Configuration - Attack Surface Monitoring

PreviousConfiguration - Secrets NextCode Scanning

Last updated 2 months ago

Was this helpful?

Configuration - Attack Surface Monitoring

Enable

This setting controls whether the attack surface monitoring feature is enabled.

attack_surface:
  enable: true

Enable DNS Enumeration

This setting controls whether DNS subdomain enumeration should be enabled for the target. When this setting is enabled, Nullify will attempt to discover and scan subdomains of the targets provided, using external sources like .

attack_surface:
  enable: true
  enable_dns_enumeration: true

Hosts

This setting is used to define the full set of targets that is in scope for attack surface monitoring. This list can contain wildcarded domain names and/or IP addresses.

attack_surface:
  enable: true
  hosts:
    - example.com
    - prod.hosting.com
    - "*.sandbox.hosting.com"
    - 10.11.12.13
    - 10.0.0.*

Note that just because a target is included in the hosts field, does not mean scans will run for the target, as the actual set of scannable targets depends on the include_only and ignore fields.

Include Only

This setting is an allowlist for targets that the attack surface monitoring is allowed to scan. Use this option when you want to limit the scope of the attack surface to scan to just a handful of specified targets.

Target endpoints can be specified using a combination of the hosts list and http options (methods and paths). The hosts list can contain wildcarded domain names and/or IP addresses. The http option can contain a list of HTTP methods and/or a list of wildcarded web endpoints.

For example, in the configuration below, the attack surface scan will only be performed on HTTP endpoints on live.prod.hosting.com on paths /main and /api/<any number of intermediary paths>/create, with either the GET or POST method.

attack_surface:
  enable: true
  hosts: [*.hosting.com]
  include_only:
    - hosts: [live.prod.hosting.com]
      http:
        methods: [GET, POST]
        paths: [/main, /api/**/create]

Note that if there is at least 1 target configured in this list, No other targets than the ones explicitly mentioned in this list will be scanned. Furthermore, if a target is not specified within the hosts option, it will not be included.

Ignore

This setting is a denylist for targets that the attack surface monitoring should NOT scan.

Targets can be specified through the following fields:

hosts: a list of hostnames and/or IP addresses (e.g. example.com, test.*, 1.2.3.4)
transport_protocols: a list of transport-layer protocols (TCP or UDP)
ports: a list of individual ports and/or an inclusive range of ports (e.g. 80, 443, 3000-3999)
http:
- methods: a list of HTTP methods (e.g. POST, DELETE)
- paths: a list of paths (e.g. /login, /auth/**/login, /users/*/dashboard)

Here is an example configuration:

attack_surface:
  enable: true
  hosts: [*.example.com]
  ignore:
    - http:
        methods: [DELETE]
    - hosts: [jira.example.com, "*.testing.example.com"]
    - hosts: [100.110.120.130]
      transport_protocols: [tcp]
      ports: [22, 8080, 9990-9999]
    - hosts: ["dev.*", "staging.*"]
      http:
        paths: [/auth]
        methods: [POST]

In the example above, the following endpoints are excluded from the attack surface scan:

Any HTTP endpoints with the DELETE method
Any endpoints belonging to the domain jira.example.com or the subdomain *.testing.example.com
Any endpoints using a TCP port of 22, 8080, or 9990-9999, on the IP address 100.110.120.130
Any HTTP endpoints on any subdomain beginning with dev. or staging. with a POST method to /auth