Web Application Security Series: WVS Vulnerability Scanning

Source: Internet
Author: User
Tags: password protection

Last time we talked about WVS password protection (Web Application Security Series: install and configure WVS (II)). There is still a lot more to WVS configuration; the first two articles can only serve as examples. If you have any questions, please contact me. Starting from this section, we discuss WVS vulnerability scanning, which brings us to the practical stage.

Add a vulnerability item

A vulnerability item is an additional parameter used by a vulnerability check. Each vulnerability item is stored under the vulnerability it belongs to. You can create one as follows:

1. In the Vulnerability Editor, right-click the vulnerability that needs the new parameter and select "Add Vulnerability item".


2. In Item Properties, define the item's Name and its Value (in this example, the file name) for this parameter.

3. Click Save in the upper toolbar of the Vulnerability Editor window. The new vulnerability item is saved and can be used as a test variable from now on.

Example: Create a test that can search for a specific file

This section describes how to create a new vulnerability check. In this example, the check searches for a file named "passwords.txt".

Step 1: Create a Vulnerability


Create a new vulnerability. We call it "Look for Passwords.txt file".

1. Start the Vulnerability Editor from Acunetix WVS.

2. Because we want to search for a file in the site directories, we use the Directory Checks module. Right-click the "Directory Checks" node and select "Add vulnerability".

3. In the New Vulnerability dialog, set the following details:


· Name: "Look for a Passwords.txt file"

· Description: This test scans the target site and looks for a file called passwords.txt.

· VulnXML: keep the default file name

· VulnXML support: Based on the default VulnXML

Click "Add" to create the new vulnerability. It is now listed under "Directory Checks".

Step 2: Add a vulnerability item

We have created the test. Now we need to define its parameters, which is done by creating a vulnerability item.

In this example, the vulnerability item holds the name of the file to be searched for (passwords.txt).

1. Right-click the "Look for Passwords.txt" vulnerability and select "Add vulnerability item".

2. In the Item Properties section, set the following:


· Name: Password.txt

· Value: /Passwords.txt

The WVS scanner will then look for a file named passwords.txt in every directory it has discovered. For example, assume the crawler finds two directories after scanning the target site, "/secured" and "/". Based on the value of the ${path} variable and the vulnerability item, the check looks for "/passwords.txt" and "/secured/passwords.txt".

3. Click Save to save the vulnerability parameters.

Step 3: Configure test attributes

Now we configure the attributes of the "Look for Passwords.txt" vulnerability.

1. Click the "Look for Passwords.txt" vulnerability.

2. In the parameters section, keep the default values of Affects and BindAlertToFile, namely "set_by_module" and "1".

3. In the VulnXML section, set the following fields of the test description:

· Name: Look for Passwords.txt

· Affects: File

· Severity: High

· Alert: Success (i.e. an alert is generated if the file is found)

· Description: Search for passwords.txt file

· Impact: Contains sensitive information

· Recommendation: Delete the file

4. Optionally, on the "References" tab, set the Web vulnerability references:

· Database: Link Title

· URL: Full URL to the reference

5. On the "Applicable" tab, keep the default value, because a file check is independent of the Web server, operating system, or technology used.

6. On the "Variables" tab, set the variables used by the test. The Directory Check module uses three variables, named File, Test, and Path.

· The File variable is set automatically for each directory discovered by the scanner.

· The Test variable is retrieved from the vulnerability item created earlier. In our example, the Test variable contains "/Passwords.txt", the value set when the vulnerability item (the password file to be searched for) was added.

· The Path variable is set by combining the ${file} and ${test} values.

Because the vulnerability item we created already supplies the Test variable, nothing needs to be changed here.

7. On the "Connection" tab, set the HTTP request and the success/failure criteria for the test. In this example, no specific HTTP request is needed, so you can keep the default values of the "Connection" tab.

Step 4: Save the test and restart WVS

8. Click Save to save the vulnerability check, then close the Vulnerability Editor and WVS.


9. Start WVS again and open "Scanning Profiles" under "Configuration" to verify that the new vulnerability has been added to the scanning profile.

10. To make the new test available in the next scan, select the check box to the left of the new test.

11. If the test finds the file, it is displayed under the Alerts node during the next scan.

With that, the custom vulnerability check is complete.
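As an added example (not the article's own material and not Acunetix code), the Python below models the Directory Check logic described in Step 2 and on the Variables tab of Step 3: File is each directory the crawler found, Test is the Value of the vulnerability item, Path is ${file}${test}, and an alert carrying the VulnXML fields from Step 3 is raised when "Alert: Success" and the file exists. The crawled directories, the site contents and the class and function names are constructed for this illustration; the check runs against an in-memory set of paths instead of real HTTP responses, so it can be used to reason about what a scanning profile will flag before a scan is run.

```python
"""Offline model of the WVS Directory Check variables File, Test and Path.

Added example, not Acunetix code. A constructed in-memory "site" stands in for
the HTTP responses a real scan would observe.
"""
from dataclasses import dataclass

# Constructed sample crawl result and site contents (not a real target).
CRAWLED_DIRECTORIES = ["/", "/secured", "/images/"]
SITE_CONTENTS = {
    "/index.html",
    "/secured/login.html",
    "/secured/passwords.txt",  # the sensitive file the check should flag
    "/images/logo.png",
}


@dataclass
class VulnItem:
    """Mirrors Item Properties in the Vulnerability Editor: Name and Value."""
    name: str
    value: str  # becomes the Test variable, e.g. "/passwords.txt"


@dataclass
class Alert:
    """Mirrors the VulnXML description fields configured in Step 3."""
    name: str
    affects: str
    severity: str
    path: str
    impact: str
    recommendation: str


def join_path(file_dir: str, test: str) -> str:
    """Path = ${file}${test}, normalised so "/" + "/passwords.txt" is not "//passwords.txt"."""
    return file_dir.rstrip("/") + "/" + test.lstrip("/")


def candidate_paths(directories, item: VulnItem):
    """One Path per crawled directory (the File variable), in crawl order."""
    return [join_path(d, item.value) for d in directories]


def run_directory_check(directories, item: VulnItem, site, alert_on="Success"):
    """Evaluate the check against `site`, a set of paths that exist.

    alert_on="Success" raises an alert when the file IS found (the article's
    setting); alert_on="Failure" raises one when it is NOT found.
    """
    alerts = []
    for path in candidate_paths(directories, item):
        # Exact match: a case-sensitive server treats Passwords.txt and
        # passwords.txt as different files, so the item's Value must match
        # the real file name.
        found = path in site
        if (alert_on == "Success") == found:
            alerts.append(Alert(
                name="Look for Passwords.txt",
                affects="File",
                severity="High",
                path=path,
                impact="Contains sensitive information",
                recommendation="Delete the file",
            ))
    return alerts


if __name__ == "__main__":
    item = VulnItem(name="Password.txt", value="/passwords.txt")
    print("Paths the check will request:", candidate_paths(CRAWLED_DIRECTORIES, item))
    for alert in run_directory_check(CRAWLED_DIRECTORIES, item, SITE_CONTENTS):
        print(f"[{alert.severity}] {alert.name}: {alert.path} -> {alert.recommendation}")
```

Running it prints the three paths derived from the three crawled directories and a single High alert for "/secured/passwords.txt", which is exactly what the article's example expects to appear under the Alerts node; swapping the item's Value or the crawl result shows how the Path list changes without touching the check definition.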
