Attacks & Vulnerabilities

By

Dr. Bhupendra Singh

An attack to compromise a particular target is often carried out through a progression of steps, analogous
to the steps of a physical attack (Chirillo, 2002; McClure, Scambray, & Kutz, 2001; Skoudis, 2002)
February, 2024 Attacks & Vulnerabilities Dr. Bhupendra Singh (Assistant Professor, Dept. of CSE, IIIT Pune)
Introduction to Cyber Attack
Computer systems or digital devices are now very important for business and personal
uses.

These devices store valuable corporate and personal information while computer networks
provide convenient data access and processing services.

Attackers are well aware that virtually all computers are interconnected by the Internet or
private networks.

Mobile and handheld devices with Internet connectivity have steadily grown in popularity.

Networks make attacks easier to carry out remotely and more difficult to track to their
sources.
General Discussion: Cyber Attacks

Cybercrimes were not that frequent before 2013.

The rise in Internet usage has resulted in a rise in cybercrime.

The rise in cybercrime has resulted in increased awareness of the importance of cybersecurity.

But a single successful attack can be enough to cause a loss of multiple billions of dollars.

Companies know this and hence are working towards making their products safer.

Types of Attackers and Motives
There are as many different types of attackers as there are different types of attacks.

Attackers can be categorized in a number of different ways.


Attackers may be either internal or external, depending on their relationship to the target.

Insiders are worrisome because they have certain advantages such as trust and knowledge of the
target organization that can increase the chances of a successful attack.

Insiders do not have to overcome perimeter defences designed for external attackers.

Types of Attackers and Motives
The motivations for electronic attacks depend on the attacker. They can be almost anything, ranging from fun and fame to:

Extortion: the practice of obtaining something, especially money, through force or threats.
Profit: financial gain.
Espionage: the act of spying, or the use of spies, by a government or a company.
Revenge: the desire to repay an injury or wrong.
Political agenda: a set of issues that are the subject of decision making and debate in a political system.

The stereotypical teenage hacker is believed to be interested mainly in gaining fame or notoriety. (Stereotypical = relating to a widely held but fixed and oversimplified image or idea of a particular type of person or thing.)

Types of Attackers and Motives

Organized crime groups are primarily interested in profit. Advanced persistent threat (APT) groups, which are usually state-sponsored, are more often after espionage and long-term access, although some of them also pursue financial gain.

Attacks oriented towards invasion of privacy or theft of confidential data are a growing trend, as evidenced by an escalation in spyware and phishing attacks.

Cyber attacks for political purposes have become a growing concern since international attention turned to terrorism. For example:
Sony incident: the 2014 attack on Sony Pictures, attributed by the US government to North Korea, targeted a private company with the aim of causing massive economic harm.

Taxonomy of Attacks

Basic Steps In Attacks Against Specific Targets
The first step is reconnaissance: collecting intelligence in preparation for the attack. Knowledge of a target and its vulnerabilities can be critical to the success of an attack.

The second step is gaining access, which could have many different goals such as control, theft, or destruction.

During and after the attack, the attacker may take actions to try to avoid detection, such as altering system logs or installing a rootkit.

Reconnaissance
In order to prepare for a successful attack, the attacker first tries to learn as much as possible about the target.
The reconnaissance phase can reveal a surprising amount of information: account names, addresses, operating systems, and even passwords.
Most reconnaissance techniques are not viewed as malicious or illegal, and can be carried out relatively safely.
Reconnaissance activities are so common that potential targets may not be alarmed.
Many different reconnaissance techniques are possible, and attackers do not follow a unique sequence of steps.
Here, three general steps of information discovery about a potential target are considered:
1. Footprinting attempts to learn the location and nature of a potential target from public directories.
2. Identifying the active machines.
3. Scanning provides more detailed information about a target by active probing.
Footprinting/Fingerprinting/Enumeration
Footprinting may be viewed as similar to looking up names and numbers in a telephone book.
The primary objective is locating and learning the nature of potential targets.
E.g., an attacker will want to know how many potential hosts are available and their IP
addresses.
In general, the information gained in footprinting is common, easily found, and presents a very
low risk to corporate, government, and military entities.
An abundant amount of information is readily available on the Web in large public databases.
Open source intelligence (OSINT) is the act of gathering and analyzing publicly available data
for intelligence purposes.
Database interrogation utilities:
nslookup https://centralops.net/co/NsLookup.aspx
Whois https://whois.domaintools.com/
Talos, https://talosintelligence.com/
MX Record: https://mxtoolbox.com/
OSINT Techniques
• Whois
The whois databases contain data about the assignment of IP addresses, registration of domain
names, ownership information, domain name servers, contact information etc.
For a given domain name, the whois database can provide the registrant’s name and address,
domain servers, and contact information.
American Registry for Internet Numbers (ARIN) database provides information about
ownership of ranges of IP addresses.
It allows lookup of contact and registration information including IP addresses,
autonomous system numbers, and registered organizations in the Americas.
European IP address assignments can be discovered from the Réseaux IP Européens
Network Coordination Centre (RIPE NCC).
Asian IP address assignments are maintained by the Asia Pacific Network Information
Center (APNIC).

OSINT Framework

Source: https://osintframework.com/

OSINT Tools
Maltego: A powerful tool for link analysis and gathering data such as domain names, IP
addresses, and social media profiles.
theHarvester: Collects emails, subdomains, IPs, and other data from public sources like search
engines and social networks.
Shodan: A search engine for discovering internet-connected devices, including servers,
webcams, and IoT devices.
Recon-ng: A modular reconnaissance framework for gathering information like DNS records,
WHOIS data, and social media profiles.
Social-Searcher: Monitors mentions and activities across various social media platforms.
Twint: A Twitter scraping tool that collects tweets and user data without requiring API access.
Spyse: A search engine for internet assets, providing information about domains, IPs, and SSL
certificates.
DNSDumpster: Visualizes DNS records to identify domain infrastructure and potential
vulnerabilities.
OSINT Tools: theHarvester
theHarvester collects emails, subdomains, IPs, and other data from public sources like search engines and social networks.
Installation:
git clone https://github.com/laramies/theHarvester
cd theHarvester
python3 -m pip install -r requirements/base.txt
pip install censys
python3 theHarvester.py -h

OSINT: Shodan
Shodan (https://www.shodan.io) is the Hacker’s search engine.
Shodan (Sentient Hyper-Optimised Data Access Network) is a search engine designed to map
and gather information about internet-connected devices and systems.

From Face to Social Media
PimEyes is an online face search engine that crawls the Internet to find pictures containing a given face.
FaceCheck.ID offers a similar face-recognition search, matching an uploaded photo against images found online; the accuracy of such services makes them a serious privacy risk.

DNS Footprinting
Another database: the Domain Name System (DNS).

DNS is a hierarchy of servers used to associate domain names, IP addresses, and mail servers. E.g., it resolves a domain name such as www.company.com to the IP address of the corresponding server.

https://centralops.net/ (Whois + DNS + Network)

DNS Query Resolution - Steps
[DNS Query] When you type a domain (e.g., iitb.ac.in) into your browser, your device first checks its local DNS cache. [Display cache: ipconfig /displaydns] [Flush: ipconfig /flushdns]
[Query to Recursive Resolver] If the IP isn't cached, the request goes to a recursive DNS resolver (usually provided by your ISP, or a public DNS such as Google 8.8.8.8 or Cloudflare 1.1.1.1).
[Root Name Server Lookup] If the IP isn't cached at the recursive resolver either, it queries one of the 13 root name server identities (a.root-servers.net to m.root-servers.net, each actually an anycast cluster of many machines), which refers the resolver to the TLD (top-level domain) name server.
[TLD Name Server Lookup] The resolver contacts the TLD name server (here, the one for .in), which refers it down the delegation chain (ac.in, then iitb.ac.in) to the authoritative name server for the domain.
[Authoritative Name Server Lookup] The authoritative name server (e.g., dns1.iitb.ac.in) hosts the "zone file", which contains the DNS records (A, CNAME, MX, etc.). It returns the IP address (e.g., 103.21.127.250) for the requested name.
[Final Response] The resolver caches the answer for as long as the record's TTL allows and sends it to your browser.
DNS Spoofing
DNS spoofing (DNS cache poisoning) is an attack in which an attacker corrupts a resolver's cache or redirects DNS queries to malicious IP addresses.
The attacker injects forged DNS records into a resolver's cache, causing incorrect domain-to-IP mappings to be served to every client of that resolver.
TTL (time-to-live) and its role in DNS spoofing: TTL is a field in each DNS record that determines how long a resolver should cache the record before discarding it and querying the authoritative server again. A poisoned record therefore survives in the cache for whatever TTL the attacker put in the forged answer.
How TTL affects DNS spoofing:
Lower TTL values:
• Reduce the lifespan of a malicious entry if cache poisoning occurs.
• Increase the frequency of legitimate lookups, so a poisoned entry is replaced sooner and the anomaly is easier to spot.
Higher TTL values:
• Help attackers keep poisoned records in a resolver's cache for longer periods.
• Make it harder for administrators to quickly purge malicious entries from DNS caches.
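The resolution steps and the TTL discussion above, as an added example that is not part of the original slides: a small Python simulation of an iterative resolver with a TTL-bounded cache, followed by a forged record injected with an attacker-chosen TTL. The delegation tree, the server names (fake-root, fake-tld-in, fake-auth-example), the name www.example.in and every address are constructed for illustration; nothing here talks to the real DNS.

```python
"""Simulated iterative DNS resolution with a TTL-bounded cache (added example).

The 'network' is an in-memory delegation tree (constructed data): a fake
root server, a fake .in TLD server and a fake authoritative server for
example.in. No real DNS traffic is generated.
"""
from dataclasses import dataclass

ROOT = "fake-root"

# Each simulated server either refers the resolver to the next server for a
# zone, or answers with (address, ttl_seconds) for a name it is authoritative for.
SERVERS = {
    "fake-root":         {"referral": {"in": "fake-tld-in"}},
    "fake-tld-in":       {"referral": {"example.in": "fake-auth-example"}},
    "fake-auth-example": {"answer": {"www.example.in": ("192.0.2.10", 300)}},
}


@dataclass
class CacheEntry:
    ip: str
    expires_at: float  # absolute simulated time after which the record is discarded
    source: str        # server that supplied the answer ("forged" for injected ones)


class Resolver:
    """A recursive resolver: walks the delegation chain and caches what it learns."""

    def __init__(self):
        self.cache = {}
        self.queries_sent = 0  # round trips to simulated servers

    def _ask(self, server, qname):
        """One query/response exchange with a simulated name server."""
        self.queries_sent += 1
        data = SERVERS[server]
        if qname in data.get("answer", {}):
            return "answer", data["answer"][qname]
        labels = qname.split(".")
        # Longest-suffix match: the server refers us to the most specific zone it knows.
        for i in range(len(labels)):
            zone = ".".join(labels[i:])
            if zone in data.get("referral", {}):
                return "referral", data["referral"][zone]
        raise LookupError(f"{server} knows nothing about {qname}")

    def resolve(self, qname, now):
        """Return the address for qname at simulated time `now` (seconds)."""
        entry = self.cache.get(qname)
        if entry is not None and now < entry.expires_at:
            return entry.ip  # cache hit: what nslookup shows as a 'non-authoritative answer'
        if entry is not None:
            del self.cache[qname]  # TTL expired: must ask the authority again
        server = ROOT
        while True:  # root -> TLD -> authoritative
            kind, payload = self._ask(server, qname)
            if kind == "referral":
                server = payload
                continue
            ip, ttl = payload
            self.cache[qname] = CacheEntry(ip, now + ttl, server)
            return ip

    def inject(self, qname, ip, ttl, now):
        """Model a successful cache-poisoning attack: a forged record is accepted
        with whatever TTL the attacker chose."""
        self.cache[qname] = CacheEntry(ip, now + ttl, "forged")


def served_answers(ttl_forged, sample_times):
    """Answers a poisoned resolver gives at the given (ascending) simulated times.
    A legitimate lookup happens at t=0; the forged record is injected at t=10."""
    r = Resolver()
    r.resolve("www.example.in", now=0)
    r.inject("www.example.in", "203.0.113.66", ttl_forged, now=10)
    return [r.resolve("www.example.in", now=t) for t in sample_times]


if __name__ == "__main__":
    times = [11, 3610, 86410]  # right after poisoning, one hour later, one day later
    print("forged TTL 60s:   ", served_answers(60, times))
    print("forged TTL 86400s:", served_answers(86400, times))
```

With a 60-second forged TTL the resolver is clean again an hour later; with a one-day TTL it keeps handing out the attacker's address to every client until the entry expires or an administrator flushes the cache.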

DNS Footprinting
nslookup is a network administrator's command-line tool available on most desktop operating systems. It can be used for troubleshooting DNS-related problems.

Server: displays the DNS server that is being queried.
Address: shows the IP address of that DNS resolver (e.g., Google DNS 8.8.8.8).
"Non-authoritative answer" means the response came from a recursive resolver (typically out of its cache) rather than directly from the authoritative name server for the zone.
Active Scanning
Scanning is a more active step to learn about potential targets from their responses to various probes.

There are many different ways to conduct scans, and most of them are automated for convenience and speed.

During a postmortem digital forensic examination of an attacker's host, it is important to look for tools similar to those used for scanning. This will help an experienced examiner understand the probable skill level of the attacker.

This step increases in importance when trying to understand the extent of a possible enterprise-wide compromise.

Attackers generally like using the same tools over again, and in this early stage the attacker is likely to load some of these tools on other compromised hosts.
Ping Sweep
The Internet Control Message Protocol (ICMP) is an essential part of the Internet protocol suite, used to report errors and carry other control messages.

Whereas a single ping will tell whether one specified host exists on the network, a ping sweep consists of ICMP Echo Requests sent to many hosts.

Ping uses ICMP and works by sending an Echo Request to a system and waiting for the target to send an Echo Reply back.
A host that receives an ICMP Echo Request message should reply with an ICMP Echo Reply (unless the host, or a firewall in front of it, is configured to drop such requests).
Other tools: Angry IP Scanner, Hping, Pinger
Ping Sweep
Ping is frequently used by attackers to sweep or scan a block of IP addresses for active hosts, and many tools can easily perform a ping sweep.

However, ping sweeps have two drawbacks for attackers:

Ping sweeps can be noticed and alert potential targets of an imminent attack.

Organizations will sometimes block ICMP messages as a matter of policy.

To avoid this problem, TCP packets to well-known ports will also work. An initial TCP SYN packet (used to request a new TCP connection) sent to an open port prompts a SYN-ACK reply, and a closed port answers with a RST. Either reply proves that the host is up; only silence suggests that the host is down or that a firewall is dropping the probe.

Network Mapping
Ping sweeps reveal the addresses of active hosts but no information about the networks between the attacker and those hosts.
Traceroute is used to view the path a packet follows from its source to its destination.
The time-to-live (TTL) value, also known as the hop limit, is used to determine the intermediate routers traversed towards the destination.
Routers decrement the TTL of a packet by one when forwarding it and discard packets whose TTL has reached zero, returning the ICMP error message "Time Exceeded" to the sender.
GeoTraceroute (https://geotraceroute.com) is a well-known web-based traceroute front end. Along with a graphical map, it also displays contact and location information for each node.
Tracert on Windows

 tracert                    (no arguments: prints the usage text and the available options)
 tracert zonetransfer.me    (trace the route to the named host)

Network Mapping
Routers typically forward packets quickly and must decrement the TTL value by the minimum unit of one.
If the TTL field reaches zero, a router should discard the packet and send an ICMP Time Exceeded message back to the source IP address of the discarded packet.
The Unix traceroute utility sends out a sequence of UDP packets to high-numbered ports, starting with a TTL of one and incrementing it by one for each successive packet; Windows tracert does the same with ICMP Echo Requests instead of UDP.
When ICMP Time Exceeded messages are returned, they reveal the addresses of routers at increasing distances. The trace ends when the destination itself answers (with ICMP Port Unreachable for a UDP probe, or an Echo Reply for an ICMP probe); a hop that filters ICMP simply shows up as "* * *".
PathPing is a Windows network utility that combines the functionality of ping with that of traceroute (tracert).
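The TTL-stepping procedure above, as an added example that is not part of the original slides: a Python simulation of the traceroute algorithm. A real trace needs raw sockets or the system traceroute/tracert binary, so the "network" here is a constructed list of router addresses, one of which silently drops expired probes the way a firewall that filters outbound ICMP does; that hop shows up as "*" in the result, exactly as it would in a real trace.

```python
"""Traceroute logic run against a simulated path (added example, constructed data)."""

# Constructed path from the probing host to the destination. Each entry is
# (router address, replies_with_time_exceeded). A router that does not reply
# models a hop that filters outbound ICMP.
PATH = [
    ("10.0.0.1", True),         # local gateway
    ("198.51.100.1", True),     # ISP edge router
    ("203.0.113.9", False),     # firewall: discards the probe, sends nothing back
    ("203.0.113.10", True),     # router behind the firewall
]
DESTINATION = "192.0.2.50"


def send_probe(ttl, path=PATH, destination=DESTINATION):
    """Model what the network does with one probe sent with a given initial TTL.

    Returns (replier, message), or None when no reply comes back. Each router
    decrements the TTL; the one that brings it to zero discards the packet and
    normally sends ICMP Time Exceeded. A probe that survives every router reaches
    the destination, which answers ICMP Port Unreachable (UDP probe to an unused
    port) or Echo Reply (ICMP probe).
    """
    for router, replies in path:
        ttl -= 1
        if ttl == 0:
            return (router, "time-exceeded") if replies else None
    return (destination, "port-unreachable")


def traceroute(path=PATH, destination=DESTINATION, max_hops=30, probes_per_hop=3):
    """Raise the TTL one step at a time until the destination itself replies.
    Returns [(ttl, address_or_star), ...]."""
    hops = []
    for ttl in range(1, max_hops + 1):
        replies = [send_probe(ttl, path, destination) for _ in range(probes_per_hop)]
        answered = [r for r in replies if r is not None]
        if not answered:
            hops.append((ttl, "*"))   # real traceroute prints "* * *" for this hop
            continue
        replier, _message = answered[0]
        hops.append((ttl, replier))
        if replier == destination:
            break                     # target reached: stop probing
    return hops


if __name__ == "__main__":
    for ttl, addr in traceroute():
        print(f"{ttl:2d}  {addr}")
```

Note that the silent hop does not stop the trace: the next TTL value passes through the firewall and is expired by the following router, so the path beyond a filtering hop is still recovered.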
Port Scanning
Port numbers are conveyed in the TCP and UDP packet headers.
The 16-bit port field allows 65,536 TCP ports and 65,536 UDP ports (numbered 0 to 65,535).
Certain port numbers are "well known" and pre-assigned to common protocols. E.g., Web servers listen for HTTP requests on TCP port 80.
An attacker is almost always interested in discovering which ports are open (i.e., which services are active) on a potential target.
An open port means that the target will accept connections or data on that port, and exploits are often targeted at the vulnerabilities of a specific service.
However, probing every possible port manually would be very tedious.
A port scanner is an automated tool for sending probes to a set of ports in order to see which of them are open.
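Added example, not part of the original slides, serving both the TCP-based host discovery described under Ping Sweep and the port scanner described here: a small Python connect() scanner. To stay self-contained it starts its own listener on 127.0.0.1 as the "target"; the loopback host and the ports are the example's own choices. A completed connect() is what `nmap -sT` does, while the half-open SYN scan (`nmap -sS`) needs raw sockets and root. Against anything other than your own hosts, run such a scanner only with authorization.

```python
"""TCP connect() host discovery and port scan (added example)."""
import socket
from concurrent.futures import ThreadPoolExecutor


def start_listener():
    """Bind and listen on an ephemeral loopback port: stands in for a target service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def reserve_port():
    """Find a loopback port nobody is listening on (used as the 'closed' target)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


def probe(host, port, timeout=0.5):
    """Classify one TCP port from the target's reaction to our SYN.

    open     - SYN-ACK came back and the handshake completed
    closed   - RST came back (host is up, nothing listens there)
    filtered - nothing came back before the timeout (firewall drop, or host down)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:                 # includes the timeout error
        return "filtered"


def scan(host, ports, timeout=0.5, workers=32):
    """Probe many ports concurrently; returns {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return dict(zip(ports, states))


def host_is_up(host, ports=(80, 443, 22), timeout=0.5):
    """TCP-based 'ping': any SYN-ACK or RST proves the host exists, even where
    ICMP is blocked. Only an all-'filtered' result leaves the question open."""
    return any(state != "filtered" for state in scan(host, ports, timeout).values())


if __name__ == "__main__":
    target = start_listener()
    open_port, closed_port = target.getsockname()[1], reserve_port()
    print(scan("127.0.0.1", [open_port, closed_port]))
    print("host up:", host_is_up("127.0.0.1", [closed_port]))
    target.close()
```

The three-way classification mirrors Nmap's open/closed/filtered states; a scanner that only distinguishes "connected" from "not connected" loses the RST signal that makes TCP probes useful for host discovery when ICMP is blocked.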
Most Popular Port Numbers

The Internet Assigned Numbers Authority (IANA) has assigned port numbers to commonly used services like SSH, FTP, HTTP, HTTPS, and others. Some of the most common ones: FTP 21, SSH 22, HTTP 80 and HTTPS 443 (all TCP).

Port Scanning Tools
Nmap is free & open-source utility which is perhaps the most capable port
scanner, providing options for many different types of scans which vary in
degree of stealthiness and ability to pass through firewalls.
Other popular tools: Unicornscan, Angry IP Scanner, Netcat, Zenmap (GUI front end for Nmap), Foundstone's SuperScan, Hping, and Nemesis.
Nmap is available at https://nmap.org/download.html
Port Scanning Tools
Nmap can be used to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
Usage:
Ping scan (host discovery only) -- $ nmap -v -sn 192.168.1.0/24
Port scan (TCP SYN scan) -- $ nmap -v -sS 192.168.1.2 (add -p to select single/multiple/range of ports, e.g. -p 22,80,443 or -p 1-1024)
Detailed info on one host -- $ nmap -v -A 192.168.1.2 (OS detection, version detection, default scripts and traceroute)
OS detection -- $ nmap -v -O 192.168.1.2 (matched against a database of about 2,600 OS fingerprints)
Scan the most popular ports -- $ nmap -v --top-ports 10 192.168.1.2
Output to a file -- $ nmap -v --top-ports 10 192.168.1.2 -oN output.txt
Service detection -- $ nmap -v -sV diat.ac.in
Note: -sS and -O require raw-socket privileges (root/Administrator); for an unprivileged user Nmap's default scan type is the TCP connect scan (-sT).
OS Detection
An attacker may attempt to discover a target computer's operating system because specific vulnerabilities are known for different operating systems (and their different versions).

Eavesdropping on network traffic with a sniffer can find clues about a host's operating system (passive fingerprinting, e.g. with p0f).

E.g., different operating systems exhibit specific behaviour in setting the initial TTL value in IP packet headers and the TCP window size. Nmap's -O option performs the same kind of TCP/IP stack fingerprinting actively, by sending crafted probes and comparing the responses against its fingerprint database.
Operating systems also differ in how they respond to illegal or unusual TCP packets (e.g., unexpected flag combinations), which is exactly what such probes exercise.
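Passive fingerprinting from the two clues named above (initial TTL and TCP window size), as an added example that is not part of the original slides and is far cruder than p0f or Nmap. It infers which initial TTL a host started with, derives the hop distance from that, and combines it with the SYN window size to guess an OS family. The sample packets are constructed, and the signature table is an assumption covering only a few common defaults.

```python
"""Crude passive OS fingerprinting from IP TTL and TCP window size (added example)."""

# Initial TTLs used by the major IP stacks (64: Linux/macOS/most Unix,
# 128: Windows, 255: many network devices and some BSDs).
INITIAL_TTLS = (64, 128, 255)

# Assumed signature table for the demo: (initial TTL, SYN window) -> family.
# Real tools match dozens of header fields; this table is only illustrative.
SIGNATURES = {
    (64, 65535):  "Linux/macOS-like (64 TTL, 64K window)",
    (64, 29200):  "Linux (default SYN window 29200)",
    (128, 8192):  "Windows (8192 window)",
    (128, 64240): "Windows (64240 window)",
    (255, 4128):  "Cisco IOS",
}

TTL_ONLY = {64: "Unix-like (by TTL only)",
            128: "Windows (by TTL only)",
            255: "network device/BSD (by TTL only)"}


def infer_initial_ttl(observed_ttl):
    """Smallest common initial TTL >= the observed one. The difference between
    the two is the number of routers the packet has crossed."""
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    raise ValueError(f"impossible TTL {observed_ttl}")


def fingerprint(packet):
    """packet: dict with 'ttl' and 'window' taken from a sniffed SYN."""
    initial = infer_initial_ttl(packet["ttl"])
    hops = initial - packet["ttl"]
    family = SIGNATURES.get((initial, packet["window"]))
    if family is None:
        # Unknown window size: fall back to what the TTL alone suggests.
        family = TTL_ONLY[initial]
    return {"initial_ttl": initial, "hops": hops, "guess": family}


# Constructed sample: what a sniffer might show for SYNs from three hosts.
SAMPLE_SYNS = [
    {"src": "192.0.2.11", "ttl": 51,  "window": 29200},
    {"src": "192.0.2.12", "ttl": 116, "window": 64240},
    {"src": "192.0.2.13", "ttl": 250, "window": 12345},
]


def fingerprint_all(packets=SAMPLE_SYNS):
    return {pkt["src"]: fingerprint(pkt) for pkt in packets}


if __name__ == "__main__":
    for src, result in fingerprint_all().items():
        print(src, result)
```

The hop estimate is the part worth remembering: a TTL of 51 cannot have started at 128, so it must have started at 64 and crossed 13 routers, which is also why a sniffer sees very different TTLs from hosts that run the same OS at different distances.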
Steps of the Pre-attack Phase

Vulnerability Scanning
Active scanning is invaluable to an attacker for learning information such as host addresses, network topology, open ports, and operating systems.
The next step in reconnaissance is to scan for specific vulnerabilities that might be exploitable for an attack.
Vulnerability assessments are often conducted as a credentialed scan (from inside the network, logging in to hosts with valid accounts), while penetration testing (pentest) tests network vulnerabilities from the outside, to simulate an attack just as a real attacker would carry it out.
Scanners evaluate several types of vulnerabilities, searching for one of three general system weaknesses:
Faulty operating system code,
Faulty application code, or
Faulty configurations.
System Vulnerabilities
 The most critical vulnerabilities are often published by vendors along with a software patch. (Windows 10: https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-32238/Microsoft-Windows-10.html)
 In practice, organizations find it hard to dedicate the time and effort needed to keep up regularly with security bulletins and patches.
 A "window of opportunity" for cyber criminals is the period during which a vulnerability can be exploited: from the moment it becomes known to attackers until the patch is not only released but actually installed on the affected systems.
 The most critical window of opportunity occurs when a vulnerability is completely unknown to the vendor, allowing attackers to exploit it before any patch exists (a "zero-day" attack).
Application Vulnerabilities
Applications introduce new risks to operating systems by opening up new ports, installing new services, and running privileged processes that are sometimes faulty and susceptible to hijacking or buffer overflows.
[A buffer overflow occurs when data written to a buffer also overwrites memory adjacent to the destination buffer because of insufficient bounds checking.]

Commonly targeted applications include Web browsers and desktop applications such as Microsoft Word and Excel, which are capable of running downloaded code (scripts and macros).
A Web browser, for example, can be made to execute JavaScript from an untrusted server that could make the client download and execute a malicious program. (IE: https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-9900/Microsoft-Internet-Explorer.html)
CVE (Common Vulnerabilities and Exposures)
A vulnerability is a weakness which can be exploited to gain unauthorized access to, or perform unauthorized actions on, a computer system.
Once a vulnerability is identified, it is registered as a CVE (Common Vulnerabilities and Exposures) entry in the list maintained by MITRE (https://cve.mitre.org/). The mission of the CVE® Program is to identify, define, and catalog publicly disclosed cyber security vulnerabilities (total records: 240,830).
Every CVE is assigned a number known as a CVE Identifier, which takes the form CVE-[Year]-[Number]. CVE identifiers are assigned by one of around 436 CVE Numbering Authorities (CNAs).
The full list of CNAs (https://www.cve.org/ProgramOrganization/CNAs) includes many household names, including MITRE, Adobe, Apple, Cisco, Dell, Facebook, Google, IBM, Intel, and more.
For each CVE, a Common Vulnerability Scoring System (CVSS) score is published to reflect its severity. The CVSS base score describes the vulnerability itself and does not change; the optional temporal and environmental metric groups adjust it for exploit maturity and for a particular organization's environment, so the effective score can differ over time and between users.
Additional information on each CVE can be found directly on vendor websites, as well as in the NIST National Vulnerability Database (https://nvd.nist.gov/).
CVSS vs EPSS
Started in 2019, Exploit Prediction Scoring System (EPSS) is an open community-driven effort
to model and manage vulnerability risk from a probabilistic perspective.

EPSS measures how likely a particular vulnerability is to be exploited in the wild. EPSS scores
range from 0% (the lowest probability of exploitation) to 100% (the highest probability of
exploitation). The score is intended to communicate the “probability of exploitation activity
in the next 30 days.”

Where EPSS attempts to measure the probability of a vulnerability being used in an exploit,
CVSS attempts to assess the potential impact and severity of a given vulnerability.

CVSS assigns severity scores on a 0 (lowest) to 10 (highest) basis. The ranges are as follows:
None: 0, Low: 0.1 - 3.9, Medium: 4.0 - 6.9, High: 7.0 - 8.9 & Critical: 9.0 - 10.0
As an example, the vulnerability CVE-2025-24958 was assigned a severity rating of 9.4.
Web Application Vulnerability Scanner
It is important to keep your website or web applications resistant to malicious activity. What you need to do is use security testing tools to identify and measure the extent of security issues in your web application(s).
A web application vulnerability scanner is a software program which performs automatic black-box testing on a web application and identifies security vulnerabilities.
These tools scan web applications to look for security vulnerabilities such as cross-site scripting, SQL injection, command injection, path traversal, insecure server configuration, etc.
This category of tools is frequently referred to as Dynamic Application Security Testing (DAST) tools (as opposed to SAST).
SAST vs DAST
Static Application Security Testing (SAST) tools are used early in the software
development process to test the application from the inside out (white-box
testing tools).
These tools test the source code, the byte code, or the binaries line-by-line, to
expose weaknesses in the software before it is deployed.
Dynamic Application Security Testing (DAST) tools identify potential
vulnerabilities, including those outside the code and in third-party interfaces.
Source code, byte code, and binaries are not required with DAST, and it is
easier to use and less expensive than SAST tools.
By providing the outside in perspective, DAST tools can provide valuable
insight and are ideal to be used after an application goes live and when
source code is not available to be tested.
Web Application Vulnerability Scanner
Tool: Zed Attack Proxy (ZAP)
  License: Open source
  Platform: Windows, Unix/Linux, Mac OS, Docker
  Functionalities: Application error disclosure, cookie without HttpOnly flag, missing anti-CSRF tokens and security headers, private IP disclosure, session ID in URL rewrite, SQL injection, XSS injection

Tool: Grabber
  License: Open source
  Platform: Python 2.4, BeautifulSoup and PyXML
  Functionalities: Cross-site scripting, SQL injection, Ajax testing, file inclusion, JS source code analyser, backup file check

Tool: Wapiti
  License: Open source
  Platform: Windows, Unix/Linux and Mac
  Functionalities: File disclosure, file inclusion, cross-site scripting, command execution detection, CRLF injection, SQL injection and XPath injection, weak .htaccess configuration, backup file disclosure

Tool: W3af
  License: Open source
  Platform: Linux and Mac OS
  Functionalities: More than 200 kinds of vulnerabilities, including blind SQL injection, buffer overflow, cross-site scripting, CSRF, insecure DAV configurations

Tool: SQLMap
  License: Open source
  Platform: Linux and Mac OS
  Functionalities: Supports six SQL injection techniques: time-based blind, Boolean-based blind, error-based, UNION query, stacked queries and out-of-band

