Web Application Vulnerabilities Scanners and Their Application
Vulnerability is a cyber-security term that refers to a flaw in a system that can leave it open to attack. A vulnerability may also refer to any type of weakness in a computer system itself, in a set of procedures, or in anything that leaves information security exposed to a threat.
The ‘Web Application Vulnerabilities Scanners and Their Application’ project was done by ICSS student Shreya Goswami. The full project is discussed below:
Project Name: Web Application Vulnerabilities Scanners and Their Application
Author Name: Shreya Goswami
Publish Date: 24-08-2018
DISCLAIMER of Student:
The scanning of the web applications for vulnerabilities in this project was done after receiving approval from the management accountable to these applications.
However, for the purpose of privacy and request made by the management, I have hidden some information.
Nothing has been done against the wishes of the management accountable to these applications.
Penetration testing stages, Penetration testing methods.
- WHAT IS VULNERABILITY
- DIFFERENCE BETWEEN VULNERABILITY AND EXPLOIT
- WHAT IS WEBSITE VULNERABILITY
- TYPES OF VULNERABILITIES
- WHAT IS A WEB APPLICATION?
- WHAT IS A WEB APPLICATION SECURITY SCANNER?
- THE IMPORTANCE OF WEB APPLICATION SCANNING
- WEB APPLICATIONS ARE EASY TO HACK
- LISTING OF VULNERABILITY SCANNERS
- SOME OPEN SOURCE WEB APPLICATION VULNERABILITY SCANNERS AND THEIR APPLICATIONS
Grabber, Zed Attack Proxy, Wapiti, Skipfish, Nikto, Uniscan, Sqlmap
Step 1: find a vulnerable website
Step 1.a: google dorks strings to find a vulnerable sqlmap sql injectable website
Step 1.b: initial check to confirm if website is vulnerable to sqlmap sql injection
- STRENGTHS AND WEAKNESSES
Strengths and advantages
Weaknesses and limitations
- CONCLUSION: securing web applications is imperative
I would like to express my special thanks of gratitude to our respected trainer (Souvik Mal) for taking our offline course in Ethical Hacking.
It was because of his guidance and help that we were able to learn so much during our training and apply it in our project.
I would also like to thank our HR and ADMIN (Reshma Sen) for being a constant support and help. She made sure we were enjoying and learning in our classes. She made it a point to help us in every possible way that she could. Her friendliness and good nature made us very comfortable and made this entire training duration a very enjoyable experience.
I am thankful to them for giving me this golden opportunity and allowing me to expand my knowledge in the field of cyber security. The research and application did, indeed, help a lot in that respect.
Secondly, my batchmates were very kind and helpful. They helped me a lot in finalizing this project within the limited time frame.
- Give a brief introduction to Penetration testing.
- Give a brief introduction to Web Application Vulnerabilities and Vulnerability Scanning.
- Give a brief introduction to and description of a few open source and free web application scanners, along with the outputs of the scans done.
- Give a brief conclusion as to why web application scanning is necessary and important.
A penetration test, colloquially known as a pen test, is an authorized simulated attack on a computer system, performed to evaluate the security of the system. The test is performed to identify both weaknesses (also referred to as vulnerabilities), including the potential for unauthorized parties to gain access to the system’s features and data, and strengths, enabling a full risk assessment to be completed.
The process typically identifies the target systems and a particular goal, then reviews available information and undertakes various means to attain the goal. A penetration test target may be a white box (which provides background and system information) or a black box (which provides only basic or no information except the company name). A penetration test can help determine whether a system is vulnerable to attack, whether the defences were sufficient, and which defences (if any) the test defeated.
Security issues that the penetration test uncovers should be reported to the system owner. Penetration test reports may also assess potential impacts to the organization and suggest countermeasures to reduce risk.
PENETRATION TESTING STAGES
The pen testing process can be broken down into five stages.
- Planning and reconnaissance
The first stage involves:
- Defining the scope and goals of a test, including the systems to be addressed and the testing methods to be used.
- Gathering intelligence (e.g., network and domain names, mail server) to better understand how a target works and its potential vulnerabilities.
- Scanning
The next step is to understand how the target application will respond to various intrusion attempts. This is typically done using:
- Static analysis – Inspecting an application’s code to estimate the way it behaves while running. These tools can scan the entirety of the code in a single pass.
- Dynamic analysis – Inspecting an application’s code in a running state. This is a more practical way of scanning, as it provides a real-time view into an application’s performance.
- Gaining access
This stage uses web application attacks, such as cross-site scripting, SQL injection and backdoors, to uncover a target’s vulnerabilities. Testers then try and exploit these vulnerabilities, typically by escalating privileges, stealing data, intercepting traffic, etc., to understand the damage they can cause.
- Maintaining access
The goal of this stage is to see if the vulnerability can be used to achieve a persistent presence in the exploited system, long enough for a bad actor to gain in-depth access. The idea is to imitate advanced persistent threats, which often remain in a system for months in order to steal an organization’s most sensitive data.
- Analysis
The results of the penetration test are then compiled into a report detailing:
- Specific vulnerabilities that were exploited
- Sensitive data that was accessed
- The amount of time the pen tester was able to remain in the system undetected
This information is analyzed by security personnel to help configure an enterprise’s WAF settings and other application security solutions, patch vulnerabilities and protect against future attacks.
PENETRATION TESTING METHODS
EXTERNAL TESTING
External penetration tests target the assets of a company that are visible on the internet, e.g., the web application itself, the company website, and email and domain name servers (DNS). The goal is to gain access and extract valuable data.
INTERNAL TESTING
In an internal test, a tester with access to an application behind its firewall simulates an attack by a malicious insider. This isn’t necessarily simulating a rogue employee; a common starting scenario is an employee whose credentials were stolen in a phishing attack.
BLIND TESTING
In a blind test, a tester is only given the name of the enterprise that’s being targeted. This gives security personnel a real-time look into how an actual application assault would take place.
DOUBLE BLIND TESTING
In a double blind test, security personnel have no prior knowledge of the simulated attack. As in the real world, they won’t have any time to shore up their defences before an attempted breach.
TARGETED TESTING
In a targeted test, both the tester and security personnel work together and keep each other apprised of their movements. This is a valuable training exercise that provides a security team with real-time feedback from a hacker’s point of view.
WHAT IS VULNERABILITY?
In computer security, a vulnerability is a weakness which can be exploited by a Threat Actor, such as an attacker, to perform unauthorized actions within a computer system. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness.
DIFFERENCE BETWEEN VULNERABILITY AND EXPLOIT
A vulnerability is a flaw in a system, or in some software in a system, that could provide an attacker with a way to bypass the security infrastructure of the host operating system or of the software itself. It isn’t an open door but rather a weakness which if attacked could provide a way in.
Exploiting is the act of trying to turn a vulnerability (a weakness) into an actual way to breach a system. A vulnerability can therefore be ‘exploited’ to turn it into a viable method of attacking a system.
WHAT IS WEBSITE VULNERABILITY?
Websites experience 22 attacks per day on average, which is over 8,000 attacks per year. A website vulnerability is a weakness or misconfiguration in a website or web application code that allows an attacker to gain some level of control of the site, and possibly the hosting server. Most vulnerabilities are exploited through automated means, such as vulnerability scanners and botnets. Cybercriminals create specialized tools that scour the internet for certain platforms, like WordPress or Joomla, looking for common and publicized vulnerabilities. Once found, these vulnerabilities are then exploited to steal data, distribute malicious content, or inject defacement and spam content into the vulnerable site.
TYPES OF VULNERABILITY
There are five common types of website vulnerabilities that are frequently exploited by attackers. While this isn’t an exhaustive list of all the possible vulnerabilities a determined attacker may find in an application, it does include some of the most common vulnerabilities websites contain today.
SQL Injection Vulnerabilities (SQLi) – SQL injection vulnerabilities refer to areas in website code where direct user input is passed to a database. Bad actors utilize these forms to inject malicious code, sometimes called payloads, into a website’s database. This allows the cybercriminal to access the website in a variety of ways, including:
- Injecting malicious/spam posts into a site
- Stealing customer information
- Bypassing authentication to gain full control of the website
Due to its versatility, SQL injection is one of the most commonly exploited website vulnerabilities. It is frequently used to gain access to open source content management system (CMS) applications, such as Joomla!, WordPress and Drupal. SQL injection attacks, for example, have even been linked to a breach of the U.S. Election Assistance Commission and a popular video game forum for Grand Theft Auto, resulting in exposed user credentials.
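As an added illustration of the SQL injection class described above (example code written for this edit, not part of the original project or of any scanner it names), the following Python compares an item lookup that splices the request parameter into the SQL text with one that binds it as a parameter. The in-memory SQLite table, the item ids and the `leaks_sql_error` helper are constructed for the example; the helper simply reports whether a lookup surfaces a database error for a given input, which is the symptom a scanner or a manual check looks for.

```python
import sqlite3

# Constructed in-memory catalogue standing in for a site's "item_id=" page.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
conn.executemany("INSERT INTO items VALUES (?, ?)", [(1, "widget"), (2, "gadget")])


def get_item_vulnerable(item_id):
    """Vulnerable: the request parameter becomes part of the SQL statement,
    so any quote or operator in it changes the query's structure."""
    sql = "SELECT name FROM items WHERE id = " + item_id
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def get_item_safe(item_id):
    """Hardened: the value travels as a bound parameter and is only ever data.
    A stray quote cannot reach the SQL parser; it simply matches no row."""
    row = conn.execute("SELECT name FROM items WHERE id = ?", (item_id,)).fetchone()
    return row[0] if row else None


def leaks_sql_error(lookup, value):
    """Return True if the lookup raises a database error for this input.
    A page that shows such an error to the visitor is the tell-tale sign
    that request data is reaching the SQL engine unescaped."""
    try:
        lookup(value)
    except sqlite3.Error:
        return True
    return False
```

The safe variant still returns nothing for a malformed id, so the fix changes only how the value reaches the database, not what the page does for well-formed requests; input validation (here, requiring an integer) would be a sensible second layer.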
Cross-Site Scripting (XSS) – Cross-site scripting vulnerabilities occur when a web application includes untrusted user input in the pages it serves without encoding it, so that attacker-supplied script runs in other visitors’ browsers. This can lead to:
- Session hijacking
- Spam content being distributed to unsuspecting visitors
- Stealing session data
Some of the largest scale attacks against WordPress have been from cross-site scripting vulnerabilities. However, XSS is not limited only to open source applications. Recently, a cross-site scripting vulnerability was found in gaming giant Steam’s system that potentially exposed login credentials to attackers.
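To make the encoding point concrete, here is an added Python example (written for this edit, not taken from the project or from any scanner) that renders a user comment two ways. The comment text, the author name and the `render_comment_*` function names are constructed for the example; `html.escape` is the standard-library encoder.

```python
import html


def render_comment_vulnerable(author, text):
    """Vulnerable: user-controlled strings are dropped straight into the markup,
    so a '<script>' in the comment is served as an element, not as text."""
    return f'<div class="comment" data-author="{author}"><p>{text}</p></div>'


def render_comment_safe(author, text):
    """Hardened: every untrusted value is HTML-encoded for the context it lands in.
    quote=True also encodes the quote characters, which is what keeps a value
    inside an attribute from closing that attribute early."""
    return (
        f'<div class="comment" data-author="{html.escape(author, quote=True)}">'
        f"<p>{html.escape(text)}</p></div>"
    )


def contains_script_element(rendered):
    """Crude review check: does the output contain a script element the
    template author did not write?"""
    return "<script" in rendered.lower()
```

Encoding must match the output context: body text, attribute values, URLs and JavaScript strings each need their own encoder, which is why template engines with auto-escaping are preferred over hand-built strings.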
Command Injection – Command injection vulnerabilities allow attackers to remotely pass and execute code on the website’s hosting server. This is done when user input that is passed to the server, such as header information, is not properly validated, allowing attackers to include shell commands with the user information. Command injection attacks are particularly critical because they can allow bad actors to initiate the following:
- Hijack an entire site
- Hijack an entire hosting server
- Utilize the hijacked server in botnet attacks
One of the most dangerous and widespread command injection vulnerabilities was the Shellshock vulnerability that impacted most Linux distributions.
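An added Python example (written for this edit, not part of the original project) showing why interpolating user input into a shell command line is dangerous and what the fix looks like. It stands in for a "check this host" feature; `echo` is used instead of a real network command so it runs anywhere with a POSIX shell, and the function names, the hostname pattern and the inputs are constructed for the example.

```python
import re
import subprocess

# Constructed allow-list: hostnames may contain only letters, digits, dots and dashes.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def run_vulnerable(host):
    """Vulnerable: the value is interpolated into a command line that a shell
    parses, so shell metacharacters in it become additional commands."""
    result = subprocess.run(f"echo checking {host}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def run_argv_only(host):
    """Better: pass an argument vector with no shell. The value is delivered to
    the program as one argument and is never parsed for metacharacters."""
    result = subprocess.run(["echo", "checking", host],
                            capture_output=True, text=True)
    return result.stdout


def run_safe(host):
    """Hardened: validate against the allow-list first, then use argv. Rejecting
    unexpected characters keeps bad values out of logs and downstream tools too."""
    if not HOSTNAME_RE.match(host):
        raise ValueError("rejected host value")
    return run_argv_only(host)
```

The argument-vector form alone removes the injection; the allow-list on top narrows the input to what the feature actually needs, which is the pattern to follow wherever request data is handed to an operating system command.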
File Inclusion (LFI/RFI) – Remote file inclusion (RFI) attacks use the include functions in server-side web application languages like PHP to execute code from a remotely stored file. Attackers host malicious files and then take advantage of improperly sanitized user input to inject or modify an include function into the victim site’s PHP code. This inclusion can then be used to initiate the following:
- Deliver malicious payloads that can be used to include attack and phishing pages in a visitors’ browsers
- Include malicious shell files on publicly available websites
- Take control of a website admin panel or host server
Local File Inclusion (LFI), like remote file inclusion, can occur when user input is able to modify the full or absolute path to included files. Attackers can then use this vector to gain read or write access to sensitive local files, for example configuration files containing database credentials. The attacker could also perform a directory traversal attack, amending an included file path to review back end and host server files, exposing sensitive data. A local file inclusion attack has the potential to become a remote file inclusion attack if, for example, the attacker is able to include log files that were previously seeded with malicious code by the attacker through public interaction.
These types of vulnerabilities are frequently used to launch other attacks, such as DDoS and cross-site scripting attacks. They have also been used to expose and steal sensitive financial information, such as when Starbucks fell victim to an inclusion attack leading to a compromise of customer credit card data.
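The path-manipulation half of local file inclusion, as an added Python example (written for this edit, not part of the original project). It builds a throwaway web root with one includable page and a config file outside it, then contrasts an include that joins the request value onto the base path with two hardened versions: one that resolves the final path and requires it to stay under the pages directory, and one that maps request keys to files through an allow-list. The directory layout, file contents and function names are constructed for the example.

```python
import os
import tempfile

# Constructed web root: pages/about.html is includable, config.php must not be.
ROOT = tempfile.mkdtemp()
PAGES = os.path.join(ROOT, "pages")
os.mkdir(PAGES)
with open(os.path.join(PAGES, "about.html"), "w") as f:
    f.write("<h1>About</h1>")
with open(os.path.join(ROOT, "config.php"), "w") as f:
    f.write("db_password=constructed-secret")

# Allow-list used by the strictest variant: request key -> file name.
PAGE_MAP = {"about": "about.html"}


def include_vulnerable(page):
    """Vulnerable: the request value is joined onto the base path unchecked,
    so '../' segments (or an absolute path) walk out of the pages directory."""
    with open(os.path.join(PAGES, page)) as f:
        return f.read()


def include_safe(page):
    """Hardened: resolve symlinks and '..' first, then require the result to be
    inside PAGES. commonpath is the containment test; a plain prefix check would
    wrongly accept a sibling directory such as 'pages2'."""
    base = os.path.realpath(PAGES)
    target = os.path.realpath(os.path.join(base, page))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes the pages directory")
    with open(target) as f:
        return f.read()


def include_allowlisted(key):
    """Strictest: the request never carries a path at all, only a key that is
    looked up in a fixed map. Unknown keys are rejected outright."""
    if key not in PAGE_MAP:
        raise KeyError("unknown page")
    with open(os.path.join(PAGES, PAGE_MAP[key])) as f:
        return f.read()
```

The allow-list form is the one to prefer when the set of includable files is known in advance; the containment check is the fallback for genuinely dynamic file names.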
Cross-Site Request Forgery (CSRF) – Cross-site request forgery attacks are less common, but can be quite dangerous. CSRF attacks trick site users or administrators into unknowingly performing malicious actions for the attacker. As a result, attackers may be able to take the following actions using a valid user’s session:
- Change order values and product prices
- Transfer funds from one account to another
- Change user passwords to hijack accounts
These types of attacks are particularly vexing for ecommerce and banking sites where attackers can gain access to sensitive financial information. A CSRF attack was recently used to seize control of a Brazilian bank’s DNS settings for over five hours.
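The standard defence, a per-session anti-forgery token, as an added Python example (written for this edit, not part of the original project). A transfer handler that trusts any request arriving with the victim’s session is contrasted with one that also demands a secret token that only the site’s own pages can embed. The in-memory session store, the balances, the form dictionaries and the function names are constructed for the example.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session data.
SESSIONS = {}


def new_session():
    """Create a session with a starting balance and a fresh random CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32), "balance": 100}
    return sid


def render_transfer_form(sid):
    """Embed the session's token as a hidden field. A page on another origin can
    make the browser send the victim's cookie, but it cannot read this value,
    so it cannot assemble a request the safe handler will accept."""
    token = SESSIONS[sid]["csrf_token"]
    return (f'<form method="post"><input type="hidden" name="csrf_token" '
            f'value="{token}"><input name="amount"></form>')


def handle_transfer_vulnerable(sid, form):
    """Vulnerable: any request carrying the victim's session cookie is honoured."""
    SESSIONS[sid]["balance"] -= int(form["amount"])
    return SESSIONS[sid]["balance"]


def handle_transfer_safe(sid, form):
    """Hardened: require the token bound to this session and compare it in
    constant time, so a wrong or missing token is rejected before any change."""
    expected = SESSIONS[sid]["csrf_token"].encode()
    supplied = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(expected, supplied):
        raise PermissionError("missing or invalid CSRF token")
    SESSIONS[sid]["balance"] -= int(form["amount"])
    return SESSIONS[sid]["balance"]
```

Binding the token to the session is what defeats a token stolen from the attacker’s own account; setting the session cookie with `SameSite=Lax` or `Strict` is a complementary browser-side control.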
WHAT IS A WEB APPLICATION?
A Web application is an application that resides on a company’s Web server, which any authorized user can access over a network, such as the World Wide Web or an Intranet.
A Web application is a three-layered application. Normally, the first layer would be a Web browser, the second would be a content generation technology tool such as Java servlets or ASP (Active Server Pages), and the third layer would be the company database.
The Web browser makes the initial request to the middle layer, which, in turn, accesses the database to perform the requested task, either by retrieving information from the database, or by updating it.
Since Web applications reside on a server, they can be updated and modified at any time without any distribution or installation of software on the client’s machines – the main reason for the widespread adoption of Web applications in today’s organizations.
Examples of Web applications include shopping carts, forms, login pages, dynamic content, discussion boards and blogs.
WHAT IS A WEB APPLICATION SECURITY SCANNER?
A web application security scanner is a program which communicates with a web application through the web front-end in order to identify potential security vulnerabilities in the web application and architectural weaknesses. It performs a black-box test. Unlike source code scanners, web application scanners don’t have access to the source code and therefore detect vulnerabilities by actually performing attacks.
THE IMPORTANCE OF WEB APPLICATION SCANNING
Organizations need a Web application scanning solution that can scan for security loopholes in Web-based applications to prevent would-be hackers from gaining unauthorized access to corporate information and data. Web applications are proving to be the weakest link in overall corporate security, even though companies have left no stone unturned in installing the better-known network security and anti-virus solutions. Quick to take advantage of this vulnerability, hackers have now begun to use Web applications as a platform for gaining access to corporate data; consequently, the regular use of a web application scanner is essential.
WEB APPLICATIONS ARE EASY TO HACK
The hacker’s life has become tougher in recent days. Thanks to various intrusion detection and defence mechanisms developed by network security companies, it is no longer easy to breach security perimeters and gain unauthorized access to an organization’s network.
Today, firewalls, security scanners and antivirus software protect almost all corporate networks. Hemmed in by such constraints, hackers have been researching alternate ways to breach the security infrastructure.
Unfortunately, hackers have been successful in finding a gaping hole in the corporate security infrastructure, one of which organizations were previously unaware – Web applications. By design, Web applications are publicly available on the Internet, 24/7. This provides hackers with easy access and allows almost unlimited attempts to hack applications that have not been identified by webmasters as vulnerable through the use of a web application scanning solution.
While the adoption of Web-based technologies for conducting business has enabled organizations to connect seamlessly with suppliers, customers and other stakeholders, it has also exposed a multitude of previously unknown security risks. According to Pete Lindstrom, Director of Security Strategies with the Hurwitz Group, Web applications, when not audited regularly with the use of a web application scanner, are the most vulnerable elements of an organization’s IT infrastructure today.
A web application security scanner facilitates the automated review of a web application with the express purpose of discovering security vulnerabilities, and such reviews are required to comply with various regulatory requirements. Web application scanners can look for a wide variety of vulnerabilities, such as input/output validation flaws (e.g. cross-site scripting and SQL injection), specific application problems and server configuration mistakes.
| Percentage | Vulnerability type |
| --- | --- |
| 37% | Cross Site Scripting |
| 5% | Denial of Service |
| 4% | Cross Site Request Forgery |
| 2% | Local File Inclusion |
| 1% | Remote File Inclusion |
LISTING OF VULNERABILITY SCANNERS
Here is a list of vulnerability scanners currently available in the market.
| Scanner | Vendor / Author | License | Platform |
| --- | --- | --- | --- |
| w3af | w3af.org | GPL v2.0 | Linux and Mac |
| Vega | Subgraph | Commercial / Free (Limited Capability) | Windows, Linux, Mac |
| Probe.ly | Probe.ly | Commercial / Free (Limited Capability) | SaaS |
| Nexpose | Rapid7 | Commercial / Free (Limited Capability) | Windows, Linux |
| Grabber | Romain Gaucher | Open Source | Python 2.4, BeautifulSoup and PyXML |
| Acunetix WVS | Acunetix | Commercial / Free (Limited Capability) | Windows, SaaS |
| DefenseCode Web Security Scanner | DefenseCode | Commercial / Free | Windows |
SOME OPEN SOURCE WEB APPLICATION VULNERABILITY SCANNERS AND THEIR APPLICATION:
In the past, many popular websites have been hacked. Hackers are now active and always try to hack websites and leak data. This is why security testing of web applications is very important. And here comes the role of web application security scanners. Web Application Security Scanner is a software program which performs automatic black box testing on a web application and identifies security vulnerabilities. Scanners do not access the source code, they only perform functional testing and try to find security vulnerabilities.
Various paid and free web application vulnerability scanners are available. Do not confuse free tools with open source tools: there are various other tools available for free, but they do not provide their source code to other developers. Open source tools are those which offer their source code to developers so that developers can modify the tool or help in its further development.
Grabber
Grabber is a nice web application scanner which can detect many security vulnerabilities in web applications. It performs scans and tells where the vulnerability exists. It can detect the following vulnerabilities:
- Cross site scripting
- SQL injection
- Ajax testing
- File inclusion
- JS source code analyzer
- Backup file check
It is not fast compared to other security scanners, but it is simple and portable. It should be used only to test small web applications, because it takes too much time to scan large applications.
This tool does not offer any GUI interface. It also cannot create any PDF report. This tool was designed to be simple and for personal use. You can try this tool just for personal use. If you are thinking of it for professional use, I will never recommend it.
This tool was developed in Python, and an executable version is also available if you want. Source code is available, so you can modify it according to your needs. The main script is grabber.py, which once executed calls other modules like sql.py, xss.py or others.
Download it here: http://rgaucher.info/beta/grabber/
Source code on Github: https://github.com/neuroo/grabber
Zed Attack Proxy
Zed Attack Proxy is also known as ZAP. This tool is open source and is developed by OWASP. It is available for Windows, Unix/Linux and Macintosh platforms. I personally like this tool. It can be used to find a wide range of vulnerabilities in web applications. The tool is very simple and easy to use. Even if you are new to penetration testing, you can easily use this tool to start learning penetration testing of web applications.
These are the key functionalities of ZAP:
- Intercepting Proxy
- Automatic Scanner
- Traditional but powerful spiders
- Web Socket Support
- Plug-n-hack support
- Authentication support
- REST based API
- Dynamic SSL certificates
- Smartcard and Client Digital Certificates support
You can either use this tool as a scanner by inputting the URL to perform scanning, or you can use this tool as an intercepting proxy to manually perform tests on specific pages.
Download ZAP : http://code.google.com/p/zaproxy/
Wapiti
Wapiti is also a nice web vulnerability scanner which lets you audit the security of your web applications. It performs black-box testing by scanning web pages and injecting data. It tries to inject payloads and sees whether a script is vulnerable. It supports both GET and POST HTTP attacks and detects multiple vulnerabilities.
It can detect following vulnerabilities:
- File Disclosure
- File inclusion
- Cross Site Scripting (XSS)
- Command execution detection
- CRLF Injection
- SQL Injection and XPath Injection
- Weak .htaccess configuration
- Backup files disclosure
- and many others
Wapiti is a command-line application, so it may not be easy for beginners, but for experts it will perform well. To use this tool, you need to learn many commands, which can be found in the official documentation.
Download Wapiti with source code: http://wapiti.sourceforge.net/
Skipfish
Skipfish is also a nice web application security tool. It crawls the website, then checks each page for various security threats and at the end prepares the final report. This tool was written in C. It is highly optimized for HTTP handling and uses minimal CPU. It claims that it can easily handle 2000 requests per second without adding load on the CPU. It uses a heuristic approach while crawling and testing web pages. This tool also claims to offer high quality results and fewer false positives.
This tool is available for Linux, FreeBSD, MacOS X and Windows.
Download Skipfish or its code from Google Code: http://code.google.com/p/skipfish/
Nikto
The Nikto web server scanner is a security tool that will test a web site for thousands of possible security issues, including dangerous files, misconfigured services, vulnerable scripts and other issues. It is open source and structured with plugins that extend its capabilities. These plugins are frequently updated with new security checks.
Nikto is by no means a stealthy tool. It will make over 2000 HTTP GET requests to the web server, creating a large number of entries in the web server’s log files. This noise is actually an excellent way to test an Intrusion Detection System (IDS) that is in place. Any web server log monitoring, host based intrusion detection (HIDS) or network based intrusion detection (NIDS) should detect a Nikto scan.
Custom scans can be initiated using IDS bypass methods from libwhisker; however, the current version of our on-line scan is a default (no evasion) scan.
The Nikto Web Vulnerability Scanner is a popular tool found in the grab bag of many penetration testers and security analysts. It will often discover interesting information about a web server or website that can be used for deeper exploitation or vulnerability assessment.
Uniscan
Uniscan is a vulnerability scanner that can scan websites and web applications for various security issues like LFI, RFI, SQL injection, XSS etc. It is written in Perl.
It is open source and can be downloaded from the SourceForge project page at http://sourceforge.net/projects/uniscan/.
SQLMap
SQLMap is another popular open source penetration testing tool. It automates the process of finding and exploiting SQL injection vulnerabilities in a website’s database. It has a powerful detection engine and many useful features, so a penetration tester can easily perform an SQL injection check on a website.
It supports a range of database servers including MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB. It offers full support for 6 kinds of SQL injection techniques: time-based blind, boolean-based blind, error-based, UNION query, stacked queries and out-of-band.
Access the source code on Github repository: https://github.com/sqlmapproject/sqlmap
Download SQLMap here: https://github.com/sqlmapproject/sqlmap
[successful scan and unsuccessful sql injection]
[successful scan and sql injection]
Step 1: Find a Vulnerable Website
Step 1.a: Google Dorks strings to find Vulnerable SQLMAP SQL injectable website
|Google Dork string Column 1||Google Dork string Column 2||Google Dork string Column 3|
Step 1.b: Initial check to confirm if website is vulnerable to SQLMAP SQL Injection
For every string shown above, you will get hundreds of search results. How do you know which is really vulnerable to SQLMAP SQL injection? There are multiple ways, and I am sure people would argue which one is best, but to me the following is the simplest and most conclusive.
Let’s say you searched using the string inurl:item_id= and one of the search results shows a website like this:
Just add a single quotation mark ‘ at the end of the URL. (Just to ensure, ” is a double quotation mark and ‘ is a single quotation mark).
So now your URL will become like this:
If the page returns an SQL error, the page is vulnerable to SQLMAP SQL injection. If it loads normally or redirects you to a different page, move on to the next site in your Google search results.
See example error below in the screenshot. I’ve obscured everything including URL and page design for obvious reasons.
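From the defender’s side, the single-quote check above and the Nikto noise described earlier both leave a clear trace in the web server log. The following added Python example (written for this edit, not part of the original project or of any tool it names) parses Apache combined-format log lines and raises three kinds of alert: a scanner name in the User-Agent, a quote or SQL fragment in a decoded query string (with an extra flag when the server answered with a 5xx error, the symptom the check looks for), and a burst of requests from one address. The log lines, IP addresses, timestamps and the burst threshold are constructed for the example; a real Nikto run makes over 2000 requests, so the threshold is tuned down only to keep the sample short.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed Apache "combined" log lines: one normal visitor, one manual
# single-quote probe that triggered a server error, and a burst from a scanner.
NORMAL = ('203.0.113.5 - - [24/Aug/2018:10:00:01 +0530] '
          '"GET /shop.php?item_id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')
PROBE = ('203.0.113.9 - - [24/Aug/2018:10:00:05 +0530] '
         '"GET /shop.php?item_id=12%27 HTTP/1.1" 500 812 "-" "Mozilla/5.0"')
SCAN_TEMPLATE = ('198.51.100.7 - - [24/Aug/2018:10:00:{sec:02d} +0530] '
                 '"GET /cgi-bin/check{n}.cgi HTTP/1.1" 404 210 "-" '
                 '"Mozilla/5.00 (Nikto/2.1.6)"')
SAMPLE_LINES = [NORMAL, PROBE] + [SCAN_TEMPLATE.format(sec=10 + n, n=n) for n in range(25)]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Tool names the page discusses; real scanners announce themselves unless told not to.
SCANNER_UA = re.compile(r"nikto|sqlmap|wapiti|skipfish|w3af", re.I)
# A bare quote is the manual check from the text; the rest are common probe fragments.
SQLI_HINT = re.compile(r"'|\bor\b\s+\d+\s*=\s*\d+|union\s+select|sleep\(", re.I)


def parse_line(line):
    """Return the named fields of one combined-format line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines, burst_threshold=20):
    """Map each suspicious client IP to a sorted list of alert reasons."""
    reasons = defaultdict(set)
    per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_ip[rec["ip"]] += 1
        if SCANNER_UA.search(rec["ua"]):
            reasons[rec["ip"]].add("scanner_user_agent")
        # Decode percent-encoding first: the probe arrives as %27, not as a quote.
        query = unquote(rec["path"].partition("?")[2])
        if query and SQLI_HINT.search(query):
            reasons[rec["ip"]].add("sqli_probe")
            if rec["status"].startswith("5"):
                reasons[rec["ip"]].add("server_error_on_probe")
    for ip, count in per_ip.items():
        if count >= burst_threshold:
            reasons[ip].add("request_burst")
    return {ip: sorted(r) for ip, r in reasons.items()}
```

A 5xx response to a quoted parameter is the strongest of these signals for an application owner: it means the database error surfaced to the client, which is exactly the condition the page’s manual check relies on, and it should be treated as a finding regardless of who sent the request.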
STRENGTHS AND WEAKNESSES
As with all testing tools, web application security scanners are not perfect and have strengths and weaknesses.
Strengths and advantages
These tools can detect vulnerabilities in finalized release candidate versions prior to shipping. Scanners simulate a malicious user by attacking and probing, identifying results which are not part of the expected result set.
As dynamic testing tools, web scanners are not language dependent. A web application scanner is able to scan engine-driven web applications. Attackers use the same tools, so if the tools can find a vulnerability, so can attackers.
Weaknesses and Limitations
Free tools are usually not updated with the latest language-specific security flaws contained in recently updated languages; while this might be a minority of vulnerabilities, competent attackers are expected to try those attacks, especially if they can learn which language the target website uses.
It is usually not possible to know how good a specific security scanner is if you do not have some security know-how yourself, and small business owners are hard to convince to run at least 5 free tools if the first found nothing.
Attackers could theoretically test their attacks against popular scanning tools in order to find holes in websites made by people who rely on security scanners excessively (a flaw could, for example, be one typo away from what the free tools scan for), for the purpose of building spam-sending botnets. As such, all the free tools at least are weak against competent and broad-targeting attackers.
Botnets and other attacks where the attackers can update the malware on the remaining unpatched computers are extremely hard to clear off some networks used by a large number of undisciplined users, such as some university networks that don’t teach computing at all.
Because the tool implements a dynamic testing method, it cannot cover 100% of the source code of the application, and therefore cannot cover the whole application. The penetration tester should look at the coverage of the web application or of its attack surface to know whether the tool was configured correctly or was able to understand the web application.
It is really hard for a tool to find logical flaws such as the use of weak cryptographic functions and information leakage. Even for technical flaws, if the web application doesn’t provide enough clues, the tool cannot catch them.
Furthermore, these tools don’t test for social engineering holes that are plainly obvious to competent attackers.
A recent report found that the top application technologies overlooked by most Web application scanners include JSON (such as jQuery), REST, and Google Web Toolkit in AJAX applications, Flash Remoting (AMF) and HTML5, as well as mobile apps and Web Services using JSON and REST. XML-RPC and SOAP technologies used in Web services, complex workflows such as shopping carts, and XSRF/CSRF tokens were also listed.
Conclusion: Securing Web Applications Is Imperative
Attacks on Web applications are increasing at a rapid pace. As per a report from the Computer Emergency Response Team (CERT), the number of successful Web application attacks is on the rise, from around 60% in 2002 to 80% in 2003. If Web application infringements continue to grow at this rate, customers’ confidence in online commerce will further diminish. As observed by Gartner, rampant attacks on Web applications make customers wary of making online purchases for fear of credit card tampering and leakage of credit information.
When companies fail to recognize application vulnerabilities, hackers have free rein attacking security loopholes. Hackers are increasingly focusing on Web applications for monetary gains and their attack modes are becoming more advanced and difficult to prevent.
Recent examples demonstrate the unfortunate after effects that companies have faced after such Web application breaches. Companies have borne the brunt of lawsuits, incurred financial losses, lost their credibility in the eyes of the public and, last but not least, have seen their company secrets siphoned off right under their noses.
The only way to combat the Web application security threat is to proactively scan websites and Web applications for vulnerabilities and then fix them. Implementing a Web application scanning solution must be a crucial part of any organization’s overall strategy.