
Names of web vulnerability scanning tools

Useful tool names for testing every type of web vulnerability, grouped by category.

1. Injection Flaws:

A- SQL Injection

Tools: SQLmap, Burp Suite

Techniques: Manipulating data inputs so that poorly sanitized values are interpreted as SQL commands.

B- Command Injection

Tools: Burp Suite, custom scripts

Techniques: Exploiting inputs that are used in the creation of OS commands, especially when they’re poorly sanitized.

C- XSS (Cross-Site Scripting)

Tools: Burp Suite, OWASP ZAP, XSSer

Techniques: Exploiting inputs to inject malicious scripts, often targeting another user.

2. Authentication and Session Management Flaws:

Tools: Burp Suite, custom scripts

Techniques: Exploiting weak password policies, predictable session tokens, insecure account recovery methods, etc.

3. Insecure Direct Object References (IDOR):

Tools: Burp Suite, OWASP ZAP

Techniques: Manipulating references to internal implementation objects to gain unauthorized access.

4. Security Misconfigurations:

Tools: Nmap, Nikto, Nessus

Techniques: Exploiting default configurations, unnecessary services, unprotected files and directories, etc.

5. Sensitive Data Exposure:

Tools: Wireshark, Burp Suite

Techniques: Intercepting traffic to extract data, exploiting weak encryption, etc.

6. Missing Function Level Access Control:

Tools: Burp Suite, OWASP ZAP

Techniques: Accessing unauthorized functions by manipulating requests.

7. Cross-Site Request Forgery (CSRF):

Tools: Burp Suite, OWASP ZAP

Techniques: Forcing an end user to execute unwanted actions on a web application in which they’re authenticated.

8. Unvalidated Redirects and Forwards:

Tools: Burp Suite, OWASP ZAP

Techniques: Redirecting users to malicious websites or tricking users into performing actions they do not intend.
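A scanner tests this class by putting a foreign address into the redirect parameter and checking whether the Location header follows it. The defence is to accept only paths on the application's own site. The added example below, not from the original post, is a validator for a `next`-style parameter written with Python's standard urllib; the parameter name and the fallback path are assumptions. It goes a little beyond the text by handling the forms that commonly slip past a naive "starts with /" check: scheme-relative `//host`, triple-slash and backslash variants (which browsers normalise to an authority), and control characters such as tabs that browsers strip before parsing.

```python
"""Added example: validating a post-login redirect target against open-redirect forms."""
from urllib.parse import urlparse

SAFE_FALLBACK = "/"  # assumed landing page used whenever the candidate is rejected


def safe_redirect_target(candidate: str) -> str:
    """Return 'candidate' only if it is a same-site path; otherwise the fallback.

    Rules applied, in order:
      1. empty value -> fallback
      2. backslashes or ASCII control characters -> fallback
         (browsers treat '\\' as '/' in the authority and strip tab/newline,
         so '/\\host' and '/\t/host' would become '//host' on the client side)
      3. anything with a scheme or an authority (https://host, //host) -> fallback
      4. the path must start with a single '/' (a raw '//' or '///' prefix is
         read by browsers as an authority, so it is rejected on the raw string)
    """
    if not candidate:
        return SAFE_FALLBACK
    if "\\" in candidate or any(ord(ch) < 0x20 for ch in candidate):
        return SAFE_FALLBACK
    parsed = urlparse(candidate)
    if parsed.scheme or parsed.netloc:
        return SAFE_FALLBACK
    if not candidate.startswith("/") or candidate.startswith("//"):
        return SAFE_FALLBACK
    return candidate


if __name__ == "__main__":
    # Constructed inputs: one legitimate path and several foreign-host forms
    for value in ["/account?tab=1", "https://evil.example/", "//evil.example/",
                  "///evil.example/", "/\\evil.example", "/\t/evil.example", ""]:
        print(repr(value), "->", safe_redirect_target(value))
```

If the application must legitimately redirect to other hosts (a partner site, a CDN), the same function becomes an allow-list lookup on `parsed.hostname` rather than a blanket rejection of authorities; the key property is unchanged: the decision is made from an explicit list the server owns, never from the value the client supplied.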

9. Server-side Request Forgery (SSRF):

Tools: Burp Suite, custom scripts

Techniques: Exploiting the ability to create requests from the vulnerable server to intra/extranet applications.

10. XML External Entity (XXE) Injection:

Tools: Burp Suite, custom scripts

Techniques: Exploiting poorly configured XML parsers to disclose internal files, execute remote requests, carry out DoS attacks, etc.
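Every XXE variant listed above depends on the parser processing a DTD: entity declarations, external or internal, can only appear there. The most reliable hardening is therefore to refuse any DOCTYPE in input that comes from outside, which a scanner's XXE probes will then fail at the first byte of the DTD. The example below is added here and is not from the original post; it uses Python's standard expat binding, and the flat `{tag: text}` result shape and the sample documents are constructed for the illustration.

```python
"""Added example: parsing untrusted XML with DTD processing refused (XXE hardening)."""
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when a document uses features that enable external entity attacks."""


def parse_untrusted_xml(data: bytes) -> dict[str, str]:
    """Return {tag: concatenated text} for a flat document, refusing any DOCTYPE.

    Entity declarations live only inside the DTD, so rejecting the DOCTYPE as a
    whole stops external entities (local file reads, server-side fetches) and
    entity-expansion bombs before any of them is declared, let alone expanded."""
    parser = expat.ParserCreate()
    result: dict[str, str] = {}
    open_elements: list[str] = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at '<!DOCTYPE', before the internal subset is read
        raise UnsafeXML(f"DOCTYPE '{name}' is not accepted from untrusted input")

    def on_external_entity(context, base, sysid, pubid):
        # Defence in depth: expat leaves resolution to the application; returning 0
        # declines it explicitly, so nothing is fetched even if this is reached.
        return 0

    def on_start(name, attrs):
        open_elements.append(name)
        result.setdefault(name, "")

    def on_chars(text):
        if open_elements:
            result[open_elements[-1]] += text

    def on_end(name):
        open_elements.pop()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.EndElementHandler = on_end
    parser.Parse(data, True)
    return result


def parse_or_reject(data: bytes) -> tuple[str, object]:
    """Request-handler style wrapper: ("ok", dict) or ("rejected", reason)."""
    try:
        return ("ok", parse_untrusted_xml(data))
    except (UnsafeXML, expat.ExpatError) as exc:
        # A real handler logs 'exc' and answers 400; the DOCTYPE rejections are
        # the events a detection rule should count, since normal clients never send one.
        return ("rejected", str(exc))


# Constructed sample documents: a plain order, and one that carries a (harmless,
# internal) DTD, which is still refused because the DTD is where XXE starts.
SAFE_DOC = b"<order><id>42</id><item>widget</item></order>"
DTD_DOC = b'<!DOCTYPE order [<!ENTITY greet "hello">]><order><id>&greet;</id></order>'

if __name__ == "__main__":
    print(parse_or_reject(SAFE_DOC))
    print(parse_or_reject(DTD_DOC))
```

The same policy is what libraries such as defusedxml enforce for the higher-level ElementTree and DOM APIs; whichever parser the application uses, the check to look for in a review is "is DOCTYPE handling disabled for input from the network".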
