Showing posts with label web_security. Show all posts
Showing posts with label web_security. Show all posts

Saturday, November 4, 2017

Janusec - WebCruiser Ultimate Web Penetration Testing Tool

                   Web Vulnerability Scanner for Windows, Mac OS, and iOS (iPhone/iPad) , HTTP Replay/Repeater for iPhone and iPad, SQL Injection, XSS. Also an effective and powerful web penetration testing tool that will aid you in auditing your website! It can support scanning website as well as POC (Proof of concept) for web vulnerabilities: SQL Injection, Cross Site Scripting, Local File Inclusion, Remote File Inclusion, Redirect, Obsolete Backup etc.

The most typical feature of WebCruiser comparing with other Web Vulnerability Scanners is that WebCruiser Web Vulnerability Scanner focuses on high risk vulnerabilities, and WebCruiser can scan a designated vulnerability type, or a designated URL, or a designated page separately, while the others usually will not.

WebCruiser v3.4.0 is available, new feature: support scanning absolete backup files which may cause potential information leakage.

User Guide :


Tuesday, December 18, 2012

Arachni - Web Application Security Scanner Framework

Arachni :
            is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications. Arachni is smart, it trains itself by learning from the HTTP responses it receives during the audit process.
Unlike other scanners, Arachni takes into account the dynamic nature of web applications and can detect changes caused while travelling through the paths of a web application’s cyclomatic complexity.

This way attack/input vectors that would otherwise be undetectable by non-humans are seamlessly handled by Arachni.

Currently available modules:

  • Audit:
    • SQL injection
    • Blind SQL injection using rDiff analysis
    • Blind SQL injection using timing attacks
    • CSRF detection
    • Code injection (PHP, Ruby, Python, JSP, ASP.NET)
    • Blind code injection using timing attacks (PHP, Ruby, Python, JSP, ASP.NET)
    • LDAP injection
    • Path traversal
    • Response splitting
    • OS command injection (*nix, Windows)
    • Blind OS command injection using timing attacks (*nix, Windows)
    • Remote file inclusion
    • Unvalidated redirects
    • XPath injection
    • Path XSS
    • URI XSS
    • XSS
    • XSS in event attributes of HTML elements
    • XSS in HTML tags
    • XSS in HTML ‘script’ tags
  • Recon:
    • Allowed HTTP methods
    • Back-up files
    • Common directories
    • Common files
    • HTTP PUT
    • Insufficient Transport Layer Protection for password forms
    • WebDAV detection
    • HTTP TRACE detection
    • Credit Card number disclosure
    • CVS/SVN user disclosure
    • Private IP address disclosure
    • Common backdoors
    • .htaccess LIMIT misconfiguration
    • Interesting responses
    • HTML object grepper
    • E-mail address disclosure
    • US Social Security Number disclosure
    • Forceful directory listing

Sample Report :

To scan via the user-friendlier Web User Interface, just run:

This will setup a Dispatcher and fire-up the WebUI server for you.

Then, point your browser to http://localhost:4567, accept the default settings and start the scan.

Download Link : Click Here