Summary
A full-stack FastAPI and React tool for automated penetration testing of publicly available websites. The backend allows any penetration test to be added, no matter what language it is written in.
Disclaimer: Only use this tool on websites and domains that you own!
Capabilities and Test Results
- Universal Penetration Test Management
- Score for Overall Security Posture
- Server Side Software Recognition
- CVE Vulnerability Check for Recognized Server Side Software
- ZAP Penetration Test
- Open Ports Check
- Proper SSL Implementation Check
- A Record IP Check


User Authentication
The user registers or logs in to a user account through the frontend. This information is passed to the backend, and once all validation checks pass, the backend responds with a JWT. The frontend then uses this JWT for any future user-related tasks, such as starting a new penetration test or retrieving past penetration tests. The frontend also stores the JWT in an HttpOnly (so that scripts injected through XSS cannot read it) and Secure cookie.
Backend Explained
The project uses FastAPI, a Python framework that allows for very quick API implementation and validation. Python also makes it easy to execute operating system commands, for example the “nmap” command on Linux to find open ports. This greatly helps with adding tried and tested penetration testing programs. If no program is available, the test can simply be written from scratch in Python.
Object-oriented programming is used so that penetration tests can be added or removed. When a penetration test finishes, it returns its results as a fixed-structure JSON response so that they can easily be rendered on the React frontend.
The vulnerability score is calculated on the backend and is out of 10. The higher the score, the better the security; the lower the score, the worse the security. There is a base test, which gives key background information, and then there are the other penetration tests that can be added. They must provide their own score.
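An added example, not the project's own code, of the backend structure described above: a pluggable test class that runs nmap, returns a fixed-structure JSON result with its own score out of 10, and validates the target before it reaches the command line. The class names, JSON field names, scoring rule and hostname check are assumptions made for illustration.

```python
import json, re, subprocess
from abc import ABC, abstractmethod
from dataclasses import dataclass, asdict, field
# Plain DNS names only: no shell metacharacters, no leading "-" (option injection).
HOSTNAME_RE = re.compile(r"(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")
# Constructed sample of nmap's normal output, for running the example offline.
SAMPLE_NMAP_OUTPUT = """PORT     STATE  SERVICE
22/tcp   open   ssh
443/tcp  open   https
3306/tcp closed mysql
"""

@dataclass
class ScanResult:  # fixed structure every test returns (field names are assumed)
    name: str
    score: float  # 0 to 10, higher is better
    findings: list = field(default_factory=list)

class PenTest(ABC):
    @abstractmethod
    def run(self, target: str) -> ScanResult: ...

def run_command(argv):
    # List argv with no shell: the target is one argument, never parsed by a shell.
    return subprocess.run(argv, capture_output=True, text=True, timeout=300).stdout

class OpenPortsTest(PenTest):
    name = "open_ports"
    def __init__(self, runner=run_command):
        self.runner = runner  # injectable so the parser can be tested without nmap
    def run(self, target):
        out = self.runner(["nmap", target])
        ports = [int(m.group(1)) for m in re.finditer(r"^(\d+)/tcp\s+open\s", out, re.M)]
        extra = [p for p in ports if p not in (80, 443)]  # web ports are expected
        score = max(0.0, 10.0 - 2.0 * len(extra))  # assumed scoring rule
        return ScanResult(self.name, score, [f"open tcp port {p}" for p in ports])

class ScanManager:
    def __init__(self):
        self.tests = {}
    def add(self, test):
        self.tests[test.name] = test
    def remove(self, name):
        self.tests.pop(name, None)
    def run_all(self, target):
        target = target.strip().lower()
        if not HOSTNAME_RE.fullmatch(target):
            raise ValueError("target must be a plain hostname")
        return json.dumps([asdict(t.run(target)) for t in self.tests.values()])
```

Passing `runner=lambda argv: SAMPLE_NMAP_OUTPUT` to `OpenPortsTest` exercises the parser and scoring without running nmap.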

Base test with a low security score of 2.2/10 and the ZAP security test with a higher, better security score of 7/10. The base test scores lower because it could find critical-level vulnerabilities that the ZAP test could not find. This highlights the importance of having more than one penetration test implemented.
Frontend Explained
The frontend uses React to handle the user session and the rendering of penetration test results.

