the idea of a vulnerability verification framework

Posted by tetley at 2020-02-27


This article focuses on the idea of a vulnerability verification framework, but does not explain the details of the internal implementation. This article is a little long; please be patient.


To build a vulnerability scanner, we first need to understand what the scan should achieve: what does it need, and what must it support?

Possible needs are as follows:

requirement analysis

The requirements of a vulnerability scanner are outlined above in simple terms; when implementing them, it is best to select technologies appropriate to each requirement.

Cross platform operation

There are many cross platform development languages, such as C, C++, Java, Python, Go and so on.

The choice of development language needs to be considered according to the operation efficiency and development efficiency that the framework needs to meet.

If you need a balance of running efficiency and development efficiency, you can choose languages such as Java or Python. If you need to pursue the highest running efficiency, you can use the Go language.


Java programs actually run in the Java virtual machine (the JRE is a software implementation of it). The Java virtual machine is similar to a simulated execution environment, and there are different Java virtual machine implementations for different operating systems. However, these Java virtual machines all follow a unified specification for interpreting class files: the instructions in a class file are converted into the instructions of the local operating system, so the same class file can be converted, through the Java virtual machine, into the corresponding instructions on each operating system. This is the cross platform nature of Java programs.


Python is a cross platform scripting language. Python specifies a set of syntax rules, and an interpreter that implements this syntax is called a Python interpreter.

Custom POC

The essence of custom POCs and exps is that they are written against a template, which enables the scanning framework to recognize and run them. The template is generally divided into basic vulnerability information, POC verification information and exp exploitation information.

Multiple operation modes

Multiple operation modes, including multi-process, multi-thread and distributed operation. If the scanner needs large-scale scanning and detection, it is recommended to use distributed nodes. In general, multithreading and multiprocessing can meet most requirements.

Generally, distributed operation is suitable for large-scale intranet or large-scale scanning detection.


At present, there are three popular options for the visualization technology.

The first is to develop the visualization program with Qt.

The second is to use Electron or NW.js to develop the visual application. The well-known FOFA Pro client, Goby, China Ant Sword (AntSword) and so on are developed with this option. There are many programs developed on this framework listed on Electron's official website.

The third is to use a B/S (browser/server) architecture for development: the back end is controlled through the web, and the nodes are developed in Python, Java and other languages. Bugscan, w8scan and patrol are all based on the B/S architecture.


Electron is an open source library developed by GitHub to build cross platform desktop applications with HTML, CSS and JavaScript. Electron does this by merging Chromium and Node.js into the same runtime environment and packaging them as applications for macOS, Windows and Linux.

Electron was developed in 2013 as the framework for building Atom, GitHub's programmable text editor. The two projects were open-sourced in spring 2014.

At present, it has become a common development tool for open source developers, start-ups and established companies.


NW.js is based on Chromium and Node.js. NW.js uses web technology together with Node.js and its modules to develop desktop applications.

asset management

The asset management module manages the asset information from scan detection results and associates each asset with the corresponding POCs. It mainly contains asset identification rules, which are used to identify asset information; for example, rules identify an asset by its title, body, certificate, headers and banner.
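The identification rules described above, as an added example that is not the article's code: each rule pairs a product name with per-field patterns over the title, body, headers, certificate subject and banner collected from a target, and every pattern present in the rule must match. The rule format, the field names, the hypothetical products (ExampleCMS, ExampleHTTPd, ExampleSSH, ExampleVPN) and the sample response are all assumptions constructed for this illustration.

```python
# Added example: a small asset-identification rule matcher for the asset
# management module. The rule format, field names, products and the sample
# response are assumptions constructed for this illustration.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ServiceResponse:
    """What a probe collected from one target (constructed sample below)."""
    title: str = ""
    body: str = ""
    headers: Dict[str, str] = field(default_factory=dict)
    banner: str = ""
    cert_subject: str = ""


@dataclass
class AssetRule:
    """One fingerprint: product name plus per-field regexes (all must match)."""
    product: str
    title: Optional[str] = None                # regex against the HTML title
    body: Optional[str] = None                 # regex against the response body
    header: Optional[Tuple[str, str]] = None   # (header name, regex on its value)
    banner: Optional[str] = None               # regex against a raw service banner
    cert: Optional[str] = None                 # regex against the certificate subject


def rule_matches(rule: AssetRule, resp: ServiceResponse) -> bool:
    """Every pattern present in the rule must match; absent fields are ignored."""
    checks = []
    if rule.title is not None:
        checks.append(re.search(rule.title, resp.title, re.I) is not None)
    if rule.body is not None:
        checks.append(re.search(rule.body, resp.body, re.I) is not None)
    if rule.header is not None:
        name, pattern = rule.header
        # HTTP header names are case-insensitive, so match the name that way
        value = next((v for k, v in resp.headers.items() if k.lower() == name.lower()), "")
        checks.append(re.search(pattern, value, re.I) is not None)
    if rule.banner is not None:
        checks.append(re.search(rule.banner, resp.banner, re.I) is not None)
    if rule.cert is not None:
        checks.append(re.search(rule.cert, resp.cert_subject, re.I) is not None)
    # a rule with no patterns would otherwise match everything; treat it as no match
    return bool(checks) and all(checks)


def identify_assets(resp: ServiceResponse, rules: List[AssetRule]) -> List[str]:
    """Return every product whose rule matches, so the asset can be linked to its POCs."""
    return [r.product for r in rules if rule_matches(r, resp)]


# Constructed rule set (hypothetical products and patterns).
RULES = [
    AssetRule("ExampleCMS", title=r"ExampleCMS", body=r'generator" content="ExampleCMS'),
    AssetRule("ExampleHTTPd", header=("Server", r"^ExampleHTTPd/\d")),
    AssetRule("ExampleSSH", banner=r"^SSH-2\.0-ExampleSSH"),
    AssetRule("ExampleVPN", cert=r"CN=.*examplevpn"),
]

# Constructed sample response from one target.
SAMPLE = ServiceResponse(
    title="Welcome - ExampleCMS",
    body='<meta name="generator" content="ExampleCMS 3.1">',
    headers={"server": "ExampleHTTPd/2.4", "Content-Type": "text/html"},
)

if __name__ == "__main__":
    print(identify_assets(SAMPLE, RULES))
```

Rules are evaluated independently, so one target can be tagged with several products (here a CMS and the web server in front of it), which is what the POC association needs.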


The overall framework is divided into four modules: concurrency engine, plug-in center, target center and vulnerability verification.

Process flow

Concurrency engine

The concurrency engine is the running mode selected by the vulnerability verifier at run time. There are three running modes, multithreading, multiprocessing and distributed, and they are used to ensure the efficiency of the vulnerability verifier.

Under normal circumstances, using multithreading and multiprocessing is suitable for most scenarios.

Distributed operation is used for intranet detection or large-scale network detection in large enterprises.
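A multithreaded running mode for the concurrency engine, as an added example that is not the article's code: a bounded worker pool runs one verifier function over every target, records a failed check (for instance a connection timeout) against that target only, and returns results in the original order so reports are deterministic. The verifier, its behaviour and the target list are constructed stand-ins.

```python
# Added example: a thread-based concurrency engine. The verifier and the
# target list are constructed stand-ins, not the article's own code.
from concurrent.futures import ThreadPoolExecutor, as_completed
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional


@dataclass
class VerifyResult:
    target: str
    vulnerable: Optional[bool]   # None when the check itself failed
    error: str = ""


def run_engine(targets: Iterable[str],
               verifier: Callable[[str], bool],
               workers: int = 8) -> List[VerifyResult]:
    """Run `verifier` on every target with at most `workers` threads.

    An exception inside one check is recorded for that target only, so a
    single unreachable host cannot abort the whole scan. Results come back
    in the original target order regardless of completion order.
    """
    targets = list(targets)
    results: List[Optional[VerifyResult]] = [None] * len(targets)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        futures = {pool.submit(verifier, t): i for i, t in enumerate(targets)}
        for fut in as_completed(futures):
            i = futures[fut]
            try:
                results[i] = VerifyResult(targets[i], bool(fut.result()))
            except Exception as exc:  # record the failure, do not propagate it
                results[i] = VerifyResult(targets[i], None, f"{type(exc).__name__}: {exc}")
    return [r for r in results if r is not None]


def demo_verifier(target: str) -> bool:
    """Constructed stand-in: hosts ending in '.7' count as affected and
    hosts ending in '.unreachable' time out. A real verifier would send the
    POC request from the template and apply its logical judgment."""
    if target.endswith(".unreachable"):
        raise TimeoutError("connect timed out")
    return target.endswith(".7")


def summarize(results: List[VerifyResult]) -> Dict[str, int]:
    """Counts for the report: affected, clean, and checks that errored."""
    return {
        "affected": sum(1 for r in results if r.vulnerable is True),
        "clean": sum(1 for r in results if r.vulnerable is False),
        "errors": sum(1 for r in results if r.vulnerable is None),
    }


if __name__ == "__main__":
    sample_targets = ["10.0.0.5", "10.0.0.7", "host.unreachable", "10.1.2.7"]
    scan = run_engine(sample_targets, demo_verifier, workers=4)
    for r in scan:
        print(r)
    print(summarize(scan))
```

Keeping errored checks separate from "clean" matters for the report: a host that timed out was not verified, and counting it as not vulnerable would hide coverage gaps in the scan.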

Plug-in Center

The plug-in center is composed of template center, plug-in loading center and plug-in management center.

The template center provides POC and exp template information, mainly including general template and programming language template.

The plug-in loading center provides users with optional plug-ins to load for testing.

The plug-in management center manages POCs written by users.

Template center

The template center is mainly divided into two modules, the general template and the programming language template. Each consists of basic plug-in information, POC information and exp information.

Basic plug-in information consists of the plug-in name (vulnerability name), type, product name, level, product home page, description, etc.

POC information consists of the request protocol, request method, request content, logical judgment, etc.

Exp information consists of the POC information plus an execution command.

Generally, the request protocol is HTTP, HTTPS, TCP, UDP, etc.; the request methods of the protocol (where applicable) include GET, POST, PUT, HEAD, DELETE, OPTIONS, TRACE, CONNECT, etc.; and the logical judgment is expressed with "and", "or" and "not".
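The template layout from the "Custom POC" section and the template center description above, as an added example that is not the article's code: a template holds basic information, POC information (request protocol, method and content plus an and/or/not judgment tree) and exp information, a loader-side validator rejects templates with missing fields or unsupported protocols and methods, and an evaluator applies the judgment to a captured response. The JSON-style field names, the judgment node types (status, body_contains, header), the hypothetical product and the sample responses are all assumptions constructed for this illustration.

```python
# Added example: a minimal POC/exp template format and the logic that
# validates a template and evaluates its and/or/not judgment against a
# response. Field names, the product and the responses are constructed.
from typing import Any, Dict, List

# Constructed template in the three-part layout: basic / poc / exp.
TEMPLATE: Dict[str, Any] = {
    "basic": {
        "name": "ExampleCMS admin page reachable without login (constructed sample)",
        "type": "information disclosure",
        "product": "ExampleCMS",
        "level": "medium",
        "homepage": "https://example.invalid/examplecms",
        "description": "Hypothetical plug-in used only to exercise the template engine.",
    },
    "poc": {
        "protocol": "http",
        "method": "GET",
        "path": "/admin/",          # request content: path, headers and body
        "headers": {},
        "body": "",
        # judgment tree: {"and": [...]}, {"or": [...]}, {"not": node};
        # leaves: {"status": int}, {"body_contains": str}, {"header": [name, value]}
        "judgment": {
            "and": [
                {"status": 200},
                {"body_contains": "ExampleCMS administration"},
                {"not": {"body_contains": "Please log in"}},
            ]
        },
    },
    "exp": {"inherits": "poc", "command": ""},  # left empty in this constructed sample
}

REQUIRED_BASIC = ("name", "type", "product", "level")
REQUIRED_POC = ("protocol", "method", "judgment")
PROTOCOLS = ("http", "https", "tcp", "udp")
HTTP_METHODS = ("GET", "POST", "PUT", "HEAD", "DELETE", "OPTIONS", "TRACE", "CONNECT")


def validate_template(tpl: Dict[str, Any]) -> List[str]:
    """Return the problems that should stop the loader from accepting a template."""
    problems = []
    basic = tpl.get("basic", {})
    for key in REQUIRED_BASIC:
        if not basic.get(key):
            problems.append(f"basic.{key} missing")
    poc = tpl.get("poc", {})
    for key in REQUIRED_POC:
        if key not in poc:
            problems.append(f"poc.{key} missing")
    if poc.get("protocol") not in PROTOCOLS:
        problems.append("poc.protocol unsupported")
    if poc.get("protocol") in ("http", "https") and \
            str(poc.get("method", "")).upper() not in HTTP_METHODS:
        problems.append("poc.method unsupported")
    return problems


def evaluate(node: Dict[str, Any], resp: Dict[str, Any]) -> bool:
    """Recursively apply an and/or/not judgment tree to a response dict."""
    if "and" in node:
        return all(evaluate(n, resp) for n in node["and"])
    if "or" in node:
        return any(evaluate(n, resp) for n in node["or"])
    if "not" in node:
        return not evaluate(node["not"], resp)
    if "status" in node:
        return resp.get("status") == node["status"]
    if "body_contains" in node:
        return node["body_contains"] in resp.get("body", "")
    if "header" in node:
        name, expected = node["header"]
        headers = {k.lower(): v for k, v in resp.get("headers", {}).items()}
        return headers.get(name.lower()) == expected
    raise ValueError(f"unknown judgment node: {node}")


def verify(tpl: Dict[str, Any], resp: Dict[str, Any]) -> bool:
    """True when the captured response satisfies the template's POC judgment."""
    return evaluate(tpl["poc"]["judgment"], resp)


# Constructed responses standing in for what the request sender would capture.
AFFECTED = {"status": 200, "headers": {"Server": "ExampleHTTPd"},
            "body": "<h1>ExampleCMS administration</h1>"}
LOGIN_WALL = {"status": 200, "headers": {},
              "body": "<h1>ExampleCMS administration</h1><p>Please log in</p>"}
NOT_FOUND = {"status": 404, "headers": {}, "body": ""}

if __name__ == "__main__":
    print(validate_template(TEMPLATE), verify(TEMPLATE, AFFECTED), verify(TEMPLATE, LOGIN_WALL))
```

The "not" branch is what keeps the check from reporting a false positive when the page title matches but a login wall is present; validating templates at load time rather than at scan time means a malformed user-written POC is reported in the plug-in management center instead of failing silently mid-scan.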

Plug-in loading center

Plug-ins are loaded according to the method the user selects (load all, or load specified plug-ins).

Plug-in management center

The plug-in management center manages and writes plug-in information, and performs operations such as modifying, deleting, and querying plug-ins.

Target center

The target center is mainly responsible for the three modules of target loading, asset management and vulnerability management.

Vulnerability plug-in information can be stored using a database together with Git. The database stores the basic plug-in information, and Git stores the plug-in's code. Git can also be used to version the plug-ins and perform operations such as rollback.

Target loading

At present, targets can be loaded as a single IP, as an IP segment, or by file import.
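Target loading for the three input forms above, as an added example that is not the article's code: a single IP, an IP segment (given as CIDR or as a dashed start-end range, both of which are assumed formats) and file import (a list of lines with comments and blank lines), deduplicated in order, with a bad line reported by line number and a cap on the number of hosts so a mistyped segment cannot queue an enormous scan.

```python
# Added example: target loading for single IPs, IP segments and file import.
# The CIDR / dashed-range notations and the sample file are assumptions
# constructed for this illustration, not the article's own code.
import ipaddress
from typing import Iterable, List, Set


def expand_target(spec: str) -> List[str]:
    """Expand one target spec into host addresses.

    Accepts a single IP, a CIDR segment ("10.0.0.0/30") or a dashed range
    ("10.0.0.1-10.0.0.3"). Raises ValueError for anything else so a bad line
    in an imported file is reported instead of silently skipped.
    """
    spec = spec.strip()
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        # /31 and /32 (v6 /127 and /128) have no network/broadcast to drop
        if net.num_addresses <= 2:
            return [str(a) for a in net]
        return [str(a) for a in net.hosts()]
    if "-" in spec:
        start_s, end_s = spec.split("-", 1)
        start, end = ipaddress.ip_address(start_s.strip()), ipaddress.ip_address(end_s.strip())
        if start.version != end.version:
            raise ValueError(f"mixed address families in range: {spec}")
        if end < start:
            raise ValueError(f"range end before start: {spec}")
        return [str(start + i) for i in range(int(end) - int(start) + 1)]
    return [str(ipaddress.ip_address(spec))]


def load_targets(lines: Iterable[str], max_hosts: int = 65536) -> List[str]:
    """Load targets from lines (an imported file or a pasted list), deduplicated in order.

    Blank lines and '#' comments are ignored. `max_hosts` is a safety cap so
    a stray /8 does not queue millions of hosts by accident.
    """
    seen: Set[str] = set()
    out: List[str] = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            hosts = expand_target(line)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        for h in hosts:
            if h in seen:
                continue
            seen.add(h)
            out.append(h)
            if len(out) > max_hosts:
                raise ValueError(f"more than {max_hosts} targets; refusing to load")
    return out


# Constructed sample of an imported target file.
SAMPLE_FILE = """\
# single hosts
10.0.0.5
10.0.0.5          # duplicate, dropped
# segment and range
192.168.1.0/30
192.168.1.2-192.168.1.4
"""

if __name__ == "__main__":
    print(load_targets(SAMPLE_FILE.splitlines()))
```

Expanding segments into concrete hosts up front lets the concurrency engine treat every target identically, and the cap plus the per-line error make file import safe to expose to operators who paste lists by hand.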

asset management

The asset management module mainly manages and analyzes the successfully identified asset information, together with vulnerability management and identification rule management.

Log management

The log management module mainly manages the log information of the overall framework, including log recording, query and other operations.


Flow chart in the paper: [image not included in this text]

This article describes a vulnerability detection framework that I have conceived. If there are any discrepancies or problems in what is described in the article, please do not hesitate to correct them.