Vulnerability scanning of a web application boils down to each scanner sending its own set of payloads and observing the responses. Every scanner carries a different payload set, so their results can differ. For that reason, run several scanners together and combine their output to get a more accurate final picture.
Commonly used web vulnerability scanners: 1. OWASP ZAP; 2. AWVS; 3. AppScan; 4. Nikto; 5. Burp Suite
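To make the point above concrete (different payload sets give different results, so combine several scanners), here is an added example that is not part of the original article. It normalizes findings from several scanners onto one key (category, host, path, parameter names), unions them, and marks anything reported by at least two scanners as confirmed. The finding layout, the alias table and the sample findings against the placeholder host target.example are all constructed for this example and are not any scanner's export format.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Scanners name the same issue differently; map their labels onto one shared
# vocabulary. This table is constructed for the example; extend it from the
# labels your own scanner reports actually use.
ALIASES = {
    "sql injection": "sqli", "blind sql injection": "sqli",
    "cross site scripting": "xss", "reflected xss": "xss",
    "directory listing": "dirlist", "directory indexing": "dirlist",
}

# Constructed sample findings from three scanners against one test host.
# The field names (scanner, name, url) are this example's own.
FINDINGS = [
    {"scanner": "zap",      "name": "SQL Injection",       "url": "http://target.example/search.php?q=abc"},
    {"scanner": "skipfish", "name": "Blind SQL injection", "url": "http://target.example/search.php?q=xyz"},
    {"scanner": "nikto",    "name": "Directory indexing",  "url": "http://target.example/backup/"},
    {"scanner": "zap",      "name": "Reflected XSS",       "url": "http://target.example/search.php?q=zzz"},
    {"scanner": "skipfish", "name": "Directory listing",   "url": "http://target.example/backup"},
]


def normalize(finding):
    """Reduce a finding to (category, host, path, parameter names).

    Payload values are dropped on purpose: two scanners probing the same
    parameter with different payloads should collide on the same key."""
    label = finding["name"].strip().lower()
    category = ALIASES.get(label, label)
    parts = urlsplit(finding["url"])
    params = tuple(sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}))
    path = parts.path.rstrip("/") or "/"
    return (category, parts.netloc.lower(), path, params)


def merge(findings, min_agreement=2):
    """Union all findings; flag those reported by >= min_agreement scanners as confirmed."""
    scanners_by_key = defaultdict(set)
    for f in findings:
        scanners_by_key[normalize(f)].add(f["scanner"])
    merged = []
    for (category, host, path, params), scanners in scanners_by_key.items():
        merged.append({
            "category": category, "host": host, "path": path, "params": params,
            "scanners": sorted(scanners),
            "confirmed": len(scanners) >= min_agreement,
        })
    # Most-agreed findings first, so review time goes to the likeliest true positives.
    merged.sort(key=lambda m: (-len(m["scanners"]), m["category"], m["path"]))
    return merged


if __name__ == "__main__":
    for m in merge(FINDINGS):
        mark = "CONFIRMED" if m["confirmed"] else "single-scanner"
        print(f"{mark:15} {m['category']:8} {m['host']}{m['path']} params={m['params']} by {m['scanners']}")
```

The union keeps coverage (a finding only one scanner produced is still listed), while the agreement count orders the review queue; single-scanner findings are the ones that most need manual verification.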
OWASP ZAP vulnerability scanner
OWASP ZAP is a web application vulnerability scanner developed by the OWASP project. It is free and open source and is continuously updated and maintained. Its main features are: local proxy, active scanning, passive scanning, fuzzing, and brute forcing.
This article covers it in detail: OWASP ZAP download, installation and usage (detailed) tutorial
Skipfish vulnerability scanner
Skipfish is an automated web security scanning tool from Google. It runs on Linux, FreeBSD, Mac OS X and Windows (Cygwin). Skipfish handles HTTP itself with low CPU usage, so it runs fast and can easily process 2000 requests per second.
Drawbacks: it has no proxy function, and a full run still takes quite a while.
```
root@kali:~# skipfish -o test -I mutillidae http://10.0.2.5/mutillidae
skipfish web application scanner - version 2.10b
[!] WARNING: Wordlist '/dev/null' contained no valid entries.
Welcome to skipfish. Here are some useful tips:
1) To abort the scan at any time, press Ctrl-C. A partial report will be written
to the specified location. To view a list of currently scanned URLs, you can
press space at any time during the scan.
2) Watch the number requests per second shown on the main screen. If this figure
drops below 100-200, the scan will likely take a very long time.
3) The scanner does not auto-limit the scope of the scan; on complex sites, you
may need to specify locations to exclude, or limit brute-force steps.
4) There are several new releases of the scanner every month. If you run into
trouble, check for a newer version first, let the author know next.
More info: http://code.google.com/p/skipfish/wiki/KnownIssues
Press any key to continue (or wait 60 seconds)...
skipfish version 2.10b by lcamtuf@google.com
- 10.0.2.5 -
Scan statistics:
Scan time : 2:05:04.272
HTTP requests : 741204 (99.0/s), 3855563 kB in, 353001 kB out (560.8 kB/s)
Compression : 0 kB in, 0 kB out (0.0% gain)
HTTP faults : 153 net errors, 0 proto errors, 0 retried, 0 drops
TCP handshakes : 7652 total (98.2 req/conn)
TCP faults : 0 failures, 153 timeouts, 4 purged
External links : 1490405 skipped
Reqs pending : 10531
Database statistics:
Pivots : 2435 total, 1751 done (71.91%)
In progress : 68 pending, 7 init, 486 attacks, 123 dict
Missing nodes : 511 spotted
Node types : 1 serv, 246 dir, 335 file, 639 pinfo, 451 unkn, 755 par, 8 val
Issues found : 2148 info, 23 warn, 1029 low, 510 medium, 2 high impact
Dict size : 1526 words (1526 new), 23 extensions, 256 candidates
Signatures : 77 total
[!] Scan aborted by user, bailing out!
[+] Copying static resources...
[+] Sorting and annotating crawl nodes: 2435
[+] Looking for duplicate entries: 2435
[+] Counting unique nodes: 1363
[+] Saving pivot data for third-party tools...
[+] Writing scan description...
[+] Writing crawl tree: 2435
[+] Generating summary views...
[+] Report saved to 'test/index.html' [0x165f661f].
[+] This was a great day for science!
```
Finally, open index.html in the specified output directory to view the report.
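The run above was aborted after two hours at 99 req/s, right at the threshold skipfish's own tip 2 warns about. The following is an added example, not part of the original article or of skipfish: a small parser for the status block skipfish prints (the same fields shown above, embedded here as constructed sample input) that pulls out throughput, crawl progress, error counts and issue counts, and flags a scan that is running too slowly to finish in reasonable time.

```python
import re

# Constructed sample input: the status block skipfish prints while scanning,
# copied from the run above so the parser can be exercised offline.
SAMPLE_STATUS = """\
Scan statistics:
Scan time : 2:05:04.272
HTTP requests : 741204 (99.0/s), 3855563 kB in, 353001 kB out (560.8 kB/s)
Compression : 0 kB in, 0 kB out (0.0% gain)
HTTP faults : 153 net errors, 0 proto errors, 0 retried, 0 drops
TCP handshakes : 7652 total (98.2 req/conn)
TCP faults : 0 failures, 153 timeouts, 4 purged
External links : 1490405 skipped
Reqs pending : 10531
Database statistics:
Pivots : 2435 total, 1751 done (71.91%)
In progress : 68 pending, 7 init, 486 attacks, 123 dict
Missing nodes : 511 spotted
Node types : 1 serv, 246 dir, 335 file, 639 pinfo, 451 unkn, 755 par, 8 val
Issues found : 2148 info, 23 warn, 1029 low, 510 medium, 2 high impact
Dict size : 1526 words (1526 new), 23 extensions, 256 candidates
Signatures : 77 total
"""

# skipfish's own startup tip: below 100-200 req/s the scan "will likely take a very long time".
SLOW_THRESHOLD_RPS = 100.0


def _fields(text):
    """Split 'Label : value' lines into a dict; the first colon separates the label."""
    fields = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep:
            fields[label.strip()] = value.strip()
    return fields


def parse_status(text):
    """Extract throughput, crawl progress, error counts and issue counts."""
    f = _fields(text)

    m = re.search(r"(\d+)\s+\((\d+(?:\.\d+)?)/s\)", f.get("HTTP requests", ""))
    requests, rps = (int(m.group(1)), float(m.group(2))) if m else (0, 0.0)

    m = re.search(r"(\d+)\s+total,\s+(\d+)\s+done", f.get("Pivots", ""))
    total, done = (int(m.group(1)), int(m.group(2))) if m else (0, 0)

    m = re.search(r"(\d+)\s+net errors", f.get("HTTP faults", ""))
    net_errors = int(m.group(1)) if m else 0

    m = re.search(r"(\d+)\s+timeouts", f.get("TCP faults", ""))
    timeouts = int(m.group(1)) if m else 0

    issues = {sev: int(n) for n, sev in
              re.findall(r"(\d+)\s+(info|warn|low|medium|high)", f.get("Issues found", ""))}

    return {
        "requests": requests,
        "rps": rps,
        "slow": rps < SLOW_THRESHOLD_RPS,
        "pivots_total": total,
        "pivots_done": done,
        "pct_done": round(100.0 * done / total, 2) if total else 0.0,
        "net_errors": net_errors,
        "timeouts": timeouts,
        "issues": issues,
    }


def summarize(status):
    """One-line triage summary of a parsed status block."""
    flag = " (SLOW: consider -X/-I scope limits or a smaller wordlist)" if status["slow"] else ""
    return (f"{status['pct_done']}% of pivots done at {status['rps']} req/s{flag}; "
            f"{status['net_errors']} net errors, {status['timeouts']} timeouts; "
            f"high={status['issues'].get('high', 0)} medium={status['issues'].get('medium', 0)}")


if __name__ == "__main__":
    print(summarize(parse_status(SAMPLE_STATUS)))
```

The net-error and timeout counters are worth watching alongside the rate: 153 timeouts on 153 net errors, as in this run, points at the target or the network throttling the scanner rather than at skipfish itself.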
Some more advanced usage:
1. Scan a list of URLs read from a text file:
```
root@kali:~# skipfish -o test @url.txt
```
2. Scan with a specified dictionary:
```
# medium: medium-sized; minimal: smallest; extensions-only: file extensions only; complete: full
root@kali:~# dpkg -L skipfish | grep wl
/usr/share/skipfish/dictionaries/medium.wl
/usr/share/skipfish/dictionaries/minimal.wl
/usr/share/skipfish/dictionaries/extensions-only.wl
/usr/share/skipfish/dictionaries/complete.wl
# -S: read-only seed wordlist; -W: read/write wordlist where learned keywords are saved
root@kali:~# skipfish -o test -S /usr/share/skipfish/dictionaries/complete.wl -W newdic.wl -I mutillidae http://10.0.2.5/mutillidae
```
3. Exclude URLs containing a string (for example so the crawler does not follow the logout link and drop its session): -X logout
4. Authentication

| Authentication method | Parameters |
|---|---|
| Basic auth | `-A username:password` |
| Cookie auth | `-C "security=low" -C "PHPSESSID=e4a1e91e806ff991e05323df9b4914a9"` |
| Form auth | `--auth-form http://10.0.2.5/dvwa/login.php --auth-user-field username --auth-user admin --auth-pass-field password --auth-pass password --auth-verify-url http://10.0.2.5/dvwa/index.php` |
Nikto2 vulnerability scanner
https://cirt.net/nikto2-docs/usage.html
Other tools:
Burp Suite: the free edition does not support active scanning;
AppScan: commercial, needs cracking
AWVS: commercial, needs cracking