OWASP - User contributions [en]

Key Project Information:OWASP Web Application Scanner Specification Project

2009-02-25T21:44:03Z

Coreylebleu: /* Content */

----
{| style="width:100%" border="0" align="center"
! colspan="8" align="center" style="background:#4058A0; color:white"|'''PROJECT INFORMATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="7" style="width:85%; background:#cccccc" align="left"|'''OWASP Web Application Scanner Specification Project'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="7" style="width:85%; background:#cccccc" align="left"|
There will always be a "gap" between the types of attacks that can be performed and those which can be found by an automated scanner. This project will attempt to outline some of those shortcomings and offer a plan for comparing and/or building web application vulnerability scanners. The project will also include feature suggestions beneficial to advanced users.
|-
| style="width:15%; background:#7B8ABD" align="center"|
'''Key Project Information'''
| style="width:14%; background:#cccccc" align="center"|
Project Leader [mailto:coreylebleu@gmail.com '''Corey LeBleu''']
| style="width:15%; background:#cccccc" align="center"|
Project Contibutors (if any)
| style="width:10%; background:#cccccc" align="center"|
Mailing List [https://lists.owasp.org/mailman/admin/owasp-web-app-scanner-specification-project '''Subscribe here'''] [mailto:owasp-web-app-scanner-specification-project@lists.owasp.org '''Use here''']
| style="width:17%; background:#cccccc" align="center"|
License [http://creativecommons.org/licenses/by-sa/3.0/ '''Creative Commons Attribution Share Alike 3.0''']
| style="width:14%; background:#cccccc" align="center"|
Project Type [[:Category:OWASP_Project#Alpha_Status_Projects|'''Document''']]
| style="width:15%; background:#cccccc" align="center"|
Sponsors if any, add link
|}
{| style="width:100%" border="0" align="center"
! align="center" style="background:#7B8ABD; color:white"|'''Release Status'''
! align="center" style="background:#7B8ABD; color:white"|'''Main Links'''
! align="center" style="background:#7B8ABD; color:white"|'''Related Projects'''
|-
| style="width:29%; background:#cccccc" align="center"|
'''[[:Category:OWASP Project Assessment#Alpha Quality Documentation Criteria|Apha Quality]]''' [[:OWASP Web Application Scanner Specification Project - Assessment Frame|Please see here for complete information.]]
| style="width:42%; background:#cccccc" align="center"|
* add link(s)
| style="width:29%; background:#cccccc" align="center"|
* if any, add link(s)
|}
----

== About ==
This project will attempt to outline some of the shortcomings of currently available web application vulnerability scanners and offer a plan for comparing and/or building web application vulnerability scanners.

== Goals & Roadmap ==
In the near future, we will be focused on the following goals...

1. Clean up feature redundancy

2. Further categorize and document modules

3. Add to platform specific checks (ex. file extensions, )

4. Adding additional "check" modules

== Content ==
 

Dynamic
Analysis of Web Application Security in Respect to Current Web
Application Vulnerability Scanners: Specification of Needs in
Comparison to Current Offerings
Introduction/Scope:
There
will always be a "gap" between the types of attacks that
can be performed and those which can be found by an automated
scanner. This paper will attempt to outline some of those
shortcomings and offer a plan for comparing/building a web
application vulnerability scanner.
 • Need
for analysis by attack type

 • Coverage
and integration with other tools and/or scripting support
 • Need
to assist "technical" attacker to perform "custom"
checks
 • Support
for "custom" reporting

_____________________________________________________________________________________
General
Topics:
 • Automated
vs. Manual Discovery – The Need for Integration Between Tools
 • Web
Application Security – The Need for Automated Testing Tools 


 • Integrated
Threat Modeling Feature – Identifying API Exposures and
Assigning Risk
_____________________________________________________________________________________
[[OWASP_Web_Application_Scanner_Specification_Project_Baseline]]

Ideal
Baseline - Needs For Scanner:

 • Integration
with Std. VA scanner
 • Integration
with HTTP Proxies

 • Exportable
Storage of Results
 • XML
Format
 • Database
Formats

 • Search Engine
Harvester Modules
 • Ability
to Document/Flag Good and Bad Results
 • Limit
scan to specified IPs/Hosts, Domains, and Ports Discovered on Host
running HTTP(s) 

 •
checksum content b/t ports, hosts, etc. for same content

 • Be
able to accurately reproduce results (ex. -- reply request
and show in browser)
 • Spidering
and Resource Identification 

 • User
defined optimization of scan threads, timeouts, etc
 • Virtual
host identification - edit cost, diff btw pages –

 •
HDM idea - Intranet hostname exposure, etc.....over 512 bytes, insane
overhead
 • DNS
grinding, etc 

 • http://www.owasp.org/index.php/Testing_for_Application_Discovery_(OWASP-IG-005)
 • Auth
vs UnAuth forced Browsing 


 • checkout
step bypass, etc
 • Accurately
identify directories and files present (and supported extensions)
 • Ability
to add checks for permeation based dir checks
 • User
is able to specify and retest extra files, dirs, and attacks as well
as add to test "template"

 • (retest/add
this dir for all vulns/files, retest this dir for XSS, rerun all SQL
injection, etc)
 • Ability
to specify custom HTTP requests and form templates based on HTTP
requests and errors
 • Fuzzer


 • ability
to model after "stored" requests,

 • pop
out?
 • HTTP
 • WSDL
 • Iteration
based fuzzing and discovery - ie, Pornzilla
 • Cookies/Session
testing and analysis 


 • automated
analysis and manual analysis replay idea (my idea kinda......need to
elaborate)
 • Platform
Specific tests and customization/AI (MS, .Net, Java, Apache)
 • Path,
Error Path and Verbose errors Identification 

 • Tomcat

 • ASP.NET
 • CFM
 • JSP
 • Apache
 • Request
Comparison

 • Cookies
 • Collection
 • Encoder/Decoder
 • Comparison
 • Authentication
Tester/Brute Forcer

 • Form
 • Basic
 • NTLM
 • Cookies/Sessions
 • SSL/Encryption
strength analysis

 • Easy
"dictionary" customization
 • Application
Servers/Frameworks
 • Apache
Tomcat
 • Ruby
on Rails

 • Django
 • JavaScript
Framework Identification
 • Dojo
 • script.aculo.us
 • Prototype

 • DWR
 • GWT
 • Sajax 
 • Endpoint
Identification
 • 3rd
Party Resources

 • RSS
 • Atom
 • Misc.
Web Service oriented
 • Web
Admin Console Identification
 • JBoss

 • JRun
 • Web
Services
 • SOAP
 • WSDL
 • UDDI/Endpoint
Discovery Protocols

 • WS-Security
 • ReST
 • Flash/Flex
 • Java
 • ActiveX

 • User
identification (error messages, user dirs, etc) and customization
(ex. add to BF dictionary)
 • DB
Platform Identification
 • MSSQL
 • MySQL
 • Sybase

 • MS
Access
 • Oracle
 • DB2
 • DB/XML
store of files/dirs - grepable
_____________________________________________________________________________________

Platform
and Resource Requirements:
 • DB
Platform Identification
 • MSSQL
 • MySQL
 • Sybase

 • MS
Access
 • Oracle
 • DB2
 • Web
Platform Identification
 • IIS

 • Tomcat
 • ASP.NET
 • CFM
 • JSP
 • Apache

 • ActiveX
 • Java
Applets
 • Javascript
and JS Frameworks
 • Flex
 • Flash

 • ReST
 • SOAP/WSDL
 • WEBrick
 • Django
(python)
_____________________________________________________________________________________

Modules:
 • XSS

 • DOM
Injection Attacks
 • Stored
 • Reflected

 • Injection
Attacks
 • SQL
 • XML/XPATH/XMLRCP/SOAP
- DOM-based XSS - Difficult - can't grep sourcd
 • JSON
(Javascript Object Notation) 


 • Link
Injection/Insertion (eg. OWA)
 • Dir
Traversal
 • File
Include
 • XSRF
 • HTTP
Response Splitting

 • Cookie
Collector and Checks
 • Cookies
Enabled (Y/N)
 • Flags
Set in Cookies
 • HTTPOnly
 • Secure

 • Domain
 • Path
 • Expires
 • Cookie
Randomization
 • GUI
plotting

 • Web
Platform Specific Checks
 • IIS
 • IPP
 • IDA/IDQ
 • FrontPage

 • Anon
 • Files/Extensions
 • MSSQL
 • Microsoft
.NET
 • .NET
Version Enumeration

 • ViewState
 • Decoder
 • Value
collection
 • Value
comparison
 • Identification
of Repeating VS Unique Values

 • Identification
of Possibly Sensitive Values
 • Changes
in Relation to Application Logic
 • Apache
 • userdir
 • MySQL

 • Docs
 • Modules
installed
 • OpenSSL
 • ModSSL
 • Expect

 • ModSecurity
 • Mod_jk
 • Apache
Tomcat
 • mgmt/admin
interface
 • Docs

 • General
platform and hardware/device specific checks
 • Parameter
identification (Identify inputs)
 • Identify
ALL Resources that appear to accept "user-defined" input
 • HTTP
OPTIONS

 • HTTP
Track/XST
 • Comments
 • Internal
IP Disclosure
 • Mgmt
Interface Scanner 


 • /jmx-console
 • /web-console
 • Conf
File Scanner 

 • /WEB-INF/web.xml

 • /robots.txt
 • /.htaccess
 • /jmx-console
site enumeration (not just identify presence of web console)
 • /web-console
site enumeration (not just identify presence of web console)
 • File
Include/Insertion Scanner (esp PHP)

 • Authentication
Scanner
 • Basic/NTLM
Identification
 • Form-based
Authentication Identification
 • Username
Enumeration
 • User-dir

 • Page
Scraping 

 • Site
Mirroring
 • Google
– Email Scraper 

 • Brute-Forcer

 • Dictionary
attacker
 • Easy
"dictionary" customization
 • Default
Password Tester
 • By
Platform

 • Source
Code Disclosure (eg. %00, %20)
 • Page
pattern matcher (Page Structure VS <Diff> Page Content)
 • Incorrect
usage of eval()
 • OS
command shell


 • Software
Version Identification 

 • regex
values
 • window
<Title> names

 • comments


 • base
platform
 • Hidden
Fields/Links Enumerator
 • File
Upload Enumerator

 • Log
File Scanner
 • Temp
Files
 • Search
Function for associated Vulns and software versions
 • Ability
to Reference Common Security Sites for Vulnerability Information
 • Path
Case-sensitivity enumerator

 • Encodings
Supported
 • Servlet
Mapper
 • Local
Search Engine Enumeration
 • Google
File/DIR mapper
 • BackEnd
DB Type Enumerator

 • Application
logic enumerator
 • ActiveX,
Java object enumerator
 • LDAP
Checks
 • File
Ext and Dir Mapper 


 • System
Platform Type/Version Enumerator
 • Supported
File Types Enumerator
 • Unmapped
File Extensions
 • Identifying
"sensitive" data

 • Web
Framework and Application Fingerprinting 

 • Flash/Flex


 • J2EE
 • JBoss



 • JRun
 • Apache
Foundation
 • Web
Server
 • Tomcat

 • Axis


 • Ruby
on Rails
 • Zend
 • Django



 • Jakarta
Struts (and other MVC architectures)
 • Exposed
Source-Code analysis (VM-like environment to run in)
 • FireBug
(pop-out?)
_____________________________________________________________________________________
Reporting/Results:

 • Database/XML
compatible storage 

 • data
correlation with other (HTTP) tools
 • AUTO
TXT, DB, SQL, source file ARCHIVER/STORED DIRECTORY

Key Project Information:OWASP Web Application Scanner Specification Project

2009-02-25T21:40:10Z

Coreylebleu: /* Content */

----
{| style="width:100%" border="0" align="center"
! colspan="8" align="center" style="background:#4058A0; color:white"|'''PROJECT INFORMATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="7" style="width:85%; background:#cccccc" align="left"|'''OWASP Web Application Scanner Specification Project'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="7" style="width:85%; background:#cccccc" align="left"|
There will always be a "gap" between the types of attacks that can be performed and those which can be found by an automated scanner. This project will attempt to outline some of those shortcomings and offer a plan for comparing and/or building web application vulnerability scanners. The project will also include feature suggestions beneficial to advanced users.
|-
| style="width:15%; background:#7B8ABD" align="center"|
'''Key Project Information'''
| style="width:14%; background:#cccccc" align="center"|
Project Leader [mailto:coreylebleu@gmail.com '''Corey LeBleu''']
| style="width:15%; background:#cccccc" align="center"|
Project Contibutors (if any)
| style="width:10%; background:#cccccc" align="center"|
Mailing List [https://lists.owasp.org/mailman/admin/owasp-web-app-scanner-specification-project '''Subscribe here'''] [mailto:owasp-web-app-scanner-specification-project@lists.owasp.org '''Use here''']
| style="width:17%; background:#cccccc" align="center"|
License [http://creativecommons.org/licenses/by-sa/3.0/ '''Creative Commons Attribution Share Alike 3.0''']
| style="width:14%; background:#cccccc" align="center"|
Project Type [[:Category:OWASP_Project#Alpha_Status_Projects|'''Document''']]
| style="width:15%; background:#cccccc" align="center"|
Sponsors if any, add link
|}
{| style="width:100%" border="0" align="center"
! align="center" style="background:#7B8ABD; color:white"|'''Release Status'''
! align="center" style="background:#7B8ABD; color:white"|'''Main Links'''
! align="center" style="background:#7B8ABD; color:white"|'''Related Projects'''
|-
| style="width:29%; background:#cccccc" align="center"|
'''[[:Category:OWASP Project Assessment#Alpha Quality Documentation Criteria|Apha Quality]]''' [[:OWASP Web Application Scanner Specification Project - Assessment Frame|Please see here for complete information.]]
| style="width:42%; background:#cccccc" align="center"|
* add link(s)
| style="width:29%; background:#cccccc" align="center"|
* if any, add link(s)
|}
----

== About ==
This project will attempt to outline some of the shortcomings of currently available web application vulnerability scanners and offer a plan for comparing and/or building web application vulnerability scanners.

