Welcome, Hacker.
Join the community to take advantage of all its opportunities
Sign up

Method Automated Web Vulnerability Scan: Applications




Aug 4, 2019
Many people ask about automatic vulnerability search, which software exists at the moment, out of a large number I chose “mast-head”
Independent points on two platforms (.NET and php) were selected as training targets: To view the link, you must: Sign In or Sign Up and To view the link, you must: Sign In or Sign Up .

I'll start from the very beginning, with some axiom

XSS vulnerabilities in the Belarusian Sberbank web interface



Burp suite pro

Burp Suite is a complete web application review solution. It includes a variety of utilities to improve and speed up the search for vulnerabilities in web applications.

Burp Suite has the following utilities:

  • Proxy - a proxy server that intercepts traffic passing through the HTTP (S) protocol in man-in-the-middle mode. Between the browser and the target web application, this utility allows you to intercept, examine and change traffic going in both directions.
  • Spider is a web spider that automatically collects information about the contents and functionality of an application (web resource).
  • Scanner (only in Burp Suite Pro) - a scanner for automatically searching for vulnerabilities in web applications.
  • Intruder - a flexible utility that allows you to automatically carry out attacks of various kinds. For example, iterating through identifiers, collecting important information, and more.
  • Repeater is a tool for manually modifying and resending individual HTTP requests, as well as for analyzing application responses.
  • Sequencer - a utility for analyzing random application data for the ability to predict the algorithm for generating them.
  • Decoder is a utility for manually or automatically encoding and decoding application data.
  • Comparer is a tool for finding visual differences between two data variations.
  • Extender - a tool for adding extensions to Burp Suite

The Scanner utility is presented in the eponymous tab of the main window of the Burp Suite program. The interface is English-speaking, but who can this scare off now?


The Issue Definition tab provides a complete list of all vulnerabilities that this scanner can identify. It should be noted that the list is very impressive.


All vulnerabilities are divided into 3 categories: high, medium, low. There is also a category of information, which includes mechanisms for collecting various useful information about the scanned resource.
When starting a scan in the Scan queue window, we can observe the progress in stages. "Color differentiation of pants" is present.


On the Options tab, the basic settings for scanning parameters are performed.


For convenience, the options are divided into categories. If necessary, you can get help for each category directly from the settings window.


In general, Burp Suite Pro showed a good result. When scanning php.testsparker.com , enough vulnerabilities were found and classified to gain full control over the web application and its data - these are OS command injection, SSTI, and File path traversal.

Burp Suite Pro full results at php.testsparker.com
H: OS command injection
H: File path traversal
H: Out-of-band resource load (HTTP)
H: Server-side template injection
H: Cross-site scripting (reflected)
H: Flash cross-domain policy
H: Silverlight cross-domain policy
H: Cleartext submission of password
H: External service interaction (DNS)
H: External service interaction (HTTP)

M: SSL certificate (not trusted or expired)
L: Password field with autocomplete enabled
L: Form action hijacking (reflected)
L: Unencrypted communications
L: Strict transport security not enforced

On premium.bgabank.com website were found:

H: Cross-site scripting (reflected)
M: SSL cookie without secure flag set
M: SSL certificate (not trusted or expired)
L: Cookie without HttpOnly flag set
L: Password field with autocomplete enabled
L: Strict transport security not enforced


A very good commercial To view the link, you must: Sign In or Sign Up . It is very actively promoted through advertising, but Acutenix would not have been successful without its extensive functionality. Among the vulnerabilities available to him for detection are all types of SQL injection, Cross site scripting, CRLF injection and other pleasures of the pentester of web applications. It should be noted that for high-quality scanning, you need to select the correct profile.

The dashboard interface is nice:


All identified vulnerabilities are traditionally divided into four categories: High, Medium, Low. Well, and where without the Information category, which includes all the interesting data, according to the scanner.


On the Scans tab, we can observe the progress of scanning and other diagnostic information.


After the scan is completed, on the Vulnerabilities tab, we can get acquainted with what and in what quantity was found. Color differentiation in place.

In the test on php.testsparker.com the scanner showed a good result, but with premium.bgabank.com frankly let us down .

