Pentesters have to perform a lot of repetitive tasks to find vulnerabilities on a web application. Google has made its ‘Tsunami Web Vulnerability Scanner’ open-source for just this task. And as a cherry
Google previously used Tsunami internally. Although it was developed by Google, the open-source community will maintain it.
The instructions to install Tsunami and scan web applications can be found on GitHub.
Tsunami vs. Other Vulnerability Scanners
That’s great, but there are already tons of automated vulnerability scanners available. What’s so great about this one?
That’s a good question. Unlike other vulnerability scanners, Tsunami has been designed to find vulnerabilities in large networks that include hundreds of thousands of servers and devices.
According to Google, Tsunami has been designed to adapt on the fly to incredibly diverse, large-scale networks.
Google achieved this by splitting Tsunami into two parts with a modular structure in which plugins can be added for additional features.
Components of Tsunami
The first part of the Web Vulnerability Scanner is based on Nmap, the industry-tested network mapping engine, and some custom code from Google.
This component scans the network for open ports. The next step is to find the services and protocols running behind them.
The second component is a bit more complicated: the results of the port scan are fed into it, and it tests the discovered services for known vulnerabilities.
The modular approach allows plugins to be added for different features.
Google already provides two plugins in the initial version of the scanner.
- Exposed sensitive UIs: Applications such as Jenkins, Jupyter, and Hadoop Yarn ship with UIs that allow users to schedule workloads or execute system commands. If these systems are exposed to the internet without authentication, attackers can leverage the application’s functionality to execute malicious commands.
- Weak credentials: Tsunami uses other open-source tools such as ncrack to detect weak passwords used by protocols and tools, including SSH, FTP, RDP, and MySQL.
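As an added illustration of the two-stage design described above (this is a sketch written for this page, not Tsunami's own code, which is a Java project), the port-scan stage's Nmap XML output is parsed into service records, and each record is dispatched to the detector plugins registered for its service name. The Nmap output and host address are constructed; the exposed-UI detector here matches only the version fingerprint and does not check whether authentication is enforced, which the real plugin has to do.

```python
import xml.etree.ElementTree as ET
from collections import namedtuple
# Constructed Nmap XML (-oX) for one host: the port-scan result the first
# Tsunami component produces and hands to the detection stage.
NMAP_XML = """<nmaprun><host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
<port protocol="tcp" portid="8080"><state state="open"/><service name="http" product="Jetty"/></port>
<port protocol="tcp" portid="8088"><state state="open"/><service name="http" product="Apache Hadoop Yarn"/></port>
<port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>
</ports></host></nmaprun>"""

# host, port, Nmap service name (e.g. "http") and version fingerprint (may be empty)
NetworkService = namedtuple("NetworkService", "host port name product")

def parse_nmap(xml_text):
    """Stage 1: the open services the port scan found, one record per port."""
    services = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for p in host.iter("port"):
            if p.find("state").get("state") != "open":
                continue  # only open ports reach the detectors
            svc = p.find("service")
            services.append(NetworkService(addr, int(p.get("portid")),
                                           svc.get("name", ""), svc.get("product", "")))
    return services

# Products whose web UIs can schedule workloads or run system commands.
SENSITIVE_UIS = ("jenkins", "jupyter", "hadoop yarn")

def exposed_sensitive_ui(svc):
    """Detector plugin: flag an HTTP service whose fingerprint names a sensitive UI."""
    if any(u in svc.product.lower() for u in SENSITIVE_UIS):
        return ("CRITICAL", "exposed_sensitive_ui", svc)
    return None

# Stage 2: plugin registry keyed by the Nmap service name each detector understands.
# Adding a detector for another protocol is one more entry here.
DETECTORS = {"http": [exposed_sensitive_ui]}

def run_scan(xml_text):
    """Run every registered detector over the services from the port scan."""
    findings = []
    for svc in parse_nmap(xml_text):
        for plugin in DETECTORS.get(svc.name, []):
            finding = plugin(svc)
            if finding:
                findings.append(finding)
    return findings
```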
“In the coming months, we plan to release many more detectors for vulnerabilities similar to remote code execution (RCE). Furthermore, we are working on several other new features that will make the engine more powerful and easier to use and extend,” says Google.
We can expect new plugins for Tsunami over time, from Google and from the open-source community alike.
Aim of No False Positives
Most commercially available web scanners produce a load of false positives. Google’s aim with Tsunami is to minimize these so that companies with networks as large as its own can work more efficiently.
Google’s primary goal is to increase scan accuracy. False positives can hinder the workflow in large networks, as pushing a patch to the wrong place can result in a device or network crash.
Furthermore, Tsunami focuses on finding high-severity vulnerabilities instead of scanning for everything, as most vulnerability scanners do. This also reduces the pressure on security teams.