WebCruiser Web Vulnerability Scanner User Guide

Transcription

1 WebCruiser Web Vulnerability Scanner User Guide Content 1. Software Introduction Key Features POST Data Resend Vulnerability Scanner SQL Injection POST SQL Injection Cookie SQL Injection Demo Cross Site SQL Injection Cross Site Scripting XPath Injection Multi-functional Web Browser POST Web Browser Cookie Web Browser Fill in Forms Report Escape Special Character Filter Order/Registration FAQ...26 V2.5 by Janus Security

2 1. Software Introduction WebCruiser - Web Vulnerability Scanner WebCruiser - Web Vulnerability Scanner, it is a powerful web security penetration test software that will aid you in auditing your site! It has a Vulnerability Scanner and a series of security tools. It can support scanning website as well as POC (Proof of concept) for web vulnerabilities: SQL Injection, Cross Site Scripting, XPath Injection etc. So, WebCruiser is also an automatic SQL injection tool, an XPath injection tool, and a Cross Site Scripting tool! Key Features: * Crawler(Site Directories And Files); * Vulnerability Scanner: SQL Injection, Cross Site Scripting, XPath Injection etc.; * SQL Injection Scanner; * SQL Injection Tool: GET/Post/Cookie Injection POC(Proof of Concept); * SQL Injection for SQL Server: PlainText/Union/Blind Injection; * SQL Injection for MySQL: PlainText/Union/Blind Injection; * SQL Injection for Oracle: PlainText/Union/Blind/CrossSite Injection; * SQL Injection for DB2: Union/Blind Injection; * SQL Injection for Access: Union/Blind Injection; * Post Data Resend;

3 * Cross Site Scripting Scanner and POC; * XPath Injection Scanner and POC; * Auto Get Cookie From Web Browser For Authentication; * Report Output. System Requirement:.Net Framework 2.0 or higher Software Disclaimer: * Authorization must be obtained from the web application owner; * This program will try to get each link and post any data when scanning; * Backup the database before scanning so as to avoid disaster. * Using this software at your own risk. janusecurity@gmail.com Key Features 2.1. POST Data Resend When you Post any data, WebCruiser will capture the Post data automatically. First, let's login a demo application:

4 Switch to tabpage "Resend", the Post data has been captured here : Now, you can modify the post data and resend them. Let's try to use it for SQL Injection: First, modify the value of username to admin' and '1'='1

5 Second, modify the value of username to admin' and '1'='2 We got different response. It means that this application has a vulnerability of SQL Injection.

6 2.2. Vulnerability Scanner Scan your web application for vulnerabilities. 1. Open Web application and click Scan Site" for whole site scanning or "Scan URL" only for current URL. Or, select "Vulnerability Scanner" tool, and click "Scan Current Site":

7 3. Scan Result(Above is Site Structure, and the following table is vulnerabilities): 4. Right click each vulnerabilities, then you can launch SQL Injection or Cross Site Scripting POC( Proof of Concept):

8 2.3. SQL Injection Scanning is not necessary for SQL Injection POC, you can launch POC by input the URL directly, or launch from the Scanner. WebCruiser support: * GET/Post/Cookie Injection; * SQL Server: PlainText/FieldEcho(Union)/Blind Injection; * MySQL/DB2/Access: FieldEcho(Union)/Blind Injection; * Oracle: FieldEcho(Union)/Blind/CrossSite Injection; POST SQL Injection Take the above scanner for example, right click a Vulnerability, select SQL Injection POC. It will launch the SQL Injection POC tool and fill the relevant information. This is a POST SQL Injection Demo. Click Get Environment Information.

