Web Hacking → Web app security tools…
Introduction
This section is going to be a live article about the current web app security testing tools:
Web scanners:
WebInspect : A Powerful Web Application Scanner SPI Dynamics’ WebInspect application security assessment tool helps identify known and unknown vulnerabilities within the Web application layer. WebInspect can also help check that a Web server is configured properly, and attempts common web attacks such as parameter injection, cross-site scripting, directory traversal, and more.[1]
NTOSpider is the first next-generation web application vulnerability scanner, providing automated vulnerability assessment with unprecedented accuracy and comprehensiveness. Able to quickly scan and analyze large complex web sites/applications, NTOSpider identifies application vulnerabilities as well as site exposure risk, ranks threat priority, produces highly graphical, intuitive HTML reports, and indicates site security posture by vulnerabilities and threat exposure.[24]
Acunetix Web Vulnerability Scanner : Commercial Web Vulnerability Scanner Acunetix WVS automatically checks your web applications for vulnerabilities such as SQL Injection, cross site scripting, and weak password strength on authentication pages. Acunetix WVS boasts a comfortable GUI and an ability to create professional website security audit reports.[1]
Nikto : A more comprehensive web scanner Nikto is an open source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3200 potentially dangerous files/CGIs, versions on over 625 servers, and version specific problems on over 230 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired). It uses Whisker/libwhisker for much of its underlying functionality. It is a great tool, but the value is limited by its infrequent updates. The newest and most critical vulnerabilities are often not detected.[1]
Whisker/libwhisker : Rain.Forest.Puppy’s CGI vulnerability scanner and library Libwhisker is a Perl module geared towards HTTP testing. It provides functions for testing HTTP servers for many known security holes, particularly the presence of dangerous CGIs. Whisker is a scanner that used libwhisker but is now deprecated in favor of Nikto, which also uses libwhisker.[1]
Wikto : Web Server Assessment Tool Wikto is a tool that checks for flaws in webservers. It provides much the same functionality as Nikto but adds various interesting pieces of functionality, such as a Back-End miner and close Google integration. Wikto is written for the MS .NET environment and registration is required to download the binary and/or source code.[1]
N-Stealth : Web server scanner N-Stealth is a commercial web server security scanner. It is generally updated more frequently than free web scanners such as Whisker/libwhisker and Nikto, but do take their web site with a grain of salt. The claims of “30,000 vulnerabilities and exploits” and “Dozens of vulnerability checks are added every day” are highly questionable. Also note that essentially all general VA tools such as Nessus, ISS Internet Scanner, Retina, SAINT, and Sara include web scanning components. They may not all be as up-to-date or flexible though. N-Stealth is Windows only and no source code is provided.[1]
ScanDo: The ScanDo Web application scanner allows the enterprise to conduct ongoing risk assessments to identify the vulnerability of Web applications to hostile attack. It identifies security weaknesses in the Web application environment and helps eliminate them before they are exploited by hackers and thieves. It scans Web application technologies, including Flash, JavaScript, ASP, XML and Web Services. ScanDo offers control of both automated and manual scanning as well as the ability to replay discovered vulnerabilities to conduct in-depth analysis.
It supports a database for all scanning results with Web reporting for centralized management, and it provides privacy through detection of Social Security and credit card numbers. ScanDo offers a three-stage process for application risk assessment. First, it explores the entire Web application environment and registers its structure and contents. Then it mimics actual hacking methods to identify and uncover the details of any point that is susceptible to attack. In the third stage, ScanDo outputs all scan results into reports that show how to eliminate vulnerabilities.[2]
- Company: Kavado
- URL: www.kavado.com
- Email: info@kavado.com
VForce is a web application security scanner that simulates attacks for the purpose of testing and analysing a web application for security weaknesses. Like other tools it scans for buffer overruns, manipulation of HTTP requests, brute force vulnerabilities, etc.[2]
- Company: Virtual Forge
- URL: www.virtualforge.net
- Email: info@virtualforge.net
- Price: €209 single license
ratproxy is a semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.[19]
Goolag Scanner is a standalone Windows GUI-based application.
