A Web Application Scanner Tool Functional Specification is available.
Web Applications Issues
- Scripting issues
- Sources of input: forms, text boxes, dialog windows, etc.
- Multiple Charset Encodings (UTF-8, ISO-8859-15, UTF-7, etc.)
- Regular expression checks
- Header integrity (e.g. Multiple HTTP Content Length, HTTP Response Splitting)
- Session handling/fixation
- Framework vulnerabilities(Java Server Pages, .NET, Ruby On Rails, Django, etc.)
- Success control: front door, back door vulnerability assessment
- Penetration attempts versus failures
- Unvalidated input:
- Tainted parameters - Parameters users in URLs, HTTP headers, and forms are often used to control and validate access to sentitive information.
- Tainted data
- Cross-Site Scripting flaws:
- XSS takes advantage of a vulnerable web site to attack clients who visit that web site. The most frequent goal is to steal the credentials of users who visit the site.
- Content Injection flaws:
- Data injection
- SQL injection - SQL injection allows commands to be executed directly against the database, allowing disclosure and modification of data in the database
- XPath injection - XPath injection allows attacker to manipulate the data in the XML database
- Command injection - OS and platform commands can often be used to give attackers access to data and escalate privileges on backend servers.
- Process injection
- Cross-site Request Forgeries
- Denial of Service
- Broken access control
- Path manipulation
- Broken session management (synchronization timing problems)
- Weak cryptographic functions, Non salt hash
- Information leakage
- Insufficient authentification
- Password change form disclosing detailed errors
- Session-idle deconstruction not consistent with policies
- Spend deposit before deposit funds are validated
- Debug mode
- Thread Safety
- Hidden Form Field Manipulation
- Weak Session Cookies: Cookies are often used to transit sensitive credentials, and are often easily modified to escalate access or assume another user's identify.
- Fail Open Authentication
- Dangers of HTML Comments
- The Web Application Security Consortium (WASC) has a list of web application security scanners.
- The Open Web Application Security Project (OWASP) Phoenix has a list of various web application testing tools.
- Shay Chen's article has a list of test cases for web application scanners.