9 3. If you need more information, switch to DataBase :

10 Cookie SQL Injection Demo * Similar to POST, Now you know this application has a user which username=admin, Input username=admin and press "Enter" key to navigate it :

11 View Cookie: Try to get environment information:

12 Advanced: Input the following at Data box: username=111' union all select 1,current server,chr(97) from sysibm.sysdummy1-note: 111 is a username that not exist. Press "Enter":

13 Cross Site SQL Injection WebCruiser support Cross Site SQL Injection for Oracle Cross Site Scripting There are two types of XSS: * Cross Site Scripting(URL); * Cross Site Scripting(Form); Scanning is not necessary for XSS, you can use this function directly. Take launching XSS from the scanner for example: 1. Right Click a Vulnerability in Scanner, select Cross Site Scripting(Form) POC or Cross Site Scripting(URL) POC :

14 2. Replace XSS code and Click "Manual XSS Test". 3. Usually your input will occur in the Response Code or in the refer page:

15 2.5. XPath Injection Similar to SQL Injection, XPath Injection attacks occur when a web site uses usersupplied information to construct an XPath query for XML data. By sending intentionally malformed information into the web site, an attacker can find out how the XML data is structured, or access data that he may not normally have access to. He may even be able to elevate his privileges on the web site if the XML data is being used for authentication (such as an XML based user file). Querying XML is done with XPath, a type of simple descriptive statement that allows the XML query to locate a piece of information. Like SQL, you can specify certain attributes to find, and patterns to match. When using XML for a web site it is common to accept some form of input on the query string to identify the content to locate and display on the page. This input must be sanitized to verify that it doesn't mess up the XPath query and return the wrong data. XPath is a standard language; its notation/syntax is always implementation independent, which means the attack may be automated. There are no different dialects as it takes place in requests to the SQL databeses. Because there is no level access control it's possible to get the entire document. We won't encounter any limitations as we may know from SQL injection attacks. Example:

16

17 More information about XPath Injection, please refer to: Multi-functional Web Browser POST Web Browser Specify the POST data for web browser, just input the URL and POST data, and press "Enter" key.

18

19 Cookie Web Browser You can specify the cookie simply as follow:

20

21 You can modify the cookie at yourself Fill in Forms WebCruiser can fill in a form according to your input even the field is read only. Switch the request type to "POST", input the expression in the data input box[1], and click the Fill button[2], then it will fill the form[3].

22 Usually, it is not necessary to do so. It is useful for these scenarios: A. Input box is read only; B. Copy and paste is disabled; C. Hidden or invisible input box; And so on Report You can get the scan report by the report tool:

23 Here is part style of report:

24 2.9. Escape Special Character Filter When operating SQL Injection, you will find some web application will escape single quotes, for example, the Oracle SQL is: Select COLUMN_NAME FROM user_tab_columns WHERE table_name='admin' Because there is single quotes in the SQL, so common injection will not work. Escape Filter can help you test the application, WebCruiser has a string tool which can encode the string. SQL Server: MySQL:

25 Oracle: The above SQL can be instead by: Select COLUMN_NAME FROM user_tab_columns WHERE table_name= chr(97) chr(100) chr(109) chr(105) chr(110)

26 3. Order/Registration WebCruiser - Web Vulnerability Scanner Order page: (Pay by RegNow) (Pay by PayPal) If you like it, you can order it from RegNow or PayPal: Personal Edition (Non-Commercial License): Enterprise Edition (Commercial License): RegNow will send you the Registration Code. Alternative Payment by PayPal: Thank you for choosing WebCruiser. 4. FAQ Q: Why I can not run WebCruiser on my computer? A: It need Windows with.net Framework 2.0 or above, if you have not installed.net Framework, please download it from Microsoft web site. Usually, Windows XP and earlier has not.net Framework installed, but Windows Vista and Windows 7 has.net Framework Integrated already. The URL for.net Framework 2.0 is: Q: What is the difference between the Professional and Enterprise Edition? A: They are different in License type. Personal Edition is for security professionals, masters of individual websites etc., non-commercial purpose, 12-month update and support service; Enterprise Edition is for enterprises, institution, or commercial organizations, 12month update and support service with top priority. Function \ Edition Commercial License Personal No Enterprise Directories Crawler Vulnerabilities Scanning SQL Server Injection MySQL Injection Oracle Injection DB2 Injection Advanced Injection

27 Access Injection Access Dictionary Edit Cross-Site Scripting XPath Injection Post Resend Multi-Site Scanning Sensitive WebSites Scanning Cookie Tool 12-month 12-month Report Technical Support Support Web Site: