Re: Web Application Testers.

From: Dennis Groves (
Date: 09/24/01

Date: Mon, 24 Sep 2001 13:34:53 -0700
Subject: Re: Web Application Testers.
From: Dennis Groves <>
To: Dom De Vitto <>, <>, <>
Message-ID: <>

> I've just been reading about Sanctum's AppScan, which appears to be on the
> right track, but I've nothing to compare it to...
> Any advice/experience.
> FYI, AppScan breaks/subverts web applications - there are plenty of tools
> to break web servers (apache/IIS), but it looks like appscan is on it's own
> on the test-the-bespoke-web-app front.
> Thanks all, in advance,
> Dom
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:

Look else where. It is very interesting, however programs at this early
stage of the game simply can not replace the human brain.

To Quote Minga "earlier on this list"

>>> In short there is a real lack of expertise in the field and a huge demand.
>>> Some idiot running Nessus across your application is going to do nothing.
>> Yes I agree with this. Most security audits are only automated scanners and
>> are rarely detailed application audits.
> Be sure to highlight the word MOST there. I've been doing Web Application
> penetration test/vulnerability assessments/ and generic best-practices checks
> by hand for a security firm for over 2 years now. It is automatically included
> in the general security methodology that we use for all clients. Along with
> non-tool based penetration tests/vulnerability assessments.
> --
> As for the TOOLS discussion there are 4 three tools I am absolutely
> dependant on for my web applications tests.
> 1) stunnel
> 2) A Sniffer
> 3) Perl
> 4) A Brain
> MAYBE some sort of proxy to catch requests. But pretty much all of them are
> lame and overly complicated or broken in some matter. (Tis' why I use
> stunnel and a sniffer instead).
> I have used Sanctum's tool for a few weeks. They are headed in the correct
> direction. but have a looooong way to go. On a test I performed, I ended up
> with APPX 20 findings, 3 of which were High Risk. Sanctum's tool only found
> about 4-5 of the findings. So if I (or anyone) was dependant on this type of
> tool to be "secure", it would be a big waste of $5000. The tools does not
> check for most "Best Practices" types of risks (SSL Key Strength For Example)
> It does check for comments inside of HTML (and will return you about 200
> findings associated with them). It also floodes all variables with long
> bits of data. But not the RIGHT type of data. It will try 1000 1's (for
> example). But not 1000 !'s or 1000 ;'s . Or for that matter 10000 1's.
> It doesnt try (as data for a variable) things like
> !@#$%^&*()_+=-{}|\[;",./?><`~. When those usually wreck havok!

I can not say it better myself...
Appscan in particular has little to set it apart from other products that do
web audits (Unless you consider 80% false positives to be a selling point).
The company "slant" is application testing, but it is pure spin, the product
does no more and perhaps less than many of the following products:

(Gratuitously borrowed from various web databases, but compiled by me)


Web application testing tools.

e-test tools
PentaSafe tools
"Write you own scripts"
"Contract out testing"

Other Web Scanners (35 Little Boys)

911 0.1
by Erik Tayler
< >
< >
Platforms: FreeBSD, Linux, NetBSD and OpenBSD
Size: 29.17Kb
Score: Not scored yet
Simple code which will eventually be a very useful tool for performing
vulnerability assessments. Currently includes the ability to set certain
nmap and whisker options [scan type & evasive mode, respectively]. Will
eventually incorporate more tools, and have a nice, clean, centralized

Atlas 1.0
by Digital Monkey,
< >
Platforms: Windows 95/98
Size: 23.79Kb
Score: Not scored yet
A Windows/MS-DOS CGI scanner (binary only) which scans for 65 remote

BASS - Bulk Auditing Security Scanner 1.0.7
by Liraz Siri <>
< >
Platforms: Linux
Size: 61.50Kb
Score: 3.00 / 4 (1 vote)
BASS is a bulk auditing network scanner that features a highly-reliable,
fail-safe architecture which efficiently utilizes the available bandwidth.
It has a small memory and CPU footprint and can be easily extended.

Cerberus Internet Scanner 5.0
by David Litchfield
< >
< >
Platforms: Windows 2000 and Windows NT
Size: 298.77Kb
Score: 3.00 / 4 (1 vote)
CIS is a free security scanner written and maintained by Cerberus
Information Security, Ltd and is designed to help administrators locate and
fix security holes in their computer systems. This tool is a must! Runs on
Windows NT and Windows 2000. Very comprehensive!

