Vulnerability Scanning Tools

Tools and techniques for scanning web services and applications for security vulnerabilities.

Overview

Vulnerability scanning identifies security weaknesses in applications, networks, and systems before attackers can exploit them.

Scanning Types:

  • Network scanning
  • Web application scanning
  • API security testing
  • Container/cloud scanning
  • Dependency scanning

Network Scanning

Nmap (Network Mapper)

Essential network discovery and security auditing tool.

```bash
# Install
sudo apt-get install nmap  # Debian/Ubuntu
brew install nmap          # macOS

# Basic host discovery
nmap 192.168.1.0/24

# Port scanning
nmap -p 80,443 target.com
nmap -p 1-65535 target.com  # All ports
nmap -p- target.com         # All ports (shorthand)

# Service version detection
nmap -sV target.com

# OS detection
sudo nmap -O target.com

# Aggressive scan (OS, version, scripts, traceroute)
sudo nmap -A target.com

# Vulnerability scanning with NSE scripts
nmap --script vuln target.com
nmap --script=http-vuln-* target.com

# Specific vulnerabilities
nmap --script ssl-heartbleed target.com
nmap --script http-sql-injection target.com

# Stealth scan
sudo nmap -sS target.com

# UDP scan
sudo nmap -sU target.com

# Save results
nmap -oN output.txt target.com      # Normal format
nmap -oX output.xml target.com      # XML format
nmap -oG output.gnmap target.com    # Greppable format
nmap -oA output target.com          # All formats
```

Common Nmap NSE Scripts

```bash
# Web vulnerabilities
nmap --script http-csrf target.com
nmap --script http-stored-xss target.com
nmap --script http-dombased-xss target.com

# SSL/TLS testing
nmap --script ssl-cert,ssl-enum-ciphers target.com
nmap --script ssl-poodle target.com

# Authentication
nmap --script auth target.com
nmap --script http-brute --script-args userdb=users.txt,passdb=passes.txt target.com

# Database scanning
nmap -p 3306 --script mysql-* target.com
nmap -p 5432 --script pgsql-* target.com
nmap -p 1433 --script ms-sql-* target.com

# SMB vulnerabilities
nmap --script smb-vuln-* target.com
```

Web Application Scanning

OWASP ZAP (Zed Attack Proxy)

Free, open-source web application security scanner.

Installation

```bash
# Download from https://www.zaproxy.org/download/

# Or via package manager
sudo apt-get install zaproxy  # Debian/Ubuntu
brew install --cask owasp-zap # macOS

# Docker
docker run -u zap -p 8080:8080 owasp/zap2docker-stable zap-webswing.sh
```

CLI Usage

```bash
# Quick scan
zap-cli quick-scan http://target.com

# Full scan
zap-cli active-scan http://target.com

# Spider website first
zap-cli spider http://target.com
zap-cli active-scan http://target.com

# Generate report
zap-cli report -o report.html -f html

# Authenticated scanning
zap-cli --api-key YOUR_KEY \
        --zap-url http://localhost:8080 \
        open-url http://target.com/login
```

Python API

```python
import time

from zapv2 import ZAPv2

# Connect to a running ZAP instance through its local proxy port
zap = ZAPv2(apikey='your-api-key', proxies={
    'http': 'http://127.0.0.1:8080',
    'https': 'http://127.0.0.1:8080'
})

# Spider target (status is returned as a percentage string)
print('Spidering target...')
scan_id = zap.spider.scan('http://target.com')
while int(zap.spider.status(scan_id)) < 100:
    print(f'Spider progress: {zap.spider.status(scan_id)}%')
    time.sleep(2)

# Active scan
print('Active scanning...')
scan_id = zap.ascan.scan('http://target.com')
while int(zap.ascan.status(scan_id)) < 100:
    print(f'Scan progress: {zap.ascan.status(scan_id)}%')
    time.sleep(5)

# Get alerts
alerts = zap.core.alerts(baseurl='http://target.com')
for alert in alerts:
    print(f"[{alert['risk']}] {alert['alert']}")
    print(f"  URL: {alert['url']}")
    print(f"  Description: {alert['description']}")
```

Nikto

Web server scanner.

```bash
# Install
sudo apt-get install nikto

# Basic scan
nikto -h http://target.com

# Scan specific port
nikto -h target.com -p 8080

# SSL scan
nikto -h https://target.com -ssl

# Tune scan (select tests)
nikto -h target.com -Tuning 123456789ab

# Tuning options:
# 1: Interesting files
# 2: Misconfiguration
# 3: Information disclosure
# 4: Injection (XSS/Script/HTML)
# 5: Remote file retrieval
# 6: Denial of service
# 7: Remote file retrieval (inside web root)
# 8: Command execution
# 9: SQL injection
# a: Authentication bypass
# b: Software identification

# Save output
nikto -h target.com -o report.html -Format html

# Use proxy
nikto -h target.com -useproxy http://proxy:8080
```

Nuclei

Fast vulnerability scanner using YAML templates.

```bash
# Install
go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest

# Update templates
nuclei -update-templates

# Scan single target
nuclei -u http://target.com

# Scan multiple targets
nuclei -l targets.txt

# Scan with specific templates
nuclei -u http://target.com -t cves/
nuclei -u http://target.com -t exposures/

# Scan for specific CVE
nuclei -u http://target.com -t cves/2021/CVE-2021-44228.yaml

# Custom severity
nuclei -u http://target.com -severity critical,high

# Rate limiting
nuclei -u http://target.com -rate-limit 10

# Output
nuclei -u http://target.com -o results.txt
nuclei -u http://target.com -json -o results.json
```

Custom Nuclei Template

```yaml
# custom-check.yaml
id: custom-admin-panel

info:
  name: Admin Panel Detection
  author: your-name
  severity: info
  description: Detects common admin panel paths

requests:
  - method: GET
    path:
      - "{{BaseURL}}/admin"
      - "{{BaseURL}}/administrator"
      - "{{BaseURL}}/wp-admin"
      - "{{BaseURL}}/admin.php"

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
          - 301
          - 302

      - type: word
        words:
          - "admin"
          - "login"
          - "dashboard"
        condition: or
```

```bash
# Run custom template
nuclei -u http://target.com -t custom-check.yaml
```

API Security Testing

Postman

```javascript
// Pre-request script: SQL injection test
pm.environment.set("payload", "' OR '1'='1");

// Test script: Check for vulnerabilities
pm.test("No SQL error in response", function () {
    pm.expect(pm.response.text()).to.not.include("SQL syntax");
    pm.expect(pm.response.text()).to.not.include("mysql_fetch");
});

pm.test("Response time acceptable", function () {
    pm.expect(pm.response.responseTime).to.be.below(5000);
});
```

RESTler

Microsoft's REST API fuzzer.

```bash
# Install
pip install restler-fuzzer

# Compile API specification
restler compile --api_spec swagger.json

# Test
restler test --grammar_file Compile/grammar.py \
             --dictionary_file Compile/dict.json \
             --settings Compile/engine_settings.json

# Fuzz
restler fuzz --grammar_file Compile/grammar.py \
             --dictionary_file Compile/dict.json \
             --time_budget 1
```

OWASP API Security Testing

```bash
# Using curl for manual testing

# 1. Broken Object Level Authorization
curl -H "Authorization: Bearer TOKEN" \
     http://api.target.com/users/123/orders
# Try changing user ID to access other users' data

# 2. Broken Authentication
curl -X POST http://api.target.com/auth/login \
     -d '{"username":"admin","password":"admin"}'
# Test weak credentials

# 3. Excessive Data Exposure
curl http://api.target.com/users/me
# Check if response includes sensitive fields

# 4. Lack of Rate Limiting
for i in {1..1000}; do
    curl http://api.target.com/api/endpoint &
done
# Check if rate limiting is enforced

# 5. Mass Assignment
curl -X POST http://api.target.com/users \
     -d '{"username":"test","is_admin":true}'
# Try to set privileged fields
```

Specialized Scanners

SQLMap (SQL Injection)

```bash
# Install
sudo apt-get install sqlmap

# Basic scan
sqlmap -u "http://target.com/page?id=1"

# POST request
sqlmap -u "http://target.com/login" \
       --data="username=admin&password=pass"

# With cookie
sqlmap -u "http://target.com/page?id=1" \
       --cookie="PHPSESSID=abc123"

# Enumerate databases
sqlmap -u "http://target.com/page?id=1" --dbs

# Enumerate tables
sqlmap -u "http://target.com/page?id=1" -D database_name --tables

# Dump table
sqlmap -u "http://target.com/page?id=1" \
       -D database_name -T users --dump

# Batch mode (non-interactive)
sqlmap -u "http://target.com/page?id=1" --batch

# Risk and level
sqlmap -u "http://target.com/page?id=1" --risk=3 --level=5

# Tamper scripts (bypass WAF)
sqlmap -u "http://target.com/page?id=1" \
       --tamper=space2comment,between
```

XSStrike (XSS Scanner)

```bash
# Install
git clone https://github.com/s0md3v/XSStrike
cd XSStrike
pip install -r requirements.txt

# Scan URL
python xsstrike.py -u "http://target.com/search?q=test"

# Crawl and scan
python xsstrike.py -u "http://target.com" --crawl

# Scan with custom payload
python xsstrike.py -u "http://target.com/search?q=test" \
                   --payload "<script>alert(1)</script>"
```

Commix (Command Injection)

```bash
# Install
git clone https://github.com/commixproject/commix
cd commix
python commix.py

# Scan URL parameter
python commix.py --url="http://target.com/page?cmd=test"

# POST data
python commix.py --url="http://target.com/page" \
                 --data="cmd=test&other=value"

# Cookie injection
python commix.py --url="http://target.com/page" \
                 --cookie="cmd=test"
```

Container & Cloud Security

Trivy (Container Vulnerability Scanner)

```bash
# Install
brew install aquasecurity/trivy/trivy  # macOS
sudo apt-get install trivy             # Debian/Ubuntu

# Scan Docker image
trivy image nginx:latest
trivy image myapp:1.0

# Scan filesystem
trivy fs /path/to/project

# Scan git repository
trivy repo https://github.com/user/repo

# Scan Kubernetes cluster
trivy k8s --report summary

# Output formats
trivy image --format json nginx:latest
trivy image --format sarif -o results.sarif nginx:latest

# Severity filtering
trivy image --severity HIGH,CRITICAL nginx:latest

# Ignore unfixed vulnerabilities
trivy image --ignore-unfixed nginx:latest
```
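
In a pipeline the JSON output is usually post-processed rather than read by hand. The following is an added example and not part of the original page or of Trivy: it reads a constructed report in the shape of `trivy image --format json` output (the CVE ids are placeholders), applies the same two filters as `--severity` and `--ignore-unfixed`, and produces the per-severity counts that the report summary later on this page lists.

```python
import json

# Constructed sample in the shape of `trivy image --format json` output; the CVE ids are
# placeholders, not real advisories.
SAMPLE_TRIVY_JSON = """{
  "Results": [
    {"Target": "nginx:latest (debian 12.5)", "Type": "debian",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3", "InstalledVersion": "3.0.11-1",
        "FixedVersion": "3.0.13-1", "Severity": "CRITICAL"},
       {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libc6", "InstalledVersion": "2.36-9",
        "FixedVersion": "", "Severity": "HIGH"},
       {"VulnerabilityID": "CVE-0000-0003", "PkgName": "curl", "InstalledVersion": "7.88.1-10",
        "FixedVersion": "7.88.1-11", "Severity": "MEDIUM"}
     ]}
  ]
}"""

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]

def triage(report_json, min_severity="HIGH", ignore_unfixed=False):
    """Keep findings at or above min_severity; optionally drop those with no fix yet.
    Mirrors what --severity and --ignore-unfixed do on the command line."""
    keep = SEVERITY_ORDER[: SEVERITY_ORDER.index(min_severity) + 1]
    findings = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:  # key is absent for clean targets
            sev = v.get("Severity", "UNKNOWN")
            if sev not in keep or (ignore_unfixed and not v.get("FixedVersion")):
                continue
            findings.append({"target": result["Target"], "id": v["VulnerabilityID"],
                             "pkg": v["PkgName"], "installed": v["InstalledVersion"],
                             "fixed": v.get("FixedVersion") or None, "severity": sev})
    findings.sort(key=lambda f: SEVERITY_ORDER.index(f["severity"]))
    return findings

def summary(findings):
    """Per-severity counts, the numbers a report's Executive Summary lists."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    for f in findings:
        counts[f["severity"]] += 1
    counts["TOTAL"] = len(findings)
    return counts

if __name__ == "__main__":
    hits = triage(SAMPLE_TRIVY_JSON, min_severity="HIGH", ignore_unfixed=True)
    print(summary(hits))
    for f in hits:
        print(f"{f['severity']:8} {f['id']} {f['pkg']} {f['installed']} -> {f['fixed']}")
```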

Grype (Vulnerability Scanner)

```bash
# Install
brew install grype

# Scan image
grype nginx:latest

# Scan directory
grype dir:/path/to/project

# Output formats
grype nginx:latest -o json
grype nginx:latest -o table
grype nginx:latest -o cyclonedx
```

Dependency Scanning

OWASP Dependency-Check

```bash
# Install
brew install dependency-check

# Scan project
dependency-check --project "MyProject" \
                 --scan /path/to/project \
                 --out report.html

# Enable the experimental analyzers to cover additional ecosystems
dependency-check --enableExperimental \
                 --scan /path/to/project \
                 --out report.html
```

Snyk

```bash
# Install
npm install -g snyk

# Authenticate
snyk auth

# Test for vulnerabilities
snyk test

# Test Docker image
snyk container test nginx:latest

# Test Kubernetes
snyk iac test k8s-deployment.yaml

# Monitor project
snyk monitor

# Fix vulnerabilities
snyk fix
```

Safety (Python)

```bash
# Install
pip install safety

# Check installed packages
safety check

# Check requirements file
safety check -r requirements.txt

# JSON output
safety check --json

# Ignore specific vulnerabilities
safety check --ignore 12345
```

Automated Security Testing

GitHub Actions Workflow

```yaml
# .github/workflows/security-scan.yml
name: Security Scan

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '0 0 * * 0'  # Weekly

jobs:
  dependency-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - name: Run Snyk
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

      - name: Run Trivy
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'

      - name: Upload results
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'

  web-scan:
    runs-on: ubuntu-latest
    steps:
      # Checkout is needed so the rules file referenced below exists in the workspace
      - uses: actions/checkout@v2

      - name: ZAP Scan
        uses: zaproxy/action-baseline@v0.7.0
        with:
          target: 'https://target.com'
          rules_file_name: '.zap/rules.tsv'
          cmd_options: '-a'
```

Web Application Firewall (WAF) Testing

Bypass Techniques

```text
# Test WAF presence
wafw00f http://target.com

# SQL injection bypass examples
# URL encoding
%27%20OR%20%271%27=%271

# Double encoding
%2527%2520OR%2520%25271%2527=%25271

# Case variation
' oR '1'='1

# Comment injection
'/**/OR/**/1=1--

# Null byte
%00' OR '1'='1

# Unicode
' OR '1'='1
```

Bypass Tools

```bash
# SQLMap with tamper scripts
sqlmap -u "http://target.com/?id=1" \
       --tamper=space2comment,between,randomcase

# Available tamper scripts:
# apostrophemask, apostrophenullencode, appendnullbyte
# base64encode, between, bluecoat, chardoubleencode
# charencode, charunicodeencode, concat2concatws
# equaltolike, greatest, halfversionedmorekeywords
# ifnull2ifisnull, modsecurityversioned, modsecurityzeroversioned
# multiplespaces, nonrecursivereplacement, percentage
# randomcase, randomcomments, securesphere, space2comment
# space2dash, space2hash, space2morehash, space2mssqlblank
# space2mssqlhash, space2mysqlblank, space2mysqldash
# space2plus, space2randomblank, sp_password, unionalltounion
# unmagicquotes, versionedkeywords, versionedmorekeywords
```

Reporting & Prioritization

Vulnerability Severity (CVSS)

```text
Critical (9.0-10.0):
- Remote code execution
- Authentication bypass
- SQL injection with data access

High (7.0-8.9):
- XSS with session hijacking
- CSRF on critical functions
- Privilege escalation

Medium (4.0-6.9):
- Information disclosure
- CSRF on non-critical functions
- Weak cryptography

Low (0.1-3.9):
- Minor information leaks
- Missing security headers
- Verbose error messages
```

Sample Report Structure

````markdown
# Vulnerability Report

## Executive Summary
- Total vulnerabilities: 15
- Critical: 2
- High: 5
- Medium: 6
- Low: 2

## Critical Findings

### 1. SQL Injection in Login Form
**Severity:** Critical (CVSS 9.8)
**URL:** http://target.com/login
**Parameter:** username
**Payload:** `admin' OR '1'='1'--`

**Impact:**
- Full database access
- User credential theft
- Data modification

**Remediation:**
- Use parameterized queries
- Implement input validation
- Apply principle of least privilege

**Evidence:**
```sql
SELECT * FROM users WHERE username='admin' OR '1'='1'--' AND password='...'
```

### 2. Remote Code Execution
...
````
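
The report's first remediation item is parameterized queries. The following is an added example, not part of the original page: it builds a throwaway in-memory SQLite table and runs the report's own payload against the string-concatenated login query from the Evidence section and against its parameterized replacement, so the reader can see that the same input logs in as `admin` in the first case and is merely a username that matches nothing in the second. The table contents and passwords are constructed.

```python
import sqlite3

# Payload quoted in the report above; the table below is a constructed stand-in.
PAYLOAD = "admin' OR '1'='1'--"

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse'), ('bob', 'hunter2')")
    return conn

def login_vulnerable(conn, username, password):
    """String concatenation: produces the query shown in the Evidence section.
    The trailing -- in the payload comments out the password check entirely."""
    sql = ("SELECT username FROM users WHERE username='" + username +
           "' AND password='" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterized(conn, username, password):
    """Remediation: bound parameters, so the payload is compared as one literal string."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", login_vulnerable(conn, PAYLOAD, "wrong"))    # 'admin'
    print("fixed:     ", login_parameterized(conn, PAYLOAD, "wrong")) # None
```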

Best Practices

```text
DO:
- Get written permission before scanning
- Start with passive reconnaissance
- Use rate limiting to avoid DoS
- Scan during maintenance windows
- Document all findings
- Verify vulnerabilities manually
- Provide remediation guidance
- Re-scan after fixes

DON'T:
- Scan without authorization
- Use aggressive settings on production
- Rely solely on automated tools
- Ignore false positives
- Share vulnerabilities publicly before fix
- Test exploits without permission
- Forget to clean up test data
```

```text
⚠️ WARNING:
Unauthorized scanning may be illegal under:
- Computer Fraud and Abuse Act (CFAA) - USA
- Computer Misuse Act - UK
- Similar laws in other countries

Always:
1. Get written authorization
2. Define scope clearly
3. Follow responsible disclosure
4. Document permission
5. Use bug bounty programs when available
```
