Intruder Cheat Sheet

Overview

Intruder is a cloud-based automated vulnerability scanner that provides continuous security monitoring for web applications, networks, and cloud infrastructure. It offers intelligent scanning capabilities with minimal false positives, automated remediation guidance, and seamless integration into DevOps workflows for proactive security management.

⚠️ Note: Commercial cloud service. Free tier available with limited scans. Paid plans start at $99/month.

Getting Started

Account Setup

# Sign up process:
# 1. Visit intruder.io
# 2. Create account with email
# 3. Verify email address
# 4. Complete onboarding wizard
# 5. Add first target for scanning

# Initial configuration steps:
# - Set up organization profile
# - Configure notification preferences
# - Add team members and roles
# - Set up integrations
# - Define scanning schedules

Dashboard Overview

# Main dashboard sections:
# - Vulnerability overview
# - Recent scan results
# - Target status monitoring
# - Security score trends
# - Upcoming scheduled scans
# - Team activity feed
# - Integration status
# - Compliance reporting

Target Management

# Add targets through web interface:
# 1. Navigate to "Targets" section
# 2. Click "Add Target"
# 3. Enter target details:
#    - Domain/IP address
#    - Target type (web app, network, cloud)
#    - Scan configuration
#    - Authentication details
# 4. Configure scan settings
# 5. Set up monitoring schedule

Web Application Scanning

Target Configuration

# Web application target setup:
# Target URL: https://example.com
# Scan depth: Full site crawl
# Authentication: Form-based/HTTP Basic/OAuth
# Exclusions: /admin/*, /api/internal/*
# Custom headers: Authorization, X-API-Key
# Rate limiting: Respectful (default)
# User agent: Custom or default

# Advanced configuration options:
# - Custom login sequences
# - Multi-step authentication
# - Session management
# - Cookie handling
# - JavaScript rendering
# - Single Page Application (SPA) support

Scan Types and Modes

# Quick Scan (15-30 minutes)
# - Essential vulnerability checks
# - OWASP Top 10 coverage
# - Basic configuration issues
# - Suitable for CI/CD integration

# Full Scan (1-4 hours)
# - Comprehensive vulnerability assessment
# - Deep crawling and discovery
# - Advanced attack simulations
# - Detailed configuration analysis

# Custom Scan
# - User-defined test selection
# - Specific vulnerability categories
# - Targeted testing approach
# - Compliance-focused scanning

Authentication Setup

# Form-based authentication configuration:
# 1. Login URL: https://example.com/login
# 2. Username field: email or username
# 3. Password field: password
# 4. Submit button: Login or Sign In
# 5. Success indicator: Dashboard or Welcome
# 6. Logout URL: https://example.com/logout

# HTTP Basic Authentication:
# Username: api_user
# Password: secure_password
# Realm: Protected Area (optional)

# OAuth 2.0 Configuration:
# Authorization URL: https://auth.example.com/oauth/authorize
# Token URL: https://auth.example.com/oauth/token
# Client ID: your_client_id
# Client Secret: your_client_secret
# Scope: read write admin

Vulnerability Categories

# OWASP Top 10 Coverage:
# - Injection vulnerabilities (SQL, NoSQL, LDAP, OS)
# - Broken authentication and session management
# - Sensitive data exposure
# - XML External Entities (XXE)
# - Broken access control
# - Security misconfigurations
# - Cross-Site Scripting (XSS)
# - Insecure deserialization
# - Using components with known vulnerabilities
# - Insufficient logging and monitoring

# Additional vulnerability checks:
# - CSRF (Cross-Site Request Forgery)
# - Clickjacking
# - HTTP security headers
# - SSL/TLS configuration
# - Directory traversal
# - File inclusion vulnerabilities
# - Business logic flaws
# - API security issues

Network and Infrastructure Scanning

Network Target Setup

# Network scanning configuration:
# Target range: 192.168.1.0/24
# Port range: 1-65535 or common ports
# Scan intensity: Light, Normal, Aggressive
# Service detection: Enabled
# OS fingerprinting: Enabled
# Vulnerability assessment: Full

# Cloud infrastructure scanning:
# AWS account integration
# Azure subscription scanning
# Google Cloud Platform monitoring
# Kubernetes cluster assessment
# Docker container security
# Serverless function analysis

Port and Service Discovery

# Common ports scanned:
# Web services: 80, 443, 8080, 8443
# SSH: 22, 2222
# FTP: 21, 990
# Telnet: 23
# SMTP: 25, 465, 587
# DNS: 53
# HTTP alternatives: 8000, 8008, 9000
# Database: 3306, 5432, 1433, 27017
# Remote access: 3389, 5900

# Service identification includes:
# - Service version detection
# - Banner grabbing
# - Protocol analysis
# - Configuration assessment
# - Default credential testing
# - Known vulnerability matching

Infrastructure Vulnerabilities

# Network vulnerability categories:
# - Unpatched operating systems
# - Insecure service configurations
# - Default credentials
# - Weak encryption protocols
# - Open administrative interfaces
# - Unnecessary services running
# - Firewall misconfigurations
# - Network segmentation issues

# Cloud-specific vulnerabilities:
# - Misconfigured S3 buckets
# - Overprivileged IAM roles
# - Unencrypted data stores
# - Public database instances
# - Insecure API gateways
# - Container vulnerabilities
# - Serverless misconfigurations

Cloud Security Monitoring

AWS Integration

# AWS account setup:
# 1. Create IAM role for Intruder
# 2. Attach security audit policies:
#    - SecurityAudit (AWS managed)
#    - ReadOnlyAccess (AWS managed)
#    - Custom policy for specific resources
# 3. Configure cross-account access
# 4. Add AWS account to Intruder
# 5. Verify permissions and connectivity

# AWS services monitored:
# - EC2 instances and security groups
# - S3 buckets and access policies
# - RDS databases and encryption
# - IAM users, roles, and policies
# - VPC configurations and NACLs
# - CloudTrail logging setup
# - Lambda function security
# - API Gateway configurations

Azure Integration

# Azure subscription setup:
# 1. Create service principal
# 2. Assign Reader role to subscription
# 3. Grant additional permissions:
#    - Security Reader
#    - Key Vault Reader
#    - Storage Account Contributor (read-only)
# 4. Configure application registration
# 5. Add Azure subscription to Intruder

# Azure services monitored:
# - Virtual machines and NSGs
# - Storage accounts and access keys
# - SQL databases and firewalls
# - Key Vault configurations
# - Active Directory settings
# - Application Gateway security
# - Function App configurations
# - Cosmos DB security settings

Google Cloud Platform

# GCP project setup:
# 1. Create service account
# 2. Assign predefined roles:
#    - Security Reviewer
#    - Compute Viewer
#    - Storage Object Viewer
#    - Cloud SQL Viewer
# 3. Generate and download JSON key
# 4. Add GCP project to Intruder
# 5. Verify service account permissions

# GCP services monitored:
# - Compute Engine instances
# - Cloud Storage buckets
# - Cloud SQL databases
# - IAM policies and bindings
# - VPC firewall rules
# - Cloud Functions security
# - Kubernetes Engine clusters
# - API Gateway configurations

Continuous Monitoring and Automation

Scheduled Scanning

# Scan frequency options:
# - Daily: High-priority targets
# - Weekly: Standard monitoring
# - Monthly: Comprehensive assessments
# - Custom: User-defined intervals

# Scheduling configuration:
# Target: example.com
# Scan type: Full scan
# Frequency: Weekly
# Day: Sunday
# Time: 02:00 UTC
# Timezone: UTC/Local
# Notifications: Email, Slack, webhook

# Scan optimization:
# - Off-peak scheduling
# - Resource-aware timing
# - Dependency management
# - Parallel scan limits
# - Rate limiting controls

Alert Configuration

# Alert severity levels:
# Critical: Immediate attention required
# High: Address within 24 hours
# Medium: Address within 1 week
# Low: Address during maintenance
# Info: Awareness only

# Notification channels:
# Email: team@example.com
# Slack: #security-alerts
# Microsoft Teams: Security Team
# Webhook: https://api.example.com/security/alerts
# PagerDuty: Security incident escalation
# Jira: Automatic ticket creation

# Alert conditions:
# - New vulnerabilities discovered
# - Vulnerability severity increase
# - Target becomes unreachable
# - Scan failures or errors
# - Compliance violations
# - Security score degradation

Integration with DevOps Tools

# CI/CD pipeline integration:
# Jenkins plugin: Intruder Security Scanner
# GitHub Actions: intruder-io/intruder-action
# GitLab CI: Custom webhook integration
# Azure DevOps: REST API integration
# CircleCI: Custom orb available

# API integration examples:
# Trigger scan: POST /api/v1/scans
# Get results: GET /api/v1/scans/{scan_id}
# List vulnerabilities: GET /api/v1/vulnerabilities
# Update target: PUT /api/v1/targets/{target_id}
# Export report: GET /api/v1/reports/{report_id}

API Usage and Automation

Authentication

# API key authentication:
# 1. Generate API key in dashboard
# 2. Include in request headers:
#    Authorization: Bearer YOUR_API_KEY
# 3. Use HTTPS for all requests
# 4. Rotate keys regularly
# 5. Monitor API usage and limits

# Rate limiting:
# - 1000 requests per hour (standard)
# - 5000 requests per hour (premium)
# - Burst allowance: 100 requests per minute
# - Rate limit headers included in responses

Common API Operations

# Start a new scan
curl -X POST "https://api.intruder.io/v1/scans" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "target_id": "12345",
    "scan_type": "full",
    "priority": "normal"
  }'

# Get scan status
curl -X GET "https://api.intruder.io/v1/scans/67890" \
  -H "Authorization: Bearer YOUR_API_KEY"

# List all vulnerabilities
curl -X GET "https://api.intruder.io/v1/vulnerabilities?severity=high" \
  -H "Authorization: Bearer YOUR_API_KEY"

# Export scan report
curl -X GET "https://api.intruder.io/v1/reports/12345?format=pdf" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -o "security_report.pdf"

Webhook Configuration

# Webhook setup for real-time notifications:
# Endpoint URL: https://your-server.com/intruder-webhook
# Secret: webhook_secret_key
# Events: scan_completed, vulnerability_found, target_unreachable

# Webhook payload example:
{
  "event": "vulnerability_found",
  "timestamp": "2024-01-15T10:30:00Z",
  "target": {
    "id": "12345",
    "name": "example.com",
    "type": "web_application"
  },
  "vulnerability": {
    "id": "67890",
    "title": "SQL Injection",
    "severity": "high",
    "cvss_score": 8.1,
    "description": "SQL injection vulnerability found in login form",
    "location": "/login.php?id=1",
    "remediation": "Use parameterized queries"
  }
}
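An added example, not part of this page or of Intruder's own code: a receiver for a delivery like the payload above that authenticates the webhook with the configured secret, then triages the event using the remediation windows from the alert severity levels listed on this page. The header name `X-Intruder-Signature` and the scheme (hex HMAC-SHA256 over the raw request body) are assumptions; check Intruder's documentation for the real one.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta

# Remediation window per severity, from the "Alert severity levels" list on this page.
# Critical: immediate, High: 24 hours, Medium: 1 week; Low waits for a maintenance
# window and Info is awareness only, so neither gets a fixed deadline.
SLA_HOURS = {"critical": 0, "high": 24, "medium": 24 * 7, "low": None, "info": None}

# Placeholder secret from the page's webhook configuration (use the one from the dashboard)
WEBHOOK_SECRET = b"webhook_secret_key"

# Assumed header name and scheme: hex HMAC-SHA256 of the raw request body
SIGNATURE_HEADER = "X-Intruder-Signature"


def sign_body(raw_body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """HMAC the raw bytes, not re-serialised JSON: re-encoding would change the bytes."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(raw_body: bytes, presented: str, secret: bytes = WEBHOOK_SECRET) -> bool:
    """Constant-time comparison so a timing side channel cannot help guess the MAC."""
    return hmac.compare_digest(sign_body(raw_body, secret), presented or "")


def remediation_deadline(severity: str, received_at: datetime):
    hours = SLA_HOURS.get(severity.lower())
    return None if hours is None else received_at + timedelta(hours=hours)


def handle_webhook(raw_body: bytes, presented_signature: str) -> dict:
    """Validate, parse and triage one delivery; returns the routing decision."""
    if not verify_signature(raw_body, presented_signature):
        # Reject before parsing: an unauthenticated body never reaches json.loads
        raise PermissionError("webhook signature mismatch, event dropped")

    payload = json.loads(raw_body)
    if payload["event"] != "vulnerability_found":
        return {"event": payload["event"], "action": "ignored"}

    vuln = payload["vulnerability"]
    received = datetime.fromisoformat(payload["timestamp"].replace("Z", "+00:00"))
    due = remediation_deadline(vuln["severity"], received)
    return {
        "event": payload["event"],
        "target": payload["target"]["name"],
        "severity": vuln["severity"],
        "title": vuln["title"],
        "due": due.isoformat() if due else None,
        # Critical and High go to the paging channel; the rest only to Slack/Jira
        "page_oncall": vuln["severity"].lower() in ("critical", "high"),
    }


# Constructed sample delivery, built from the payload shown on this page
SAMPLE_BODY = json.dumps({
    "event": "vulnerability_found",
    "timestamp": "2024-01-15T10:30:00Z",
    "target": {"id": "12345", "name": "example.com", "type": "web_application"},
    "vulnerability": {"id": "67890", "title": "SQL Injection", "severity": "high",
                      "cvss_score": 8.1, "location": "/login.php?id=1",
                      "remediation": "Use parameterized queries"},
}).encode()

if __name__ == "__main__":
    print(handle_webhook(SAMPLE_BODY, sign_body(SAMPLE_BODY)))
```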

Automation Scripts

# Python automation example
import time

import requests


class IntruderAPI:
    def __init__(self, api_key, timeout=30):
        self.api_key = api_key
        self.base_url = "https://api.intruder.io/v1"
        self.timeout = timeout  # per-request timeout so a hung connection cannot block forever
        self.headers = {
            "Authorization": f"Bearer {api_key}",
            "Content-Type": "application/json"
        }

    def _request(self, method, path, **kwargs):
        """Send one API request; raise on HTTP errors instead of parsing an error page"""
        response = requests.request(
            method,
            f"{self.base_url}{path}",
            headers=self.headers,
            timeout=self.timeout,
            **kwargs
        )
        response.raise_for_status()
        return response.json()

    def start_scan(self, target_id, scan_type="full"):
        """Start a new security scan"""
        data = {
            "target_id": target_id,
            "scan_type": scan_type,
            "priority": "normal"
        }
        return self._request("POST", "/scans", json=data)

    def get_scan_status(self, scan_id):
        """Get the status of a running scan"""
        return self._request("GET", f"/scans/{scan_id}")

    def wait_for_scan_completion(self, scan_id, timeout=3600, poll_interval=30):
        """Wait for scan to complete with timeout"""
        deadline = time.monotonic() + timeout

        while time.monotonic() < deadline:
            status = self.get_scan_status(scan_id)

            if status["status"] == "completed":
                return status
            elif status["status"] == "failed":
                raise RuntimeError(f"Scan failed: {status.get('error', 'no error detail')}")

            time.sleep(poll_interval)  # Check every 30 seconds by default

        raise TimeoutError("Scan did not complete within timeout")

    def get_vulnerabilities(self, target_id=None, severity=None):
        """Get list of vulnerabilities"""
        params = {}
        if target_id:
            params["target_id"] = target_id
        if severity:
            params["severity"] = severity
        return self._request("GET", "/vulnerabilities", params=params)


# Usage example
if __name__ == "__main__":
    import os

    # Read the key from the environment rather than hard-coding it in the script
    api = IntruderAPI(os.environ["INTRUDER_API_KEY"])

    # Start scan and wait for completion
    scan_result = api.start_scan("12345", "full")
    scan_id = scan_result["scan_id"]

    print(f"Started scan {scan_id}, waiting for completion...")
    completed_scan = api.wait_for_scan_completion(scan_id)

    # Get high severity vulnerabilities (assumes the endpoint returns a JSON list)
    high_vulns = api.get_vulnerabilities(severity="high")
    print(f"Found {len(high_vulns)} high severity vulnerabilities")

Reporting and Compliance

Report Generation

# Available report formats:
# - PDF: Executive and technical reports
# - HTML: Interactive web reports
# - CSV: Vulnerability data export
# - JSON: API data format
# - XML: Structured data export

# Report types:
# Executive Summary:
#   - High-level security overview
#   - Risk assessment summary
#   - Trend analysis
#   - Compliance status
#   - Recommendations

# Technical Report:
#   - Detailed vulnerability listings
#   - Proof of concept details
#   - Remediation instructions
#   - CVSS scoring
#   - Technical references

# Compliance Report:
#   - PCI DSS compliance
#   - ISO 27001 alignment
#   - NIST framework mapping
#   - SOC 2 requirements
#   - Custom compliance frameworks

Compliance Frameworks

# PCI DSS Compliance:
# Requirement 6.5: Address common vulnerabilities
# Requirement 11.2: Run quarterly vulnerability scans
# Requirement 11.3: Perform penetration testing
# ASV (Approved Scanning Vendor) certified scans
# Quarterly external vulnerability scans
# Annual penetration testing requirements

# ISO 27001 Alignment:
# A.12.6.1: Management of technical vulnerabilities
# A.14.2.1: Secure development policy
# A.14.2.5: Secure system engineering principles
# Continuous monitoring requirements
# Risk assessment integration
# Documentation and evidence collection

# NIST Cybersecurity Framework:
# Identify: Asset and vulnerability discovery
# Protect: Security control implementation
# Detect: Continuous monitoring and alerting
# Respond: Incident response integration
# Recover: Remediation tracking and validation

Custom Reporting

# Report customization options:
# - Company branding and logos
# - Custom executive summary
# - Filtered vulnerability lists
# - Risk scoring methodology
# - Remediation prioritization
# - Trend analysis periods
# - Compliance mapping
# - Technical appendices

# Automated report distribution:
# - Scheduled report generation
# - Email distribution lists
# - Secure file sharing
# - API-driven report delivery
# - Integration with ticketing systems
# - Dashboard embedding

Advanced Features

Smart Scanning Technology

# Intelligent vulnerability detection:
# - Machine learning-based false positive reduction
# - Context-aware vulnerability assessment
# - Business logic flaw detection
# - Advanced payload generation
# - Evasion technique detection
# - Zero-day vulnerability research

# Adaptive scanning algorithms:
# - Dynamic scan optimization
# - Resource-aware scanning
# - Application behavior learning
# - Custom attack pattern recognition
# - Threat intelligence integration
# - Emerging vulnerability detection

Threat Intelligence Integration

# External threat intelligence sources:
# - CVE database integration
# - NIST vulnerability database
# - Exploit database correlation
# - Dark web monitoring
# - Threat actor attribution
# - IoC (Indicators of Compromise) matching

# Real-time threat updates:
# - New vulnerability notifications
# - Exploit availability alerts
# - Threat landscape changes
# - Attack pattern evolution
# - Remediation priority updates
# - Emergency security bulletins

Collaboration Features

# Team collaboration tools:
# - Shared vulnerability management
# - Assignment and tracking
# - Comment and annotation system
# - Approval workflows
# - Progress tracking
# - Knowledge base integration

# Role-based access control:
# - Administrator: Full system access
# - Security Manager: Scan management and reporting
# - Security Analyst: Vulnerability analysis and remediation
# - Developer: Assigned vulnerability access
# - Auditor: Read-only compliance access
# - Guest: Limited dashboard access

Integration Examples

Slack Integration

# Slack webhook configuration:
# 1. Create Slack app in workspace
# 2. Add incoming webhook
# 3. Configure webhook URL in Intruder
# 4. Set notification preferences
# 5. Test integration

# Slack notification format:
# Channel: #security-alerts
# Message: "🚨 High severity vulnerability found on example.com"
# Details: "SQL Injection in /login.php (CVSS: 8.1)"
# Actions: "View Details | Assign | Mark as False Positive"

Jira Integration

# Jira integration setup:
# 1. Create Jira API token
# 2. Configure Jira connection in Intruder
# 3. Map vulnerability fields to Jira fields
# 4. Set up automatic ticket creation rules
# 5. Configure status synchronization

# Automatic ticket creation:
# Project: SECURITY
# Issue Type: Bug
# Priority: Based on vulnerability severity
# Assignee: Security team or developer
# Labels: vulnerability, security, intruder
# Description: Detailed vulnerability information

SIEM Integration

# SIEM integration via API:
# - Real-time vulnerability feed
# - Security event correlation
# - Threat intelligence enrichment
# - Incident response automation
# - Compliance reporting
# - Risk scoring integration

# Splunk integration example:
# Data input: HTTP Event Collector
# Index: security_vulnerabilities
# Source type: intruder_vulnerability
# Fields: severity, target, vulnerability_type, cvss_score
# Dashboards: Security posture overview
# Alerts: High severity vulnerability detection
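An added example, not part of this page or of Intruder's or Splunk's own code: it turns a `vulnerability_found` webhook payload (the one shown earlier on this page) into a Splunk HTTP Event Collector event using the index, source type and fields from the Splunk settings above. The HEC endpoint path and `Authorization: Splunk <token>` scheme are standard HEC behaviour; the Splunk host name is an assumption.

```python
import json
from datetime import datetime

# Values from the Splunk integration settings on this page
HEC_INDEX = "security_vulnerabilities"
HEC_SOURCETYPE = "intruder_vulnerability"
# Standard HEC JSON endpoint; the host name is an assumption
HEC_URL = "https://splunk.example.com:8088/services/collector/event"


def to_hec_event(payload: dict) -> dict:
    """Map one vulnerability_found payload to a HEC event envelope."""
    vuln = payload["vulnerability"]
    target = payload["target"]
    # HEC takes the event time as epoch seconds; the webhook gives ISO 8601 with a Z suffix
    received = datetime.fromisoformat(payload["timestamp"].replace("Z", "+00:00"))
    return {
        "time": received.timestamp(),
        "host": target["name"],
        "source": "intruder",
        "sourcetype": HEC_SOURCETYPE,
        "index": HEC_INDEX,
        "event": {
            # The four fields the page lists, plus ids so an alert can link back to Intruder
            "severity": vuln["severity"].lower(),
            "target": target["name"],
            "vulnerability_type": vuln["title"],
            "cvss_score": float(vuln["cvss_score"]),
            "target_id": target["id"],
            "vulnerability_id": vuln["id"],
            "location": vuln["location"],
        },
    }


def hec_batch(payloads) -> str:
    """HEC accepts several events in one POST as concatenated JSON objects, not a JSON array."""
    return "".join(json.dumps(to_hec_event(p)) for p in payloads)


def hec_headers(hec_token: str) -> dict:
    """HEC authenticates with the 'Splunk <token>' scheme rather than Bearer."""
    return {"Authorization": f"Splunk {hec_token}", "Content-Type": "application/json"}


def high_severity_spl() -> str:
    """Search behind the page's 'High severity vulnerability detection' alert."""
    return (f'index={HEC_INDEX} sourcetype={HEC_SOURCETYPE} '
            f'severity IN ("high","critical") | stats count by target, vulnerability_type')


# Constructed sample, built from the webhook payload shown on this page
SAMPLE_PAYLOAD = {
    "event": "vulnerability_found",
    "timestamp": "2024-01-15T10:30:00Z",
    "target": {"id": "12345", "name": "example.com", "type": "web_application"},
    "vulnerability": {"id": "67890", "title": "SQL Injection", "severity": "high",
                      "cvss_score": 8.1, "location": "/login.php?id=1",
                      "remediation": "Use parameterized queries"},
}

if __name__ == "__main__":
    # POST hec_batch([...]) to HEC_URL with hec_headers(token) to ship the events
    print(hec_batch([SAMPLE_PAYLOAD]))
```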

CI/CD Pipeline Integration

# Jenkins declarative pipeline example (readJSON needs the Pipeline Utility Steps plugin):
pipeline {
    agent any

    environment {
        // Assumed: a "Secret text" credential with this id holds the Intruder API key.
        // credentials() masks the value in the console log and exposes it as an
        // environment variable that sh steps can read.
        INTRUDER_API_KEY = credentials('intruder-api-key')
        TARGET_ID = '12345'
    }

    stages {
        stage('Security Scan') {
            steps {
                script {
                    // Trigger Intruder scan. The script is single-quoted so the shell
                    // expands $INTRUDER_API_KEY itself; interpolating the secret into a
                    // Groovy string would write it into the build log. curl -sf makes an
                    // HTTP error fail the step instead of handing an error page to readJSON.
                    def scanResult = sh(
                        script: '''
                            curl -sf -X POST "https://api.intruder.io/v1/scans" \
                                -H "Authorization: Bearer $INTRUDER_API_KEY" \
                                -H "Content-Type: application/json" \
                                -d '{"target_id": "'"$TARGET_ID"'", "scan_type": "quick"}'
                        ''',
                        returnStdout: true
                    ).trim()

                    def scanId = readJSON(text: scanResult).scan_id

                    // Wait for scan completion; give up after 30 minutes
                    timeout(time: 30, unit: 'MINUTES') {
                        withEnv(["SCAN_ID=${scanId}"]) {
                            waitUntil {
                                def status = sh(
                                    script: '''
                                        curl -sf -X GET "https://api.intruder.io/v1/scans/$SCAN_ID" \
                                            -H "Authorization: Bearer $INTRUDER_API_KEY"
                                    ''',
                                    returnStdout: true
                                ).trim()

                                def statusJson = readJSON(text: status)
                                if (statusJson.status == 'failed') {
                                    error("Intruder scan ${scanId} failed")
                                }
                                if (statusJson.status != 'completed') {
                                    sleep(time: 30, unit: 'SECONDS')  // check every 30 seconds
                                }
                                return statusJson.status == 'completed'
                            }
                        }
                    }

                    // Check for high severity vulnerabilities on this target
                    def vulns = sh(
                        script: '''
                            curl -sf -X GET "https://api.intruder.io/v1/vulnerabilities?severity=high&target_id=$TARGET_ID" \
                                -H "Authorization: Bearer $INTRUDER_API_KEY"
                        ''',
                        returnStdout: true
                    ).trim()

                    // Assumes the endpoint returns a JSON array of vulnerabilities
                    def vulnCount = readJSON(text: vulns).size()

                    if (vulnCount > 0) {
                        error("High severity vulnerabilities found: ${vulnCount}")
                    }
                }
            }
        }
    }
}

Troubleshooting and Best Practices

Common Issues and Solutions

# Scan failures and timeouts:
# Issue: Target unreachable during scan
# Solution: Verify network connectivity and firewall rules
# Check: DNS resolution, port accessibility, rate limiting

# Authentication problems:
# Issue: Login sequence fails during scan
# Solution: Update authentication credentials
# Check: Session timeout, CSRF tokens, multi-factor authentication

# False positives:
# Issue: Legitimate functionality flagged as vulnerability
# Solution: Mark as false positive and add to exclusions
# Check: Business logic understanding, custom applications

# Performance impact:
# Issue: Scans affecting application performance
# Solution: Adjust scan intensity and timing
# Check: Rate limiting, resource usage, peak hours

Optimization Strategies

# Scan performance optimization:
# - Schedule scans during off-peak hours
# - Use appropriate scan intensity levels
# - Configure rate limiting for sensitive applications
# - Implement scan result caching
# - Optimize target scope and exclusions
# - Monitor resource usage during scans

# False positive reduction:
# - Maintain accurate asset inventory
# - Configure proper authentication
# - Use application-specific scan profiles
# - Regularly review and tune scan settings
# - Implement feedback loops for accuracy
# - Train team on vulnerability validation

Security Best Practices

# API security:
# - Use strong API keys with limited scope
# - Implement API key rotation policy
# - Monitor API usage and access logs
# - Use HTTPS for all API communications
# - Implement rate limiting and throttling
# - Validate webhook signatures

# Data protection:
# - Encrypt sensitive scan data
# - Implement access controls and RBAC
# - Regular security audits of Intruder usage
# - Secure storage of authentication credentials
# - Data retention and deletion policies
# - Compliance with data protection regulations

Monitoring and Maintenance

# Regular maintenance tasks:
# - Review and update target configurations
# - Validate authentication credentials
# - Update scan schedules and frequencies
# - Review and tune alert thresholds
# - Analyze scan performance metrics
# - Update integration configurations
# - Review user access and permissions
# - Validate compliance reporting accuracy

# Performance monitoring:
# - Track scan completion rates
# - Monitor false positive trends
# - Analyze vulnerability discovery rates
# - Review remediation timelines
# - Assess security posture improvements
# - Monitor integration health
# - Track API usage and limits
