Grendel Web Vulnerability Scanner
Description:
Grendel-Scan is an open source tool for testing the security of web applications. It incorporates automated test modules that detect the classic vulnerabilities web applications may be exposed to, and its features are designed to assist manual penetration testing. The only system prerequisite is Java 5 (minimum); versions of the tool are available for Windows, Linux and Macintosh.
Among the features offered by Grendel-Scan, here are a few:
Internal proxy for testing / interception
HTTP request fuzzer
Manual requests
HTML (form-based) authentication with multiple user accounts
Blocking of parameters in requests
Whitelist and blacklist of URLs
Known session ID names
In addition, it has modules for the following tests:
SQL Injection
Error control
SQL tautologies (experimental)
CRLF injection
Cross-site request forgery
Generic fuzzing
robots.txt
Cross-site tracing
...
Opinion of the contributor
Grendel-Scan runs smoothly on the test platform. Setting up a test presents no particular difficulty.
As for the relevance of the results, it varies depending on the module (little detection of SQL injection or XSS, for example), which still limits the interest of the scanner compared with some of its "competitors".
A yellow card for the report, which is not "user-friendly" and gives no way of knowing at the outset the different blocks that compose it. We also regret having to generate the report to view the results, because it is the only form of presentation.
However, this tool can be used to consolidate results, for example.
NB: It is possible to use Grendel-Scan as a classic application proxy: capture, alteration and generation of HTTP requests.
Commands:
cd /pentest/web/grendel-scan
/pentest/web/grendel-scan# ls
/pentest/web/grendel-scan# sh grendel.sh
Enjoy!