0x01 Web vulnerability scanners
Domestic (Chinese) products:
NSFOCUS (WVSS): https://www.nsfocus.com.cn/html/2019/206_0911/8.html
DBAPPSecurity (Mingjian): https://www.dbappsecurity.com.cn/show-63-38-1.html
Knownsec (websoc): https://scanv.yunaq.com/websoc/index.html
Venustech (Tianjing, "Sky Mirror"): https://www.venustech.com.cn/article/type/1/253.html
Qi An Xin (Wangshen SecVSS 3600): https://www.qianxin.com/product/detail/pid/1
Topsec (Tianrongxin): http://www.topsec.com.cn/product/63.html
Chaitin (Changting) xray: https://www.chaitin.cn/zh/xray
Foreign products:
AWVS: http://wvs.evsino.com/
Nessus: https://www.tenable.com/downloads/nessus
AppScan: https://ibm-security-appscan-standard.software.informer.com/8.7/
Netsparker: https://www.netsparker.com/
WebInspect: https://www.microfocus.com/en-us/products/webinspect-dynamic-analysis-dast/download?utm_campaign=00173365&utm_content=Search-NB-DSA-ESP-Fortify-X-APJ-X-GGL&gclid=EAIaIQobChMIrLqP4-P86QIVg2kqCh2_tApXEAAYASAAEgJzqvD_BwE
WebReaver: https://webreaver.com/
Nexpose (Rapid7):
Windows/Linux version: https://www.rapid7.com/info/nexpose-trial/
Virtual machine version: https://www.rapid7.com/info/nexpose-virtual-appliance/
Community version (one-year free trial): https://www.rapid7.com/info/nexpose-community/
Note: The web vulnerability scanners listed above include both paid and free products. Most of the domestic ones are commercial; the exception is Changting's xray, although xray's advanced edition is also paid and only the community edition is free. The web vulnerability scanners most commonly used in day-to-day penetration testing are AWVS, Nessus and AppScan. Next, we analyse the strengths and weaknesses of the mainstream scanners and their fingerprint characteristics.
0x02 Scanner strengths and weaknesses
The quality of a web vulnerability scanner depends on how many pages it can crawl, the size of its vulnerability database, its scanning efficiency, its false positive rate, and so on. Vulnerability scanning is also divided into active and passive scanning: xray and w13scan use passive scanning, while AWVS uses active scanning. In an enterprise, if the company has its own vulnerability scanner, use the one it provides. Otherwise, run two easy-to-use mainstream web vulnerability scanners, generate a report from each, and then compare and merge the results. The same approach applies to host (system) scanning.
0x03 Scanner fingerprint analysis
The AWVS scanner randomly inserts characteristic strings that identify it into the request URL, headers and body.
<1> URL:
acunetix-wvs-test-for-some-inexistent-file
by_wvs
acunetix_wvs_security_test
acunetix
acunetix_wvs
acunetix_test
<2> Headers:
Acunetix-Aspect-Password:
Cookie: acunetixCookie
Location: acunetix_wvs_security_test
X-Forwarded-Host: acunetix_wvs_security_test
X-Forwarded-For: acunetix_wvs_security_test
Host: acunetix_wvs_security_test
Cookie: acunetix_wvs_security_test
Cookie: acunetix
Accept: acunetix/wvs
Origin: acunetix_wvs_security_test
Referer: acunetix_wvs_security_test
Via: acunetix_wvs_security_test
Accept-Language: acunetix_wvs_security_test
Client-IP: acunetix_wvs_security_test
HTTP_AUTH_PASSWD: acunetix
User-Agent: acunetix_wvs_security_test
Acunetix-Aspect-Queries: any value
Acunetix-Aspect: any value
<3> Body (POST data):
acunetix_wvs_security_test
acunetix
The Nessus scanner's fingerprint strings also appear in the request URL, headers and body.
<1> URL:
nessus
Nessus
<2> Headers:
x_forwarded_for: nessus
referer: nessus
host: nessus
<3> Body:
nessus
Nessus
AppScan likewise randomly inserts characteristic strings that identify it into the request URL, headers and body.
<2> Headers:
Content-Type: Appscan
Content-Type: AppScanHeader
Accept: Appscan
User-Agent: Appscan
<3> Body:
Appscan
The three web vulnerability scanners above are the current mainstream ones, and each of them carries its own fingerprint. From these fingerprints it is easy to tell whether an attacker is using a vulnerability scanner against your website. It must be mentioned that some people have accidentally knocked the target server offline with a scanner; I did it once myself, so use them with caution. At the same time, many websites now have access restrictions in place; once their rules are triggered, your IP is banned. There is of course a workaround for that, namely proxy pools. In fact, as my experience has grown I use vulnerability scanners less and less, although I relied on them heavily when I was starting out.
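As an added example (not code from the original post), the following Python script checks raw HTTP requests against the fingerprint strings listed above for AWVS, Nessus and AppScan, which is the kind of rule a web server or WAF log pipeline would use to flag scanner traffic. The sample requests and the host name shop.example are constructed.

```python
# Fingerprint strings from the lists above, matched case-insensitively.
SCANNER_MARKERS = {
    # AWVS: most specific strings first, bare "acunetix" last
    "AWVS": ["acunetix-wvs-test-for-some-inexistent-file", "acunetix_wvs_security_test",
             "acunetix/wvs", "acunetix_wvs", "acunetix_test", "by_wvs", "acunetix"],
    "Nessus": ["nessus"],
    "AppScan": ["appscanheader", "appscan"],
}
# AWVS headers whose mere presence is the fingerprint ("any value" above)
AWVS_HEADER_NAMES = ("acunetix-aspect", "acunetix-aspect-queries", "acunetix-aspect-password")

def parse_request(raw):
    """Split raw HTTP request text into (request line, {header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def identify_scanner(raw):
    """Return 'AWVS', 'Nessus', 'AppScan' or None for one raw request."""
    request_line, headers, body = parse_request(raw)
    if any(name in headers for name in AWVS_HEADER_NAMES):
        return "AWVS"
    # URL, header names and values, and body are all searched as one string
    haystack = " ".join([request_line, *(f"{k}: {v}" for k, v in headers.items()), body]).lower()
    for scanner, markers in SCANNER_MARKERS.items():
        if any(marker in haystack for marker in markers):
            return scanner
    return None

def scan_log(requests):
    """Map each request id to the scanner detected (None when no marker hits)."""
    return {rid: identify_scanner(raw) for rid, raw in requests.items()}

# Constructed sample traffic (not real captures)
SAMPLE_REQUESTS = {
    "r1": "GET /acunetix-wvs-test-for-some-inexistent-file HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "r2": "GET /item?id=1 HTTP/1.1\r\nHost: shop.example\r\nReferer: nessus\r\n\r\n",
    "r3": "POST /login HTTP/1.1\r\nHost: shop.example\r\nContent-Type: AppScanHeader\r\n\r\nuser=Appscan",
    "r4": "GET / HTTP/1.1\r\nHost: shop.example\r\nAcunetix-Aspect: enabled\r\n\r\n",
    "r5": "GET /item?id=1 HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
}

if __name__ == "__main__":
    for rid, hit in scan_log(SAMPLE_REQUESTS).items():
        print(rid, hit or "no scanner fingerprint")
```

Short tokens such as "nessus" can also occur in legitimate content, so in production anchor the rule on specific header names and paths and combine it with request-rate signals before blocking.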