Neurohazard
暮雲煙月,皓首窮經;森羅萬象,如是我聞。

常见扫描器(Web漏扫)评测:AWVS, Nessus, AppScan 等扫描器的扩展开发

wpadmin~June 6, 2018 /InfoSec

常见 web 漏扫评测

Contents

Web 应用漏扫

常见漏扫

  1. AWVS (Acunetix Web Vulnerability Scanner)
  2. Tenable Nessus
  3. IBM AppScan
  4. Rapid7 AppSpider
  5. Rapid7 Nexpose

国产漏扫

  1. NSFocus RSAS (绿盟 极光)
  2. Dbappsecurity MatriXay (安恒 明鉴WEB应用弱点扫描器)
  3. Yxlink (铱迅)
  4. gatling (加特林)

开源

  1. OpenVAS (高误报,不推荐)
  2. Nikto (比较轻量)

扩展功能

burpsuite, nmap 的脚本都有部分 web 漏扫的功能,不过他们并非为此专门设计。

  1. burpsuite
  2. nmap

AppScan

扫描 payload 比较足,但是也有重复和误报的情况。

AppScan Client

相关附件参考 Evernote

扫描不能停之Appscan批量扫描 – dacAIniao
AppScanCMD.exe

AWVS

AWVS Client

相关附件参考 Evernote

Acunetix11-API接口开发利用 – dacAIniao
https://mp.weixin.qq.com/s?timestamp=1528253028&src=3&ver=1&signature=GYbZ25o25PVSCNbwGbIeaREyxb8Aoy37YneNPNrB4diFvEslxq2LaMHJujlZk7-khwgYqZwM7Q-I4TVqJkvrfSMq9iDanh-v1pgRTa3WrNxmB4Il3x1hMu5MP-OhHUcWJt72b0xa20D988XxuAPaF5UP2HFs8B8BF*iY2FM=

整合了一个wvs11的扫描
http://0cx.cc/wvs_console_scan.jspx

https://github.com/0xa-saline/acunetix-api
https://github.com/jenkinsci/acunetix-plugin

扫描插件开发

从AWVS插件到伪代理扫描 – 71SRC(爱奇艺安全应急响应中心)
clickme

Nessus

API Documentation

https://127.0.0.1:8834/api#/overview
相关附件参考 Evernote

Nessus NASL

NASL脚本语言
https://blog.csdn.net/weixin_41010318/article/details/79291004

参考资料

OWASP: Category:Vulnerability Scanning Tools
https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools

Leave a Reply

Your email address will not be published. Required fields are marked *