Application security

Websecurify Walkthrough, Web Application Penetration Testing Tool

Pavitra Shankdhar
December 4, 2012 by
Pavitra Shankdhar

[caption id="" align="alignright" width="200"] Websecurify Logo[/caption]

Information security is a very important thing for the modern Internet world. So, proper care must be taken while launching a web application over the Internet. There are so many companies which never think of their users' privacy and security, and launch their web applications without proper testing. This makes user information vulnerable and cyber criminals can use that information to make money.

11 courses, 8+ hours of training

11 courses, 8+ hours of training

Learn cybersecurity from Ted Harrington, the #1 best-selling author of "Hackable: How to Do Application Security Right."

Hackers are always in search of vulnerabilities, so we cannot take any chance and leave a single place which can be exploited by hackers. All companies that have some sort of work on the Internet must test their applications against various kinds of security vulnerabilities to protect their applications from hackers. Thankfully, there are many testing methods and tools available for this. Most companies hire a penetration testing company or an ethical hacker for security testing. The cost of this process depends on the company's resources and the application itself, but using easy-to-run web application penetration testing tools can reduce it.

Websecurify is one of those popular web application penetration testing tools. Unlike other automatic penetration testing tools, it is not fully automatic and it only shows the possible vulnerable points of the application. Therefore, you need to have manual testing skills before deciding to use Websecurify.

In this complete walkthrough, we will show how to use Websecurify to get better results, and what we must be careful of while performing penetration testing with it.

Important Features of Websecurify

The major features of Websecurify are the following:

  • Nice, user-friendly interface which is simple and easy to use
  • Good testing and scanning technology
  • Strong testing engine to detect URLs automatically
  • Extensible with many available add-ons
  • Available for major desktop and mobile platforms
  • Free version also available on all major platforms

As I said, Websecurify is not a fully automatic tool; it will only generate the possible URLs and parameters where vulnerabilities can exist. You will need to verify all those possible URLs and test them manually to confirm the vulnerability. This may sometimes take a while, but the tool's performance is good.

Which Vulnerabilities Can It Detect?

These are the main vulnerabilities that Websecurify can detect:

  • Cross site scripting
  • Cross site request forgery
  • Path disclosure
  • Internal errors
  • SQL injection
  • URL redirection
  • HTTP response splitting
  • Local and remote file include
  • Session cookies problem
  • Information disclosure problems
  • And many other vulnerabilities

Almost all popular vulnerabilities can be detected with the help of this security tool. SQLI, XSS and CSRF are among the main vulnerabilities exploited by hackers.

Download and Installation

First of all, you need to download Websecurify from its Official Website. Although it is a commercial product, you can use the open source version of Websecurify to test your application for free. You can download the open source version from Google Code. This tool is available for all major desktop and mobile platforms, including:

  • Windows
  • Mac
  • Linux
  • iOS
  • Android
  • Web App

This nice penetration testing tool is also available for Google Chrome and Mozilla Firefox. One thing worth mentioning here is that WebSecurify is the first and only web application penetration testing tool that is also designed to run direct from the browser with support for both Google Chrome and Mozilla Firefox.

I personally recommend using the desktop app for better performance but using the web browser extension also works well.

Web Application Penetration Testing with Websecurify

In this section, I will demonstrate the free desktop version of the Websecurify app for Windows.

To start, run the tool. It will show something like the screenshot below. The main window of the tool will have a splash screen that shows the platforms supported

[caption id="" align="alignnone" width="606"] Websecurify Splash Screen[/caption]

Click on the outer part of the tool to bypass the splash screen. Now you will see a large URL box at the top of the screen along with three icons at the left side.

[caption id="" align="alignnone" width="606"] Websecurify Main Window[/caption]

Input the URL of the website you want to test for security vulnerabilities in the URL box, and then press Enter to start the test.

[caption id="" align="alignnone" width="490"] Websecurify Main Window with URL entry[/caption]

A warning message will appear saying that you are about to start testing which may damage the application. You need to tick on the checkbox and click on continue to start the test.

[caption id="" align="alignnone" width="605"] Websecurify Warning Message[/caption]

Now it will start testing the application and you will see a progress bar.

Websecurify has a strong testing engine that automatically detects the application scope based on the the target URL. If the target URL is http://testingurl/app/app1, it will include the following rules:

  • http://testingurl/app/app1*
  • http://testingurl/app/*
  • https://testingurl/app/app1*
  • https://testingurl/app/*

Here, * denotes wild card characters.

You can also scan more than one website at a time, but it will list the entire probable vulnerable URL from all websites being scanned without any kind of grouping, so you will have to filter all the URLs for different websites and write at one place. To make your work easy, scan one by one. However, it depends on you whether you wish to scan one by one or all at once.

