Introduction

ASM scanners are used to identify assets to add to the Escape Platform.

Alongside discovery, the ASM scanners also run a surface scan on each asset to give a quick view of its risks.

Example

Here is an example configuration:

---
port_scanning:
  ports:
  - 80
  - 443
  - 22
  - 8080
service_discovery:
  base_urls_delimiters:
  - ^.*/api/v1/
  - ^.*/api/v2/
  base_urls_wordlist:
  - https://api.example.com
  blocklisted_domains: []
  endpoints_wordlist: []
  graphql_endpoints_wordlist: []
  user_agents: []
subdomain_enumeration:
  blocklist:
  - ^.*\.example\.org$

Configuration reference

Fields

PortScannerConfig

Configuration for the port scanner.

ports

Type : List[integer]*

List of ports to scan. If empty, the most common ports will be scanned.

ServiceDiscoveryConfig

Configuration for the service discovery.

base_urls_delimiters

Type : List[string]*

List of delimiters to use to split the crawled URLs into services.

If you want to customize how Escape splits crawled URLs into services, you can use this list.

This is a list of regexes that will be matched against the crawled URLs using a regex match. The smallest right part of the match is then used as the endpoint, and the left part as the service.

Example:

base_urls_delimiters:
  - '^.*/api/v1/'
  - '^.*/api/v2/'
  # other delimiters ...

base_urls_wordlist

Type : List[string]*

Wordlist of base URLs to try to discover services on.

blocklisted_domains

Type : List[string]*

List of regexes to filter out domains from service discovery.

If you don't want Escape to explore a specific domain, you can skip it here.

Example:

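blocklisted_domains:
  # Single quotes keep the backslashes literal; "\." is an invalid escape in a double-quoted YAML string
  - 'auth\.example\.com' # Skip one domain
  - '.*\.example\.com' # Skip all subdomains of example.com
  - 'auth' # Greedy match: will skip if "auth" is contained in the string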

endpoints_wordlist

Type : List[string]*

Wordlist of endpoints to try to discover services on.

graphql_endpoints_wordlist

Type : List[string]*

Wordlist of GraphQL endpoints to try to discover services on.

If you want to customize how Escape discovers GraphQL services, define a wordlist of endpoints to try. By default, Escape will try the most common GraphQL endpoints. If multiple endpoints match, Escape will retain the first one.

Example:

graphql_endpoints_wordlist:
  - '/graphql'
  - '/api/graphql'
  - '/v1/graphql'
  - '/appsync'
  # other endpoints to test ...

user_agents

Type : List[string]*

List of user agents to use for the service discovery.

The user agent with the best HTTP status will be used.

Example:

user_agents:
  - 'curl/8.6.0'
  - 'python-requests/2.31.0'

SubdomainEnumerationConfig

blocklist

Type : List[string]*

List of regexes to filter out subdomains from enumeration.

If a subdomain matches one of the regexes, it will not be enumerated.

Example:

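blocklist:
  # Single quotes keep the backslashes literal; "\." is an invalid escape in a double-quoted YAML string
  - '^example\.com$' # Skip one domain
  - '^.*\.example\.org$' # Skip all subdomains of example.org
  - 'auth' # Greedy match: will skip if "auth" is contained in the string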
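
A blocklist entry that matches more than intended removes assets from discovery without any error, so it is worth dry-running the patterns against a known inventory before saving them. The sketch below is an added example, not Escape's code: it applies the three patterns from the blocklist example above (the same check works for blocklisted_domains) to a constructed hostname list, assuming search-style matching as the "auth" comment describes; audit_blocklist and unanchored are hypothetical helper names.

```python
import re

# Patterns taken from the blocklist example on this page.
BLOCKLIST = [r"^example\.com$", r"^.*\.example\.org$", r"auth"]

# Constructed inventory of hostnames (not real assets).
INVENTORY = [
    "example.com",
    "www.example.com",
    "api.example.org",
    "example.org",
    "auth.example.net",
    "authors.example.net",
    "oauth-proxy.example.net",
    "shop.example.net",
]


def audit_blocklist(patterns, hostnames):
    """Return {hostname: [patterns that exclude it]} for every excluded host.

    Assumption: a pattern excludes a host when it matches anywhere in the
    string (re.search), which is how the page describes the "auth" entry.
    """
    compiled = [(p, re.compile(p)) for p in patterns]
    excluded = {}
    for host in hostnames:
        hits = [p for p, rx in compiled if rx.search(host)]
        if hits:
            excluded[host] = hits
    return excluded


def unanchored(patterns):
    """Flag patterns not anchored at both ends: these match substrings."""
    return [p for p in patterns if not (p.startswith("^") and p.endswith("$"))]


if __name__ == "__main__":
    for host, hits in audit_blocklist(BLOCKLIST, INVENTORY).items():
        print(f"excluded: {host:28} by {hits}")
    print("unanchored patterns:", unanchored(BLOCKLIST))
```

On this sample the bare "auth" entry also drops authors.example.net and oauth-proxy.example.net, while the apex example.org stays in scope because the second pattern requires a dot before "example".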