== Goals & Roadmap ==
In the near future, we will be focused on the following goals...

1. Clean up feature redundancy

2. Further categorize and document modules

3. Add to platform specific checks (ex. file extensions, )

4. Adding additional "check" modules

== Content ==
 

Dynamic
Analysis of Web Application Security in Respect to Current Web
Application Vulnerability Scanners: Specification of Needs in
Comparison to Current Offerings
Introduction/Scope:
There
will always be a "gap" between the types of attacks that
can be performed and those which can be found by an automated
scanner. This paper will attempt to outline some of those
shortcomings and offer a plan for comparing/building a web
application vulnerability scanner.
 • Need
for analysis by attack type

 • Coverage
and integration with other tools and/or scripting support
 • Need
to assist "technical" attacker to perform "custom"
checks
 • Support
for "custom" reporting

_____________________________________________________________________________________
General
Topics:
 • Automated
vs. Manual Discovery – The Need for Integration Between Tools
 • Web
Application Security – The Need for Automated Testing Tools 


 • Integrated
Threat Modeling Feature – Identifying API Exposures and
Assigning Risk
_____________________________________________________________________________________
Ideal
Baseline - Needs For Scanner:[[OWASP_Web_Application_Scanner_Specification_Project_Baseline]]

 • Integration
with Std. VA scanner
 • Integration
with HTTP Proxies

 • Exportable
Storage of Results
 • XML
Format
 • Database
Formats

 • Search Engine
Harvester Modules
 • Ability
to Document/Flag Good and Bad Results
 • Limit
scan to specified IPs/Hosts, Domains, and Ports Discovered on Host
running HTTP(s) 

 •
checksum content b/t ports, hosts, etc. for same content

 • Be
able to accurately reproduce results (ex. -- reply request
and show in browser)
 • Spidering
and Resource Identification 

 • User
defined optimization of scan threads, timeouts, etc
 • Virtual
host identification - edit cost, diff btw pages –

 •
HDM idea - Intranet hostname exposure, etc.....over 512 bytes, insane
overhead
 • DNS
grinding, etc 

 • http://www.owasp.org/index.php/Testing_for_Application_Discovery_(OWASP-IG-005)
 • Auth
vs UnAuth forced Browsing 


 • checkout
step bypass, etc
 • Accurately
identify directories and files present (and supported extensions)
 • Ability
to add checks for permeation based dir checks
 • User
is able to specify and retest extra files, dirs, and attacks as well
as add to test "template"

 • (retest/add
this dir for all vulns/files, retest this dir for XSS, rerun all SQL
injection, etc)
 • Ability
to specify custom HTTP requests and form templates based on HTTP
requests and errors
 • Fuzzer


 • ability
to model after "stored" requests,

 • pop
out?
 • HTTP
 • WSDL
 • Iteration
based fuzzing and discovery - ie, Pornzilla
 • Cookies/Session
testing and analysis 


 • automated
analysis and manual analysis replay idea (my idea kinda......need to
elaborate)
 • Platform
Specific tests and customization/AI (MS, .Net, Java, Apache)
 • Path,
Error Path and Verbose errors Identification 

 • Tomcat

 • ASP.NET
 • CFM
 • JSP
 • Apache
 • Request
Comparison

 • Cookies
 • Collection
 • Encoder/Decoder
 • Comparison
 • Authentication
Tester/Brute Forcer

 • Form
 • Basic
 • NTLM
 • Cookies/Sessions
 • SSL/Encryption
strength analysis

 • Easy
"dictionary" customization
 • Application
Servers/Frameworks
 • Apache
Tomcat
 • Ruby
on Rails

 • Django
 • JavaScript
Framework Identification
 • Dojo
 • script.aculo.us
 • Prototype

 • DWR
 • GWT
 • Sajax 
 • Endpoint
Identification
 • 3rd
Party Resources

 • RSS
 • Atom
 • Misc.
Web Service oriented
 • Web
Admin Console Identification
 • JBoss

 • JRun
 • Web
Services
 • SOAP
 • WSDL
 • UDDI/Endpoint
Discovery Protocols

 • WS-Security
 • ReST
 • Flash/Flex
 • Java
 • ActiveX

 • User
identification (error messages, user dirs, etc) and customization
(ex. add to BF dictionary)
 • DB
Platform Identification
 • MSSQL
 • MySQL
 • Sybase

 • MS
Access
 • Oracle
 • DB2
 • DB/XML
store of files/dirs - grepable
_____________________________________________________________________________________

Platform
and Resource Requirements:
 • DB
Platform Identification
 • MSSQL
 • MySQL
 • Sybase

 • MS
Access
 • Oracle
 • DB2
 • Web
Platform Identification
 • IIS

 • Tomcat
 • ASP.NET
 • CFM
 • JSP
 • Apache

 • ActiveX
 • Java
Applets
 • Javascript
and JS Frameworks
 • Flex
 • Flash

 • ReST
 • SOAP/WSDL
 • WEBrick
 • Django
(python)
_____________________________________________________________________________________

Modules:
 • XSS

 • DOM
Injection Attacks
 • Stored
 • Reflected

 • Injection
Attacks
 • SQL
 • XML/XPATH/XMLRCP/SOAP
- DOM-based XSS - Difficult - can't grep sourcd
 • JSON
(Javascript Object Notation) 


 • Link
Injection/Insertion (eg. OWA)
 • Dir
Traversal
 • File
Include
 • XSRF
 • HTTP
Response Splitting

 • Cookie
Collector and Checks
 • Cookies
Enabled (Y/N)
 • Flags
Set in Cookies
 • HTTPOnly
 • Secure

 • Domain
 • Path
 • Expires
 • Cookie
Randomization
 • GUI
plotting

 • Web
Platform Specific Checks
 • IIS
 • IPP
 • IDA/IDQ
 • FrontPage

 • Anon
 • Files/Extensions
 • MSSQL
 • Microsoft
.NET
 • .NET
Version Enumeration

 • ViewState
 • Decoder
 • Value
collection
 • Value
comparison
 • Identification
of Repeating VS Unique Values

 • Identification
of Possibly Sensitive Values
 • Changes
in Relation to Application Logic
 • Apache
 • userdir
 • MySQL

 • Docs
 • Modules
installed
 • OpenSSL
 • ModSSL
 • Expect

 • ModSecurity
 • Mod_jk
 • Apache
Tomcat
 • mgmt/admin
interface
 • Docs

 • General
platform and hardware/device specific checks
 • Parameter
identification (Identify inputs)
 • Identify
ALL Resources that appear to accept "user-defined" input
 • HTTP
OPTIONS

 • HTTP
Track/XST
 • Comments
 • Internal
IP Disclosure
 • Mgmt
Interface Scanner 


 • /jmx-console
 • /web-console
 • Conf
File Scanner 

 • /WEB-INF/web.xml

 • /robots.txt
 • /.htaccess
 • /jmx-console
site enumeration (not just identify presence of web console)
 • /web-console
site enumeration (not just identify presence of web console)
 • File
Include/Insertion Scanner (esp PHP)

 • Authentication
Scanner
 • Basic/NTLM
Identification
 • Form-based
Authentication Identification
 • Username
Enumeration
 • User-dir

 • Page
Scraping 

 • Site
Mirroring
 • Google
– Email Scraper 

 • Brute-Forcer

 • Dictionary
attacker
 • Easy
"dictionary" customization
 • Default
Password Tester
 • By
Platform

 • Source
Code Disclosure (eg. %00, %20)
 • Page
pattern matcher (Page Structure VS <Diff> Page Content)
 • Incorrect
usage of eval()
 • OS
command shell


 • Software
Version Identification 

 • regex
values
 • window
<Title> names

 • comments


 • base
platform
 • Hidden
Fields/Links Enumerator
 • File
Upload Enumerator

 • Log
File Scanner
 • Temp
Files
 • Search
Function for associated Vulns and software versions
 • Ability
to Reference Common Security Sites for Vulnerability Information
 • Path
Case-sensitivity enumerator

 • Encodings
Supported
 • Servlet
Mapper
 • Local
Search Engine Enumeration
 • Google
File/DIR mapper
 • BackEnd
DB Type Enumerator

 • Application
logic enumerator
 • ActiveX,
Java object enumerator
 • LDAP
Checks
 • File
Ext and Dir Mapper 


 • System
Platform Type/Version Enumerator
 • Supported
File Types Enumerator
 • Unmapped
File Extensions
 • Identifying
"sensitive" data

 • Web
Framework and Application Fingerprinting 

 • Flash/Flex


 • J2EE
 • JBoss



 • JRun
 • Apache
Foundation
 • Web
Server
 • Tomcat

 • Axis


 • Ruby
on Rails
 • Zend
 • Django



 • Jakarta
Struts (and other MVC architectures)
 • Exposed
Source-Code analysis (VM-like environment to run in)
 • FireBug
(pop-out?)
_____________________________________________________________________________________
Reporting/Results:

 • Database/XML
compatible storage 

 • data
correlation with other (HTTP) tools
 • AUTO
TXT, DB, SQL, source file ARCHIVER/STORED DIRECTORY

OWASP Web Application Scanner Specification Project Baseline

2009-02-25T21:32:42Z

Coreylebleu: New page: holding page

holding page

Key Project Information:OWASP Web Application Scanner Specification Project

2009-02-25T03:02:30Z

Coreylebleu: /* Content */

----
{| style="width:100%" border="0" align="center"
! colspan="8" align="center" style="background:#4058A0; color:white"|'''PROJECT INFORMATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="7" style="width:85%; background:#cccccc" align="left"|'''OWASP Web Application Scanner Specification Project'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="7" style="width:85%; background:#cccccc" align="left"|
There will always be a "gap" between the types of attacks that can be performed and those which can be found by an automated scanner. This project will attempt to outline some of those shortcomings and offer a plan for comparing and/or building web application vulnerability scanners. The project will also include feature suggestions beneficial to advanced users.
|-
| style="width:15%; background:#7B8ABD" align="center"|
'''Key Project Information'''
| style="width:14%; background:#cccccc" align="center"|
Project Leader [mailto:coreylebleu@gmail.com '''Corey LeBleu''']
| style="width:15%; background:#cccccc" align="center"|
Project Contibutors (if any)
| style="width:10%; background:#cccccc" align="center"|
Mailing List [https://lists.owasp.org/mailman/admin/owasp-web-app-scanner-specification-project '''Subscribe here'''] [mailto:owasp-web-app-scanner-specification-project@lists.owasp.org '''Use here''']
| style="width:17%; background:#cccccc" align="center"|
License [http://creativecommons.org/licenses/by-sa/3.0/ '''Creative Commons Attribution Share Alike 3.0''']
| style="width:14%; background:#cccccc" align="center"|
Project Type [[:Category:OWASP_Project#Alpha_Status_Projects|'''Document''']]
| style="width:15%; background:#cccccc" align="center"|
Sponsors if any, add link
|}
{| style="width:100%" border="0" align="center"
! align="center" style="background:#7B8ABD; color:white"|'''Release Status'''
! align="center" style="background:#7B8ABD; color:white"|'''Main Links'''
! align="center" style="background:#7B8ABD; color:white"|'''Related Projects'''
|-
| style="width:29%; background:#cccccc" align="center"|
'''[[:Category:OWASP Project Assessment#Alpha Quality Documentation Criteria|Apha Quality]]''' [[:OWASP Web Application Scanner Specification Project - Assessment Frame|Please see here for complete information.]]
| style="width:42%; background:#cccccc" align="center"|
* add link(s)
| style="width:29%; background:#cccccc" align="center"|
* if any, add link(s)
|}
----

== About ==
This project will attempt to outline some of the shortcomings of currently available web application vulnerability scanners and offer a plan for comparing and/or building web application vulnerability scanners.

== Goals & Roadmap ==
In the near future, we will be focused on the following goals...

