OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Dennis Groves (dwguswest.net)
Date: Mon Sep 24 2001 - 15:34:53 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    > I've just been reading about Sanctum's AppScan, which appears to be on the
    > right track, but I've nothing to compare it to...
    >
    > Any advice/experience.
    >
    > FYI, AppScan breaks/subverts web applications - there are plenty of tools
    > to break web servers (apache/IIS), but it looks like appscan is on it's own
    > on the test-the-bespoke-web-app front.
    >
    > Thanks all, in advance,
    > Dom
    >
    >
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    > Service. For more information on SecurityFocus' SIA service which
    > automatically alerts you to the latest security vulnerabilities please see:
    > https://alerts.securityfocus.com/
    >

    Look else where. It is very interesting, however programs at this early
    stage of the game simply can not replace the human brain.

    To Quote Minga "earlier on this list"

    >>> In short there is a real lack of expertise in the field and a huge demand.
    >>> Some idiot running Nessus across your application is going to do nothing.
    >>
    >> Yes I agree with this. Most security audits are only automated scanners and
    >> are rarely detailed application audits.
    >
    > Be sure to highlight the word MOST there. I've been doing Web Application
    > penetration test/vulnerability assessments/ and generic best-practices checks
    > by hand for a security firm for over 2 years now. It is automatically included
    > in the general security methodology that we use for all clients. Along with
    > non-tool based penetration tests/vulnerability assessments.
    >
    > --
    >
    > As for the TOOLS discussion there are 4 three tools I am absolutely
    > dependant on for my web applications tests.
    >
    > 1) stunnel
    > 2) A Sniffer
    > 3) Perl
    > 4) A Brain
    >
    > MAYBE some sort of proxy to catch requests. But pretty much all of them are
    > lame and overly complicated or broken in some matter. (Tis' why I use
    > stunnel and a sniffer instead).
    >
    > I have used Sanctum's tool for a few weeks. They are headed in the correct
    > direction. but have a looooong way to go. On a test I performed, I ended up
    > with APPX 20 findings, 3 of which were High Risk. Sanctum's tool only found
    > about 4-5 of the findings. So if I (or anyone) was dependant on this type of
    > tool to be "secure", it would be a big waste of $5000. The tools does not
    > check for most "Best Practices" types of risks (SSL Key Strength For Example)
    > It does check for comments inside of HTML (and will return you about 200
    > findings associated with them). It also floodes all variables with long
    > bits of data. But not the RIGHT type of data. It will try 1000 1's (for
    > example). But not 1000 !'s or 1000 ;'s . Or for that matter 10000 1's.
    > It doesnt try (as data for a variable) things like
    > !#$%^&*()_+=-{}|\[;",./?><`~. When those usually wreck havok!

    I can not say it better myself...
    Appscan in particular has little to set it apart from other products that do
    web audits (Unless you consider 80% false positives to be a selling point).
    The company "slant" is application testing, but it is pure spin, the product
    does no more and perhaps less than many of the following products:

    (Gratuitously borrowed from various web databases, but compiled by me)

    NetRecon
    HackerShield
    Retina
    ISS
    Nessus
    CyberCop
    SARA
    SAINT
    AppScan

    Web application testing tools.

    Achilles www.digizen-security.com/
    Appscan www.sanctuminc.com
    CIS www.cerberus-infosec.co.uk/cis.shtml
    Curl curl.haxx.se
    ELZA www.einet.bg/~philip
    e-test tools www.rswsoftware.com
    nessus www.nessus.org
    PentaSafe tools www.pentasafe.com
    WAST webtool.rte.microsoft.com
    Whisker www.wiretrip.net/rfp/
    "Write you own scripts"
    "Contract out testing"

    Other Web Scanners (35 Little Boys)

    911 0.1
    by Erik Tayler
    < http://63.248.48.143 >
    < http://www.securityfocus.com/tools/1751 >
    Platforms: FreeBSD, Linux, NetBSD and OpenBSD
    Size: 29.17Kb
    Score: Not scored yet
    Simple code which will eventually be a very useful tool for performing
    vulnerability assessments. Currently includes the ability to set certain
    nmap and whisker options [scan type & evasive mode, respectively]. Will
    eventually incorporate more tools, and have a nice, clean, centralized
    output.

    Atlas 1.0
    by Digital Monkey, dmonkeyarctik.com
    < http://www.securityfocus.com/tools/923 >
    Platforms: Windows 95/98
    Size: 23.79Kb
    Score: Not scored yet
    A Windows/MS-DOS CGI scanner (binary only) which scans for 65 remote
    vulnerabilities.

