Software to test XSS and other website vulnerabilities [closed]

4

One of my sites is going to undergo vulnerability testing; I'm not sure whether the company runs this test manually.

I was wondering whether I can find any software where I specify all the variable names used on my website and it automatically tries to insert code, scripts and other things into my forms and pages to see whether any vulnerability is open.

I don't trust online services, so I would really prefer something on my local machine; this would also let me run the test on the local environment first.

asked by al404IT 07.07.2017 - 12:27
source

2 answers

3

Here are some open-source web application vulnerability scanners that support XSS scanning:

  • X5S:

x5s is a Fiddler addon which aims to assist penetration testers in finding cross-site scripting vulnerabilities. This is not a point and shoot tool, it requires some understanding of how encoding issues lead to XSS, and it requires manual driving.

Documentation: link
Download X5S: link

  • Grabber:

Grabber is a web application scanner. Basically it detects some kinds of vulnerabilities in your website. Grabber is simple, not fast but portable and really adaptable. This software is designed to scan small websites such as personal sites, forums etc., absolutely not big applications: it would take too long and flood your network.

Download it here: link
Source code on GitHub: link

  • Vega:

Vega is a free and open source web security scanner and web security testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.

Documentation: link
Download Vega: link

  • ZAP:

Zed Attack Proxy (ZAP) is one of the world's most popular free security tools and is actively maintained by hundreds of international volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It's also a great tool for experienced pentesters to use for manual security testing.

Documentation: link
Download ZAP: link

  • Wapiti:

Wapiti allows you to audit the security of your web applications.

It performs "black-box" scans, i.e. it does not study the source code of the application but will scan the web pages of the deployed web app, looking for scripts and forms where it can inject data.

Once it gets this list, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable.

Documentation: link
Download Wapiti: link

  • W3af:

w3af is a Web Application Attack and Audit Framework. The project’s goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities.

Documentation: link
Download W3af: link

  • WebScarab:

WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab.

Documentation: link
Download WebScarab: link
XSS plugin: link

Good luck!

answered 07.07.2017 - 16:42
source
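The x5s and Wapiti entries above describe the same core check: submit a harmless marker containing the characters XSS needs (`<`, `>`, `"`, `'`) into every form field and see whether the response echoes it raw or HTML-encoded. This is an added example, not code from the question, the answer or any of the listed tools; it runs offline against two constructed stand-ins for the site under test (one that echoes input raw, one that escapes it), which is the kind of local dry run the asker wanted before the real test.

```python
# Canary-based reflection check, the core of what x5s/Wapiti-style scanners do.
# Added example (not part of the original post); the site is simulated by a
# constructed render(params) -> HTML function so it runs with no network.
import html
from html.parser import HTMLParser

# Constructed marker: no executable code, just the characters that matter for XSS.
CANARY = 'zz<"\'>zz'


class FormFieldParser(HTMLParser):
    """Collects the names of <input>/<textarea>/<select> elements in a page."""
    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag in ("input", "textarea", "select"):
            name = dict(attrs).get("name")
            if name:
                self.fields.append(name)


def form_fields(page_html):
    """Return the field names a scanner would try, in document order."""
    parser = FormFieldParser()
    parser.feed(page_html)
    return parser.fields


def check_reflection(render, field_names):
    """Map each field to 'unencoded' (risky), 'encoded' (safe) or 'absent'."""
    results = {}
    for name in field_names:
        body = render({name: CANARY})
        if CANARY in body:                                  # raw characters came back
            results[name] = "unencoded"
        elif html.escape(CANARY, quote=True) in body:       # &lt; &quot; &#x27; &gt;
            results[name] = "encoded"
        else:
            results[name] = "absent"
    return results


# Constructed stand-ins for the application under test.
FORM_PAGE = ('<form method="get"><input name="q"><input name="user">'
             '<textarea name="msg"></textarea></form>')

def vulnerable_render(params):
    return "<p>You searched for: %s</p>" % params.get("q", "")            # echoes raw

def safe_render(params):
    return "<p>You searched for: %s</p>" % html.escape(params.get("q", ""), quote=True)

if __name__ == "__main__":
    fields = form_fields(FORM_PAGE)
    print(check_reflection(vulnerable_render, fields))   # q flagged as unencoded
    print(check_reflection(safe_render, fields))         # q reported as encoded
```

An "unencoded" result only shows the characters survive into the page; where they land (text, attribute, script) decides whether it is exploitable, which is why x5s says it needs manual driving.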
0

Check out XSSer:

link

It is an automatic framework to detect, exploit and report XSS vulnerabilities in web-based applications.

answered 07.07.2017 - 13:20
source
