Web application scanners are a fairly popular category of software today. Some are paid, some are free. Each has its own set of settings and its own set of vulnerabilities it can detect. Some are limited to those published in the OWASP Top Ten (Open Web Application Security Project); others go much further in their black-box testing.

In this post we collected eight popular scanners, looked at them in more detail and tried them out. Two independent sites on two platforms (.NET and PHP) were chosen as training targets:
premium.bgabank.com and
php.testsparker.com.
OWASP ZAP
As the name suggests, OWASP ZAP is released by the OWASP organization mentioned in the introduction. It is a free tool for penetration testing and for finding vulnerabilities in web applications.
Main features of OWASP ZAP:
- Man-in-the-middle Proxy
- Traditional and AJAX spiders
- Automated scanner
- Passive scanner
- Forced browsing
- Fuzzer
Additional features:
- Dynamic SSL certificates
- Smartcard and Client Digital Certificates support
- Web sockets support
- Support for a wide range of scripting languages
- Plug-n-Hack support
- Authentication and session support
- Powerful REST based API
- Automatic updating option
- Integrated and growing marketplace of add-ons
The program interface is translated into Russian, which will be convenient for some users. The OWASP ZAP workspace is made up of several panes: at the bottom, tabs with the current tasks and their progress; on the left, the site tree; in addition, a request and response window can be shown on the right.

With the help of the marketplace, the scanner's functionality can be extended somewhat.

Each component of the program has many configurable parameters. For example, we can set the input vectors for active scanning, generate dynamic SSL certificates, add HTTP session identifiers, and so on.

Let's move on to the tests. While scanning php.testsparker.com, a Blind SQL Injection was found; that is where the critical vulnerabilities end.
Full OWASP ZAP results on php.testsparker.com:
H: Advanced SQL Injection - AND boolean-based blind - WHERE or HAVING clause
M: X-Frame-Options Header Not Set
L: X-Content-Type-Options Header Missing
L: Web browser xss protection is not enabled
On premium.bgabank.com we see more interesting results: Server Side Include (SSI) and Reflected Cross Site Scripting were found.
Complete OWASP ZAP results on premium.bgabank.com:
H: Server Side Include
H: Reflected Cross Site Scripting
M: X-Frame-Options Header Not Set
M: Application Error Disclosure
M: Directory Browsing
M: Secure Pages Include Mixed Content (Including Scripts)
L: X-Content-Type-Options Header Missing
L: Web browser xss protection is not enabled
L: Cross-Domain JavaScript Source File Inclusion
L: Incomplete or No Cache-control and Pragma HTTP Header Set
L: Cookie No HttpOnly Flag
L: Cookie Without Secure Flag
L: Content-Type Header Missing
L: Private IP Disclosure
I: Image Exposes Location or Privacy Data
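Several of the findings above (X-Frame-Options and X-Content-Type-Options missing, incomplete Cache-Control/Pragma, cookies without HttpOnly or Secure, private IP disclosure, mixed content) are passive checks: they need nothing but the response the server already sent. The script below is an added example written for this article, not code from OWASP ZAP or any other scanner reviewed here. It runs a simplified version of those checks over a constructed sample response and reports them in the H/M/L notation used in the lists above. The finding names, the severities and the anti-caching rule (no-store plus Pragma: no-cache) are assumptions of the example, not the scanners' exact rules.

```python
import re
from dataclasses import dataclass

# Constructed sample response (not captured from any real site), assumed to
# have been served over HTTPS. It reproduces several of the findings above.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; HttpOnly; Secure\r\n"
    "Cache-Control: private\r\n"
    "\r\n"
    "<html><body>debug host 192.168.1.10"
    '<script src="http://cdn.example.test/a.js"></script></body></html>'
)

# RFC 1918 address ranges appearing anywhere in the body.
PRIVATE_IP = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"
)
# Active or embedded content loaded over plain HTTP from an HTTPS page.
MIXED_CONTENT = re.compile(
    r"<(?:script|img|link|iframe|object)\b[^>]*\b(?:src|href)\s*=\s*[\"']http://", re.I
)


@dataclass(frozen=True)
class Finding:
    severity: str  # "H", "M", "L" or "I", as in the result lists in this article
    title: str


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def header_values(headers, name):
    """All values of a (possibly repeated) header, matched case-insensitively."""
    return [v for n, v in headers if n == name.lower()]


def check_cookie(set_cookie, https):
    """Flag a Set-Cookie header that lacks HttpOnly or, on HTTPS, Secure."""
    parts = [p.strip() for p in set_cookie.split(";")]
    cookie_name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    findings = []
    if "httponly" not in attrs:
        findings.append(Finding("L", f"Cookie No HttpOnly Flag ({cookie_name})"))
    if https and "secure" not in attrs:
        findings.append(Finding("L", f"Cookie Without Secure Flag ({cookie_name})"))
    return findings


def passive_checks(raw, https):
    """Run header, cookie and body checks over one response; returns a list of Finding."""
    _, headers, body = parse_response(raw)
    findings = []
    if not header_values(headers, "x-frame-options"):
        findings.append(Finding("M", "X-Frame-Options Header Not Set"))
    if not header_values(headers, "x-content-type-options"):
        findings.append(Finding("L", "X-Content-Type-Options Header Missing"))
    if body and not header_values(headers, "content-type"):
        findings.append(Finding("L", "Content-Type Header Missing"))
    # Simplified anti-caching rule (assumption): require no-store in
    # Cache-Control and Pragma: no-cache for the page to count as protected.
    cache = ", ".join(header_values(headers, "cache-control")).lower()
    pragma = ", ".join(header_values(headers, "pragma")).lower()
    if "no-store" not in cache or "no-cache" not in pragma:
        findings.append(Finding("L", "Incomplete or No Cache-control and Pragma HTTP Header Set"))
    if https and not header_values(headers, "strict-transport-security"):
        findings.append(Finding("M", "Missing Strict-Transport-Security Header"))
    for cookie in header_values(headers, "set-cookie"):
        findings.extend(check_cookie(cookie, https))
    if PRIVATE_IP.search(body):
        findings.append(Finding("L", "Private IP Disclosure"))
    if https and MIXED_CONTENT.search(body):
        findings.append(Finding("M", "Secure Pages Include Mixed Content (Including Scripts)"))
    return findings


def finding_titles(raw, https=True):
    """Convenience wrapper returning only the finding titles."""
    return [f.title for f in passive_checks(raw, https)]


if __name__ == "__main__":
    for f in passive_checks(SAMPLE_RESPONSE, https=True):
        print(f"{f.severity}: {f.title}")
```

The cookie, HSTS and mixed-content checks depend on knowing whether the page was served over HTTPS, which is why `https` is passed in rather than guessed from the headers: on a plain-HTTP page a missing Secure flag is not a finding, and neither is a script loaded over http://.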
All scan results can be exported to a report (*.pdf, *.html, *.xml and *.json are supported). The report describes the vulnerabilities and the vectors found in detail, as well as how to close them.

In general, we liked working with OWASP ZAP. It has all the tools needed for pentesting web applications, a simple and intuitive interface and quick one-click scanning, and at the same time flexible, deep settings for a more detailed scan that can serve as a starting point for a further manual search for vulnerabilities. Below we will talk about the Burp Suite Pro scanner, which has a lot in common with OWASP ZAP. In terms of the quantity and quality of the vulnerabilities found, the first scanner we reviewed showed a very good result.
Recommended for use in everyday work.
W9scan
W9scan is a free console site vulnerability scanner with over 1200 built-in plugins that can detect web page fingerprints and open ports, analyze web site structure, find various popular vulnerabilities, scan for SQL injection, XSS, etc.
A more complete list of W9scan features:
- Fingerprint detection
  - Identifies common website CMS fingerprints (300+)
  - Identifies common website frameworks
  - Identifies common port service fingerprints
  - Detects the website scripting language
  - Detects the operating system type
  - Detects a website firewall (WAF)
- Attack parameters
  - SQL injection (based on the crawler)
  - XSS injection (based on the crawler)
  - A large number of fuzzed parameter scans
- CVE vulnerabilities
  - Struts vulnerability collection (including automatic detection)
  - Shellshock CGI test
  - Heartbleed
  - IIS parsing vulnerability
  - IIS PUT vulnerability
- Brute force
  - Backup files and directories (based on the crawler)
  - Backup files and directories (based on the domain name)
  - Common directories
  - Common files
  - Subdomain brute force
  - fckeditor path enumeration
  - Common mdb database enumeration
  - git/svn leak detection
  - Tomcat web.xml leak
- Information gathering
  - Emails (based on the crawler)
  - Private IPs (based on the crawler)
  - E-mail (based on the crawler)
  - Detecting Warnings, Fatal Errors, ...
  - PHP version identification
  - IIS information disclosure
  - IP address geolocation
  - Integrated Wappalyzer recognition script
  - robots.txt analysis
  - Detecting unsafe HTTP headers
  - Detecting unsafe settings in cookies
W9scan automatically generates HTML scan reports. To start a scan, you only need to specify the site URL and the plugins to use; you can select all of them at once with “all”.

While scanning php.testsparker.com, W9scan found an exposed SVN repository and possible paths for loading payloads. Among the less critical results, it determined the versions of the services in use and possible vectors for XXE and XSS attacks, found server configuration files and ran a subdomain search.
On premium.bgabank.com nothing critical was found, but the scanner identified possible attack vectors and determined service versions, directories and subdomains.
Based on the scan results, W9scan automatically generates a report file in HTML format.

The W9scan scanner is suitable for a quick one-command launch, and we recommend using it as an auxiliary tool for determining service versions and potential attack vectors.
Wapiti
Another good console scanner. Like W9scan, it is ready to run with a single command, while offering more scan settings.

Wapiti searches for the following vulnerabilities:
- File disclosure (Local and remote include / require, fopen, readfile ...)
- Database Injection (PHP / JSP / ASP SQL Injections and XPath Injections)
- XSS (Cross Site Scripting) injection (reflected and permanent)
- Command execution detection (eval(), system(), passthru() ...)
- CRLF Injection (HTTP Response Splitting, session fixation ...)
- XXE (XML External Entity) injection
- SSRF (Server Side Request Forgery)
- Use of known potentially dangerous files
- Weak .htaccess configurations that can be bypassed
- Presence of backup files giving sensitive information
- Shellshock
In addition to all of the above, there is support for proxies (HTTP, HTTPS and SOCKS5), various authentication methods (Basic, Digest, Kerberos, NTLM), SSL certificates, and the ability to add custom HTTP headers or set the User-Agent.
When scanning php.testsparker.com, Blind SQL Injection, Cross Site Scripting and command execution vulnerabilities were found. On premium.bgabank.com Wapiti did not show such outstanding results compared with the other scanners: only Cross Site Scripting was detected.

The scanner also generates a report in HTML format, which contains the categories and number of vulnerabilities found, their description, the requests and curl commands to reproduce them, and tips on how to close the holes found.
As expected, Wapiti does not reach the level of OWASP ZAP, of course. Nevertheless, it worked better than W9scan, although it did not search for directories, subdomains or service versions.
Arachni

A powerful free all-in-one tool for web application security testing and vulnerability search. It has a graphical interface and extensive functionality, which you can read more about on the official website.
Active Testing:
- SQL injection - Error based detection
- Blind SQL injection using differential analysis
- Blind SQL injection using timing attacks
- NoSQL injection - Error based vulnerability detection
- Blind NoSQL injection using differential analysis
Full feature list for active testing:
- CSRF detection
- Code injection
- Blind code injection using timing attacks
- LDAP injection
- Path traversal
- File inclusion
- Response splitting
- OS command injection
- Blind OS command injection using timing attacks
- Remote file inclusion
- Unvalidated redirects
- Unvalidated DOM redirects
- Xpath injection
- Xss
- Path xss
- XSS in event attributes of HTML elements
- XSS in HTML tags
- XSS in script context
- DOM XSS
- DOM XSS script context
- Source code disclosure
- XML External Entity
Passive testing:
- Allowed HTTP methods
- Backup files
- Backup directories
- Common administration interfaces
- Common directories
- Common files
Complete list of passive testing features:
- HTTP PUT
- Insufficient Transport Layer Protection for password forms
- WebDAV detection (webdav).
- HTTP TRACE detection
- Credit Card number disclosure
- CVS / SVN user disclosure
- Private IP address disclosure
- Common backdoors
- .htaccess LIMIT misconfiguration
- Interesting responses
- HTML object grepper
- E-mail address disclosure
- US Social Security Number disclosure
- Forceful directory listing
- Mixed Resource / Scripting
- Insecure cookies
- HttpOnly cookies
- Auto-complete for password form fields.
- Origin Spoof Access Restriction Bypass
- Form-based upload
- localstart.asp
- Cookie set for parent domain
- Missing Strict Transport-Security headers for HTTPS sites
- Missing X-Frame-Options headers
- Insecure CORS policy
- Insecure cross-domain policy
- Insecure cross-domain policy
- Insecure client-access policy
Impressive, isn't it? But that's not all. A number of plugins are also bundled, for example Passive Proxy, Dictionary attacker for HTTP Auth, Cookie collector, WAF Detector, etc.
The scanner has a nice and concise web interface:

And this is what Arachni found on our test sites.
php.testsparker.com:
- Cross-Site Scripting (XSS) in script context
- Blind SQL Injection (differential analysis)
- Code injection
- Code injection (timing attack)
- Operating system command injection (timing attack)
- Operating system command injection
The remaining vulnerabilities on php.testsparker.com:
H: File Inclusion
H: Cross-Site Scripting (XSS) in HTML tag
H: Cross-Site Scripting (XSS)
H: Path Traversal
M: Backup file
M: Common directory
M: HTTP TRACE
L: Missing 'X-Frame-Options' header
L: Password field with auto-complete
L: Insecure client-access policy
L: Insecure cross-domain policy (allow-access-from)
L: Common sensitive file
On premium.bgabank.com, of the critical issues only cross-site request forgery (CSRF) was discovered.
Full Arachni results on premium.bgabank.com:
H: Cross-Site Request Forgery
M: Mixed Resource
M: HTTP TRACE
M: Common directory
M: Missing 'Strict-Transport-Security' header
L: Private IP address disclosure
Separately, we note the reports Arachni produces. Many formats are supported: HTML, XML, text, JSON, Marshal, YAML, AFR.

In general, Arachni leaves only positive impressions. Our opinion: this is the “must-have” in the arsenal of any self-respecting specialist.
Paros
Another web vulnerability scanner with a graphical interface. It is included by default in the Kali Linux distribution and installed there locally. It has a built-in proxy, through which sites are added for analysis, and an embedded web spider capable of analyzing a site and building a map of requests.
To scan a user's personal account, you need to log in in the browser with traffic redirected through the Paros proxy. The scanner will then use the authorized cookies during the scan. The report can be exported to HTML. It is saved to the root/paros/session/LatestScannedReport.htm file and is overwritten later; if you want to keep the result of the previous scan, make a copy of the existing file before starting the next one.
Key features (with an eye on OWASP TOP 10 2017):
- A1: Injection - SQL injection, SQL injection fingerprint (places where SQL injection could potentially be present)
- A6: Security Misconfiguration - directory browsing, IIS default file, Tomcat source file disclosure, IBM WebSphere default files and some other standard or obsolete files containing source code, and more.
- A7: XSS
Additional features:
- Search for enabled autocomplete on password forms. Note that if the input field has the attribute type="password", a false positive results.
- CRLF injection
- Secure page browser cache (caching pages with important information in the browser)
- Ability to scan a user's protected area (personal account)
- Ability to scan web applications on the local network
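To make the autocomplete check concrete, and to show how the false positive mentioned above is avoided, here is an added example written for this article; it is not Paros code and does not reproduce its logic. It parses the forms on a page and flags a password field only when autocomplete is actually enabled on the field or its form. Since the same forms are where Arachni, Tenable.io and Burp Suite later in this article report passwords sent over plain HTTP, it also flags a password form whose action resolves to an http:// URL. The page URL, the sample HTML and the finding names are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page (not taken from any real site), assumed served over HTTPS.
PAGE_URL = "https://www.example.test/login"
SAMPLE_HTML = """
<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
<form action="http://www.example.test/auth" method="post" autocomplete="off">
  <input type="password" name="pin">
</form>
<form action="/search"><input type="text" name="q"></form>
"""


class FormCollector(HTMLParser):
    """Collects each <form> with its attributes and the <input> elements inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases attribute names; valueless attributes arrive as None.
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "form":
            self._current = {"attrs": attrs, "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(attrs)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def autocomplete_enabled(form_attrs, input_attrs):
    """autocomplete on the input overrides the form-level value; browsers default to on."""
    value = input_attrs.get("autocomplete", form_attrs.get("autocomplete", "on"))
    return value.strip().lower() != "off"


def check_password_forms(html, page_url):
    """Return (severity, title, detail) tuples for every form containing a password field."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        password_fields = [
            i for i in form["inputs"] if i.get("type", "text").lower() == "password"
        ]
        if not password_fields:
            continue  # not a password form: neither check applies
        # Resolve the action against the page URL, so a relative action inherits https.
        target = urljoin(page_url, form["attrs"].get("action", ""))
        if urlsplit(target).scheme == "http":
            findings.append(("H", "Cleartext submission of password", target))
        for field in password_fields:
            # Report autocomplete only when it is actually enabled, so a
            # type="password" field with autocomplete="off" is not a false positive.
            if autocomplete_enabled(form["attrs"], field):
                findings.append(
                    ("L", "Password field with autocomplete enabled", field.get("name", ""))
                )
    return findings


if __name__ == "__main__":
    for severity, title, detail in check_password_forms(SAMPLE_HTML, PAGE_URL):
        print(f"{severity}: {title} [{detail}]")
```

Note that the check only inspects the markup: a form whose action is rewritten by JavaScript, or a field whose autocomplete attribute is set at runtime, will not be seen, which is one reason such passive findings still need manual confirmation.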

The final report for each type of vulnerabilities has more detailed information and some recommendations on how to fix it.

In our testing, Paros showed rather weak results. On php.testsparker.com the following were found:
H: SQL injection
M: XSS
M: Legacy source files
M: Autocomplete used in forms with important information (passwords, etc.)
L: Internal IP disclosure
On premium.bgabank.com even less:
M: Directory browsing
M: Autocomplete used in forms with important information (passwords, etc.)
As a result, although the Paros scanner is simple and easy to use, its weak scan results force us to abandon it.
Tenable.io
A paid multifunctional cloud scanner that can find a large number of web vulnerabilities and covers OWASP TOP 10 2017 almost completely.
The service has a built-in web spider. If you specify authorization data in the scan settings (the authorization request, login and password, or authorized cookies), the scanner will also check the personal account (authorized user zone).
In addition to scanning web applications, Tenable.io can scan the network, both for known vulnerabilities and to discover hosts. Agents can be connected to scan the internal network. The report can be exported to various formats: *.nessus, *.csv, *.db, *.pdf.
In the screenshot all domains are test domains.
Additional scan profiles, which this article does not cover.
After scanning, statistics and a prioritization of the found vulnerabilities become available: critical, high, medium, low, information.

The vulnerability card provides additional information about it and some recommendations for fixing it.
We scan php.testsparker.com. High priority vulnerabilities:
H: Component vulnerabilities
- PHP version out of support
- Apache version out of support
H: Code injection
H: SQL injection
H: XSS
H: LFI
H: Path traversal
Middle and low vulnerabilities:
M: Disclosure of valuable data - full path backups
M: Internal IP disclosure
M: Cookie without HttpOnly flag
M: Sending a password via HTTP
L: Autocomplete used in forms with important information
L: Server responds to TRACE requests
L: Cache-Control, X-Content-Type-Options, X-Frame-Options, X-XSS-Protection headers not set
Now premium.bgabank.com. High priority vulnerabilities:
H: Component Vulnerabilities
- out of support php version
- Apache vulnerabilities
- Bootstrap vulnerabilities
- jQuery vulnerabilities
Middle and low vulnerabilities:
M: Web server phpinfo()
M: Both HTTP and HTTPS available
M: No redirection from HTTP to HTTPS
M: Directory browsing
M: Backup files found
M: Use of an insecure SSL protocol version
M: SSL/TLS certificate expiration
L: Internal IP disclosure
L: Cookie without HttpOnly flag
L: Server responds to TRACE requests
L: Strict-Transport-Security, Cache-Control, X-Content-Type-Options, X-Frame-Options, X-XSS-Protection headers not set
Tenable.io proved to be good and found many vulnerabilities. Working with it is made easier by the user-friendly graphical interface and data presentation. Another plus is the additional scanning profiles, which we decided not to dig into yet. An important feature is the cloud architecture of the service: on the one hand, it does not use the local computing resources of the workstation; on the other hand, it cannot scan web applications on the local network.
Burp Suite Pro
Burp Suite is a complete solution for web application testing. It includes a variety of utilities that improve and speed up the search for vulnerabilities in web applications.
The Burp Suite includes the following utilities:
- Proxy is a proxy server that intercepts HTTP(S) traffic in man-in-the-middle mode. Sitting between the browser and the target web application, it allows you to intercept, examine and modify traffic going in both directions.
- Spider is a web spider that automatically collects information about the content and functionality of the application (web resource).
- Scanner (only in Burp Suite Pro) is a scanner that automatically searches for vulnerabilities in web applications.
- Intruder is a flexible utility that allows you to automatically perform attacks of various types, for example enumeration of identifiers, harvesting of important information, and so on.
- Repeater is a tool for manually changing and re-sending individual HTTP requests, as well as for analyzing application responses.
- Sequencer is a utility for analyzing the randomness of application data and whether the algorithm generating them can be predicted.
- Decoder is a utility for manual or automatic encoding and decoding of application data.
- Comparer is a tool for finding visual differences between two versions of data.
- Extender is a tool for adding extensions to Burp Suite.
The Scanner utility lives on the tab of the same name in the Burp Suite main window. The interface is in English, but who is scared by that nowadays?

The Issue Definition tab provides a complete list of all the vulnerabilities that this scanner can detect. It should be noted that the list is very impressive.

All vulnerabilities are divided into three categories: high, medium, low. There is also an information category, which covers the mechanisms for collecting various useful information about the scanned resource.
When we run the scan, we can monitor its progress by stage in the Scan queue window. “Colour differentiation of pants” is present.

The Options tab contains the basic scan settings.

For convenience, the options are divided into categories. If necessary, you can get help for each category right from the settings window.

In general, Burp Suite Pro showed a good result. When scanning php.testsparker.com, enough vulnerabilities were found and classified to gain complete control over the web application and its data: OS command injection, SSTI and file path traversal among them.
Full Burp Suite Pro results on php.testsparker.com:
H: OS command injection
H: File path traversal
H: Out-of-band resource load (HTTP)
H: Server-side template injection
H: Cross-site scripting (reflected)
H: Flash cross-domain policy
H: Silverlight cross-domain policy
H: Cleartext submission of password
H: External service interaction (DNS)
H: External service interaction (HTTP)
M: SSL certificate (not trusted or expired)
L: Password field with autocomplete enabled
L: Form action hijacking (reflected)
L: Unencrypted communications
L: Strict transport security not enforced
On premium.bgabank.com it found:
H: Cross-site scripting (reflected)
M: SSL cookie without secure flag set
M: SSL certificate (not trusted or expired)
L: Cookie without HttpOnly flag set
L: Password field with autocomplete enabled
L: Strict transport security not enforced
If you often use Burp Suite for web pentests, like its ecosystem, but would like to automate the search for vulnerabilities somehow, this utility will fit perfectly into your arsenal.
Acunetix
In conclusion, another very good commercial scanner. It is very actively promoted through advertising, but Acunetix would not succeed without its extensive functionality. Among the vulnerabilities it can detect are all types of SQL injection, cross-site scripting, CRLF injection and the other pleasures of a web application pentester. Note that the correct profile must be selected for a high-quality scan.
The dashboard interface is nice:

All identified vulnerabilities traditionally fall into four categories: High, Medium, Low and, inevitably, Information, which collects all the data the scanner considers interesting.

On the Scans tab, we can observe scanning progress and other diagnostic information.

After the scan is completed, on the Vulnerabilities tab we can see what was found and how much. Colour differentiation is in place.
In the test on php.testsparker.com the scanner showed a good result, but on premium.bgabank.com it frankly let us down.
Full Acunetix results
php.testsparker.com:
H: Apache 2.2.14 mod_isapi Dangling Pointer
H: Blind SQL Injection
H: Cross site scripting
H: Cross site scripting (verified)
H: Directory traversal
H: File inclusion
H: PHP code injection
H: Server-side template injection
H: SVN repository found
H: User controllable script source
M: Access database found
M: Apache 2.x version older than 2.2.9
M: Apache httpd remote denial of service
M: Apache httpOnly cookie disclosure
M: Application error message
M: Backup files
M: Directory listing
M: HTML form without CSRF protection
M: Insecure clientaccesspolicy.xml file
M: Partial user controllable script source
M: PHP hangs on parsing number
M: PHP preg_replace used on user input
M: Source code disclosure
M: User credentials are sent in clear text
L: Apache 2.x version older than 2.2.10
L: Apache mod_negotiation filename bruteforcing
L: Clickjacking: X-Frame-Options header missing
L: Login page password-guessing attack
L: Possible relative path overwrite
L: Possible sensitive directories
L: Possible sensitive files
L: TRACE method is enabled
premium.bgabank.com:
L: Clickjacking: X-Frame-Options header missing
Acunetix has great features and is suitable if you are looking for a stand-alone solution. The web interface is simple and straightforward, and the infographics and reports look quite digestible. There may be misfires when scanning, but, as Tony Stark said: “This happens to men. Infrequently. One time out of five.”
Grand total
And now the findings for all tested scanners.
- We liked OWASP ZAP. Recommended for use.
- We recommend W9scan as an auxiliary tool for determining service versions as well as potential attack vectors.
- Wapiti does not reach the level of OWASP ZAP, but it worked better than W9scan.
- Arachni is simply a “must-have”.
- Paros scans poorly and we do not recommend it.
- Tenable.io is good and finds a lot of vulnerabilities, but keep in mind that it is cloud-based.
- Burp Suite Pro we advise to those who like the Burp Suite ecosystem but lack automation.
- Acunetix is suitable for those looking for a scanner as a stand-alone application.