    BASS - Bulk Auditing Security Scanner 1.0.7
    by Liraz Siri <lirazbigfoot.com>
    < http://www.securityfocus.com/tools/394 >
    Platforms: Linux
    Size: 61.50Kb
    Score: 3.00 / 4 (1 vote)
    BASS is a bulk auditing network scanner that features a highly-reliable,
    fail-safe architecture which efficiently utilizes the available bandwidth.
    It has a small memory and CPU footprint and can be easily extended.

    Cerberus Internet Scanner 5.0
    by David Litchfield
    < http://www.cerberus-infosec.co.uk/ >
    < http://www.securityfocus.com/tools/676 >
    Platforms: Windows 2000 and Windows NT
    Size: 298.77Kb
    Score: 3.00 / 4 (1 vote)
    CIS is a free security scanner written and maintained by Cerberus
    Information Security, Ltd and is designed to help administrators locate and
    fix security holes in their computer systems. This tool is a must! Runs on
    Windows NT and Windows 2000. Very comprehensive!

    Cerberus WebScan
    by Cerberus Information Security, servicescerberus-infosec.co.uk
    < http://www.cerberus-infosec.co.uk/ >
    < http://www.securityfocus.com/tools/695 >
    Platforms: Windows 2000, Windows 95/98 and Windows NT
    Size: 76.00Kb
    Score: 3.00 / 4 (1 vote)
    This is a web security scanner designed to find known web server security
    issues.

    cgi scanner 3.6
    by CKS
    < http://www.singnet.com.sg/~cksss/ >
    < http://www.securityfocus.com/tools/377 >
    Platforms: AIX, BSDI, Digital UNIX/Alpha, FreeBSD, HP-UX, IRIX, Linux,
    NetBSD, OpenBSD, SCO, Solaris, SunOS, True64 UNIX, UNIX, Ultrix and Unixware
    Size: 12.37Kb
    Score: 2.00 / 4 (1 vote)
    Cgi Scanner 3.6 is a simple program which facilitates the scanning of hosts
    on a network for known cgi vulnerabilities. Upon finding a given cgi
    program, the script will optionally download information from the authorıs
    web page, detailing the exploit. 3.6 includes a fix for a y2k problem in
    previous versions that would cause numerous false positives.

    Cgi Sonar 1.0
    by M.e.s.s.i.a.h
    < http://www.securityfocus.com/tools/1211 >
    Platforms: Perl (any system supporting perl)
    Size: 4.37Kb
    Score: Not scored yet
    A simple Cgi Scanner written in PERL ,scans for over 120 known
    vulnerabilities.

    cgi-check99 0.3
    by deepquest
    < http://www.deepquest.pf >
    < http://www.securityfocus.com/tools/626 >
    Platforms: BSDI, BeOS, DOS, FreeBSD, HP-UX, IRIX, Linux, MacOS, NetBSD,
    OS/2, OpenBSD, OpenVMS, PalmOS, Solaris, SunOS, UNIX, VMS, Windows 2000,
    Windows 3.x, Windows 95/98, Windows CE and Windows NT
    Size: 10.64Kb
    Score: 3.00 / 4 (1 vote)
    This is one of the worlds most cross platform cgi scanners, running on 37
    operating systems! Even Palmos soon! Will check for hundreds of common cgi
    and other remote issues. Plus it will report you the Bugtraq ID of some
    vulnerabilities. Get the rebol interpreter at http://www.rebol.com.

    CGI-Exploit Scanner (Japanese)
    by Shadow Penguin Security Team
    < http://shadowpenguin.backsection.net/ >
    < http://www.securityfocus.com/tools/368 >
    Platforms: UNIX
    Size: 6.42Kb
    Score: 3.00 / 4 (1 vote)
    This utility lists the servers which have certain security vulnerabilities
    via CGI scripts. This utility currently checks for the phf, test-cgi,
    nph-test-cgi, campas, htmlscript, service & pwd vulnerabilities . The
    addition of new vulnerabilities is very easy.

    cgichk 2.50
    by Toby Deshane
    < http://sourceforge.net/projects/cgichk/ >
    < http://www.securityfocus.com/tools/1645 >
    Platforms: FreeBSD and Linux
    Size: 14.04Kb
    Score: Not scored yet
    cgichk is a Web vulnerability tool that automatically searches for a series
    of interesting directories and files on a given site. It also includes a
    whois lookup.

    cgiscan
    by Bronc Buster
    < http://www.securityfocus.com/tools/378 >
    Platforms: AIX, BSDI, Digital UNIX/Alpha, FreeBSD, HP-UX, IRIX, Linux,
    NetBSD, OpenBSD, SCO, Solaris, SunOS, True64 UNIX and UNIX
    Size: 4.43Kb
    Score: 2.00 / 4 (1 vote)
    cgiscan.c is another simple program which facilitates the scanning of hosts
    on a network for known cgi vulnerabilities. It letıs the user know whether
    or not a given cgi was found on the host.

