Introduction to openrisk
openrisk is an experimental tool developed by the ProjectDiscovery Research Team. It reads the output of a Nuclei scan (text, markdown, or JSON format) and, using OpenAI's GPT-3 model, produces a risk score for the scanned host. It is designed to analyze a single target at a time.
Background
openrisk is an experiment in using a language model to turn raw scanner output into a risk assessment. Because it is experimental, it does not necessarily follow the same coding standards and testing rigor as ProjectDiscovery's established projects. The team welcomes suggestions, bug reports, and ideas for integrating openrisk with other tools to improve its usefulness and reliability.
Installation
To get started with openrisk, users will need Go programming language version 1.20 or newer. The installation process is straightforward and can be accomplished with a single command:
go install -v github.com/projectdiscovery/openrisk@latest
Once installed, users can run openrisk to assess and generate risk scores using the outputs from Nuclei scans.
How to Use openrisk
Running openrisk is simple. Upon installation, users can execute the tool using command-line instructions. The basic usage is as follows:
openrisk -h
This prints the available options and flags. One hard requirement is an OpenAI API key, which openrisk uses to send the scan results to the GPT-3 model for scoring. Note that this means the contents of the scan file, including hostnames and finding details, leave your environment and are processed by a third-party API; do not feed it output from engagements where that is not permitted.
Generating a Risk Score
To generate a risk score, users should set their OpenAI API key in the environment:
export OPENAI_API_KEY=<YOUR_OPENAI_API_KEY>
Following this step, users can execute a command to analyze results, such as:
openrisk -f nuclei_scan_result.txt
This tells openrisk to read the specified Nuclei scan result file and generate a risk score from the findings it contains.
Example Usage
An example of running openrisk might look like this in the console:
openrisk -f nuclei_results.txt
[openrisk ASCII banner] Powered by OpenAI (GPT-3) v0.0.1 (experimental) projectdiscovery.io
[RISK SCORE] The 10-scale risk score for the Nuclei scan results is 10. There are multiple high-severity vulnerabilities related to Pantheon, AWS, and Netlify takeovers.
Here openrisk reports a single score on a 1 to 10 scale together with a short justification naming the findings that drove it; in this run, the high-severity Pantheon, AWS, and Netlify takeover findings pushed the score to 10. Because the score comes from a language model rather than a fixed formula, repeated runs on the same file can produce different scores or wording, so treat it as a triage aid and check it against the underlying Nuclei findings.
Integrating openrisk as a Library
For developers looking to extend openrisk's functionality, it can also be used as a Go library. The Options struct carries the OpenAI API key and the path to a Nuclei scan result file; the OpenRisk and IssueProcessor types then generate the risk score, as demonstrated in the examples provided within the openrisk repository.
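The following Go program is an added example, not code from the openrisk repository, illustrating both the "Generating a Risk Score" procedure and the library usage described above. It parses Nuclei JSON (one result per line) into the fields a scorer needs, counts findings by severity, computes a deterministic 1 to 10 baseline score, and builds the text that would be sent to a model. The baseline weights, the prompt wording, the sample findings, and the function names are assumptions for this example; openrisk's own prompt and scoring logic are not shown on this page. The baseline is useful as a sanity check on the model's score, and BuildPrompt makes visible exactly what data leaves your environment.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// nucleiResult holds the fields of a Nuclei JSON result line that matter for
// scoring. The JSON keys match Nuclei's JSON export format.
type nucleiResult struct {
	TemplateID string `json:"template-id"`
	Host       string `json:"host"`
	MatchedAt  string `json:"matched-at"`
	Info       struct {
		Name     string `json:"name"`
		Severity string `json:"severity"`
	} `json:"info"`
}

// severityWeight maps Nuclei severities to a weight for the baseline score.
// These weights are an assumption for this example, not openrisk's own scale.
var severityWeight = map[string]int{
	"critical": 10, "high": 8, "medium": 5, "low": 2, "info": 0, "unknown": 0,
}

// sampleScan is a constructed Nuclei JSONL output with three findings; it is
// not real scan data.
const sampleScan = `{"template-id":"aws-bucket-takeover","info":{"name":"AWS Bucket Takeover","severity":"high"},"host":"assets.example.test","matched-at":"https://assets.example.test"}
{"template-id":"tech-detect","info":{"name":"Technology Detection","severity":"info"},"host":"www.example.test","matched-at":"https://www.example.test"}
{"template-id":"netlify-takeover","info":{"name":"Netlify Subdomain Takeover","severity":"high"},"host":"blog.example.test","matched-at":"https://blog.example.test"}
`

// ParseNucleiJSONL parses one Nuclei result per line. Blank lines and lines
// that are not JSON objects (for example stats lines) are skipped; a line that
// looks like JSON but does not parse is reported as an error.
func ParseNucleiJSONL(data string) ([]nucleiResult, error) {
	var results []nucleiResult
	sc := bufio.NewScanner(strings.NewReader(data))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || !strings.HasPrefix(line, "{") {
			continue
		}
		var r nucleiResult
		if err := json.Unmarshal([]byte(line), &r); err != nil {
			return nil, fmt.Errorf("bad result line %q: %w", line, err)
		}
		r.Info.Severity = strings.ToLower(r.Info.Severity)
		results = append(results, r)
	}
	return results, sc.Err()
}

// CountBySeverity returns the number of findings per severity.
func CountBySeverity(results []nucleiResult) map[string]int {
	counts := map[string]int{}
	for _, r := range results {
		counts[r.Info.Severity]++
	}
	return counts
}

// BaselineScore computes a deterministic 1 to 10 score: the highest severity
// weight present, plus one for each additional high-or-worse finding, capped
// at 10. A scan with no findings scores 1.
func BaselineScore(results []nucleiResult) int {
	maxW, serious := 0, 0
	for _, r := range results {
		w := severityWeight[r.Info.Severity]
		if w > maxW {
			maxW = w
		}
		if w >= severityWeight["high"] {
			serious++
		}
	}
	score := maxW
	if serious > 1 {
		score += serious - 1
	}
	if score > 10 {
		score = 10
	}
	if score < 1 {
		score = 1
	}
	return score
}

// BuildPrompt renders the findings into the text a model would be asked to
// score. Hostnames and finding names go in verbatim: this is what would be
// transmitted to a hosted API. The wording is an assumption for this example.
func BuildPrompt(results []nucleiResult) string {
	var b strings.Builder
	b.WriteString("Rate the overall risk of these Nuclei findings from 1 to 10 and explain why.\n")
	for _, r := range results {
		fmt.Fprintf(&b, "- [%s] %s (%s) at %s\n", r.Info.Severity, r.Info.Name, r.TemplateID, r.MatchedAt)
	}
	return b.String()
}

func main() {
	results, err := ParseNucleiJSONL(sampleScan)
	if err != nil {
		panic(err)
	}
	counts := CountBySeverity(results)
	keys := make([]string, 0, len(counts))
	for k := range counts {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		fmt.Printf("%s: %d\n", k, counts[k])
	}
	fmt.Printf("baseline score: %d\n", BaselineScore(results))
	fmt.Print(BuildPrompt(results))
}
```

On the sample data the baseline is 9 (two high-severity findings). If the model returns something far from the baseline, that is a cue to read the findings rather than trust either number.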
In summary, openrisk combines Nuclei scan output with a language model to automate a first-pass risk assessment. It is still experimental, so treat its score as a triage aid to be checked against the underlying findings rather than as a reproducible metric.