Web application scanners are a rather popular category of software today. There are paid scanners, there are free. Each of them has its own set of parameters and vulnerabilities that can be detected. Some are limited only to those published in the OWASP Top Ten (Open Web Application Security Project), some go much further in their black-box testing.
In this post, we collected eight popular scanners, examined them in more detail and tried it out.
As the name suggests, the OWASP organization that we mentioned in the introduction is responsible for the release of the OWASP ZAP . This is a free tool for penetration testing and for finding vulnerabilities in web applications.
Main features of OWASP ZAP:
- Man-in-the-middle Proxy
- Traditional and AJAX spiders
- Automated scanner
- Passive scanner
- Forced browsing
- Fuzzer
Let’s move on to the tests. While scanning a site php.testsparker.com Blind SQL Injection was found. At this critical vulnerabilities end.
Full OWASP ZAP results on php.testsparker.com
H: Advanced SQL Injection – AND boolean-based blind – WHERE or HAVING clause
M: X-Frame-Options Header Not Set
L: X-Content-Type-Options Header Missing
L: Web browser xss protection is not enabled
At premium.bgabank.com we see more interesting results: the Server Side Include (SSI) and Reflected Cross Site Scripting feature was found.
Complete OWASP ZAP results on premium.bgabank.com
H: Server Side Include
H: Reflected Cross Site Scripting
M: X-Frame-Options Header Not Set
M: Application Error Disclosure
M: Directory Browsing
M: Secure Pages Include Mixed Content (Including Scripts)
L: X-Content-Type-Options Header Missing
L: Web browser xss protection is not enabled
L: Cross-Domain JavaScript Source File Inclusion
L: Incomplete or No Cache-control and Pragma HTTP Header Set
L: Cookie No HttpOnly Flag
L: Cookie Without Secure Flag
L: Content-Type Header Missing
L: Private IP Disclosure
I: Image Exposes Location or Privacy Data
In general, we liked working with OWASP ZAP. There are all the necessary tools for pentest web applications, simple and intuitive interface, quick scanning in one click. And at the same time flexible, deep settings for a more detailed scan, which can serve as a starting point for further manual search for vulnerabilities. Below we will talk about the Burp Suite Pro scanner, which has a lot in common with the OWASP ZAP. In terms of the quantity and quality of the vulnerabilities found, the first scanner we reviewed showed a very good result. Recommended for use in work.
W9scan is a free console site vulnerability scanner with over 1200 built-in plug-ins that can detect web page footprints, ports, analyze web site structure, find various popular vulnerabilities, scan for SQL Injection, XSS, etc.
W9scan automatically generates HTML scan reports. To start the scan, you only need to specify the URL of the site and the plugins to be used. You can select everything at once by adding “all”.
While scanning php.testsparker.com, W9scan found svn and possible payload download paths. Of the less critical, he determined the versions of the services used, the possible vectors for conducting the XXE, XXS attacks, found the server configuration files and conducted a search for subdomains.
On the website premium.bgabank.com nothing critical was found. But the scanner identified possible vectors for the attacks, the versions of services, directories and subdomains were determined.
Based on the scan results, W9scan automatically generates a report file in HTML format.
W9scan scanner is suitable for quick launch into one command and we recommend using it as an auxiliary tool for determining service versions as well as potential attack vectors.
Another good console scanner . As well as W9scan, it is ready to start in one team, while it has more different scan settings.
Wapiti searches for the following vulnerabilities:
- File disclosure (Local and remote include / require, fopen, readfile …)
- Database Injection (PHP / JSP / ASP SQL Injections and XPath Injections)
- XSS (Cross Site Scripting) injection (reflected and permanent)
- Command Execution detection (eval (), system (), passtru () …)
- CRLF Injection (HTTP Response Splitting, session fixation …)
- XXE (XML External Entity) injection
- SSRF (Server Side Request Forgery)
- Use of know potentially dangerous files
- Weak .htaccess configurations that can be bypassed
- Presence of backup files giving sensitive information
- Shellshock
In addition to all of the above, there is support for proxies (HTTP, HTTPs, and SOCKS5), various authentication methods (Basic, Digest, Kerberos, NTLM), support for SSL certificates, the ability to add various HTTP headers or user-agent settings.
