Comparative Study of Web Application Penetration Testing Tools

Uploaded by

Swaroop Gowda
COMPARATIVE STUDY OF WEB APPLICATION PENETRATION TESTING TOOLS

Monika Pangaria, M.Tech. (I.T.) Student, I.T.M. College
Vivek Shrivastava, Asst. Prof. (I.T.), I.T.M. College
Archita Bhatnagar, M.Tech. (I.T.) Student, I.T.M. College

Abstract- Web application security is possibly today's most overlooked aspect of securing the enterprise and must be a priority in any organization. Malicious users are concentrating their efforts on web-based applications: shopping carts, forms, login pages, dynamic content, etc. Web applications are accessible 24 hours a day, 7 days a week and maintain valuable data, since they often have direct access to backend data such as customer databases.

Web application penetration testing includes injecting SQL into the back end of companies' applications, along with using XSS, i.e. cross-site scripting, to dominate the target, and a lot more.

To achieve the goal of web application pentesting, many tools are available in the market with different levels of efficacy, providing quick and easy results.

The main objective of this paper is to test the widely used penetration testing tools 'Acunetix' and 'w3af' against certain vulnerabilities and compare them with respect to their features, ease of use, performance and resource consumption, and processing speed. In short, both are optimum tools, but the reporting capability of Acunetix is much more advanced than that of w3af, while w3af, on the contrary, is popular for its auditing capabilities.

Keywords- Web Application Penetration Testing, Vulnerability

I. INTRODUCTION

Penetration testing is a process that imitates the methods used by malicious people to compromise an organization's security. Maintaining a website is a very tedious task. From the security point of view, we usually patch the web server and check logs for crucial issues. There are plenty of automated tools that scan for vulnerable web servers to circumvent.

So the question is: can we blindly trust that an attacker will not be able to attack our web server? This is where the tools Acunetix and w3af come in. They actually try to expose all the vulnerabilities in our application by using familiar attack methods.

The tools we have used in this context are Acunetix and w3af.

II. TYPES OF VULNERABILITIES

In order to use these tools to find loopholes, we must first have prior knowledge of the various vulnerabilities. They are:

1. SQL Injection –
This takes place when unvalidated user input is used to construct an SQL query that is then run by the web server. For example, a query like
"SELECT * FROM users WHERE username='x' OR '1'='1' AND password='x' OR '1'='1'"
always returns true, as 1 will always be equal to 1.

2. XPATH Injection -
It is similar to SQL injection, with the difference that it takes place in an XML file, as XPath is a query language for XML data.

3. XSS –
It stands for cross-site scripting. It happens when a malicious user can input HTML code (i.e. JavaScript) that will then be executed for the visitors of the website. For example, consider a guest book that shows the text that is entered in the guest book on the website. If an attacker enters the string <script>alert('Hello');</script>, a pop-up with the text "Hello" would be shown on that page of the guest book. This type of vulnerability can also be exploited in a more serious way.

4. CSRF –
It means cross-site request forgery. It compels a user's browser to load a request that performs an action on a web application that the user is currently authenticated to.

5. Local File Inclusion -
Local file inclusion, also known as path traversal or directory traversal, means that a file on the same server as the one where the web application is running is included on the page. A common example would be a web application with the URL http://www.demo.com/index.php?_file=filnamee.txt; by manipulating the file parameter, the attacker might be able to load a file that he is not intended to see.

6. Remote File Inclusion –
It is similar to local file inclusion, with the difference that the file that is included comes from a different server than the one the web application is running on.

7. Buffer Overflow
In short, a buffer overflow occurs when an application tries to store more data in a buffer than the buffer can hold.
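
The query quoted under item 1 (SQL Injection) can be reproduced against a throwaway database. The following Python sketch is an added example, not part of the paper: the users table, its rows and the function names are constructed for illustration. It shows the concatenated query matching every row while the parameterized form matches none.

```python
import sqlite3

def make_db():
    """Build an in-memory users table (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db

def login_concatenated(db, username, password):
    """Vulnerable form: user input is pasted into the SQL text itself."""
    query = ("SELECT * FROM users WHERE username='" + username +
             "' AND password='" + password + "'")
    return query, db.execute(query).fetchall()

def login_parameterized(db, username, password):
    """Hardened form: input is bound as data and never parsed as SQL."""
    query = "SELECT * FROM users WHERE username=? AND password=?"
    return db.execute(query, (username, password)).fetchall()

# Form input that produces exactly the query quoted in item 1.
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    query, rows = login_concatenated(db, PAYLOAD, PAYLOAD)
    print(query)
    # AND binds tighter than OR, so the trailing OR '1'='1' makes the
    # WHERE clause true for every row in the table.
    print("concatenated :", rows)
    print("parameterized:", login_parameterized(db, PAYLOAD, PAYLOAD))
```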
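
For items 5 and 6 (local and remote file inclusion), a server-side check on the file parameter can refuse both cases before anything is included. This is an added example, not code from the paper or from either tool; the resolve_include helper, the directory layout and every file name other than filnamee.txt are assumptions made for the demonstration.

```python
import os
import tempfile
from urllib.parse import urlparse

def resolve_include(base_dir, requested):
    """Return the real path of `requested` inside base_dir, or None when the
    value is a URL (remote inclusion) or resolves outside base_dir (local)."""
    if "\x00" in requested or requested.startswith("//"):
        return None
    if urlparse(requested).scheme:
        return None                  # http://, ftp://, file:// ... are refused
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks before the comparison.
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        return None                  # resolved outside the include directory
    return target if os.path.isfile(target) else None

def demo():
    """Check constructed sample values of the file parameter.
    Returns {label: accepted?}."""
    with tempfile.TemporaryDirectory() as root:
        pages = os.path.join(root, "pages")
        os.mkdir(pages)
        for path, text in ((os.path.join(pages, "filnamee.txt"), "guest page"),
                           (os.path.join(root, "secret.cfg"), "not for visitors")):
            with open(path, "w") as fh:
                fh.write(text)
        # A link inside the include directory that points outside it.
        os.symlink(os.path.join(root, "secret.cfg"),
                   os.path.join(pages, "link.txt"))
        samples = {
            "plain name": "filnamee.txt",
            "parent traversal": "../secret.cfg",
            "absolute path": os.path.join(root, "secret.cfg"),
            "symlink out": "link.txt",
            "remote url": "http://other.example/inc.txt",
            "missing file": "missing.txt",
        }
        return {label: resolve_include(pages, value) is not None
                for label, value in samples.items()}

if __name__ == "__main__":
    for label, accepted in demo().items():
        print(f"{label:18} {'accepted' if accepted else 'refused'}")
```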

8. LDAP Injection
It is an attack where the attacker inputs LDAP statements that are executed by the server. There are two types of LDAP injection: "normal" LDAP injection and blind LDAP injection. Just as with SQL injection and XPath injection, the difference between these two types is that with blind LDAP injection no error messages are shown.

9. Session Management
Session management vulnerabilities can mean several things: session prediction, session fixation or session hijacking.

III. TOOLS

W3af –
w3af is short for the Web Application Attack and Audit Framework. It is an open-source program written in Python. It uses various plugins to execute attacks on web applications. A description of the vulnerabilities these plugins are able to expose can be found on the tool's website. It makes use of a menu-driven, text-based structure and also has a GUI. Results are then output to the console or to an XML, text or HTML file.

Acunetix –
In July 2005, Acunetix came into the limelight with a powerful tool called the Web Vulnerability Scanner. The automated tool helps companies scan their web applications for vulnerabilities. Acunetix Web Vulnerability Scanner crawls the website for vulnerabilities to SQL injection, cross-site scripting and other web attacks before hackers do.

III. COMPARATIVE RESULT

The results are gathered against a test bed to find out how many vulnerabilities are detected by these two tools. The table below shows the results for the vulnerabilities they claimed to detect.

Vulnerability            Acunetix   w3af
SQL Injection            Y          Y
XPath                    Y          Y
XSS                      Y          Y
CSRF                     Y          Y
Local File Inclusion     Y          Y
Remote File Inclusion    Y          Y
Buffer Overflow          Y          Y
LDAP                     Y          Y
Session Management       Y          N

Table 1. Summary of common vulnerabilities Acunetix and w3af can detect

Reporting –
Report generated by w3af and Acunetix.

Fig 1. W3af Report

Fig 2. Acunetix Report

The report generated by Acunetix is better than that of w3af, as Acunetix provides:
- An automatic client script analyzer allowing for security testing of Ajax and Web 2.0 applications
- Industry's most advanced and in-depth SQL injection and cross-site scripting testing
- Advanced penetration testing tools, such as the HTTP Editor and the HTTP Fuzzer
- Visual macro recorder that makes testing web forms and password-protected areas easy
- Support for pages with CAPTCHA, single sign-on and two-factor authentication mechanisms
- Extensive reporting facilities, including VISA PCI compliance reports
- Multi-threaded and lightning-fast scanner that crawls hundreds of thousands of pages with ease
- Intelligent crawler that detects web server type and application language
- Acunetix crawls and analyzes websites, including Flash content, SOAP and AJAX
- Port scans a web server and runs security checks against network services running on the server

IV. FUTURE SCOPE AND CONCLUSION

Future Scope:
An obvious idea would be testing other tools against certain other test beds: a task to find out the most efficient web penetration testing tool, one which is better in all areas such as scanning, session management, auditing, discovery and reporting.

Conclusion:
To conclude, w3af is able to detect the maximum number of common vulnerabilities, but session management vulnerability detection is still missing. The Acunetix report is the best of all pentest tools.