1. Clean up feature redundancy

2. Further categorize and document modules

3. Add to platform specific checks (ex. file extensions, )

4. Adding additional "check" modules

== Content ==
 

Dynamic
Analysis of Web Application Security in Respect to Current Web
Application Vulnerability Scanners: Specification of Needs in
Comparison to Current Offerings
Introduction/Scope:
There
will always be a "gap" between the types of attacks that
can be performed and those which can be found by an automated
scanner. This paper will attempt to outline some of those
shortcomings and offer a plan for comparing/building a web
application vulnerability scanner.
 • Need
for analysis by attack type

 • Coverage
and integration with other tools and/or scripting support
 • Need
to assist "technical" attacker to perform "custom"
checks
 • Support
for "custom" reporting

_____________________________________________________________________________________
General
Topics:
 • Automated
vs. Manual Discovery – The Need for Integration Between Tools
 • Web
Application Security – The Need for Automated Testing Tools 


 • Integrated
Threat Modeling Feature – Identifying API Exposures and
Assigning Risk
_____________________________________________________________________________________
Ideal
Baseline - Needs For Scanner:
 • Integration
with Std. VA scanner
 • Integration
with HTTP Proxies

 • Exportable
Storage of Results
 • XML
Format
 • Database
Formats

 • Search Engine
Harvester Modules
 • Ability
to Document/Flag Good and Bad Results
 • Limit
scan to specified IPs/Hosts, Domains, and Ports Discovered on Host
running HTTP(s) 

 •
checksum content b/t ports, hosts, etc. for same content

 • Be
able to accurately reproduce results (ex. -- reply request
and show in browser)
 • Spidering
and Resource Identification 

 • User
defined optimization of scan threads, timeouts, etc
 • Virtual
host identification - edit cost, diff btw pages –

 •
HDM idea - Intranet hostname exposure, etc.....over 512 bytes, insane
overhead
 • DNS
grinding, etc 

 • http://www.owasp.org/index.php/Testing_for_Application_Discovery_(OWASP-IG-005)
 • Auth
vs UnAuth forced Browsing 


 • checkout
step bypass, etc
 • Accurately
identify directories and files present (and supported extensions)
 • Ability
to add checks for permeation based dir checks
 • User
is able to specify and retest extra files, dirs, and attacks as well
as add to test "template"

 • (retest/add
this dir for all vulns/files, retest this dir for XSS, rerun all SQL
injection, etc)
 • Ability
to specify custom HTTP requests and form templates based on HTTP
requests and errors
 • Fuzzer


 • ability
to model after "stored" requests,

 • pop
out?
 • HTTP
 • WSDL
 • Iteration
based fuzzing and discovery - ie, Pornzilla
 • Cookies/Session
testing and analysis 


 • automated
analysis and manual analysis replay idea (my idea kinda......need to
elaborate)
 • Platform
Specific tests and customization/AI (MS, .Net, Java, Apache)
 • Path,
Error Path and Verbose errors Identification 

 • Tomcat

 • ASP.NET
 • CFM
 • JSP
 • Apache
 • Request
Comparison

 • Cookies
 • Collection
 • Encoder/Decoder
 • Comparison
 • Authentication
Tester/Brute Forcer

 • Form
 • Basic
 • NTLM
 • Cookies/Sessions
 • SSL/Encryption
strength analysis

 • Easy
"dictionary" customization
 • Application
Servers/Frameworks
 • Apache
Tomcat
 • Ruby
on Rails

 • Django
 • JavaScript
Framework Identification
 • Dojo
 • script.aculo.us
 • Prototype

 • DWR
 • GWT
 • Sajax 
 • Endpoint
Identification
 • 3rd
Party Resources

 • RSS
 • Atom
 • Misc.
Web Service oriented
 • Web
Admin Console Identification
 • JBoss

 • JRun
 • Web
Services
 • SOAP
 • WSDL
 • UDDI/Endpoint
Discovery Protocols

 • WS-Security
 • ReST
 • Flash/Flex
 • Java
 • ActiveX

 • User
identification (error messages, user dirs, etc) and customization
(ex. add to BF dictionary)
 • DB
Platform Identification
 • MSSQL
 • MySQL
 • Sybase

 • MS
Access
 • Oracle
 • DB2
 • DB/XML
store of files/dirs - grepable
_____________________________________________________________________________________

Platform
and Resource Requirements:
 • DB
Platform Identification
 • MSSQL
 • MySQL
 • Sybase

 • MS
Access
 • Oracle
 • DB2
 • Web
Platform Identification
 • IIS

 • Tomcat
 • ASP.NET
 • CFM
 • JSP
 • Apache

 • ActiveX
 • Java
Applets
 • Javascript
and JS Frameworks
 • Flex
 • Flash

 • ReST
 • SOAP/WSDL
 • WEBrick
 • Django
(python)
_____________________________________________________________________________________

Modules:
 • XSS

 • DOM
Injection Attacks
 • Stored
 • Reflected

 • Injection
Attacks
 • SQL
 • XML/XPATH/XMLRCP/SOAP
- DOM-based XSS - Difficult - can't grep sourcd
 • JSON
(Javascript Object Notation) 


 • Link
Injection/Insertion (eg. OWA)
 • Dir
Traversal
 • File
Include
 • XSRF
 • HTTP
Response Splitting

 • Cookie
Collector and Checks
 • Cookies
Enabled (Y/N)
 • Flags
Set in Cookies
 • HTTPOnly
 • Secure

 • Domain
 • Path
 • Expires
 • Cookie
Randomization
 • GUI
plotting

 • Web
Platform Specific Checks
 • IIS
 • IPP
 • IDA/IDQ
 • FrontPage

 • Anon
 • Files/Extensions
 • MSSQL
 • Microsoft
.NET
 • .NET
Version Enumeration

 • ViewState
 • Decoder
 • Value
collection
 • Value
comparison
 • Identification
of Repeating VS Unique Values

 • Identification
of Possibly Sensitive Values
 • Changes
in Relation to Application Logic
 • Apache
 • userdir
 • MySQL

 • Docs
 • Modules
installed
 • OpenSSL
 • ModSSL
 • Expect

 • ModSecurity
 • Mod_jk
 • Apache
Tomcat
 • mgmt/admin
interface
 • Docs

 • General
platform and hardware/device specific checks
 • Parameter
identification (Identify inputs)
 • Identify
ALL Resources that appear to accept "user-defined" input
 • HTTP
OPTIONS

 • HTTP
Track/XST
 • Comments
 • Internal
IP Disclosure
 • Mgmt
Interface Scanner 


 • /jmx-console
 • /web-console
 • Conf
File Scanner 

 • /WEB-INF/web.xml

 • /robots.txt
 • /.htaccess
 • /jmx-console
site enumeration (not just identify presence of web console)
 • /web-console
site enumeration (not just identify presence of web console)
 • File
Include/Insertion Scanner (esp PHP)

 • Authentication
Scanner
 • Basic/NTLM
Identification
 • Form-based
Authentication Identification
 • Username
Enumeration
 • User-dir

 • Page
Scraping 

 • Site
Mirroring
 • Google
– Email Scraper 

 • Brute-Forcer

 • Dictionary
attacker
 • Easy
"dictionary" customization
 • Default
Password Tester
 • By
Platform

 • Source
Code Disclosure (eg. %00, %20)
 • Page
pattern matcher (Page Structure VS <Diff> Page Content)
 • Incorrect
usage of eval()
 • OS
command shell


 • Software
Version Identification 

 • regex
values
 • window
<Title> names

 • comments


 • base
platform
 • Hidden
Fields/Links Enumerator
 • File
Upload Enumerator

 • Log
File Scanner
 • Temp
Files
 • Search
Function for associated Vulns and software versions
 • Ability
to Reference Common Security Sites for Vulnerability Information
 • Path
Case-sensitivity enumerator

 • Encodings
Supported
 • Servlet
Mapper
 • Local
Search Engine Enumeration
 • Google
File/DIR mapper
 • BackEnd
DB Type Enumerator

 • Application
logic enumerator
 • ActiveX,
Java object enumerator
 • LDAP
Checks
 • File
Ext and Dir Mapper 


 • System
Platform Type/Version Enumerator
 • Supported
File Types Enumerator
 • Unmapped
File Extensions
 • Identifying
"sensitive" data

 • Web
Framework and Application Fingerprinting 

 • Flash/Flex


 • J2EE
 • JBoss



 • JRun
 • Apache
Foundation
 • Web
Server
 • Tomcat

 • Axis


 • Ruby
on Rails
 • Zend
 • Django



 • Jakarta
Struts (and other MVC architectures)
 • Exposed
Source-Code analysis (VM-like environment to run in)
 • FireBug
(pop-out?)
_____________________________________________________________________________________
Reporting/Results:

 • Database/XML
compatible storage 

 • data
correlation with other (HTTP) tools
 • AUTO
TXT, DB, SQL, source file ARCHIVER/STORED DIRECTORY

Key Project Information:OWASP Web Application Scanner Specification Project

2009-02-25T02:06:08Z

Coreylebleu: /* Content */

----
{| style="width:100%" border="0" align="center"
! colspan="8" align="center" style="background:#4058A0; color:white"|'''PROJECT INFORMATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="7" style="width:85%; background:#cccccc" align="left"|'''OWASP Web Application Scanner Specification Project'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="7" style="width:85%; background:#cccccc" align="left"|
There will always be a "gap" between the types of attacks that can be performed and those which can be found by an automated scanner. This project will attempt to outline some of those shortcomings and offer a plan for comparing and/or building web application vulnerability scanners. The project will also include feature suggestions beneficial to advanced users.
|-
| style="width:15%; background:#7B8ABD" align="center"|
'''Key Project Information'''
| style="width:14%; background:#cccccc" align="center"|
Project Leader [mailto:coreylebleu@gmail.com '''Corey LeBleu''']
| style="width:15%; background:#cccccc" align="center"|
Project Contibutors (if any)
| style="width:10%; background:#cccccc" align="center"|
Mailing List [https://lists.owasp.org/mailman/admin/owasp-web-app-scanner-specification-project '''Subscribe here'''] [mailto:owasp-web-app-scanner-specification-project@lists.owasp.org '''Use here''']
| style="width:17%; background:#cccccc" align="center"|
License [http://creativecommons.org/licenses/by-sa/3.0/ '''Creative Commons Attribution Share Alike 3.0''']
| style="width:14%; background:#cccccc" align="center"|
Project Type [[:Category:OWASP_Project#Alpha_Status_Projects|'''Document''']]
| style="width:15%; background:#cccccc" align="center"|
Sponsors if any, add link
|}
{| style="width:100%" border="0" align="center"
! align="center" style="background:#7B8ABD; color:white"|'''Release Status'''
! align="center" style="background:#7B8ABD; color:white"|'''Main Links'''
! align="center" style="background:#7B8ABD; color:white"|'''Related Projects'''
|-
| style="width:29%; background:#cccccc" align="center"|
'''[[:Category:OWASP Project Assessment#Alpha Quality Documentation Criteria|Apha Quality]]''' [[:OWASP Web Application Scanner Specification Project - Assessment Frame|Please see here for complete information.]]
| style="width:42%; background:#cccccc" align="center"|
* add link(s)
| style="width:29%; background:#cccccc" align="center"|
* if any, add link(s)
|}
----

== About ==
This project will attempt to outline some of the shortcomings of currently available web application vulnerability scanners and offer a plan for comparing and/or building web application vulnerability scanners.

== Goals & Roadmap ==
In the near future, we will be focused on the following goals...

