4942425ce5
- add docs/ with installation, usage, modules, scans, and api docs - add docs link to main readme - fix release.yml to bundle modules directory with releases - add module system tests to runtest.yml - standardize go version to 1.23 across workflows
3.8 KiB
scans
detailed information about sif's built-in security scans.
base scan
runs automatically unless -noscan is specified.
checks:
- robots.txt parsing
- common files (sitemap.xml, security.txt, etc)
- basic reconnaissance
directory fuzzing (-dirlist)
brute-forces directories and files using wordlists.
sizes
| size | entries | use case |
|---|---|---|
| small | ~1k | quick scan, low noise |
| medium | ~10k | balanced coverage |
| large | ~100k | thorough, takes longer |
what it finds
- hidden directories (/admin, /backup, /config)
- backup files (.bak, .old, .zip)
- configuration files
- development artifacts
subdomain enumeration (-dnslist)
discovers subdomains via dns brute-forcing.
sizes
| size | entries | use case |
|---|---|---|
| small | ~1k | quick discovery |
| medium | ~10k | common subdomains |
| large | ~100k | comprehensive |
what it finds
- dev/staging environments
- internal services
- forgotten subdomains
- api endpoints
port scanning (-ports)
scans for open ports and identifies services.
scopes
| scope | ports | description |
|---|---|---|
| common | top 1000 | most common services |
| full | 1-65535 | all ports, slow |
what it finds
- web servers (80, 443, 8080)
- databases (3306, 5432, 27017)
- admin interfaces (8443, 9090)
- development servers
framework detection (-framework)
identifies web frameworks and their versions.
detects
- react, vue, angular, next.js
- django, flask, rails
- laravel, symfony, express
- wordpress, drupal, joomla
features
- version detection
- cve lookup for known vulnerabilities
- confidence scoring
javascript analysis (-js)
analyzes javascript files for security issues.
finds
- api endpoints and keys
- hardcoded credentials
- internal urls
- framework configurations
- source maps
http headers (-headers)
analyzes security headers.
checks
- content-security-policy
- x-frame-options
- x-content-type-options
- strict-transport-security
- x-xss-protection
- permissions-policy
cms detection (-cms)
identifies content management systems.
detects
- wordpress (with version)
- drupal
- joomla
- magento
- shopify
- ghost
git repository (-git)
checks for exposed git repositories.
finds
- .git/HEAD
- .git/config
- .git/index
- source code exposure risk
cloud storage (-c3)
checks for cloud storage misconfigurations.
checks
- s3 bucket access
- azure blob storage
- gcp storage buckets
- open bucket policies
subdomain takeover (-st)
detects subdomain takeover vulnerabilities.
requires -dnslist to enumerate subdomains first.
checks
- dangling cname records
- unclaimed cloud services
- expired third-party services
shodan lookup (-shodan)
queries shodan for host intelligence.
requires SHODAN_API_KEY environment variable.
returns
- open ports
- services and versions
- known vulnerabilities
- ssl/tls info
- organization data
sql reconnaissance (-sql)
detects sql-related exposures.
finds
- admin panels (/phpmyadmin, /adminer)
- database error messages
- sql injection indicators
lfi scanning (-lfi)
checks for local file inclusion vulnerabilities.
tests
- path traversal (../)
- null byte injection
- common lfi payloads
- sensitive file disclosure
whois lookup (-whois)
performs whois lookups on target domains.
returns
- registrar info
- creation/expiration dates
- nameservers
- registrant info (if available)
google dorking (-dork)
automated google dorking for target.
searches
- indexed sensitive files
- exposed admin panels
- configuration files
- backup files
- error pages
nuclei scanning (-nuclei)
runs nuclei vulnerability templates.
requires nuclei to be installed.
templates
- cve detection
- misconfigurations
- exposures
- default credentials