find_vhosts

This plugin uses the HTTP Host header to find new virtual hosts. For example, if the intranet page is hosted in the same server that the public page, and the web server is misconfigured, this plugin will discover that virtual host. Please note that this plugin doesnt use any DNS technique to find...

hash_analysis

This plugin identifies hashes in HTTP responses. Plugin type Grep Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres always the source code to understand exactly whats under the hood: Plugin source code...

phishtank

This plugin searches the domain being tested in the phishtank database. If your site is in this database the chances are that you were hacked and your server is now being used in phishing attacks. Plugin type Crawl Options This plugin doesnt have any user configured options. Source For more...

ghdb

This plugin finds possible vulnerabilities using google. One configurable parameter exist: resultlimit Using the google hack database released by Exploit-DB.com, this plugin searches Google for possible vulnerabilities in the target domain. Special thanks go to the guys at...

hmap

This plugin fingerprints the remote web server and tries to determine the server type, version and patch level. It uses fingerprinting, not just the Server header returned by remote server. This plugin is a wrapper for Dustin Lees hmap. One configurable parameters exist: genFpF If genFpF is set t...

generic

This plugin finds all kind of bugs without using a fixed database of errors. This is a new kind of methodology that solves the main problem of most web application security scanners. Plugin type Audit Options Name | Type | Default Value | Description | Help ---|---|---|---|--- diffratio | float |...

dav

This plugin finds WebDAV configuration errors. These errors are generally server configuration errors rather than a web application errors. To check for vulnerabilities of this kind, the plugin will try to PUT a file on a directory that has WebDAV enabled, if the file is uploaded successfully, th...

blind_sqli

This plugin finds blind SQL injections using two techniques: time delays and true/false response comparison. Only one configurable parameters exists: eqlimit Plugin type Audit Options Name | Type | Default Value | Description | Help ---|---|---|---|--- eqlimit | float | 0.9 | String equal ratio 0...

error_pages

This plugin scans every page for error pages, and if possible extracts the web server or programming framework information. Plugin type Grep Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres always the sourc...

find_captchas

This plugin finds any CAPTCHA images that appear on a HTML document. The crawl is performed by requesting the document two times, and comparing the image hashes, if they differ, then they may be a CAPTCHA. Plugin type Crawl Options This plugin doesnt have any user configured options. Source For...

backspace_between_dots

This evasion plugin inserts an A and a backspace control character between dots which cancel each other when they are processed and some filters that match ../ are bypassed. Example: Input: ../../etc/passwd Output: .%41%08./.%41%08./etc/passwd Plugin type Evasion Options This plugin doesnt have a...

http_auth_detect

This plugin greps every page and finds responses that indicate that the resource requires authentication. Plugin type Grep Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres always the source code to understa...

preg_replace

This plugin will find pregreplace vulnerabilities. This PHP function is vulnerable when the user can control the regular expression or the content of the string being analyzed and the regular expression has the e modifier. Right now this plugin will only find pregreplace vulnerabilities when PHP ...

shift_out_in_between_dots

This evasion plugin insert between dots shift-in and shift-out control characters which are cancelled each other when they are below so some ".." filters are bypassed Example: Input: ../../etc/passwd Output: .%0E%0F./.%0E%0F./etc/passwd Plugin type Evasion Options This plugin doesnt have any user...

dom_xss

This plugin greps every page for traces of DOM XSS. An interesting paper about DOM XSS can be found here: http://www.webappsec.org/projects/articles/071105.shtml Plugin type Grep Options This plugin doesnt have any user configured options. Source For more information about this plugin and the...

user_defined_regex

This plugin greps every response for a user defined regex. You can specify a single regex or an entire file of regexes each line one regex, if both are specified, the singleregex will be added to the list of regular expressions extracted from the file. A list of example regular expressions can be...

strange_http_codes

Analyze HTTP response codes sent by the remote web application and report uncommon findings. Plugin type Grep Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres always the source code to understand exactly...

favicon_identification

This plugin identifies software version using favicon.ico file. It checks MD5 of favicon against the MD5 database of favicons. See also: http://www.owasp.org/index.php/Category:OWASPFaviconDatabaseProject http://kost.com.hr/favicon.php Plugin type Infrastructure Options This plugin doesnt have an...

robots_txt

This plugin searches for the robots.txt file, and parses it. This file is used to as an ACL that defines what URLs a search engine can access. By parsing this file, you can get more information about the target web application. Plugin type Crawl Options This plugin doesnt have any user configured...

dot_net_errors

Request specially crafted URLs that generate ASP.NET errors in order to gather information like the ASP.NET version. Some examples of URLs that generate errors are: default|.aspx default.aspx Plugin type Infrastructure Options This plugin doesnt have any user configured options. Source For more...

php_eggs

This plugin tries to find the documented easter eggs that exist in PHP and identify the remote PHP version using the easter egg content. The easter eggs that this plugin verifies are: PHP Credits, Logo, Zend Logo, PHP Logo 2: http://php.net/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000...

xpath

This plugin finds XPATH injections. To find this vulnerabilities the plugin sends the string "dz0" to every injection point, and searches the response for XPATH errors. Plugin type Audit Options This plugin doesnt have any user configured options. Source For more information about this plugin and...

