No Automation need some help

bluedog · August 24, 2018, 7:14pm

Hello,
I am new here, so I may need some help form time to time.
Right now I am working on a project that has this in the do not do list.

“The use of Automated scanners is strictly prohibited”

Not I take it that you can’t run any type of scans on the site.
No nmap
no web scraping
No vulnerability scanner
All work must be done by the keyboard, one tap at a time.

Is this right, yes or no
Thank you
bluedog

stefanofinding · September 5, 2018, 8:39am

Hi @bluedog,

I got used to not run automated scanners because almost every policy says “The use of Automated scanners is strictly prohibited”.
However, I doubt that everyone cares about that. The same happens with the domains in scope.

So, in my opinion is not right. But people get bounties even when not following the rules in the policies, so there is not right answer.

Good luck with the project.

bluedog · September 6, 2018, 11:43am

Thank you stefanofinding for the info.

ARKADA · April 9, 2019, 9:55am

I’d say ‘it depends’. No automated scanners usually refers to vulnerability scanners that automatically crawl, parse and inject everywhere which can cause quite a server load (so things likes nessus, burpsuite pro, Nexpose, Nikto, OpenVAS, etc.). I don’t think nmap would fall into this category nor any kind of targeted scripting (for example, using a burpsuite intruder to parse through HTTP methods or certain directories). While nmap does have various modules to scan for various vulnerabilities I think if you’re just port scanning or enumerating services I think it’s ok.

at0mix · May 16, 2019, 11:29pm

Agreed. I think this also comes down to ‘noise’ no one wants a page out a 2am because the SIEM is reporting a ton of scanning / injections attempts from one 1 IP.

pisteuo · May 17, 2019, 6:24pm

I agree with what everyone else mentioned, but I’d also add: if you find a potential SQLi, XSS, code injection, etc., I don’t think it’s unreasonable to load up some common payloads in Burp Intruder and fire them off. I’m not saying to use a massive file sending thousands upon thousands of requests to the application–obviously–but I think what they’re mainly speaking against are tools like sqlmap, nikto, sparta, etc. that tend to be extremely noisy on the network. Can Burp also be noisy if you’re using Intruder with lots of payloads? Absolutely, but I think what I’m speaking of is more of a grey area. If you limit it properly, I think it’s perfectly acceptable. I hope that makes sense!

DirabouAmani · July 21, 2020, 10:41pm

Hi,
I need someone who can teach me step by step instructions how to do an automatique test with QTP?

Topic		Replies	Views
When automated scanning is not allowed in a program Starter Zone	0	1565	October 25, 2019
I am ready to go, Is this all I need to do to start Starter Zone	6	2373	October 23, 2019
I need some Guide On SQLmap Web Hacking	2	2100	February 1, 2020
Is Burp Suite Spider and Intruder Safe? Recon Techniques	6	5090	August 17, 2023
Looking for ways to do some undetecable web crawling Recon Techniques	10	3965	October 23, 2018

No Automation need some help

Related Topics