API to inspect and control the status of test execution.

For instance, to get the list of issues found so far, use the Issues method:

var issues = await scan.Issues();

To wait for a certain condition, use the Expect method:

await scan.Expect(Severity.High);
var issues = await scan.Issues();

It returns control as soon as the scan is done, the timeout has elapsed, or the expectation is satisfied.

You can also define a custom expectation passing a function that accepts an instance of Scan as follows:

await scan.Expect(async scan => {
    var issues = await scan.Issues();

    return issues.Count() > 3;
});

You can use the Status method to observe the scan status, for example to make sure that the scan is done and nothing prevents you from checking the issues:

await foreach (var state in scan.Status())
{
  // your code
}

This await foreach loop keeps yielding states while the scan is active.

To stop a scan, use the Stop method:

await scan.Stop();

To have the scan deleted when it is disposed, set the DeleteOnDispose option in ScanOptions as follows:

await using var scan = scanFactory.CreateScan(settings, new ScanOptions { DeleteOnDispose = true });

await scan.Expect(Severity.High);
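Putting the Scan API above together, as an added example that is not from the project's README: a gate for a CI job that watches the scan through Status, bounds the wall-clock time it is willing to wait, stops the scan as soon as an issue is reported, and relies on DeleteOnDispose for clean-up. It assumes the namespace SecTester.Scan, that Status() returns an IAsyncEnumerable whose enumerator honours the token passed through WithCancellation, and that Issues() returns an IEnumerable; the time budget is supplied by the caller.

```csharp
using System;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using SecTester.Scan; // assumed namespace of the package

public static class ScanGate
{
  // Returns true only when the scan completed within the budget and reported no issue.
  public static async Task<bool> PassesAsync(ScanFactory scanFactory, ScanSettings settings, TimeSpan budget)
  {
    // DeleteOnDispose removes the scan from the server when the await using scope ends,
    // so an aborted CI job does not leave scans behind.
    await using var scan = scanFactory.CreateScan(settings, new ScanOptions { DeleteOnDispose = true });

    using var cts = new CancellationTokenSource(budget);
    try
    {
      // Status keeps yielding while the scan is active; WithCancellation (System.Threading.Tasks)
      // bounds the loop to the budget. Assumed: the SDK's enumerator observes the token.
      await foreach (var state in scan.Status().WithCancellation(cts.Token))
      {
        Console.WriteLine($"scan state: {state}");

        // One reported issue is enough to fail the gate; stop early to spare the target.
        if ((await scan.Issues()).Any())
        {
          await scan.Stop();
          break;
        }
      }
    }
    catch (OperationCanceledException)
    {
      // Budget exhausted: stop the scan so it does not keep loading the target, and
      // treat the run as failed so an unfinished scan is never mistaken for a clean one.
      await scan.Stop();
      Console.WriteLine($"scan stopped after exceeding the {budget} budget");
      return false;
    }

    var issues = (await scan.Issues()).ToList();
    Console.WriteLine($"{issues.Count} issue(s) reported");
    return issues.Count == 0;
  }
}
```

Called as `await ScanGate.PassesAsync(scanFactory, settings, TimeSpan.FromMinutes(20))`, the method gives a pipeline a single boolean to act on, and the explicit budget protects the build from a scan that stalls before the SDK's own TargetTimeout triggers.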

License

Copyright © 2022 Bright Security.

This project is licensed under the MIT License - see the LICENSE file for details.

Target frameworks
  • Included in package: netstandard2.0
  • Computed compatible: netstandard2.1; netcoreapp2.0, 2.1, 2.2, 3.0, 3.1; net5.0 and net5.0-windows; net6.0, net7.0 and net8.0 with their -android, -ios, -maccatalyst, -macos, -tvos and -windows variants (plus net8.0-browser); net461, net462, net463, net47, net471, net472, net48, net481; monoandroid, monomac, monotouch; tizen40, tizen60; xamarinios, xamarinmac, xamarintvos, xamarinwatchos

NuGet packages (2)

Packages that depend on SecTester.Scan:
  • SecTester.Reporter
  • SecTester.Runner

Both carry the same description: This SDK is designed to provide all the basic tools and functions that will allow you to easily integrate the Bright security testing engine into your own project.


Version Downloads Last updated
0.41.4 186 6/8/2024
0.41.3 281 10/4/2023
0.41.2 221 10/4/2023
0.41.1 237 10/4/2023
0.41.0 237 10/4/2023
0.40.0 324 8/3/2023
0.39.1 285 8/1/2023
0.39.0 295 7/31/2023
0.38.0 294 7/28/2023
0.37.0 274 7/20/2023
0.36.0 269 6/5/2023
0.35.1 314 5/2/2023
0.35.0 391 4/11/2023
0.34.0 578 2/8/2023
0.33.7 671 12/20/2022
0.33.6 672 12/16/2022
0.33.5 686 12/16/2022
0.33.4 690 12/15/2022
0.33.3 675 12/14/2022
0.33.2 673 12/14/2022
0.33.1 681 12/14/2022
0.33.0 646 12/14/2022
0.32.8 678 12/13/2022
0.32.7 641 12/13/2022
0.32.6 683 12/13/2022
0.32.5 671 12/13/2022
0.32.4 691 12/13/2022
0.32.3 663 12/13/2022
0.32.2 648 12/13/2022
0.32.1 715 12/13/2022
0.32.0 678 12/13/2022
0.31.0 689 12/11/2022
0.30.1 477 12/10/2022
0.30.0 506 12/9/2022
0.29.2 293 12/9/2022
0.29.1 321 12/9/2022
0.29.0 319 12/8/2022
0.28.0 325 12/8/2022
0.27.0 306 12/8/2022
0.26.0 300 12/7/2022
0.25.0 322 12/7/2022
0.24.0 309 12/6/2022
0.23.0 338 12/5/2022
0.22.0 350 12/2/2022
0.21.0 342 12/1/2022
0.20.0 369 12/1/2022
0.19.0 350 11/28/2022
0.18.0 358 11/28/2022
0.17.0 345 11/28/2022
0.16.0 349 11/28/2022
0.15.0 332 11/21/2022