3 Open-Source Tools for DAST
DAST, or Dynamic Application Security Testing, is a black-box approach to penetration testing. To understand why DAST is often preferred over SAST, consider an example. Suppose you bought a new car and are ready for a test drive. You start the engine and it works, but when you try to stop the vehicle, the brakes don't work. You now know you have a problem; you don't know what it is, but there is a problem. The DAST approach would test the brakes and related parts, whereas the SAST approach would completely disassemble the car to look for the flaw. SAST may look more precise, but it is also very overwhelming; DAST, on the other hand, is more practical and closer to real-world conditions.
What is DAST?
Put simply, in the DAST approach an application is tested from the outside. A tester using DAST examines the application while it is running and tries to attack it just as an attacker would. DAST scanners are technology-independent: because they interact with the application from the outside over HTTP, they work with any programming language or framework, whether off-the-shelf or custom-built.
Open Source DAST Tools
1. Zed Attack Proxy or ZAP
ZAP is an open source tool offered by OWASP for performing security testing. It helps find security vulnerabilities in web applications.
1.1 How does it work?
ZAP runs a proxy server and routes the website's traffic through it. It includes automated scanners that help detect vulnerabilities in web applications.
1.2 How to Install ZAP?
To install ZAP, download the tool from GitHub and run the installer. ZAP requires Java 8+ to run, so make sure Java is already installed on your system. The Mac OS/X installer includes an appropriate version of Java, but for Windows, Linux and the cross-platform versions you must install Java 8+ separately. The Docker versions do not require you to install Java. Once the installer starts, read the license terms and click Agree to accept them; ZAP will finish installing and start automatically.
1.3 ZAP Interface
Let's take a look at ZAP's UI first. For this article, we have divided the panel into 5 parts, numbered 1 to 5.
1. Modes: On the upper-left corner of your screen, there are four modes:
a. Standard Mode – Allows you to do anything on any website.
b. Attack Mode – Performs scans on any website.
c. Safe Mode – Turns off all the potentially harmful features while scanning.
d. Protected Mode – Allows you to scan only websites within a defined scope, so that you do not end up scanning an unwanted website.
2. Scope and Context: You should turn this option on, because the Sites tree becomes cluttered after a few tests. To focus on your target website, create a new context for it and keep the In Scope option checked. You will then no longer see the other websites you are not interested in.
3. Sites: All the sites you access via the ZAP Proxy will be listed here. If your website makes a request to another website, you’ll see that under a separate site.
4. Workspace Windows: Displays requests, responses and scripts, and allows you to edit them.
5. Information Window: Displays the details of automated and manual tools.
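As an added example (not code from the article or from the ZAP project), the following Python script drives the workflow just described through ZAP's REST API using only the standard library: switch to Protected Mode, create a context, mark the target as in scope, spider, active-scan, and collect the alerts. It assumes ZAP is listening on localhost:8080; the API key and the target URL are placeholders.

```python
import json
import time
import urllib.parse
import urllib.request

ZAP_BASE = "http://localhost:8080"      # assumed ZAP daemon address
API_KEY = "REPLACE_WITH_ZAP_API_KEY"    # placeholder; ZAP shows the real key under Options > API
TARGET = "http://testapp.local"         # constructed sample target


def api_url(component, kind, name, **params):
    """Build a ZAP API URL of the form /JSON/<component>/<view|action>/<name>/?..."""
    query = urllib.parse.urlencode({"apikey": API_KEY, **params})
    return f"{ZAP_BASE}/JSON/{component}/{kind}/{name}/?{query}"


def call(component, kind, name, **params):
    """Invoke one API endpoint and decode its JSON reply."""
    with urllib.request.urlopen(api_url(component, kind, name, **params)) as r:
        return json.load(r)


def wait_for(component, scan_id):
    """Poll the spider/ascan status view until ZAP reports 100 percent."""
    while int(call(component, "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(2)


def summarize(alerts):
    """Count alerts per risk level so consecutive runs can be compared."""
    counts = {}
    for a in alerts:
        counts[a["risk"]] = counts.get(a["risk"], 0) + 1
    return counts


def run_scan(target, context="testapp"):
    call("core", "action", "setMode", mode="protect")          # Protected Mode
    call("context", "action", "newContext", contextName=context)
    call("context", "action", "includeInContext",
         contextName=context, regex=target + ".*")             # In Scope
    sid = call("spider", "action", "scan", url=target, contextName=context)["scan"]
    wait_for("spider", sid)
    aid = call("ascan", "action", "scan", url=target, inScopeOnly="true")["scan"]
    wait_for("ascan", aid)
    return call("core", "view", "alerts", baseurl=target)["alerts"]


if __name__ == "__main__":
    print(summarize(run_scan(TARGET)))
```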
2. Nikto
Nikto is an open source web server scanner that scans web servers for potentially dangerous files and programs, outdated versions and other version-specific problems. It also checks server configuration items such as HTTP server options and tries to identify the installed web server and software.
2.1 How to Install Nikto for Windows
Although Nikto is available in Kali Linux by default, there is also a way to install it on Windows. Nikto is written in Perl. You can download a distribution of Nikto 2.1.5 conveniently packaged with Strawberry Perl that runs on Microsoft Windows. The distribution is portable, so no installation is needed.
Step 1: Browse to the following link https://projects.giacomodrago.com/nikto-win/ and download the zip file.
Step 2: Unzip the file, browse to the extracted location nikto-2.1.5-win\nikto-2.1.5\perl and open portableshell.bat, which acts as a shell for Nikto.
Step 3: You will get a command prompt; change directory to nikto-2.1.5 and execute nikto.bat.
If you get the result shown in the red rectangular box, Nikto is ready to work.
2.2 Input and Output of Nikto
A classic Nikto invocation looks something like:
nikto -h <target>
which will give the following result:
As you may have noticed in the above output, the port used is 80, which is the default. You can change to any port you like by adding -port <number>. The output also lists the Allowed Methods and the missing headers, which help you narrow down the vulnerabilities to test for. You can use -Tuning to run specific categories of tests.
For further help, use -Help or -H to see the extended help.
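To show how the Allowed Methods and missing-header lines are used for triage, here is an added Python example (not code from the article or from the Nikto project) that parses a Nikto text report into a small findings dictionary and flags HTTP methods worth a closer look. The report embedded below is constructed in Nikto 2.1.5 output style, not a real scan result.

```python
import re

# Constructed sample in Nikto 2.1.5 output style (not a real scan result).
SAMPLE_REPORT = """\
+ Target Hostname:    testapp.local
+ Target Port:        80
---------------------------------------------------------------------------
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ 6544 requests: 0 error(s) and 5 item(s) reported on remote host
"""

# Methods an ordinary web front end should not expose; review if allowed.
RISKY_METHODS = {"TRACE", "PUT", "DELETE", "CONNECT"}
HEADER_RE = re.compile(
    r"The (?:anti-clickjacking )?([\w-]+) header is not (?:present|defined|set)")

def parse_nikto(report):
    """Turn Nikto's '+ ' finding lines into a triage dictionary."""
    f = {"port": None, "missing_headers": [], "allowed_methods": [], "items": 0}
    for line in report.splitlines():
        if not line.startswith("+ "):
            continue                      # separator lines carry no finding
        body = line[2:]
        header = HEADER_RE.search(body)
        if body.startswith("Target Port:"):
            f["port"] = int(body.split(":", 1)[1])
        elif body.startswith("Allowed HTTP Methods:"):
            f["allowed_methods"] = [m.strip() for m in body.split(":", 1)[1].split(",")]
        elif header:
            f["missing_headers"].append(header.group(1))
        elif "item(s) reported" in body:
            f["items"] = int(re.search(r"(\d+) item\(s\)", body).group(1))
    return f

def risky_methods(findings):
    """Allowed methods that deserve manual follow-up, sorted for stable output."""
    return sorted(set(findings["allowed_methods"]) & RISKY_METHODS)

if __name__ == "__main__":
    result = parse_nikto(SAMPLE_REPORT)
    print(result["port"], result["missing_headers"], risky_methods(result))
```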
3. GoLismero
GoLismero is an open source tool for security testing that covers a wide list of vulnerabilities, as shown in the snippet below.
A few of the most interesting features of this tool are:
1) Platform independence – it is tested on Windows, Linux, BSD and OS X.
2) GoLismero is written in Python.
3) It also collects and unifies the results of well-known tools such as sqlmap, OpenVAS, dnsrecon, theHarvester and nmap.
In short, GoLismero can be considered a one-man army: it gives you the results of multiple tools through a single tool.
3.1 How to Install GoLismero
Download and extract the compressed file from here. GoLismero already ships with all its dependencies except Python. You can also download it from GitHub here or use the following command:
git clone https://github.com/golismero/golismero.git
3.2 Input and Output of GoLismero
A classic GoLismero invocation looks something like:
golismero scan <target>
Other commands and options, such as scan, are placed before <target>.
GoLismero produces extensive output by gathering results from multiple tools such as nmap.
Although these tools help analyze a web application for common vulnerabilities, they do not by themselves provide complete security, which brings out the need for constant improvement and regular manual penetration testing. Automated tools can only help you up to a point; to achieve the maximum possible level of security, manual testing cannot be avoided. As Tim Cook once said:
“In the world of cyber security,
the last thing you want is to have a target painted on you.”