1. Clean up feature redundancy

2. Further categorize and document modules

3. Add to platform specific checks (ex. file extensions, )

4. Adding additional "check" modules

== Content ==
 

Dynamic
Analysis of Web Application Security in Respect to Current Web
Application Vulnerability Scanners: Specification of Needs in
Comparison to Current Offerings
Introduction/Scope:
There
will always be a "gap" between the types of attacks that
can be performed and those which can be found by an automated
scanner. This paper will attempt to outline some of those
shortcomings and offer a plan for comparing/building a web
application vulnerability scanner.
 • Need
for analysis by attack type

 • Coverage
and integration with other tools and/or scripting support
 • Need
to assist "technical" attacker to perform "custom"
checks
 • Support
for "custom" reporting

_____________________________________________________________________________________
General
Topics:
 • Automated
vs. Manual Discovery – The Need for Integration Between Tools
 • Web
Application Security – The Need for Automated Testing Tools 


 • Integrated
Threat Modeling Feature – Identifying API Exposures and
Assigning Risk
_____________________________________________________________________________________
Ideal
Baseline - Needs For Scanner:
 • Integration
with Std. VA scanner
 • Integration
with HTTP Proxies

 • Exportable
Storage of Results
 • XML
Format
 • Database
Formats

 • Google
harvester module
 • Ability
to Document/Flag Good and Bad Results
 • Limit
scan to specified IPs/Hosts, Domains, and Ports Discovered on Host
running HTTP(s) 

 •
checksum content b/t ports, hosts, etc. for same content

 • Be
able to accurately reproduce results (ex. -- reply request
and show in browser)
 • Spidering
and Resource Identification 

 • User
defined optimization of scan threads, timeouts, etc
 • Virtual
host identification - edit cost, diff btw pages –

 •
HDM idea - Intranet hostname exposure, etc.....over 512 bytes, insane
overhead
 • DNS
grinding, etc 

 • http://www.owasp.org/index.php/Testing_for_Application_Discovery_(OWASP-IG-005)
 • Auth
vs UnAuth forced Browsing 


 • checkout
step bypass, etc
 • Accurately
identify directories and files present (and supported extensions)
 • Ability
to add checks for permeation based dir checks
 • User
is able to specify and retest extra files, dirs, and attacks as well
as add to test "template"

 • (retest/add
this dir for all vulns/files, retest this dir for XSS, rerun all SQL
injection, etc)
 • Ability
to specify custom HTTP requests and form templates based on HTTP
requests and errors
 • Fuzzer


 • ability
to model after "stored" requests,

 • pop
out?
 • HTTP
 • WSDL
 • Iteration
based fuzzing and discovery - ie, Pornzilla
 • Cookies/Session
testing and analysis 


 • automated
analysis and manual analysis replay idea (my idea kinda......need to
elaborate)
 • Platform
Specific tests and customization/AI (MS, .Net, Java, Apache)
 • Path,
Error Path and Verbose errors Identification 

 • Tomcat

 • ASP.NET
 • CFM
 • JSP
 • Apache
 • Request
Comparison

 • Cookies
 • Collection
 • Encoder/Decoder
 • Comparison
 • Authentication
Tester/Brute Forcer

 • Form
 • Basic
 • NTLM
 • Cookies/Sessions
 • SSL/Encryption
strength analysis

 • Easy
"dictionary" customization
 • Application
Servers/Frameworks
 • Apache
Tomcat
 • Ruby
on Rails

 • Django
 • JavaScript
Framework Identification
 • Dojo
 • script.aculo.us
 • Prototype

 • DWR
 • GWT
 • Sajax 
 • Endpoint
Identification
 • 3rd
Party Resources

 • RSS
 • Atom
 • Misc.
Web Service oriented
 • Web
Admin Console Identification
 • JBoss

 • JRun
 • Web
Services
 • SOAP
 • WSDL
 • UDDI/Endpoint
Discovery Protocols

 • WS-Security
 • ReST
 • Flash/Flex
 • Java
 • ActiveX

 • User
identification (error messages, user dirs, etc) and customization
(ex. add to BF dictionary)
 • DB
Platform Identification
 • MSSQL
 • MySQL
 • Sybase

 • MS
Access
 • Oracle
 • DB2
 • DB/XML
store of files/dirs - grepable
_____________________________________________________________________________________

Platform
and Resource Requirements:
 • DB
Platform Identification
 • MSSQL
 • MySQL
 • Sybase

 • MS
Access
 • Oracle
 • DB2
 • Web
Platform Identification
 • IIS

 • Tomcat
 • ASP.NET
 • CFM
 • JSP
 • Apache

 • ActiveX
 • Java
Applets
 • Javascript
and JS Frameworks
 • Flex
 • Flash

 • ReST
 • SOAP/WSDL
 • WEBrick
 • Django
(python)
_____________________________________________________________________________________

Modules:
 • XSS

 • DOM
Injection Attacks
 • Stored
 • Reflected

 • Injection
Attacks
 • SQL
 • XML/XPATH/XMLRCP/SOAP
- DOM-based XSS - Difficult - can't grep sourcd
 • JSON
(Javascript Object Notation) 


 • Link
Injection/Insertion (eg. OWA)
 • Dir
Traversal
 • File
Include
 • XSRF
 • HTTP
Response Splitting

 • Cookie
Collector and Checks
 • Cookies
Enabled (Y/N)
 • Flags
Set in Cookies
 • HTTPOnly
 • Secure

 • Domain
 • Path
 • Expires
 • Cookie
Randomization
 • GUI
plotting

 • Web
Platform Specific Checks
 • IIS
 • IPP
 • IDA/IDQ
 • FrontPage

 • Anon
 • Files/Extensions
 • MSSQL
 • Microsoft
.NET
 • .NET
Version Enumeration

 • ViewState
 • Decoder
 • Value
collection
 • Value
comparison
 • Identification
of Repeating VS Unique Values

 • Identification
of Possibly Sensitive Values
 • Changes
in Relation to Application Logic
 • Apache
 • userdir
 • MySQL

 • Docs
 • Modules
installed
 • OpenSSL
 • ModSSL
 • Expect

 • ModSecurity
 • Mod_jk
 • Apache
Tomcat
 • mgmt/admin
interface
 • Docs

 • General
platform and hardware/device specific checks
 • Parameter
identification (Identify inputs)
 • Identify
ALL Resources that appear to accept "user-defined" input
 • HTTP
OPTIONS

 • HTTP
Track/XST
 • Comments
 • Internal
IP Disclosure
 • Mgmt
Interface Scanner 


 • /jmx-console
 • /web-console
 • Conf
File Scanner 

 • /WEB-INF/web.xml

 • /robots.txt
 • /.htaccess
 • /jmx-console
site enumeration (not just identify presence of web console)
 • /web-console
site enumeration (not just identify presence of web console)
 • File
Include/Insertion Scanner (esp PHP)

 • Authentication
Scanner
 • Basic/NTLM
Identification
 • Form-based
Authentication Identification
 • Username
Enumeration
 • User-dir

 • Page
Scraping 

 • Site
Mirroring
 • Google
– Email Scraper 

 • Brute-Forcer

 • Dictionary
attacker
 • Easy
"dictionary" customization
 • Default
Password Tester
 • By
Platform

 • Source
Code Disclosure (eg. %00, %20)
 • Page
pattern matcher (Page Structure VS <Diff> Page Content)
 • Incorrect
usage of eval()
 • OS
command shell


 • Software
Version Identification 

 • regex
values
 • window
<Title> names

 • comments


 • base
platform
 • Hidden
Fields/Links Enumerator
 • File
Upload Enumerator

 • Log
File Scanner
 • Temp
Files
 • Search
Function for associated Vulns and software versions
 • Ability
to Reference Common Security Sites for Vulnerability Information
 • Path
Case-sensitivity enumerator

 • Encodings
Supported
 • Servlet
Mapper
 • Local
Search Engine Enumeration
 • Google
File/DIR mapper
 • BackEnd
DB Type Enumerator

 • Application
logic enumerator
 • ActiveX,
Java object enumerator
 • LDAP
Checks
 • File
Ext and Dir Mapper 


 • System
Platform Type/Version Enumerator
 • Supported
File Types Enumerator
 • Unmapped
File Extensions
 • Identifying
"sensitive" data

 • Web
Framework and Application Fingerprinting 

 • Flash/Flex


 • J2EE
 • JBoss



 • JRun
 • Apache
Foundation
 • Web
Server
 • Tomcat

 • Axis


 • Ruby
on Rails
 • Zend
 • Django



 • Jakarta
Struts (and other MVC architectures)
 • Exposed
Source-Code analysis (VM-like environment to run in)
 • FireBug
(pop-out?)
_____________________________________________________________________________________
Reporting/Results:

 • Database/XML
compatible storage 

 • data
correlation with other (HTTP) tools
 • AUTO
TXT, DB, SQL, source file ARCHIVER/STORED DIRECTORY

Key Project Information:OWASP Web Application Scanner Specification Project

2009-02-24T21:30:43Z

Coreylebleu: /* About */

----
{| style="width:100%" border="0" align="center"
! colspan="8" align="center" style="background:#4058A0; color:white"|'''PROJECT INFORMATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="7" style="width:85%; background:#cccccc" align="left"|'''OWASP Web Application Scanner Specification Project'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="7" style="width:85%; background:#cccccc" align="left"|
There will always be a "gap" between the types of attacks that can be performed and those which can be found by an automated scanner. This project will attempt to outline some of those shortcomings and offer a plan for comparing and/or building web application vulnerability scanners. The project will also include feature suggestions beneficial to advanced users.
|-
| style="width:15%; background:#7B8ABD" align="center"|
'''Key Project Information'''
| style="width:14%; background:#cccccc" align="center"|
Project Leader [mailto:coreylebleu@gmail.com '''Corey LeBleu''']
| style="width:15%; background:#cccccc" align="center"|
Project Contibutors (if any)
| style="width:10%; background:#cccccc" align="center"|
Mailing List [https://lists.owasp.org/mailman/admin/owasp-web-app-scanner-specification-project '''Subscribe here'''] [mailto:owasp-web-app-scanner-specification-project@lists.owasp.org '''Use here''']
| style="width:17%; background:#cccccc" align="center"|
License [http://creativecommons.org/licenses/by-sa/3.0/ '''Creative Commons Attribution Share Alike 3.0''']
| style="width:14%; background:#cccccc" align="center"|
Project Type [[:Category:OWASP_Project#Alpha_Status_Projects|'''Document''']]
| style="width:15%; background:#cccccc" align="center"|
Sponsors if any, add link
|}
{| style="width:100%" border="0" align="center"
! align="center" style="background:#7B8ABD; color:white"|'''Release Status'''
! align="center" style="background:#7B8ABD; color:white"|'''Main Links'''
! align="center" style="background:#7B8ABD; color:white"|'''Related Projects'''
|-
| style="width:29%; background:#cccccc" align="center"|
'''[[:Category:OWASP Project Assessment#Alpha Quality Documentation Criteria|Apha Quality]]''' [[:OWASP Web Application Scanner Specification Project - Assessment Frame|Please see here for complete information.]]
| style="width:42%; background:#cccccc" align="center"|
* add link(s)
| style="width:29%; background:#cccccc" align="center"|
* if any, add link(s)
|}
----

== About ==
This project will attempt to outline some of the shortcomings of currently available web application vulnerability scanners and offer a plan for comparing and/or building web application vulnerability scanners.

== Goals & Roadmap ==
In the near future, we will be focused on the following goals...

1. Clean up feature redundancy

2. Further categorize and document modules

3. Add to platform specific checks (ex. file extensions, )

4. Adding additional "check" modules

== Content ==
 

Dynamic
Analysis of Web Application Security in Respect to Current Web
Application Vulnerability Scanners: Specification of Needs in
Comparison to Current Offerings
Introduction/Scope:
There
will always be a "gap" between the types of attacks that
can be performed and those which can be found by an automated
scanner. This paper will attempt to outline some of those
shortcomings and offer a plan for comparing/building a web
application vulnerability scanner.
 • Need
for analysis by attack type

 • Coverage
and integration with other tools and/or scripting support
 • Need
to assist "technical" attacker to perform "custom"
checks
 • Support
for "custom" reporting

_____________________________________________________________________________________
General
Topics:
 • Automated
vs. Manual Discovery – The Need for Integration Between Tools
 • Web
Application Security – The Need for Automated Testing Tools 


 • Integrated
Threat Modeling Feature – Identifying API Exposures and
Assigning Risk
_____________________________________________________________________________________
Ideal
Baseline - Needs For Scanner:
 • Integration
with Std. VA scanner
 • Integration
with HTTP Proxies

 • Exportable
Storage of Results
 • XML
Format
 • Database
Formats
 • Scanners
and Tools to Integrate With
 • OWASP
WebScarab

 • XXXcommercialXXX
 • XXXcommercialXXX
 • XXXcommercialXXX
 • XXXcommercialXXX
 • OWASP
DIRBuster

 • Google
harvester module
 • Ability
to Document/Flag Good and Bad Results
 • Limit
scan to specified IPs/Hosts, Domains, and Ports Discovered on Host
running HTTP(s) 

 •
checksum content b/t ports, hosts, etc. for same content

 • Be
able to accurately reproduce results (ex. AppScan -- reply request
and show in browser)
 • Spidering
and Resource Identification 

 • User
defined optimization of scan threads, timeouts, etc
 • Virtual
host identification - edit cost, diff btw pages –

 •
HDM idea - Intranet hostname exposure, etc.....over 512 bytes, insane
overhead
 • DNS
grinding, etc 

 • http://www.owasp.org/index.php/Testing_for_Application_Discovery_(OWASP-IG-005)
 • Auth
vs UnAuth forced Browsing 


 • checkout
step bypass, etc
 • Accurately
identify directories and files present (and supported extensions)
 • Ability
to add checks for permeation based dir checks
 • User
is able to specify and retest extra files, dirs, and attacks as well
as add to test "template"

 • (retest/add
this dir for all vulns/files, retest this dir for XSS, rerun all SQL
injection, etc)
 • Ability
to specify custom HTTP requests and form templates based on HTTP
requests and errors
 • Fuzzer


 • ability
to model after "stored" requests,

 • pop
out?
 • HTTP
 • WSDL
 • Iteration
based fuzzing and discovery - ie, Pornzilla
 • Cookies/Session
testing and analysis 


 • automated
analysis and manual analysis replay idea (my idea kinda......need to
elaborate)
 • Platform
Specific tests and customization/AI (MS, .Net, Java, Apache)
 • Path,
Error Path and Verbose errors Identification 

