Configuration - Attack Surface Monitoring
Enable
This setting controls whether the attack surface monitoring feature is enabled.
Enable DNS Enumeration
This setting controls whether DNS subdomain enumeration is enabled for the target. When enabled, Nullify attempts to discover and scan subdomains of the configured targets using external sources such as certificate transparency logs (crt.sh).
Hosts
This setting defines the full set of targets that are in scope for attack surface monitoring. The list can contain wildcarded domain names and/or IP addresses.
Note that including a target in the hosts field does not guarantee that scans will run against it: the actual set of scannable targets also depends on the include_only and ignore fields.
Include Only
This setting is an allowlist of targets that attack surface monitoring is allowed to scan. Use it when you want to limit the scan to a handful of explicitly specified targets.
Target endpoints are specified using a combination of the hosts list and the http options (methods and paths). The hosts list can contain wildcarded domain names and/or IP addresses. The http option can contain a list of HTTP methods and/or a list of wildcarded web endpoints.
For example, with an include_only entry whose hosts list contains live.prod.hosting.com and whose http option lists the methods GET and POST and the paths /main and /api/**/create, the attack surface scan is performed only on HTTP endpoints of live.prod.hosting.com at /main and /api/<any number of intermediary paths>/create, and only with the GET or POST method.
Note that as soon as at least one target is configured in this list, no targets other than the ones explicitly listed here will be scanned. Furthermore, a target that is not specified within the hosts option of an entry will not be included.
Ignore
This setting is a denylist of targets that attack surface monitoring must NOT scan. Any target matching an ignore entry is excluded even if it is covered by the hosts or include_only fields.
Targets can be specified through the following fields:
hosts: a list of hostnames and/or IP addresses (e.g. example.com, test.*, 1.2.3.4)
transport_protocols: a list of transport-layer protocols (TCP or UDP)
ports: a list of individual ports and/or inclusive port ranges (e.g. 80, 443, 3000-3999)
http:
  methods: a list of HTTP methods (e.g. POST, DELETE)
  paths: a list of wildcarded paths (e.g. /login, /auth/**/login, /users/*/dashboard), where ** matches any number of intermediary path segments
Here is an example configuration:
In that example, the following endpoints are excluded from the attack surface scan:
Any HTTP endpoint accessed with the DELETE method
Any endpoint on the domain jira.example.com or on any subdomain matching *.testing.example.com
Any TCP endpoint on port 22, 8080, or 9990-9999 of the IP address 100.110.120.130
Any POST request to /auth on any hostname beginning with dev. or staging.
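The following is an added reference model of how the hosts, include_only and ignore fields combine to decide whether a single endpoint is scanned; it is example code written for this page, not Nullify's implementation. It covers both the Include Only example (live.prod.hosting.com, GET/POST on /main and /api/**/create) and the four Ignore exclusions listed above. Assumptions, which are not stated by the page: rules are modelled as dicts with the field names used above; a * in a hosts entry matches any run of characters; ** in a path matches zero or more segments and * exactly one; and an entry with an http option never matches a non-HTTP service.

```python
# Added example (not Nullify's code): a reference model of how hosts, include_only
# and ignore combine to decide whether one endpoint is scanned. The dict layout of a
# rule and the wildcard semantics noted in comments are assumptions.
import fnmatch
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Target:
    """One candidate endpoint; method and path are None for non-HTTP services."""
    host: str
    transport: str = "TCP"
    port: int = 443
    method: Optional[str] = None
    path: Optional[str] = None


def host_matches(patterns, host):
    # hosts entries are hostnames/IPs; '*' is assumed to match any run of characters.
    return any(fnmatch.fnmatchcase(host.lower(), p.lower()) for p in patterns)


def port_matches(specs, port):
    # ports entries are single ports or inclusive 'lo-hi' ranges, e.g. 80, "3000-3999".
    for spec in specs:
        s = str(spec)
        if "-" in s:
            lo, hi = (int(x) for x in s.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(s) == port:
            return True
    return False


def path_matches(pattern, path):
    # '*' matches exactly one segment; '**' is assumed to match zero or more segments.
    def rec(pat, segs):
        if not pat:
            return not segs
        if pat[0] == "**":
            return any(rec(pat[1:], segs[i:]) for i in range(len(segs) + 1))
        return bool(segs) and pat[0] in ("*", segs[0]) and rec(pat[1:], segs[1:])
    return rec(pattern.strip("/").split("/"), path.strip("/").split("/"))


def rule_matches(rule, t):
    """An include_only/ignore entry matches when every field it sets matches the target."""
    if "hosts" in rule and not host_matches(rule["hosts"], t.host):
        return False
    if "transport_protocols" in rule and t.transport.upper() not in {
            p.upper() for p in rule["transport_protocols"]}:
        return False
    if "ports" in rule and not port_matches(rule["ports"], t.port):
        return False
    http = rule.get("http")
    if http:
        if t.method is None:  # HTTP constraints never match a non-HTTP service (assumption)
            return False
        if "methods" in http and t.method.upper() not in {m.upper() for m in http["methods"]}:
            return False
        if "paths" in http and not any(path_matches(p, t.path) for p in http["paths"]):
            return False
    return True


def in_scope(config, t):
    """hosts membership, then the include_only allowlist (if non-empty), then the ignore denylist."""
    if not host_matches(config.get("hosts", []), t.host):
        return False
    include_only = config.get("include_only", [])
    if include_only and not any(rule_matches(r, t) for r in include_only):
        return False
    return not any(rule_matches(r, t) for r in config.get("ignore", []))


# Constructed sample reproducing the four Ignore exclusions described in the text above.
IGNORE_EXAMPLE = {
    "hosts": ["*.example.com", "100.110.120.130"],
    "include_only": [],
    "ignore": [
        {"http": {"methods": ["DELETE"]}},
        {"hosts": ["jira.example.com", "*.testing.example.com"]},
        {"hosts": ["100.110.120.130"], "transport_protocols": ["TCP"], "ports": [22, 8080, "9990-9999"]},
        {"hosts": ["dev.*", "staging.*"], "http": {"methods": ["POST"], "paths": ["/auth"]}},
    ],
}

# Constructed sample reproducing the Include Only example: GET/POST on /main and /api/**/create.
INCLUDE_ONLY_EXAMPLE = {
    "hosts": ["*.prod.hosting.com"],
    "include_only": [{"hosts": ["live.prod.hosting.com"],
                      "http": {"methods": ["GET", "POST"], "paths": ["/main", "/api/**/create"]}}],
    "ignore": [],
}

if __name__ == "__main__":
    t = Target("live.prod.hosting.com", method="GET", path="/api/v1/users/create")
    print(in_scope(INCLUDE_ONLY_EXAMPLE, t), in_scope(IGNORE_EXAMPLE, Target("100.110.120.130", port=22)))
```

Running in_scope over a candidate list is a quick way to sanity-check a scope change before enabling it: an ignore entry with only an http option silently leaves the non-HTTP ports of the same host in scope, and an include_only entry that sets http excludes every non-HTTP service on that host.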