This is the third (and final for now) in a series of short demonstrations of how to use the Oedipus Web Scanner available from http://oedipus.rubyforge.org. You can find the first installment, Generating a log file using Burp, here, and the second installment, Running the Oedipus Analyzer from the Command Line, here.
In this lesson, we will look at how to run the Oedipus Scanner from the command line in order to perform dynamic web application testing using the input file generated by Oedipus Analyzer in Lesson 2.
- The Oedipus Scanner takes the following command line options:
- As with the Oedipus Analyzer, the -e option prints an example command line for reference, and the -n option prints notes on the tool's default options and behaviour.
- The -v option enables verbose output.
- The -f option names the Oedipus input file. This is the input.oedipus file generated previously by the Oedipus Analyzer, or a file in the same format generated by another tool such as IEnterceptor.
- The -w option specifies which plugins will be executed for the scan. By default the scan type is "basic", which runs the Directory Listing, SQL Injection and Cross Site Scripting (HTML Injection) plugins. The "moderate" setting enables the basic plugins and adds the File Extension (looking for backup files), File Download (for detecting file download issues) and File Rooter (for forceful browsing/finding files) plugins. The "all" setting runs every plugin in the plugin directory and is recommended for thoroughness. If you specify a particular plugin by name (usually the plugin file name in ./scanner/plugins without the trailing ".rb"), only that plugin will be used for testing.
- The -p option specifies the port on which the target system should be tested. Use it when the web application does not listen on the default port 80 for HTTP or port 443 for HTTPS.
- The -c option supplies Oedipus with the cookie or cookies needed to access the pages of the application. Obtain a fresh cookie each time the Oedipus Scanner is run; a stale or expired session cookie means the scanner ends up testing the login or error page rather than the authenticated application. This is demonstrated in the flash movie for this lesson (see above), where Burp Proxy is used to capture the cookie after we have authenticated to the application.
- The -q option specifies a variable that will be appended to the application's URL. This is commonly used where an application maintains its session with a querystring variable instead of a cookie. Note that -q on its own does not stop Oedipus from fuzzing that variable; if you do not want it fuzzed (which would invalidate the session mid-scan), add it to the list of ignored variables with the -i option (see below).
- The -i option specifies variables that Oedipus will not fuzz during testing (i.e. that will be ignored).
- The -y option specifies an HTTP proxy that Oedipus will use for issuing requests to the target host.
- The -b and -r options supply Basic Authentication credentials for the web server and the proxy server respectively, where these are required.
- And finally, the -x option specifies an SSL client certificate (in PEM format) that Oedipus will present when issuing requests to the application.
- The Oedipus Scanner generates two report files that can be opened in a web browser. oedipus-scanner-stats.xml holds statistics and overall information about the run of the tool, whereas oedipus-scanner.xml contains the details reported by the scanner plugins.
- Where a plugin reported an issue that can be reproduced with a GET or POST to the application, the report contains a clickable link and an input box for customising the test value. Clicking the link opens a separate browser window, which should demonstrate the issue.
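As an added example (not code from the original post or from the Oedipus project), the POSIX shell wrapper below assembles a scanner command line from the options listed above and enforces two of the caveats a practitioner would want: it refuses to run without a session cookie (-c), and any session variable passed with -q is automatically added to the -i ignore list so the scanner does not fuzz it. Two things are assumptions: the scanner's executable name, which the post never states, is read from OEDIPUS_SCANNER (defaulting to the placeholder "oedipus-scanner"), and the -i list is assumed to be comma-separated (check the -n notes output for the real separator). The -b, -r and -x options are not wrapped.

```bash
#!/bin/sh
# Added example wrapper for the Oedipus Scanner command line.
# ASSUMPTION: the scanner's executable name is not given on the page; it is
# taken from $OEDIPUS_SCANNER, defaulting to the placeholder "oedipus-scanner".
# ASSUMPTION: multiple variables for -i are comma-separated.
OEDIPUS_SCANNER="${OEDIPUS_SCANNER:-oedipus-scanner}"

# shquote VALUE: wrap VALUE in single quotes, escaping embedded single quotes,
# so cookies and URLs containing ';', '&' or spaces survive a shell eval.
shquote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# build_scan_cmd INPUT_FILE SCAN_LEVEL PORT COOKIE SESSION_VAR IGNORE_VARS PROXY
# Prints the assembled command line on stdout and returns 0, or prints an
# error on stderr and returns 1 when a mandatory value is missing.
# Empty PORT, SESSION_VAR, IGNORE_VARS or PROXY simply omit the option.
build_scan_cmd() {
  bsc_input="$1"; bsc_level="$2"; bsc_port="$3"; bsc_cookie="$4"
  bsc_sessvar="$5"; bsc_ignore="$6"; bsc_proxy="$7"

  if [ -z "$bsc_input" ]; then
    echo "build_scan_cmd: the -f input file is required" >&2; return 1
  fi
  # A stale cookie means the scanner tests the login page, not the app:
  # insist on a cookie captured for this run.
  if [ -z "$bsc_cookie" ]; then
    echo "build_scan_cmd: refusing to scan without a fresh session cookie (-c)" >&2
    return 1
  fi
  # -w accepts basic, moderate, all, or a single plugin name; default to basic.
  [ -n "$bsc_level" ] || bsc_level="basic"

  bsc_cmd="$OEDIPUS_SCANNER -f $(shquote "$bsc_input") -w $(shquote "$bsc_level")"
  if [ -n "$bsc_port" ]; then
    bsc_cmd="$bsc_cmd -p $(shquote "$bsc_port")"
  fi
  bsc_cmd="$bsc_cmd -c $(shquote "$bsc_cookie")"

  if [ -n "$bsc_sessvar" ]; then
    bsc_cmd="$bsc_cmd -q $(shquote "$bsc_sessvar")"
    # Never fuzz the session variable: make sure it is in the ignore list.
    case ",$bsc_ignore," in
      *",$bsc_sessvar,"*) ;;
      *) bsc_ignore="${bsc_ignore:+$bsc_ignore,}$bsc_sessvar" ;;
    esac
  fi
  if [ -n "$bsc_ignore" ]; then
    bsc_cmd="$bsc_cmd -i $(shquote "$bsc_ignore")"
  fi
  if [ -n "$bsc_proxy" ]; then
    bsc_cmd="$bsc_cmd -y $(shquote "$bsc_proxy")"
  fi
  printf '%s\n' "$bsc_cmd"
}

# Constructed sample run: a moderate scan of an app on port 8080, session
# kept in the "sid" querystring variable, requests routed through a local
# intercepting proxy. The cookie value is made up for illustration.
build_scan_cmd input.oedipus moderate 8080 'JSESSIONID=abc123' sid 'csrf' 'http://127.0.0.1:8080'
```

To actually launch the scan, pipe the printed line through `sh` (`build_scan_cmd ... | sh`) or paste it into a terminal; printing first lets you check the cookie and ignore list before the scanner starts sending fuzzed requests at the target.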
And we're done with our quick tour of the Oedipus Scanner. Enjoy!