When scanning a site php.testsparker.com vulnerabilities were found Blind SQL Injection, Cross Site Scripting, Commands execution. On premium.bgabank.com Wapiti compared with other scanners shows not such outstanding results: only Cross Site Scripting was detected.
The results of the scanner also generate a report in HTML format, which contains the categories and number of found vulnerabilities, their description, requests, commands for curl, and tips on how to close the found security holes.
As expected, the Wapiti does not reach the level of the OWASP ZAP, of course.Nevertheless, it worked better than W9scan , although no directories, subdomains, or versioning of services were searched.
Powerful free combine for web application security testing and vulnerability search. It has a graphical interface and great functionality, which you can read more about on the official website .
Active Testing:
- SQL injection – Error based detection
- Blind SQL injection using differential analysis
- Blind SQL injection using timing attacks
- NoSQL injection – Error based vulnerability detection
- Blind NoSQL injection using differential analysis
Passive testing:
- Allowed HTTP methods
- Backup files
- Backup directories
- Common administration interfaces
- Common directories
- Common files
Impressive, isn’t it? But that’s not all. A bunch of plugins are wrapped in the web, for example, Passive Proxy, Dictionary attacker for HTTP Auth, Cookie collector, WAF Detector, etc.
The scanner has a nice and concise web interface.
And that’s what found Arachni on our test sites. Php.testsparker.com :
- Cross-Site Scripting (XSS) in script context
- Blind SQL Injection (differential analysis)
- Code injection
- Code injection (timing attack)
- Operating system command injection (timing attack)
- Operating system command injection
On premium.bgabank.com , only the possibility of intersite request forgery (CSRF) was discovered from critical.
Separately, we note what kind of reports Arachni gives us. Many formats are supported – HTML, XML, text, JSON, Marshal, YAML, AFR.
In general, Arachni leaves only positive impressions after work. Our opinion: this is the “Must have” in the arsenal of any self-respecting specialist.
Another web vulnerability scanner with a graphical interface. By default, it is included in the Kali Linux distribution and installed locally there. It has a built-in proxy, through which sites are added for analysis, an embedded web spider capable of analyzing a site and building a map of requests.
To scan a user’s personal account, you need to log in to the browser with traffic redirection through the Paros proxy enabled. The scanner will use authorized cookies during the scan. Work report can be exported to HTML. It is saved to the root / paros / session / LatestScannedReport.htm file and is overwritten later. If you want to save the result of the previous scan, before starting the next scan you need to create a copy of the existing file.
Key features (with an eye on OWASP TOP 10 2017):
- A1: Injection – SQLinjection, SQLinjection Fingerprint (places where SQLinj could potentially be)
- A6: Security Misconfiguration – Directory browsing, ISS default file, Tomcat source file disclosure, IBM WebSphere default files and some other standard or obsolete files (Obsolete file) containing source code and more.
- A7: XSS
Additional features:
- Search for included autocomplete for password forms. Moreover, if the input field has an attribute type = “password”, a false positive is obtained.
- CRLF injection
- Secure page browser cache (caching pages in the browser with important information)
- Ability to scan the user’s protected area (personal account)
- Ability to scan web applications on the local network
In our testing, Paros showed rather weak results. On php.testsparker.com were found:
H: SQL injection
M: XSS
M: Legacy source files
M: Use autocomplete in forms with important information (passwords, etc.).
L: Internal IP discovery
On premium.bgabank.com and even less:
M: Directory browsing
M: Use autocomplete in forms with important information (passwords, etc.).
As a result, although the Paros scanner is simple and easy to use, weak scan results force it to be abandoned.
Paid multifunctional cloud scanner that can find a large number of web vulnerabilities and almost completely covers OWASP TOP 10 2017.
The service has a built-in web spider. If you specify authorization data in the scan settings (authorization request, login and password, authorized cookies), then the scanner will also check your personal account (authorized user zone).
In addition to scanning web applications, Tenable.io can scan the network, both for known vulnerabilities and to search for hosts. It is possible to connect agents to scan the internal network. It is possible to export the report to various formats: * .nessus, * .csv, * .db, * .pdf.
