Web Application Vulnerability Scanners are tools designed to automatically scan web applications for potential vulnerabilities. These tools differ from general vulnerability assessment tools in that they do not perform a broad range of checks on a myriad of software and hardware. Instead, they perform other checks, such as potential field manipulation and cookie poisoning, which allow a more focused assessment of web applications by exposing vulnerabilities of which standard VA tools are unaware.
Web Application Security
Web Applications Issues
- Scripting issues
- Sources of input: forms, text boxes, dialog windows, etc.
- Multiple charset encodings (UTF-8, ISO-8859-15, UTF-7, etc.)
- Regular expression checks
- Header integrity (e.g. multiple HTTP Content-Length headers, HTTP Response Splitting)
- Session handling/fixation
- Cookies
- Framework vulnerabilities (Java Server Pages, .NET, Ruby on Rails, Django, etc.)
- Success control: front door, back door vulnerability assessment
- Penetration attempts versus failures
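As an added example (not from the original post or from OWASP), a minimal header-integrity check of the kind a scanner runs on a server response, covering the two conditions named in the list above: duplicate Content-Length headers that disagree, and bare CR or LF bytes inside the header block, which is the line-termination ambiguity HTTP Response Splitting relies on. The sample responses are constructed.

```python
"""Header-integrity checks over a raw HTTP response (added example, constructed input)."""
import re
from typing import List, Tuple

# A CR not followed by LF, or an LF not preceded by CR: an ambiguous line ending.
_BARE_EOL = re.compile(rb"\r(?!\n)|(?<!\r)\n")


def parse_headers(head: bytes) -> List[Tuple[str, str]]:
    """Return (name, value) pairs from a response head, keeping order and duplicates."""
    lines = head.split(b"\r\n")[1:]  # the first line is the status line
    pairs = []
    for line in lines:
        name, sep, value = line.partition(b":")
        if sep:
            pairs.append((name.strip().lower().decode("latin-1"),
                          value.strip().decode("latin-1")))
    return pairs


def header_findings(raw: bytes) -> List[str]:
    """Findings for one raw response; an empty list means both checks passed."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    findings = []
    if _BARE_EOL.search(head):
        findings.append("bare CR or LF inside header block")
    lengths = [v for n, v in parse_headers(head) if n == "content-length"]
    if len(set(lengths)) > 1:
        findings.append("conflicting Content-Length values: " + ", ".join(lengths))
    if any(not v.isdigit() for v in lengths):
        findings.append("non-numeric Content-Length")
    return findings


# Constructed sample responses: one clean, one carrying both defects.
CLEAN = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\nhello"
BROKEN = (b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\nContent-Length: 50\r\n"
          b"Location: /home\nX-Injected: 1\r\n\r\nhello")

if __name__ == "__main__":
    for label, resp in (("clean", CLEAN), ("broken", BROKEN)):
        print(label, header_findings(resp) or "ok")
```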
Technical vulnerabilities
- Unvalidated input:
  . Tainted parameters - Parameters used in URLs, HTTP headers, and forms are often used to control and validate access to sensitive information.
  . Tainted data
- Cross-Site Scripting flaws:
  . XSS takes advantage of a vulnerable web site to attack clients who visit that web site. The most frequent goal is to steal the credentials of users who visit the site.
- Content Injection flaws:
  . Data injection
  . SQL injection - SQL injection allows commands to be executed directly against the database, allowing disclosure and modification of data in the database.
  . XPath injection - XPath injection allows an attacker to manipulate the data in the XML database.
  . Command injection - OS and platform commands can often be used to give attackers access to data and escalate privileges on backend servers.
  . Process injection
- Cross-Site Request Forgeries
Security Vulnerabilities
- Denial of Service
- Broken access control
- Path manipulation
- Broken session management (synchronization timing problems)
- Weak cryptographic functions, unsalted hashes
Architectural/Logical Vulnerabilities
- Information leakage
- Insufficient authentication
- Password change form disclosing detailed errors
- Session-idle destruction not consistent with policies
- Spending a deposit before the deposited funds are validated
Other vulnerabilities
- Debug mode
- Thread safety
- Hidden form field manipulation
- Weak session cookies: Cookies are often used to transmit sensitive credentials, and are often easily modified to escalate access or assume another user's identity.
- Fail-open authentication
- Dangers of HTML comments
Commercial tools
- Acunetix WVS by Acunetix
- AppScan DE by IBM/Watchfire, Inc.
- Hailstorm by Cenzic
- N-Stealth by N-Stalker
- NTOSpider by NTObjectives
- WebInspect by HP/SPI-Dynamics
- WebKing by Parasoft
- elanize's Security Scanner by Elanize KG
- MileScan Web Security Auditor by MileSCAN Tech
Free/OpenSource Tools
- Grabber by Romain Gaucher
- Grendel-Scan by David Byrne and Eric Duprey
- Nikto by Sullo
- Pantera by Simon Roses Femerling (OWASP Project)
- Paros by Chinotec
- Spike Proxy by Immunity (Now as OWASP Pantera)
- WebScarab by Rogan Dawes of Aspect Security (OWASP Project)
- Wapiti by Nicolas Surribas
- W3AF by Andres Riancho
A more complete list of tools is available on the OWASP Phoenix/Tools page.
Taken from http://unlugarsinfin.blogspot.es