1. Configuration. gS uses one XML-based configuration file for its settings (see Settings).
2. Data housekeeping. All dorks coming with the distribution of gS are kept inside one file, which resides in {$Goolag Scanner-Installation Directory}/DorkData/gdorks.xml. The name gdorks.xml is predefined from the configuration (see above).[22]
Grendel-Scan is an open-source web application security testing tool. It has an automated testing module for detecting common web application vulnerabilities, and features geared at aiding manual penetration tests. The only system requirement is Java 5; Windows, Linux and Macintosh builds are available.[23]
APACHE_USERS: Apache username enumerator, via /~username requests. This script uses a list of common system names like root, admin etc. You should manually check the issue to establish the HTTP return code (e.g. 403), as this is needed for the command line. No native SSL support.[7]
nnikto: a console app to perform forced browsing checks against a web server. The application uses a simple algorithm and various techniques to prevent/reduce false positives.[25]
Manual security testing:
Paros proxy : A web application vulnerability assessment proxy A Java based web proxy for assessing web application vulnerability. It supports editing/viewing HTTP/HTTPS messages on-the-fly to change items such as cookies and form fields. It includes a web traffic recorder, web spider, hash calculator, and a scanner for testing common web application attacks such as SQL injection and cross-site scripting.[1]
WebScarab : A framework for analyzing applications that communicate using the HTTP and HTTPS protocols In its simplest form, WebScarab records the conversations (requests and responses) that it observes, and allows the operator to review them in various ways. WebScarab is designed to be a tool for anyone who needs to expose the workings of an HTTP(S) based application, whether to allow the developer to debug otherwise difficult problems, or to allow a security specialist to identify vulnerabilities in the way that the application has been designed or implemented.[1]
Burpsuite : An integrated platform for attacking web applications Burp suite allows an attacker to combine manual and automated techniques to enumerate, analyze, attack and exploit web applications. The various burp tools work together effectively to share information and allow findings identified within one tool to form the basis of an attack using another.[1]
SPIKE Proxy : HTTP Hacking Spike Proxy is an open source HTTP proxy for finding security flaws in web sites. It is part of the Spike Application Testing Suite and supports automated SQL injection detection, web site crawling, login form brute forcing, overflow detection, and directory traversal detection.[1]
CAL9000: CAL9000 brings together a host of web application security testing tools into one convenient package. It is designed to be used in the Firefox browser. CAL9000 functionality may be limited when used with other browsers.[11]
httpedit: httpedit is a ‘low-level’ interface to HTTP. The application allows you to write a raw HTTP request, send it against a web server and review the response, all from within the same app.[11]
Decompilers:
Jad is a Java decompiler, i.e. program that reads one or more Java class files and converts them into Java source files which can be compiled again.[3]
Jad can be used:
- for recovering lost source codes;
- for exploring the sources of Java runtime libraries;
- as a Java disassembler;
- as a Java source code cleaner and beautifier.

Web session analyzers:
Stompy is an advanced utility to test the quality of WWW session identifiers and other tokens that are meant to be unpredictable. It is fully automated, employs a remarkably advanced collection of tests, and probably scratches an important pen-testing itch.[4]
Web fuzzers:
PROTOS HTTP-reply – Another fuzzer from the PROTOS dudes for attacking HTTP responses, useful for browser vulns.[5]
Screaming Cobra – The name makes the fuzzer sound better than it really is, but it is good for finding CGI bugs. Also, it is a Perl script, so easy to modify or extend.[5]
Mangle – A fuzzer for generating odd HTML tags, it will also autolaunch a browser. Mangle found the infamous IFRAME IE bug.[5]
FUZZLED: Fuzzled is a powerful fuzzing framework. Fuzzled includes helper functions, namespaces and factories which allow a wide variety of fuzzing tools to be developed. Fuzzled comes with several example protocols and drivers for them. The most recent release includes:
* Support for a raft of additional protocols, including HTTPInject, NNTP, SMTP and IMAP.
* New and improved namespaces.
