
Scan Website For Vulnerabilities In Kali Linux Using Grabber

Grabber is a web application scanner. Basically it detects some kinds of vulnerabilities in your website. Grabber is simple, not fast but portable and really adaptable. This software is designed to scan small websites such as personal pages, forums etc., and absolutely not big applications: it would take too long and flood your network.


Why this kind of application?


This is a very small application (currently 2.5kLOC in Python) and the first reason for this scanner is to have a “minimum bar” scanner for the Samate Tool Evaluation Program at NIST.


Grabber is also for me a nice way to do some automatic verification on websites/scripts I do. Users should know some things about web vulnerabilities before using this software, because it only tells you what vulnerability it is… not how to solve it.


Current features


Because it’s a small tool, the set of vulnerabilities is small…



  1. Cross-Site Scripting

  2. SQL Injection (there is also a particular Blind SQL Injection module)

  3. File Inclusion

  4. Backup files check

  5. Simple AJAX check (parse every JavaScript file, get the URL and try to get the parameters)

  6. Hybrid analysis/Crystal ball testing for PHP applications using PHP-SAT

  7. JavaScript source code analyzer: evaluation of the quality/correctness of the JavaScript with JavaScript Lint

  8. Generation of a file [session_id, time(t)] for later stats analysis.
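Feature 8 produces a file of [session_id, time(t)] records for later statistical analysis. The following is an added example (my own code, not Grabber's and not from the page) of one such analysis run over constructed records: it measures the per-position Shannon entropy of the identifiers and checks whether the IDs increase monotonically with issue time, which would point at a sequential, predictable generator. It assumes hexadecimal session IDs; the record sets and timestamps are constructed here.

```python
import math
from collections import Counter

# Constructed sample data (not Grabber output): [session_id, time(t)] records.
# WEAK_RECORDS imitate a counter-based generator with a fixed prefix;
# STRONG_RECORDS imitate a random generator.
WEAK_RECORDS = [
    ("a3f19c2d0001", 1700000000.0),
    ("a3f19c2d0002", 1700000003.0),
    ("a3f19c2d0003", 1700000007.0),
    ("a3f19c2d0004", 1700000011.0),
    ("a3f19c2d0005", 1700000015.0),
    ("a3f19c2d0006", 1700000018.0),
]
STRONG_RECORDS = [
    ("7c2e91af04b3", 1700000000.0),
    ("e01d6b37c9a2", 1700000003.0),
    ("19f8a4d2e07c", 1700000007.0),
    ("b65c03e8f1d9", 1700000011.0),
    ("48da7f19b2e6", 1700000015.0),
    ("d3b0e56a71f4", 1700000018.0),
]


def position_entropy(ids):
    """Shannon entropy (bits) of the character seen at each position across all IDs.

    A position with entropy 0 never changes, so it contributes nothing to
    unpredictability; positions are compared up to the shortest ID.
    """
    width = min(len(s) for s in ids)
    n = len(ids)
    entropies = []
    for i in range(width):
        counts = Counter(s[i] for s in ids)
        entropies.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return entropies


def monotonic_with_time(records):
    """True if the IDs, read as hex integers, strictly increase with issue time."""
    ordered = [sid for sid, _ in sorted(records, key=lambda r: r[1])]
    values = [int(sid, 16) for sid in ordered]
    return all(a < b for a, b in zip(values, values[1:]))


def evaluate(records):
    """Summarise a [session_id, time] record set as a few predictability indicators."""
    ids = [sid for sid, _ in records]
    entropies = position_entropy(ids)
    return {
        "fixed_positions": sum(1 for e in entropies if e == 0.0),
        "mean_entropy_bits": sum(entropies) / len(entropies),
        "sequential_with_time": monotonic_with_time(records),
    }


if __name__ == "__main__":
    for name, recs in (("weak", WEAK_RECORDS), ("strong", STRONG_RECORDS)):
        print(name, evaluate(recs))
```

With only six samples the entropy figures are a coarse indicator; the sequential check is the more telling signal on a small capture, and a real analysis would collect far more records before drawing conclusions.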


Does it scan the JavaScript?


Yes! It can handle JavaScript files, parse them to retrieve the server-side script names and try to get some parameter names…
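The kind of parsing this answer (and feature 5 above) describes, as an added example that is my own code and not Grabber's: it pulls server-side script paths out of JavaScript string literals, collects the query-string parameter names attached to them, attributes loose concatenated fragments such as "&format=json" to the most recently seen script, and reads the keys of a jQuery-style `$.post(url, {...})` data object. The JavaScript sample, the base URL `http://target.invalid/` and the list of script extensions are all constructed assumptions.

```python
import re
from urllib.parse import urljoin, parse_qs

# Constructed sample input (not from the page): JavaScript of the kind a
# scanner would download from a small PHP site.
SAMPLE_JS = r"""
var api = "/ajax/search.php?q=&page=1";
function load(id) {
    xhr.open("GET", "/ajax/item.php?id=" + id + "&format=json", true);
    $.post('/ajax/comment.php', {uid: 42, text: msg});
    fetch("https://cdn.example.invalid/lib.js");
}
"""

# A quoted path ending in a server-side script extension (assumed list),
# optionally followed by a query string.
SCRIPT_RE = re.compile(
    r"""(["'])((?:/|\./|https?://)[^"'\s]*?\.(?:php|aspx?|jsp|cgi|pl)\b(?:\?[^"']*)?)\1""",
    re.IGNORECASE,
)
# A loose fragment such as "&format=json" that is concatenated onto a URL.
FRAGMENT_RE = re.compile(r"""["'][?&]([A-Za-z_]\w*)=[^"']*["']""")
# jQuery-style call: $.post('/x.php', {uid: 42, text: msg})
JQUERY_RE = re.compile(
    r"""\.(?:post|get|ajax)\(\s*["']([^"']+)["']\s*,\s*\{([^}]*)\}""", re.IGNORECASE
)
# Keys of a simple object literal: uid: 42, "text": msg
KEY_RE = re.compile(r"""(?:^|,)\s*["']?([A-Za-z_]\w*)["']?\s*:""")


def extract_endpoints(js_source, base_url):
    """Map each server-side script URL found in the JS to its parameter names."""
    endpoints = {}   # absolute URL -> set of parameter names
    positions = []   # (offset, URL), so loose fragments can be attributed

    for m in SCRIPT_RE.finditer(js_source):
        path, _, query = m.group(2).partition("?")
        url = urljoin(base_url, path)
        params = endpoints.setdefault(url, set())
        params.update(parse_qs(query, keep_blank_values=True))
        positions.append((m.start(), url))

    # "&name=value" pieces belong to the script literal that precedes them.
    for m in FRAGMENT_RE.finditer(js_source):
        owners = [u for off, u in positions if off < m.start()]
        if owners:
            endpoints[owners[-1]].add(m.group(1))

    # POST bodies passed as object literals to $.post/$.get/$.ajax.
    for m in JQUERY_RE.finditer(js_source):
        url = urljoin(base_url, m.group(1))
        endpoints.setdefault(url, set()).update(KEY_RE.findall(m.group(2)))

    return {url: sorted(names) for url, names in endpoints.items()}


if __name__ == "__main__":
    for url, names in extract_endpoints(SAMPLE_JS, "http://target.invalid/").items():
        print(url, names)
```

Static extraction of this sort only sees literals and simple concatenations; paths assembled at runtime or obfuscated are missed, which is why the author lists plugging in a real JavaScript engine as future work.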


What’s nice with Grabber?


Because all patterns are in a “quite standard” XML file, you can add or test whatever you want. You can also focus on one kind of vulnerability and run a massive test, or run all the tests on a single page…


What are you using?


This application is based on:



  1. Research from famous websites/guys:


  2. Python:



Grabber aims to be simple. It’s a small tool and does not provide any GUI or PDF report! There are XML reports (you can easily write an XSLT to render the XML for your manager).


What needs to be done on Grabber?


There are a couple of things I want to fix/do:



  1. Cookies/HTTP Auth/Login Page authentication systems

  2. Multi-site support (which is not too difficult to do due to the XML structure)

  3. Fix the parsers

  4. Make a real/better detection system

  5. Plug in a JavaScript engine for real XSS detection

  6. Make a real output

  7. Provide solutions for the given vulnerabilities? (not quite sure about this)

  8. Definitely, playing with the different encoding types.


How do I use Grabber?


Grabber comes pre-installed with Kali Linux.


Grabber help menu



root@kali: # grabber -h
Usage: grabber [options]

Options:
-h, --help demonstrate this assistance message in addition to exit
-u ARCHIVES_URL, --url=ARCHIVES_URL
Adress to investigate
-s, --sql Look for the SQL Injection
-x, --xss Perform XSS attacks
-b, --bsql Look for blind SQL Injection
-z, --backup Look for backup files
-d SPIDER, --spider=SPIDER
Look for every files
-i, --include Perform File Insertion attacks
-j, --javascript Test the javascript code ?
-c, --crystal Simple crystal ball test.
-e, --session Session evaluations



Grabber usage


Spider the web application to a depth of 1 (--spider 1) and attempt SQL injection (--sql) and XSS (--xss) tests at the given URL (--url http://kali-test-random-gen.com):

Grabber output



root@kali: # grabber --spider 1 --sql -xss --url http://kali-test-random-gen.com/
Start scanning... http://kali-test-random-gen.com/
runSpiderScan @ http://kali-test-random-gen.com/ | # 1
runSpiderScan @ http://kali-test-random-gen.com/ | # 0
runSpiderScan @ http://kali-test-random-gen.com/category/genel/ | # 0
runSpiderScan @ http://kali-test-random-gen.com/category/android/ | # 0
runSpiderScan @ http://kali-test-random-gen.com/category/ios/ | # 0
Start investigation...
Method = GET http://kali-test-random-gen.com
[Cookie] 0 :
[Cookie] 1 :
Method = GET http://kali-test-random-gen.com
[Cookie] 0 :
[Cookie] 1 :





Source: Grabber Homepage