    Cold Fusion Scan 1.0
    by icosarez.com
    < http://www.securityfocus.com/tools/1046 >
    Platforms: Windows 95/98 and Windows NT
    Size: 172.22Kb
    Score: Not scored yet
    Cold Fusion vulnerability scanner is a program that will run down a list of
    words/domain names, and scan each one for an Allaire Cold Fusion
    misconfiguration.

    CUM Security Toolkit [CST]
    by toxic ocean, cumnirvanet.net
    < http://www.securax.org/cum/ >
    < http://www.securityfocus.com/tools/1799 >
    Platforms: Java
    Size: 12.70Kb
    Score: 4.00 / 4 (1 vote)
    This version contains a script scanner, that scans using a database of
    scripts (user editable). The sample databases included contains +350
    possibly vulnerable scripts/dirs. You can scan with or without a
    proxyserver. The scanner has 5 different Anti-IDS tactics (hex-values,
    double slashes, self-reference dirs, parameter hiding and session splicing),
    and sends fake ³X-Forwarded-For:², ³Referer:² and ³User-Agent:² headers to
    hide your scan even more. You can also specify a waittime between 2 script
    fetches. The scanner uses HEAD requests instead of GET for faster scanning,
    and has support for scanning virtual hosts. You can also specify another
    port to scan instead of the standard port 80. The scanner outputs the
    scripts/dirs that return a 200, 403 or 401 HTTP code and outputs the
    webserver software.
    Iım probably forgetting some options because there are alot in this new
    version - you have to try it to see...
    Also included is a portscanner. It can perform TCP scans, and it outputs the
    open ports, and their reply.
    A full and comprehensive manual is included, but if you have problems, you
    can always mail us.

    ELZA 1.4.3
    by philip_stoeviname.com
    < http://phiphi.hypermart.net/elza-entry.html >
    < http://www.securityfocus.com/tools/1127 >
    Platforms: Linux and Solaris
    Size: 40.36Kb
    Score: Not scored yet
    The ELZA is a scripting language aimed at automating requests on web pages.
    Scripts written in ELZA are capable of mimicing browser behavior almost
    perfectly, making it extremely difficult for remote servers to distinguish
    their activity from the activity generated by ordinary users and browsers.
    This gives those scripts the opportunity to act upon servers that will not
    respond to requests generated using netcat, rebol, telnet or similar tool.

    Grinder
    by Rhino9
    < http://207.98.195.250/software/grinder.htm >
    < http://www.securityfocus.com/tools/108 >
    Platforms: Windows 3.x, Windows 95/98 and Windows NT
    Size: 1.13Mb
    Score: 3.00 / 4 (1 vote)
    Grinder is a scanning tool for the Windows operating systems that scans
    ranges of ip addresses for IIS webservers containing certain urls.

    Guile CGI Scanner
    by ImperialS
    < http://www.securityfocus.com/tools/555 >
    Platforms: Linux
    Size: 8.19Kb
    Score: Not scored yet
    A CGI Scanner written in C. Checks for 44 known CGI problems.

    httptype 1.3.6
    by Philip Tellis, philip.tellisiname.com
    < http://members.nbci.com/philip3/downloads/httptype/INDEX.html >
    < http://www.securityfocus.com/tools/1269 >
    Platforms: Linux and Solaris
    Size: 14.36Kb
    Score: Not scored yet
    httptype reads a list of http hosts and optionally the port number for each
    of these. It queries each host, displaying the type of HTTP server running
    on that host, if any. It reads the http_proxy and no_proxy environment
    variables to determine whether to use a proxy or not. These options may also
    be specified through the command line.

    ISB
    by UndeF
    < http://undef.vr9.com/ >
    < http://www.securityfocus.com/tools/1430 >
    Platforms: Linux, Perl (any system supporting perl), Solaris and UNIX
    Size: 11.83Kb
    Score: Not scored yet
    Security auditing tool for unix systems. Port scan, remote services version
    detect, log facility.

    md-webscan 1.0.1
    by Mordrian, mordrianhotmail.com
    < http://www.internettrash.com/users/mordrian/ >
    < http://www.securityfocus.com/tools/1421 >
    Platforms: Linux, Solaris and UNIX
    Size: 7.69Kb
    Score: Not scored yet
    Allows system administrators to check for commonly known CGI vulnerabilities
    on machines they administrate. Scans for 180 vulnerabilities in total.