 • Tomcat

 • ASP.NET
 • CFM
 • JSP
 • Apache
 • Request
Comparison

 • Cookies
 • Collection
 • Encoder/Decoder
 • Comparison
 • Authentication
Tester/Brute Forcer

 • Form
 • Basic
 • NTLM
 • Cookies/Sessions
 • SSL/Encryption
strength analysis

 • Easy
"dictionary" customization
 • Application
Servers/Frameworks
 • Apache
Tomcat
 • Ruby
on Rails

 • Django
 • JavaScript
Framework Identification
 • Dojo
 • script.aculo.us
 • Prototype

 • DWR
 • GWT
 • Sajax 
 • Endpoint
Identification
 • 3rd
Party Resources

 • RSS
 • Atom
 • Misc.
Web Service oriented
 • Web
Admin Console Identification
 • JBoss

 • JRun
 • Web
Services
 • SOAP
 • WSDL
 • UDDI/Endpoint
Discovery Protocols

 • WS-Security
 • ReST
 • Flash/Flex
 • Java
 • ActiveX

 • User
identification (error messages, user dirs, etc) and customization
(ex. add to BF dictionary)
 • DB
Platform Identification
 • MSSQL
 • MySQL
 • Sybase

 • MS
Access
 • Oracle
 • DB2
 • DB/XML
store of files/dirs - grepable
_____________________________________________________________________________________

Platform
and Resource Requirements:
 • DB
Platform Identification
 • MSSQL
 • MySQL
 • Sybase

 • MS
Access
 • Oracle
 • DB2
 • Web
Platform Identification
 • IIS

 • Tomcat
 • ASP.NET
 • CFM
 • JSP
 • Apache

 • ActiveX
 • Java
Applets
 • Javascript
and JS Frameworks
 • Flex
 • Flash

 • ReST
 • SOAP/WSDL
 • WEBrick
 • Django
(python)
_____________________________________________________________________________________

Modules:
 • XSS

 • DOM
Injection Attacks
 • Stored
 • Reflected

 • Injection
Attacks
 • SQL
 • XML/XPATH/XMLRCP/SOAP
- DOM-based XSS - Difficult - can't grep sourcd
 • JSON
(Javascript Object Notation) 


 • Link
Injection/Insertion (eg. OWA)
 • Dir
Traversal
 • File
Include
 • XSRF
 • HTTP
Response Splitting

 • Cookie
Collector and Checks
 • Cookies
Enabled (Y/N)
 • Flags
Set in Cookies
 • HTTPOnly
 • Secure

 • Domain
 • Path
 • Expires
 • Cookie
Randomization
 • GUI
plotting

 • Web
Platform Specific Checks
 • IIS
 • IPP
 • IDA/IDQ
 • FrontPage

 • Anon
 • Files/Extensions
 • MSSQL
 • Microsoft
.NET
 • .NET
Version Enumeration

 • ViewState
 • Decoder
 • Value
collection
 • Value
comparison
 • Identification
of Repeating VS Unique Values

 • Identification
of Possibly Sensitive Values
 • Changes
in Relation to Application Logic
 • Apache
 • userdir
 • MySQL

 • Docs
 • Modules
installed
 • OpenSSL
 • ModSSL
 • Expect

 • ModSecurity
 • Mod_jk
 • Apache
Tomcat
 • mgmt/admin
interface
 • Docs

 • General
platform and hardware/device specific checks
 • Parameter
identification (Identify inputs)
 • Identify
ALL Resources that appear to accept "user-defined" input
 • HTTP
OPTIONS

 • HTTP
Track/XST
 • Comments
 • Internal
IP Disclosure
 • Mgmt
Interface Scanner 


 • /jmx-console
 • /web-console
 • Conf
File Scanner 

 • /WEB-INF/web.xml

 • /robots.txt
 • /.htaccess
 • /jmx-console
site enumeration (not just identify presence of web console)
 • /web-console
site enumeration (not just identify presence of web console)
 • File
Include/Insertion Scanner (esp PHP)

 • Authentication
Scanner
 • Basic/NTLM
Identification
 • Form-based
Authentication Identification
 • Username
Enumeration
 • User-dir

 • Page
Scraping 

 • Site
Mirroring
 • Google
– Email Scraper 

 • Brute-Forcer

 • Dictionary
attacker
 • Easy
"dictionary" customization
 • Default
Password Tester
 • By
Platform

 • Source
Code Disclosure (eg. %00, %20)
 • Page
pattern matcher (Page Structure VS <Diff> Page Content)
 • Incorrect
usage of eval()
 • OS
command shell


 • Software
Version Identification 

 • regex
values
 • window
<Title> names

 • comments


 • base
platform
 • Hidden
Fields/Links Enumerator
 • File
Upload Enumerator

 • Log
File Scanner
 • Temp
Files
 • Search
Function for associated Vulns and software versions
 • Ability
to Reference Common Security Sites for Vulnerability Information
 • Path
Case-sensitivity enumerator

 • Encodings
Supported
 • Servlet
Mapper
 • Local
Search Engine Enumeration
 • Google
File/DIR mapper
 • BackEnd
DB Type Enumerator

 • Application
logic enumerator
 • ActiveX,
Java object enumerator
 • LDAP
Checks
 • File
Ext and Dir Mapper 


 • System
Platform Type/Version Enumerator
 • Supported
File Types Enumerator
 • Unmapped
File Extensions
 • Identifying
"sensitive" data

 • Web
Framework and Application Fingerprinting 

 • Flash/Flex


 • J2EE
 • JBoss



 • JRun
 • Apache
Foundation
 • Web
Server
 • Tomcat

 • Axis


 • Ruby
on Rails
 • Zend
 • Django



 • Jakarta
Struts (and other MVC architectures)
 • Exposed
Source-Code analysis (VM-like environment to run in)
 • FireBug
(pop-out?)
_____________________________________________________________________________________
Reporting/Results:

 • Database/XML
compatible storage 

 • data
correlation with other (HTTP) tools
 • AUTO
TXT, DB, SQL, source file ARCHIVER/STORED DIRECTORY

Key Project Information:OWASP Web Application Scanner Specification Project

2009-02-24T03:00:51Z

Coreylebleu:

----
{| style="width:100%" border="0" align="center"
! colspan="8" align="center" style="background:#4058A0; color:white"|'''PROJECT INFORMATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="7" style="width:85%; background:#cccccc" align="left"|'''OWASP Web Application Scanner Specification Project'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="7" style="width:85%; background:#cccccc" align="left"|
There will always be a "gap" between the types of attacks that can be performed and those which can be found by an automated scanner. This project will attempt to outline some of those shortcomings and offer a plan for comparing and/or building web application vulnerability scanners. The project will also include feature suggestions beneficial to advanced users.
|-
| style="width:15%; background:#7B8ABD" align="center"|
'''Key Project Information'''
| style="width:14%; background:#cccccc" align="center"|
Project Leader [mailto:coreylebleu@gmail.com '''Corey LeBleu''']
| style="width:15%; background:#cccccc" align="center"|
Project Contibutors (if any)
| style="width:10%; background:#cccccc" align="center"|
Mailing List [https://lists.owasp.org/mailman/admin/owasp-web-app-scanner-specification-project '''Subscribe here'''] [mailto:owasp-web-app-scanner-specification-project@lists.owasp.org '''Use here''']
| style="width:17%; background:#cccccc" align="center"|
License [http://creativecommons.org/licenses/by-sa/3.0/ '''Creative Commons Attribution Share Alike 3.0''']
| style="width:14%; background:#cccccc" align="center"|
Project Type [[:Category:OWASP_Project#Alpha_Status_Projects|'''Document''']]
| style="width:15%; background:#cccccc" align="center"|
Sponsors if any, add link
|}
{| style="width:100%" border="0" align="center"
! align="center" style="background:#7B8ABD; color:white"|'''Release Status'''
! align="center" style="background:#7B8ABD; color:white"|'''Main Links'''
! align="center" style="background:#7B8ABD; color:white"|'''Related Projects'''
|-
| style="width:29%; background:#cccccc" align="center"|
'''[[:Category:OWASP Project Assessment#Alpha Quality Documentation Criteria|Apha Quality]]''' [[:OWASP Web Application Scanner Specification Project - Assessment Frame|Please see here for complete information.]]
| style="width:42%; background:#cccccc" align="center"|
* add link(s)
| style="width:29%; background:#cccccc" align="center"|
* if any, add link(s)
|}
----

== About ==
This project will attempt to outline some of the shortcomings of currently available web application vulnerability scanners and offer a plan for comparing and/or building web application vulnerability scanners.

== Content ==
 

Dynamic
Analysis of Web Application Security in Respect to Current Web
Application Vulnerability Scanners: Specification of Needs in
Comparison to Current Offerings
Introduction/Scope:
There
will always be a "gap" between the types of attacks that
can be performed and those which can be found by an automated
scanner. This paper will attempt to outline some of those
shortcomings and offer a plan for comparing/building a web
application vulnerability scanner.
 • Need
for analysis by attack type

 • Coverage
and integration with other tools and/or scripting support
 • Need
to assist "technical" attacker to perform "custom"
checks
 • Support
for "custom" reporting

_____________________________________________________________________________________
General
Topics:
 • Automated
vs. Manual Discovery – The Need for Integration Between Tools
 • Web
Application Security – The Need for Automated Testing Tools 


 • Integrated
Threat Modeling Feature – Identifying API Exposures and
Assigning Risk
_____________________________________________________________________________________
Ideal
Baseline - Needs For Scanner:
 • Integration
with Std. VA scanner
 • Integration
with HTTP Proxies

 • Exportable
Storage of Results
 • XML
Format
 • Database
Formats
 • Scanners
and Tools to Integrate With
 • OWASP
WebScarab

 • XXXcommercialXXX
 • XXXcommercialXXX
 • XXXcommercialXXX
 • XXXcommercialXXX
 • OWASP
DIRBuster

 • Google
harvester module
 • Ability
to Document/Flag Good and Bad Results
 • Limit
scan to specified IPs/Hosts, Domains, and Ports Discovered on Host
running HTTP(s) 

 •
checksum content b/t ports, hosts, etc. for same content

 • Be
able to accurately reproduce results (ex. AppScan -- reply request
and show in browser)
 • Spidering
and Resource Identification 

 • User
defined optimization of scan threads, timeouts, etc
 • Virtual
host identification - edit cost, diff btw pages –

 •
HDM idea - Intranet hostname exposure, etc.....over 512 bytes, insane
overhead
 • DNS
grinding, etc 

 • http://www.owasp.org/index.php/Testing_for_Application_Discovery_(OWASP-IG-005)
 • Auth
vs UnAuth forced Browsing 


 • checkout
step bypass, etc
 • Accurately
identify directories and files present (and supported extensions)
 • Ability
to add checks for permeation based dir checks
 • User
is able to specify and retest extra files, dirs, and attacks as well
as add to test "template"

 • (retest/add
this dir for all vulns/files, retest this dir for XSS, rerun all SQL
injection, etc)
 • Ability
to specify custom HTTP requests and form templates based on HTTP
requests and errors
 • Fuzzer


 • ability
to model after "stored" requests,

 • pop
out?
 • HTTP
 • WSDL
 • Iteration
based fuzzing and discovery - ie, Pornzilla
 • Cookies/Session
testing and analysis 


 • automated
analysis and manual analysis replay idea (my idea kinda......need to
elaborate)
 • Platform
Specific tests and customization/AI (MS, .Net, Java, Apache)
 • Path,
Error Path and Verbose errors Identification 

 • Tomcat

 • ASP.NET
 • CFM
 • JSP
 • Apache
 • Request
Comparison

 • Cookies
 • Collection
 • Encoder/Decoder
 • Comparison
 • Authentication
Tester/Brute Forcer

 • Form
 • Basic
 • NTLM
 • Cookies/Sessions
 • SSL/Encryption
strength analysis

 • Easy
"dictionary" customization
 • Application
Servers/Frameworks
 • Apache
Tomcat
 • Ruby
on Rails

 • Django
 • JavaScript
Framework Identification
 • Dojo
 • script.aculo.us
 • Prototype

 • DWR
 • GWT
 • Sajax 
 • Endpoint
Identification
 • 3rd
Party Resources

 • RSS
 • Atom
 • Misc.
Web Service oriented
 • Web
Admin Console Identification
 • JBoss

 • JRun
 • Web
Services
 • SOAP
 • WSDL
 • UDDI/Endpoint
Discovery Protocols

 • WS-Security
 • ReST
 • Flash/Flex
 • Java
 • ActiveX

 • User
identification (error messages, user dirs, etc) and customization
(ex. add to BF dictionary)
 • DB
Platform Identification
 • MSSQL
 • MySQL
 • Sybase

 • MS
Access
 • Oracle
 • DB2
 • DB/XML
store of files/dirs - grepable
_____________________________________________________________________________________

Platform
and Resource Requirements:
 • DB
Platform Identification
 • MSSQL
 • MySQL
 • Sybase

