    Web Vulnerability Scanner Tools

    CSE- 250263.pdf (1.365Mb)
    Date
    2025-01-12
    Author
    Md., Shawon Ali
    Abstract
    Web applications face a growing number of attacks, so automated vulnerability assessment has become a necessary part of a company's overall security program. This paper describes the creation of a modular web vulnerability scanner that detects several forms of vulnerability in web-based (or web-hosted) applications. The scanner combines passive and active assessment techniques: passive reconnaissance (passive data collection), consisting of subdomain enumeration from publicly available sources and URL parameter collection; and active assessment, consisting of directory brute-force testing to find web directories and path traversal testing with a targeted payload. The scanner also identifies security-related misconfigurations involving Secure cookie settings, clickjacking, and sensitive information exposed via robots.txt and sitemap.xml. It further provides an automated credential testing module using Selenium (a widely used open-source web automation tool) that automates the detection of weak or default usernames and passwords. The core scanning engine is written in Python, and Selenium libraries automate a web browser to test credentials. The scanner produces structured reports of all vulnerabilities, organized by severity (High, Medium, Low), to facilitate remediation decisions. Dedicated testing environments were set up to test the scanner's ability to detect both configuration errors and coding errors, providing a concrete means of improving the security of web applications. The project also provides an opportunity to gain hands-on experience with conducting penetration tests for this type of security issue.
Keywords: Web Vulnerability Scanner, Path Traversal, Credential Testing, Cybersecurity, Automated Reconnaissance
    URI
    http://suspace.su.edu.bd/handle/123456789/2609
    Collections
    • 2021 - 2025 [184]

    Copyright © 2022-2025 Library Home | Sonargaon University
    Contact Us | Send Feedback