* Improvements to the pattern factory.
* Documentation on writing a fuzzer in Fuzzled.
* Numerous bugfixes and other minor improvements.[7]
RFuzz is a Ruby library to easily test web applications from the outside using a fast HttpClient and wicked evil RandomGenerator allowing the average programmer to use advanced fuzzing techniques for just pennies a day.[16]
Ajax Security:
Spajax is a .NET Ajax security scanning tool from OWASP.[6]
XSS exploiting
XSSshell: XSS Tunnel is a proxy which allows you to traffic any HTTP traffic through a Cross-site Scripting (XSS) Channel opened by XSS Shell. This release includes a new version of XSS Shell, XSS Tunnel and source codes. Please refer to the white paper for details.[7]
XSSSHELL: XSS Shell is a powerful XSS backdoor. XSS Shell allows interactively getting control over a Cross-site Scripting (XSS) vulnerability in a web application. Demonstrates the real power and damage of Cross-site Scripting attacks.[7]
SQL injection exploiting
SqlServerDataExtractor: Sometimes we need to drop a binary onto a box and extract the data. This application allows you to specify the connection string and SQL statement. Once the SQL statement has executed, the data is output to a file in the application directory, which is loaded into a browser control on the second tab. The reason for using HTML to display the data is that the application should be flexible enough to handle a lot of data.[25]
SSL enumeration & exploitation
ManySSL: Primarily a tool for Linux users to enumerate the SSL ciphers in use on any SSL encrypted service, including mail servers that utilise STARTTLS. This tool has an option to identify only the weak ciphers (ciphers under 128 bit) so administrators can know which ciphers to remove from their service.[7]
SSLDigger v1.02 Released 8/26/2004. Copyright 2004 (c) by Foundstone, Inc. SSLDigger v1.02 is a tool to assess the strength of SSL servers by testing the ciphers supported. Some of these ciphers are known to be insecure.[8]
THCIISSLame version 0.2 IIS 5 SSL remote root exploit. Uses a connect back shell. [13]
THC SSL Check is a small tool that checks the remote SSL stack for supported ciphers and versions. Useful for pentesting for weak SSL configuration discovery.[13]
THCSSLProxy: THCSSLProxy is a small command-line SSL proxy for Windows that is useful for penetration testing SSL services like HTTPS, SMTPS, LDAPS, POP3S, and more.[13]
sslciphercheck: a new console tool to check supported SSL ciphers; it will also retrieve and extract the certificate information, including whether Server Gated Cryptography (SGC) is supported. The main problem with existing tools, e.g. SSLDigger and thcsslcheck, is that they either don’t support SSLv2 or they don’t retrieve the certificate information, so you cannot tell if Server Gated Cryptography is supported. sslciphercheck is designed to overcome these issues.[25]
Web Service scanner
WSDigger v1.0 Released 7/12/2005. Copyright 2005 (c) by Foundstone, Inc. WSDigger is a free open source tool designed by Foundstone to automate black-box web services security testing (also known as penetration testing). WSDigger is more than a tool, it is a web services testing framework. Version one of this framework contains sample attack plug-ins for SQL injection, cross site scripting and XPATH injection attacks. A web service vulnerable to XPATH injection is provided as an example with the tool. By releasing the framework as an open-source tool, users are encouraged to develop and share their own plug-ins. System requirements: Windows, .NET Framework.[9]
Http probers
hoppy: Hoppy (*[H]ttp [O]ptions [P]rober In [PY]thon*) is an HTTP server method prober written in Python; it does exactly what it says on the tin. It tests HTTP methods for configuration issues leaking information, or just to see if they are enabled. Latest version is 1.5.1.[7]
httprint:httprint is a web server fingerprinting tool. It relies on web server characteristics to accurately identify web servers, despite the fact that they may have been obfuscated by changing the server banner strings, or by plug-ins such as mod_security or servermask.