Cerberus WebScan
by Cerberus Information Security,
< >
< >
Platforms: Windows 2000, Windows 95/98 and Windows NT
Size: 76.00Kb
Score: 3.00 / 4 (1 vote)
This is a web security scanner designed to find known web server security

cgi scanner 3.6
by CKS
< >
< >
Platforms: AIX, BSDI, Digital UNIX/Alpha, FreeBSD, HP-UX, IRIX, Linux,
NetBSD, OpenBSD, SCO, Solaris, SunOS, True64 UNIX, UNIX, Ultrix and Unixware
Size: 12.37Kb
Score: 2.00 / 4 (1 vote)
Cgi Scanner 3.6 is a simple program which facilitates the scanning of hosts
on a network for known cgi vulnerabilities. Upon finding a given cgi
program, the script will optionally download information from the authorıs
web page, detailing the exploit. 3.6 includes a fix for a y2k problem in
previous versions that would cause numerous false positives.

Cgi Sonar 1.0
by M.e.s.s.i.a.h
< >
Platforms: Perl (any system supporting perl)
Size: 4.37Kb
Score: Not scored yet
A simple Cgi Scanner written in PERL ,scans for over 120 known

cgi-check99 0.3
by deepquest
< >
< >
Platforms: BSDI, BeOS, DOS, FreeBSD, HP-UX, IRIX, Linux, MacOS, NetBSD,
OS/2, OpenBSD, OpenVMS, PalmOS, Solaris, SunOS, UNIX, VMS, Windows 2000,
Windows 3.x, Windows 95/98, Windows CE and Windows NT
Size: 10.64Kb
Score: 3.00 / 4 (1 vote)
This is one of the worlds most cross platform cgi scanners, running on 37
operating systems! Even Palmos soon! Will check for hundreds of common cgi
and other remote issues. Plus it will report you the Bugtraq ID of some
vulnerabilities. Get the rebol interpreter at

CGI-Exploit Scanner (Japanese)
by Shadow Penguin Security Team
< >
< >
Platforms: UNIX
Size: 6.42Kb
Score: 3.00 / 4 (1 vote)
This utility lists the servers which have certain security vulnerabilities
via CGI scripts. This utility currently checks for the phf, test-cgi,
nph-test-cgi, campas, htmlscript, service & pwd vulnerabilities . The
addition of new vulnerabilities is very easy.

cgichk 2.50
by Toby Deshane
< >
< >
Platforms: FreeBSD and Linux
Size: 14.04Kb
Score: Not scored yet
cgichk is a Web vulnerability tool that automatically searches for a series
of interesting directories and files on a given site. It also includes a
whois lookup.

by Bronc Buster
< >
Platforms: AIX, BSDI, Digital UNIX/Alpha, FreeBSD, HP-UX, IRIX, Linux,
NetBSD, OpenBSD, SCO, Solaris, SunOS, True64 UNIX and UNIX
Size: 4.43Kb
Score: 2.00 / 4 (1 vote)
cgiscan.c is another simple program which facilitates the scanning of hosts
on a network for known cgi vulnerabilities. It letıs the user know whether
or not a given cgi was found on the host.

Cold Fusion Scan 1.0
< >
Platforms: Windows 95/98 and Windows NT
Size: 172.22Kb
Score: Not scored yet
Cold Fusion vulnerability scanner is a program that will run down a list of
words/domain names, and scan each one for an Allaire Cold Fusion

CUM Security Toolkit [CST]
by toxic ocean,
< >
< >
Platforms: Java
Size: 12.70Kb
Score: 4.00 / 4 (1 vote)
This version contains a script scanner, that scans using a database of
scripts (user editable). The sample databases included contains +350
possibly vulnerable scripts/dirs. You can scan with or without a
proxyserver. The scanner has 5 different Anti-IDS tactics (hex-values,
double slashes, self-reference dirs, parameter hiding and session splicing),
and sends fake ³X-Forwarded-For:², ³Referer:² and ³User-Agent:² headers to
hide your scan even more. You can also specify a waittime between 2 script
fetches. The scanner uses HEAD requests instead of GET for faster scanning,
and has support for scanning virtual hosts. You can also specify another
port to scan instead of the standard port 80. The scanner outputs the
scripts/dirs that return a 200, 403 or 401 HTTP code and outputs the
webserver software.
Iım probably forgetting some options because there are alot in this new
version - you have to try it to see...
Also included is a portscanner. It can perform TCP scans, and it outputs the
open ports, and their reply.
A full and comprehensive manual is included, but if you have problems, you
can always mail us.

