Uniscan is a vulnerability scanner for Web applications, written in Perl for the Linux environment. It was developed as the final project of the computer science course at the Universidade Federal do Pampa. Uniscan is currently at version 6.2. The features of Uniscan are listed below.
Checking directories:
Directory checking is used to discover hidden directories, that is, directories with no link pointing to them. Directories that the crawler cannot find would never be tested; this check feeds the crawler with them and prevents that problem from occurring.
Checking files:
File checking follows the same principle as directory checking.
Checking the robots.txt file:
The robots.txt check feeds the crawler with directories and files that it might otherwise not find. It ignores the Allow and Disallow semantics of this file type: any directory or file named there is added to the crawler.
Sitemap.xml file check
The sitemap.xml check follows the same principle as the robots.txt check.
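The seeding described in the two checks above, as an added example that is not Uniscan's own code: every Allow, Disallow and Sitemap entry in robots.txt, and every `<loc>` in sitemap.xml, becomes a crawler seed regardless of what the directive meant. The file contents and the host `example.test` are constructed.

```python
"""Extract crawler seeds from robots.txt and sitemap.xml.
Added example, not Uniscan's own code. As the text describes, Allow/Disallow
semantics are ignored: every path named in either directive becomes a seed."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

# Constructed sample inputs standing in for files fetched from the target.
ROBOTS_TXT = """User-agent: *
Disallow: /admin/
Disallow: /backup/db.sql.bak
Allow: /public/
Sitemap: https://example.test/sitemap.xml
"""

SITEMAP_XML = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.test/news/</loc></url>
  <url><loc>https://example.test/old/login.php</loc></url>
</urlset>"""

def seeds_from_robots(base, text):
    """Absolute URLs for every Allow/Disallow path, plus any Sitemap URLs."""
    seeds = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"(?i)(allow|disallow|sitemap)\s*:\s*(\S+)", line)
        if not m:
            continue
        value = m.group(2)
        # "/" means the whole site; wildcard patterns are not fetchable paths
        if value == "/" or "*" in value or "$" in value:
            continue
        seeds.append(urljoin(base, value))
    return seeds

def seeds_from_sitemap(xml_text):
    """Every <loc> in a urlset or sitemapindex, whatever the namespace."""
    root = ET.fromstring(xml_text)
    return [el.text.strip() for el in root.iter()
            if (el.tag == "loc" or el.tag.endswith("}loc")) and el.text]

def crawler_seeds(base, robots_text, sitemap_text):
    """Merge both sources, keeping order and dropping duplicates."""
    seen, out = set(), []
    for url in seeds_from_robots(base, robots_text) + seeds_from_sitemap(sitemap_text):
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out

if __name__ == "__main__":
    for url in crawler_seeds("https://example.test/", ROBOTS_TXT, SITEMAP_XML):
        print(url)
```

Running it against your own site shows exactly which "hidden" paths a scanner learns from these two files.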
Crawler:
The crawler navigates the target site to find pages that are subsequently run through the tests, and to collect sensitive information along the way.
Settings:
* max_threads: maximum number of concurrent threads browsing the target.
* max_reqs: maximum number of requests the crawler may make.
* variation: the maximum number of variations of a page that the crawler will follow.
* extensions: the file extensions that should not be downloaded from the Web server; skipping them saves memory and bandwidth.
* show_ignored: if set to 1, the files skipped by the crawler because of the extensions setting are shown.
* show_images: if set to 1, the URL of every image the crawler found on the target site is shown.
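An added example, not Uniscan's crawler, showing how a crawler frontier can enforce the settings above. It assumes that "variation" means the number of distinct query strings kept for one path, and that `show_ignored` only affects reporting; the URLs are constructed.

```python
"""Crawler frontier honouring max_reqs, variation, extensions and show_ignored.
Added example, not Uniscan's own crawler. 'variation' is read here as the
number of query-string variants kept per path (an assumption)."""
from urllib.parse import urlparse

class Frontier:
    def __init__(self, target_host, max_reqs=100, variation=3,
                 extensions=("jpg", "png", "gif", "css", "pdf", "zip"),
                 show_ignored=False):
        self.host, self.max_reqs, self.variation = target_host, max_reqs, variation
        self.extensions = {e.lower() for e in extensions}
        self.show_ignored = show_ignored
        self.queue, self.seen, self.ignored = [], set(), []
        self.variants = {}          # path -> number of query-string variants queued
        self.requests = 0           # requests handed out so far

    def offer(self, url):
        """Queue url if the settings allow it; return True when it was queued."""
        p = urlparse(url)
        if p.hostname != self.host or url in self.seen:
            return False            # off-target or already known
        last = p.path.rsplit("/", 1)[-1]
        ext = last.rsplit(".", 1)[-1].lower() if "." in last else ""
        if ext in self.extensions:
            self.ignored.append(url)
            if self.show_ignored:
                print("ignored:", url)
            return False
        if p.query:                 # cap variations of the same page
            n = self.variants.get(p.path, 0)
            if n >= self.variation:
                return False
            self.variants[p.path] = n + 1
        self.seen.add(url)
        self.queue.append(url)
        return True

    def next_url(self):
        """Next URL to fetch, or None once max_reqs is reached or queue is empty."""
        if self.requests >= self.max_reqs or not self.queue:
            return None
        self.requests += 1
        return self.queue.pop(0)
```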
Plug-ins:
A great deal of sensitive information, and even vulnerabilities, can be identified during this phase of the scan, so Uniscan has a system of plug-ins specific to the crawler.
* checkUploadForm.pm: identifies file upload forms. Uploaded files are often not validated, which poses a serious risk to the server hosting the target site.
* codeDisclosure.pm: searches for snippets of programming-language code in the HTML sent by the Web application. Code left in an HTML comment is potentially harmful to the security of the application, because even a small piece of code can reveal variables and values relevant to the system, such as old database passwords.
* emailColect.pm: collects the e-mail addresses found in the HTML sent by the target application. The e-mail alias often matches the user name used in other services, such as SSH, which makes a brute-force attack on that service much simpler.
* externalHost.pm: identifies links to websites other than the target. With this plug-in we discover applications or connections between the target site and other organizations.
* FCKeditor.pm: tries to upload a txt file to the target site when it finds a directory containing the FCKeditor scripts. Arbitrary file upload is extremely harmful to the server hosting the Web application.
* phpinfo.pm: identifies pages that use the PHP function phpinfo(). This function shows an attacker a great deal of sensitive information about the server environment. Such information should not be accessible to anyone but the Web application's development team.
* Timthumb.pm: identifies Timthumb files whose version is lower than 1.33 and therefore vulnerable. Through this vulnerability it is possible to upload files and run commands on the target server.
* webShellDisclosure.pm: attempts to identify web shells hidden in the directories of the Web application under analysis. It is recommended to use this plug-in when some form of unauthenticated file upload has been identified or when the target host has been compromised in any way.
All of the plug-ins above run during the crawler's execution; their results are presented to the user only after the crawler's sweep has finished.
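The passive checks that checkUploadForm.pm, codeDisclosure.pm, emailColect.pm and externalHost.pm perform on each crawled page, as an added example that is not Uniscan's own code. The page body, the code-hint patterns and the host `example.test` are constructed; run it over your own pages to see what a crawler would pick up.

```python
"""Passive checks over one fetched page: upload forms, code left in HTML
comments, e-mail addresses and links to external hosts.
Added example, not Uniscan's own plug-ins; patterns and sample HTML are constructed."""
import re
from urllib.parse import urlparse

# Constructed sample response body.
SAMPLE_HTML = """<html><body>
<!-- TODO remove: $db = mysql_connect('localhost', 'app', 'Old#Pass2011'); -->
<form action="/upload.php" method="post" enctype="multipart/form-data">
  <input type="file" name="doc"></form>
<a href="mailto:jsmith@example.test">contact</a>
<a href="https://partner.example.org/sso">partner login</a>
<a href="/about.html">about</a>
</body></html>"""

# Fragments that suggest server-side code rather than prose (assumed list).
CODE_HINTS = re.compile(
    r"<\?php|\$\w+\s*=|mysql_connect\(|SELECT\s.+\sFROM|function\s+\w+\(", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def find_upload_forms(html):
    """Forms that accept files: multipart encoding or an <input type=file>."""
    forms = re.findall(r"<form\b[^>]*>.*?</form>", html, re.S | re.I)
    return [f for f in forms
            if re.search(r"multipart/form-data|type\s*=\s*[\"']?file", f, re.I)]

def find_code_in_comments(html):
    """HTML comments whose text looks like leftover code."""
    comments = re.findall(r"<!--(.*?)-->", html, re.S)
    return [c.strip() for c in comments if CODE_HINTS.search(c)]

def find_emails(html):
    return sorted(set(EMAIL_RE.findall(html)))

def find_external_hosts(html, target_host):
    """Hosts linked from the page that are not the target itself."""
    hrefs = re.findall(r"href\s*=\s*[\"']([^\"']+)", html, re.I)
    hosts = {urlparse(h).hostname for h in hrefs}       # None for relative/mailto
    return sorted(h for h in hosts if h and h != target_host)

def analyse_page(html, target_host):
    return {
        "upload_forms": find_upload_forms(html),
        "code_comments": find_code_in_comments(html),
        "emails": find_emails(html),
        "external_hosts": find_external_hosts(html, target_host),
    }
```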
Test engine:
The Uniscan test engine is responsible for all tests conducted by the tool. They are divided into dynamic tests and static tests.
Dynamic tests: the dynamic methodology tests all files and variables that were found by the crawler.
Static tests: the static methodology scans using repositories of known vulnerable files. It is useful when the target site runs an off-the-shelf system such as WordPress, Drupal or Joomla, because known files and variables that the crawler would never find can be registered in the repositories and tested anyway.
Dynamic Plug-ins:
* 9_directoryAdd.pm: receives the list of all URLs found by the crawler and checks whether any directory in that list is missing from the Directory file. Missing directories are added to the file so that they can be tested in future scans.
* checkBackup.pm: receives the list of URLs found by the crawler and searches the target site for backup files. Backup files are generated by text editors when a file is changed. They are sometimes forgotten on the web server, which is a huge security risk, since these files may contain information such as the user name and password of the Web application's database.
* checkBlindSQLI.pm: tests all variables and pages returned by the crawler for blind SQL injection of the integer and string types. This vulnerability is commonly found in Web applications because the parameters passed to their pages are not correctly validated.
* checkLFI.pm: receives the crawler's list of URLs and tests for local file inclusion. Besides including configuration files and exposing sensitive data, this vulnerability can also allow commands to be run on the server hosting the Web application.
* checkPHPCGI.pm: tests all PHP pages received from the crawler for source code disclosure. Besides displaying the source code of the PHP page, this vulnerability allows commands to be executed on the server hosting the vulnerable application.
* checkRCE.pm: tests all variables and pages received from the crawler for vulnerabilities that execute commands on the host server.
* checkRFI.pm: tests each variable of each page for remote file inclusion. It tries to include the c.txt file hosted on the Uniscan website; if the file is included, the Web application is vulnerable.
* checkSQLI.pm: tests all variables of the pages found by the crawler for SQL injection. Data is injected into each variable's value in order to provoke syntax errors in the SQL queries, which reveal the vulnerability.
* checkXSS.pm: tests the pages for cross-site scripting vulnerabilities.
* FCKeditor.pm: based on the URLs received from the crawler, searches for directories that might contain the FCKeditor scripts. When it finds one, it tries to upload a txt file to the server; if that succeeds, the vulnerability is reported.
* Timthumb.pm: searches every directory of the web application for the timthumb.php file. If one with a version lower than 1.33 is found, the URL of the file is shown.
* webShell.pm: searches all directories of the web application for several file names typical of web shells. When one is found, the URL of the likely web shell is shown.
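The defender-side counterpart of checkBackup.pm, as an added example that is not Uniscan's own code: walk the document root on the server itself and list leftover editor backup files before a scanner finds them over HTTP. The pattern list and the constructed temporary webroot are assumptions.

```python
"""List editor backup files left inside a web document root.
Added example, not Uniscan's own code; the pattern list is an assumption."""
import os
import re
import tempfile

# Names that common editors leave behind (assumed list, not from Uniscan).
BACKUP_PATTERNS = [
    re.compile(r".*~$"),                                   # vim/emacs/nano backup
    re.compile(r".*\.(bak|old|orig|save|swp|swo|tmp)$", re.I),
    re.compile(r"^\.#.*$"),                                # emacs lock files
    re.compile(r"^#.*#$"),                                 # emacs autosave
    re.compile(r".*\.(php|inc|conf|sql)\.(txt|copy|bkp)$", re.I),
]

def is_backup_name(name):
    return any(p.match(name) for p in BACKUP_PATTERNS)

def find_backup_files(webroot):
    """Return web-relative paths of files that look like editor backups."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if is_backup_name(name):
                rel = os.path.relpath(os.path.join(dirpath, name), webroot)
                hits.append("/" + rel.replace(os.sep, "/"))
    return sorted(hits)

def demo_webroot():
    """Build a constructed document root in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "inc"))
    for rel in ["index.php", "inc/config.php", "inc/config.php~",
                "inc/config.php.bak", "inc/.config.php.swp", "style.css"]:
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("x")
    return root

if __name__ == "__main__":
    for path in find_backup_files(demo_webroot()):
        print("backup left in webroot:", path)
```

Every path it prints is one that checkBackup.pm could reach by simply appending the same suffixes to the URLs the crawler already knows.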
Static Plug-ins:
* checkLFI.pm: tests for the Local File Include vulnerability using the LFI file repository.
* checkPUT.pm: uses the PUT method to try to send a text file to the root of the target site; if the file is created, the site is vulnerable.
* checkRCE.pm: uses the same principle as the checkLFI.pm plug-in, but for the Remote Command Execution vulnerability; its repository is the CER file.
* checkRFI.pm: uses the same principle as the checkLFI.pm plug-in, but for the Remote File Include vulnerability; its repository is the RFI file.
Stress engine:
The stress engine is responsible for loading and executing the stress-test plug-ins.
Currently the stress engine has only one plug-in.
Plug-ins of stress:
* miniStress.pm: receives the list of URLs found by the crawler and calculates the cost of each page; the cost varies with the page's processing time and the amount of data it sends. The URL with the highest cost is chosen for the test. The test consists of firing 50 threads at that URL for a predetermined time, in order to check the stability of the server hosting the Web application.