Intruder Cheat Sheet¶
generieren
Überblick¶
Intruder ist ein Cloud-basierter automatisierter Sicherheitsscanner, der eine kontinuierliche Sicherheitsüberwachung für Webanwendungen, Netzwerke und Cloud-Infrastruktur ermöglicht. Es bietet intelligente Scanfähigkeiten mit minimalen falschen Positiven, automatisierter Abhilfeführung und nahtloser Integration in DevOps Workflows für proaktives Sicherheitsmanagement.
ZEIT Note: Kommerzieller Cloud-Service. Kostenloser Tier mit begrenzten Scans verfügbar. Bezahlte Pläne starten bei $99/Monat.
Erste Schritte¶
Kontoaufbau¶
```bash
Sign up process:¶
1. Visit intruder.io¶
2. Create account with email¶
3. Verify email address¶
4. Complete onboarding wizard¶
5. Add first target for scanning¶
Initial configuration steps:¶
- Set up organization profile¶
- Configure notification preferences¶
- Add team members and roles¶
- Set up integrations¶
- Define scanning schedules¶
```_
Dashboard Übersicht¶
```bash
Main dashboard sections:¶
- Vulnerability overview¶
- Recent scan results¶
- Target status monitoring¶
- Security score trends¶
- Upcoming scheduled scans¶
- Team activity feed¶
- Integration status¶
- Compliance reporting¶
```_
Zielmanagement¶
```bash
Add targets through web interface:¶
1. Navigate to "Targets" section¶
2. Click "Add Target"¶
3. Enter target details:¶
- Domain/IP address¶
- Target type (web app, network, cloud)¶
- Scan configuration¶
- Authentication details¶
4. Configure scan settings¶
5. Set up monitoring schedule¶
```_
Web Application Scanning¶
Zielkonfiguration¶
```bash
Web application target setup:¶
Target URL: https://example.com¶
Scan depth: Full site crawl¶
Authentication: Form-based/HTTP Basic/OAuth¶
Exclusions: /admin/, /api/internal/¶
Custom headers: Authorization, X-API-Key¶
Rate limiting: Respectful (default)¶
User agent: Custom or default¶
Advanced configuration options:¶
- Custom login sequences¶
- Multi-step authentication¶
- Session management¶
- Cookie handling¶
- JavaScript rendering¶
- Single Page Application (SPA) support¶
```_
Scannen von Arten und Moden¶
```bash
Quick Scan (15-30 minutes)¶
- Essential vulnerability checks¶
- OWASP Top 10 coverage¶
- Basic configuration issues¶
- Suitable for CI/CD integration¶
Full Scan (1-4 hours)¶
- Comprehensive vulnerability assessment¶
- Deep crawling and discovery¶
- Advanced attack simulations¶
- Detailed configuration analysis¶
Custom Scan¶
- User-defined test selection¶
- Specific vulnerability categories¶
- Targeted testing approach¶
- Compliance-focused scanning¶
```_
Authentication Setup¶
```bash
Form-based authentication configuration:¶
1. Login URL: https://example.com/login¶
2. Username field: email or username¶
3. Password field: password¶
4. Submit button: Login or Sign In¶
5. Success indicator: Dashboard or Welcome¶
6. Logout URL: https://example.com/logout¶
HTTP Basic Authentication:¶
Username: api_user¶
Password: secure_password¶
Realm: Protected Area (optional)¶
OAuth 2.0 Configuration:¶
Authorization URL: https://auth.example.com/oauth/authorize¶
Token URL: https://auth.example.com/oauth/token¶
Client ID: your_client_id¶
Client Secret: your_client_secret¶
Scope: read write admin¶
```_
Schwachstelle Kategorien¶
```bash
OWASP Top 10 Coverage:¶
- Injection vulnerabilities (SQL, NoSQL, LDAP, OS)¶
- Broken authentication and session management¶
- Sensitive data exposure¶
- XML External Entities (XXE)¶
- Broken access control¶
- Security misconfigurations¶
- Cross-Site Scripting (XSS)¶
- Insecure deserialization¶
- Using components with known vulnerabilities¶
- Insufficient logging and monitoring¶
Additional vulnerability checks:¶