 • MS
Access
 • Oracle
 • DB2
 • Web
Platform Identification
 • IIS

 • Tomcat
 • ASP.NET
 • CFM
 • JSP
 • Apache

 • ActiveX
 • Java
Applets
 • Javascript
and JS Frameworks
 • Flex
 • Flash

 • ReST
 • SOAP/WSDL
 • WEBrick
 • Django
(python)
_____________________________________________________________________________________

Modules:
 • XSS

 • DOM
Injection Attacks
 • Stored
 • Reflected

 • Injection
Attacks
 • SQL
 • XML/XPATH/XMLRCP/SOAP
- DOM-based XSS - Difficult - can't grep sourcd
 • JSON
(Javascript Object Notation) 


 • Link
Injection/Insertion (eg. OWA)
 • Dir
Traversal
 • File
Include
 • XSRF
 • HTTP
Response Splitting

 • Cookie
Collector and Checks
 • Cookies
Enabled (Y/N)
 • Flags
Set in Cookies
 • HTTPOnly
 • Secure

 • Domain
 • Path
 • Expires
 • Cookie
Randomization
 • GUI
plotting

 • Web
Platform Specific Checks
 • IIS
 • IPP
 • IDA/IDQ
 • FrontPage

 • Anon
 • Files/Extensions
 • MSSQL
 • Microsoft
.NET
 • .NET
Version Enumeration

 • ViewState
 • Decoder
 • Value
collection
 • Value
comparison
 • Identification
of Repeating VS Unique Values

 • Identification
of Possibly Sensitive Values
 • Changes
in Relation to Application Logic
 • Apache
 • userdir
 • MySQL

 • Docs
 • Modules
installed
 • OpenSSL
 • ModSSL
 • Expect

 • ModSecurity
 • Mod_jk
 • Apache
Tomcat
 • mgmt/admin
interface
 • Docs

 • General
platform and hardware/device specific checks
 • Parameter
identification (Identify inputs)
 • Identify
ALL Resources that appear to accept "user-defined" input
 • HTTP
OPTIONS

 • HTTP
Track/XST
 • Comments
 • Internal
IP Disclosure
 • Mgmt
Interface Scanner 


 • /jmx-console
 • /web-console
 • Conf
File Scanner 

 • /WEB-INF/web.xml

 • /robots.txt
 • /.htaccess
 • /jmx-console
site enumeration (not just identify presence of web console)
 • /web-console
site enumeration (not just identify presence of web console)
 • File
Include/Insertion Scanner (esp PHP)

 • Authentication
Scanner
 • Basic/NTLM
Identification
 • Form-based
Authentication Identification
 • Username
Enumeration
 • User-dir

 • Page
Scraping 

 • Site
Mirroring
 • Google
– Email Scraper 

 • Brute-Forcer

 • Dictionary
attacker
 • Easy
"dictionary" customization
 • Default
Password Tester
 • By
Platform

 • Source
Code Disclosure (eg. %00, %20)
 • Page
pattern matcher (Page Structure VS <Diff> Page Content)
 • Incorrect
usage of eval()
 • OS
command shell


 • Software
Version Identification 

 • regex
values
 • window
<Title> names

 • comments


 • base
platform
 • Hidden
Fields/Links Enumerator
 • File
Upload Enumerator

 • Log
File Scanner
 • Temp
Files
 • Search
Function for associated Vulns and software versions
 • Ability
to Reference Common Security Sites for Vulnerability Information
 • Path
Case-sensitivity enumerator

 • Encodings
Supported
 • Servlet
Mapper
 • Local
Search Engine Enumeration
 • Google
File/DIR mapper
 • BackEnd
DB Type Enumerator

 • Application
logic enumerator
 • ActiveX,
Java object enumerator
 • LDAP
Checks
 • File
Ext and Dir Mapper 


 • System
Platform Type/Version Enumerator
 • Supported
File Types Enumerator
 • Unmapped
File Extensions
 • Identifying
"sensitive" data

 • Web
Framework and Application Fingerprinting 

 • Flash/Flex


 • J2EE
 • JBoss



 • JRun
 • Apache
Foundation
 • Web
Server
 • Tomcat

 • Axis


 • Ruby
on Rails
 • Zend
 • Django



 • Jakarta
Struts (and other MVC architectures)
 • Exposed
Source-Code analysis (VM-like environment to run in)
 • FireBug
(pop-out?)
_____________________________________________________________________________________
Reporting/Results:

 • Database/XML
compatible storage 

 • data
correlation with other (HTTP) tools
 • AUTO
TXT, DB, SQL, source file ARCHIVER/STORED DIRECTORY

Key Project Information:OWASP Web Application Scanner Specification Project

2009-02-24T02:46:29Z

Coreylebleu: /* Content */

----
{| style="width:100%" border="0" align="center"
! colspan="8" align="center" style="background:#4058A0; color:white"|'''PROJECT INFORMATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="7" style="width:85%; background:#cccccc" align="left"|'''OWASP Web Application Scanner Specification Project'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="7" style="width:85%; background:#cccccc" align="left"|
There will always be a "gap" between the types of attacks that can be performed and those which can be found by an automated scanner. This project will attempt to outline some of those shortcomings and offer a plan for comparing and/or building web application vulnerability scanners. The project will also include feature suggestions beneficial to advanced users.
|-
| style="width:15%; background:#7B8ABD" align="center"|
'''Key Project Information'''
| style="width:14%; background:#cccccc" align="center"|
Project Leader [mailto:coreylebleu@gmail.com '''Corey LeBleu''']
| style="width:15%; background:#cccccc" align="center"|
Project Contibutors (if any)
| style="width:10%; background:#cccccc" align="center"|
Mailing List [https://lists.owasp.org/mailman/admin/owasp-web-app-scanner-specification-project '''Subscribe here'''] [mailto:owasp-web-app-scanner-specification-project@lists.owasp.org '''Use here''']
| style="width:17%; background:#cccccc" align="center"|
License [http://creativecommons.org/licenses/by-sa/3.0/ '''Creative Commons Attribution Share Alike 3.0''']
| style="width:14%; background:#cccccc" align="center"|
Project Type [[:Category:OWASP_Project#Alpha_Status_Projects|'''Document''']]
| style="width:15%; background:#cccccc" align="center"|
Sponsors if any, add link
|}
{| style="width:100%" border="0" align="center"
! align="center" style="background:#7B8ABD; color:white"|'''Release Status'''
! align="center" style="background:#7B8ABD; color:white"|'''Main Links'''
! align="center" style="background:#7B8ABD; color:white"|'''Related Projects'''
|-
| style="width:29%; background:#cccccc" align="center"|
'''[[:Category:OWASP Project Assessment#Alpha Quality Documentation Criteria|Apha Quality]]''' [[:OWASP Web Application Scanner Specification Project - Assessment Frame|Please see here for complete information.]]
| style="width:42%; background:#cccccc" align="center"|
* add link(s)
| style="width:29%; background:#cccccc" align="center"|
* if any, add link(s)
|}
----

== About ==
This project will attempt to outline some of the shortcomings of currently available web application vulnerability scanners and offer a plan for comparing and/or building web application vulnerability scanners. Check back in one day for first draft.

== Content ==
 

Dynamic
Analysis of Web Application Security in Respect to Current Web
Application Vulnerability Scanners: Specification of Needs in
Comparison to Current Offerings
Introduction/Scope:
There
will always be a "gap" between the types of attacks that
can be performed and those which can be found by an automated
scanner. This paper will attempt to outline some of those
shortcomings and offer a plan for comparing/building a web
application vulnerability scanner.
 • Need
for analysis by attack type

 • Coverage
and integration with other tools and/or scripting support
 • Need
to assist "technical" attacker to perform "custom"
checks
 • Support
for "custom" reporting

_____________________________________________________________________________________
General
Topics:
 • Automated
vs. Manual Discovery – The Need for Integration Between Tools
 • Web
Application Security – The Need for Automated Testing Tools 


 • Integrated
Threat Modeling Feature – Identifying API Exposures and
Assigning Risk
_____________________________________________________________________________________
Ideal
Baseline - Needs For Scanner:
 • Integration
with Std. VA scanner
 • Integration
with HTTP Proxies

 • Exportable
Storage of Results
 • XML
Format
 • Database
Formats
 • Scanners
and Tools to Integrate With
 • OWASP
WebScarab

 • XXXcommercialXXX
 • XXXcommercialXXX
 • XXXcommercialXXX
 • XXXcommercialXXX
 • OWASP
DIRBuster

 • Google
harvester module
 • Ability
to Document/Flag Good and Bad Results
 • Limit
scan to specified IPs/Hosts, Domains, and Ports Discovered on Host
running HTTP(s) 

 •
checksum content b/t ports, hosts, etc. for same content

 • Be
able to accurately reproduce results (ex. AppScan -- reply request
and show in browser)
 • Spidering
and Resource Identification 

 • User
defined optimization of scan threads, timeouts, etc
 • Virtual
host identification - edit cost, diff btw pages –

 •
HDM idea - Intranet hostname exposure, etc.....over 512 bytes, insane
overhead
 • DNS
grinding, etc 

 • http://www.owasp.org/index.php/Testing_for_Application_Discovery_(OWASP-IG-005)
 • Auth
vs UnAuth forced Browsing 


 • checkout
step bypass, etc
 • Accurately
identify directories and files present (and supported extensions)
 • Ability
to add checks for permeation based dir checks
 • User
is able to specify and retest extra files, dirs, and attacks as well
as add to test "template"

 • (retest/add
this dir for all vulns/files, retest this dir for XSS, rerun all SQL
injection, etc)
 • Ability
to specify custom HTTP requests and form templates based on HTTP
requests and errors
 • Fuzzer


 • ability
to model after "stored" requests,

 • pop
out?
 • HTTP
 • WSDL
 • Iteration
based fuzzing and discovery - ie, Pornzilla
 • Cookies/Session
testing and analysis 


 • automated
analysis and manual analysis replay idea (my idea kinda......need to
elaborate)
 • Platform
Specific tests and customization/AI (MS, .Net, Java, Apache)
 • Path,
Error Path and Verbose errors Identification 

 • Tomcat

 • ASP.NET
 • CFM
 • JSP
 • Apache
 • Request
Comparison

 • Cookies
 • Collection
 • Encoder/Decoder
 • Comparison
 • Authentication
Tester/Brute Forcer

 • Form
 • Basic
 • NTLM
 • Cookies/Sessions
 • SSL/Encryption
strength analysis

 • Easy
"dictionary" customization
 • Application
Servers/Frameworks
 • Apache
Tomcat
 • Ruby
on Rails

 • Django
 • JavaScript
Framework Identification
 • Dojo
 • script.aculo.us
 • Prototype

 • DWR
 • GWT
 • Sajax 
 • Endpoint
Identification
 • 3rd
Party Resources

 • RSS
 • Atom
 • Misc.
Web Service oriented
 • Web
Admin Console Identification
 • JBoss

 • JRun
 • Web
Services
 • SOAP
 • WSDL
 • UDDI/Endpoint
Discovery Protocols

 • WS-Security
 • ReST
 • Flash/Flex
 • Java
 • ActiveX

 • User
identification (error messages, user dirs, etc) and customization
(ex. add to BF dictionary)
 • DB
Platform Identification
 • MSSQL
 • MySQL
 • Sybase

 • MS
Access
 • Oracle
 • DB2
 • DB/XML
store of files/dirs - grepable
_____________________________________________________________________________________

Platform
and Resource Requirements:
 • DB
Platform Identification
 • MSSQL
 • MySQL
 • Sybase

 • MS
Access
 • Oracle
 • DB2
 • Web
Platform Identification
 • IIS

 • Tomcat
 • ASP.NET
 • CFM
 • JSP
 • Apache

 • ActiveX
 • Java
Applets
 • Javascript
and JS Frameworks
 • Flex
 • Flash

 • ReST
 • SOAP/WSDL
 • WEBrick
 • Django
(python)
_____________________________________________________________________________________

Modules:
 • XSS

 • DOM
Injection Attacks
 • Stored
 • Reflected

 • Injection
Attacks
 • SQL
 • XML/XPATH/XMLRCP/SOAP
- DOM-based XSS - Difficult - can't grep sourcd
 • JSON
(Javascript Object Notation) 


 • Link
Injection/Insertion (eg. OWA)
 • Dir
Traversal
 • File
Include
 • XSRF
 • HTTP
Response Splitting

 • Cookie
Collector and Checks
 • Cookies
Enabled (Y/N)
 • Flags
Set in Cookies
 • HTTPOnly
 • Secure

 • Domain
 • Path
 • Expires
 • Cookie
Randomization
 • GUI
plotting

 • Web
Platform Specific Checks
 • IIS
 • IPP
 • IDA/IDQ
 • FrontPage

 • Anon
 • Files/Extensions
 • MSSQL
 • Microsoft
.NET
 • .NET
Version Enumeration

 • ViewState
 • Decoder
 • Value
collection
 • Value
comparison
 • Identification
of Repeating VS Unique Values

 • Identification
of Possibly Sensitive Values
 • Changes
in Relation to Application Logic
 • Apache
 • userdir
 • MySQL

