开源Web安全测试工具调研

skipfish
https://code.google.com/p/skipfish/

Google公司发布了一款称为“Skipfish”的自动Web安全扫描程序，以降低用户的在线安全威胁。

Google工程师迈克尔?扎勒维斯基（Michal Zalewski）称，尽管Skipfish与Nikto和Nessus等其他开源扫描工具有相

似的功能，但Skipfish还具备一些独特的优点。 Skipfish通过HTTP协议处理且占用较低的CPU资源，因此它的运行

速度比较快。Skipfish每秒钟可以轻松处理2000个请求。

Skipfish采用先进的逻辑安全，这将有助于减小产生误报的可能性。Skipfish的这项技术类似于Google于2008年发

布的另外一款安全工具——ratproxy。

2012年后好像没怎么更新了

下载：
https://code.google.com/p/skipfish/downloads/list

http://www.automationqa.com/forum.php?mod=viewthread&tid=3863&fromuid=2

开发skipfish的两个程序员也说这个工具不属于一个真正符合安全扫描标准的工具

BackTrack中有集成Skipfish：
BackTrack-Vulnerability Assessment-Web Application Assessment-Web Vulnerability Scanners-skipfish

帮助文档：
https://code.google.com/p/skipfish/wiki/SkipfishDoc
http://my.oschina.net/u/995648/blog/114321

字典对扫描的全面性起关键性作用
扫描结果存储到目录，形成html格式的报告，漏洞描述不详细

 

Vega
http://subgraph.com/products.html
https://github.com/subgraph/Vega/wiki

Vega是一个开放源代码的web应用程序安全测试平台，Vega能够帮助你验证SQL注入、跨站脚本（XSS）、敏感信息泄

露和其它一些安全漏洞。 Vega使用Java编写，有GUI，可以在Linux、OS X和windows下运行

BackTrack中有集成Vega
登陆认证的处理：
https://github.com/subgraph/Vega/wiki/Credential-Scanning
https://github.com/subgraph/Vega/wiki/Identities

Kali中集成的版本应该是更新的
http://rumyittips.com/how-to-use-vega-web-vulnerability-scanner-in-kali-linux/

好像没有命令行调用方式？！

 

Grendel-Scan
http://sourceforge.net/projects/grendel/
A tool for automated security scanning of web applications. Many features are also present for manual

penetration testing.

Java写的
GUI界面易用、HTML报告完善
好像缺乏命令行接口

 

w3af
http://w3af.org/
w3af is a Web Application Attack and Audit Framework. The project’s goal is to create a framework to

help you secure your web applications by finding and exploiting all web application vulnerabilities.
Our framework is proudly developed using Python to be easy to use and extend, and licensed under

GPLv2.0.
w3af是一个Web应用程序攻击和检查框架.该项目已超过130个插件,其中包括检查网站爬虫,SQL注入(SQL

Injection),跨站(XSS),本地文件包含(LFI),远程文件包含(RFI)等.该项目的目标是要建立一个框架,以寻找和开发

Web应用安全漏洞,所以很容易使用和扩展.

帮助文档：
http://docs.w3af.org/en/feature-module/

可按需加载插件使用

有GUI和命令行，命令行交互式使用模式貌似不利于自动化调用，但可以做成脚本运行，例如：
https://www.owasp.org/index.php/Automated_Audit_using_W3AF

指定只扫描某个URL目录（跟discovery的设置有关系）

 

uniscan
http://dougpoer.users.sourceforge.net/index.php
Uniscan is a simple Remote File Include, Local File Include and Remote Command Execution

vulnerability scanner.
老外写的一款基于Perl编写的web漏洞扫描器，目前版本为6.2

UNISCAN特点： 
通过爬虫识别网站页面
多线程
可控制线程的最大数量
可控制爬虫爬取的页面
可忽略指定文件扩展名
可设置GET、POST方式
支持SSL
支持代理
支持google搜索的站点列表
支持bing搜索的站点列表
支持扩展插件（动态测试、静态测试、压力测试）
多语言支持
支持GUI界面
目录检查，类似wwwscan,可发现隐藏的目录
检查robots.txt文件

BackTrack中有集成V5.3版本

支持命令行和GUI

基本使用方法：
root@bt:/pentest/web/uniscan# perl ./uniscan.pl -u http://192.168.80.133/dvwa/ -qweds

帮助文档：
http://dougpoer.users.sourceforge.net/documentacao.php

测试结果输出到uniscan.log文件中
Test results are displayed on the screen and written to the file uniscan.log.

在登陆认证处理上好像弱一点，有两种方式：
- Enable basic authentication
To enable basic authentication you need open the configuration file uniscan.conf and change the value

of use_basic_auth from 0 to 1, set the basic_login to your username and set basic_pass to your

password.
- Enable cookie based authentication
To enable cookie based authentication you need open the configuration file uniscan.conf and change

the value of use_cookie_auth from 0 to 1, set the url_cookie_auth to the page login,

method_cookie_login to the method used on form(POST or GET) and setinput_cookie_login here you need

write all input names and their values.
Exmple: input_cookie_login = ""input_name1=value1"input_name2=value2"input_nameN=valueN"

 

 

wapiti
Web application vulnerability scanner / security auditor
http://www.ict-romulus.eu/web/wapiti/home
http://wapiti.sourceforge.net/

Wapiti is a vulnerability scanner for web applications. It currently search vulnerabilities like XSS,

SQL and XPath injections, file inclusions, command execution, XXE injections, CRLF injections... It

use the Python programming language.

Features
Fast and easy to use
Generates vulnerability reports in various formats (HTML, XML, JSON, TXT...)
Can suspend and resume a scan or an attack
Can give you colors in the terminal to highlight vulnerabilities
Different levels of verbosity
Adding a payload can be as easy as adding a line to a text file
Support HTTP and HTTPS proxies
Authentication via several methods : Basic, Digest, Kerberos or NTLM
Ability to restrain the scope of the scan (domain, folder, webpage)
Safeguards against scan endless-loops (max number of values for a parameter)
Can exclude some URLs of the scan and attacks (eg: logout URL)
Extract URLs from Flash SWF files
Try to extract URLs from javascript (very basic JS interpreter)
...

帮助文档：
http://www.ict-romulus.eu/web/wapiti/wiki/-/wiki/Main/Users%20Guide

 

 

websecurify
https://code.google.com/p/websecurify/

Websecurify is a powerful web application security testing platform designed from the ground up to

provide the best combination of automatic and manual vulnerability testing technologies. It is

available for all major desktop platforms including mobile devices and web via our online security

suite.

BackTrack中有集成websecurify：
BackTrack - Exploitation - Web Exploitation Tools - websecurify

不支持form预登陆和auth登陆，操作太过傻瓜
命令行调用好像不是很方便

有针对Firefox的扩展

基于浏览器来操作