error_500

This plugin greps every page for error 500 pages that havent been caught by other plugins. By enabling this, you are enabling a "safety net" that will catch all interesting HTTP responses which might lead to a bug or vulnerability. Plugin type Grep Options This plugin doesnt have any user...

lfi

This plugin will find local file include vulnerabilities. This is done by sending to all injectable parameters file paths like "../../../../../etc/passwd" and searching in the response for strings like "root:x:0:0:". Plugin type Audit Options This plugin doesnt have any user configured options...

form_auth

This plugin bruteforces form authentication logins. Eleven configurable parameters exist: usersFile stopOnFirst passwdFile passEqUser useLeetPasswd useMailUsers useSvnUsers useMails useProfiling profilingNumber comboFile comboSeparator This plugin will take users from the file pointed by...

find_jboss

This plugin identifies JBoss installation directories and possible security vulnerabilities. Plugin type Infrastructure Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres always the source code to understand...

svn_users

This plugin greps every page for users of the versioning system. Sometimes the HTML pages are versioned using CVS or SVN, if the header of the versioning system is saved as a comment in this page, the user that edited the page will be saved on that header and will be added to the knowledge base...

response_splitting

This plugin will find response splitting vulnerabilities. The detection is done by sending "w3af\r\nVulnerable: Yes" to every injection point, and reading the response headers searching for a header with name "Vulnerable" and value "Yes". Plugin type Audit Options This plugin doesnt have any user...

un_ssl

This plugin verifies that URLs that are available using HTTPS arent available over an insecure HTTP protocol. To detect this, the plugin simply requests "https://abc/a.asp" and "http://abc.asp" and if both are equal, a vulnerability is found. Plugin type Audit Options This plugin doesnt have any...

shared_hosting

This plugin tries to find out if the web application under test is stored in a shared hosting. The procedure is pretty simple, using bing search engine, the plugin searches for "ip:1.2.3.4" where 1.2.3.4 is the IP address of the webserver. One configurable option exists: resultlimit Fetch the fir...

private_ip

This plugin greps every page body and headers for private IP addresses. Plugin type Grep Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres always the source code to understand exactly whats under the hood:...

rnd_path

This evasion plugin adds a random path to the URI. Example: Input: /bar/foo.asp Output : /aflsasfasfkn/../bar/foo.asp Plugin type Evasion Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres always the source...

html_comments

This plugin greps every page for HTML comments, special comments like the ones containing the words "password" or "user" are specially reported. Plugin type Grep Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests,...

http_in_body

This plugin searches for HTTP responses that contain other HTTP request/responses in their response body. This situation is mostly seen when programmers enable some kind of debugging for the web application, and print the original request in the response HTML as a comment. Plugin type Grep Option...

ajax

This plugin greps every page for traces of Ajax code. Plugin type Grep Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres always the source code to understand exactly whats under the hood: Plugin source code...

wsdl_finder

This plugin finds new web service descriptions and other web service related files by appending "?WSDL" to all URLs and checking the response. Plugin type Crawl Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests,...

detailed

This authentication plugin can login to web application with more detailed and complex authentication schemas where the generic plugin does not work. Nine configurable parameters exist: username password usernamefield passwordfield dataformat authurl method checkurl checkstring Plugin type Auth...

bing_spider

This plugin finds new URLs in Bing search engine. One configurable parameters exist: resultlimit This plugin searches Bing for : "site:domain.com", requests all search results and parses them in order to find new URLs. Plugin type Crawl Options Name | Type | Default Value | Description | Help...

basic_auth

This plugin bruteforces basic authentication logins. Nine configurable parameters exist: usersFile stopOnFirst passwdFile passEqUser useLeetPasswd useSvnUsers useEmails useProfiling profilingNumber This plugin will take users from the file pointed by "usersFile", mail users found on the site and...

frontpage

This plugin audits the frontpage extension configuration by trying to upload a file to the remote server using the author.dll script provided by FrontPage. Plugin type Audit Options Name | Type | Default Value | Description | Help ---|---|---|---|--- stopOnFirst | boolean | True | Stop on the fir...

http_vs_https_dist

This plugin analyzes the network distance between the HTTP and HTTPS ports giving a detailed report of the traversed hosts in transit to target:port. You should have root/admin privileges in order to run this plugin succesfully. Explicitly declared ports on the entered target override those...

zone_h

This plugin searches the zone-h.org defacement database and parses the result. The information stored in that database is useful to know about previous defacements to the target website. In some cases, the defacement site provides information about the exploited vulnerability, which may be still...

web_diff

This plugin tries to do a diff of two directories, a local and a remote one. The idea is to mimic the functionality implemented by the linux command "diff" when invoked with two directories. Four configurable parameter exist: localdir remoteurlpath bannedext content This plugin will read the file...

fingerprint_os

This plugin fingerprints the remote web server and tries to determine the Operating System family Windows, Unix, etc.. The fingerprinting is at this moment really trivial, because it only uses one technique: windows path separator in the URL. For example, if the input URL is...

file_upload

This plugin greps every page for forms with file upload capabilities. Plugin type Grep Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres always the source code to understand exactly whats under the hood:...