Full Acunetix Results

H: Apache 2.2.14 mod_isapi Dangling Pointer
H: Blind SQL Injection
H: Cross site scripting
H: Cross site scripting (verified)
H: Directory traversal
H: file inclusion
H: PHP code injection
H: Server-side template injection
H: SVN repository found
H: User controllable script source

M: Access database found
M: Apache 2.x version older than 2.2.9
M: Apache httpd remote denial of service
M: Apache httpOnly cookie disclosure
M: Application error message
M: Backup files
M: Directory listing
M: HTML form without CSRF protection
M: Insecure clientaccesspolicy.xml file
M: Partial user controllable script source
M: PHP hangs on parsing particular strings as floating point number
M: PHP preg_replace used on user input
M: Source code disclosure
M: User credentials are sent in clear text
L: Apache 2.x version older than 2.2.10
L: Apache mod_negotiation filename bruteforcing
L: Clickjacking: X-Frame-Options header missing
L: Login page password-guessing attack
L: Possible relative path overwrite
L: Possible sensitive directories
L: Possible sensitive files
L: TRACE method is enabled


L: Clickjacking: X-Frame-Options header missing

Acunetix has great features and is suitable if you are looking for a stand-alone solution . The web interface is simple and clear, infographics and reports look quite digestible. Misfires are possible during scanning, but, as Tony Stark said: “This happens to men. Infrequently. One out of five. "


A powerful free processor for testing web application security and vulnerability search. It has a graphical interface and huge functionality, which can be found in more detail on the To view the link, you must: Sign In or Sign Up .

Active testing:
  • SQL injection - Error based detection
  • Blind SQL injection using differential analysis
  • Blind SQL injection using timing attacks
  • NoSQL injection - Error based vulnerability detection
  • Blind NoSQL injection using differential analysis

Full list of features for active testing
  • CSRF detection
  • Code injection
  • Blind code injection using timing attacks
  • LDAP injection
  • Path traversal
  • File inclusion
  • Response splitting
  • OS command injection
  • Blind OS command injection using timing attacks
  • Remote file inclusion
  • Unvalidated redirects
  • Unvalidated DOM redirects
  • XPath injection
  • Xss
  • Path xss
  • XSS in event attributes of HTML elements
  • XSS in HTML tags
  • XSS in script context
  • DOM XSS script context
  • Source code disclosure
  • XML External Entity [
Passive testing:
  • Allowed HTTP methods
  • Backup files
  • Backup directories
  • Common administration interfaces
  • Common directories
  • Common files
Complete list of passive testing features
  • Insufficient Transport Layer Protection for password forms
  • WebDAV detection (webdav).
  • HTTP TRACE detection
  • Credit card number disclosure
  • CVS / SVN user disclosure
  • Private IP address disclosure
  • Common backdoors
  • .htaccess LIMIT misconfiguration
  • Interesting responses
  • HTML object grepper
  • Email address disclosure
  • US Social Security Number disclosure
  • Forceful directory listing
  • Mixed resource / scripting
  • Insecure cookies
  • HttpOnly cookies
  • Auto-complete for password form fields.
  • Origin Spoof Access Restriction Bypass
  • Form-based upload
  • localstart.asp
  • Cookie set for parent domain
  • Missing Strict-Transport-Security headers for HTTPS sites
  • Missing x-frame-options headers
  • Insecure CORS policy
  • Insecure cross-domain policy
  • Insecure cross-domain policy
  • Insecure client-access policy
Impressive, isn't it? But that is not all. A bunch of plug-ins are also wrapped in the web, for example Passive Proxy, Dictionary attacker for HTTP Auth, Cookie collector, WAF Detector, etc.

The scanner has a nice and concise web interface:


And this is what Arachni found on our test sites. Php.testsparker.com :
  • Cross-Site Scripting (XSS) in script context
  • Blind SQL Injection (differential analysis)
  • Code injection
  • Code injection (timing attack)
  • Operating system command injection (timing attack)
  • Operating system command injection
Other vulnerabilities on php.testsparker.com
H: File Inclusion
H: Cross-Site Scripting (XSS) in HTML tag
H: Cross-Site Scripting (XSS)
H: Path Traversal

M: Backup file
M: Common directory
L: Missing 'X-Frame-Options' header
L: Password field with auto-complete
L: Insecure client-access policy
L: Insecure cross-domain policy (allow-access-from)
L: Common sensitive file

On premium.bgabank.com , only the possibility of cross-site request forgery (CSRF) was discovered from the critical one.

Arachni full results at premium.bgabank.com
H: Cross-Site Request Forgery

M: Mixed Resource
M: Common directory
M: Missing 'Strict-Transport-Security' header
L: Private IP address disclosure

Separately, we note what nice reports Arachni gives us. Many formats are supported - HTML, XML, text, JSON, Marshal, YAML, AFR.


In general, Arachni leaves only positive impressions after work.

Members, viewing this thread

No members online now.