Grendel-Scan: A New Web Application Scanning Tool

Presented at DEF CON 16 (2008), Aug. 9, 2008, 5 p.m. (50 minutes)

While commercial web application scanners have been available for quite a while, the selection of open source tools has been limited. Grendel-Scan is a new tool that aims to provide in-depth application assessment. Written entirely in Java and featuring an easy-to-use GUI, the tool is intended to be useful to people from a wide variety of technical backgrounds, from IT security managers to experienced penetration testers. Grendel-Scan can test for authentication and authorization bypass, SQL injection (blind and error-based), XSS, CRLF injection / response splitting, session key strength, session fixation, file/directory/backup enumeration, directory indexing, web server misconfiguration, and other vulnerabilities. Exploration of the web application can be accomplished through an embedded proxy server, via automated spidering, or via search engine reconnaissance. The accuracy of the testing is increased by powerful features such as automatic detection and correction of logged-out sessions, heuristic file-not-found detection, and an embedded HTML DOM parser and JavaScript engine for full page analysis. Grendel-Scan was architected with extensibility in mind. Powerful libraries offering features such as input/output tracing, session tracking, and HTML DOM comparisons make the development of new test modules much easier. The presentation will feature an overview of the application's design, results of comparative analysis against similar tools, and a live demonstration of the tool using a real application (not an intentionally vulnerable app).

Presenters:

  • Eric Duprey - Senior Security Engineer, Dish Network
    Eric Duprey is a Senior Security Engineer with Dish Network and leader of the Denver chapter of OWASP.
  • David Byrne - Security Consultant, Trustwave
    David Byrne is a penetration tester in Trustwave's SpiderLabs division. David was also the founder of the Denver chapter of the Open Web Application Security Project (OWASP).
