Penetration Scan Test Report

Uploaded by: m**** Document no.: 186945223 Uploaded: 2023-02-10 Format: DOCX Pages: 12 Size: 31.15KB

Penetration Scan Test Report

1. Test objective
Use the existing WebTool to carry out a good-faith penetration scan of the targets WebGoat-5.1 and insecure, locate the exploitable vulnerabilities, and submit a detailed test report.

2. Test configuration
Test environment:
CPU: Pentium(R) 2.8GHz
Memory: 1GB
NIC: 100Mbps
Operating system: Windows XP Service Pack 2
Tool version: WebTool 1.0
Test targets:
WebGoat-5.1: http://localhost:8080/WebGoat-5.1/attack
insecure, before login: http://localhost:8080/insecure/public/index.jsp
insecure, after login: http://localhost:8080/insecure/secure/index.jsp

3. Testing WebGoat
Test steps:
3.1 Install WebGoat:
3.1.1 Go to the webapps directory under the Tomcat installation directory and copy WebGoat-5.1.war into it.
3.1.2 Restart Tomcat, open a browser and enter http://localhost:8080/WebGoat-5.1/attack; the WebGoat login dialog appears.
3.1.3 In the login dialog enter the username guest and the password guest and click "OK" to reach the WebGoat start page.
3.1.4 Click "Start WebGoat" at the bottom centre of the page to enter the WebGoat page.
3.2 Open the WebTool system and enter the WebTool work interface. Method 1: double-click the WebTool icon on the desktop. Method 2: Start - All Programs - WebTool - WebTool.
3.3 In the task name field enter "WebGoat1", and in the URL field enter the site to be scanned: http://localhost:8080/WebGoat-5.1/attack
3.4 Click the "Advanced" button at the lower right of the main window and enter the scan parameters: local proxy address: localhost; local proxy port: 8080; leave the rest at their defaults. Click OK to apply this configuration and return to the main window.
3.5 Click "Next" to go to the next screen.
3.6 Click the "Browser login" button in the middle to open the WebTool Browser window; in the login dialog that pops up enter the username and password "guest" and click Login. The WebTool Browser window shows the OWASP WebGoat V5.1 page.
3.7 At the bottom centre of the OWASP WebGoat V5.1 page click "Start WebGoat" to enter the Start WebGoat page.
3.8 In the WebTool window click the "Start scan" button to enter the scan page; the site to be scanned is listed under "sites to scan" in the pre-scan window.
3.9 Start the pre-scan: select the site in the pre-scan window, then click the "Start pre-scan" button on the right.
3.10 Start the scan: the right side shows "Pre-scan complete" and the "Start scan" button becomes enabled; click "Start scan".
3.11 View results: when the scan completes, click the "Task management" button in the navigation bar to enter the task management screen, then click "View result file"; the result file result opens and the result information can be viewed.
3.12 Export results: select the scan task just completed and click "Export scan results"; a save dialog pops up. Choose the destination directory and file name for the result file and click "Save".

4. Analysis of the WebGoat test results
Each finding carries the scanner's own description for its type. The descriptions, which are identical for every row of a given type, are:
SQL Injection test N and HTTP Splitting 19: "that the application is redirecting your request to another resource on the server"
Cross site scripting N: "The user could be able to execute any command on the hosting OS."
Unchecked Link Tag 36: "The user could be able to send and obnoxious email message."
Clues in the HTML 3: "Developers are notorious for leaving statements like FIXMEs, Code Broken, Hack, etc. inside the source code. Review the source code for any comments denoting passwords, backdoors, or something doesnt work right."
Exploit Thread Safety Problems 18: "The user should be able to exploit the concurrency error in this web application and view login information for another user that is attempting the same function at the same time."

Vulnerable page | Type (rule no.) | Rule file
--- | --- | ---
http://localhost:8080/WebGoat-5.1/attack | SQL Injection test 20 | form1112_1616.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=50&menu=50 | SQL Injection test 30 | form1112_1620.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=75&menu=10 | SQL Injection test 20 | form1_1616.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=2&menu=50 | Cross site scripting 13 | form1_13.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=2&menu=50 | SQL Injection test 24 | form1112_1648.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=2&menu=50 | Unchecked Link Tag 36 | form1_1632.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=2&menu=50 | HTTP Splitting 19 | form1_568.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=112&menu=50 | SQL Injection test 28 | form1112_1624.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=105&menu=70 | SQL Injection test 28 | form1112_1624.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=105&menu=70 | Clues in the HTML 3 | form1_3.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=68&menu=80 | SQL Injection test 20 | form1112_1616.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=68&menu=80 | Exploit Thread Safety Problems 18 | form1_567.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=68&menu=80 | Cross site scripting 8 | form1_8.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=49&menu=80 | SQL Injection test 24 | form1112_1620.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=88&menu=110 | SQL Injection test 20 | form1112_1616.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=7&menu=110 | SQL Injection test 24 | form1112_1620.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=52&menu=110 | SQL Injection test 20 | form1112_1616.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=52&menu=110 | Cross site scripting 12 | form1_12.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=52&menu=110 | HTTP Splitting 19 | form1_568.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=17&menu=210 | SQL Injection test 30 | form1112_1626.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=17&menu=210 | Cross site scripting 11 | form1_11.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=17&menu=210 | Unchecked Link Tag 36 | form1_1632.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=17&menu=210 | HTTP Splitting 19 | form1_568.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=27&menu=210 | SQL Injection test 30 | form1112_1626.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=63&menu=210&stage=2 | SQL Injection test 311 | form1112_1643.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=63&menu=210&stage=3 | SQL Injection test 28 | form1_1624.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=63&menu=210&stage=4 | SQL Injection test 29 | form1112_1625.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=28&menu=210 | SQL Injection test 29 | form1112_1625.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=46&menu=310 | SQL Injection test 31 | form1112_1627.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=93&menu=310 | SQL Injection test 24 | form1112_1620.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=95&menu=320 | SQL Injection test 24 | form1112_1620.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=97&menu=320 | SQL Injection test 311 | form1112_1643.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=21&menu=410 | Cross site scripting 13 | form1_13.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=21&menu=410 | SQL Injection test 24 | form1112_1648.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=21&menu=410 | Unchecked Link Tag 36 | form1_1632.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=21&menu=410 | HTTP Splitting 19 | form1_568.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=57&menu=410&stage=1 | SQL Injection test 31 | form1112_1627.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=57&menu=410&stage=2 | SQL Injection test 28 | form1112_1624.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=57&menu=410&stage=3 | SQL Injection test 241 | form1112_1652.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=57&menu=410&stage=4 | SQL Injection test 241 | form1112_1636.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=57&menu=410&stage=5 | SQL Injection test 20 | form1_1616.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=57&menu=410&stage=6 | SQL Injection test 291 | form1112_1641.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=86&menu=410 | SQL Injection test 20 | form1112_1616.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=85&menu=410 | SQL Injection test 24 | form1112_1620.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=12&menu=410 | SQL Injection test 24 | form1112_1646.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=85&menu=410 | Cross site scripting 10 | form1_10.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=12&menu=410 | Exploit Thread Safety Problems 18 | form1_567.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=85&menu=410 | HTTP Splitting 19 | form1_568.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=111&menu=410 | SQL Injection test 24 | form1112_1620.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=111&menu=410 | Cross site scripting 10 | form1_10.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=111&menu=410 | Unchecked Link Tag 36 | form1_1632.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=111&menu=410 | HTTP Splitting 19 | form1_568.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=10&menu=510 | SQL Injection test 28 | form1112_1624.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=34&menu=610 | SQL Injection test 29 | form1112_1625.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=34&menu=610 | Cross site scripting 10 | form1_10.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=44&menu=610 | SQL Injection test 30 | form1112_1626.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=44&menu=610 | Cross site scripting 14 | form1_14.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=44&menu=610 | Unchecked Link Tag 36 | form1_1632.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=44&menu=610 | HTTP Splitting 19 | form1_568.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=114&menu=610 | SQL Injection test 24 | form1112_1620.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=114&menu=610 | Cross site scripting 15 | form1_15.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=114&menu=610 | Unchecked Link Tag 36 | form1_1632.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=114&menu=610 | HTTP Splitting 19 | form1_568.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=5&menu=610 | SQL Injection test 24 | form1112_1646.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=91&menu=610&stage=1 | SQL Injection test 201 | form1112_1632.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=91&menu=610&stage=2 | SQL Injection test 29 | form1112_1625.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=91&menu=610&stage=3 | SQL Injection test 28 | form1112_1624.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=91&menu=610&stage=4 | SQL Injection test 311 | form1112_1643.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=100&menu=610 | SQL Injection test 241 | form1112_1636.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=100&menu=610 | Cross site scripting 11 | form1_11.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=100&menu=610 | Unchecked Link Tag 36 | form1_1632.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=42&menu=610 | SQL Injection test 24 | form1112_1620.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=42&menu=610 | Cross site scripting 13 | form1_13.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=42&menu=610 | HTTP Splitting 19 | form1_568.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=103&menu=710 | SQL Injection test 28 | form1_1624.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=38&menu=810 | SQL Injection test 20 | form1112_1616.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=38&menu=810 | Cross site scripting 15 | form1_15.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=38&menu=810 | Unchecked Link Tag 36 | form1_1632.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=38&menu=810 | HTTP Splitting 19 | form1_568.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=41&menu=910 | SQL Injection test 29 | form1112_1625.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=41&menu=910 | Cross site scripting 13 | form1_13.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=41&menu=910 | Unchecked Link Tag 36 | form1_1632.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=41&menu=910 | HTTP Splitting 19 | form1_568.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=98&menu=1010 | SQL Injection test 31 | form1112_1627.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=54&menu=1110 | SQL Injection test 20 | form1112_1616.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=64&menu=1110 | SQL Injection test 30 | form1112_1626.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=15&menu=1110 | SQL Injection test 241 | form1112_1652.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=36&menu=1110 | SQL Injection test 24 | form1112_1620.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=36&menu=1110 | Cross site scripting 12 | form1_12.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=36&menu=1110 | Unchecked Link Tag 36 | form1_1632.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=36&menu=1110 | HTTP Splitting 19 | form1_568.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=9&menu=1150 | SQL Injection test 24 | form1112_1620.xml
http://localhost:8080/WebGoat-5.1/attack?Screen=25&menu=1150 | SQL Injection test 311 | form1112_1643.xml
http://192.168.100.64:8080/WebGoat-5.1/attack?Screen=107&menu=1150 | SQL Injection test 31 | form1_1627.xml

Result analysis:
Type | Count
--- | ---
SQL Injection | 50
HTTP Splitting | 11
Unchecked Link Tag | 9
Cross site scripting | 13
Total | 94

5. Testing insecure before login
Test steps:
5.
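An added example, not from the report or from the WebTool product: a short Python script that takes findings in the three-column layout of the section 4 table (page URL, type label ending in a rule number, rule file), counts them per type and per WebGoat lesson (the Screen and menu query parameters), flags any host other than the configured target, and checks a claimed summary table against the rows. The sample rows are a constructed subset written in the report's format.

```python
"""Aggregate scanner findings laid out as in section 4 of this report and
check a claimed per-type summary against the rows.  Added example, not from
the report; the rows below are a constructed subset in the report's format."""
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample rows: (vulnerable page, type label, rule file).
SAMPLE_ROWS = [
    ("http://localhost:8080/WebGoat-5.1/attack?Screen=2&menu=50",
     "Cross site scripting 13", "form1_13.xml"),
    ("http://localhost:8080/WebGoat-5.1/attack?Screen=2&menu=50",
     "SQL Injection test 24", "form1112_1648.xml"),
    ("http://localhost:8080/WebGoat-5.1/attack?Screen=2&menu=50",
     "Unchecked Link Tag 36", "form1_1632.xml"),
    ("http://localhost:8080/WebGoat-5.1/attack?Screen=2&menu=50",
     "HTTP Splitting 19", "form1_568.xml"),
    ("http://localhost:8080/WebGoat-5.1/attack?Screen=57&menu=410&stage=1",
     "SQL Injection test 31", "form1112_1627.xml"),
    ("http://192.168.100.64:8080/WebGoat-5.1/attack?Screen=107&menu=1150",
     "SQL Injection test 31", "form1_1627.xml"),
]


def parse_row(page, label, rule_file):
    """Split 'SQL Injection test 24' into category 'SQL Injection' and rule
    number 24, and take the WebGoat lesson (Screen, menu) from the URL."""
    words = label.split()
    rule_no = int(words[-1])
    words = words[:-1]
    if words and words[-1].lower() == "test":  # drop the 'test' suffix
        words = words[:-1]
    parts = urlsplit(page)
    query = parse_qs(parts.query)
    lesson = (query.get("Screen", [""])[0], query.get("menu", [""])[0])
    return {"host": parts.netloc, "category": " ".join(words),
            "rule": rule_no, "lesson": lesson, "file": rule_file}


def count_by_category(rows):
    """Raw finding count per category, the figure a summary table reports."""
    return Counter(parse_row(*r)["category"] for r in rows)


def count_by_lesson(rows):
    """Findings per WebGoat lesson; stages of one lesson are folded together."""
    return Counter(parse_row(*r)["lesson"] for r in rows)


def out_of_scope_hosts(rows, target="localhost:8080"):
    """Hosts other than the configured target: such rows show the scan
    reached beyond the agreed scope and must be explained in the report."""
    return sorted({parse_row(*r)["host"] for r in rows} - {target})


def check_summary(rows, claimed):
    """Return the categories (or 'Total') whose claimed count disagrees with
    the rows, so a summary table is verified rather than copied by hand."""
    actual = count_by_category(rows)
    actual["Total"] = sum(actual.values())
    return sorted(k for k, v in claimed.items() if actual.get(k, 0) != v)
```

Running check_summary over all 94 rows of section 4 shows at once whether the per-type figures and the total reconcile with the table.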