ELZA 1.4.3
< >
< >
Platforms: Linux and Solaris
Size: 40.36Kb
Score: Not scored yet
The ELZA is a scripting language aimed at automating requests on web pages.
Scripts written in ELZA are capable of mimicing browser behavior almost
perfectly, making it extremely difficult for remote servers to distinguish
their activity from the activity generated by ordinary users and browsers.
This gives those scripts the opportunity to act upon servers that will not
respond to requests generated using netcat, rebol, telnet or similar tool.

by Rhino9
< >
< >
Platforms: Windows 3.x, Windows 95/98 and Windows NT
Size: 1.13Mb
Score: 3.00 / 4 (1 vote)
Grinder is a scanning tool for the Windows operating systems that scans
ranges of ip addresses for IIS webservers containing certain urls.

Guile CGI Scanner
by ImperialS
< >
Platforms: Linux
Size: 8.19Kb
Score: Not scored yet
A CGI Scanner written in C. Checks for 44 known CGI problems.

httptype 1.3.6
by Philip Tellis,
< >
< >
Platforms: Linux and Solaris
Size: 14.36Kb
Score: Not scored yet
httptype reads a list of http hosts and optionally the port number for each
of these. It queries each host, displaying the type of HTTP server running
on that host, if any. It reads the http_proxy and no_proxy environment
variables to determine whether to use a proxy or not. These options may also
be specified through the command line.

by UndeF
< >
< >
Platforms: Linux, Perl (any system supporting perl), Solaris and UNIX
Size: 11.83Kb
Score: Not scored yet
Security auditing tool for unix systems. Port scan, remote services version
detect, log facility.

md-webscan 1.0.1
by Mordrian,
< >
< >
Platforms: Linux, Solaris and UNIX
Size: 7.69Kb
Score: Not scored yet
Allows system administrators to check for commonly known CGI vulnerabilities
on machines they administrate. Scans for 180 vulnerabilities in total.

Nessus 1.0.6
by Renaud Deraison,
< >
< >
Platforms: FreeBSD, IRIX, Linux, NetBSD, OpenBSD and Solaris
Score: 3.86 / 4 (7 votes)
Nessus is a remote security scanner for Linux, BSD, Solaris, and other
Unices. It is multi-threaded and plug-in-based, has a GTK interface, and
performs over 470 remote security checks. It allows for reports to be
generated in HTML, LaTeX, and ASCII text, and suggests solutions for
security problems.

Nsat 1.22
by Mixter,
< >
< >
Platforms: Linux and Solaris
Size: 799.86Kb
Score: 4.00 / 4 (1 vote)
Nsat (Network Security Analysis Tool) is a fast, stable bulk security
scanner designed to audit remote network services and check for versions,
security problems, gather information about the servers and the machine, and
much more. Unlike many other auditing tools, it can collect information
about services independently of vulnerabilities, which makes it less
dependent on frequent updates as new vulnerabilities are found.

Perl CGI Checker
by Epicurus (
< >
Platforms: Perl (any system supporting perl)
Size: 6.89Kb
Score: Not scored yet
A CGI vulnerability scanner written in PERL, checks for 62 CGI holes.

rvscan (remote vulnerability scanner)
by ben-z
< >
< >
Platforms: Linux
Size: 102.81Kb
Score: Not scored yet
scans a unix system for just about every remote vulnerability currently
being used by hackers.

Shadow CGI check 1.00.007
by RedShadow
< >
< >
Platforms: Windows 2000, Windows 95/98 and Windows NT
Size: 256.26Kb
Score: Not scored yet
CGI vulnerability scanner. Currently checks for over 129 vulnerabilities.

twwwscan 0.7
by pilot
< >
< >
Platforms: Windows 2000, Windows 95/98 and Windows NT
Size: 127.32Kb
Score: 4.00 / 4 (1 vote)
Updated version of twwwscan with added -v option support html type report
support CVE information included completed NT/2000 IIS detail patch
information. Last(~2000/12/23) WWW Vulnerabilities 300 over bugs check

UCGI Vulnerability Scanner 1.56
by su1d sh3ll
< >
< >
Platforms: FreeBSD, IRIX, Linux and Windows 95/98
Size: 147.18Kb
Score: Not scored yet
CGI vulnerability scanner version 1.56. Checks for over 90 CGI
vulnerabilities. Tested on slackware linux with kernel 2.0.35-2.2.5, Freebsd
2.2.1-3.2, IRIX 5.3, DOS, and windows.