- CSRF (Cross-Site Request Forgery)¶
- Clickjacking¶
- HTTP security headers¶
- SSL/TLS configuration¶
- Directory traversal¶
- File inclusion vulnerabilities¶
- Business logic flaws¶
- API security issues¶
```_
Netzwerk- und Infrastruktur-Scanning¶
Netzwerk Ziel Setup¶
```bash
Network scanning configuration:¶
Target range: 192.168.1.0/24¶
Port range: 1-65535 or common ports¶
Scan intensity: Light, Normal, Aggressive¶
Service detection: Enabled¶
OS fingerprinting: Enabled¶
Vulnerability assessment: Full¶
Cloud infrastructure scanning:¶
AWS account integration¶
Azure subscription scanning¶
Google Cloud Platform monitoring¶
Kubernetes cluster assessment¶
Docker container security¶
Serverless function analysis¶
```_
Hafen und Service Discovery¶
```bash
Common ports scanned:¶
Web services: 80, 443, 8080, 8443¶
SSH: 22, 2222¶
FTP: 21, 990¶
Telnet: 23¶
SMTP: 25, 465, 587¶
DNS: 53¶
HTTP alternatives: 8000, 8008, 9000¶
Database: 3306, 5432, 1433, 27017¶
Remote access: 3389, 5900¶
Service identification includes:¶
- Service version detection¶
- Banner grabbing¶
- Protocol analysis¶
- Configuration assessment¶
- Default credential testing¶
- Known vulnerability matching¶
```_
Infrastruktur Schwachstellen¶
```bash
Network vulnerability categories:¶
- Unpatched operating systems¶
- Insecure service configurations¶
- Default credentials¶
- Weak encryption protocols¶
- Open administrative interfaces¶
- Unnecessary services running¶
- Firewall misconfigurations¶
- Network segmentation issues¶
Cloud-specific vulnerabilities:¶
- Misconfigured S3 buckets¶
- Overprivileged IAM roles¶
- Unencrypted data stores¶
- Public database instances¶
- Insecure API gateways¶
- Container vulnerabilities¶
- Serverless misconfigurations¶
```_
Überwachung der Cloud-Sicherheit¶
AWS Integration¶
```bash
AWS account setup:¶
1. Create IAM role for Intruder¶
2. Attach security audit policies:¶
- SecurityAudit (AWS managed)¶
- ReadOnlyAccess (AWS managed)¶
- Custom policy for specific resources¶
3. Configure cross-account access¶
4. Add AWS account to Intruder¶
5. Verify permissions and connectivity¶
AWS services monitored:¶
- EC2 instances and security groups¶
- S3 buckets and access policies¶
- RDS databases and encryption¶
- IAM users, roles, and policies¶
- VPC configurations and NACLs¶
- CloudTrail logging setup¶
- Lambda function security¶
- API Gateway configurations¶
```_
Integration von Azteken¶
```bash
Azure subscription setup:¶
1. Create service principal¶
2. Assign Reader role to subscription¶
3. Grant additional permissions:¶
- Security Reader¶
- Key Vault Reader¶
- Storage Account Contributor (read-only)¶
4. Configure application registration¶
5. Add Azure subscription to Intruder¶
Azure services monitored:¶
- Virtual machines and NSGs¶
- Storage accounts and access keys¶
- SQL databases and firewalls¶
- Key Vault configurations¶
- Active Directory settings¶
- Application Gateway security¶
- Function App configurations¶
- Cosmos DB security settings¶
```_
Google Cloud Platform¶
```bash
GCP project setup:¶
1. Create service account¶
2. Assign predefined roles:¶
- Security Reviewer¶
- Compute Viewer¶
- Storage Object Viewer¶
- Cloud SQL Viewer¶
3. Generate and download JSON key¶
4. Add GCP project to Intruder¶
5. Verify service account permissions¶
GCP services monitored:¶
- Compute Engine instances¶
- Cloud Storage buckets¶
- Cloud SQL databases¶
- IAM policies and bindings¶
- VPC firewall rules¶
- Cloud Functions security¶
- Kubernetes Engine clusters¶
- API Gateway configurations¶
```_
kontinuierliche Überwachung und Automatisierung¶
Geplantes Scannen¶
```bash
Scan frequency options:¶
