Skill: dast-scanner

dast-scanner is a skill focused on executing and managing dynamic application security testing (DAST). It provides comprehensive runtime vulnerability detection for web applications and APIs, including OWASP ZAP and Nuclei scanning, authenticated scanning, API security testing, scan policy configuration, SAST/DAST result correlation and vulnerability report generation.

Penetration Testing · 1 install · 6 views · Updated 2/26/2026



name: dast-scanner
description: Dynamic application security testing execution and management. Configures and runs OWASP ZAP and Nuclei scans, performs authenticated scanning, manages scan policies and scope, correlates findings with SAST results and generates comprehensive vulnerability reports.
allowed-tools: Bash(*) Read Write Edit Glob Grep WebFetch
metadata:
  author: babysitter-sdk
  version: "1.0.0"
  category: security-testing
  backlog-id: SK-SEC-003

dast-scanner

You are dast-scanner, a specialised skill for executing and managing dynamic application security testing (DAST). The skill provides comprehensive runtime vulnerability detection for web applications and APIs.

Overview

This skill enables AI-driven DAST, including:

  • OWASP ZAP automated and manual scanning
  • Nuclei template-based vulnerability scanning
  • Authenticated scanning with session management
  • API security testing (REST, GraphQL, gRPC)
  • Scan policy configuration and scope management
  • SAST/DAST result correlation
  • Comprehensive vulnerability reporting

Prerequisites

  • The target application is running and reachable
  • OWASP ZAP and/or Nuclei installed
  • Network access to the target
  • Optional: authentication credentials
  • Optional: API specification (OpenAPI, GraphQL schema)

Capabilities

1. OWASP ZAP scanning

Comprehensive web application security testing:

# Start the ZAP daemon
# (api.disablekey=true leaves the ZAP API unauthenticated; keep the port bound to a trusted host)
docker run -u zap -p 8080:8080 -i ghcr.io/zaproxy/zaproxy:stable zap.sh -daemon \
  -host 0.0.0.0 -port 8080 -config api.disablekey=true

# Quick baseline scan (passive checks only)
# /zap/wrk is mounted so that the -J report is written to the host instead of being lost with the container
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py \
  -t https://target.example.com \
  -J report.json

# Full active scan
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py \
  -t https://target.example.com \
  -J full-report.json

# API scan driven by an OpenAPI definition
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py \
  -t openapi.yaml \
  -f openapi \
  -J api-report.json

# Custom scan with zap-cli (third-party CLI; requires the daemon started above)
zap-cli quick-scan https://target.example.com
zap-cli active-scan https://target.example.com
zap-cli report -o report.html -f html

ZAP scan policy

<!-- High-intensity scan policy -->
<scanPolicy>
  <name>high-intensity</name>
  <description>全面安全扫描</description>
  <attackStrength>INSANE</attackStrength>
  <alertThreshold>LOW</alertThreshold>
  <scanners>
    <scanner id="40012" enabled="true" attackStrength="HIGH"/> <!-- Cross Site Scripting (Reflected) -->
    <scanner id="40018" enabled="true" attackStrength="INSANE"/> <!-- SQL Injection -->
    <scanner id="90019" enabled="true" attackStrength="HIGH"/> <!-- Server Side Code Injection -->
    <scanner id="90020" enabled="true" attackStrength="INSANE"/> <!-- Remote OS Command Injection -->
  </scanners>
</scanPolicy>

2. Nuclei template scanning

Fast template-based vulnerability detection:

# Update templates
nuclei -update-templates

# Basic scan (-jsonl writes JSON Lines; older releases spelled this flag -json)
nuclei -target https://target.example.com -jsonl -output nuclei-results.json

# Scan with specific template directories
nuclei -target https://target.example.com \
  -templates cves/ \
  -templates vulnerabilities/ \
  -jsonl -output nuclei-results.json

# Filter by severity
nuclei -target https://target.example.com \
  -severity critical,high \
  -jsonl -output nuclei-critical.json

# Multi-target scan
nuclei -list targets.txt \
  -severity critical,high,medium \
  -jsonl -output nuclei-results.json

# Scan by tag
nuclei -target https://target.example.com \
  -tags owasp,cve,xss,sqli \
  -jsonl -output nuclei-owasp.json

# Rate-limited scan (requests per second and parallel templates)
nuclei -target https://target.example.com \
  -rate-limit 50 \
  -concurrency 10 \
  -jsonl -output nuclei-results.json

# Headless scan for JavaScript-heavy applications
nuclei -target https://target.example.com \
  -headless \
  -jsonl -output nuclei-headless.json

Nuclei template categories

Category            Description                     Templates
------------------  ------------------------------  ---------
cves/               Known CVEs                      5000+
vulnerabilities/    Generic vulnerabilities         500+
exposures/          Sensitive data exposure         300+
misconfigurations/  Security misconfigurations      400+
technologies/       Technology detection            200+
fuzzing/            Fuzzing templates               100+

Custom Nuclei templates

# custom-templates/api-key-exposure.yaml
id: api-key-exposure

info:
  name: API Key Exposure Check
  author: security-team
  severity: high
  description: 检查响应中暴露的API密钥
  tags: api,exposure,secrets

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/config"
      - "{{BaseURL}}/config.json"
      - "{{BaseURL}}/.env"

    matchers-condition: or
    matchers:
      - type: regex
        regex:
          - "api[_-]?key['\"]?\\s*[:=]\\s*['\"]?[a-zA-Z0-9]{20,}"
          - "secret[_-]?key['\"]?\\s*[:=]\\s*['\"]?[a-zA-Z0-9]{20,}"
        condition: or

    extractors:
      - type: regex
        regex:
          - "api[_-]?key['\"]?\\s*[:=]\\s*['\"]?([a-zA-Z0-9]{20,})"
        group: 1

3. Authenticated scanning

ZAP authentication

# Form-based authentication via a context file
# (-U must name a user defined in the context file's <users> section)
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py \
  -t https://target.example.com \
  -n context.context \
  -U authenticated-user \
  -J auth-report.json

# OAuth / bearer token authentication: the replacer add-on injects the header into every request
# (/zap/wrk is mounted so the local openapi.yaml is visible inside the container)
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py \
  -t openapi.yaml \
  -f openapi \
  -z "-config replacer.full_list(0).description=auth \
      -config replacer.full_list(0).enabled=true \
      -config replacer.full_list(0).matchtype=REQ_HEADER \
      -config replacer.full_list(0).matchstr=Authorization \
      -config replacer.full_list(0).replacement='Bearer $TOKEN'" \
  -J api-auth-report.json

ZAP context file

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <context>
    <name>MyAppContext</name>
    <desc></desc>
    <inscope>true</inscope>
    <incregexes>https://target.example.com.*</incregexes>
    <excregexes>.*logout.*</excregexes>
    <tech>
      <include>Db.PostgreSQL</include>
      <include>Language.JavaScript</include>
      <include>OS.Linux</include>
    </tech>
    <authentication>
      <type>FormBasedAuthentication</type>
      <loggedin>\Qlogout\E</loggedin>
      <loggedout>\Qlogin\E</loggedout>
      <form>
        <loginurl>https://target.example.com/login</loginurl>
        <loginbody>username={%username%}&amp;password={%password%}</loginbody>
      </form>
    </authentication>
    <users>
      <user>
        <name>testuser</name>
        <credentials>username=testuser&amp;password=testpass</credentials>
      </user>
    </users>
  </context>
</configuration>

Nuclei authentication

# Cookie authentication
nuclei -target https://target.example.com \
  -header "Cookie: session=abc123" \
  -jsonl -output nuclei-auth.json

# Bearer token authentication
nuclei -target https://target.example.com \
  -header "Authorization: Bearer $TOKEN" \
  -jsonl -output nuclei-auth.json

# Headers from a file (-header accepts a file path as well as header:value strings)
nuclei -target https://target.example.com \
  -header headers.txt \
  -jsonl -output nuclei-auth.json

4. API security testing

REST API testing

# ZAP API scan from a remote OpenAPI definition
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py \
  -t https://api.example.com/openapi.json \
  -f openapi \
  -J api-report.json

# Nuclei API scan
nuclei -target https://api.example.com \
  -tags api \
  -jsonl -output api-nuclei.json

GraphQL testing

# ZAP GraphQL scan
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py \
  -t https://api.example.com/graphql \
  -f graphql \
  -J graphql-report.json

# Nuclei GraphQL templates
nuclei -target https://api.example.com/graphql \
  -tags graphql \
  -jsonl -output graphql-nuclei.json

5. SAST/DAST correlation

Correlate static and dynamic findings:

{
  "correlation_report": {
    "sast_findings": 45,
    "dast_findings": 28,
    "correlated": 12,
    "sast_only": 33,
    "dast_only": 16,
    "correlations": [
      {
        "vulnerability_type": "SQL Injection",
        "sast_finding": {
          "file": "src/api/users.py",
          "line": 42,
          "rule": "python.lang.security.audit.dangerous-sql"
        },
        "dast_finding": {
          "url": "https://api.example.com/users",
          "parameter": "id",
          "evidence": "SQL syntax error"
        },
        "confidence": "high",
        "recommendation": "Priority fix - confirmed vulnerable endpoint"
      }
    ]
  }
}
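One way to produce the correlation_report above, added here as an example that is not the skill's own code: a DAST finding is paired with a SAST finding when both normalise to the same vulnerability type and the SAST file is the one that serves the DAST URL's route. The route map, the "hypothetical.xss-rule" id and the sample findings are constructed; only the Semgrep rule id comes from the report above.

```python
from urllib.parse import urlparse

# Hypothetical route-to-source mapping; in practice it comes from the framework's router.
ROUTE_MAP = {"/users": "src/api/users.py", "/search": "src/api/search.py"}

# Normalise tool-specific identifiers to one vulnerability type. The Semgrep rule id is the
# one from the report above; "hypothetical.xss-rule" is a made-up placeholder.
SAST_TYPE = {"python.lang.security.audit.dangerous-sql": "SQL Injection",
             "hypothetical.xss-rule": "Cross-Site Scripting"}
DAST_TYPE = {"SQL Injection": "SQL Injection",
             "Cross Site Scripting (Reflected)": "Cross-Site Scripting"}

def correlate(sast, dast, route_map=ROUTE_MAP):
    """Pair a DAST finding with SAST findings of the same type in the file that serves its route."""
    correlations, hit_sast, hit_dast = [], set(), set()
    for di, d in enumerate(dast):
        path = urlparse(d["url"]).path
        served_by = next((f for route, f in route_map.items() if path.startswith(route)), None)
        d_type = DAST_TYPE.get(d["name"])
        for si, s in enumerate(sast):
            s_type = SAST_TYPE.get(s["rule"])
            # Both types must be known: a None == None match would be a false correlation.
            if s_type and s_type == d_type and s["file"] == served_by:
                correlations.append({"vulnerability_type": s_type, "sast_finding": s,
                                     "dast_finding": d, "confidence": "high",
                                     "recommendation": "Priority fix - confirmed vulnerable endpoint"})
                hit_sast.add(si)
                hit_dast.add(di)
    return {"sast_findings": len(sast), "dast_findings": len(dast), "correlated": len(correlations),
            "sast_only": len(sast) - len(hit_sast), "dast_only": len(dast) - len(hit_dast),
            "correlations": correlations}

# Constructed sample findings.
SAST = [{"file": "src/api/users.py", "line": 42, "rule": "python.lang.security.audit.dangerous-sql"},
        {"file": "src/api/search.py", "line": 10, "rule": "hypothetical.xss-rule"},
        {"file": "src/api/admin.py", "line": 7, "rule": "python.lang.security.audit.dangerous-sql"}]
DAST = [{"name": "SQL Injection", "url": "https://api.example.com/users", "parameter": "id",
         "evidence": "SQL syntax error"},
        {"name": "Cross Site Scripting (Reflected)", "url": "https://api.example.com/about",
         "parameter": "q", "evidence": "input reflected unescaped"}]

if __name__ == "__main__":
    import json
    print(json.dumps({"correlation_report": correlate(SAST, DAST)}, indent=2))
```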

6. Scan scope management

# scan-scope.yaml
scope:
  includes:
    - "https://target.example.com/*"
    - "https://api.target.example.com/*"
  excludes:
    - "*/logout"
    - "*/signout"
    - "*delete*"
    - "*payment*"
    - "*/static/*"
    - "*/assets/*"

rate_limiting:
  requests_per_second: 20
  delay_between_requests_ms: 50
  max_concurrent_connections: 10

authentication:
  type: bearer
  token_refresh_url: "https://auth.example.com/token"
  token_header: "Authorization"
  token_prefix: "Bearer "

scan_policy:
  attack_strength: medium
  alert_threshold: low
  scanners:
    enabled:
      - sql-injection
      - xss-reflected
      - xss-stored
      - command-injection
      - path-traversal
    disabled:
      - format-string
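Applying the include/exclude globs from scan-scope.yaml to a crawled URL list before it is handed to ZAP or Nuclei, added here as an example that is not the skill's own code; the scope dictionary mirrors the YAML above and the crawl output is constructed. It also covers the case the YAML does not spell out: a mixed-case /Payment/ path that a case-sensitive "*payment*" match would let through.

```python
from fnmatch import fnmatchcase

# Same patterns as scan-scope.yaml above, embedded so the example runs without a YAML parser.
SCOPE = {
    "includes": ["https://target.example.com/*", "https://api.target.example.com/*"],
    "excludes": ["*/logout", "*/signout", "*delete*", "*payment*", "*/static/*", "*/assets/*"],
}

def in_scope(url, scope=SCOPE):
    """Scannable only if an include matches and no exclude matches; excludes always win.
    Matching is done on lower-cased strings so that /Payment/ cannot slip past *payment*."""
    u = url.lower()
    hit = lambda patterns: any(fnmatchcase(u, p.lower()) for p in patterns)
    return hit(scope["includes"]) and not hit(scope["excludes"])

def partition(urls, scope=SCOPE):
    """Split a crawl into (scan, skip); keep the skip list as evidence of what was deliberately avoided."""
    scan = [u for u in urls if in_scope(u, scope)]
    return scan, [u for u in urls if u not in scan]

# Constructed crawler output.
CRAWLED = [
    "https://target.example.com/login",
    "https://target.example.com/account/logout",
    "https://api.target.example.com/users/42/delete",
    "https://target.example.com/static/app.js",
    "https://other.example.com/users",               # matches no include
    "https://target.example.com/Payment/checkout",   # mixed case, still excluded
]

if __name__ == "__main__":
    scan, skip = partition(CRAWLED)
    print("scan:", scan)
    print("skip:", skip)
```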

MCP server integration

This skill can make use of the following MCP servers:

Server                      Description                          Install
--------------------------  -----------------------------------  -------
ZAP-MCP                     AI-driven OWASP ZAP integration      GitHub
pentestMCP                  20+ tools including ZAP and Nuclei   GitHub
HexStrike AI                150+ cybersecurity tools             GitHub
SecOpsAgentKit dast-zap     ZAP integration                      GitHub
SecOpsAgentKit dast-nuclei  Nuclei integration                   GitHub

Best practices

Scan strategy

  1. Passive first - start with passive scanning
  2. Explicit scope - define clear boundaries
  3. Rate limit - respect the target infrastructure
  4. Authenticate - test authenticated areas
  5. Schedule sensibly - avoid peak hours

CI/CD integration

# GitHub Actions
name: DAST扫描
on:
  schedule:
    - cron: '0 2 * * *'  # nightly
  workflow_dispatch:

jobs:
  dast:
    runs-on: ubuntu-latest
    steps:
      - name: ZAP扫描
        uses: zaproxy/action-full-scan@v0.8.0
        with:
          target: ${{ secrets.STAGING_URL }}
          allow_issue_writing: false

      - name: Nuclei扫描
        uses: projectdiscovery/nuclei-action@main
        with:
          target: ${{ secrets.STAGING_URL }}
          flags: "-severity critical,high -jsonl"

Process integration

This skill integrates with the following processes:

  • dast-scanning.js - DAST pipeline integration
  • penetration-testing.js - penetration testing workflow
  • devsecops-pipeline.js - DevSecOps automation
  • vulnerability-management.js - vulnerability lifecycle

Output format

When performing an operation, provide structured output:

{
  "operation": "dast-scan",
  "status": "completed",
  "target": "https://target.example.com",
  "tools_used": ["zap", "nuclei"],
  "scan_duration_seconds": 2340,
  "summary": {
    "total_findings": 58,
    "by_severity": {
      "critical": 3,
      "high": 12,
      "medium": 25,
      "low": 18
    },
    "by_tool": {
      "zap": 42,
      "nuclei": 16
    },
    "by_category": {
      "injection": 8,
      "xss": 12,
      "misconfiguration": 15,
      "information_disclosure": 10,
      "authentication": 5,
      "other": 8
    }
  },
  "coverage": {
    "urls_scanned": 245,
    "endpoints_tested": 89,
    "parameters_tested": 312
  },
  "top_findings": [
    {
      "severity": "critical",
      "name": "SQL Injection",
      "url": "https://target.example.com/api/users",
      "parameter": "id",
      "tool": "zap",
      "cweid": "89",
      "wascid": "19"
    }
  ],
  "artifacts": ["zap-report.json", "nuclei-results.json", "combined-dast.html"]
}
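Building the summary and top_findings parts of the output above from a ZAP -J report and a Nuclei JSON Lines file, added here as an example that is not the skill's own code. It assumes the report shapes those tools actually write (ZAP: site → alerts → instances with riskcode 0-3; Nuclei: one record per line with info.severity and matched-at); both inputs are constructed samples in that shape, and the Nuclei template id is a placeholder.

```python
import json
from collections import Counter

# ZAP reports riskcode 0-3 and has no "critical" level; Nuclei uses info/low/medium/high/critical.
ZAP_RISK = {"3": "high", "2": "medium", "1": "low", "0": "informational"}
NUCLEI_SEV = {"info": "informational", "unknown": "informational"}
ORDER = ["critical", "high", "medium", "low", "informational"]

def zap_findings(report):
    """One finding per alert instance from a zap-*-scan.py -J report (site -> alerts -> instances)."""
    for site in report.get("site", []):
        for a in site.get("alerts", []):
            for inst in a.get("instances") or [{}]:
                yield {"severity": ZAP_RISK.get(str(a.get("riskcode")), "informational"),
                       "name": a["name"], "url": inst.get("uri", site.get("@name", "")),
                       "parameter": inst.get("param", ""), "tool": "zap",
                       "cweid": a.get("cweid", ""), "wascid": a.get("wascid", "")}

def nuclei_findings(jsonl_text):
    """One finding per JSON Lines record as written by nuclei -jsonl -output."""
    for line in jsonl_text.splitlines():
        if line.strip():
            r = json.loads(line)
            sev = r["info"].get("severity", "unknown").lower()
            yield {"severity": NUCLEI_SEV.get(sev, sev), "name": r["info"]["name"],
                   "url": r.get("matched-at", r.get("host", "")), "parameter": "",
                   "tool": "nuclei", "cweid": "", "wascid": ""}

def summarize(findings, top=3):
    """Rank by severity (unknown levels last) and count by severity and by tool."""
    rank = lambda f: ORDER.index(f["severity"]) if f["severity"] in ORDER else len(ORDER)
    findings = sorted(findings, key=rank)
    return {"total_findings": len(findings),
            "by_severity": dict(Counter(f["severity"] for f in findings)),
            "by_tool": dict(Counter(f["tool"] for f in findings)),
            "top_findings": findings[:top]}

# Constructed samples in the shape of the real tool outputs.
ZAP_SAMPLE = {"site": [{"@name": "https://target.example.com", "alerts": [
    {"name": "SQL Injection", "riskcode": "3", "cweid": "89", "wascid": "19",
     "instances": [{"uri": "https://target.example.com/api/users", "param": "id"}]},
    {"name": "X-Content-Type-Options Header Missing", "riskcode": "1", "cweid": "693", "wascid": "15",
     "instances": [{"uri": "https://target.example.com/", "param": ""},
                   {"uri": "https://target.example.com/login", "param": ""}]}]}]}
NUCLEI_SAMPLE = "\n".join([
    '{"template-id": "hypothetical-debug-endpoint", "info": {"name": "Exposed debug endpoint", "severity": "critical"}, "matched-at": "https://target.example.com/debug"}',
    '{"template-id": "tech-detect", "info": {"name": "Tech Detect", "severity": "info"}, "matched-at": "https://target.example.com"}'])

def combined_summary():
    return summarize(list(zap_findings(ZAP_SAMPLE)) + list(nuclei_findings(NUCLEI_SAMPLE)))
```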

Error handling

Common issues

Error                   Cause                  Resolution
----------------------  ---------------------  ---------------------------------------
Connection timeout      Target unreachable     Check network / firewall
Authentication failure  Invalid credentials    Verify the authentication configuration
Rate limited            Scan too aggressive    Reduce scan speed
Scan interrupted        Resources exhausted    Increase resources

Constraints

  • Always obtain proper authorisation before scanning
  • Never scan production environments without explicit approval
  • Configure appropriate rate limiting
  • Exclude destructive operations from scope
  • Monitor target health during the scan
  • Document every finding with evidence