10-08-2009, 07:25 PM
Hi SF,
You got a website and want to protect it? Check this thread out!
Sources: Here and Here
---------------------------------------------------------------------
Simple test you can do on your own to check for Website flaws:
SQL injection: To test for SQL injection bugs, peruse the application and find places where users can enter text, such as where the text is used to perform a lookup function. Then type a single quote character and some text: If the application shows an error message from your database, then you're likely housing an SQL injection bug.
Cross-site scripting (XSS): Find areas in your application that accept user input, such as a page where users can send in their feedback or reviews of a product, for example. Try submitting this text -- a less-than sign, the word "script," and then the greater-than sign (with no spaces in between): < script >
If that text displays where you reload the page, then your site has an XSS vulnerability, according to Breach.
Session hijacking: If your application has a session identifier number in the URL decrease that number by one and reload the page. The app has a session hijacking vulnerability if the app then "sees" you as a different user. And if you don't have a session identifier in the URL, load a plug-in onto your browser that lets you view and modify cookies, according to Breach, which sells Web application firewalls. Look in the cookie for session identifiers and perform the same test.
Top 10 Web Vulnerability Scanners
#1
Nikto : A more comprehensive web scanner
Nikto is an open source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3200 potentially dangerous files/CGIs, versions on over 625 servers, and version specific problems on over 230 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired). It uses Whisker/libwhisker for much of its underlying functionality. It is a great tool, but the value is limited by its infrequent updates. The newest and most critical vulnerabilities are often not detected.
Work with Linux, Windows, Apple Mac OS X and OpenBSD, FreeBSD, Solaris, and/or other UNIX variants.
Features a command-line interface.
Source code available for inspection.
#2
Paros Proxy : A web application vulnerability assessment proxy
A Java based web proxy for assessing web application vulnerability. It supports editing/viewing HTTP/HTTPS messages on-the-fly to change items such as cookies and form fields. It includes a web traffic recorder, web spider, hash calculator, and a scanner for testing common web application attacks such as SQL injection and cross-site scripting.
Work with Linux, Windows, Apple Mac OS X and OpenBSD, FreeBSD, Solaris, and/or other UNIX variants.
Features a command-line interface.
Source code available for inspection.
Offers a GUI (point and click) interface.
#3
WebScarab : A framework for analyzing applications that communicate using the HTTP and HTTPS protocols
In its simplest form, WebScarab records the conversations (requests and responses) that it observes, and allows the operator to review them in various ways. WebScarab is designed to be a tool for anyone who needs to expose the workings of an HTTP(S) based application, whether to allow the developer to debug otherwise difficult problems, or to allow a security specialist to identify vulnerabilities in the way that the application has been designed or implemented.
Work with Linux, Windows, Apple Mac OS X and OpenBSD, FreeBSD, Solaris, and/or other UNIX variants.
Source code available for inspection.
Offers a GUI (point and click) interface.
#4
WebInspect Free 15 day trial : A Powerful Web Application Scanner
SPI Dynamics' WebInspect application security assessment tool helps identify known and unknown vulnerabilities within the Web application layer. WebInspect can also help check that a Web server is configured properly, and attempts common web attacks such as parameter injection, cross-site scripting, directory traversal, and more.
Generally costs money. A free limited/demo/trial version may be available.
Work on Microsoft Windows.
Offers a GUI (point and click) interface.
#5
Whisker/libwhisker : Rain.Forest.Puppy's CGI vulnerability scanner and library
Libwhisker is a Perl module geared geared towards HTTP testing. It provides functions for testing HTTP servers for many known security holes, particularly the presence of dangerous CGIs. Whisker is a scanner that used libwhisker but is now deprecated in favor of Nikto which also uses libwhisker.
Work with Linux, Windows, Apple Mac OS X and OpenBSD, FreeBSD, Solaris, and/or other UNIX variants.
Source code available for inspection.
Offers a GUI (point and click) interface.
#6
Burpsuite : An integrated platform for attacking web applications
Burp suite allows an attacker to combine manual and automated techniques to enumerate, analyze, attack and exploit web applications. The various burp tools work together effectively to share information and allow findings identified within one tool to form the basis of an attack using another.
Work on Linux, Microsoft Windows and Apple Mac Os X.
Offers a GUI (point and click) interface.
#7
Wikto : Web Server Assessment Tool
Wikto is a tool that checks for flaws in webservers. It provides much the same functionality as Nikto but adds various interesting pieces of functionality, such as a Back-End miner and close Google integration. Wikto is written for the MS .NET environment and registration is required to download the binary and/or source code.