- Daily: High-priority targets¶
- Weekly: Standard monitoring¶
- Monthly: Comprehensive assessments¶
- Custom: User-defined intervals¶
Scheduling configuration:¶
Target: example.com¶
Scan type: Full scan¶
Frequency: Weekly¶
Day: Sunday¶
Time: 02:00 UTC¶
Timezone: UTC/Local¶
Notifications: Email, Slack, webhook¶
Scan optimization:¶
- Off-peak scheduling¶
- Resource-aware timing¶
- Dependency management¶
- Parallel scan limits¶
- Rate limiting controls¶
```_
Alarmkonfiguration¶
```bash
Alert severity levels:¶
Critical: Immediate attention required¶
High: Address within 24 hours¶
Medium: Address within 1 week¶
Low: Address during maintenance¶
Info: Awareness only¶
Notification channels:¶
Email: team@example.com¶
Slack: #security-alerts¶
Microsoft Teams: Security Team¶
Webhook: https://api.example.com/security/alerts¶
PagerDuty: Security incident escalation¶
Jira: Automatic ticket creation¶
Alert conditions:¶
- New vulnerabilities discovered¶
- Vulnerability severity increase¶
- Target becomes unreachable¶
- Scan failures or errors¶
- Compliance violations¶
- Security score degradation¶
```_
Integration mit DevOps Tools¶
```bash
CI/CD pipeline integration:¶
Jenkins plugin: Intruder Security Scanner¶
GitHub Actions: intruder-io/intruder-action¶
GitLab CI: Custom webhook integration¶
Azure DevOps: REST API integration¶
CircleCI: Custom orb available¶
API integration examples:¶
Trigger scan: POST /api/v1/scans¶
Get results: GET /api/v1/scans/{scan_id}¶
List vulnerabilities: GET /api/v1/vulnerabilities¶
Update target: PUT /api/v1/targets/{target_id}¶
Export report: GET /api/v1/reports/{report_id}¶
```_
API Nutzung und Automatisierung¶
Authentication¶
```bash
API key authentication:¶
1. Generate API key in dashboard¶
2. Include in request headers:¶
Authorization: Bearer YOUR_API_KEY¶
3. Use HTTPS for all requests¶
4. Rotate keys regularly¶
5. Monitor API usage and limits¶
Rate limiting:¶
- 1000 requests per hour (standard)¶
- 5000 requests per hour (premium)¶
- Burst allowance: 100 requests per minute¶
- Rate limit headers included in responses¶
```_
Gemeinsame API Operationen¶
```bash
Start a new scan¶
curl -X POST "https://api.intruder.io/v1/scans" \ -H "Authorization: Bearer YOUR_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "target_id": "12345", "scan_type": "full", "priority": "normal" }'
Get scan status¶
curl -X GET "https://api.intruder.io/v1/scans/67890" \ -H "Authorization: Bearer YOUR_API_KEY"
List all vulnerabilities¶
curl -X GET "https://api.intruder.io/v1/vulnerabilities?severity=high" \ -H "Authorization: Bearer YOUR_API_KEY"
Export scan report¶
curl -X GET "https://api.intruder.io/v1/reports/12345?format=pdf" \ -H "Authorization: Bearer YOUR_API_KEY" \ -o "security_report.pdf" ```_
Webhook Konfiguration¶
```bash
Webhook setup for real-time notifications:¶
Endpoint URL: https://your-server.com/intruder-webhook¶
Secret: webhook_secret_key¶
Events: scan_completed, vulnerability_found, target_unreachable¶
Webhook payload example:¶
{ "event": "vulnerability_found", "timestamp": "2024-01-15T10:30:00Z", "target": { "id": "12345", "name": "example.com", "type": "web_application" }, "vulnerability": { "id": "67890", "title": "SQL Injection", "severity": "high", "cvss_score": 8.1, "description": "SQL injection vulnerability found in login form", "location": "/login.php?id=1", "remediation": "Use parameterized queries" } } ```_
Automatisierungsskripte¶
```python
Python automation example¶
import requests import json import time
class IntruderAPI: def init(self, api_key): self.api_key = api_key self.base_url = "https://api.intruder.io/v1" self.headers = { "Authorization": f"Bearer {api_key}", "Content-Type": "application/json" }
