Netsparker Hawk is the infrastructure the Netsparker web application security scanner uses to detect Server Side Request Forgery (SSRF) and all other kinds of blind, asynchronous and second-order vulnerabilities, which require data to be sent over out-of-band channels.
This topic explains how to host the Netsparker Hawk infrastructure in your own environment.
For further information, see How Netsparker Hawk Finds Vulnerabilities.
These are the minimum requirements for the machines on which you install Netsparker Hawk:
- Docker must be installed
- SSL certificate ready in .pem format for <DOMAIN_NAME>
- Recommended RAM: 4 GB
- Recommended disk: 100 GB (mostly for logging purposes)
How to Install Netsparker Hawk Internally
- Make sure you have a Static IP address to allocate to the DNS Server, which will be referred to as <STATIC_IP> in these steps.
- Register a short DNS Address, which will be referred to as <DOMAIN_NAME> or example.com in this document.
- Register ns.<DOMAIN_NAME> and ns2.<DOMAIN_NAME> as Name Servers for <DOMAIN_NAME>.
- Point ns.<DOMAIN_NAME> and ns2.<DOMAIN_NAME> to <STATIC_IP>. The Name Server will be hosted inside the Docker Container.
- Please make sure that the following Netsparker Hawk ports are reachable and not used by any other process:
- TCP 80, 53 and 443, from everywhere
- UDP 53, from everywhere
- Download the latest Hawk installation files and copy the extracted contents of the archive to a machine with Docker installed. You can download them from this link: https://s3.amazonaws.com/ns.hawk/latest.7z.
- We recommend that you have SSL support between Netsparker and Netsparker Hawk. If your certificates are in .crt and .key file formats, they should be converted to .pem files (see https://stackoverflow.com/search?q=crt+key+pem).
- Copy your certificate into the cert folder next to the Dockerfile, as /cert/fullchain.pem
- Copy your private key into the cert folder next to the Dockerfile, as /cert/privkey.pem
- If you do not wish to use HTTPS, e.g. for testing purposes, pass the http_only=YES argument to the docker build
- While in the dockme-hawk folder, run the Docker build command. The most recent version of this command is in the Dockerfile itself in the repository; it starts with 'sudo docker build'. Replace the arguments listed in the Dockerfile with your own values where necessary.
- Example: sudo docker build -f Dockerfile -t netsparkerhawk --build-arg static_ip=<STATIC_IP> --build-arg domain_name=<DOMAIN_NAME> .
- While in the dockme-hawk folder, start the Docker container. The most recent version of this command is in the Dockerfile itself in the repository; it starts with 'sudo docker run'. Replace the arguments listed in the Dockerfile with your own values where necessary.
- Example: sudo docker run -it --security-opt=no-new-privileges --restart=always --oom-kill-disable --memory=3g -p 80:80 -p 443:443 -p 53:53/udp netsparkerhawk
- Configure DNS for <DOMAIN_NAME>, as in example.com:
- Define two name servers ns.example.com and ns2.example.com to point to the static IP address of the docker host
- Check that the docker host machine is accessible using these DNS names
- Netsparker Hawk should be able to resolve the following addresses:
- Change Netsparker Hawk URI in the policy to https://example.com or http://example.com if you do not want to use HTTPS.
- Validate DNS Settings and Validate Netsparker Hawk.
- You can now run Netsparker scans using a custom server that uses this policy for Netsparker Hawk verification.
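A pre-flight check for the installation steps above, as an added example that is not part of Netsparker's documentation or the Hawk code: it verifies the cert folder layout next to the Dockerfile, the ns/ns2 delegation to <STATIC_IP>, and that the Hawk ports are free on the Docker host. The domain, static IP and cert directory used in the usage section are assumed placeholders.

```python
"""Pre-flight checks for a self-hosted Hawk container (added example, not Netsparker's code).

1. cert/fullchain.pem and cert/privkey.pem exist and are PEM-encoded
2. ns.<DOMAIN_NAME> and ns2.<DOMAIN_NAME> resolve to <STATIC_IP>
3. TCP 80/443/53 and UDP 53 are not already bound on this host
"""
import socket
from pathlib import Path

# Expected file names in the cert folder and the PEM header each must carry.
PEM_MARKERS = {
    "fullchain.pem": "-----BEGIN CERTIFICATE-----",
    "privkey.pem": "-----BEGIN ",  # RSA, EC and PKCS#8 keys all start this way
}
HAWK_PORTS = ((80, "tcp"), (443, "tcp"), (53, "tcp"), (53, "udp"))


def check_cert_folder(cert_dir):
    """Return a list of problems with the cert folder (empty list means OK)."""
    problems = []
    for name, marker in PEM_MARKERS.items():
        path = Path(cert_dir) / name
        if not path.is_file():
            problems.append(f"missing {path}")
        elif marker not in path.read_text(errors="replace"):
            problems.append(f"{path} is not PEM (convert .crt/.key first)")
    return problems


def check_delegation(domain, static_ip, resolve=socket.gethostbyname):
    """Return the name-server hosts that do not resolve to static_ip."""
    bad = []
    for host in (f"ns.{domain}", f"ns2.{domain}"):
        try:
            addr = resolve(host)
        except OSError:  # socket.gaierror is an OSError subclass
            addr = None
        if addr != static_ip:
            bad.append(host)
    return bad


def check_ports_free(ports=HAWK_PORTS):
    """Return (port, proto) pairs that cannot be bound here (in use, or <1024 without root)."""
    busy = []
    for port, proto in ports:
        kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
        with socket.socket(socket.AF_INET, kind) as s:
            try:
                s.bind(("0.0.0.0", port))
            except OSError:
                busy.append((port, proto))
    return busy


if __name__ == "__main__":  # assumed placeholder values; run as root on the Docker host
    print("cert problems:", check_cert_folder("cert"))
    print("bad delegation:", check_delegation("example.com", "<STATIC_IP>"))
    print("ports in use:", check_ports_free())
```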