If you like NTOinsight, you might also like NT OBJECTives' NTOSpider, a commercial Web application vulnerability scanner. NTOSpider goes well beyond the abilities of NTOinsight to perform scans for a wide range of potential problems related to Secure Sockets Layer (SSL), Java, proxy servers, user sessions, and more. In addition, the tool can test your applications against SQL injection and cross-site scripting attacks.

Originating years ago at DEFCON 5, screamingCobra is a simple Perl script developed as part of a challenge to create an algorithm to detect script vulnerabilities. Despite its age, screamingCobra offers reasonable value. The script has four basic command-line options: show a status bar (-s), don't ignore any files (-i), use extra techniques to discover cbugs (-e), and verbose mode (-v). (Note: To learn about cbugs, see The Bugs Project Web site at http://www.mrc-bsu.cam.ac.uk/bugs.) Of course, you also need to specify the Web site address to scan. I recommend that you run the script with the -i, -e, and -v options enabled, as the following command shows:

perl screamingcobra.pl -e -i -v http://www.mysite.nul

When it runs, the script moves from page to page, gathering URLs from the Web site. When it encounters a URL that might be vulnerable, screamingCobra prints a message prefaced by "BUG FOUND". You can use the following command to gather screamingCobra's output and pipe it to a report.txt file:

perl screamingcobra.pl -e -i -v http://www.mysite.nul > report.txt

If you have the grep utility installed, you can pipe screamingCobra's output through it so that only the reported bugs are saved to a text file. To save reported bugs only, use the following command:

perl screamingcobra.pl -e -i -v http://www.mysite.nul | grep "BUG FOUND" > report.txt

Overall, screamingCobra is an effective way to test application security, particularly if you use Linux as a Web platform. (Most of the checks screamingCobra performs relate to weaknesses commonly found in applications that run on Linux.) However, you should use it in addition to the other tools discussed in this article.

Using Search Engines
MET works in conjunction with Google's API to query Google for links to your site that might represent possible vulnerabilities. You can use MET to construct specialized queries, or you can work with the Google Hacking Database (GHDB—http://johnny.ihackstuff.com), another publicly available database of URL suffixes known to be related to vulnerable Web applications. For simplicity, I'll show you how to use MET with GHDB.

Note: Google's API (http://www.google.com/apis/index.html) lets you use tools such as MET that are designed to perform a large number of queries in Google's databases. To use the API, you must obtain a license from Google, a simple process that involves filling out a form and waiting for your API key to arrive by email. The API key lets you perform up to 1000 automated queries per day. (If you try to perform a large number of successive queries to Google directly without the API key, Google will eventually detect that activity and block your access for some period of time.)

Google hacking permits querying for specifics about a Web site without actually sending traffic to that Web site. This capability makes Google hacking a double-edged sword: Although attackers can probe your Web site by stealth, you can do the same to find potential vulnerabilities and unwanted exposure of information. Because Google does all the Web crawling, you must query Google to discover what its databases contain about your sites.

MET is written in the Python scripting language; to use MET, you'll need a copy of Python, which you can download at http://python.org. Install Python, then MET, then download a copy of GHDB and put it in a subdirectory of your Python directory. For example, extract GHDB to the folder python\etc (a folder that exists after you install Python). With that done, you're ready to go. If you used the MSI Installer version of MET, you'll find its script installed in the python\scripts directory, and you can use the following sample command to try it:

python scripts\google ghdb -v --database=etc\ghdb.xml --key=XYZ --output=mysite.txt 'site:mysite.dom'

The -v option instructs MET to run in verbose mode, which lets you monitor its progress. Replace XYZ with your Google API key. The last parameter, 'site:mysite.dom', is the query filter. Be sure to leave that item as the last parameter on the command line, and change mysite.dom to your domain name. The command causes MET to try to find each URL listed in GHDB on your Web site, as Figure 2 shows, and write the results to the mysite.txt output file.

Note that because the Google API lets you make only up to 1000 queries per day, you'll need to pace the queries. Here's why: At the time of this writing, the version of GHDB at http://johnny.ihackstuff.com contains more than 1100 queries. If you use this version, you'll need to split the file in two and use the resulting two files on different days. If you split the file, pay special attention to the XML format: each file must carry the same XML header and root element as the original for MET to process it.
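The following script is an added example (not part of the article, MET, or GHDB) that splits a GHDB-style XML query list into batches small enough for the 1000-queries-per-day quota while keeping the root element and its attributes in every batch; the element names in the sample are assumed and not the real ghdb.xml schema.

```python
# Added example: split a query list into per-day batches that fit the API quota.
# Each batch is a complete, well-formed XML document with the original root
# element and attributes, so the consuming tool can read it unchanged.
import xml.etree.ElementTree as ET

DAILY_QUOTA = 1000  # per-key query limit stated in the article


def split_ghdb(xml_text, max_per_file=DAILY_QUOTA):
    """Return a list of XML documents, each holding at most max_per_file
    child entries of the original root, in original order."""
    if max_per_file < 1:
        raise ValueError("max_per_file must be >= 1")
    root = ET.fromstring(xml_text)
    entries = list(root)
    batches = []
    for start in range(0, len(entries), max_per_file):
        # Reproduce the root tag and attributes (the "headers") in every batch.
        batch_root = ET.Element(root.tag, root.attrib)
        batch_root.extend(entries[start:start + max_per_file])
        batches.append(ET.tostring(batch_root, encoding="unicode"))
    return batches


def entry_count(xml_text):
    """Number of top-level query entries in one document."""
    return len(list(ET.fromstring(xml_text)))


# Constructed sample in an assumed GHDB-like layout (hypothetical element
# names; placeholder query strings, not real GHDB signatures).
SAMPLE_GHDB = """<?xml version="1.0"?>
<ghdb version="assumed">
  <signature><querystring>inurl:placeholder1</querystring></signature>
  <signature><querystring>inurl:placeholder2</querystring></signature>
  <signature><querystring>inurl:placeholder3</querystring></signature>
  <signature><querystring>inurl:placeholder4</querystring></signature>
  <signature><querystring>inurl:placeholder5</querystring></signature>
</ghdb>
"""

if __name__ == "__main__":
    # Batch size 2 here only to show the split; use DAILY_QUOTA for real runs.
    for i, doc in enumerate(split_ghdb(SAMPLE_GHDB, 2), start=1):
        with open("ghdb-part%d.xml" % i, "w", encoding="utf-8") as fh:
            fh.write(doc)
        print("ghdb-part%d.xml: %d queries" % (i, entry_count(doc)))
```

Run each resulting file with MET on a different day via --database=etc\ghdb-partN.xml so no single day exceeds the quota.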
