Web Application Vulnerability Scanners

Web Application Vulnerability Scanners are tools designed to automatically scan web applications for potential vulnerabilities. These tools differ from general vulnerability assessment tools in that they do not perform a broad range of checks on a myriad of software and hardware. Instead, they perform other checks, such as potential field manipulation and cookie poisoning, which allows a more focused assessment of web applications by exposing vulnerabilities of which standard VA tools are unaware.
A Web Application Scanner Tool Functional Specification is available.

Contents [hide] Web Applications Issues Technical vulnerabilities Security Vulnerabilities Architectural/Logical Vulnerabilities Other vulnerabilities Related Links

Web Applications Issues

• Scripting issues
• Sources of input: forms, text boxes, dialog windows, etc.
• Multiple Charset Encodings (UTF-8, ISO-8859-15, UTF-7, etc.)
• Regular expression checks
• Header integrity (e.g. Multiple HTTP Content Length, HTTP Response Splitting)
• Session handling/fixation
• Cookies
• Framework vulnerabilities(Java Server Pages, .NET, Ruby On Rails, Django, etc.)
• Success control: front door, back door vulnerability assessment
• Penetration attempts versus failures

Technical vulnerabilities

• Unvalidated input:
  • Tainted parameters - Parameters users in URLs, HTTP headers, and forms are often used to control and validate access to sentitive information.
  • Tainted data
• Cross-Site Scripting flaws:
  • XSS takes advantage of a vulnerable web site to attack clients who visit that web site. The most frequent goal is to steal the credentials of users who visit the site.
• Content Injection flaws:
  • Data injection
  • SQL injection - SQL injection allows commands to be executed directly against the database, allowing disclosure and modification of data in the database
  • XPath injection - XPath injection allows attacker to manipulate the data in the XML database
  • Command injection - OS and platform commands can often be used to give attackers access to data and escalate privileges on backend servers.
  • Process injection
• Cross-site Request Forgeries

Security Vulnerabilities

• Denial of Service
• Broken access control
• Path manipulation
• Broken session management (synchronization timing problems)
• Weak cryptographic functions, Non salt hash

Architectural/Logical Vulnerabilities

• Information leakage
• Insufficient authentification
• Password change form disclosing detailed errors
• Session-idle deconstruction not consistent with policies
• Spend deposit before deposit funds are validated

Other vulnerabilities

• Debug mode
• Thread Safety
• Hidden Form Field Manipulation
• Weak Session Cookies: Cookies are often used to transit sensitive credentials, and are often easily modified to escalate access or assume another user's identify.
• Fail Open Authentication
• Dangers of HTML Comments

Related Links

• The Web Application Security Consortium (WASC) has a list of web application security scanners.
• The Open Web Application Security Project (OWASP) Phoenix has a list of various web application testing tools.
• Shay Chen's article has a list of test cases for web application scanners.