 • Docs
 • Modules
installed
 • OpenSSL
 • ModSSL
 • Expect

 • ModSecurity
 • Mod_jk
 • Apache
Tomcat
 • mgmt/admin
interface
 • Docs

 • General
platform and hardware/device specific checks
 • Parameter
identification (Identify inputs)
 • Identify
ALL Resources that appear to accept "user-defined" input
 • HTTP
OPTIONS

 • HTTP
Track/XST
 • Comments
 • Internal
IP Disclosure
 • Mgmt
Interface Scanner 


 • /jmx-console
 • /web-console
 • Conf
File Scanner 

 • /WEB-INF/web.xml

 • /robots.txt
 • /.htaccess
 • /jmx-console
site enumeration (not just identify presence of web console)
 • /web-console
site enumeration (not just identify presence of web console)
 • File
Include/Insertion Scanner (esp PHP)

 • Authentication
Scanner
 • Basic/NTLM
Identification
 • Form-based
Authentication Identification
 • Username
Enumeration
 • User-dir

 • Page
Scraping 

 • Site
Mirroring
 • Google
– Email Scraper 

 • Brute-Forcer

 • Dictionary
attacker
 • Easy
"dictionary" customization
 • Default
Password Tester
 • By
Platform

 • Source
Code Disclosure (eg. %00, %20)
 • Page
pattern matcher (Page Structure VS <Diff> Page Content)
 • Incorrect
usage of eval()
 • OS
command shell


 • Software
Version Identification 

 • regex
values
 • window
<Title> names

 • comments


 • base
platform
 • Hidden
Fields/Links Enumerator
 • File
Upload Enumerator

 • Log
File Scanner
 • Temp
Files
 • Search
Function for associated Vulns and software versions
 • Ability
to Reference Common Security Sites for Vulnerability Information
 • Path
Case-sensitivity enumerator

 • Encodings
Supported
 • Servlet
Mapper
 • Local
Search Engine Enumeration
 • Google
File/DIR mapper
 • BackEnd
DB Type Enumerator

 • Application
logic enumerator
 • ActiveX,
Java object enumerator
 • LDAP
Checks
 • File
Ext and Dir Mapper 


 • System
Platform Type/Version Enumerator
 • Supported
File Types Enumerator
 • Unmapped
File Extensions
 • Identifying
"sensitive" data

 • Web
Framework and Application Fingerprinting 

 • Flash/Flex


 • J2EE
 • JBoss



 • JRun
 • Apache
Foundation
 • Web
Server
 • Tomcat

 • Axis


 • Ruby
on Rails
 • Zend
 • Django



 • Jakarta
Struts (and other MVC architectures)
 • Exposed
Source-Code analysis (VM-like environment to run in)
 • FireBug
(pop-out?)
_____________________________________________________________________________________
Reporting/Results:

 • Database/XML
compatible storage 

 • data
correlation with other (HTTP) tools
 • AUTO
TXT, DB, SQL, source file ARCHIVER/STORED DIRECTORY

Key Project Information:OWASP Web Application Scanner Specification Project

2009-02-24T02:38:52Z

Coreylebleu:

----
{| style="width:100%" border="0" align="center"
! colspan="8" align="center" style="background:#4058A0; color:white"|'''PROJECT INFORMATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="7" style="width:85%; background:#cccccc" align="left"|'''OWASP Web Application Scanner Specification Project'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="7" style="width:85%; background:#cccccc" align="left"|
There will always be a "gap" between the types of attacks that can be performed and those which can be found by an automated scanner. This project will attempt to outline some of those shortcomings and offer a plan for comparing and/or building web application vulnerability scanners. The project will also include feature suggestions beneficial to advanced users.
|-
| style="width:15%; background:#7B8ABD" align="center"|
'''Key Project Information'''
| style="width:14%; background:#cccccc" align="center"|
Project Leader [mailto:coreylebleu@gmail.com '''Corey LeBleu''']
| style="width:15%; background:#cccccc" align="center"|
Project Contibutors (if any)
| style="width:10%; background:#cccccc" align="center"|
Mailing List [https://lists.owasp.org/mailman/admin/owasp-web-app-scanner-specification-project '''Subscribe here'''] [mailto:owasp-web-app-scanner-specification-project@lists.owasp.org '''Use here''']
| style="width:17%; background:#cccccc" align="center"|
License [http://creativecommons.org/licenses/by-sa/3.0/ '''Creative Commons Attribution Share Alike 3.0''']
| style="width:14%; background:#cccccc" align="center"|
Project Type [[:Category:OWASP_Project#Alpha_Status_Projects|'''Document''']]
| style="width:15%; background:#cccccc" align="center"|
Sponsors if any, add link
|}
{| style="width:100%" border="0" align="center"
! align="center" style="background:#7B8ABD; color:white"|'''Release Status'''
! align="center" style="background:#7B8ABD; color:white"|'''Main Links'''
! align="center" style="background:#7B8ABD; color:white"|'''Related Projects'''
|-
| style="width:29%; background:#cccccc" align="center"|
'''[[:Category:OWASP Project Assessment#Alpha Quality Documentation Criteria|Apha Quality]]''' [[:OWASP Web Application Scanner Specification Project - Assessment Frame|Please see here for complete information.]]
| style="width:42%; background:#cccccc" align="center"|
* add link(s)
| style="width:29%; background:#cccccc" align="center"|
* if any, add link(s)
|}
----

== About ==
This project will attempt to outline some of the shortcomings of currently available web application vulnerability scanners and offer a plan for comparing and/or building web application vulnerability scanners. Check back in one day for first draft.

== Content ==
 

Dynamic
Analysis of Web Application Security in Respect to Current Web
Application Vulnerability Scanners: Specification of Needs in
Comparison to Current Offerings
Introduction/Scope:
There
will always be a "gap" between the types of attacks that
can be performed and those which can be found by an automated
scanner. This paper will attempt to outline some of those
shortcomings and offer a plan for comparing/building a web
application vulnerability scanner.
 • Need
for analysis by attack type

 • Coverage
and integration with other tools and/or scripting support
 • Need
to assist "technical" attacker to perform "custom"
checks
 • Support
for "custom" reporting

_____________________________________________________________________________________
General
Topics:
 • Automated
vs. Manual Discovery – The Need for Integration Between Tools
 • Web
Application Security – The Need for Automated Testing Tools 


 • Integrated
Threat Modeling Feature – Identifying API Exposures and
Assigning Risk
_____________________________________________________________________________________
Ideal
Baseline - Needs For Scanner:
 • Integration
with Std. VA scanner
 • Integration
with HTTP Proxies

 • Exportable
Storage of Results
 • XML
Format
 • Database
Formats
 • Scanners
and Tools to Integrate With
 • OWASP
WebScarab

 • Burp
Suite
 • AppScan
 • WebInspect
 • Accunix
 • OWASP
DIRBuster

 • Google
harvester module
 • Ability
to Document/Flag Good and Bad Results
 • Limit
scan to specified IPs/Hosts, Domains, and Ports Discovered on Host
running HTTP(s) 

 •
checksum content b/t ports, hosts, etc. for same content

 • Be
able to accurately reproduce results (ex. AppScan -- reply request
and show in browser)
 • Spidering
and Resource Identification 

 • User
defined optimization of scan threads, timeouts, etc
 • Virtual
host identification - edit cost, diff btw pages –

 •
HDM idea - Intranet hostname exposure, etc.....over 512 bytes, insane
overhead
 • DNS
grinding, etc 

 • http://www.owasp.org/index.php/Testing_for_Application_Discovery_(OWASP-IG-005)
 • Auth
vs UnAuth forced Browsing 


 • checkout
step bypass, etc
 • Accurately
identify directories and files present (and supported extensions)
 • Ability
to add checks for permeation based dir checks
 • User
is able to specify and retest extra files, dirs, and attacks as well
as add to test "template"

 • (retest/add
this dir for all vulns/files, retest this dir for XSS, rerun all SQL
injection, etc)
 • Ability
to specify custom HTTP requests and form templates based on HTTP
requests and errors
 • Fuzzer


 • ability
to model after "stored" requests,

 • pop
out?
 • HTTP
 • WSDL
 • Iteration
based fuzzing and discovery - ie, Pornzilla
 • Cookies/Session
testing and analysis 


 • automated
analysis and manual analysis replay idea (my idea kinda......need to
elaborate)
 • Platform
Specific tests and customization/AI (MS, .Net, Java, Apache)
 • Path,
Error Path and Verbose errors Identification 

 • Tomcat

 • ASP.NET
 • CFM
 • JSP
 • Apache
 • Request
Comparison

 • Cookies
 • Collection
 • Encoder/Decoder
 • Comparison
 • Authentication
Tester/Brute Forcer

 • Form
 • Basic
 • NTLM
 • Cookies/Sessions
 • SSL/Encryption
strength analysis

 • Easy
"dictionary" customization
 • Application
Servers/Frameworks
 • Apache
Tomcat
 • Ruby
on Rails

 • Django
 • JavaScript
Framework Identification
 • Dojo
 • script.aculo.us
 • Prototype

 • DWR
 • GWT
 • Sajax 
 • Endpoint
Identification
 • 3rd
Party Resources

 • RSS
 • Atom
 • Misc.
Web Service oriented
 • Web
Admin Console Identification
 • JBoss

 • JRun
 • Web
Services
 • SOAP
 • WSDL
 • UDDI/Endpoint
Discovery Protocols

 • WS-Security
 • ReST
 • Flash/Flex
 • Java
 • ActiveX

 • User
identification (error messages, user dirs, etc) and customization
(ex. add to BF dictionary)
 • DB
Platform Identification
 • MSSQL
 • MySQL
 • Sybase

 • MS
Access
 • Oracle
 • DB2
 • DB/XML
store of files/dirs - grepable
_____________________________________________________________________________________

Platform
and Resource Requirements:
 • DB
Platform Identification
 • MSSQL
 • MySQL
 • Sybase

 • MS
Access
 • Oracle
 • DB2
 • Web
Platform Identification
 • IIS

 • Tomcat
 • ASP.NET
 • CFM
 • JSP
 • Apache

 • ActiveX
 • Java
Applets
 • Javascript
and JS Frameworks
 • Flex
 • Flash

 • ReST
 • SOAP/WSDL
 • WEBrick
 • Django
(python)
_____________________________________________________________________________________

Modules:
 • XSS

 • DOM
Injection Attacks
 • Stored
 • Reflected

 • Injection
Attacks
 • SQL
 • XML/XPATH/XMLRCP/SOAP
- DOM-based XSS - Difficult - can't grep sourcd
 • JSON
(Javascript Object Notation) 


 • Link
Injection/Insertion (eg. OWA)
 • Dir
Traversal
 • File
Include
 • XSRF
 • HTTP
Response Splitting

 • Cookie
Collector and Checks
 • Cookies
Enabled (Y/N)
 • Flags
Set in Cookies
 • HTTPOnly
 • Secure

 • Domain
 • Path
 • Expires
 • Cookie
Randomization
 • GUI
plotting

 • Web
Platform Specific Checks
 • IIS
 • IPP
 • IDA/IDQ
 • FrontPage

 • Anon
 • Files/Extensions
 • MSSQL
 • Microsoft
.NET
 • .NET
Version Enumeration

 • ViewState
 • Decoder
 • Value
collection
 • Value
comparison
 • Identification
of Repeating VS Unique Values

 • Identification
of Possibly Sensitive Values
 • Changes
in Relation to Application Logic
 • Apache
 • userdir
 • MySQL

 • Docs
 • Modules
installed
 • OpenSSL
 • ModSSL
 • Expect

 • ModSecurity
 • Mod_jk
 • Apache
Tomcat
 • mgmt/admin
interface
 • Docs

 • General
platform and hardware/device specific checks
 • Parameter
identification (Identify inputs)
 • Identify
ALL Resources that appear to accept "user-defined" input
 • HTTP
OPTIONS

 • HTTP
Track/XST
 • Comments
 • Internal
IP Disclosure
 • Mgmt
Interface Scanner 


 • /jmx-console
 • /web-console
 • Conf
File Scanner 

 • /WEB-INF/web.xml

 • /robots.txt
 • /.htaccess
 • /jmx-console
site enumeration (not just identify presence of web console)
 • /web-console
site enumeration (not just identify presence of web console)
 • File
Include/Insertion Scanner (esp PHP)

 • Authentication
Scanner
 • Basic/NTLM
Identification
 • Form-based
Authentication Identification
 • Username
Enumeration
 • User-dir

 • Page
Scraping 

 • Site
Mirroring
 • Google
– Email Scraper 

 • Brute-Forcer

 • Dictionary
attacker
 • Easy
"dictionary" customization
 • Default
Password Tester
 • By
Platform

 • Source
Code Disclosure (eg. %00, %20)
 • Page
pattern matcher (Page Structure VS <Diff> Page Content)
 • Incorrect
usage of eval()
 • OS
command shell


