Types of Mainstream WEB Vulnerability Scanners and Their Fingerprint Analysis

0x01 WEB vulnerability scanning tools

Domestic:

NSFOCUS (WVSS):
https://www.nsfocus.com.cn/html/2019/206_0911/8.html

DBAPPSecurity (MingJian):
https://www.dbappsecurity.com.cn/show-63-38-1.html

Knownsec (WebSOC):
https://scanv.yunaq.com/websoc/index.html

Venustech (Sky Mirror):
https://www.venustech.com.cn/article/type/1/253.html

Qi An Xin (NetGod SecVSS 3600):
https://www.qianxin.com/product/detail/pid/1

Topsec (Tianrongxin):
http://www.topsec.com.cn/product/63.html

Chaitin (xray):
https://www.chaitin.cn/zh/xray

Foreign:

AWVS: 
http://wvs.evsino.com/

Nessus: 
https://www.tenable.com/downloads/nessus

Appscan: 
https://ibm-security-appscan-standard.software.informer.com/8.7/

Netsparker: 
https://www.netsparker.com/

Webinspect: 
https://www.microfocus.com/en-us/products/webinspect-dynamic-analysis-dast/download?utm_campaign=00173365&utm_content=Search-NB-DSA-ESP-Fortify-X-APJ-X-GGL&gclid=EAIaIQobChMIrLqP4-P86QIVg2kqCh2_tApXEAAYASAAEgJzqvD_BwE

WebReaver: 
https://webreaver.com/

Comprehensive:

Nexpose:

Windows/Linux Version:
https://www.rapid7.com/info/nexpose-trial/

Virtual machine version:
https://www.rapid7.com/info/nexpose-virtual-appliance/

Community version (one-year free trial):
https://www.rapid7.com/info/nexpose-community/

Note: The WEB vulnerability scanners listed above include both paid and free products. Most of the domestic ones are paid; the exception is Chaitin's xray, although its advanced edition is also paid and only the community edition is free. The WEB vulnerability scanners we commonly use in daily penetration testing are AWVS, Nessus and AppScan. Next, we analyze the advantages and disadvantages of the mainstream scanners and their fingerprint characteristics.

0x02 Scanner advantages and disadvantages analysis

The quality of a WEB vulnerability scanner depends on the number of pages it can crawl, the size of its vulnerability database, its scanning efficiency, its false-positive rate, and so on. Vulnerability scanning is also divided into active and passive scanning: xray and w13scan use passive scanning, while AWVS uses active scanning. In an enterprise, if the enterprise has its own vulnerability scanner, use the one it provides. If not, we run two easy-to-use, mainstream WEB vulnerability scanners, then compare and merge the reports they generate after scanning. The same approach applies to system scanning.

0x03 Scanner feature analysis

1. AWVS

The AWVS scanner embeds characteristic strings that identify it in the request URL, headers and body:

<1> URL:
acunetix-wvs-test-for-some-inexistent-file
by_wvs
acunetix_wvs_security_test
acunetix
acunetix_wvs
acunetix_test
<2> Headers:
Acunetix-Aspect-Password:
Cookie: acunetixCookie
Location: acunetix_wvs_security_test
X-Forwarded-Host: acunetix_wvs_security_test
X-Forwarded-For: acunetix_wvs_security_test
Host: acunetix_wvs_security_test
Cookie: acunetix_wvs_security_test
Cookie: acunetix
Accept: acunetix/wvs
Origin: acunetix_wvs_security_test
Referer: acunetix_wvs_security_test
Via: acunetix_wvs_security_test
Accept-Language: acunetix_wvs_security_test
Client-IP: acunetix_wvs_security_test
HTTP_AUTH_PASSWD: acunetix
User-Agent: acunetix_wvs_security_test
Acunetix-Aspect-Queries: any value
Acunetix-Aspect: any value
<3> Body (POST request data):
acunetix_wvs_security_test
acunetix
2. Nessus

The characteristic strings of the Nessus scanner likewise appear in the request URL, headers and body:

<1> URL:
nessus
Nessus
<2> Headers:
x_forwarded_for: nessus
referer: nessus
host: nessus
<3> Body:
nessus
Nessus
3. AppScan

AppScan also embeds characteristic strings that identify it in the request URL, headers and body:

<1> URL:
Appscan
<2> Headers:
Content-Type: Appscan
Content-Type: AppScanHeader
Accept: Appscan
User-Agent: Appscan
<3> Body:
Appscan

The three WEB vulnerability scanners above are the current mainstream ones, and each has its own fingerprint characteristics. Based on these fingerprints it is easy to tell whether an attacker is running a vulnerability scanner against your website. It must be mentioned that some people have accidentally knocked over the target server this way; I did it once myself, so use scanners with caution. At the same time, many websites now have access restrictions in place, and once their rules are triggered your IP will be banned. There is of course a workaround for this, namely using a proxy pool. In fact, as my experience has grown I use vulnerability scanners less and less, although I relied on them heavily when I first started.
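As an added example that is not part of the original post, the following Python checker parses a raw HTTP request and flags the AWVS, Nessus and AppScan markers listed above wherever they appear (URL, header names or values, body), matching case-insensitively so that both "nessus" and "Nessus" are caught. The sample requests and the host name example.test are constructed, not captured traffic.

```python
# Fingerprint tokens from the post: each scanner leaves its own marker in the URL, headers or body.
SCANNER_TOKENS = {
    "AWVS": ("acunetix", "by_wvs"),
    "Nessus": ("nessus",),
    "AppScan": ("appscan",),
}


def parse_request(raw):
    """Split a raw HTTP/1.x request into (url, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    url = parts[1] if len(parts) > 1 else ""
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed header lines instead of failing
            headers[name.strip()] = value.strip()
    return url, headers, body


def detect_scanner(raw):
    """Return {scanner: sorted locations} for every token found, case-insensitively."""
    url, headers, body = parse_request(raw)
    hits = {}
    for scanner, tokens in SCANNER_TOKENS.items():
        where = set()
        for token in tokens:
            if token in url.lower():
                where.add("url")
            for name, value in headers.items():
                if token in name.lower() or token in value.lower():
                    where.add("header:" + name)
            if token in body.lower():
                where.add("body")
        if where:
            hits[scanner] = sorted(where)
    return hits


# Constructed sample requests (not captured traffic) built from the markers in the post.
SAMPLE_AWVS = ("GET /acunetix-wvs-test-for-some-inexistent-file HTTP/1.1\r\n"
               "Host: example.test\r\nUser-Agent: acunetix_wvs_security_test\r\n"
               "Acunetix-Aspect: any value\r\n\r\n")
SAMPLE_NESSUS = ("POST /login HTTP/1.1\r\nHost: example.test\r\n"
                 "Referer: nessus\r\n\r\nuser=Nessus")
SAMPLE_CLEAN = ("GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
                "User-Agent: Mozilla/5.0\r\n\r\n")

if __name__ == "__main__":
    print(detect_scanner(SAMPLE_AWVS), detect_scanner(SAMPLE_NESSUS), detect_scanner(SAMPLE_CLEAN))
```

The same function can be run over requests reconstructed from a WAF or reverse-proxy log to count scanner hits per source IP before deciding on a block rule.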


Tags: network security

Posted by jlaperch on Thu, 16 Mar 2023 06:41:30 +1030