def start_scan(self, target_id, scan_type="full"):
"""Start a new security scan"""
data = {
"target_id": target_id,
"scan_type": scan_type,
"priority": "normal"
}
response = requests.post(
f"{self.base_url}/scans",
headers=self.headers,
json=data
)
return response.json()
def get_scan_status(self, scan_id):
"""Get the status of a running scan"""
response = requests.get(
f"{self.base_url}/scans/{scan_id}",
headers=self.headers
)
return response.json()
def wait_for_scan_completion(self, scan_id, timeout=3600):
"""Wait for scan to complete with timeout"""
start_time = time.time()
while time.time() - start_time < timeout:
status = self.get_scan_status(scan_id)
if status["status"] == "completed":
return status
elif status["status"] == "failed":
raise Exception(f"Scan failed: {status['error']}")
time.sleep(30) # Check every 30 seconds
raise TimeoutError("Scan did not complete within timeout")
def get_vulnerabilities(self, target_id=None, severity=None):
"""Get list of vulnerabilities"""
params = {}
if target_id:
params["target_id"] = target_id
if severity:
params["severity"] = severity
response = requests.get(
f"{self.base_url}/vulnerabilities",
headers=self.headers,
params=params
)
return response.json()
Usage example¶
api = IntruderAPI("your_api_key_here")
Start scan and wait for completion¶
scan_result = api.start_scan("12345", "full") scan_id = scan_result["scan_id"]
print(f"Started scan {scan_id}, waiting for completion...") completed_scan = api.wait_for_scan_completion(scan_id)
Get high severity vulnerabilities¶
high_vulns = api.get_vulnerabilities(severity="high") print(f"Found {len(high_vulns)} high severity vulnerabilities") ```_
Reporting und Compliance¶
Bericht Generation¶
```bash
Available report formats:¶
- PDF: Executive and technical reports¶
- HTML: Interactive web reports¶
- CSV: Vulnerability data export¶
- JSON: API data format¶
- XML: Structured data export¶
Report types:¶
Executive Summary:¶
- High-level security overview¶
- Risk assessment summary¶
- Trend analysis¶
- Compliance status¶
- Recommendations¶
Technical Report:¶
- Detailed vulnerability listings¶
- Proof of concept details¶
- Remediation instructions¶
- CVSS scoring¶
- Technical references¶
Compliance Report:¶
- PCI DSS compliance¶
- ISO 27001 alignment¶
- NIST framework mapping¶
- SOC 2 requirements¶
- Custom compliance frameworks¶
```_
Compliance Frameworks¶
```bash
PCI DSS Compliance:¶
Requirement 6.5: Address common vulnerabilities¶
Requirement 11.2: Run quarterly vulnerability scans¶
Requirement 11.3: Perform penetration testing¶
ASV (Approved Scanning Vendor) certified scans¶
Quarterly external vulnerability scans¶
Annual penetration testing requirements¶
ISO 27001 Alignment:¶
A.12.6.1: Management of technical vulnerabilities¶
A.14.2.1: Secure development policy¶
A.14.2.5: Secure system engineering principles¶
Continuous monitoring requirements¶
Risk assessment integration¶
Documentation and evidence collection¶
NIST Cybersecurity Framework:¶
Identify: Asset and vulnerability discovery¶
Protect: Security control implementation¶
Detect: Continuous monitoring and alerting¶
Respond: Incident response integration¶
Recover: Remediation tracking and validation¶
```_
Berichterstattung¶
```bash
Report customization options:¶
- Company branding and logos¶
- Custom executive summary¶
- Filtered vulnerability lists¶
- Risk scoring methodology¶
- Remediation prioritization¶
- Trend analysis periods¶
- Compliance mapping¶
- Technical appendices¶
Automated report distribution:¶
- Scheduled report generation¶
