OWASP HA Vulnerability Scanner Project

Revision as of 06:40, 1 August 2013 by Dhruv Jain (talk | contribs) (Added Decided Features)

Jump to: navigation, search


Project has been started.Developed scan initiator.

1.8.2013 --> Spider nearly completed


Note: Some of these features maybe scraped off depending on the feasibility of application

»Web Spider Module

»Custom Design Errors

Cross-site Script Injection Module

Database Tampering – SQL Injection Module, including:

- Direct mode

- Blind mode

Buffer & Integer Overflow attack Module

Format String attack Module

File & Directories Tampering Module, including:

- Backup Files Discovery

- Configuration Files Discovery

- Password Files Discovery

- Information Leakage Discovery

Parameter Tampering Module, including:

- Special Parameter Addition attacks

- Boolean Parameter Tampering attacks

- Hidden Parameter Discovery

- Parameter Deletion attacks

- Remote Execution attacks

- File & Directory traversal attacks

- Header Splitting & CRLF Injection attacks

- Remote File Include PHP-based attacks

Check for Suspicious Values in Web Form Hidden Fields

Custom Signature Check (via Signature Editor)

»Web Server Exposure

Web Server structure Analysis Module, including:

- Web Server & Platform version vulnerabilities

- SSL encryption and X.509 certificate vulnerabilities

- HTTP Method Discovery Module

- HTTP Fingerprint Module, including:

- Web Server Fingerprint Module

- Web Server technology Discovery Module

- Directory Brute-Force

- HTTP Protocol vulnerabilities

»Web Signature Attacks

Web Attack Signatures Module, including:

- IIS CGI Decode Test

- IIS Extended Unicode Test

- IIS File Parsing Test

- FrontPage Security Test

- Lotus Domino Security Test

- General CGI Security Test

- HTTP Devices Security Test (routers, switches)

- Windows-based CGI Security Test

- Windows-based CGI Security Test

- PHP Web Application Security Test

- ASP Web Application Security Test

- J2EE Web Application Security Test

- Coldfusion Web Application Security Test

Attack templates such as:

- Complete, SANS/FBI Top10, Top20

»Confidentiality Exposure Checks

Look for Web forms vulnerabilities, including:

- Password cache feature

- Insecure method for sending data

- Lack of Encryption for sensitive data

- Insecure location to send data (leakage)

- Find directory listing

- Find available objects to download

- Find meta-tag leakage

- Find sensitive keywords in comments and scripts

Compliance analysis, including:

- Find Copyright statements

- Find content rating statements

- Find custom content on web pages and forms

»Cookie Exposure Checks

Cookie Security Analysis Module, including: - Find weakness in cookie information - Find cookies sent without encryption - Find information leakage in cookie information - Find cookies vulnerable to malicious client-side script

»File & Directory Exposure Checks

Search for backup files

Search for information leakage files

Search for configuration files

Search for password files

--Dhruv Jain (talk) 07:39, 1 August 2013 (CDT)

Project About

What does this OWASP project offer you?
What releases are available for this project?
what is this project?
Name: OWASP HA Vulnerability Scanner Project (home page)
Purpose: It is a vulnerability scanner written in PHP. It is able to scan URLs requested and run variety of tests to find security flaws.
License: Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)
who is working on this project?
Project Leader(s):
  • Dhruv Jain @
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View
Key Contacts
  • Contact Dhruv Jain @ to contribute to this project
  • Contact Dhruv Jain @ to review or sponsor this project
  • Contact the GPC to report a problem or concern about this project or to update information.
current release
Not Yet Published
last reviewed release
Not Yet Reviewed

other releases