About

why we do what we do

About
As developers we know the struggle! Due to tight deadlines there is no time or budget left at the end of a project for in depth analysis of what we actually delivered. While official pentesting by a real person is always adviced to find out some logic errors, the least you can do is automatically scan your site for known configuration mistakes and programming errors.

If it ain't broke dont fix it...

While this is true for many cases, for websites it is'nt!. Especially when using a standard CMS, framework or library. The better ones get updates and bugfixes regularly. It is important to keep your systems up to date. The bigger the framework the more bugs are found and exploited.

Used tools

We gathered a couple of frequently used open source tools and tweaked them with our own experience. But lets give credit where credit is due. We couldn't have build our project without using (a part of) the following tools.

Arachni

Arachni is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of modern web applications.

Arachni provides first-class coverage, vulnerability detection and accuracy for modern web application technologies.

JoomlaVS

JoomlaVS is a Ruby application that can help automate assessing how vulnerable a Joomla installation is to exploitation. It supports basic finger printing and can scan for vulnerabilities in components, modules and templates as well as vulnerabilities that exist within Joomla itself.

Nikto

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.

Nmap

Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

WPScan

WPScan is a black box WordPress vulnerability scanner.