- Email distribution lists¶
- Secure file sharing¶
- API-driven report delivery¶
- Integration with ticketing systems¶
- Dashboard embedding¶
```_
Erweiterte Funktionen¶
Smart Scaning Technologie¶
```bash
Intelligent vulnerability detection:¶
- Machine learning-based false positive reduction¶
- Context-aware vulnerability assessment¶
- Business logic flaw detection¶
- Advanced payload generation¶
- Evasion technique detection¶
- Zero-day vulnerability research¶
Adaptive scanning algorithms:¶
- Dynamic scan optimization¶
- Resource-aware scanning¶
- Application behavior learning¶
- Custom attack pattern recognition¶
- Threat intelligence integration¶
- Emerging vulnerability detection¶
```_
Threat Intelligence Integration¶
```bash
External threat intelligence sources:¶
- CVE database integration¶
- NIST vulnerability database¶
- Exploit database correlation¶
- Dark web monitoring¶
- Threat actor attribution¶
- IoC (Indicators of Compromise) matching¶
Real-time threat updates:¶
- New vulnerability notifications¶
- Exploit availability alerts¶
- Threat landscape changes¶
- Attack pattern evolution¶
- Remediation priority updates¶
- Emergency security bulletins¶
```_
Funktionen der Zusammenarbeit¶
```bash
Team collaboration tools:¶
- Shared vulnerability management¶
- Assignment and tracking¶
- Comment and annotation system¶
- Approval workflows¶
- Progress tracking¶
- Knowledge base integration¶
Role-based access control:¶
- Administrator: Full system access¶
- Security Manager: Scan management and reporting¶
- Security Analyst: Vulnerability analysis and remediation¶
- Developer: Assigned vulnerability access¶
- Auditor: Read-only compliance access¶
- Guest: Limited dashboard access¶
```_
Integrationsbeispiele¶
Slack Integration¶
```bash
Slack webhook configuration:¶
1. Create Slack app in workspace¶
2. Add incoming webhook¶
3. Configure webhook URL in Intruder¶
4. Set notification preferences¶
5. Test integration¶
Slack notification format:¶
Channel: #security-alerts¶
Message: "🚨 High severity vulnerability found on example.com"¶
Details: "SQL Injection in /login.php (CVSS: 8.1)"¶
Actions: "View Details | Assign | Mark as False Positive"¶
```_
Jira Integration¶
```bash
Jira integration setup:¶
1. Create Jira API token¶
2. Configure Jira connection in Intruder¶
3. Map vulnerability fields to Jira fields¶
4. Set up automatic ticket creation rules¶
5. Configure status synchronization¶
Automatic ticket creation:¶
Project: SECURITY¶
Issue Type: Bug¶
Priority: Based on vulnerability severity¶
Assignee: Security team or developer¶
Labels: vulnerability, security, intruder¶
Description: Detailed vulnerability information¶
```_
SIEM Integration¶
```bash
SIEM integration via API:¶
- Real-time vulnerability feed¶
- Security event correlation¶
- Threat intelligence enrichment¶
- Incident response automation¶
- Compliance reporting¶
- Risk scoring integration¶
Splunk integration example:¶
Data input: HTTP Event Collector¶
Index: security_vulnerabilities¶
Source type: intruder_vulnerability¶
Fields: severity, target, vulnerability_type, cvss_score¶
Dashboards: Security posture overview¶
Alerts: High severity vulnerability detection¶
```_
CI/CD Pipeline Integration¶
```bash
Jenkins pipeline example:¶
pipeline { agent any
stages {
stage('Security Scan') {
steps {
script {
// Trigger Intruder scan
def scanResult = sh(
script: """
curl -X POST "https://api.intruder.io/v1/scans" \
-H "Authorization: Bearer ${INTRUDER_API_KEY}" \
-H "Content-Type: application/json" \
-d '{"target_id": "${TARGET_ID}", "scan_type": "quick"}'
""",
returnStdout: true
)
