Hello,
I am new here, so I may need some help from time to time.
Right now I am working on a project that has this in the do-not-do list:
“The use of Automated scanners is strictly prohibited”
Now I take it that you can’t run any type of scans on the site.
No nmap
No web scraping
No vulnerability scanner
All work must be done by the keyboard, one tap at a time.
I got used to not running automated scanners because almost every policy says “The use of Automated scanners is strictly prohibited”.
However, I doubt that everyone cares about that. The same happens with the domains in scope.
So, in my opinion, it is not right. But people get bounties even when not following the rules in the policies, so there is no right answer.
I’d say ‘it depends’. “No automated scanners” usually refers to vulnerability scanners that automatically crawl, parse and inject everywhere, which can cause quite a server load (so things like Nessus, Burp Suite Pro, Nexpose, Nikto, OpenVAS, etc.). I don’t think nmap would fall into this category, nor any kind of targeted scripting (for example, using Burp Suite Intruder to parse through HTTP methods or certain directories). While nmap does have various modules to scan for various vulnerabilities, I think if you’re just port scanning or enumerating services it’s ok.
Agreed. I think this also comes down to ‘noise’: no one wants a page-out at 2am because the SIEM is reporting a ton of scanning / injection attempts from one IP.
I agree with what everyone else mentioned, but I’d also add: if you find a potential SQLi, XSS, code injection, etc., I don’t think it’s unreasonable to load up some common payloads in Burp Intruder and fire them off. I’m not saying to use a massive file sending thousands upon thousands of requests to the application, obviously, but I think what they’re mainly speaking against are tools like sqlmap, Nikto, SPARTA, etc. that tend to be extremely noisy on the network. Can Burp also be noisy if you’re using Intruder with lots of payloads? Absolutely, but I think what I’m speaking of is more of a grey area. If you limit it properly, I think it’s perfectly acceptable. I hope that makes sense!