Web Application Security Scanner Framework
This tool is a high-performance Ruby framework aimed at helping penetration testers and administrators evaluate the security of web applications.
It is designed to automatically detect security issues in web applications. All it expects is the URL of the target website, and after a while it presents you with its findings.
A stable, efficient, high-performance framework
Check, report and plugin developers can easily and quickly create and deploy their components, with the minimum of restrictions imposed upon them, while being provided with the infrastructure necessary to accomplish their goals.
Furthermore, they are encouraged to take full advantage of the Ruby language under a unified framework that increases their productivity without stifling them or complicating their tasks.
Moreover, that same framework can be used like any other Ruby library, leading to the development of brand new scanners, or helping you create highly customized scan/audit scenarios and/or scripted scans.
Very simple and straightforward API.
Easy interoperability with non-Ruby systems.
Operates over HTTP.
Uses JSON to format messages.
Stateful scan monitoring.
Each session automatically receives only incremental updates when polling for progress, rather than the full data set.
High-performance/low-bandwidth communication protocol.
MessagePack serialization for performance, efficiency and ease of integration with 3rd party systems.
Grid:
Self-healing.
Scale up/down by hot-plugging/hot-unplugging nodes.
Can scale up infinitely by adding nodes to increase scan capacity.
(Always-on) Load-balancing -- All Instances are automatically provided by the least burdened Grid member, with optional per-scan opt-out/override.
(Optional) High-Performance mode -- Combines the resources of multiple nodes to perform multi-Instance scans; enabled on a per-scan basis.
WVSF is a highly modular system, employing several components of distinct types to perform its duties. In addition to enabling or disabling the bundled components so as to adjust the system's behavior and features as needed, functionality can be extended via the addition of user-created components to suit almost every need.
In order to make efficient use of the available bandwidth, WVSF performs rudimentary platform fingerprinting and tailors the audit process to the server-side deployed technologies by only using applicable payloads.
Currently, the following platforms can be identified:
Operating systems: BSD, Linux, Unix, Windows, Solaris.
Web servers: Apache, IIS, Nginx, Tomcat, Jetty, Gunicorn.
Programming languages: PHP, ASP, ASPX, Java, Python, Ruby.
Frameworks: Rack, CakePHP, Rails, Django, ASP.NET MVC, JSF, CherryPy, Nette, Symfony.
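As an added illustration (not the framework's own code) of how a platform fingerprint narrows the payloads a check sends: the header, cookie and extension signature tables, the implication map and the payload set names below are assumptions, and the response data is constructed.

```ruby
# Added example, not the framework's own code: infer platform hints from one
# HTTP response and select only the payload sets that apply to them.
# Signature tables and implications are assumed; payload set names are placeholders.
require 'set'

HEADER_SIGNATURES = {
  'server' => {
    /apache/i => :apache, /nginx/i => :nginx, /iis/i => :iis,
    /unix|linux|ubuntu|debian/i => :unix, /freebsd|openbsd/i => :bsd
  },
  'x-powered-by' => { /php/i => :php, /asp\.net/i => :aspx }
}.freeze
COOKIE_SIGNATURES = { 'PHPSESSID' => :php, 'JSESSIONID' => :java,
                      'ASP.NET_SessionId' => :aspx }.freeze
EXTENSION_SIGNATURES = { '.php' => :php, '.aspx' => :aspx, '.jsp' => :java }.freeze

# A server or language hint also narrows the OS family (assumed mapping).
IMPLICATIONS = { iis: [:windows], aspx: [:windows, :iis] }.freeze

# Payload sets (placeholder names) carried by each check, keyed by platform.
PAYLOAD_SETS = {
  os_cmd_injection: { unix: :unix_cmd_set, bsd: :bsd_cmd_set, windows: :windows_cmd_set },
  code_injection:   { php: :php_code_set, ruby: :ruby_code_set,
                      java: :java_code_set, asp: :asp_code_set }
}.freeze

# Return the set of platform symbols identified from URL, headers and cookies.
def fingerprint(url:, headers:, cookies:)
  found = Set.new
  headers.each do |name, value|
    HEADER_SIGNATURES.fetch(name.downcase, {}).each { |re, plat| found << plat if value.match?(re) }
  end
  cookies.each_key { |c| found << COOKIE_SIGNATURES[c] if COOKIE_SIGNATURES.key?(c) }
  path = url.sub(/\?.*\z/, '') # ignore the query string when checking the extension
  EXTENSION_SIGNATURES.each { |ext, plat| found << plat if path.end_with?(ext) }
  found.to_a.each { |p| found.merge(IMPLICATIONS.fetch(p, [])) }
  found
end

# Keep only payload sets for the identified platforms; when nothing relevant was
# identified, fall back to every set so that coverage is never silently lost.
def applicable_payload_sets(check, platforms)
  sets = PAYLOAD_SETS.fetch(check)
  hits = sets.select { |plat, _| platforms.include?(plat) }
  (hits.empty? ? sets : hits).values
end
```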
Active checks engage the web application via its inputs.
SQL injection (sql_injection) -- Error based detection for: Oracle, InterBase, PostgreSQL, MySQL, MSSQL, EMC, SQLite, DB2, Informix, Firebird, SAP MaxDB, Sybase, Frontbase, Ingres, HSQLDB, MS Access.
Blind SQL injection using differential analysis (sql_injection_differential).
Blind SQL injection using timing attacks (sql_injection_timing): MySQL, PostgreSQL, MSSQL.
NoSQL injection (no_sql_injection) -- Error based vulnerability detection: MongoDB.
Blind NoSQL injection using differential analysis (no_sql_injection_differential).
CSRF detection (csrf).
Code injection (code_injection): PHP, Ruby, Python, Java, ASP.
Blind code injection using timing attacks (code_injection_timing): PHP, Ruby, Python, Java, ASP.
LDAP injection (ldap_injection).
Path traversal (path_traversal): *nix, Windows, Java.
File inclusion (file_inclusion): *nix, Windows, Java, PHP, Perl.
Response splitting (response_splitting).
OS command injection (os_cmd_injection): *nix, *BSD, IBM AIX, Windows.
Blind OS command injection using timing attacks (os_cmd_injection_timing): Linux, *BSD, Solaris, Windows.
Remote file inclusion (rfi).
Unvalidated redirects (unvalidated_redirect).
Unvalidated DOM redirects (unvalidated_redirect_dom).
XPath injection (xpath_injection): Generic, PHP, Java, dotNET, libXML2.
XSS (xss).
Path XSS (xss_path).
XSS in event attributes of HTML elements (xss_event).
XSS in HTML tags (xss_tag).
XSS in script context (xss_script_context).
DOM XSS (xss_dom).
DOM XSS script context (xss_dom_script_context).
Source code disclosure (source_code_disclosure).
XML External Entity (xxe): Linux, *BSD, Solaris, Windows.
Passive checks look for the existence of files, folders and signatures.
Allowed HTTP methods (allowed_methods).
Back-up files (backup_files).
Backup directories (backup_directories).
Common administration interfaces (common_admin_interfaces).
Common directories (common_directories).
Common files (common_files).
HTTP PUT (http_put).
Insufficient Transport Layer Protection for password forms (unencrypted_password_form).
WebDAV detection (webdav).
HTTP TRACE detection (xst).
Credit Card number disclosure (credit_card).
CVS/SVN user disclosure (cvs_svn_users).
Private IP address disclosure (private_ip).
Common backdoors (backdoors).
.htaccess LIMIT misconfiguration (htaccess_limit).
Interesting responses (interesting_responses).
HTML object grepper (html_objects).
E-mail address disclosure (emails).
US Social Security Number disclosure (ssn).
Forceful directory listing (directory_listing).
Mixed Resource/Scripting (mixed_resource).
Insecure cookies (insecure_cookies).
HttpOnly cookies (http_only_cookies).
Auto-complete for password form fields (password_autocomplete).
Origin Spoof Access Restriction Bypass (origin_spoof_access_restriction_bypass).
Form-based upload (form_upload).
localstart.asp (localstart_asp).
Cookie set for parent domain (cookie_set_for_parent_domain).
Missing Strict-Transport-Security headers for HTTPS sites (hsts).
Missing X-Frame-Options headers (x_frame_options).
Insecure CORS policy (insecure_cors_policy).
Insecure cross-domain policy (allow-access-from) (insecure_cross_domain_policy_access).
Insecure cross-domain policy (allow-http-request-headers-from) (insecure_cross_domain_policy_headers).
Insecure client-access policy (insecure_client_access_policy).
HTML (zip) (html).
XML (xml).
JSON (json).