Work on Microsoft Windows only.
Source code available for inspection.
Offers a GUI (point and click) interface.
#8
Acunetix WVS : Commercial Web Vulnerability Scanner
Acunetix WVS automatically checks web applications for vulnerabilities such as SQL Injections, cross site scripting, arbitrary file creation/deletion, weak password strength on authentication pages. AcuSensor technology detects vulnerabilities which typical black box scanners miss. Acunetix WVS boasts a comfortable GUI, an ability to create professional security audit and compliance reports, and tools for advanced manual webapp testing.
Generally costs money. A free limited/demo/trial version may be available.
Work on Microsoft Windows only.
Features a command-line interface.
Offers a GUI (point and click) interface.
#9
Rational AppScan Free Trial : Commercial Web Vulnerability Scanner
AppScan provides security testing throughout the application development lifecycle, easing unit testing and security assurance early in the development phase. Appscan scans for many common vulnerabilities, such as cross site scripting, HTTP response splitting, parameter tampering, hidden field manipulation, backdoors/debug options, buffer overflows and more. Appscan was merged into IBM's Rational division after IBM purchased it's original developer (Watchfire) in 2007.
Generally costs money. A free limited/demo/trial version may be available.
Work on Microsoft Windows only.
Offers a GUI (point and click) interface.
#10
N-Stealth Free Trial: Web server scanner
N-Stealth is a commercial web server security scanner. It is generally updated more frequently than free web scanners such as Whisker/libwhisker and Nikto, but do take their web site with a grain of salt. The claims of "30,000 vulnerabilities and exploits" and "Dozens of vulnerability checks are added every day" are highly questionable. Also note that essentially all general VA tools such as Nessus, ISS Internet Scanner, Retina, SAINT, and Sara include web scanning components. They may not all be as up-to-date or flexible though. N-Stealth is Windows only and no source code is provided.
Generally costs money. A free limited/demo/trial version may be available.
Work on Microsoft Windows only.
Offers a GUI (point and click) interface.
------------------------------------------------------------
Hope I helped, I will update to make it more complete with other articles that I will find.
Sincerly,
So.Liberty
You got a website and want to protect it? Check this thread out!
Sources: Here and Here
---------------------------------------------------------------------
Simple test you can do on your own to check for Website flaws:
SQL injection: To test for SQL injection bugs, peruse the application and find places where users can enter text, such as where the text is used to perform a lookup function. Then type a single quote character and some text: If the application shows an error message from your database, then you're likely housing an SQL injection bug.
Cross-site scripting (XSS): Find areas in your application that accept user input, such as a page where users can send in their feedback or reviews of a product, for example. Try submitting this text -- a less-than sign, the word "script," and then the greater-than sign (with no spaces in between): < script >
If that text displays where you reload the page, then your site has an XSS vulnerability, according to Breach.
Session hijacking: If your application has a session identifier number in the URL decrease that number by one and reload the page. The app has a session hijacking vulnerability if the app then "sees" you as a different user. And if you don't have a session identifier in the URL, load a plug-in onto your browser that lets you view and modify cookies, according to Breach, which sells Web application firewalls. Look in the cookie for session identifiers and perform the same test.
Top 10 Web Vulnerability Scanners
#1
Nikto : A more comprehensive web scanner
Nikto is an open source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3200 potentially dangerous files/CGIs, versions on over 625 servers, and version specific problems on over 230 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired). It uses Whisker/libwhisker for much of its underlying functionality. It is a great tool, but the value is limited by its infrequent updates. The newest and most critical vulnerabilities are often not detected.
Work with Linux, Windows, Apple Mac OS X and OpenBSD, FreeBSD, Solaris, and/or other UNIX variants.
Features a command-line interface.
Source code available for inspection.
#2
Paros Proxy : A web application vulnerability assessment proxy
A Java based web proxy for assessing web application vulnerability. It supports editing/viewing HTTP/HTTPS messages on-the-fly to change items such as cookies and form fields. It includes a web traffic recorder, web spider, hash calculator, and a scanner for testing common web application attacks such as SQL injection and cross-site scripting.
Work with Linux, Windows, Apple Mac OS X and OpenBSD, FreeBSD, Solaris, and/or other UNIX variants.
Features a command-line interface.
Source code available for inspection.
Offers a GUI (point and click) interface.
