Difference between revisions of "OWASP HA Vulnerability Scanner Project"

From OWASP
(Created page with "=Main= Project Leader’s content goes here =Project About= {{:Projects/OWASP_HA_Vulnerability_Scanner_Project}} Category:OWASP Project")
 
 
(8 intermediate revisions by one other user not shown)
Line 1: Line 1:
 +
{|
 +
|-
 +
! width="700" align="center" | <br>
 +
! width="500" align="center" | <br>
 +
|-
 +
| align="right" | [[Image:OWASP Inactive Banner.jpg|800px| link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Inactive_Projects]]
 +
| align="right" |
 +
 +
|}
 
=Main=
 
=Main=
Project Leader’s content goes here
+
'''If you wish to be a part of this Project Team , contact Project Leader'''
 +
 
 +
 
 +
Spider Module Completed.Added Random time interval between requests and proxy.
 +
--[[User:Dhruv Jain|Dhruv Jain]] ([[User talk:Dhruv Jain|talk]]) 03:59, 8 September 2013 (CDT)
 +
 
 +
 
 +
 
 +
 
 +
'''EXPECTED FEATURES:'''
 +
 
 +
''Note: Some of these features maybe scraped off depending on the feasibility of application''
 +
 
 +
 
 +
'''»Web Spider Module'''
 +
 
 +
 
 +
'''»Custom Design Errors'''
 +
 
 +
Cross-site Script Injection Module
 +
 
 +
Database Tampering – SQL Injection Module, including:
 +
 
 +
- Direct mode
 +
 
 +
- Blind mode
 +
 
 +
Buffer & Integer Overflow attack Module
 +
 
 +
Format String attack Module
 +
 
 +
File & Directories Tampering Module, including:
 +
 
 +
- Backup Files Discovery
 +
 
 +
- Configuration Files Discovery
 +
 
 +
- Password Files Discovery
 +
 
 +
- Information Leakage Discovery
 +
 
 +
Parameter Tampering Module, including:
 +
 
 +
- Special Parameter Addition attacks
 +
 
 +
- Boolean Parameter Tampering attacks
 +
 
 +
- Hidden Parameter Discovery
 +
 
 +
- Parameter Deletion attacks
 +
 
 +
- Remote Execution attacks
 +
 
 +
- File & Directory traversal attacks
 +
 
 +
- Header Splitting & CRLF Injection attacks
 +
 
 +
- Remote File Include PHP-based attacks
 +
 
 +
Check for Suspicious Values in Web Form Hidden Fields
 +
 
 +
Custom Signature Check (via Signature Editor)
 +
 
 +
 
 +
'''»Web Server Exposure'''
 +
 
 +
Web Server structure Analysis Module, including:
 +
 
 +
- Web Server & Platform version vulnerabilities
 +
 
 +
- SSL encryption and X.509 certificate vulnerabilities
 +
 
 +
- HTTP Method Discovery Module
 +
 
 +
- HTTP Fingerprint Module, including:
 +
 
 +
- Web Server Fingerprint Module
 +
 
 +
- Web Server technology Discovery Module
 +
 
 +
- Directory Brute-Force
 +
 
 +
- HTTP Protocol vulnerabilities
 +
 
 +
 
 +
'''»Web Signature Attacks'''
 +
 
 +
Web Attack Signatures Module, including:
 +
 
 +
- IIS CGI Decode Test
 +
 
 +
- IIS Extended Unicode Test
 +
 
 +
- IIS File Parsing Test
 +
 
 +
- FrontPage Security Test
 +
 
 +
- Lotus Domino Security Test
 +
 
 +
- General CGI Security Test
 +
 
 +
- HTTP Devices Security Test (routers, switches)
 +
 
 +
- Windows-based CGI Security Test
 +
 
 +
- Windows-based CGI Security Test
 +
 
 +
- PHP Web Application Security Test
 +
 
 +
- ASP Web Application Security Test
 +
 
 +
- J2EE Web Application Security Test
 +
 
 +
- Coldfusion Web Application Security Test
 +
 
 +
Attack templates such as:
 +
 
 +
- Complete, SANS/FBI Top10, Top20
 +
 
 +
 
 +
'''»Confidentiality Exposure Checks'''
 +
 
 +
Look for Web forms vulnerabilities, including:
 +
 
 +
- Password cache feature
 +
 
 +
- Insecure method for sending data
 +
 
 +
- Lack of Encryption for sensitive data
 +
 
 +
- Insecure location to send data (leakage)
 +
 
 +
- Find directory listing
 +
 
 +
- Find available objects to download
 +
 
 +
- Find meta-tag leakage
 +
 
 +
- Find sensitive keywords in comments and scripts
 +
 
 +
Compliance analysis, including:
 +
 
 +
- Find Copyright statements
 +
 
 +
- Find content rating statements
 +
 
 +
- Find custom content on web pages and forms
 +
 
 +
 
 +
'''»Cookie Exposure Checks'''
 +
 
 +
Cookie Security Analysis Module, including:
 +
 
 +
- Find weakness in cookie information
 +
 
 +
- Find cookies sent without encryption
 +
 
 +
- Find information leakage in cookie information
 +
 
 +
- Find cookies vulnerable to malicious client-side script
 +
 
 +
 
 +
'''»File & Directory Exposure Checks'''
 +
 
 +
Search for backup files
 +
 
 +
Search for information leakage files
 +
 
 +
Search for configuration files
 +
 
 +
Search for password files
 +
 
 +
 
 +
--[[User:Dhruv Jain|Dhruv Jain]] ([[User talk:Dhruv Jain|talk]]) 19:45, 17 August 2013 (CDT)
 +
 
 +
----
 +
 
 +
 
  
 
=Project About=
 
=Project About=
 +
 
{{:Projects/OWASP_HA_Vulnerability_Scanner_Project}}  
 
{{:Projects/OWASP_HA_Vulnerability_Scanner_Project}}  
 +
  
 
[[Category:OWASP Project]]
 
[[Category:OWASP Project]]
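
Review bot: under '''»Web Signature Attacks''' the added list carries "- Windows-based CGI Security Test" twice in a row; drop the second entry or replace it with the test that was meant. The note line reads "maybe scraped off" where "may be scrapped" is intended, and "Spider Module Completed.Added" is missing a space after the period. The feature list is added as bare lines with "-" prefixes, so nesting is lost (for example, the two entries that belong under "HTTP Fingerprint Module, including:" sit at the same level as their parent); wiki list markup ("*" and "**") would preserve it.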

Latest revision as of 16:51, 9 May 2014



OWASP Inactive Banner.jpg

Main

If you wish to be a part of this Project Team, contact the Project Leader.


Spider Module Completed. Added random time interval between requests and proxy. --Dhruv Jain (talk) 03:59, 8 September 2013 (CDT)



EXPECTED FEATURES:

Note: Some of these features may be scrapped depending on the feasibility of the application.


»Web Spider Module


»Custom Design Errors

Cross-site Script Injection Module

Database Tampering – SQL Injection Module, including:

- Direct mode

- Blind mode

Buffer & Integer Overflow attack Module

Format String attack Module

File & Directories Tampering Module, including:

- Backup Files Discovery

- Configuration Files Discovery

- Password Files Discovery

- Information Leakage Discovery

Parameter Tampering Module, including:

- Special Parameter Addition attacks

- Boolean Parameter Tampering attacks

- Hidden Parameter Discovery

- Parameter Deletion attacks

- Remote Execution attacks

- File & Directory traversal attacks

- Header Splitting & CRLF Injection attacks

- Remote File Include PHP-based attacks

Check for Suspicious Values in Web Form Hidden Fields

Custom Signature Check (via Signature Editor)


»Web Server Exposure

Web Server structure Analysis Module, including:

- Web Server & Platform version vulnerabilities

- SSL encryption and X.509 certificate vulnerabilities

- HTTP Method Discovery Module

- HTTP Fingerprint Module, including:

- Web Server Fingerprint Module

- Web Server technology Discovery Module

- Directory Brute-Force

- HTTP Protocol vulnerabilities


»Web Signature Attacks

Web Attack Signatures Module, including:

- IIS CGI Decode Test

- IIS Extended Unicode Test

- IIS File Parsing Test

- FrontPage Security Test

- Lotus Domino Security Test

- General CGI Security Test

- HTTP Devices Security Test (routers, switches)

- Windows-based CGI Security Test

- PHP Web Application Security Test

- ASP Web Application Security Test

- J2EE Web Application Security Test

- Coldfusion Web Application Security Test

Attack templates such as:

- Complete, SANS/FBI Top10, Top20


»Confidentiality Exposure Checks

Look for Web forms vulnerabilities, including:

- Password cache feature

- Insecure method for sending data

- Lack of Encryption for sensitive data

- Insecure location to send data (leakage)

- Find directory listing

- Find available objects to download

- Find meta-tag leakage

- Find sensitive keywords in comments and scripts

Compliance analysis, including:

- Find Copyright statements

- Find content rating statements

- Find custom content on web pages and forms


»Cookie Exposure Checks

Cookie Security Analysis Module, including:

- Find weakness in cookie information

- Find cookies sent without encryption

- Find information leakage in cookie information

- Find cookies vulnerable to malicious client-side script


»File & Directory Exposure Checks

Search for backup files

Search for information leakage files

Search for configuration files

Search for password files


--Dhruv Jain (talk) 19:45, 17 August 2013 (CDT)



Project About

PROJECT INFO
What does this OWASP project offer you?
RELEASE(S) INFO
What releases are available for this project?
what is this project?
Name: OWASP HA Vulnerability Scanner Project (home page)
Purpose: It is a vulnerability scanner written in PHP. It is able to scan requested URLs and run a variety of tests to find security flaws.
License: Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)
who is working on this project?
Project Leader(s):
  • Dhruv Jain @
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View
Key Contacts
  • Contact Dhruv Jain @ to contribute to this project
  • Contact Dhruv Jain @ to review or sponsor this project
  • Contact the GPC to report a problem or concern about this project or to update information.
current release
Not Yet Published
last reviewed release
Not Yet Reviewed


other releases