This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Category:OWASP Web Application Scanner Specification Project




PROJECT INFORMATION
Project Name OWASP Web Application Scanner Specification Project
Short Project Description

There will always be a "gap" between the types of attacks that can be performed and those which can be found by an automated scanner. This project will attempt to outline some of those shortcomings and offer a plan for comparing and/or building web application vulnerability scanners. The project will also include feature suggestions beneficial to advanced users.

Key Project Information

Project Leader
Corey LeBleu

Project Contributors
(none listed)

Mailing List
Subscribe here
Use here

License
Creative Commons Attribution Share Alike 3.0

Project Type
Document

Sponsors
(none listed)

Release Status
Alpha Quality
Please see here for complete information.

Main Links
(none listed)

Related Projects
(none listed)

About

This project will attempt to outline some of the shortcomings of currently available web application vulnerability scanners and offer a plan for comparing and/or building web application vulnerability scanners.

Goals & Roadmap

In the near future, we will be focused on the following goals...

1. Clean up feature redundancy

2. Further categorize and document modules

3. Add platform-specific checks (e.g. file extensions)

4. Add further "check" modules

Content


Dynamic Analysis of Web Application Security in Respect to Current Web Application Vulnerability Scanners: Specification of Needs in Comparison to Current Offerings

Introduction/Scope:

There will always be a "gap" between the types of attacks that can be performed and those which can be found by an automated scanner. This paper will attempt to outline some of those shortcomings and offer a plan for comparing/building a web application vulnerability scanner.

• Need for analysis by attack type

• Coverage and integration with other tools and/or scripting support

• Need to assist "technical" attacker to perform "custom" checks

• Support for "custom" reporting

_____________________________________________________________________________________

General Topics:

• Automated vs. Manual Discovery – The Need for Integration Between Tools

• Web Application Security – The Need for Automated Testing Tools

• Integrated Threat Modeling Feature – Identifying API Exposures and Assigning Risk

_____________________________________________________________________________________

OWASP_Web_Application_Scanner_Specification_Project_Baseline

Ideal Baseline - Needs For Scanner:

• Integration with standard vulnerability assessment (VA) scanners

• Integration with HTTP Proxies

• Exportable Storage of Results

• XML Format

• Database Formats


• Search Engine Harvester Modules

• Ability to Document/Flag Good and Bad Results

• Limit scan to specified IPs/hosts, domains, and ports discovered running HTTP(S) on the host

• Checksum content between ports, hosts, etc. to detect identical content served at several locations

• Be able to accurately reproduce results (e.g. replay the request and show the response in a browser)

• Spidering and Resource Identification

• User defined optimization of scan threads, timeouts, etc

• Virtual host identification (compare responses for different Host headers by edit cost/diff between pages)

• HDM idea: intranet hostname exposure, etc. (over 512 bytes the overhead becomes excessive)

• DNS grinding, etc

http://www.owasp.org/index.php/Testing_for_Application_Discovery_(OWASP-IG-005)

• Authenticated vs. unauthenticated forced browsing

• checkout step bypass, etc

• Accurately identify directories and files present (and supported extensions)

• Ability to add checks for permutation-based directory checks

• User is able to specify and retest extra files, dirs, and attacks as well as add to test "template"

• (retest/add this dir for all vulns/files, retest this dir for XSS, rerun all SQL injection, etc)

• Ability to specify custom HTTP requests and form templates based on HTTP requests and errors

• Fuzzer

• Ability to model requests after "stored" requests

• pop out?

• HTTP

• WSDL

• Iteration-based fuzzing and discovery (e.g. Pornzilla)

• Cookies/Session testing and analysis

• Automated analysis and manual analysis replay idea (my idea, roughly; needs to be elaborated)

• Platform-specific tests and customization/AI (MS, .NET, Java, Apache)

• Path, Error Path and Verbose errors Identification

• Tomcat

• ASP.NET

• CFM

• JSP

• Apache

• Request Comparison

• Cookies

• Collection

• Encoder/Decoder

• Comparison

• Authentication Tester/Brute Forcer

• Form

• Basic

• NTLM

• Cookies/Sessions

• SSL/Encryption strength analysis

• Easy "dictionary" customization

• Application Servers/Frameworks

• Apache Tomcat

• Ruby on Rails

• Django

• JavaScript Framework Identification

• Dojo

• script.aculo.us

• Prototype

• DWR

• GWT

• Sajax

• Endpoint Identification

• 3rd Party Resources

• RSS

• Atom

• Misc. Web Service oriented

• Web Admin Console Identification

• JBoss

• JRun

• Web Services

• SOAP

• WSDL

• UDDI/Endpoint Discovery Protocols

• WS-Security

• REST

• Flash/Flex

• Java

• ActiveX

• User identification (error messages, user dirs, etc) and customization (ex. add to BF dictionary)

• DB Platform Identification

• MSSQL

• MySQL

• Sybase

• MS Access

• Oracle

• DB2

• DB/XML store of discovered files/dirs (grepable)
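
Two of the baseline needs above, content checksums across ports/hosts and virtual host identification by diff/edit cost, are shown below as an added example. It is not code from the OWASP project page; the hostnames, ports and page bodies are constructed, and the normalisation rules (strip comments, clock values, long tokens, whitespace) are an assumption about what typically makes two copies of the same page differ.

```python
"""Added example (not from the OWASP spec page): dedupe responses by checksum
and spot virtual hosts by comparing against the default-site response."""
import hashlib
import re
from difflib import SequenceMatcher

# Fragments that differ between otherwise identical pages (assumed set).
VOLATILE = [
    re.compile(r"<!--.*?-->", re.S),          # HTML comments, often time/build stamps
    re.compile(r"\b\d{1,2}:\d{2}:\d{2}\b"),  # clock values
    re.compile(r"[A-Za-z0-9+/=]{32,}"),      # session tokens, nonces, ViewState blobs
]
WHITESPACE = re.compile(r"\s+")


def normalise(body: str) -> str:
    """Remove volatile fragments and collapse whitespace before hashing or diffing."""
    for pattern in VOLATILE:
        body = pattern.sub("", body)
    return WHITESPACE.sub(" ", body).strip().lower()


def content_id(body: str) -> str:
    """Stable checksum of the normalised body."""
    return hashlib.sha256(normalise(body).encode("utf-8")).hexdigest()


def dedupe_targets(responses):
    """Group (host, port, body) tuples by content checksum.

    Returns {checksum: [(host, port), ...]}; each group needs one full scan.
    """
    groups = {}
    for host, port, body in responses:
        groups.setdefault(content_id(body), []).append((host, port))
    return groups


def vhost_similarity(default_body: str, candidate_body: str) -> float:
    """Similarity ratio after normalisation: 1.0 identical, 0.0 nothing shared."""
    return SequenceMatcher(None, normalise(default_body), normalise(candidate_body)).ratio()


def find_virtual_hosts(default_body: str, candidates: dict, threshold: float = 0.9):
    """Candidate hostnames whose response differs enough from the default site
    (ratio below threshold) to be treated as a separate application."""
    return sorted(
        name for name, body in candidates.items()
        if vhost_similarity(default_body, body) < threshold
    )


# Constructed sample data.
PORTAL = """<html><head><title>Intranet Portal</title></head>
<body><!-- rendered 10:42:17 --><form action="/login">User: <input name="u">
<input type="hidden" name="nonce" value="{nonce}"></form></body></html>"""
DEFAULT = "<html><body><h1>It works!</h1></body></html>"

SAMPLE_RESPONSES = [
    ("www.example.test", 80, PORTAL.format(nonce="Q3JlYXRlZEJ5T1dBU1BTY2FubmVyU3BlYzEyMzQ=")),
    ("www.example.test", 8080, PORTAL.replace("10:42:17", "10:43:02").format(
        nonce="Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MGFiY2RlZg==")),
    ("www.example.test", 443, "<html><body><h1>Admin Console</h1>"
                              "<a href='/jmx-console'>JMX</a></body></html>"),
]

SAMPLE_VHOSTS = {
    "intranet.example.test": PORTAL.format(nonce="aGVsbG93b3JsZGhlbGxvd29ybGRoZWxsb3dvcmxk"),
    "nothing.example.test": DEFAULT,  # unknown name: server falls back to the default site
}

if __name__ == "__main__":
    for checksum, targets in dedupe_targets(SAMPLE_RESPONSES).items():
        print(checksum[:12], targets)
    print("virtual hosts:", find_virtual_hosts(DEFAULT, SAMPLE_VHOSTS))
```

Ports 80 and 8080 collapse into one group (only a timestamp comment and a nonce differ), 443 stays separate, and of the two guessed names only intranet.example.test produces a response that diverges from the default site.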

_____________________________________________________________________________________

Platform and Resource Requirements:

• DB Platform Identification

• MSSQL

• MySQL

• Sybase

• MS Access

• Oracle

• DB2

• Web Platform Identification

• IIS

• Tomcat

• ASP.NET

• CFM

• JSP

• Apache

• ActiveX

• Java Applets

• Javascript and JS Frameworks

• Flex

• Flash

• REST

• SOAP/WSDL

• WEBrick

• Django (python)
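
The platform identification asked for above is largely passive: response headers, session-cookie names, URL extensions and database error strings each give a clue, and a scanner should let several weak clues vote rather than trust one. The block below is an added example of that approach, not code from the OWASP project; its signature table is a small illustrative subset (an assumption for the demo, not a maintained database) and both sample responses are constructed.

```python
"""Added example (not from the OWASP spec page): weighted-vote platform
fingerprinting from headers, cookies, URL extensions and error text."""
import re
from collections import defaultdict

# (source, pattern, platform label, weight). Illustrative subset only.
SIGNATURES = [
    ("header:server", re.compile(r"Microsoft-IIS/(\d+\.\d+)", re.I), "IIS", 3),
    # "Apache/2.x" but not "Apache-Coyote" (the Tomcat HTTP connector)
    ("header:server", re.compile(r"^Apache(?:/([\d.]+))?(?=\s|$)", re.I), "Apache", 3),
    ("header:server", re.compile(r"Apache-Coyote|Tomcat", re.I), "Tomcat", 3),
    ("header:server", re.compile(r"WEBrick", re.I), "WEBrick", 3),
    ("header:x-powered-by", re.compile(r"ASP\.NET", re.I), "ASP.NET", 3),
    ("header:x-aspnet-version", re.compile(r"([\d.]+)"), "ASP.NET", 3),
    ("header:x-powered-by", re.compile(r"PHP/([\d.]+)", re.I), "PHP", 3),
    ("cookie", re.compile(r"^JSESSIONID$", re.I), "JSP", 2),
    ("cookie", re.compile(r"^ASP\.NET_SessionId$", re.I), "ASP.NET", 2),
    ("cookie", re.compile(r"^(CFID|CFTOKEN)$", re.I), "CFM", 2),
    ("cookie", re.compile(r"^PHPSESSID$", re.I), "PHP", 2),
    ("cookie", re.compile(r"^(csrftoken|sessionid)$", re.I), "Django", 2),
    ("cookie", re.compile(r"_session$", re.I), "Ruby on Rails", 2),
    ("url", re.compile(r"\.aspx?(?:\?|$)", re.I), "ASP.NET", 1),
    ("url", re.compile(r"\.jsp(?:\?|$)", re.I), "JSP", 1),
    ("url", re.compile(r"\.cfm(?:\?|$)", re.I), "CFM", 1),
    ("url", re.compile(r"\.php(?:\?|$)", re.I), "PHP", 1),
    ("body", re.compile(r"Microsoft OLE DB Provider for SQL Server|\[SQL Server\]", re.I), "MSSQL", 3),
    ("body", re.compile(r"You have an error in your SQL syntax|mysql_fetch", re.I), "MySQL", 3),
    ("body", re.compile(r"ORA-\d{5}"), "Oracle", 3),
    ("body", re.compile(r"Microsoft JET Database Engine", re.I), "MS Access", 3),
    ("body", re.compile(r"DB2 SQL error|SQLCODE=-?\d+", re.I), "DB2", 3),
    ("body", re.compile(r"Sybase message", re.I), "Sybase", 3),
]


def _cookie_names(response):
    """Cookie names from the Set-Cookie headers of one response."""
    return [h.split(";", 1)[0].split("=", 1)[0].strip() for h in response.get("set_cookie", [])]


def fingerprint(response):
    """Return ({platform: score}, {platform: [evidence, ...]}) for one response.

    response: {"url": str, "headers": {name: value}, "set_cookie": [str], "body": str}
    """
    headers = {k.lower(): v for k, v in response.get("headers", {}).items()}
    cookie_names = _cookie_names(response)
    votes, evidence = defaultdict(int), defaultdict(list)
    for source, pattern, label, weight in SIGNATURES:
        if source.startswith("header:"):
            value = headers.get(source.split(":", 1)[1])
            match = pattern.search(value) if value is not None else None
        elif source == "cookie":
            match = next((m for m in map(pattern.search, cookie_names) if m), None)
        elif source == "url":
            match = pattern.search(response.get("url", ""))
        else:
            match = pattern.search(response.get("body", ""))
        if match:
            votes[label] += weight
            detail = match.group(1) if match.lastindex and match.group(1) else match.group(0)
            evidence[label].append(f"{source}: {detail}")
    return dict(votes), dict(evidence)


def ranked(votes):
    """Platforms with the strongest support first; ties broken by name."""
    return sorted(votes.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample responses.
SAMPLE_IIS = {
    "url": "https://shop.example.test/Default.aspx",
    "headers": {"Server": "Microsoft-IIS/7.5", "X-Powered-By": "ASP.NET",
                "X-AspNet-Version": "4.0.30319"},
    "set_cookie": ["ASP.NET_SessionId=k2h5f3; path=/; HttpOnly"],
    "body": "Microsoft OLE DB Provider for SQL Server error '80040e14' Unclosed quotation mark",
}
SAMPLE_TOMCAT = {
    "url": "https://portal.example.test/app/login.jsp",
    "headers": {"Server": "Apache-Coyote/1.1"},
    "set_cookie": ["JSESSIONID=7A3F9B; Path=/app"],
    "body": "java.sql.SQLException: ORA-01756: quoted string not properly terminated",
}

if __name__ == "__main__":
    for sample in (SAMPLE_IIS, SAMPLE_TOMCAT):
        votes, evidence = fingerprint(sample)
        print(sample["url"], ranked(votes), evidence)
```

The Apache pattern is anchored and refuses the "-Coyote" suffix on purpose: the Tomcat connector advertises itself as "Apache-Coyote", and a naive substring match would attribute every Tomcat instance to Apache httpd as well.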

_____________________________________________________________________________________

Modules:

• XSS

• DOM Injection Attacks

• Stored

• Reflected

• Injection Attacks

• SQL

• XML/XPath/XML-RPC/SOAP (note: DOM-based XSS is difficult here, since the injected value never appears in the server response and cannot be found by grepping the returned source)

• JSON (Javascript Object Notation)

• Link Injection/Insertion (e.g. OWA)

• Dir Traversal

• File Include

• XSRF (CSRF)

• HTTP Response Splitting

• Cookie Collector and Checks

• Cookies Enabled (Y/N)

• Flags Set in Cookies

• HTTPOnly

• Secure

• Domain

• Path

• Expires

• Cookie Randomization

• GUI plotting

• Web Platform Specific Checks

• IIS

• IPP (Internet Printing Protocol ISAPI extension)

• IDA/IDQ (Index Server ISAPI extensions)

• FrontPage

• Anonymous access

• Files/Extensions

• MSSQL

• Microsoft .NET

• .NET Version Enumeration

• ViewState

• Decoder

• Value collection

• Value comparison

• Identification of Repeating VS Unique Values

• Identification of Possibly Sensitive Values

• Changes in Relation to Application Logic

• Apache

• userdir

• MySQL

• Docs

• Modules installed

• OpenSSL

• ModSSL

• Expect

• ModSecurity

• Mod_jk

• Apache Tomcat

• mgmt/admin interface

• Docs

• General platform and hardware/device specific checks

• Parameter identification (Identify inputs)

• Identify ALL Resources that appear to accept "user-defined" input

• HTTP OPTIONS

• HTTP TRACE/TRACK (cross-site tracing, XST)

• Comments

• Internal IP Disclosure

• Mgmt Interface Scanner

• /jmx-console

• /web-console

• Conf File Scanner

• /WEB-INF/web.xml

• /robots.txt

• /.htaccess

• /jmx-console site enumeration (not just identify presence of web console)

• /web-console site enumeration (not just identify presence of web console)

• File Include/Insertion Scanner (especially PHP)

• Authentication Scanner

• Basic/NTLM Identification

• Form-based Authentication Identification

• Username Enumeration

• User-dir

• Page Scraping

• Site Mirroring

• Google – Email Scraper

• Brute-Forcer

• Dictionary attacker

• Easy "dictionary" customization

• Default Password Tester

• By Platform

• Source Code Disclosure (e.g. %00, %20)

• Page pattern matcher (diff page structure vs. page content)

• Incorrect usage of eval()

• OS command shell

• Software Version Identification

• regex values

• window <title> names

• comments

• base platform

• Hidden Fields/Links Enumerator

• File Upload Enumerator

• Log File Scanner

• Temp Files

• Search Function for associated Vulns and software versions

• Ability to Reference Common Security Sites for Vulnerability Information

• Path Case-sensitivity enumerator

• Encodings Supported

• Servlet Mapper

• Local Search Engine Enumeration

• Google File/DIR mapper

• BackEnd DB Type Enumerator

• Application logic enumerator

• ActiveX, Java object enumerator

• LDAP Checks

• File Ext and Dir Mapper

• System Platform Type/Version Enumerator

• Supported File Types Enumerator

• Unmapped File Extensions

• Identifying "sensitive" data

• Web Framework and Application Fingerprinting

• Flash/Flex

• J2EE

• JBoss

• JRun

• Apache Foundation

• Web Server

• Tomcat

• Axis

• Ruby on Rails

• Zend

• Django

• Jakarta Struts (and other MVC architectures)

• Exposed Source-Code analysis (VM-like environment to run in)

• FireBug (pop-out?)
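
The "Cookie Collector and Checks" module above asks for flag inspection (HttpOnly, Secure, Domain, Path, Expires) and a randomization check. The block below is an added example of a minimal version of that module, not code from the OWASP project: it parses constructed Set-Cookie headers, flags session cookies missing protective attributes, and estimates session-ID randomness from several values collected for one cookie name by measuring per-position Shannon entropy and the positions that never change. The entropy figure is bounded by log2(number of samples) per position, so with the four constructed samples here it is a floor useful for comparing cookies, not a measurement of the generator; a real scanner would collect far more values.

```python
"""Added example (not from the OWASP spec page): Set-Cookie attribute checks
and a per-position entropy estimate for session identifiers."""
import math
from collections import Counter

# Names commonly used for session cookies (assumed list for the demo).
SESSION_NAMES = {"jsessionid", "phpsessid", "asp.net_sessionid", "sessionid", "sid", "cfid", "cftoken"}


def parse_set_cookie(header: str) -> dict:
    """Split 'name=value; Attr; Attr=val' into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def is_session_cookie(name: str) -> bool:
    lower = name.lower()
    return lower in SESSION_NAMES or "sess" in lower


def check_flags(cookie: dict, over_https: bool = True) -> list:
    """Findings for one parsed cookie; session cookies are held to the stricter bar."""
    attrs, findings = cookie["attrs"], []
    session = is_session_cookie(cookie["name"])
    if session and "httponly" not in attrs:
        findings.append("HttpOnly missing: value readable by script, XSS can steal the session")
    if session and over_https and "secure" not in attrs:
        findings.append("Secure missing: cookie will also be sent over plain HTTP")
    if session and ("expires" in attrs or "max-age" in attrs):
        findings.append("persistent session cookie: Expires/Max-Age set")
    if "domain" in attrs:
        findings.append(f"Domain={attrs['domain']}: shared with every subdomain")
    return findings


def shannon_bits(symbols) -> float:
    """Entropy in bits of the symbol distribution at one position."""
    counts, n = Counter(symbols), len(symbols)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def randomness_report(values: list) -> dict:
    """values: session IDs collected for one cookie name over repeated logins.

    fixed_positions are columns that never change (prefix, suffix, or the high
    digits of a counter); estimated_bits is the sum of per-position entropies.
    """
    if len({len(v) for v in values}) != 1:
        raise ValueError("IDs differ in length; analyse each length separately")
    width = len(values[0])
    per_position = [shannon_bits([v[i] for v in values]) for i in range(width)]
    return {
        "length": width,
        "fixed_positions": [i for i, h in enumerate(per_position) if h == 0.0],
        "estimated_bits": round(sum(per_position), 1),
        "max_measurable_bits": round(width * math.log2(len(values)), 1),
    }


# Constructed sample data.
SAMPLE_HEADERS = [
    "PHPSESSID=3fa9c1d2; path=/",
    "JSESSIONID=7A3F9B2C; Path=/app; Secure; HttpOnly",
    "prefs=lang%3Den; Domain=.example.test; Path=/; Expires=Wed, 09 Jun 2021 10:18:14 GMT",
]
WEAK_IDS = ["SESS-1000-A1", "SESS-1001-A1", "SESS-1002-A1", "SESS-1003-A1"]  # counter
STRONG_IDS = ["3fa9c1d2", "7b04e8a5", "c26d5f90", "e1b37c4b"]  # every position varies

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        cookie = parse_set_cookie(header)
        print(cookie["name"], cookie["attrs"], check_flags(cookie))
    print("weak:", randomness_report(WEAK_IDS))
    print("strong:", randomness_report(STRONG_IDS))
```

The counter-style IDs show eleven fixed positions and about two bits of variation, the hex IDs show none fixed and hit the measurable ceiling; in a real scan the fixed-position list is the quicker tell, since it exposes a structure (prefix plus sequence number) that an attacker can extrapolate without any statistics.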

_____________________________________________________________________________________

Reporting/Results:

• Database/XML compatible storage

• data correlation with other (HTTP) tools

• Automatic archiving of text, DB/SQL dumps and source files to a stored directory