THCSSLProxy: Small command-line SSL proxy for Windows, useful for pentesting SSL services like HTTPS, SMTPS, LDAPS, POP3S etc.[12]
Web spiders:
SiteDigger v2.0 Released 1/06/2005. Copyright 2005 (c) by Foundstone, Inc. SiteDigger 2.0 searches Google’s cache to look for vulnerabilities, errors, configuration issues, proprietary information, and interesting security nuggets on web sites.[10]
What’s New in SiteDigger 2.0
* 10 times more results! Now you can use FSDB / GHDB and generate 10 results per signature.
* Improved user interface, help file, signature update and results page.
* Decreased false positives.
* Latest signatures (open webcams, credit card numbers, etc).
* Ability to raw search.
Aura: A while back Google encouraged developers to make use of their API. Many people built applications around the API, but alas Google has stopped issuing API keys. This means that those applications (like Wikto etc.) lost large portions of their functionality. SensePost AURA (Api Usable / Re-usable Again) will help to get those tools working again. Aura is a very simple web app that runs as an executable on your Windows machine and listens on 127.0.0.1:80.[11]
HTTrack: HTTrack is a free and easy-to-use offline browser utility. It allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer.
Web brute forcers
WWWhack is a brute force utility that will try to crack web sites guarded by a web access password. This utility can use a word file or try all possible combinations, and by trial-and-error will attempt to find a combination of username/password that is accepted by the web server.[14]
Database enumeration
Sqlmap is an automatic SQL injection tool developed in Python. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user’s specific DBMS tables/columns, run his own SQL SELECT statement, read specific files on the file system and much more.[18]
Frameworks
ProxMon is an extensible Python based framework that reduces testing effort, improves consistency and reduces errors. Its use requires limited additional effort as it processes the proxy logs that you’re already generating and reports discovered issues. In addition to penetration testing, ProxMon is useful in QA, developer testing and regression testing scenarios.[20]
Pantera uses an improved version of SpikeProxy to provide a powerful web application analysis engine.[21]
Reference [1]: http://sectools.org/web-scanners.html
Reference [2]: http://www.windowsecurity.com/software/Web-Application-Security/
Reference [3]: http://www.kpdus.com/jad.html#general
Reference [4]: http://lcamtuf.coredump.cx/
Reference [5]: http://www.infosecinstitute.com/blog/2005/12/fuzzers-ultimate-list.html
Reference [6]: http://cvs.drupal.org/viewvc.py/drupal/contributions/modules/spajax/
Reference [7]: http://www.portcullis.co.uk/16.php
Reference [8]: http://www.foundstone.com/us/resources/proddesc/ssldigger.htm
Reference [9]: http://www.foundstone.com/us/resources/proddesc/wsdigger.htm
Reference [10]: http://www.foundstone.com/us/resources/proddesc/sitedigger.htm
Reference [11]: http://www.hacktoolrepository.com/category.pl?cid=8&categoryname=Web%20applications
Reference [12]: http://freeworld.thc.org/root/tools/
Reference [13]: http://packetstormsecurity.org/groups/thc/index5.html
Reference [14]: http://www.darknet.org.uk/2006/12/wwwhack-19-download-wwwhack19zip-web-hacking-tool/
Reference [15]: http://www.infosecinstitute.com/blog/2005/12/fuzzers-ultimate-list.html
Reference [16]: http://rfuzz.rubyforge.org/
Reference [17]: http://www.gnucitizen.org/blog/web-client-fuzzer_py/
Reference [18]: http://sqlmap.sourceforge.net/
Reference [19]: http://code.google.com/p/ratproxy/
Reference [20]: http://www.isecpartners.com/proxmon.html
Reference [21]: http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project
Reference [22]: http://www.goolag.org/specifications.html
Reference [23]: http://www.grendel-scan.com/
Reference [24]: http://www.ntobjectives.com/products/ntospider.php
Reference [25]: http://www.woany.co.uk
July 9th, 2008 at 6:11 pm
If you are looking for more tools to use to manually probe sites, check out this article SamuraiNet Blog. I cover a few firefox plugins that make it easier to probe these things by hand. Also, I’m doing some follow up articles that explain more in-depth how to use said tools.