    Nessus 1.0.6
    by Renaud Deraison, deraisoncvs.nessus.org
    < http://www.nessus.org/ >
    < http://www.securityfocus.com/tools/201 >
    Platforms: FreeBSD, IRIX, Linux, NetBSD, OpenBSD and Solaris
    Score: 3.86 / 4 (7 votes)
    Nessus is a remote security scanner for Linux, BSD, Solaris, and other
    Unices. It is multi-threaded and plug-in-based, has a GTK interface, and
    performs over 470 remote security checks. It allows for reports to be
    generated in HTML, LaTeX, and ASCII text, and suggests solutions for
    security problems.

    Nsat 1.22
    by Mixter, mixternewyorkoffice.com
    < http://members.tripod.com/mixtersecurity/ >
    < http://www.securityfocus.com/tools/810 >
    Platforms: Linux and Solaris
    Size: 799.86Kb
    Score: 4.00 / 4 (1 vote)
    Nsat (Network Security Analysis Tool) is a fast, stable bulk security
    scanner designed to audit remote network services and check for versions,
    security problems, gather information about the servers and the machine, and
    much more. Unlike many other auditing tools, it can collect information
    about services independently of vulnerabilities, which makes it less
    dependent on frequent updates as new vulnerabilities are found.

    Perl CGI Checker
    by Epicurus (epicuruswilter.com)
    < http://www.securityfocus.com/tools/402 >
    Platforms: Perl (any system supporting perl)
    Size: 6.89Kb
    Score: Not scored yet
    A CGI vulnerability scanner written in PERL, checks for 62 CGI holes.

    rvscan (remote vulnerability scanner)
    by ben-z
    < ftp://portal.slacknet.org/pub/code/rvscan.v3-b1.tgz >
    < http://www.securityfocus.com/tools/1625 >
    Platforms: Linux
    Size: 102.81Kb
    Score: Not scored yet
    scans a unix system for just about every remote vulnerability currently
    being used by hackers.

    Shadow CGI check 1.00.007
    by RedShadow
    < http://www.rsh.kiev.ua >
    < http://www.securityfocus.com/tools/1229 >
    Platforms: Windows 2000, Windows 95/98 and Windows NT
    Size: 256.26Kb
    Score: Not scored yet
    CGI vulnerability scanner. Currently checks for over 129 vulnerabilities.

    twwwscan 0.7
    by pilot
    < http://search.iland.co.kr/twwwscan/ >
    < http://www.securityfocus.com/tools/1886 >
    Platforms: Windows 2000, Windows 95/98 and Windows NT
    Size: 127.32Kb
    Score: 4.00 / 4 (1 vote)
    Updated version of twwwscan with added -v option support html type report
    support CVE information included completed NT/2000 IIS detail patch
    information. Last(~2000/12/23) WWW Vulnerabilities 300 over bugs check

    UCGI Vulnerability Scanner 1.56
    by su1d sh3ll
    < http://infected.ilm.net/unlg/ >
    < http://www.securityfocus.com/tools/563 >
    Platforms: FreeBSD, IRIX, Linux and Windows 95/98
    Size: 147.18Kb
    Score: Not scored yet
    CGI vulnerability scanner version 1.56. Checks for over 90 CGI
    vulnerabilities. Tested on slackware linux with kernel 2.0.35-2.2.5, Freebsd
    2.2.1-3.2, IRIX 5.3, DOS, and windows.

    VoidEye CGI scanner Build 461
    by Duke
    < http://www.securityfocus.com/tools/556 >
    Platforms: Windows 2000, Windows 95/98 and Windows NT
    Size: 328.58Kb
    Score: Not scored yet
    VoidEye CGI scanner, build 461. Scans for 78 known vulnerabilities. Runs on:
    win9x, winNT, win2000. Features: user can add his own holes, editing
    ³exp.dat² in any text editor or via program interface, user can process a
    site list, editing it via the program interface or the file ³servers.dat²,
    scanner can work via a proxy, for more security. Multi-threaded and fast. By
    Duke.

    Weakness - Www Vulnerablity Scanner
    by John Bissell a.k.a. hight1mes
    < http://www.silcom.com/~royalblu/weakness.zip >
    < http://www.securityfocus.com/tools/672 >
    Platforms: DOS, Windows 95/98 and Windows NT
    Size: 29.92Kb
    Score: 4.00 / 4 (1 vote)
    Weakness is basically a CGI vulnerablity scanner coded for Windows/DOS.
    Weakness will scan up 94 vulnerablities and output the results of the scan
    to a text file. Source is included.

