Open-sourced last year, Google's Tsunami security scanner has received a significant update extending its detection capabilities and adding support for Web application fingerprinting, among other things.
Google Tsunami is a security scanner that attempts to address the specific challenge that hackers pose to large organizations such as Google itself:
In such hyperscale environments, security vulnerabilities must be detected and, ideally, remediated in a fully automated fashion. To make this possible, information security teams need to be able to roll out detectors for novel security issues at scale in a very short amount of time. Furthermore, it is important that the detection quality is consistently very high.
Tsunami scans systems in two steps. First, it detects any services accessible on open ports using nmap and a fingerprinting-based technique. In a second step, Tsunami uses all available plugins for each identified service to run benign exploits in order to confirm that a vulnerability actually exists.
With its latest update, Tsunami gains 15 new plugins that address actively exploited vulnerabilities. In addition to plugins for services like Jenkins, Jupyter, and Hadoop Yarn, which were already included in the initial release, Tsunami now provides plugins for Kubernetes, PHPUnit Vulnerable eval-stdin.php, Spring Boot Actuator Endpoint, and Elasticsearch. Furthermore, Tsunami includes an entirely new set of plugins addressing remote code execution vulnerabilities. Those include PHP CVE-2012-1823, several Apache Struts command injections, and more.
Another area where Tsunami has gained new capabilities is fingerprinting, which enables identifying the name and version of several popular Web applications. Out of the box, Tsunami now supports GitLab, Drupal, Grafana, Magento, OpenCart, phpMyAdmin, and others.
Tsunami is still in its infancy and Google will continue to work on it to further extend its detection capabilities:
In order to keep Tsunami's detection capabilities up-to-date, we kicked off various projects to research the exploitation of vulnerabilities in the wild. We will soon publish more information about our initiatives in this space.
Tsunami is not the only open-source security scanner available. As a mature alternative, albeit not specifically aimed at large organizations, you can check out OpenVAS, which includes tests for over 50,000 known vulnerabilities.
You can fork Tsunami on GitHub.