See the Progress of the Scan

To see the progress of the Scan, click on the gear icon at the left side. You will see the progress of URLs being scanned. It shows the percentage of of completion and the remaining files to scan. You can pause or stop the scan any time. To pause, you can click on the pause button at the right side of the progress bar. To stop, you can click on the stop button. I am sure you know the icons for pause and stop. These are same as on video players.

[caption id="" align="alignnone" width="606"] Progress of URLs being scanned[/caption]

See the Scan Results

To see the scan results, click on the third icon which looks like stats. After clicking on this, you will see a list of suspicious URLs grouped together by their possible vulnerabilities. This list is also sorted, with the most dangerous at the top. For example, SQL Injection will be listed above XSS.

[caption id="" align="alignnone" width="608"] Scanned Results[/caption]

After the scan is completed, you will get all the suspicious URLs that may contain some vulnerability. Now you will have to manually verify whether those vulnerabilities exist or not.

The only thing that I feel is missing from the tool is report. It does not allow exporting the list of vulnerabilities to PDF or any document type. You can copy them one by one or you can use the option to select all vulnerabilities and then copy-paste it. To make it easier, go through them one by one and confirm whether the vulnerability exists. If yes, then write it in a report file. If not, ignore the vulnerability.

How to Confirm Vulnerabilities Found by Websecurify

After full scanning, you will have a list of vulnerabilities, but there are a few things which you must know about this scanner. A lot of the time, it detects false positives, which usually includes cross site request forgery vulnerability in all the forms. After working 2-3 times with the tool, you will know why these false positives exist. You should try your best to confirm all the vulnerabilities listed by this tool without thinking that the tool also lists false ones. It has difficulty most of the times in finding a CSRF vulnerability but for others, it detects true. So try to confirm by all ways. I saw many people who fail to confirm the vulnerability and blame the tool for the false reporting while the vulnerability still exists.

What to Do if You Use Proxy Settings

If you use proxy settings to connect to the Internet, you also need to set up proxy configuration within the tool. Otherwise it will not be able to connect to the Internet and you will not be able to use this tool. For this, click on "Tool" in the menu and then Preferences.

Here you will find a "Preferences" dialogue box with some settings. In the General tab, you can configure your proxy settings. Click on settings in front of it.

[caption id="" align="alignnone" width="608"] Configure proxy settings in Websecurify[/caption]

Who Should You Use This Tool?

I personally use Websecurify and have detected so many security vulnerabilities including XSS and SQLi in some popular web applications (I cannot list the name of those website due to privacy reasons). But not all penetration testers can use this tool. Websecurify is for those who are also good in manual testing methods. If you think that this tool detects false vulnerabilities so it is just a waste of time, you are wrong. Most of the vulnerabilities take time and effort to confirm. If you are not able to confirm, it does not mean that the tool is wrong. But I agree that it detects false CSRF. For other vulnerabilities though, this tool still works fine without any problem. And most of the time, I use more than one scanner for a website and found that Websecurify works better and detects so many more vulnerabilities that are not detected by other popular automatic vulnerability scanners.

If you think you are good in manual vulnerability testing methods and can confirm the vulnerability listed, you should give Websecurify a try.

Why and Where does Websecurify list False Vulnerabilities?

There are some legitimate reasons behind the false reporting by the tool. And if you know those reasons well, you will be able to use this tool well. Sometimes while trying for XSS, it finds an injection string on a web page but while trying for JavaScript functions, the application actually blocks JavaScript.

If it is testing for URL redirection with some manual injection, the application has default redirection to some internal page. In this situation, it lists URL redirection while it is actually an internal redirection.

In most of the forms, it lists CSRF even though in most cases, forms are not vulnerable to CSRF. But it will list them all so that the penetration tester can check to ensure that all forms are secure enough.

Conclusion:

Websecurify is an average scanner that is available on almost all the available platforms including desktop and mobile platforms. If it is not available in your desired platform, you can use the web app version. Although it detects all of the major vulnerabilities, you will also have a list of false vulnerabilities. It will be hard to find and confirm the vulnerabilities from the list for a beginner tester. Sometimes, it detects internal URLs as URL redirection and all forms are CSRF affected forms. So the free version of the tool is not recommended as a professional testing tool. The paid version of this tool works better though, with a few more options which are not available in the free.

Still, there are some penetration testers who have had good experience on it, but they only use it for some specific kinds of vulnerabilities.

If you are a beginner or want to penetrate a web application in less time, I will never recommend the free version of Websecurify. It's simply not for a beginner who cannot confirm hard vulnerabilities.

If you think you are good enough in testing vulnerabilities manually, you can surely try Websecurify.

Pavitra Shankdhar
Pavitra Shankdhar

Pavitra Shandkhdhar is an engineering graduate and a security researcher. His area of interest is web penetration testing. He likes to find vulnerabilities in websites and playing computer games in his free time. He is currently a researcher with InfoSec Institute.