 • Software
Version Identification 

 • regex
values
 • window
<Title> names

 • comments


 • base
platform
 • Hidden
Fields/Links Enumerator
 • File
Upload Enumerator

 • Log
File Scanner
 • Temp
Files
 • Search
Function for associated Vulns and software versions
 • Ability
to Reference Common Security Sites for Vulnerability Information
 • Path
Case-sensitivity enumerator

 • Encodings
Supported
 • Servlet
Mapper
 • Local
Search Engine Enumeration
 • Google
File/DIR mapper
 • BackEnd
DB Type Enumerator

 • Application
logic enumerator
 • ActiveX,
Java object enumerator
 • LDAP
Checks
 • File
Ext and Dir Mapper 


 • System
Platform Type/Version Enumerator
 • Supported
File Types Enumerator
 • Unmapped
File Extensions
 • Identifying
"sensitive" data

 • Web
Framework and Application Fingerprinting 

 • Flash/Flex


 • J2EE
 • JBoss



 • JRun
 • Apache
Foundation
 • Web
Server
 • Tomcat

 • Axis


 • Ruby
on Rails
 • Zend
 • Django



 • Jakarta
Struts (and other MVC architectures)
 • Exposed
Source-Code analysis (VM-like environment to run in)
 • FireBug
(pop-out?)
_____________________________________________________________________________________
Reporting/Results:

 • Database/XML
compatible storage 

 • data
correlation with other (HTTP) tools
 • AUTO
TXT, DB, SQL, source file ARCHIVER/STORED DIRECTORY

Key Project Information:OWASP Web Application Scanner Specification Project

2009-02-24T02:37:36Z

Coreylebleu:

----
{| style="width:100%" border="0" align="center"
! colspan="8" align="center" style="background:#4058A0; color:white"|'''PROJECT INFORMATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="7" style="width:85%; background:#cccccc" align="left"|'''OWASP Web Application Scanner Specification Project'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="7" style="width:85%; background:#cccccc" align="left"|
There will always be a "gap" between the types of attacks that can be performed and those which can be found by an automated scanner. This project will attempt to outline some of those shortcomings and offer a plan for comparing and/or building web application vulnerability scanners. The project will also include feature suggestions beneficial to advanced users.
|-
| style="width:15%; background:#7B8ABD" align="center"|
'''Key Project Information'''
| style="width:14%; background:#cccccc" align="center"|
Project Leader [mailto:coreylebleu@gmail.com '''Corey LeBleu''']
| style="width:15%; background:#cccccc" align="center"|
Project Contibutors (if any)
| style="width:10%; background:#cccccc" align="center"|
Mailing List [https://lists.owasp.org/mailman/admin/owasp-web-app-scanner-specification-project '''Subscribe here'''] [mailto:owasp-web-app-scanner-specification-project@lists.owasp.org '''Use here''']
| style="width:17%; background:#cccccc" align="center"|
License [http://creativecommons.org/licenses/by-sa/3.0/ '''Creative Commons Attribution Share Alike 3.0''']
| style="width:14%; background:#cccccc" align="center"|
Project Type [[:Category:OWASP_Project#Alpha_Status_Projects|'''Document''']]
| style="width:15%; background:#cccccc" align="center"|
Sponsors if any, add link
|}
{| style="width:100%" border="0" align="center"
! align="center" style="background:#7B8ABD; color:white"|'''Release Status'''
! align="center" style="background:#7B8ABD; color:white"|'''Main Links'''
! align="center" style="background:#7B8ABD; color:white"|'''Related Projects'''
|-
| style="width:29%; background:#cccccc" align="center"|
'''[[:Category:OWASP Project Assessment#Alpha Quality Documentation Criteria|Apha Quality]]''' [[:OWASP Web Application Scanner Specification Project - Assessment Frame|Please see here for complete information.]]
| style="width:42%; background:#cccccc" align="center"|
* add link(s)
| style="width:29%; background:#cccccc" align="center"|
* if any, add link(s)
|}
----

== About ==
This project will attempt to outline some of the shortcomings of currently available web application vulnerability scanners and offer a plan for comparing and/or building web application vulnerability scanners. Check back in one day for first draft.

 

Dynamic
Analysis of Web Application Security in Respect to Current Web
Application Vulnerability Scanners: Specification of Needs in
Comparison to Current Offerings
Introduction/Scope:
There
will always be a "gap" between the types of attacks that
can be performed and those which can be found by an automated
scanner. This paper will attempt to outline some of those
shortcomings and offer a plan for comparing/building a web
application vulnerability scanner.
 • Need
for analysis by attack type

 • Coverage
and integration with other tools and/or scripting support
 • Need
to assist "technical" attacker to perform "custom"
checks
 • Support
for "custom" reporting

_____________________________________________________________________________________
General
Topics:
 • Automated
vs. Manual Discovery – The Need for Integration Between Tools
 • Web
Application Security – The Need for Automated Testing Tools 


 • Integrated
Threat Modeling Feature – Identifying API Exposures and
Assigning Risk
_____________________________________________________________________________________
Ideal
Baseline - Needs For Scanner:
 • Integration
with Std. VA scanner
 • Integration
with HTTP Proxies

 • Exportable
Storage of Results
 • XML
Format
 • Database
Formats
 • Scanners
and Tools to Integrate With
 • OWASP
WebScarab

 • Burp
Suite
 • AppScan
 • WebInspect
 • Accunix
 • OWASP
DIRBuster

 • Google
harvester module
 • Ability
to Document/Flag Good and Bad Results
 • Limit
scan to specified IPs/Hosts, Domains, and Ports Discovered on Host
running HTTP(s) 

 •
checksum content b/t ports, hosts, etc. for same content

 • Be
able to accurately reproduce results (ex. AppScan -- reply request
and show in browser)
 • Spidering
and Resource Identification 

 • User
defined optimization of scan threads, timeouts, etc
 • Virtual
host identification - edit cost, diff btw pages –

 •
HDM idea - Intranet hostname exposure, etc.....over 512 bytes, insane
overhead
 • DNS
grinding, etc 

 • http://www.owasp.org/index.php/Testing_for_Application_Discovery_(OWASP-IG-005)
 • Auth
vs UnAuth forced Browsing 


 • checkout
step bypass, etc
 • Accurately
identify directories and files present (and supported extensions)
 • Ability
to add checks for permeation based dir checks
 • User
is able to specify and retest extra files, dirs, and attacks as well
as add to test "template"

 • (retest/add
this dir for all vulns/files, retest this dir for XSS, rerun all SQL
injection, etc)
 • Ability
to specify custom HTTP requests and form templates based on HTTP
requests and errors
 • Fuzzer


 • ability
to model after "stored" requests,

 • pop
out?
 • HTTP
 • WSDL
 • Iteration
based fuzzing and discovery - ie, Pornzilla
 • Cookies/Session
testing and analysis 


 • automated
analysis and manual analysis replay idea (my idea kinda......need to
elaborate)
 • Platform
Specific tests and customization/AI (MS, .Net, Java, Apache)
 • Path,
Error Path and Verbose errors Identification 

 • Tomcat

 • ASP.NET
 • CFM
 • JSP
 • Apache
 • Request
Comparison

 • Cookies
 • Collection
 • Encoder/Decoder
 • Comparison
 • Authentication
Tester/Brute Forcer

 • Form
 • Basic
 • NTLM
 • Cookies/Sessions
 • SSL/Encryption
strength analysis

 • Easy
"dictionary" customization
 • Application
Servers/Frameworks
 • Apache
Tomcat
 • Ruby
on Rails

 • Django
 • JavaScript
Framework Identification
 • Dojo
 • script.aculo.us
 • Prototype

 • DWR
 • GWT
 • Sajax 
 • Endpoint
Identification
 • 3rd
Party Resources

 • RSS
 • Atom
 • Misc.
Web Service oriented
 • Web
Admin Console Identification
 • JBoss

 • JRun
 • Web
Services
 • SOAP
 • WSDL
 • UDDI/Endpoint
Discovery Protocols

 • WS-Security
 • ReST
 • Flash/Flex
 • Java
 • ActiveX

 • User
identification (error messages, user dirs, etc) and customization
(ex. add to BF dictionary)
 • DB
Platform Identification
 • MSSQL
 • MySQL
 • Sybase

 • MS
Access
 • Oracle
 • DB2
 • DB/XML
store of files/dirs - grepable
_____________________________________________________________________________________

Platform
and Resource Requirements:
 • DB
Platform Identification
 • MSSQL
 • MySQL
 • Sybase

 • MS
Access
 • Oracle
 • DB2
 • Web
Platform Identification
 • IIS

 • Tomcat
 • ASP.NET
 • CFM
 • JSP
 • Apache

 • ActiveX
 • Java
Applets
 • Javascript
and JS Frameworks
 • Flex
 • Flash

 • ReST
 • SOAP/WSDL
 • WEBrick
 • Django
(python)
_____________________________________________________________________________________

Modules:
 • XSS

 • DOM
Injection Attacks
 • Stored
 • Reflected

 • Injection
Attacks
 • SQL
 • XML/XPATH/XMLRCP/SOAP
- DOM-based XSS - Difficult - can't grep sourcd
 • JSON
(Javascript Object Notation) 


 • Link
Injection/Insertion (eg. OWA)
 • Dir
Traversal
 • File
Include
 • XSRF
 • HTTP
Response Splitting

 • Cookie
Collector and Checks
 • Cookies
Enabled (Y/N)
 • Flags
Set in Cookies
 • HTTPOnly
 • Secure

 • Domain
 • Path
 • Expires
 • Cookie
Randomization
 • GUI
plotting

 • Web
Platform Specific Checks
 • IIS
 • IPP
 • IDA/IDQ
 • FrontPage

 • Anon
 • Files/Extensions
 • MSSQL
 • Microsoft
.NET
 • .NET
Version Enumeration

 • ViewState
 • Decoder
 • Value
collection
 • Value
comparison
 • Identification
of Repeating VS Unique Values

 • Identification
of Possibly Sensitive Values
 • Changes
in Relation to Application Logic
 • Apache
 • userdir
 • MySQL

 • Docs
 • Modules
installed
 • OpenSSL
 • ModSSL
 • Expect

 • ModSecurity
 • Mod_jk
 • Apache
Tomcat
 • mgmt/admin
interface
 • Docs

 • General
platform and hardware/device specific checks
 • Parameter
identification (Identify inputs)
 • Identify
ALL Resources that appear to accept "user-defined" input
 • HTTP
OPTIONS

 • HTTP
Track/XST
 • Comments
 • Internal
IP Disclosure
 • Mgmt
Interface Scanner 


 • /jmx-console
 • /web-console
 • Conf
File Scanner 

 • /WEB-INF/web.xml

 • /robots.txt
 • /.htaccess
 • /jmx-console
site enumeration (not just identify presence of web console)
 • /web-console
site enumeration (not just identify presence of web console)
 • File
Include/Insertion Scanner (esp PHP)

 • Authentication
Scanner
 • Basic/NTLM
Identification
 • Form-based
Authentication Identification
 • Username
Enumeration
 • User-dir

 • Page
Scraping 

 • Site
Mirroring
 • Google
– Email Scraper 

 • Brute-Forcer

 • Dictionary
attacker
 • Easy
"dictionary" customization
 • Default
Password Tester
 • By
Platform

 • Source
Code Disclosure (eg. %00, %20)
 • Page
pattern matcher (Page Structure VS <Diff> Page Content)
 • Incorrect
usage of eval()
 • OS
command shell


 • Software
Version Identification 

 • regex
values
 • window
<Title> names

 • comments


 • base
platform
 • Hidden
Fields/Links Enumerator
 • File
Upload Enumerator

 • Log
File Scanner
 • Temp
Files
 • Search
Function for associated Vulns and software versions
 • Ability
to Reference Common Security Sites for Vulnerability Information
 • Path
Case-sensitivity enumerator

 • Encodings
Supported
 • Servlet
Mapper
 • Local
Search Engine Enumeration
 • Google
File/DIR mapper
 • BackEnd
DB Type Enumerator

 • Application
logic enumerator
 • ActiveX,
Java object enumerator
 • LDAP
Checks
 • File
Ext and Dir Mapper 


 • System
Platform Type/Version Enumerator
 • Supported
File Types Enumerator
 • Unmapped
File Extensions
 • Identifying
"sensitive" data

 • Web
Framework and Application Fingerprinting 

 • Flash/Flex


 • J2EE
 • JBoss



 • JRun
 • Apache
Foundation
 • Web
Server
 • Tomcat

 • Axis


 • Ruby
on Rails
 • Zend
 • Django



 • Jakarta
Struts (and other MVC architectures)
 • Exposed
Source-Code analysis (VM-like environment to run in)
 • FireBug
(pop-out?)
_____________________________________________________________________________________
Reporting/Results:

 • Database/XML
compatible storage 

 • data
correlation with other (HTTP) tools
 • AUTO
TXT, DB, SQL, source file ARCHIVER/STORED DIRECTORY

Key Project Information:OWASP Web Application Scanner Specification Project

2009-02-24T01:51:59Z

Coreylebleu: /* About */

Key Project Information:OWASP Web Application Scanner Specification Project

2009-02-23T20:06:12Z

Coreylebleu: