鬼仔's Blog

# 鬼仔：在包子那里看到的。

原文链接

Web Application Vulnerability Scanners are tools designed to automatically scan web applications for potential vulnerabilities. These tools differ from general vulnerability assessment tools in that they do not perform a broad range of checks on a myriad of software and hardware. Instead, they perform other checks, such as potential field manipulation and cookie poisoning, which allows a more focused assessment of web applications by exposing vulnerabilities of which standard VA tools are unaware.

Web Application Security

Web Applications Issues

• Scripting issues
• Sources of input: forms, text boxes, dialog windows, etc.
• Multiple Charset Encodings (UTF-8, ISO-8859-15, UTF-7, etc.)
• Regular expression checks
• Header integrity (e.g. Multiple HTTP Content Length, HTTP Response Splitting)
• Session handling/fixation
• Cookies
• Framework vulnerabities(Java Server Pages, .NET, Ruby On Rails, Django, etc.)
• Success control: front door, back door vulnerability assessment
• Penetration attempts versus failures

Technical vulnerabilities

• Unvalidated input:
  • Tainted parameters – Parameters users in URLs, HTTP headers, and forms are often used to control and validate access to sentitive information.
  • Tainted data
• Cross-Site Scripting flaws:
  • XSS takes advantage of a vulnerable web site to attack clients who visit that web site. The most frequent goal is to steal the credentials of users who visit the site.
• Content Injection flaws:
  • Data injection
  • SQL injection – SQL injection allows commands to be executed directly against the database, allowing disclosure and modification of data in the database
  • XPath injection – XPath injection allows attacker to manipulate the data in the XML database
  • Command injection – OS and platform commands can often be used to give attackers access to data and escalate privileges on backend servers.
  • Process injection
• Cross-site Request Forgeries

Security Vulnerabilities

• Denial of Service
• Broken access control
• Path manipulation
• Broken session management (synchronization timing problems)
• Weak cryptographic functions, Non salt hash

Architectural/Logical Vulnerabilities

• Information leakage
• Insufficient authentification
• Password change form disclosing detailed errors
• Session-idle deconstruction not consistent with policies
• Spend deposit before deposit funds are validated

Other vulnerabilities

• Debug mode
• Thread Safety
• Hidden Form Field Manipulation
• Weak Session Cookies: Cookies are often used to transit sensitive credentials, and are often easily modified to escalate access or assume another user’s identify.
• Fail Open Authentication
• Dangers of HTML Comments

Some Instances

Please contact us if you think something should be included. If it has all the characteristics of the tool, techniques, etc., we will be happy to add it. We can be contacted at http://samate.nist.gov/Images/sam8ATnistDOTguv.jpg

Commercial tools

• Acunetix WVS by Acunetix
• AppScan DE by IBM/Watchfire, Inc.
• Hailstorm by Cenzic
• N-Stealth by N-Stalker
• NTOSpider by NTObjectives
• WebInspect by HP/SPI-Dynamics
• WebKing by Parasoft
• elanize’s Security Scanner by Elanize KG
• MileScan Web Security Auditor by MileSCAN Tech
• WebApp360 by nCircle

Free/OpenSource Tools

• Grabber by Romain Gaucher
• Grendel-Scan by David Byrne and Eric Duprey
• Nikto by Sullo
• Pantera by Simon Roses Femerling (OWASP Project)
• Paros by Chinotec
• Powerfuzzer by Marcin Kozlowski
• Spike Proxy by Immunity (Now as OWASP Pantera)
• WebScarab by Rogan Dawes of Aspect Security (OWASP Project)
• Wapiti by Nicolas Surribas
• W3AF by Andres Riancho
• SecurityQA Toolbar by iSEC Partners

A more complete list of tools is available in the OWASP Phoenix/Tools