Application security

Free Web Application Scanners, Part 2

October 31, 2012 by Rorot

In the first part of this article, we looked at the need for free web application scanners and at a few of the tools available, covering their features, the steps to use them and their limitations. In this part, we continue with other free tools that are of great help to both web developers and security professionals.

XSS Me:

XSS Me is a tool for testing web applications for reflected cross-site scripting. It is installed as an add-on to the Mozilla Firefox browser. It is very helpful if you are concerned only about cross-site scripting vulnerabilities in your site, and it is easy to use and effective.

The tool identifies the entry points in a web page, mainly the available form fields, submits an XSS attack vector in each field and inspects the response to detect whether a vulnerability is present. It is from SecurityCompass and can be downloaded from the link below:

https://addons.mozilla.org/en-US/firefox/addon/xss-me/

Main Features of XSS Me:

  • It looks only for reflected cross site scripting attacks and not for stored XSS.
  • The power of this tool comes from the easy-to-use interface.

Steps to Scan:

  1. Download the add-on in Mozilla and restart the browser after installing it.
  2. Now go to Tools > XSS Me > Open XSS Me sidebar. Once this is done you will see a small window appear on the left side of your browser. (Press F10 if you are unable to find the 'Tools' menu.)
  3. Open a demo site, say http://demo.testfire.net/, in the browser and notice that the form fields available in the web page are shown in the XSS Me window as shown below. (In this case the parameters are txtSearch and go.) The current values entered in the web page are shown in XSS Me.

  4. Now select the form fields which you want to test, select either 'Run all tests' or 'Run top 9 tests' (this number can be changed under XSS Me Options) from the drop-down and click 'Execute'.
  5. 'Run top 9 tests' has been selected in this demo; when 'Execute' is clicked, new tabs open in the browser as shown below and a window pops up saying that the XSS tests are running.

  6. In a few seconds, the Results page opens, listing the vulnerable parameters in the web application.

Each result for a field falls into one of three categories: Failures, Warnings and Passes. As seen above, there were 3 Failures, 0 Warnings and 15 Passes. A Failure indicates that the value sent was found in the response without proper encoding. The tested values which resulted in a failure are shown in red in the format below. The same can be verified by manually entering these payloads into the fields.
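
The check XSS Me performs, written out as an added example (not code from the XSS Me add-on or from this article): discover the form fields on a page, submit a marker payload into each field in turn, and classify the response as a Failure when the payload is reflected without encoding, a Warning when the marker comes back but the dangerous characters were encoded or stripped, and a Pass when nothing is reflected. The three "applications" are constructed in-memory stand-ins so that the script runs offline; the field names txtSearch and go are taken from the demo site used above, everything else is assumed.

```python
"""Reflected-XSS check in the spirit of the XSS Me add-on.

Added example: not code from XSS Me or from the article.  The page and the
three target 'applications' are constructed stand-ins so it runs offline.
"""
import html
import re
from html.parser import HTMLParser

# Marker that will not occur in a page by accident.  The payload wraps it in the
# characters a reflected XSS vector needs; the test is whether '"', '<' and '>'
# survive unencoded, not whether a browser would execute anything.
MARKER = "xssme7q1"
PAYLOAD = f'"><{MARKER}>'


class FormFieldParser(HTMLParser):
    """Collect the form action and the names of its input fields."""

    def __init__(self):
        super().__init__()
        self.action = ""
        self.fields = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action = a.get("action", "")
        elif tag in ("input", "textarea", "select") and a.get("name"):
            self.fields.append(a["name"])


def discover_fields(page_html):
    """Return (form action, [field names]) for the form on the page."""
    parser = FormFieldParser()
    parser.feed(page_html)
    return parser.action, parser.fields


def classify(body):
    """Map a response body to the Failure / Warning / Pass categories."""
    if f"<{MARKER}>" in body:
        return "Failure"   # tag brackets reflected verbatim: unencoded output
    if MARKER in body:
        return "Warning"   # reflected, but the metacharacters were encoded or stripped
    return "Pass"          # not reflected at all


def scan(page_html, send):
    """Test every discovered field once, keeping benign values in the others."""
    _, fields = discover_fields(page_html)
    results = {}
    for field in fields:
        params = {name: "test" for name in fields}
        params[field] = PAYLOAD
        results[field] = classify(send(params))
    return results


# Constructed page modelled on the demo site's search form (field names as in the article).
SAMPLE_PAGE = """
<html><body>
<form id="frmSearch" method="get" action="/search.aspx">
  <input type="text" name="txtSearch" value="">
  <input type="submit" name="go" value="Go">
</form>
</body></html>
"""


def vulnerable_app(params):
    """Constructed stand-in: echoes the search term with no output encoding."""
    return f"<p>No results were found for the query: {params.get('txtSearch', '')}</p>"


def blacklist_app(params):
    """Constructed stand-in: strips <script> tags only, so other payloads pass straight through."""
    cleaned = re.sub(r"(?i)</?script[^>]*>", "", params.get("txtSearch", ""))
    return f"<p>No results were found for the query: {cleaned}</p>"


def hardened_app(params):
    """Constructed stand-in: HTML-encodes the term (quotes included) before reflecting it."""
    safe = html.escape(params.get("txtSearch", ""), quote=True)
    return f"<p>No results were found for the query: {safe}</p>"


if __name__ == "__main__":
    for name, app in [("vulnerable", vulnerable_app),
                      ("blacklist", blacklist_app),
                      ("hardened", hardened_app)]:
        print(name, scan(SAMPLE_PAGE, app))
```

The blacklist variant is the instructive case: it removes `<script>` tags yet still reports a Failure, because the payload never used that tag. Output encoding (the hardened variant) is what turns the result into a Warning, which is the state a developer wants to see for any field that is echoed back.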


Additional Information:

The XSS payloads sent are derived from the well-known RSnake XSS cheat sheet, and you can also import your own list. To view them, go to XSS Me > Options > XSS Strings. Similarly, you can change the number of attacks to test in the 'General' tab under Options. Overall it is a simple tool which you can use to identify reflected XSS vulnerabilities in your web application.

Websecurify:

The Websecurify scanner is part of the WebSuite project, which aims to provide comprehensive security coverage for web applications. The tool is entirely web based and can be run against your applications from the browser, but it works only in Mozilla Firefox and Google Chrome once the required extensions are installed. The vendor says that IE and Opera will be supported in future.

Main Features of Websecurify:

  • Provides good scan coverage.
  • Very easy to understand and provides a simple user interface to scan the applications.

Steps to Scan:

  1. Visit the website: http://www.websecurify.com/
  2. Enter the URL of the site to be scanned in the box which appears on the homepage, as shown below, and click the Enter button.

  3. As explained earlier, this tool works only in Mozilla Firefox and Chrome, and the required extensions/add-ons need to be installed. So on the first visit the message below is displayed in the Mozilla browser. Click on 'Websecurify Browser Extension', install the add-on and then visit the same page again.

  4. The screen below is shown. Select the check box corresponding to 'I understand the risk' and click Continue.

  5. The scan starts immediately and its progress is shown to the user.

  6. At the end of the scan, the results are displayed in the browser itself as shown below.

As shown, along with each vulnerability it provides details about the issue, the request and the vulnerable parameter, and looking at the range of issues identified by the tool, the scan coverage is really good. Below is the list of vulnerabilities identified by scanning the demo site used above.

List of Vulnerabilities Identified by the Tool:

SQL Injection, Cross-site Scripting, Carriage Return Linefeed Injection, Cross-site Request Forgery, Directory Listing Denied, Directory Listing Enabled, Email Disclosure, SQL Error, File Upload, WWW Authentication, Banner Disclosure, Session Cookie not HTTPOnly, IP Disclosure, Session Cookie not Secure, Discovered SOAP Service, Path Disclosure, Error Disclosure, Local File Include, User Disclosure, Open Redirect, Source Leakage.

Additional Information:

The Websecurify browser extension cannot tell whether the test is being carried out as an authenticated or an unauthenticated user. If you are logged in to the target application, the test runs as authenticated, because all requests carry the necessary information such as session cookies. If you want to run an authenticated test (scanning the pages available after login), make sure you are logged in to the target application during the test.

PowerFuzzer:

Powerfuzzer is an automated fuzzing tool which can be used to test for XSS, SQL injection, CRLF issues and more. Fuzzing involves automatically sending invalid or unexpected input to the application and observing the response (a crash, information leakage, etc.). The tool can be downloaded from the download section at the link below.

Link: http://www.powerfuzzer.com/

Once downloaded, double click the setup file to install the tool.

Main Features of Powerfuzzer:

  • Cross Site Scripting (XSS)
  • Injections (SQL, LDAP, code, commands, and XPATH)
  • CRLF
  • HTTP 500 statuses (misconfiguration/security flaw/buffer overflow)

Steps to Scan:

  1. Open the tool by clicking on the 'Powerfuzzer' application.
  2. Enter the target URL and click on the Scan button to start the scan.
  3. You can also enter credentials and a cookie value if you wish.
  4. Once the scan starts, Powerfuzzer lists the URLs it has crawled. As the scan progresses, more links are added to this list. This is how the tool looks after initiating the scan.

  5. If there are any links to be excluded, they can be specified under the exclude URL option.
  6. At the end of the scan, a new window opens automatically and presents the Scan Report, which lists the identified vulnerabilities. Below is a sample:

  • XSS (txtSearch) in http://demo.testfire.net/search.aspx

    Vulnerable URL: http://demo.testfire.net/search.aspx?txtSearch=<script>var+pf_687474703a2f2f64656d6f2e74657374666972652e6e65742f7365617263682e61737078_747874536561726368=new+Boolean();</script>

  • 500 HTTP Error code in http://demo.testfire.net/bank/login.aspx

    with params =btnSubmit=Login&passw=%2Fetc%2Fpasswd%00&uid=on

    coming from http://demo.testfire.net/bank/login.aspx
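
How a report like the one above comes about, as an added example (this is not Powerfuzzer's code or the article's): mutate one request parameter at a time with malformed inputs, and triage each response into the report categories by status code (HTTP 500) and by error-disclosure text in the body (database or framework error messages). The login handler is a constructed in-memory stand-in for the demo site's login page whose behaviour on an embedded null byte mirrors the 500 in the report; the parameter names uid, passw and btnSubmit come from the report, while the error signatures and the fuzz inputs are assumptions chosen for this example.

```python
"""Tiny fuzzing harness in the spirit of Powerfuzzer's scan report.

Added example: not Powerfuzzer's code or the article's.  The target is a
constructed in-memory handler, so the script runs offline.
"""
import re

# Generic malformed inputs: quote characters, an embedded null byte (the case
# in the report above), an over-long value and out-of-range numbers.
FUZZ_INPUTS = [
    "'",
    '"',
    "/etc/passwd\x00",          # URL-decoded form of %2Fetc%2Fpasswd%00
    "A" * 4096,
    "-1",
    "99999999999999999999",
]

# Response-body signatures for error disclosure.  Both patterns are assumptions
# chosen for this example, not Powerfuzzer's own rules.
ERROR_SIGNATURES = {
    "SQL Error": re.compile(
        r"(?i)(unclosed quotation mark|you have an error in your sql syntax|ora-\d{5}|sqlexception)"),
    "Stack Trace Disclosure": re.compile(
        r"(?i)(stack trace|traceback \(most recent call last\)|at [\w.]+\([^)]*\.(cs|java|py):\d+\))"),
}


def triage(status, body):
    """Return the report categories a single response falls into."""
    categories = []
    if status >= 500:
        categories.append("HTTP 500")
    for name, pattern in ERROR_SIGNATURES.items():
        if pattern.search(body):
            categories.append(name)
    return categories


def fuzz(send, base_params, inputs=FUZZ_INPUTS):
    """Mutate each parameter in turn; return one finding per (category, parameter, input)."""
    findings = []
    for name in base_params:
        for value in inputs:
            params = dict(base_params)
            params[name] = value
            status, body = send(params)
            for category in triage(status, body):
                findings.append({"category": category, "param": name,
                                 "input": value, "status": status})
    return findings


def summarize(findings):
    """Collapse findings to the (category, parameter) pairs a report would list."""
    return sorted({(f["category"], f["param"]) for f in findings})


def mock_login(params):
    """Constructed stand-in for the login handler; returns (status, body)."""
    uid = params.get("uid", "")
    passw = params.get("passw", "")
    if "\x00" in uid + passw:
        # Constructed behaviour: the handler dies on embedded nulls and leaks a stack frame.
        return 500, ("<h1>Server Error in '/' Application.</h1>"
                     "Stack trace: at Bank.Login.Page_Load(Login.aspx.cs:42)")
    if "'" in uid:
        # Constructed behaviour: the username is concatenated into SQL and the DB error is echoed.
        return 200, f"Login failed: Unclosed quotation mark after the character string '{uid}'."
    if len(uid) > 1024:
        return 500, "Internal Server Error"
    return 200, "Login Failed: this username or password was not found in our system."


if __name__ == "__main__":
    report = fuzz(mock_login, {"uid": "jsmith", "passw": "demo1234", "btnSubmit": "Login"})
    for category, param in summarize(report):
        print(f"{category} in ({param})")
```

The triage step is where a scanner's value lies: a 500 on its own says a request was not handled, while the body signatures separate a bare server error from one that leaks query text or source locations, which is what the "SQL Error" and "Error Disclosure" entries in the Websecurify list above refer to.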

Webscarab:

Webscarab is an open source tool which can be used for web application security testing. Apart from its role as an intercepting proxy, Webscarab offers other useful functionality such as spidering, XSS/CSRF detection, session ID analysis and more. An intercepting proxy is a tool that any web application security professional should master in order to perform security analysis: a great deal can be done between intercepting a request and forwarding the modified request. Webscarab is implemented in Java and is therefore portable to any platform. It can be downloaded from the link below.

Link: http://www.net-security.org/software.php?id=504

To start Webscarab you just need to double-click the jar file you downloaded. Note that Webscarab opens by default in 'Lite' mode; full mode can be selected under the 'Tools' menu, after which you must restart the program. By default Webscarab listens on port 8008, but this can be changed if required.

At first glance the tool looks simple and the interface may not be flashy, but it has a lot of interesting features to explore. Let's have an overview of the options present in this tool. This is how Webscarab looks when opened.


Main Features of Webscarab:

  • Serves as an intercepting proxy.
  • Detects XSS/CRLF: comes with a plugin that searches for user-supplied data in HTTP response headers and body to identify CRLF injection (HTTP response splitting) and reflected cross-site scripting vulnerabilities.
  • Fuzzer: can be used to fuzz request data to detect improper input validation and similar issues.
  • Web Services scanning: can be used to analyse web service vulnerabilities.
  • SessionID Analysis: helps in analysing the randomness of the session identifiers used by a web application.

The sections below explain how to use Webscarab as an intercepting proxy and for session ID analysis. Any questions regarding the usage of the other functionality are welcome.

Intercepting Proxy:

This is the main purpose of the tool. Configure your browser (say IE) to use a proxy server with address 127.0.0.1 and port 8008. Now type a URL and press Enter. You will notice that your request has been intercepted by Webscarab (an Edit Request window pops up, as shown below).

As shown above, you can edit any content you want and forward the request to the server by clicking the 'Accept all changes' button. Thus you can analyse the traffic, modify the parameters and observe the response using this tool.

Spidering:

All the sites you visit are listed under the Summary section. Right-click on a site of your choice and select 'Spider tree' to view the list of URLs under that site. Webscarab starts spidering the site immediately and presents you with the list of links available on it. Below is a sample spidering screenshot for the site demo.testfire.net.


Manual Request Sending:

You can send manual requests to a site under the 'Manual Request' section. This is similar to Repeater in the Burp proxy tool. A request can be sent and the corresponding response is displayed below it.

SessionID Analysis:

You can use Webscarab to estimate the strength of the session IDs generated by a web application. It collects samples and analyses them to see how random the session IDs are. Start Webscarab and log in to a site to analyse its session ID strength. Navigate inside the application to generate a few requests and responses; you can analyse the traffic to notice when the cookies are set. Once this is done, log out of the application. In Webscarab go to Session ID Analysis --> Collection and notice the drop-down list named 'Previous Requests'. Under this you can select a particular request from your history to analyse. The 'Test' button can be used to verify the session identifiers associated with the selected request. Enter the number of samples to be collected (generally, the greater the number the better the analysis) and click 'Fetch' to fetch the data.

After this go to the 'Analysis' tab. Here you need to select your session ID from the 'Session Identifier' drop-down list. The table is populated with the samples collected by the tool, and Webscarab compares the data in these samples to estimate the randomness of the session identifiers.

The 'Visualization' tab gives a visual representation of the strength of the session IDs collected. Webscarab is a great open source tool for analysing the strength of session IDs, and it can similarly be used to test for many other critical security vulnerabilities.
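
What "comparing the samples to estimate randomness" can look like in practice, as an added example (this is not Webscarab's code or the article's, and Webscarab's own analysis is not reproduced here): given a list of collected session identifiers, measure how much each character position varies across the samples (Shannon entropy), check whether consecutive identifiers differ by a predictable step when read as integers, and check for duplicates. The two sample sets are constructed in the script so that it runs offline, one from a plain counter and one from the operating system's CSPRNG via `secrets`; the verdict thresholds are assumptions chosen for this example.

```python
"""Session ID randomness estimate in the spirit of Webscarab's SessionID Analysis.

Added example: not Webscarab's code or the article's.  Sample sets are
constructed below so the script runs offline.
"""
import math
import secrets
from collections import Counter


def per_position_entropy(samples):
    """Shannon entropy in bits of the symbol at each character position across the samples."""
    n = len(samples)
    width = len(samples[0])
    entropies = []
    for pos in range(width):
        counts = Counter(s[pos] for s in samples)
        entropies.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return entropies


def sequential_deltas(samples, base=16):
    """Differences between consecutive identifiers read as integers.

    A single repeated delta (or only a handful of distinct ones) means the next
    identifier can be predicted from the previous one, whatever the alphabet.
    """
    values = [int(s, base) for s in samples]
    return [b - a for a, b in zip(values, values[1:])]


def assess(samples, base=16):
    """Summarise a sample set; the verdict thresholds are assumptions for this example."""
    if len(set(map(len, samples))) != 1:
        raise ValueError("identifiers must have a uniform length to compare positions")
    entropies = per_position_entropy(samples)
    # Summing per-position entropy ignores correlations between positions, so it
    # is an upper bound on the real entropy: a generator that fails this bound is
    # certainly weak; one that passes it is not thereby proven strong.
    estimated_bits = sum(entropies)
    deltas = sequential_deltas(samples, base)
    distinct_deltas = len(set(deltas))
    duplicates = len(samples) - len(set(samples))
    weak = (estimated_bits < 64
            or distinct_deltas < len(deltas) / 2   # mostly repeated steps: predictable
            or duplicates > 0)
    return {
        "width": len(samples[0]),
        "varying_positions": sum(1 for h in entropies if h > 0),
        "estimated_bits": round(estimated_bits, 1),
        "distinct_deltas": distinct_deltas,
        "duplicates": duplicates,
        "verdict": "weak" if weak else "no obvious weakness",
    }


def constructed_counter_ids(n, start=0x5F2A1000):
    """Constructed weak generator: a counter padded to 32 hex digits."""
    return [f"{start + i:032x}" for i in range(n)]


def constructed_random_ids(n):
    """Constructed strong generator: 128 random bits per identifier from secrets."""
    return [secrets.token_hex(16) for _ in range(n)]


if __name__ == "__main__":
    for label, ids in [("counter", constructed_counter_ids(256)),
                       ("secrets", constructed_random_ids(256))]:
        print(label, assess(ids))
```

The counter set looks like a 128-bit identifier but only two of its 32 positions ever change and every delta is 1, so it is flagged as weak on both counts; the `secrets` set varies in every position and its deltas are all distinct. As the comment in `assess` notes, the per-position sum is only an upper bound, which is why a "no obvious weakness" verdict is phrased as the absence of a finding rather than proof of strength.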

This completes the second and last part of the 'Free Web Application Scanners' series. Happy scanning!!

Rorot

Rorot (@rorot333) is an Information Security Professional with 5.5 years of experience in Penetration testing & Vulnerability assessments of web and mobile applications. He is currently a security researcher at Infosec Institute. Twitter: @rorot333 Email: rorot33@gmail.com