
Automated Web Assessment Playbook

# Purpose

This playbook performs repeatable exposure and vulnerability checks, saves machine-readable results, and produces a review queue. It does not invoke payload templates, attempt authentication attacks, or automatically exploit a match.

# Paste-Ready Script

```bash
#!/usr/bin/env bash
set -Eeuo pipefail
umask 077

[[ $# -eq 1 ]] || { echo "Usage: $0 <approved-urls.txt>"; exit 1; }
INPUT="$(realpath "$1")"
[[ -s "$INPUT" ]] || { echo "URL file is empty"; exit 1; }
[[ -n "${ENGAGEMENT_ROOT:-}" ]] || { echo "Load engagement.env first"; exit 1; }
# RAW_DIR also comes from engagement.env; check it explicitly so a missing value
# fails with a clear message instead of an unbound-variable error under set -u.
[[ -n "${RAW_DIR:-}" ]] || { echo "RAW_DIR is not set; load engagement.env first"; exit 1; }
for tool in httpx nuclei jq; do
  command -v "$tool" >/dev/null 2>&1 || { echo "Missing dependency: $tool"; exit 1; }
done

OUT="$RAW_DIR/web-validation-$(date -u +%Y%m%dT%H%M%SZ)"
mkdir -p "$OUT"/{probe,nuclei,review}

# Liveness and fingerprint probe; one JSON object per input URL.
httpx -silent -l "$INPUT" -follow-redirects -status-code -title -tech-detect \
  -server -ip -json -rate-limit "${HTTP_RATE:-20}" \
  -o "$OUT/probe/httpx.jsonl"
jq -r '.url // empty' "$OUT/probe/httpx.jsonl" | sort -u > "$OUT/live-urls.txt"

# Detection and configuration checks only. Exclude fuzzing, DoS, and intrusive tags.
nuclei -silent -l "$OUT/live-urls.txt" \
  -severity info,low,medium,high,critical \
  -exclude-tags fuzz,dos,intrusive,bruteforce \
  -rate-limit "${HTTP_RATE:-20}" -bulk-size 10 -concurrency 10 \
  -jsonl -o "$OUT/nuclei/findings.jsonl" || true

# Flatten findings into a TSV review queue. Hyphenated keys such as template-id
# must be quoted in jq: unquoted, .template-id parses as a subtraction and the
# filter fails, which the 2>/dev/null and || true below would hide.
jq -r '[
  (.info.severity // "unknown"),
  (."template-id" // ""),
  (."matched-at" // .host // ""),
  (.info.name // "")
] | @tsv' "$OUT/nuclei/findings.jsonl" 2>/dev/null \
  | sort -u > "$OUT/review/candidates.tsv" || true

echo "Review queue: $OUT/review/candidates.tsv"
echo "A template match is a lead, not a confirmed vulnerability."
```

# Operator-Selected Validation

For each candidate:

  1. Read the exact template and vendor advisory.
  2. Confirm the detected product and affected version.
  3. Reproduce with a single request where possible.
  4. Avoid data modification and command execution unless explicitly approved.
  5. Capture request, response, timestamp, affected asset, and cleanup requirements.
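Before step 3 is worth a scope gate on the review queue: a template match recorded under a host that is not in the approved list must not be reproduced. The following is an added example, not the playbook's own code; it assumes the four-column TSV the script above writes (severity, template-id, matched-at, name) and an approved-urls.txt with one URL or host per line.

```bash
#!/usr/bin/env bash
# Added example, not part of the playbook: gate the review queue by scope so an
# operator only reproduces candidates whose host is in the approved URL list.
# Assumes the TSV layout the playbook writes: severity, template-id, matched-at, name.
set -euo pipefail

# Reduce a URL or bare host to a lowercase hostname: scheme, userinfo, port,
# path and query are stripped.
url_host() {
  local u="$1"
  u="${u#*://}"; u="${u%%/*}"; u="${u%%\?*}"; u="${u##*@}"; u="${u%%:*}"
  printf '%s\n' "$u" | tr '[:upper:]' '[:lower:]'
}

# Usage: scope_filter <approved-urls.txt> <candidates.tsv>
# In-scope rows go to stdout unchanged; out-of-scope rows go to stderr with an
# OUT_OF_SCOPE prefix so they are reviewed as scope problems, never dropped.
scope_filter() {
  local approved="$1" candidates="$2" allow a sev tid url name host
  allow="$(while read -r a || [[ -n "$a" ]]; do
             if [[ -n "$a" ]]; then url_host "$a"; fi; done < "$approved" | sort -u)"
  while IFS=$'\t' read -r sev tid url name || [[ -n "$sev" ]]; do
    host="$(url_host "$url")"
    case $'\n'"$allow"$'\n' in
      *$'\n'"$host"$'\n'*) printf '%s\t%s\t%s\t%s\n' "$sev" "$tid" "$url" "$name" ;;
      *) printf 'OUT_OF_SCOPE\t%s\t%s\t%s\t%s\n' "$sev" "$tid" "$url" "$name" >&2 ;;
    esac
  done < "$candidates"
}

# Demo on constructed input (hosts are placeholders); prints the number of
# in-scope rows, which is 2: the third-party CDN row is diverted to stderr.
demo() {
  local d; d="$(mktemp -d)"
  printf '%s\n' 'https://approved.example' 'https://API.approved.example:8443/v1' > "$d/approved.txt"
  printf '%s\t%s\t%s\t%s\n' \
    high   exposed-panel 'https://approved.example/admin'       'Exposed admin panel' \
    low    tls-version   'https://api.approved.example:8443/'   'Deprecated TLS version' \
    medium open-redirect 'https://cdn.thirdparty.example/login' 'Open redirect' \
    > "$d/candidates.tsv"
  scope_filter "$d/approved.txt" "$d/candidates.tsv" 2>"$d/out-of-scope.tsv" | wc -l | tr -d ' '
  rm -rf "$d"
}
```

Run it as `scope_filter approved-urls.txt "$OUT/review/candidates.tsv" > in-scope.tsv 2> out-of-scope.tsv` and work only from in-scope.tsv.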

Examples of bounded checks:

```bash
curl -ksS -D headers.txt -o body.txt 'https://approved.example/path'
nmap -Pn -p 443 --script ssl-cert,ssl-enum-ciphers approved.example
sqlmap -u 'https://approved.example/item?id=1' --batch --level=1 --risk=1 --flush-session
```

The sqlmap example is a low-risk confirmation pass against one operator-selected parameter. Database extraction, file access, OS command execution, and crawling are not enabled.

Use the relevant Web Attacks page for manual validation and cleanup details.