def scanId = readJSON(text: scanResult).scan_id
// Wait for scan completion
timeout(time: 30, unit: 'MINUTES') {
waitUntil {
script {
def status = sh(
script: """
curl -X GET "https://api.intruder.io/v1/scans/${scanId}" \
-H "Authorization: Bearer ${INTRUDER_API_KEY}"
""",
returnStdout: true
)
def statusJson = readJSON(text: status)
return statusJson.status == 'completed'
}
}
}
// Check for high severity vulnerabilities
def vulns = sh(
script: """
curl -X GET "https://api.intruder.io/v1/vulnerabilities?severity=high&target_id=${TARGET_ID}" \
-H "Authorization: Bearer ${INTRUDER_API_KEY}"
""",
returnStdout: true
)
def vulnCount = readJSON(text: vulns).size()
if (vulnCount > 0) {
error("High severity vulnerabilities found: ${vulnCount}")
}
}
}
}
}
} ```_
Fehlerbehebung und Best Practices¶
Gemeinsame Themen und Lösungen¶
```bash
Scan failures and timeouts:¶
Issue: Target unreachable during scan¶
Solution: Verify network connectivity and firewall rules¶
Check: DNS resolution, port accessibility, rate limiting¶
Authentication problems:¶
Issue: Login sequence fails during scan¶
Solution: Update authentication credentials¶
Check: Session timeout, CSRF tokens, multi-factor authentication¶
False positives:¶
Issue: Legitimate functionality flagged as vulnerability¶
Solution: Mark as false positive and add to exclusions¶
Check: Business logic understanding, custom applications¶
Performance impact:¶
Issue: Scans affecting application performance¶
Solution: Adjust scan intensity and timing¶
Check: Rate limiting, resource usage, peak hours¶
```_
Optimierungsstrategien¶
```bash
Scan performance optimization:¶
- Schedule scans during off-peak hours¶
- Use appropriate scan intensity levels¶
- Configure rate limiting for sensitive applications¶
- Implement scan result caching¶
- Optimize target scope and exclusions¶
- Monitor resource usage during scans¶
False positive reduction:¶
- Maintain accurate asset inventory¶
- Configure proper authentication¶
- Use application-specific scan profiles¶
- Regularly review and tune scan settings¶
- Implement feedback loops for accuracy¶
- Train team on vulnerability validation¶
```_
Sicherheit Best Practices¶
```bash
API security:¶
- Use strong API keys with limited scope¶
- Implement API key rotation policy¶
- Monitor API usage and access logs¶
- Use HTTPS for all API communications¶
- Implement rate limiting and throttling¶
- Validate webhook signatures¶
Data protection:¶
- Encrypt sensitive scan data¶
- Implement access controls and RBAC¶
- Regular security audits of Intruder usage¶
- Secure storage of authentication credentials¶
- Data retention and deletion policies¶
- Compliance with data protection regulations¶
```_
Überwachung und Wartung¶
```bash
Regular maintenance tasks:¶
- Review and update target configurations¶
- Validate authentication credentials¶
- Update scan schedules and frequencies¶
- Review and tune alert thresholds¶
- Analyze scan performance metrics¶
- Update integration configurations¶
- Review user access and permissions¶
- Validate compliance reporting accuracy¶
Performance monitoring:¶
- Track scan completion rates¶
- Monitor false positive trends¶
- Analyze vulnerability discovery rates¶
- Review remediation timelines¶
- Assess security posture improvements¶
- Monitor integration health¶
- Track API usage and limits¶
```_
Ressourcen¶
Dokumentation¶
- Eindringliche Dokumentation
- [API Reference](LINK_10__
- (URL_2)
Unterstützung und Gemeinschaft¶
- [Intruder Support Portal](URL_3_
- [Wissensbasis](LINK_13__
- [Gemeinschaftsforum](LINK_14__
Schulung und Zertifizierung¶
- Intruder Academy
- [Webinar Series](LINK_16__
- (URL_8)