Phase 3: Automated Vulnerability Scanning

Overview

Phase 3 executes automated vulnerability scanners against all discovered endpoints. This phase identifies known CVEs, misconfigurations, insecure headers, and other low-hanging fruit that can be detected without deep application logic analysis.

Purpose: Quickly identify publicly known vulnerabilities, security misconfigurations, and information disclosure issues.

Two-Scanner Approach

Phase 3 uses two specialized scanners in parallel:

  1. Nuclei: Template-based scanning for 9000+ known vulnerabilities
  2. Nikto: Classic web server/application scanner for headers, SSL/TLS, and CORS issues

Execution Flow

graph TB
    A["Start Phase 3<br/>Scanning"] --> B["Load Endpoints<br/>From Phase 2"]
    B --> C["Initialize Nuclei<br/>Update templates"]
    C --> D["Agent 1: Nuclei CVE+Exposure<br/>"]
    D --> E["Agent 2: Nuclei Misconfig<br/>"]
    E --> F["Agent 3: Nikto + Headers<br/>"]
    F --> G["Merge Results<br/>scan-results.json"]
    G --> H["Feed to Phase 3.5<br/>Smart Router"]

    style A fill:#4a148c,color:#fff
    style H fill:#4a148c,color:#fff
    style G fill:#ab47bc,color:#fff

Agent 1: Nuclei - CVEs & Exposures

Purpose: Detect known CVEs in the technologies fingerprinted in earlier phases, plus exposed sensitive files

docker run --rm -v $(pwd):/work pentest-tools \
  nuclei -list discovery/httpx-results.txt \
  -t nuclei/cves/ \
  -t nuclei/exposures/ \
  -o discovery/scan-nuclei-cve.json \
  -severity critical,high \
  -json

Coverage

  • CVEs: Apache Log4j RCE (CVE-2021-44228), Spring4Shell (CVE-2022-22965), Struts2 RCE, WordPress plugin vulnerabilities
  • Exposures: Exposed .env files, package.json files, git repositories, AWS credentials, API keys
  • Known vulnerabilities: Default credentials, debug modes, outdated framework versions

Example Findings

{
  "info": {
    "name": "Log4j RCE Detection",
    "severity": "critical"
  },
  "endpoint": "https://api.example.com/api/v1/logs",
  "matched_at": "https://api.example.com/api/v1/logs",
  "type": "http",
  "extracted_results": ["vulnerable to CVE-2021-44228"]
}

Agent 2: Nuclei - Misconfigurations & Defaults

Purpose: Detect security misconfigurations and default credentials

docker run --rm -v $(pwd):/work pentest-tools \
  nuclei -list discovery/httpx-results.txt \
  -t nuclei/default-logins/ \
  -t nuclei/misconfigurations/ \
  -t nuclei/fuzzing/ \
  -o discovery/scan-nuclei-misconfig.json \
  -severity high,medium \
  -json

Coverage

  • Default Credentials: Admin panels with default admin/admin, admin/password
  • Misconfigurations:
      • Open S3 buckets
      • Exposed database interfaces
      • Unprotected Kubernetes dashboards
      • Elasticsearch without authentication
      • Redis exposed to the internet
  • HTTP Headers: Missing HSTS, X-Frame-Options, CSP
  • Fuzzing Templates: Directory/file discovery through fuzzing

Example Finding

{
  "info": {
    "name": "Missing Security Headers (HSTS)",
    "severity": "medium"
  },
  "endpoint": "https://example.com",
  "evidence": {
    "header": "X-Hsts-Header not found"
  }
}

Agent 3: Nikto - Web Server & TLS Analysis

Purpose: Deep analysis of web server configuration and cryptography

docker run --rm -v $(pwd):/work pentest-tools \
  nikto -h https://api.example.com \
  -Format json \
  -output discovery/scan-nikto.json

Coverage

  • HTTP Methods: Checks for dangerous methods (TRACE, PUT, DELETE if enabled)
  • Server Info Disclosure: Server version, X-Powered-By, X-AspNet-Version headers
  • SSL/TLS Analysis:
      • Certificate validity and expiration
      • Supported cipher suites (weak ciphers like DES, RC4)
      • Supported protocols (SSLv2, SSLv3, TLSv1.0 - all deprecated)
      • HSTS configuration
  • CORS Headers: Misconfigured Access-Control-Allow-Origin
  • Clickjacking: Missing X-Frame-Options header
  • MIME Type Sniffing: Missing X-Content-Type-Options
  • XSS Protection: Missing X-XSS-Protection header

SSL/TLS Check Example

❌ Weak Cipher: DES-CBC3-SHA (168-bit) - DEPRECATED
❌ TLS 1.0 supported - Should use TLS 1.2+
✅ HSTS header: max-age=31536000
✅ Certificate valid: example.com (expires 2025-12-31)

Scanning Best Practices

1. Rate Limiting

Even with automated tools, respect rate limits:

# Cap the scanner at 10 requests per second (nuclei's default is far higher)
nuclei -l endpoints.txt -rate-limit 10

2. WAF/IDS Awareness

If a WAF was detected in Phase 0, use stealth options:

# Disable header randomization for consistency
nuclei -l endpoints.txt -no-header-randomization

3. Scope Filtering

Only scan in-scope targets from Phase 1:

# Filter endpoints by scope
grep 'example.com' discovery/httpx-results.txt > scoped-endpoints.txt

docker run --rm -v $(pwd):/work pentest-tools \
  nuclei -l scoped-endpoints.txt -severity critical,high
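A stricter scope filter, added here as an example and not part of the pipeline's own tooling: a bare `grep 'example.com'` is a substring match, so it also keeps hosts such as `notexample.com` or `example.com.evil.net`. This version parses each URL and keeps it only when the host is an in-scope domain or one of its subdomains. The sample httpx lines are constructed.

```python
"""Host-based scope filter for Phase 3 inputs (added example, not pipeline code).

Reads httpx-style output (one URL per line) and keeps only URLs whose host
is exactly an in-scope domain or a subdomain of one. Sample data is constructed.
"""
from urllib.parse import urlsplit

# Constructed httpx output: mixes in-scope hosts with look-alike out-of-scope ones.
SAMPLE_HTTPX_RESULTS = """\
https://api.example.com/api/v1/logs
https://example.com
http://notexample.com/login
https://example.com.evil.net/
https://admin.example.com:8443/console
https://other-client.org/
not a url
"""


def host_in_scope(url: str, scope: set) -> bool:
    """True if the URL's host equals an in-scope domain or is a subdomain of one."""
    try:
        host = urlsplit(url).hostname
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if not host:
        return False
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in scope)


def filter_endpoints(text: str, scope: set) -> list:
    """Return the in-scope URLs from httpx-style output, preserving order."""
    scope = {d.lower().strip(".") for d in scope}
    kept = []
    for line in text.splitlines():
        line = line.strip()
        if line and host_in_scope(line, scope):
            kept.append(line)
    return kept


if __name__ == "__main__":
    for url in filter_endpoints(SAMPLE_HTTPX_RESULTS, {"example.com"}):
        print(url)
```

Write the kept URLs to `scoped-endpoints.txt` and pass that file to nuclei as in the block above.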

Output Files

| File | Content | Format |
|------|---------|--------|
| discovery/scan-nuclei-cve.json | CVE and exposure findings | JSON |
| discovery/scan-nuclei-misconfig.json | Misconfiguration findings | JSON |
| discovery/scan-nikto.json | Web server analysis | JSON |
| scan-report.md | Human-readable summary | Markdown |

Finding Categories

Nuclei and Nikto findings fall into these categories:

| Category | Severity | Action |
|----------|----------|--------|
| CVEs | Critical/High | Verify and report immediately |
| Default Credentials | Critical/High | If confirmed, attempt auth for escalation testing |
| Exposed Files | High | Download and analyze for sensitive data/source code |
| SSL/TLS Issues | Medium/High | If weak ciphers are detected, note them; not a standalone finding |
| Missing Headers | Medium/Low | Include as part of the overall security posture assessment |
| Information Disclosure | Low/Medium | Use to improve fingerprinting; not a standalone finding |

De-duplication & False Positive Removal

Nuclei and Nikto may report the same issue multiple times:

# Slurp every record into one array and keep one record per endpoint + template name
cat discovery/scan-nuclei-*.json discovery/scan-nikto.json \
  | jq -s 'unique_by(.endpoint + .info.name)' \
  > discovery/scan-deduplicated.json
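The same merge done in Python, added here as an example that is not part of the pipeline: nuclei `-json` output is one JSON object per line, so the two agent files are parsed line by line and collapsed on the key the jq one-liner uses (endpoint + template name), normalising trailing slashes and case so near-duplicates collapse too, and keeping the highest severity when copies disagree. Nikto's output has its own shape and is not handled here; the records are constructed and use the field names from this page's example findings.

```python
"""Merge and de-duplicate Phase 3 nuclei findings (added example, not part of
the pipeline). nuclei -json writes one JSON object per line; the agent outputs
are concatenated, parsed, and collapsed on the jq one-liner's key (endpoint +
template name), keeping the highest severity. Records are constructed."""
import json
from collections import Counter

# Constructed output of the CVE/exposure run and the misconfiguration run.
# The HSTS finding appears in both, once with a trailing slash.
SAMPLE_NUCLEI_CVE = """\
{"info":{"name":"Log4j RCE Detection","severity":"critical"},"endpoint":"https://api.example.com/api/v1/logs","type":"http"}
{"info":{"name":"Missing Security Headers (HSTS)","severity":"medium"},"endpoint":"https://example.com","type":"http"}
this line is not JSON and must be skipped
"""
SAMPLE_NUCLEI_MISCONFIG = """\
{"info":{"name":"Missing Security Headers (HSTS)","severity":"medium"},"endpoint":"https://example.com/","type":"http"}
{"info":{"name":"Tomcat Manager Default Login","severity":"high"},"endpoint":"https://admin.example.com:8443/manager","type":"http"}
"""

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

def parse_jsonl(text):
    """Parse JSON-lines output, dropping blank or malformed lines."""
    records = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # partial write or tool chatter; not a finding
    return records

def finding_key(rec):
    """Endpoint (lower-case, no trailing slash) plus template name."""
    endpoint = rec.get("endpoint") or rec.get("matched_at") or ""
    return (endpoint.lower().rstrip("/"), rec["info"]["name"])

def dedup(*texts):
    """Merge several JSON-lines outputs, keeping the highest-severity copy per key."""
    best = {}
    for rec in (r for t in texts for r in parse_jsonl(t)):
        key = finding_key(rec)
        rank = SEVERITY_RANK.get(rec["info"]["severity"], 0)
        if key not in best or rank > SEVERITY_RANK.get(best[key]["info"]["severity"], 0):
            best[key] = rec
    return list(best.values())

def severity_counts(findings):
    """Per-severity counts; any critical/high means verify before Phase 3.5."""
    return Counter(f["info"]["severity"] for f in findings)
```

`severity_counts(dedup(cve_text, misconfig_text))` gives the numbers the decision points below are based on.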

Decision Points

After Phase 3 scanning:

  1. No critical/high findings: Proceed to Phase 3.5 (Smart Router) as planned
  2. CVE found:
      • Verify it's not a false positive (some CVEs don't apply to this tech stack)
      • Confirm severity assessment
      • Proceed to Phase 4 testing
  3. Default credentials found:
      • Attempt login with reported credentials
      • If successful, continue to Phase 4 with authenticated context
      • Log success for verification phase

Pipeline Tier Overlap

IMPORTANT: Phase 3 scanning CAN overlap with earlier phases if needed for schedule optimization, but results are only used in Phase 3.5+.

Next Phase

After Phase 3 completes, proceed to Phase 3.5: Smart Routing to map discovered endpoints to appropriate test scopes.