#3
WebScarab : A framework for analyzing applications that communicate using the HTTP and HTTPS protocols
In its simplest form, WebScarab records the conversations (requests and responses) that it observes, and allows the operator to review them in various ways. WebScarab is designed to be a tool for anyone who needs to expose the workings of an HTTP(S) based application, whether to allow the developer to debug otherwise difficult problems, or to allow a security specialist to identify vulnerabilities in the way that the application has been designed or implemented.
Work with Linux, Windows, Apple Mac OS X and OpenBSD, FreeBSD, Solaris, and/or other UNIX variants.
Source code available for inspection.
Offers a GUI (point and click) interface.
#4
WebInspect Free 15 day trial : A Powerful Web Application Scanner
SPI Dynamics' WebInspect application security assessment tool helps identify known and unknown vulnerabilities within the Web application layer. WebInspect can also help check that a Web server is configured properly, and attempts common web attacks such as parameter injection, cross-site scripting, directory traversal, and more.
Generally costs money. A free limited/demo/trial version may be available.
Work on Microsoft Windows.
Offers a GUI (point and click) interface.
#5
Whisker/libwhisker : Rain.Forest.Puppy's CGI vulnerability scanner and library
Libwhisker is a Perl module geared geared towards HTTP testing. It provides functions for testing HTTP servers for many known security holes, particularly the presence of dangerous CGIs. Whisker is a scanner that used libwhisker but is now deprecated in favor of Nikto which also uses libwhisker.
Work with Linux, Windows, Apple Mac OS X and OpenBSD, FreeBSD, Solaris, and/or other UNIX variants.
Source code available for inspection.
Offers a GUI (point and click) interface.
#6
Burpsuite : An integrated platform for attacking web applications
Burp suite allows an attacker to combine manual and automated techniques to enumerate, analyze, attack and exploit web applications. The various burp tools work together effectively to share information and allow findings identified within one tool to form the basis of an attack using another.
Work on Linux, Microsoft Windows and Apple Mac Os X.
Offers a GUI (point and click) interface.
#7
Wikto : Web Server Assessment Tool
Wikto is a tool that checks for flaws in webservers. It provides much the same functionality as Nikto but adds various interesting pieces of functionality, such as a Back-End miner and close Google integration. Wikto is written for the MS .NET environment and registration is required to download the binary and/or source code.
Work on Microsoft Windows only.
Source code available for inspection.
Offers a GUI (point and click) interface.
#8
Acunetix WVS : Commercial Web Vulnerability Scanner
Acunetix WVS automatically checks web applications for vulnerabilities such as SQL Injections, cross site scripting, arbitrary file creation/deletion, weak password strength on authentication pages. AcuSensor technology detects vulnerabilities which typical black box scanners miss. Acunetix WVS boasts a comfortable GUI, an ability to create professional security audit and compliance reports, and tools for advanced manual webapp testing.
Generally costs money. A free limited/demo/trial version may be available.
Work on Microsoft Windows only.
Features a command-line interface.
Offers a GUI (point and click) interface.
#9
Rational AppScan Free Trial : Commercial Web Vulnerability Scanner
AppScan provides security testing throughout the application development lifecycle, easing unit testing and security assurance early in the development phase. Appscan scans for many common vulnerabilities, such as cross site scripting, HTTP response splitting, parameter tampering, hidden field manipulation, backdoors/debug options, buffer overflows and more. Appscan was merged into IBM's Rational division after IBM purchased it's original developer (Watchfire) in 2007.
Generally costs money. A free limited/demo/trial version may be available.
Work on Microsoft Windows only.
Offers a GUI (point and click) interface.
#10
N-Stealth Free Trial: Web server scanner
N-Stealth is a commercial web server security scanner. It is generally updated more frequently than free web scanners such as Whisker/libwhisker and Nikto, but do take their web site with a grain of salt. The claims of "30,000 vulnerabilities and exploits" and "Dozens of vulnerability checks are added every day" are highly questionable. Also note that essentially all general VA tools such as Nessus, ISS Internet Scanner, Retina, SAINT, and Sara include web scanning components. They may not all be as up-to-date or flexible though. N-Stealth is Windows only and no source code is provided.
Generally costs money. A free limited/demo/trial version may be available.
Work on Microsoft Windows only.
Offers a GUI (point and click) interface.
------------------------------------------------------------
Hope I helped, I will update to make it more complete with other articles that I will find.
Sincerly,
So.Liberty
![[Image: f_pgfbb4em_bde9974.png]](http://img02.imagefra.me/img/img02/2/10/9/f_pgfbb4em_bde9974.png)