Intruder Cheat Sheet
"Clase de la hoja" id="copy-btn" class="copy-btn" onclick="copyAllCommands()" Copiar todos los comandos id="pdf-btn" class="pdf-btn" onclick="generatePDF()" Generar PDF seleccionado/button ■/div titulada
Overview
Intruder is a cloud-based automated vulnerability scanner that provides continuous security monitoring for web applications, networks and cloud infrastructure. It offers scanning tuned for a low false-positive rate, automated remediation guidance, and integration into DevOps workflows for proactive security management.
Note: Commercial cloud service. A free tier with a limited number of scans is available. Paid plans start at $99/month.
Getting Started
Account Setup
# Sign up process:
# 1. Visit intruder.io
# 2. Create account with email
# 3. Verify email address
# 4. Complete onboarding wizard
# 5. Add first target for scanning
# Initial configuration steps:
# - Set up organization profile
# - Configure notification preferences
# - Add team members and roles
# - Set up integrations
# - Define scanning schedules
Dashboard Overview
# Main dashboard sections:
# - Vulnerability overview
# - Recent scan results
# - Target status monitoring
# - Security score trends
# - Upcoming scheduled scans
# - Team activity feed
# - Integration status
# - Compliance reporting
Target Management
# Add targets through web interface:
# 1. Navigate to "Targets" section
# 2. Click "Add Target"
# 3. Enter target details:
# - Domain/IP address
# - Target type (web app, network, cloud)
# - Scan configuration
# - Authentication details
# 4. Configure scan settings
# 5. Set up monitoring schedule
Web Application Scanning
Target Configuration
# Web application target setup:
# Target URL: https://example.com
# Scan depth: Full site crawl
# Authentication: Form-based/HTTP Basic/OAuth
# Exclusions: /admin/*, /api/internal/*
# Custom headers: Authorization, X-API-Key
# Rate limiting: Respectful (default)
# User agent: Custom or default
# Advanced configuration options:
# - Custom login sequences
# - Multi-step authentication
# - Session management
# - Cookie handling
# - JavaScript rendering
# - Single Page Application (SPA) support
Scan Types and Modes
# Quick Scan (15-30 minutes)
# - Essential vulnerability checks
# - OWASP Top 10 coverage
# - Basic configuration issues
# - Suitable for CI/CD integration
# Full Scan (1-4 hours)
# - Comprehensive vulnerability assessment
# - Deep crawling and discovery
# - Advanced attack simulations
# - Detailed configuration analysis
# Custom Scan
# - User-defined test selection
# - Specific vulnerability categories
# - Targeted testing approach
# - Compliance-focused scanning
Authentication Configuration
# Form-based authentication configuration:
# 1. Login URL: https://example.com/login
# 2. Username field: email or username
# 3. Password field: password
# 4. Submit button: Login or Sign In
# 5. Success indicator: Dashboard or Welcome
# 6. Logout URL: https://example.com/logout
# HTTP Basic Authentication:
# Username: api_user
# Password: secure_password
# Realm: Protected Area (optional)
# OAuth 2.0 Configuration:
# Authorization URL: https://auth.example.com/oauth/authorize
# Token URL: https://auth.example.com/oauth/token
# Client ID: your_client_id
# Client Secret: your_client_secret
# Scope: read write admin (request only the scopes the scan actually needs; an "admin" scope lets a misfiring scanner make destructive changes through the API it is testing)
Vulnerability Categories
# OWASP Top 10 coverage (the list below follows the 2017 edition):
# - Injection vulnerabilities (SQL, NoSQL, LDAP, OS)
# - Broken authentication and session management
# - Sensitive data exposure
# - XML External Entities (XXE)
# - Broken access control
# - Security misconfigurations
# - Cross-Site Scripting (XSS)
# - Insecure deserialization
# - Using components with known vulnerabilities
# - Insufficient logging and monitoring
# Additional vulnerability checks:
# - CSRF (Cross-Site Request Forgery)
# - Clickjacking
# - HTTP security headers
# - SSL/TLS configuration
# - Directory traversal
# - File inclusion vulnerabilities
# - Business logic flaws
# - API security issues
Network and Infrastructure Scanning
Network Target Setup
# Network scanning configuration:
# Target range: 192.168.1.0/24
# Port range: 1-65535 or common ports
# Scan intensity: Light, Normal, Aggressive
# Service detection: Enabled
# OS fingerprinting: Enabled
# Vulnerability assessment: Full
# Cloud infrastructure scanning:
# AWS account integration
# Azure subscription scanning
# Google Cloud Platform monitoring
# Kubernetes cluster assessment
# Docker container security
# Serverless function analysis
Port and Service Discovery
# Common ports scanned:
# Web services: 80, 443, 8080, 8443
# SSH: 22, 2222
# FTP: 21, 990
# Telnet: 23
# SMTP: 25, 465, 587
# DNS: 53
# HTTP alternatives: 8000, 8008, 9000
# Database: 3306, 5432, 1433, 27017
# Remote access: 3389, 5900
# Service identification includes:
# - Service version detection
# - Banner grabbing
# - Protocol analysis
# - Configuration assessment
# - Default credential testing
# - Known vulnerability matching
Infrastructure Capabilities
# Network vulnerability categories:
# - Unpatched operating systems
# - Insecure service configurations
# - Default credentials
# - Weak encryption protocols
# - Open administrative interfaces
# - Unnecessary services running
# - Firewall misconfigurations
# - Network segmentation issues
# Cloud-specific vulnerabilities:
# - Misconfigured S3 buckets
# - Overprivileged IAM roles
# - Unencrypted data stores
# - Public database instances
# - Insecure API gateways
# - Container vulnerabilities
# - Serverless misconfigurations
Cloud Security Monitoring
AWS Integration
# AWS account setup:
# 1. Create IAM role for Intruder
# 2. Attach security audit policies:
# - SecurityAudit (AWS managed): read access to security configuration only; usually sufficient for a scanner
# - ReadOnlyAccess (AWS managed): broader than the name suggests (it also grants data reads such as s3:GetObject), so prefer SecurityAudit plus a scoped custom policy
# - Custom policy for specific resources
# 3. Configure cross-account access
# 4. Add AWS account to Intruder
# 5. Verify permissions and connectivity
# AWS services monitored:
# - EC2 instances and security groups
# - S3 buckets and access policies
# - RDS databases and encryption
# - IAM users, roles, and policies
# - VPC configurations and NACLs
# - CloudTrail logging setup
# - Lambda function security
# - API Gateway configurations
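The "configure cross-account access" step above is where most scanner integrations go wrong: a trust policy that lets the vendor's account assume your role without an ExternalId condition can be abused by any other customer of that vendor (the confused-deputy problem). The block below is an added example, not Intruder's own documentation or code; the scanner account ID and ExternalId are placeholders you would copy from the Intruder UI. It builds the trust policy and runs the checks a reviewer would apply before the role is created.

```python
import json

# Placeholders (assumptions, not values from the page): take the real scanner
# account ID and the per-organisation ExternalId from the Intruder UI.
SCANNER_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "org-12345-external-id"


def build_trust_policy(scanner_account_id: str, external_id: str) -> dict:
    """Trust policy for the cross-account role the scanner assumes.

    The sts:ExternalId condition is the confused-deputy guard: without it, any
    other tenant of the scanner could ask the scanner to assume *this* role.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{scanner_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def check_trust_policy(policy: dict) -> list:
    """Return a list of findings for every statement that allows AssumeRole.

    An empty list means the policy passes: no wildcard principal, an ExternalId
    condition is present, and the ExternalId is long enough to be unguessable.
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue

        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"statement {i}: wildcard principal can assume the role")

        cond = stmt.get("Condition", {})
        external_id = None
        for operator in ("StringEquals", "StringEqualsIgnoreCase"):
            external_id = cond.get(operator, {}).get("sts:ExternalId")
            if external_id:
                break
        if not external_id:
            findings.append(f"statement {i}: no sts:ExternalId condition (confused-deputy risk)")
        elif len(str(external_id)) < 16:
            findings.append(f"statement {i}: ExternalId is short enough to guess")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(SCANNER_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("findings:", check_trust_policy(policy) or "none")
```

Pair the role with SecurityAudit (and a scoped custom policy if the scanner needs more), not ReadOnlyAccess, so that a compromised scanner tenant cannot read object data from your buckets.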
Azure Integration
# Azure subscription setup:
# 1. Create service principal
# 2. Assign Reader role to subscription
# 3. Grant additional permissions:
# - Security Reader
# - Key Vault Reader
# - Storage Account Contributor (note: this is a management role that can also list and regenerate account keys, not a read-only one; grant it only if the integration genuinely needs listKeys, and scope it to the storage accounts being assessed)
# 4. Configure application registration
# 5. Add Azure subscription to Intruder
# Azure services monitored:
# - Virtual machines and NSGs
# - Storage accounts and access keys
# - SQL databases and firewalls
# - Key Vault configurations
# - Active Directory settings
# - Application Gateway security
# - Function App configurations
# - Cosmos DB security settings
Google Cloud Platform
# GCP project setup:
# 1. Create service account
# 2. Assign predefined roles:
# - Security Reviewer
# - Compute Viewer
# - Storage Object Viewer
# - Cloud SQL Viewer
# 3. Generate and download JSON key (a long-lived credential: keep it in a secret manager, rotate it, and delete keys that are no longer used)
# 4. Add GCP project to Intruder
# 5. Verify service account permissions
# GCP services monitored:
# - Compute Engine instances
# - Cloud Storage buckets
# - Cloud SQL databases
# - IAM policies and bindings
# - VPC firewall rules
# - Cloud Functions security
# - Kubernetes Engine clusters
# - API Gateway configurations
Continuous Monitoring and Automation
Scheduled Scanning
# Scan frequency options:
# - Daily: High-priority targets
# - Weekly: Standard monitoring
# - Monthly: Comprehensive assessments
# - Custom: User-defined intervals
# Scheduling configuration:
# Target: example.com
# Scan type: Full scan
# Frequency: Weekly
# Day: Sunday
# Time: 02:00 UTC
# Timezone: UTC/Local
# Notifications: Email, Slack, webhook
# Scan optimization:
# - Off-peak scheduling
# - Resource-aware timing
# - Dependency management
# - Parallel scan limits
# - Rate limiting controls
Alert Configuration
# Alert severity levels:
# Critical: Immediate attention required
# High: Address within 24 hours
# Medium: Address within 1 week
# Low: Address during maintenance
# Info: Awareness only
# Notification channels:
# Email: team@example.com
# Slack: #security-alerts
# Microsoft Teams: Security Team
# Webhook: https://api.example.com/security/alerts
# PagerDuty: Security incident escalation
# Jira: Automatic ticket creation
# Alert conditions:
# - New vulnerabilities discovered
# - Vulnerability severity increase
# - Target becomes unreachable
# - Scan failures or errors
# - Compliance violations
# - Security score degradation
DevOps Tool Integration
# CI/CD pipeline integration:
# Jenkins plugin: Intruder Security Scanner
# GitHub Actions: intruder-io/intruder-action
# GitLab CI: Custom webhook integration
# Azure DevOps: REST API integration
# CircleCI: Custom orb available
# API integration examples:
# Trigger scan: POST /api/v1/scans
# Get results: GET /api/v1/scans/{scan_id}
# List vulnerabilities: GET /api/v1/vulnerabilities
# Update target: PUT /api/v1/targets/{target_id}
# Export report: GET /api/v1/reports/{report_id}
API Usage and Automation
Authentication
# API key authentication:
# 1. Generate API key in dashboard
# 2. Include in request headers:
# Authorization: Bearer YOUR_API_KEY
# 3. Use HTTPS for all requests
# 4. Rotate keys regularly
# 5. Monitor API usage and limits
# Rate limiting:
# - 1000 requests per hour (standard)
# - 5000 requests per hour (premium)
# - Burst allowance: 100 requests per minute
# - Rate limit headers included in responses
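A client that ignores the limits above will start failing mid-pipeline with HTTP 429 once a few scheduled jobs overlap. The block below is an added example (standard library only, not Intruder's SDK) of the retry behaviour a practitioner wants: honour `Retry-After` when present, back off exponentially otherwise, retry on 5xx, and stop after a bounded number of attempts. The base URL and header shape follow the curl examples on this page; the `X-RateLimit-*` header names and the integer-seconds form of `Retry-After` are assumptions, since the page only says that rate-limit headers are included. The transport and sleep functions are injectable so the logic can be exercised offline.

```python
import json
import time
import urllib.error
import urllib.request

API_BASE = "https://api.intruder.io/v1"  # base URL used by the curl examples on this page


def urllib_transport(method, url, headers, body):
    """Real HTTP transport: returns (status, headers dict, body bytes), never raises on 4xx/5xx."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


class RateLimitedClient:
    def __init__(self, api_key, transport=urllib_transport, sleep=time.sleep, max_retries=5):
        self.headers = {
            "Authorization": f"Bearer {api_key}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        }
        self.transport = transport      # (method, url, headers, body) -> (status, headers, bytes)
        self.sleep = sleep              # injectable so tests do not actually wait
        self.max_retries = max_retries
        self.last_rate_headers = {}     # assumed X-RateLimit-* headers from the last response

    def request(self, method, path, payload=None):
        body = json.dumps(payload).encode() if payload is not None else None
        delay = 1.0  # seconds; doubles on each retry when no Retry-After is given
        for attempt in range(self.max_retries + 1):
            status, hdrs, raw = self.transport(method, API_BASE + path, self.headers, body)
            hdrs = {k.lower(): v for k, v in hdrs.items()}
            self.last_rate_headers = {k: v for k, v in hdrs.items() if k.startswith("x-ratelimit")}

            if status == 429 or status >= 500:
                if attempt == self.max_retries:
                    raise RuntimeError(f"{method} {path}: giving up after {attempt} retries (HTTP {status})")
                retry_after = hdrs.get("retry-after")
                # Assumption: Retry-After arrives as integer seconds; anything else falls back to backoff
                wait = float(retry_after) if retry_after and retry_after.isdigit() else delay
                self.sleep(wait)
                delay = min(delay * 2, 60.0)
                continue
            if status >= 400:
                raise RuntimeError(f"{method} {path}: HTTP {status}: {raw[:200]!r}")
            return json.loads(raw) if raw else None

    def remaining_budget(self):
        """Requests left in the current window, or None if the header was not present (assumed header name)."""
        value = self.last_rate_headers.get("x-ratelimit-remaining")
        return int(value) if value is not None and value.isdigit() else None


if __name__ == "__main__":
    import os
    client = RateLimitedClient(os.environ["INTRUDER_API_KEY"])
    print(client.request("GET", "/vulnerabilities?severity=high"))
    print("remaining:", client.remaining_budget())
```

Retrying on 5xx is deliberate; retrying on other 4xx responses (401, 403, 404) is not, because those will not fix themselves and would only burn the hourly budget.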
Common API Operations
# Start a new scan
curl -X POST "https://api.intruder.io/v1/scans" \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"target_id": "12345",
"scan_type": "full",
"priority": "normal"
}'
# Get scan status
curl -X GET "https://api.intruder.io/v1/scans/67890" \
-H "Authorization: Bearer YOUR_API_KEY"
# List all vulnerabilities
curl -X GET "https://api.intruder.io/v1/vulnerabilities?severity=high" \
-H "Authorization: Bearer YOUR_API_KEY"
# Export scan report
curl -X GET "https://api.intruder.io/v1/reports/12345?format=pdf" \
-H "Authorization: Bearer YOUR_API_KEY" \
-o "security_report.pdf"
Webhook Configuration
# Webhook setup for real-time notifications:
# Endpoint URL: https://your-server.com/intruder-webhook
# Secret: webhook_secret_key
# Events: scan_completed, vulnerability_found, target_unreachable
# Webhook payload example:
{
"event": "vulnerability_found",
"timestamp": "2024-01-15T10:30:00Z",
"target": {
"id": "12345",
"name": "example.com",
"type": "web_application"
},
"vulnerability": {
"id": "67890",
"title": "SQL Injection",
"severity": "high",
"cvss_score": 8.1,
"description": "SQL injection vulnerability found in login form",
"location": "/login.php?id=1",
"remediation": "Use parameterized queries"
}
}
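The webhook secret above is only useful if the receiving endpoint actually checks it: an unauthenticated receiver that creates tickets or pages on-call from any POST is itself an abuse vector. The block below is an added example, not Intruder's own code. It assumes a signing scheme (HMAC-SHA256 over `<unix timestamp>.<raw body>`, delivered in `X-Intruder-Signature` with the timestamp in `X-Intruder-Timestamp`); the real header names and scheme must be taken from the vendor's webhook documentation. The sample delivery is constructed from the payload example on this page. It also shows the order a receiver should work in: verify the signature over the raw bytes, reject stale deliveries, and only then parse JSON and route the event.

```python
import hashlib
import hmac
import json
import time

# Assumed header names and scheme (not documented on this page)
SIGNATURE_HEADER = "x-intruder-signature"
TIMESTAMP_HEADER = "x-intruder-timestamp"
MAX_SKEW_SECONDS = 300   # reject deliveries more than 5 minutes old: bounds replay of a captured request
ALLOWED_EVENTS = {"scan_completed", "vulnerability_found", "target_unreachable"}  # event names from the page


def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    """Expected signature for a delivery: HMAC-SHA256 over '<timestamp>.<raw body>' (assumed scheme)."""
    return hmac.new(secret, timestamp.encode() + b"." + body, hashlib.sha256).hexdigest()


def verify_webhook(headers: dict, body: bytes, secret: bytes, now=None) -> dict:
    """Return the parsed event if the delivery is authentic and fresh; raise ValueError otherwise.

    The signature is checked over the *raw* bytes before json.loads, so an
    unauthenticated sender never reaches the parser or any downstream automation.
    """
    h = {k.lower(): v for k, v in headers.items()}
    ts, sig = h.get(TIMESTAMP_HEADER), h.get(SIGNATURE_HEADER)
    if not ts or not sig:
        raise ValueError("missing signature or timestamp header")
    if not ts.isdigit():
        raise ValueError("malformed timestamp")
    now = time.time() if now is None else now
    if abs(now - int(ts)) > MAX_SKEW_SECONDS:
        raise ValueError("timestamp outside replay window")
    expected = sign(secret, ts, body)
    # compare_digest does not short-circuit on the first mismatching byte (no timing leak)
    if not hmac.compare_digest(expected, sig.lower()):
        raise ValueError("signature mismatch")
    event = json.loads(body)
    if event.get("event") not in ALLOWED_EVENTS:
        raise ValueError(f"unexpected event type {event.get('event')!r}")
    return event


def route(event: dict) -> str:
    """Map a verified event onto the page's alert SLA (critical: immediate, high: 24h, medium: 1 week)."""
    if event["event"] == "vulnerability_found":
        severity = event["vulnerability"]["severity"]
        return {"critical": "page-oncall", "high": "ticket-24h", "medium": "ticket-1w"}.get(severity, "log-only")
    if event["event"] == "target_unreachable":
        return "ticket-24h"
    return "log-only"


# Constructed sample delivery, built from the payload example on this page
SAMPLE_SECRET = b"webhook_secret_key"   # the page's placeholder; keep the real one in a secret manager
SAMPLE_BODY = json.dumps({
    "event": "vulnerability_found",
    "timestamp": "2024-01-15T10:30:00Z",
    "target": {"id": "12345", "name": "example.com", "type": "web_application"},
    "vulnerability": {"id": "67890", "title": "SQL Injection", "severity": "high",
                      "cvss_score": 8.1, "location": "/login.php?id=1"},
}).encode()
SAMPLE_TS = "1705314600"   # 2024-01-15T10:30:00Z as unix time
SAMPLE_HEADERS = {
    "X-Intruder-Timestamp": SAMPLE_TS,
    "X-Intruder-Signature": sign(SAMPLE_SECRET, SAMPLE_TS, SAMPLE_BODY),
}

if __name__ == "__main__":
    event = verify_webhook(SAMPLE_HEADERS, SAMPLE_BODY, SAMPLE_SECRET, now=int(SAMPLE_TS) + 10)
    print(event["vulnerability"]["title"], "->", route(event))
```

If the vendor's scheme signs only the body with no timestamp, keep a short-lived cache of delivered vulnerability IDs instead of the skew check; otherwise a captured "critical" delivery can be replayed to re-page on-call at will.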
Automation Scripts
```python
# Python automation example (requires the `requests` package: pip install requests)
import os
import time

import requests


class IntruderAPI:
    """Minimal client for the Intruder REST API endpoints used in this cheat sheet."""

    def __init__(self, api_key):
        self.api_key = api_key
        self.base_url = "https://api.intruder.io/v1"
        self.headers = {
            "Authorization": f"Bearer {api_key}",
            "Content-Type": "application/json",
        }
        self.timeout = 30  # seconds; never let a single HTTP call hang a pipeline

    def _check(self, response):
        """Raise on 4xx/5xx instead of silently parsing an error body as a result."""
        response.raise_for_status()
        return response.json()

    def start_scan(self, target_id, scan_type="full"):
        """Start a new security scan"""
        data = {"target_id": target_id, "scan_type": scan_type, "priority": "normal"}
        response = requests.post(f"{self.base_url}/scans", headers=self.headers,
                                 json=data, timeout=self.timeout)
        return self._check(response)

    def get_scan_status(self, scan_id):
        """Get the status of a running scan"""
        response = requests.get(f"{self.base_url}/scans/{scan_id}",
                                headers=self.headers, timeout=self.timeout)
        return self._check(response)

    def wait_for_scan_completion(self, scan_id, timeout=3600, poll_interval=30):
        """Wait for scan to complete, polling every poll_interval seconds, with an overall timeout"""
        start_time = time.time()
        while time.time() - start_time < timeout:
            status = self.get_scan_status(scan_id)
            if status.get("status") == "completed":
                return status
            if status.get("status") == "failed":
                # The error field may be absent; don't turn a failed scan into a KeyError
                raise RuntimeError(f"Scan failed: {status.get('error', 'no error detail returned')}")
            time.sleep(poll_interval)
        raise TimeoutError(f"Scan {scan_id} did not complete within {timeout}s")

    def get_vulnerabilities(self, target_id=None, severity=None):
        """Get list of vulnerabilities, optionally filtered by target and severity"""
        params = {}
        if target_id:
            params["target_id"] = target_id
        if severity:
            params["severity"] = severity
        response = requests.get(f"{self.base_url}/vulnerabilities",
                                headers=self.headers, params=params, timeout=self.timeout)
        return self._check(response)


# Usage example
if __name__ == "__main__":
    # Read the key from the environment rather than hard-coding it in a script that gets committed
    api = IntruderAPI(os.environ["INTRUDER_API_KEY"])

    # Start scan and wait for completion
    scan_result = api.start_scan("12345", "full")
    scan_id = scan_result["scan_id"]
    print(f"Started scan {scan_id}, waiting for completion...")
    completed_scan = api.wait_for_scan_completion(scan_id)

    # Get high severity vulnerabilities for this target only
    high_vulns = api.get_vulnerabilities(target_id="12345", severity="high")
    print(f"Found {len(high_vulns)} high severity vulnerabilities")
```
Reporting and Compliance
Report Generation
# Available report formats:
# - PDF: Executive and technical reports
# - HTML: Interactive web reports
# - CSV: Vulnerability data export
# - JSON: API data format
# - XML: Structured data export
# Report types:
# Executive Summary:
# - High-level security overview
# - Risk assessment summary
# - Trend analysis
# - Compliance status
# - Recommendations
# Technical Report:
# - Detailed vulnerability listings
# - Proof of concept details
# - Remediation instructions
# - CVSS scoring
# - Technical references
# Compliance Report:
# - PCI DSS compliance
# - ISO 27001 alignment
# - NIST framework mapping
# - SOC 2 requirements
# - Custom compliance frameworks
Compliance Frameworks
# PCI DSS Compliance (requirement numbers below follow PCI DSS v3.2.1; v4.0 renumbered them, e.g. vulnerability scanning moved to 11.3 and penetration testing to 11.4):
# Requirement 6.5: Address common vulnerabilities
# Requirement 11.2: Run quarterly vulnerability scans
# Requirement 11.3: Perform penetration testing
# ASV (Approved Scanning Vendor) certified scans
# Quarterly external vulnerability scans
# Annual penetration testing requirements
# ISO 27001 Alignment (Annex A numbering from the 2013 edition; the 2022 edition regrouped and renumbered these controls):
# A.12.6.1: Management of technical vulnerabilities
# A.14.2.1: Secure development policy
# A.14.2.5: Secure system engineering principles
# Continuous monitoring requirements
# Risk assessment integration
# Documentation and evidence collection
# NIST Cybersecurity Framework:
# Identify: Asset and vulnerability discovery
# Protect: Security control implementation
# Detect: Continuous monitoring and alerting
# Respond: Incident response integration
# Recover: Remediation tracking and validation
Custom Reporting
# Report customization options:
# - Company branding and logos
# - Custom executive summary
# - Filtered vulnerability lists
# - Risk scoring methodology
# - Remediation prioritization
# - Trend analysis periods
# - Compliance mapping
# - Technical appendices
# Automated report distribution:
# - Scheduled report generation
# - Email distribution lists
# - Secure file sharing
# - API-driven report delivery
# - Integration with ticketing systems
# - Dashboard embedding
Advanced Features
Smart Scanning Technology
# Intelligent vulnerability detection:
# - Machine learning-based false positive reduction
# - Context-aware vulnerability assessment
# - Business logic flaw detection
# - Advanced payload generation
# - Evasion technique detection
# - Zero-day vulnerability research
# Adaptive scanning algorithms:
# - Dynamic scan optimization
# - Resource-aware scanning
# - Application behavior learning
# - Custom attack pattern recognition
# - Threat intelligence integration
# - Emerging vulnerability detection
Threat Intelligence Integration
# External threat intelligence sources:
# - CVE database integration
# - NIST vulnerability database
# - Exploit database correlation
# - Dark web monitoring
# - Threat actor attribution
# - IoC (Indicators of Compromise) matching
# Real-time threat updates:
# - New vulnerability notifications
# - Exploit availability alerts
# - Threat landscape changes
# - Attack pattern evolution
# - Remediation priority updates
# - Emergency security bulletins
Collaboration Features
# Team collaboration tools:
# - Shared vulnerability management
# - Assignment and tracking
# - Comment and annotation system
# - Approval workflows
# - Progress tracking
# - Knowledge base integration
# Role-based access control:
# - Administrator: Full system access
# - Security Manager: Scan management and reporting
# - Security Analyst: Vulnerability analysis and remediation
# - Developer: Assigned vulnerability access
# - Auditor: Read-only compliance access
# - Guest: Limited dashboard access
Integration Examples
Slack Integration
# Slack webhook configuration:
# 1. Create Slack app in workspace
# 2. Add incoming webhook
# 3. Configure webhook URL in Intruder
# 4. Set notification preferences
# 5. Test integration
# Slack notification format:
# Channel: #security-alerts
# Message: "🚨 High severity vulnerability found on example.com"
# Details: "SQL Injection in /login.php (CVSS: 8.1)"
# Actions: "View Details | Assign | Mark as False Positive"
Jira Integration
# Jira integration setup:
# 1. Create Jira API token
# 2. Configure Jira connection in Intruder
# 3. Map vulnerability fields to Jira fields
# 4. Set up automatic ticket creation rules
# 5. Configure status synchronization
# Automatic ticket creation:
# Project: SECURITY
# Issue Type: Bug
# Priority: Based on vulnerability severity
# Assignee: Security team or developer
# Labels: vulnerability, security, intruder
# Description: Detailed vulnerability information
SIEM Integration
# SIEM integration via API:
# - Real-time vulnerability feed
# - Security event correlation
# - Threat intelligence enrichment
# - Incident response automation
# - Compliance reporting
# - Risk scoring integration
# Splunk integration example:
# Data input: HTTP Event Collector
# Index: security_vulnerabilities
# Source type: intruder_vulnerability
# Fields: severity, target, vulnerability_type, cvss_score
# Dashboards: Security posture overview
# Alerts: High severity vulnerability detection
CI/CD Pipeline Integration
```groovy
// Jenkins declarative pipeline example (readJSON comes from the Pipeline Utility Steps plugin)
pipeline {
    agent any
    environment {
        // Assumed credential id: store the API key as a Jenkins "Secret text" credential
        INTRUDER_API_KEY = credentials('intruder-api-key')
        TARGET_ID = '12345'
    }
    stages {
        stage('Security Scan') {
            steps {
                script {
                    // Trigger Intruder scan. The key is written as \$INTRUDER_API_KEY so the shell
                    // expands it; Groovy interpolation ("${INTRUDER_API_KEY}") would put the secret
                    // into the build log and the step's command line.
                    def scanResult = sh(
                        script: """
                            curl -sS -f -X POST "https://api.intruder.io/v1/scans" \\
                                -H "Authorization: Bearer \$INTRUDER_API_KEY" \\
                                -H "Content-Type: application/json" \\
                                -d '{"target_id": "${TARGET_ID}", "scan_type": "quick"}'
                        """,
                        returnStdout: true
                    ).trim()
                    def scanId = readJSON(text: scanResult).scan_id

                    // Wait for scan completion (quick scans take 15-30 minutes)
                    timeout(time: 30, unit: 'MINUTES') {
                        waitUntil(initialRecurrencePeriod: 30000) {
                            def status = sh(
                                script: """
                                    curl -sS -f -X GET "https://api.intruder.io/v1/scans/${scanId}" \\
                                        -H "Authorization: Bearer \$INTRUDER_API_KEY"
                                """,
                                returnStdout: true
                            ).trim()
                            def statusJson = readJSON(text: status)
                            if (statusJson.status == 'failed') {
                                error("Intruder scan ${scanId} failed")
                            }
                            return statusJson.status == 'completed'
                        }
                    }

                    // Check for high severity vulnerabilities on this target
                    def vulns = sh(
                        script: """
                            curl -sS -f -X GET "https://api.intruder.io/v1/vulnerabilities?severity=high&target_id=${TARGET_ID}" \\
                                -H "Authorization: Bearer \$INTRUDER_API_KEY"
                        """,
                        returnStdout: true
                    ).trim()
                    def vulnCount = readJSON(text: vulns).size()
                    if (vulnCount > 0) {
                        error("High severity vulnerabilities found: ${vulnCount}")
                    }
                }
            }
        }
    }
}
```
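The pipeline above fails the build on any high-severity finding, which in practice means the first false positive or an accepted risk blocks every deploy until someone edits the Jenkinsfile. The block below is an added example, not Intruder's or Jenkins' own code, of the gate logic a practitioner ends up writing: a severity threshold, findings already marked false positive or accepted risk are skipped, and per-finding waivers expire on a date so "temporary" exceptions do not become permanent. The sample findings are constructed; their field names follow the webhook payload on this page, and the `status` values are assumptions.

```python
import sys
from datetime import date

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
# Statuses that should never block a build (assumed values; the page shows "Mark as False Positive")
NON_BLOCKING_STATUSES = {"false_positive", "accepted_risk", "fixed"}


def gate(vulns, fail_at="high", exceptions=None, today=None):
    """Return the ids of findings that should block the build.

    vulns:      list of finding dicts as returned by GET /vulnerabilities
    fail_at:    lowest severity that blocks ("high" blocks high and critical)
    exceptions: {vuln_id: "YYYY-MM-DD"} time-boxed waivers; an expired waiver no longer applies
    """
    today = today or date.today()
    exceptions = exceptions or {}
    threshold = SEVERITY_RANK[fail_at]
    blocking = []
    for v in vulns:
        if v.get("status", "open") in NON_BLOCKING_STATUSES:
            continue
        if SEVERITY_RANK.get(v.get("severity", "info"), 0) < threshold:
            continue
        expiry = exceptions.get(v["id"])
        if expiry and date.fromisoformat(expiry) >= today:
            continue  # waiver still valid; it will start blocking again the day after expiry
        blocking.append(v["id"])
    return blocking


def summarize(vulns):
    """Count open findings per severity, for the build log."""
    counts = {}
    for v in vulns:
        if v.get("status", "open") in NON_BLOCKING_STATUSES:
            continue
        sev = v.get("severity", "info")
        counts[sev] = counts.get(sev, 0) + 1
    return counts


# Constructed sample of what the vulnerabilities endpoint might return for one target
SAMPLE_VULNS = [
    {"id": "67890", "title": "SQL Injection", "severity": "high", "cvss_score": 8.1,
     "status": "open", "location": "/login.php?id=1"},
    {"id": "67891", "title": "Missing X-Frame-Options header", "severity": "low", "status": "open"},
    {"id": "67892", "title": "Reflected XSS", "severity": "medium", "status": "false_positive"},
    {"id": "67893", "title": "Outdated jQuery", "severity": "medium", "status": "open"},
]

if __name__ == "__main__":
    # Waiver for the SQLi finding that expires on a fixed date (constructed for the example)
    waivers = {"67890": "2099-12-31"}
    print("open findings by severity:", summarize(SAMPLE_VULNS))
    blocking = gate(SAMPLE_VULNS, fail_at="high", exceptions=waivers)
    print("blocking:", blocking or "none")
    sys.exit(1 if blocking else 0)
```

Keep the waiver file in the repository next to the pipeline so that every exception is reviewed like code and has an owner and an expiry date visible in history.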
Troubleshooting and Best Practices
Common Issues and Solutions
# Scan failures and timeouts:
# Issue: Target unreachable during scan
# Solution: Verify network connectivity and firewall rules
# Check: DNS resolution, port accessibility, rate limiting
# Authentication problems:
# Issue: Login sequence fails during scan
# Solution: Update authentication credentials
# Check: Session timeout, CSRF tokens, multi-factor authentication
# False positives:
# Issue: Legitimate functionality flagged as vulnerability
# Solution: Mark as false positive and add to exclusions
# Check: Business logic understanding, custom applications
# Performance impact:
# Issue: Scans affecting application performance
# Solution: Adjust scan intensity and timing
# Check: Rate limiting, resource usage, peak hours
Optimization Strategies
# Scan performance optimization:
# - Schedule scans during off-peak hours
# - Use appropriate scan intensity levels
# - Configure rate limiting for sensitive applications
# - Implement scan result caching
# - Optimize target scope and exclusions
# - Monitor resource usage during scans
# False positive reduction:
# - Maintain accurate asset inventory
# - Configure proper authentication
# - Use application-specific scan profiles
# - Regularly review and tune scan settings
# - Implement feedback loops for accuracy
# - Train team on vulnerability validation
Security Best Practices
# API security:
# - Use strong API keys with limited scope
# - Implement API key rotation policy
# - Monitor API usage and access logs
# - Use HTTPS for all API communications
# - Implement rate limiting and throttling
# - Validate webhook signatures
# Data protection:
# - Encrypt sensitive scan data
# - Implement access controls and RBAC
# - Regular security audits of Intruder usage
# - Secure storage of authentication credentials
# - Data retention and deletion policies
# - Compliance with data protection regulations
Monitoring and Maintenance
# Regular maintenance tasks:
# - Review and update target configurations
# - Validate authentication credentials
# - Update scan schedules and frequencies
# - Review and tune alert thresholds
# - Analyze scan performance metrics
# - Update integration configurations
# - Review user access and permissions
# - Validate compliance reporting accuracy
# Performance monitoring:
# - Track scan completion rates
# - Monitor false positive trends
# - Analyze vulnerability discovery rates
# - Review remediation timelines
# - Assess security posture improvements
# - Monitor integration health
# - Track API usage and limits