CLI Cheat Sheet [old]

View help:

# root command
nightvision --help
# subcommand
nightvision scan --help

This will

Log in with the CLI:

nightvision login

This can be helpful if you are trying to print a token that you can put in GitHub Actions, for example.

nightvision token create

This can be helpful if you want to create a new project instead of the default project created by NightVision, for example.

nightvision project create project-name

This can be helpful if you want to set a project as your default project in the CLI so that you don’t have to pass the “-p” flag with the other commands.

nightvision project set project-name

Note: After setting a project as default, all apps, targets, and auths will be created under it. To reference a different project, add the “-p project-name” or “-P project-id” flag to the relevant commands.

This can be helpful if you want to create a new application instead of the default application created by NightVision, for example.

nightvision app create $APP

nightvision app create testphp
nightvision target create testphp http://testphp.vulnweb.com
nightvision scan testphp -t testphp

### Using an extracted Swagger spec
git clone https://github.com/vulnerable-apps/javaspringvulny.git
cd javaspringvulny
# create app and target
URL="https://localhost:9000"
# In this example we will reuse the same name. You may use different names on your own objects.
APP="javaspringvulny-api"
TARGET="javaspringvulny-api"
nightvision app create $APP
nightvision target create $TARGET $URL --type api
# Extract the docs
nightvision swagger extract ./ -t $TARGET --lang spring
# Run the scan. It will automatically select the Swagger spec
nightvision scan $TARGET -a $APP

nightvision token list
# List Issues
nightvision scan issues -s scan-id

# Clone an example app
git clone https://github.com/vulnerable-apps/javaspringvulny.git
# create app and target
URL="https://localhost:9000"
APP="javaspringvulny-web"
TARGET="javaspringvulny-web"
# We will create the target and auth with the same name. You can provide different names.
nightvision app create $APP
nightvision target create $TARGET $URL --type api
# Extract the docs
nightvision swagger extract ./ -t ${TARGET} --lang spring
# Compare paths between two OpenAPI spec files: new and old
nightvision swagger diff ./openapi-old.yaml ./generated-new.yaml

URL="https://localhost:9000"
APP="javaspringvulny-web"
# We will create the target and auth with the same name. You can provide different names.
nightvision app create $APP
nightvision target create $APP $URL
nightvision auth playwright create $URL -n $APP
# Single Cookie
nightvision auth cookies create --name myapp-auth -H "Cookie: Authorization=jwtvalue"
# Multiple Cookies
nightvision auth cookies create --name myapp-auth2 -H "Cookie: Authorization=jwtvalue" -H "X-Header: value"
# Single Header
nightvision auth header create --name myapp-auth -H "Authorization:Bearer TOKEN"
# Multiple Headers
nightvision auth header create --name myapp-auth2 -H "Authorization:jwtvalue" -H "Key:value"

The NightVision CLI interacts with our Telemetry service to report metrics such as CLI version, languages analyzed, scan IDs, and crash logs. This helps our team prioritize bug fixes and make feature and roadmap decisions. Additionally, if you reach out to our team for support, you can just provide a UUID printed with the crash logs, and our team will be better equipped to assist you with your problem.

If you want to disable this behavior, you can set this environment variable.

export NIGHTVISION_DISABLE_TELEMETRY=1