Web Application Vulnerability Scanners are automated tools that scan web applications, normally from the outside, to look for security vulnerabilities such as Cross-Site Scripting, SQL Injection, Command Injection, Path Traversal and insecure server configuration. This category of tools is frequently referred to as Dynamic Application Security Testing (DAST) tools. A large number of both commercial and open source tools of this type are available, and each has its own strengths and weaknesses. If you are interested in the effectiveness of DAST tools, check out the OWASP Benchmark project, which scientifically measures the effectiveness of all types of vulnerability detection tools, including DAST.
In the software world, security testing involves testing a software application to identify vulnerabilities and misconfigurations that could be exploited by an attacker. These could be as simple as a default admin password, or as complex as an injection vulnerability deep in the application code.
Arachni – Web Application Vulnerability Scanning Framework
Arachni is a web application security scanning tool written in Ruby. It enables auditing and inspection of client-side code through an integrated browser environment, and supports complex web applications that make use of technologies like HTML5, JavaScript, AJAX and DOM manipulation.
Grabber is an easy-to-use web application vulnerability scanner that not only looks for SQL Injection vulnerabilities, but also Blind SQL Injection, XSS vulnerabilities and file inclusion vulnerabilities.
SQLMate is a tool for performing security assessments and vulnerability scans of web applications. It can discover admin panels of websites, which might be a way to break into a web application. It also has an option for dorking, which means it can find possibly vulnerable targets for a particular attack.
W3af is an open source web application attack and audit framework that helps in scanning for vulnerabilities. The tool comes with both a graphical user interface (GUI) and a command line utility. Some of the project files include a copyright line of 2006. That gives a good idea of the maturity of the project, and it is one of the rare tools that is still maintained after so many years.
[*] Initializing...
[*] Preparing plugins...
[*] ... done.
[*] BrowserCluster: Initializing 4 browsers...
[-] [browser#selenium:1123] Worker: Please ensure that chromedriver and Chrome are the same version and in your PATH.
[-] [utilities#exception_jail:428] [Selenium::WebDriver::Error::UnknownError] unknown error: Chrome failed to start: exited abnormally.
    (unknown error: DevToolsActivePort file doesn't exist)
    (The process started from chrome location /home/scriptu/weboko/arachni/.system/usr/bin/google-chrome is no longer running, so ChromeDriver is assuming that Chrome has crashed.)
[-] [utilities#exception_jail:428] #0 0x5654ae531f33
[-] [utilities#exception_jail:428] #1 0x5654ae27c118
[-] [utilities#exception_jail:428] #2 0x5654ae29f678
[-] [utilities#exception_jail:428] #3 0x5654ae29ad5a
[-] [utilities#exception_jail:428] #4 0x5654ae2d5d3a
[-] [utilities#exception_jail:428] #5 0x5654ae2cfe63
[-] [utilities#exception_jail:428] #6 0x5654ae2a582a
[-] [utilities#exception_jail:428] #7 0x5654ae2a6985
[-] [utilities#exception_jail:428] #8 0x5654ae5764cd
[-] [utilities#exception_jail:428] #9 0x5654ae57a5ec
[-] [utilities#exception_jail:428] #10 0x5654ae56071e
[-] [utilities#exception_jail:428] #11 0x5654ae57b238
[-] [utilities#exception_jail:428] #12 0x5654ae555870
[-] [utilities#exception_jail:428] #13 0x5654ae597608
[-] [utilities#exception_jail:428] #14 0x5654ae597788
[-] [utilities#exception_jail:428] #15 0x5654ae5b1f1d
[-] [utilities#exception_jail:428] #16 0x7fcac94b8b43
[-] [utilities#exception_jail:428] /home/scriptu/weboko/arachni/.system/gems/gems/selenium-webdriver-4.1.0/lib/selenium/webdriver/remote/response.rb:56:in `assert_ok'
[-] [utilities#exception_jail:428] /home/scriptu/weboko/arachni/.system/gems/gems/selenium-webdriver-4.1.0/lib/selenium/webdriver/remote/response.rb:35:in `initialize'
[-] [utilities#exception_jail:428] /home/scriptu/weboko/arachni/.system/gems/gems/selenium-webdriver-4.1.0/lib/selenium/webdriver/remote/http/common.rb:83:in `new'
[-] [utilities#exception_jail:428] /home/scriptu/weboko/arachni/.system/gems/gems/selenium-webdriver-4.1.0/lib/selenium/webdriver/remote/http/common.rb:83:in `create_response'
[-] [utilities#exception_jail:428] /home/scriptu/weboko/arachni/.system/gems/gems/arachni-1.6.1.3/lib/arachni/selenium/webdriver/remote/typhoeus.rb:51:in `request'
[-] [utilities#exception_jail:428] /home/scriptu/weboko/arachni/.system/gems/gems/selenium-webdriver-4.1.0/lib/selenium/webdriver/remote/http/common.rb:59:in `call'
[-] [utilities#exception_jail:428] /home/scriptu/weboko/arachni/.system/gems/gems/selenium-webdriver-4.1.0/lib/selenium/webdriver/remote/bridge.rb:588:in `execute'
[-] [utilities#exception_jail:428] /home/scriptu/weboko/arachni/.system/gems/gems/selenium-webdriver-4.1.0/lib/selenium/webdriver/remote/bridge.rb:52:in `create_session'
[-] [utilities#exception_jail:428] /home/scriptu/weboko/arachni/.system/gems/gems/selenium-webdriver-4.1.0/lib/selenium/webdriver/common/driver.rb:340:in `create_bridge'
[-] [utilities#exception_jail:428] /home/scriptu/weboko/arachni/.system/gems/gems/selenium-webdriver-4.1.0/lib/selenium/webdriver/common/driver.rb:74:in `initialize'
[-] [utilities#exception_jail:428] /home/scriptu/weboko/arachni/.system/gems/gems/selenium-webdriver-4.1.0/lib/selenium/webdriver/common/driver.rb:47:in `new'
[-] [utilities#exception_jail:428] /home/scriptu/weboko/arachni/.system/gems/gems/selenium-webdriver-4.1.0/lib/selenium/webdriver/common/driver.rb:47:in `for'
[-] [utilities#exception_jail:428] /home/scriptu/weboko/arachni/.system/gems/gems/selenium-webdriver-4.1.0/lib/selenium/webdriver.rb:88:in `for'
[-] [utilities#exception_jail:428] /home/scriptu/weboko/arachni/.system/gems/gems/arachni-1.6.1.3/lib/arachni/browser.rb:1100:in `selenium'
[-] [utilities#exception_jail:428] /home/scriptu/weboko/arachni/.system/gems/gems/arachni-1.6.1.3/lib/arachni/browser.rb:1274:in `start_webdriver'
[-] [utilities#exception_jail:428] /home/scriptu/weboko/arachni/.system/gems/gems/arachni-1.6.1.3/lib/arachni/browser.rb:192:in `initialize'
[-] [utilities#exception_jail:428] /home/scriptu/weboko/arachni/.system/gems/gems/arachni-1.6.1.3/lib/arachni/browser_cluster/worker.rb:51:in `initialize'
[-] [utilities#exception_jail:428] /home/scriptu/weboko/arachni/.system/gems/gems/arachni-1.6.1.3/lib/arachni/browser_cluster.rb:495:in `new'
[-] [utilities#exception_jail:428] /home/scriptu/weboko/arachni/.system/gems/gems/arachni-1.6.1.3/lib/arachni/browser_cluster.rb:495:in `block in initialize_workers'
[-] [utilities#exception_jail:428] /home/scriptu/weboko/arachni/.system/gems/gems/arachni-1.6.1.3/lib/arachni/browser_cluster.rb:494:in `times'
[-] [utilities#exception_jail:428] /home/scriptu/weboko/arachni/.system/gems/gems/arachni-1.6.1.3/lib/arachni/browser_cluster.rb:494:in `initialize_workers'
[-] [utilities#exception_jail:428] /home/scriptu/weboko/arachni/.system/gems/gems/arachni-1.6.1.3/lib/arachni/browser_cluster.rb:112:in `initialize'
[-] [utilities#exception_jail:428] /home/scriptu/weboko/arachni/.system/gems/gems/arachni-1.6.1.3/lib/arachni/framework/parts/browser.rb:33:in `new'
[-] [utilities#exception_jail:428] /home/scriptu/weboko/arachni/.system/gems/gems/arachni-1.6.1.3/lib/arachni/framework/parts/browser.rb:33:in `block in browser_cluster'
[-] [utilities#exception_jail:428] /home/scriptu/weboko/arachni/.system/usr/lib/ruby/2.7.0/monitor.rb:202:in `synchronize'
[-] [utilities#exception_jail:428] /home/scriptu/weboko/arachni/.system/usr/lib/ruby/2.7.0/monitor.rb:202:in `mon_synchronize'
[-] [utilities#exception_jail:428] /home/scriptu/weboko/arachni/.system/gems/gems/arachni-1.6.1.3/lib/arachni/framework/parts/browser.rb:28:in `browser_cluster'
[-] [utilities#exception_jail:428] /home/scriptu/weboko/arachni/.system/gems/gems/arachni-1.6.1.3/lib/arachni/framework/parts/audit.rb:173:in `audit'
[-] [utilities#exception_jail:428] /home/scriptu/weboko/arachni/.system/gems/gems/arachni-1.6.1.3/lib/arachni/framework.rb:117:in `block in run'
[-] [utilities#exception_jail:428] /home/scriptu/weboko/arachni/.system/gems/gems/arachni-1.6.1.3/lib/arachni/utilities.rb:425:in `exception_jail'
[-] [utilities#exception_jail:428] /home/scriptu/weboko/arachni/.system/gems/gems/arachni-1.6.1.3/lib/arachni/framework.rb:117:in `run'
[-] [utilities#exception_jail:428] /home/scriptu/weboko/arachni/.system/gems/gems/arachni-1.6.1.3/ui/cli/framework.rb:80:in `block in run'
[-] [utilities#exception_jail:429]
[-] [utilities#exception_jail:430] Parent:
[-] [utilities#exception_jail:431] Arachni::Framework
[-] [utilities#exception_jail:432]
[-] [utilities#exception_jail:433] Block:
[-] [utilities#exception_jail:434] #
[-] [utilities#exception_jail:435]
[-] [utilities#exception_jail:436] Caller:
[-] [utilities#exception_jail:437] /home/scriptu/weboko/arachni/.system/gems/gems/arachni-1.6.1.3/lib/arachni/utilities.rb:424:in `exception_jail'
[-] [utilities#exception_jail:437] /home/scriptu/weboko/arachni/.system/gems/gems/arachni-1.6.1.3/lib/arachni/framework.rb:117:in `run'
[-] [utilities#exception_jail:437] /home/scriptu/weboko/arachni/.system/gems/gems/arachni-1.6.1.3/ui/cli/framework.rb:80:in `block in run'
[-] [utilities#exception_jail:438] --------------------------------------------------------------------------------
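The log above shows Selenium failing to start Chrome for Arachni's BrowserCluster, with the worker's hint that chromedriver and Chrome must be the same version and on PATH. The pre-flight check below is an added example, not part of Arachni: it verifies both binaries are on PATH and that their major versions agree before a scan is started, so the failure surfaces before four browser workers are spawned (the binary names tried and the "--version" banner formats parsed are assumptions).

```shell
#!/bin/sh
# Pre-flight check for an Arachni browser-cluster scan (added example, not Arachni code).
# Usage: sh chrome_preflight.sh check   (functions can also be sourced for testing)

# Extract the major version from a "--version" banner (assumed formats):
#   "Google Chrome 102.0.5005.61"        -> 102
#   "ChromeDriver 102.0.5005.61 (sha..)" -> 102
major_version() {
    printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\)\..*/\1/p'
}

# Succeed (status 0) only when both banners parse and report the same major version.
same_major() {
    a=$(major_version "$1")
    b=$(major_version "$2")
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" = "$b" ]
}

# Print the PATH location of a binary, or fail if it is not installed.
find_bin() {
    command -v "$1" 2>/dev/null
}

# Full check: both binaries on PATH, then matching major versions.
preflight() {
    chrome=$(find_bin google-chrome || find_bin google-chrome-stable || find_bin chromium) || {
        echo "Chrome/Chromium not found in PATH" >&2; return 1; }
    driver=$(find_bin chromedriver) || {
        echo "chromedriver not found in PATH" >&2; return 1; }
    cv=$("$chrome" --version 2>/dev/null)
    dv=$("$driver" --version 2>/dev/null)
    if same_major "$cv" "$dv"; then
        echo "OK: $cv / $dv"
    else
        echo "Mismatch: '$cv' vs '$dv'; install a chromedriver matching Chrome's major version" >&2
        return 1
    fi
}

# Only run the check when invoked with the "check" argument.
case "${1:-}" in
    check) preflight ;;
esac
```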
Arachni is an open source framework that is used to evaluate web application security by performing active and passive security analysis. The active security checks include detection of SQL injection, blind SQL injection, NoSQL injection, CSRF, code injection, LDAP injection, path traversal, OS command injection, XPath injection, remote file inclusion, XSS, and DOM XSS. OS command injection is analyzed against *nix, BSD, IBM AIX, and Windows systems. XPath injection analysis is performed for Generic, PHP, dotNET, Java, and libXML2 back ends. Similarly, in the passive security tests, Arachni searches for files, folders, and signatures. These include backup files, backup directories, forms, credit card data, .htaccess file misconfigurations, cookies, and files containing policies and other legal data. Besides vulnerability analysis, Arachni can perform fingerprinting of operating systems, web servers, frameworks, and programming languages. The operating systems it can identify are Linux, UNIX, BSD, Solaris, and Windows. The supported web servers are Apache, Nginx, IIS, Tomcat, Jetty, and Gunicorn. The frameworks identified by Arachni are ASP.NET, Rails, Rack, CakePHP, Django, CherryPy, Symfony, JSF, and Netty. Similarly, the supported programming languages are PHP, Python, Java, ASP, ASPX, and Ruby.