VoidEye CGI scanner Build 461
by Duke
< >
Platforms: Windows 2000, Windows 95/98 and Windows NT
Size: 328.58Kb
Score: Not scored yet
VoidEye CGI scanner, build 461. Scans for 78 known vulnerabilities. Runs on:
win9x, winNT, win2000. Features: user can add his own holes, editing
³exp.dat² in any text editor or via program interface, user can process a
site list, editing it via the program interface or the file ³servers.dat²,
scanner can work via a proxy, for more security. Multi-threaded and fast. By

Weakness - Www Vulnerablity Scanner
by John Bissell a.k.a. hight1mes
< >
< >
Platforms: DOS, Windows 95/98 and Windows NT
Size: 29.92Kb
Score: 4.00 / 4 (1 vote)
Weakness is basically a CGI vulnerablity scanner coded for Windows/DOS.
Weakness will scan up 94 vulnerablities and output the results of the scan
to a text file. Source is included.

Webcracker 4.0
by Daniel Flam,
< >
< >
Platforms: Windows 95/98 and Windows NT
Size: 1.24Mb
Score: Not scored yet
This software will allow you to test your restricted-access website to make
sure that only authorized users are able to get in. Webcracker is a security
tool that allows you to attempt to test id and password combinations on your
web site. If youıre able to guess a userıs password with this program,
chances are some hacker will be able to also. Webcracker helps you find
these vulnerablilities and fix them before theyıre exploited by some unknown

by Mixter,
< >
< >
Platforms: Linux and Solaris
Size: 2.22Kb
Score: Not scored yet
This is a simple script that examines your CGI folder, and can check for
vulnerable scripts (-check), generate decoy scripts, which will log any
access over the web as a possible exploit attempt (-create), or remove
vulnerable scripts and previously installed decoy files (-clean).

Whisker 1.2.0
by Rain Forest Puppy
< >
< >
Platforms: Perl (any system supporting perl)
Size: 166.38Kb
Score: 4.00 / 4 (2 votes)
Whisker is an advanced CGI vulnerability scanner. It is scriptable and has
many good features, such as querying for system type and basing scans on the
information gathered (ie, determining between IIS and Apache webservers)

Whisker 1.4
by rain forest puppy,
< >
< >
Platforms: Perl (any system supporting perl)
Size: 166.38Kb
Score: 4.00 / 4 (3 votes)
Whisker is an advanced CGI vulnerability scanner. It is scriptable and has
many good features, such as querying for system type and basing scans on the
information gathered (ie, determining between IIS and Apache webservers)
³Multi-threaded² front end (Unix only).
More updates to server.db and scan.db.
Changed the Œsetı command to take .= (append) as well.
Added multi-file scans
Changed options around.
whisker will internally Œreadı the output from a .cfm script and determine
if it really exists, eliminating all false reports.
Added support for variables and tabıs, crıs, and lfıs in strings.
You can now use a variable for Œserverı and Œscanı matching
Scan database files donıt have to be in the current directory
Whisker defaults to scan.db, so itıs not required to specify -s <file>
Whisker will automatically rescan servers with dumb.db if they need it
NMAP information is now available inside the scripts
Redid the bounce options
Support for distributed proxies
Ability to use other CGI scannersı databases
Better timeout control (Unix only).
Implemented ability to use ŒGETı method, but still close the connection
after all the headers have arrived.
SamSpade bounce by Styx was added
Other little tweaks to variable handling and new variables added
Netcraft changed their output, so I had to change to match it.

whisker 1.4+SSL
by H.D. Moore,
< >
< >
Platforms: Perl (any system supporting perl)
Size: 169.34Kb
Score: Not scored yet
This is a modified version of the whisker web scanning tool written by RFP.
It adds native SSL support (the -x option) via the Net::SSLeay module and

Windows Nessus Client
by Noam Rathaus, Aviram Jenik, Jordan Hrycaj, and Renaud Deraison
< >
< >
Platforms: Windows 95/98 and Windows NT
Score: Not scored yet
Windows Nessus Client is an almost fully functional port of the UNIX Nessus
Client and has the same look and feel.

WWWHack 1.946
by core
< >
< >
Platforms: Windows 2000, Windows 95/98 and Windows NT
Size: 430.61Kb
Score: Not scored yet
A simple ³brute force² password guessing program. Includes dictionary files,
support for HTTP Basic, HTTP Form, FTP, POP, and News.