Examples

A list of common use cases for running scans with OXO. It covers Web scans, Network scans, SBOM file scans, and more.


Web scan

For the Web scan, we will be using:

  • Zap: Application crawling and fuzzing for application-level vulnerabilities.
  • Nuclei: Detection of known vulnerabilities.
  • Asteroid: Detection of known vulnerabilities.
  • Metasploit: Detection of known vulnerabilities.
  • Tsunami: Detection of known vulnerabilities.
  • Semgrep: JavaScript and HTML source code review.
  • Trufflehog: Leaked secret detection.

To perform your Web scan, you have two options depending on your target.

Scanning a Host:

To scan a domain, simply run the following command:

oxo scan run --install -g agent_group.yaml domain-name www.example.com

Scanning a URL:

To scan a link, simply run the following command:

oxo scan run --install -g agent_group.yaml link --url https://www.example.com --method GET

Agent group definition

You can copy the Agent Group Definition example:

kind: AgentGroup
description: Agent Group for extensive Web Testing with crawling, fuzzing and known vulnerability discovery.
agents:
  - key: agent/ostorlab/zap
    args:
      - name: scan_profile
        type: string
        description: "Accepts three values: `baseline` which runs the ZAP spider against
          the target for (by default) 1 minute followed by an optional ajax
          spider scan before reporting the results of the passive scanning.
          `full` which runs the ZAP spider against the target (by default with
          no time limit) followed by an optional ajax spider scan and then a
          full active scan before reporting the results and `api` Scan which
          performs an active scan against APIs defined by OpenAPI, or GraphQL
          (post 2.9.0) via either a local file or a URL."
        value: full
  - key: agent/ostorlab/nuclei
  - key: agent/ostorlab/asteroid
  - key: agent/ostorlab/metasploit
  - key: agent/ostorlab/tsunami
  - key: agent/ostorlab/semgrep
  - key: agent/ostorlab/trufflehog

Network scan

For the Network scan, we will be using:

  • Nmap: Network Port and Service scanning.
  • Nuclei: Detection of known vulnerabilities.
  • Asteroid: Detection of known vulnerabilities.
  • Metasploit: Detection of known vulnerabilities.
  • Tsunami: Detection of known vulnerabilities.
  • OpenVas: Detection of known vulnerabilities.

To perform your Network scan, you use the ip asset.

oxo scan run --install -g agent_group.yaml ip 8.8.8.8

Agent group definition

You can copy the Agent Group Definition example:

kind: AgentGroup
description: Agent Group for Extensive network scanning.
agents:
  - key: agent/ostorlab/nmap
    args:
      - name: fast_mode
        type: boolean
        description: Fast mode scans fewer ports than the default mode.
        value: true
      - name: ports
        type: string
        description: List of ports to scan.
        value: 0-65535
      - name: timing_template
        type: string
        description: Template of timing settings (T0, T1, ... T5).
        value: T3
      - name: scripts
        type: array
        description: List of scripts to run using Nmap
        value: "['banner']"
  - key: agent/ostorlab/asteroid
  - key: agent/ostorlab/metasploit
  - key: agent/ostorlab/openvas
  - key: agent/ostorlab/nuclei
  - key: agent/ostorlab/tsunami
    port_mapping: []

SBOM file scan

To scan an SBOM file, we will be using the Agent osv.

To perform your SBOM file scan, you use the file asset.

oxo scan run --install -g agent_group.yaml file --file /tmp/my_sbom_file

Agent group definition

You can copy the Agent Group Definition example:

kind: AgentGroup
description: SBOM scan
agents:
  - key: agent/ostorlab/osv
    args:
      - name: nvd_api_key
        type: string
        description: NVD api key.
        value: ""
    port_mapping: []

Enumerate domains

To improve the scope of detection, it's possible to enumerate and target subdomains of a given asset by adding Subfinder and/or Dnsx to the agent group definition agent_group.yaml.

Amass, all_tlds and whois_domain are other agents that help with subdomain discovery.

WhatWeb and Nmap will handle port, service and tech stack scanning.

Agent group definition

You can copy the Agent Group Definition example:

kind: AgentGroup
description: Enumerate domain scan
agents:
  - key: agent/ostorlab/subfinder
  - key: agent/ostorlab/dnsx
  - key: agent/ostorlab/all_tlds
  - key: agent/ostorlab/amass
  - key: agent/ostorlab/whois_domain
  - key: agent/ostorlab/whatweb
  - key: agent/ostorlab/nmap

Check a single bug with a nuclei template

To check a single bug using a Nuclei template, we will customize the arguments passed to Agent nuclei in the agent group definition.

To perform your Network scan, you use the ip asset.

oxo scan run --install -g agent_group.yaml ip 8.8.8.8

Agent group definition

To customize the list of templates, we set the value of the argument template_urls to the list of templates to run.

kind: AgentGroup
description: Network scan
agents:
  - key: agent/ostorlab/nuclei
    args:
      - name: template_urls
        type: array
        description: List of template urls to run. These will be fetched by the agent
          and passed to Nuclei.
        value: 
          - "URL1_To_TEMPLATE"
          - "URL2_To_TEMPLATE"

Override agent in_selectors:

To override the default selectors that an agent listens to, you can use the in_selectors field in the agent group definition.

For example, Agent Zap listens to the v3.asset.domain_name and v3.asset.link selectors.

If you want the agent to target only the v3.asset.link selector, you can specify it in the agent group definition.

kind: AgentGroup
description: Override agent in_selectors example
agents:
  - key: agent/ostorlab/zap
    in_selectors:
      - v3.asset.link

Specify the list of accepted agents:

To restrict which agents an agent receives messages from, you can use the accepted_agents field in the agent group definition.

kind: AgentGroup
description: Specify to an agent the list of agents to receive messages from
agents:
  - key: agent/ostorlab/zap
    accepted_agents: ["inject_asset"]
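
The effect of in_selectors and accepted_agents on what Agent Zap ends up processing, as an added example that is not OXO's own code. It is a simplified model that assumes a subscription covers a selector and its sub-selectors, and that accepted_agents is compared with the sender's name; the message stream and the sender hypothetical_crawler are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Agent:
    key: str
    in_selectors: list
    # Empty list means "accept messages from any sender" (assumed default).
    accepted_agents: list = field(default_factory=list)


def selector_matches(subscribed: str, published: str) -> bool:
    """Assumed rule: a subscription covers the selector itself and its sub-selectors."""
    sub, pub = subscribed.split("."), published.split(".")
    return pub[:len(sub)] == sub


def delivers(agent: Agent, selector: str, sender: str) -> bool:
    """True if the agent would process a message on `selector` sent by `sender`."""
    if not any(selector_matches(s, selector) for s in agent.in_selectors):
        return False
    return not agent.accepted_agents or sender in agent.accepted_agents


def coverage(agent: Agent, messages: list) -> list:
    """Return the (selector, sender) pairs the agent would process."""
    return [(sel, snd) for sel, snd in messages if delivers(agent, sel, snd)]


# Constructed message stream: injected assets plus a link emitted by another agent.
MESSAGES = [
    ("v3.asset.domain_name", "inject_asset"),
    ("v3.asset.link", "inject_asset"),
    ("v3.asset.link", "hypothetical_crawler"),
]

DEFAULT_SELECTORS = ["v3.asset.domain_name", "v3.asset.link"]
ZAP_DEFAULT = Agent("agent/ostorlab/zap", DEFAULT_SELECTORS)
ZAP_LINK_ONLY = Agent("agent/ostorlab/zap", ["v3.asset.link"])
ZAP_INJECTED_ONLY = Agent("agent/ostorlab/zap", DEFAULT_SELECTORS, ["inject_asset"])

if __name__ == "__main__":
    for name, agent in [("default", ZAP_DEFAULT),
                        ("in_selectors override", ZAP_LINK_ONLY),
                        ("accepted_agents override", ZAP_INJECTED_ONLY)]:
        print(f"{name}: {coverage(agent, MESSAGES)}")
```

Under this model, a scan started with the domain-name asset gives a link-only Zap nothing to process unless another agent in the group emits links, so check the override against the asset type you pass on the command line.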