    Webcracker 4.0
    by Daniel Flam, infowebcracker.net
    < http://www.webcracker.net >
    < http://www.securityfocus.com/tools/706 >
    Platforms: Windows 95/98 and Windows NT
    Size: 1.24Mb
    Score: Not scored yet
    This software will allow you to test your restricted-access website to make
    sure that only authorized users are able to get in. Webcracker is a security
    tool that allows you to attempt to test id and password combinations on your
    web site. If youıre able to guess a userıs password with this program,
    chances are some hacker will be able to also. Webcracker helps you find
    these vulnerablilities and fix them before theyıre exploited by some unknown
    attacker.

    WebDecoy
    by Mixter, mixternewyorkoffice.com
    < http://1337.tsx.org/ >
    < http://www.securityfocus.com/tools/832 >
    Platforms: Linux and Solaris
    Size: 2.22Kb
    Score: Not scored yet
    This is a simple script that examines your CGI folder, and can check for
    vulnerable scripts (-check), generate decoy scripts, which will log any
    access over the web as a possible exploit attempt (-create), or remove
    vulnerable scripts and previously installed decoy files (-clean).

    Whisker 1.2.0
    by Rain Forest Puppy
    < http://www.wiretrip.net/rfp >
    < http://www.securityfocus.com/tools/585 >
    Platforms: Perl (any system supporting perl)
    Size: 166.38Kb
    Score: 4.00 / 4 (2 votes)
    Whisker is an advanced CGI vulnerability scanner. It is scriptable and has
    many good features, such as querying for system type and basing scans on the
    information gathered (ie, determining between IIS and Apache webservers)

    Whisker 1.4
    by rain forest puppy, rfpwiretrip.net
    < http://www.wiretrip.net/rfp >
    < http://www.securityfocus.com/tools/727 >
    Platforms: Perl (any system supporting perl)
    Size: 166.38Kb
    Score: 4.00 / 4 (3 votes)
    Whisker is an advanced CGI vulnerability scanner. It is scriptable and has
    many good features, such as querying for system type and basing scans on the
    information gathered (ie, determining between IIS and Apache webservers)
    ³Multi-threaded² front end (Unix only).
    More updates to server.db and scan.db.
    Changed the Œsetı command to take .= (append) as well.
    Added multi-file scans
    Changed options around.
    whisker will internally Œreadı the output from a .cfm script and determine
    if it really exists, eliminating all false reports.
    Added support for variables and tabıs, crıs, and lfıs in strings.
    You can now use a variable for Œserverı and Œscanı matching
    Scan database files donıt have to be in the current directory
    Whisker defaults to scan.db, so itıs not required to specify -s <file>
    Whisker will automatically rescan servers with dumb.db if they need it
    NMAP information is now available inside the scripts
    Redid the bounce options
    Support for distributed proxies
    Ability to use other CGI scannersı databases
    Better timeout control (Unix only).
    Implemented ability to use ŒGETı method, but still close the connection
    after all the headers have arrived.
    EXPERIMENTAL SSL support.
    SamSpade bounce by Styx was added
    Other little tweaks to variable handling and new variables added
    Netcraft changed their output, so I had to change to match it.

    whisker 1.4+SSL
    by H.D. Moore, hdmdigitaloffense.net
    < http://www.digitaloffense.net:8000/ >
    < http://www.securityfocus.com/tools/1798 >
    Platforms: Perl (any system supporting perl)
    Size: 169.34Kb
    Score: Not scored yet
    This is a modified version of the whisker web scanning tool written by RFP.
    It adds native SSL support (the -x option) via the Net::SSLeay module and
    OpenSSL.

    Windows Nessus Client
    by Noam Rathaus, Aviram Jenik, Jordan Hrycaj, and Renaud Deraison
    < http://www.nessus.org/win32.html >
    < http://www.securityfocus.com/tools/1295 >
    Platforms: Windows 95/98 and Windows NT
    Score: Not scored yet
    Windows Nessus Client is an almost fully functional port of the UNIX Nessus
    Client and has the same look and feel.

    WWWHack 1.946
    by core
    < http://www.wwwhack.com >
    < http://www.securityfocus.com/tools/1785 >
    Platforms: Windows 2000, Windows 95/98 and Windows NT
    Size: 430.61Kb
    Score: Not scored yet
    A simple ³brute force² password guessing program. Includes dictionary files,
    support for HTTP Basic, HTTP Form, FTP, POP, and News.

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/