Web application discovery

Overview

twigs supports discovering and scanning web applications. In this mode twigs discovers the web application running at a given URL, runs a DAST test on it using ZAP Proxy, and discovers the underlying host endpoint and its services using nmap.

Pre-requisites

You need to have nmap installed on your host (where you will be running twigs). Nmap needs to be available as /usr/bin/nmap. If you are using the twigs docker image, nmap is pre-bundled with it.

You also need ZAP proxy installed. Details can be found here. The ZAP proxy CLI is expected to be in the PATH as ‘zaproxy’. Some ZAP installers do not install this CLI; instead they ship a CLI called ‘zap.sh’, which needs to be linked as ‘zaproxy’ and included in your PATH.
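The pre-flight check below is an added example (it is not part of twigs) that verifies the two prerequisites above before a scan: the nmap binary at the path twigs expects and a ‘zaproxy’ CLI, falling back to ‘zap.sh’ and printing the link command needed when only that is present. The nmap path and the directory searched for the ZAP CLI are parameters so the check can be pointed at any location.

```shell
#!/bin/sh
# Pre-flight check for "twigs webapp" (example code, not part of twigs).

# find_zap_cli DIR: print the ZAP CLI found in DIR.
# Returns 0 if "zaproxy" is usable as-is, 2 if only "zap.sh" exists
# (and must be linked as "zaproxy"), 1 if neither is present.
find_zap_cli() {
    dir="$1"
    if [ -x "$dir/zaproxy" ]; then
        printf '%s\n' "$dir/zaproxy"
        return 0
    fi
    if [ -x "$dir/zap.sh" ]; then
        printf '%s\n' "$dir/zap.sh"
        return 2
    fi
    return 1
}

# check_nmap PATH: succeed only if an executable nmap is at PATH
# (twigs expects /usr/bin/nmap).
check_nmap() {
    [ -x "$1" ]
}

# preflight NMAP_PATH ZAP_DIR: run both checks and print what to fix.
# Returns 0 only when both the host discovery (nmap) and the DAST (ZAP)
# steps of "twigs webapp" can run.
preflight() {
    nmap_path="$1"
    zap_dir="$2"
    status=0
    if check_nmap "$nmap_path"; then
        echo "nmap: found at $nmap_path"
    else
        echo "nmap: missing at $nmap_path (needed for --run_nmap)"
        status=1
    fi
    zap=$(find_zap_cli "$zap_dir")
    case $? in
        0) echo "zap: found $zap" ;;
        2) echo "zap: only zap.sh present; run: ln -s $zap $zap_dir/zaproxy"
           status=1 ;;
        *) echo "zap: no zaproxy or zap.sh in $zap_dir; DAST step will be skipped"
           status=1 ;;
    esac
    return $status
}
```

Run it as `preflight /usr/bin/nmap /usr/local/bin` (or whichever directory holds your ZAP install) before invoking `twigs webapp`.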

Steps

The steps to discover assets in your environment using nmap are as follows:

  • Open a new shell / terminal.
  • Check that twigs is installed and running properly by running the command below:

twigs webapp -h

Discover web application using its URL

twigs webapp --url <url> [--assetname <user friendly name>] [--run_nmap] [--no_ssh_audit] [--no_ssl_audit]

This runs a DAST / web application test using ZAP (if available), tests the SSL settings and certificates for vulnerabilities, and discovers and scans the server hosting the web application endpoint for vulnerabilities.

For OS discovery it is recommended to run twigs as root, since nmap requires it. Even so, OS discovery will not be as accurate as a credentialed scan using twigs and may result in false positives. The ThreatWorx console will try to adjust the confidence score of vulnerability findings that result from nmap discovery, which allows you to filter / hide some of these results in the console as required. Depending on the size of the network and the number of active endpoints, this discovery mode can also take a significant amount of time to complete.

Examples

$ twigs webapp --url https://somecompany.com/portal

Run web application scan for company portal

$ twigs webapp --url https://10.10.1.1/myapp --run_nmap

Run web application and host discovery (uncredentialed)

$ twigs webapp --url https://10.10.1.1/myapp --run_nmap --no_ssh_audit

Run web application and host discovery (uncredentialed) without ssh audit checks