We scan php.testsparker.com . High priority vulnerabilities:
H: Component Vulnerabilities
– PHP version out of support
– out of support version of Apache
H: Code injection
H: SQLinj
H: XSS
H: LFI
H: Path Traversal
Now premium.bgabank.com . High priority vulnerabilities:
H: Component Vulnerabilities
- out of support php version
- Apache vulnerabilities
- Bootstrap vulnerabilities
- jQuery vulnerabilities
Scanner Tenable.io proved to be good, found many vulnerabilities . Work with him simplifies user-friendly graphical interface and data presentation. Another plus is the presence of additional scanning profiles, in which we have decided not to dig in yet. An important feature is the cloud structure of the service. On the one hand, the service does not use the local computing resources of the working computer.On the other hand, it will not be able to scan web applications on the local network.
Burp Suite is a complete web application verification solution . It includes a variety of utilities to improve and speed up the search for vulnerabilities in web applications.
The Burp Suite includes the following utilities:
- Proxy is a proxy server that intercepts HTTP (S) traffic in man-in-the-middle mode. Located between the browser and the target web application, this utility allows you to intercept, examine and modify traffic going in both directions.
- Spider is a web spider that automatically collects information about the content and functionality of the application (web resource).
- Scanner (only in Burp Suite Pro) – a scanner to automatically search for vulnerabilities in web applications.
- Intruder is a flexible utility that allows you to automatically perform attacks of various types. For example, enumeration of identifiers, collection of important information and so on.
- Repeater is a tool for manually changing and re-sending individual HTTP requests, as well as for analyzing application responses.
- Sequencer is a utility for analyzing random application data on the ability to predict the algorithm of their generation.
- Decoder is a utility for manual or automatic encoding and decoding application data.
- Comparer is a tool for finding visual differences between two data variations.
- Extender – tool to add extensions to Burp Suite
The Scanner utility is presented in the tab of the Burp Suite main window of the same name.
All vulnerabilities are divided into 3 categories: high, medium, low. There is also a category of information, which includes mechanisms for collecting various useful information about the scanned resource.
When we run the scan in the Scan queue window, we can monitor the progress in stages. “Color differentiation of pants” is present.
In general, Burp Suite Pro showed a good result. When scanning php.testsparker.com , enough vulnerabilities were found and classified to gain complete control over the web application and its data – this is both OS command injection, and SSTI, and File path traversal.
The site premium.bgabank.com found:
H: Cross-site scripting (reflected)
M: SSL cookie without secure flag set
M: SSL certificate (not trusted or expired)
L: Cookie without HttpOnly flag set
L: Password field with autocomplete enabled
L: Strict transport security not enforced
If you often use Burp Suite for web pentest , you like its ecosystem, but I would like to somehow automate the process of searching for vulnerabilities, then this utility will perfectly fit into your arsenal .
In conclusion – another very good commercial scanner . It is very actively promoted through advertising, but Acutenix would not succeed without its extensive functionality. Among the vulnerabilities available to him for detecting vulnerabilities are all types of SQL injection, Cross site scripting, CRLF injection and other pleasures of the web application pentester. It is worth noting that for high-quality scanning is required to select the correct profile.
All identified vulnerabilities traditionally fall into four categories: High, Medium, Low. Well and where without the category Information, which includes all the interesting, according to the scanner, data.
After the scan is completed on the Vulnerabilities tab, we can familiarize yourself with what and how much was found. Color differentiation in place.
In the test for php.testsparker.com the scanner showed a good result, but with premium.bgabank.com frankly let us down.
Acunetix has great features and is suitable if you are looking for a stand-alone solution . The web interface is simple and straightforward, infographics and reports look quite digestible. There may be misfires when scanning, but, as Tony Stark said: “This happens to men. Infrequently. One time out of five.
Grand total
And now the findings for all tested scanners.
- OWASP ZAP we liked. Recommended for use.
- We recommend using W9scan as an auxiliary tool for determining versions and services, as well as potential attack vectors.
- Wapiti to OWASP ZAP does not reach, but we have worked better than W9scan.
- Arachni is just a “must-have”.
- Paros scans poorly and we do not recommend it.
- Tenable.io is good, finds a lot of vulnerabilities. But it is worth considering that it is cloudy.
- Burp Suite Pro we advise those who like the Burp Suite ecosystem, but lack automation.
- Acunetix is suitable for those who are looking for a scanner as a stand-alone application.
About The Author: Yotec Team
More posts by Yotec Team