2015.09.09 / 13:05

Acunetix WVS V5 Review - 1

autodev

Acunetix WVS V5 Review

Jason Lee

2007-06-15

What is Acunetix WVS?

Acunetix WVS (Web Vulnerability Scanner) is a scanner that automatically crawls a web site and looks for vulnerabilities in the web application it finds there. It detects flaws such as SQL Injection and Cross Site Scripting as well as misconfigurations such as an enabled WebDAV option, and reports them against the application.

The product can be used both for auditing web applications and as a tool during penetration tests. The vulnerabilities it finds are reported for the application that was scanned and for the server software it runs on.

To write this review, Jason Lee ran Acunetix against several test sites and, for the evaluation, compared its results with the findings of a manual penetration test of the same sites.

For each test site the scan results were compared with the penetration-test data to see how many false positives and false negatives the product produced and how serious they were. The test sites were the Acunetix test site and two other vendors' test sites. Each component of Acunetix is rated on a 1-5 scale, with 5 being the best score.

Installation and Interface

Installation is straightforward and completes without intervention. The only input required during installation is the license key issued with the purchase. The program checks for updates by itself, and you can also check the Acunetix site and update when you need to.

The interface is divided by function. The tools sit on one side and the results of the selected tool alongside, so the tools can be used together on the same application, which is effective and convenient.

Figure 1. WVS start screen

Scan Wizard:

The Acunetix scan wizard walks through setting up a scan step by step: entering the target, confirming the target (fingerprint), crawler options, scan options, login sequence, and a final confirmation.

Each step is described below together with its screen.

Figure 2. Target input

Figure 2 shows the target input step, which offers several ways to specify what to scan.

* Scan single website: scan one web site. Enter a URL or an IP address, e.g. http://testasp.acunetix.com or http://80.237.198.237

* Scan using saved crawling results: scan using a previously saved crawl file (.cwl).

* Scan a list of websites from a file: scan several sites in one run. Put one URL or IP address per line in a text file, save it, and load that .txt file.

* Scan a range of computers looking for websites: find the hosts on a network that run a web service and scan them. You specify the address range and the ports, e.g. IP range: 192.168.0.1-30, List of Ports: 80,443,8080

Figure 3. Target confirmation (fingerprint)

Figure 3 is the step in which the wizard confirms the target. After the URL or host is entered it fingerprints the target and shows what it found: the web server, the operating system, the server-side technologies in use, and similar details.

Each of these can be added to or corrected by hand. Getting the fingerprint right matters, because it decides which checks the scanner runs later, and the step takes a little time.

Figure 4. Crawl options

Figure 4 shows the crawler options. Compared with the previous version, the crawl options that used to sit inside the scan options have been split out into their own step, and options that were missing from the crawler settings have been added.

Figure 5. Scan options window

Figure 5 is the scan options window. Together with Figure 4 this used to be a single step in the previous version and is now two. You can pick a scan profile or set the individual options.

The main addition to the scan options in version 5 is the choice of three scanning modes, Quick, Heuristic and Extensive. Further HTTP-related options and an option for checking XSS findings were added as well.

Scanning Mode

* Quick: only the first value of each parameter is tested.

* Heuristic: the scanner analyses the application and tries to determine automatically which parameters need to be tested.

* Extensive: every value of every parameter is tested. If a parameter can take many values, the scanner sends a correspondingly large number of HTTP requests to the page.

Scan speed: Quick > Heuristic > Extensive

Scan coverage: Quick < Heuristic < Extensive
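To make the difference between the three modes concrete, here is an added example (not Acunetix code, and not its actual mode logic) that generates the test requests for one page from constructed crawl data. The page path /showthread.asp, the observed parameter values, the two payloads and the rule used for Heuristic mode (test a parameter only if its values were seen to vary or look like numeric keys) are assumptions for illustration.

```python
"""Added example: how Quick, Heuristic and Extensive modes change the number of
test requests for one page. Not Acunetix code; the mode rules below are assumed."""
from itertools import product
from urllib.parse import urlencode

# Constructed payload set (a real scanner carries hundreds of these).
PAYLOADS = ["'", "<script>alert(1)</script>"]

# Constructed crawl result: every value the crawler saw for each parameter
# of a hypothetical page /showthread.asp.
OBSERVED = {"id": ["1", "2"], "sort": ["date", "name", "size"], "lang": ["en"]}


def base_requests(observed, mode):
    """Parameter sets that a test request is built on.
    quick: only the first observed value of each parameter (a single base);
    heuristic, extensive: every observed combination of values."""
    names = list(observed)
    if mode == "quick":
        return [{n: observed[n][0] for n in names}]
    if mode in ("heuristic", "extensive"):
        return [dict(zip(names, combo))
                for combo in product(*(observed[n] for n in names))]
    raise ValueError(f"unknown mode {mode!r}")


def params_to_test(observed, mode):
    """Which parameters receive payloads. The heuristic rule here is an
    assumption: a parameter is worth testing if its values were seen to vary
    or all look like numeric keys; a constant such as lang=en is skipped."""
    if mode == "heuristic":
        return [n for n, vals in observed.items()
                if len(set(vals)) > 1 or all(v.isdigit() for v in vals)]
    return list(observed)


def generate_requests(path, observed, mode, payloads=PAYLOADS):
    """One GET per (base request, tested parameter, payload)."""
    requests = []
    for base in base_requests(observed, mode):
        for name in params_to_test(observed, mode):
            for payload in payloads:
                query = dict(base)
                query[name] = payload
                requests.append(f"{path}?{urlencode(query)}")
    return requests


def request_counts(path, observed, payloads=PAYLOADS):
    """Request count per mode; quick <= heuristic <= extensive, which is why
    scan speed and scan coverage run in opposite directions."""
    return {m: len(generate_requests(path, observed, m, payloads))
            for m in ("quick", "heuristic", "extensive")}


if __name__ == "__main__":
    print(request_counts("/showthread.asp", OBSERVED))  # {'quick': 6, 'heuristic': 24, 'extensive': 36}
    for url in generate_requests("/showthread.asp", OBSERVED, "quick"):
        print(url)
```

With three parameters, two payloads and six observed value combinations, Quick sends 6 requests, Heuristic 24 and Extensive 36; on a real form with dozens of parameters the Extensive count is what makes a scan take hours.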

Figure 6. Login sequence

This step is for sites that require a login before the pages to be scanned are reachable: you record the login sequence so that the scanner can authenticate and work through the part of the application behind the login. You also have to mark the logout link, otherwise the scanner will log itself out while following links.

Figure 7. Confirmation

Web Scanner:

First, Acunetix fingerprints the technologies the target uses and selects its checks accordingly: if it confirms that ASP is in use, it runs the ASP-related checks. You can change what Acunetix checks by adjusting the settings or rewriting the scan policy, but that is a laborious job.

Figure 8. Web Scanner screen

The scanner checks for SQL Injection, Cross Site Scripting and other known vulnerabilities, for commonly left-behind files (manuals, test pages and so on), and for misconfigurations (for example TRACK or TRACE being enabled). Its checks go beyond the simple tests used by ordinary scanners, and it found some issues that other scanners missed. Accurate detection of SQL Injection and Cross Site Scripting is one of the product's strengths.

It also automates part of the analysis a tester would otherwise do by hand, such as gathering the addresses and links found across the site and classifying them, much as one collects such information during an ordinary penetration test.

Scan speed depends on the target application and is in line with other scanners; where it stands out is in the particular issues it finds that others do not.

Note, however, that on a site which logs every request straight to a database or sends mail on each form submission, the scan produces all of those log entries and mails immediately, and that is where I saw the scan slow down.
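As an added example of the misconfiguration checks mentioned above (written here from scratch, not taken from Acunetix), the probe below tests whether TRACE or TRACK is enabled: it sends the method with a marker header and treats it as enabled only when the server echoes that header back in a message/http body. The marker header name and the host names used are constructed.

```python
"""Added example: check whether an HTTP server has TRACE or TRACK enabled, the
way a web scanner verifies that misconfiguration. Not Acunetix's own check."""
import http.client

# Constructed marker header: if it comes back in the response body, the server
# echoed our request, which is exactly what an enabled TRACE does.
MARKER = "X-Trace-Probe"


def echoes_request(status, content_type, body):
    """Decide from a response whether the request was echoed. A bare 200 is not
    enough: some servers answer 200 with an error page, so also require the
    message/http content type and our marker header inside the body."""
    return (status == 200
            and content_type.lower().startswith("message/http")
            and MARKER.lower() in body.lower())


def check_methods(host, port=80, methods=("TRACE", "TRACK"), timeout=5):
    """Return {method: True | False | None}; None means the connection failed."""
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(method, "/", headers={MARKER: "1"})
            resp = conn.getresponse()
            body = resp.read().decode("latin-1", "replace")
            results[method] = echoes_request(
                resp.status, resp.getheader("Content-Type", "") or "", body)
        except OSError:
            results[method] = None
        finally:
            conn.close()
    return results


if __name__ == "__main__":
    import sys
    print(check_methods(sys.argv[1]))  # e.g. {'TRACE': False, 'TRACK': False}
```

The check is deliberately strict: a server that answers TRACE with 200 but a text/html page is not treated as vulnerable, which keeps this particular test free of the false positives the review counts against the product.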

Rating: 3.0

Web Crawler:

Figure 9. Web Crawler screen

The crawler follows the links on a site and builds up the site structure, recording for each page the referrer, the requests it made and the responses it received. You can crawl the whole site, restrict the crawl to part of it, or check the result and adjust it by hand. On one blog, crawling the whole site with WVS took a very long time, and on a particular part of the site it seemed to get stuck. To double-check I crawled a specific part of another application, and one run again took a long time. When I asked why this happens, the answer was that the crawler uses a DFS (depth-first search) algorithm, which can produce this behaviour. Other applications and sites crawled without any problem.

A further convenience over other crawlers is a window that shows what the crawler is doing while the crawl runs.

Figure 10. Crawl window

The crawler's features are good; the slowness described above is the one point to keep in mind.

Rating: 4.0

Target Finder:

Figure 11. Target Finder screen

The Target Finder is a port scanner that finds the web servers in a given address range. It overlaps with ordinary port scanners, but it is not limited to port 80: it can find web sites running on non-standard ports, which is its particular strength, and it also tries to identify the server type.

One problem did come up. When I gave it a whole class C range it failed to identify servers I knew were running; when I reduced the range it identified them correctly. Scanning a large address range therefore seems to have an issue.
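The following added example (my own code, not the Target Finder's) does the same job with the range and port notation the wizard accepts, "192.168.0.1-30" and "80,443,8080": it expands the range, connects to each port, sends a minimal HEAD request and keeps only answers that are actually HTTP. The addresses and the sample banner in the test are constructed; treating 443 and 8443 as TLS ports is an assumption.

```python
"""Added example: find web servers in an IP range, using the same range/port
notation as the wizard. Not the Target Finder's own code."""
import ipaddress
import socket
import ssl


def parse_range(spec):
    """'192.168.0.1-30' -> ['192.168.0.1', ..., '192.168.0.30'].
    A full end address ('10.0.0.254-10.0.1.1') or a single address also works."""
    if "-" not in spec:
        return [str(ipaddress.ip_address(spec.strip()))]
    start_s, end_s = (s.strip() for s in spec.split("-", 1))
    if "." not in end_s:                       # short form: only the last octet given
        end_s = start_s.rsplit(".", 1)[0] + "." + end_s
    start, end = ipaddress.ip_address(start_s), ipaddress.ip_address(end_s)
    if end < start:
        raise ValueError("range end precedes start")
    return [str(ipaddress.ip_address(int(start) + i))
            for i in range(int(end) - int(start) + 1)]


def parse_ports(spec):
    """'80,443,8080' -> [80, 443, 8080]; rejects anything outside 1-65535."""
    ports = sorted({int(p) for p in spec.split(",") if p.strip()})
    bad = [p for p in ports if not 0 < p < 65536]
    if bad:
        raise ValueError(f"invalid ports: {bad}")
    return ports


def parse_banner(data):
    """Status line plus Server header, or None if the answer is not HTTP
    (an open port answering 'SSH-2.0-...' is not a web server)."""
    lines = data.decode("latin-1", "replace").split("\r\n")
    if not lines[0].startswith("HTTP/"):
        return None
    server = next((line.split(":", 1)[1].strip() for line in lines[1:]
                   if line.lower().startswith("server:")), "")
    return {"status": lines[0], "server": server}


def probe(ip, port, timeout=1.0):
    """TCP connect and send a minimal HEAD request. Ports 443/8443 are assumed
    to speak TLS; certificate checks are off because only the banner matters."""
    try:
        sock = socket.create_connection((ip, port), timeout=timeout)
        if port in (443, 8443):
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock)
        with sock:
            sock.sendall(f"HEAD / HTTP/1.0\r\nHost: {ip}\r\n\r\n".encode())
            return parse_banner(sock.recv(4096))
    except OSError:                            # refused, timed out, TLS failure
        return None


def find_web_servers(ip_spec, port_spec, timeout=1.0):
    """(ip, port, status line, server header) for every port that talks HTTP."""
    found = []
    for ip in parse_range(ip_spec):
        for port in parse_ports(port_spec):
            banner = probe(ip, port, timeout)
            if banner:
                found.append((ip, port, banner["status"], banner["server"]))
    return found


if __name__ == "__main__":
    for hit in find_web_servers("192.168.0.1-30", "80,443,8080"):
        print(hit)
```

Because each probe has its own timeout, a whole class C range with three ports is 768 connections; a scanner that runs them sequentially with a generous timeout on a quiet range will appear to hang, which is worth remembering when judging the behaviour described above.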

Rating: 4.0


Subdomain Scanner:

Figure 12. Subdomain Scanner screen

Figure 12 shows the subdomain scanner, which looks up a list of commonly used host names under a given domain. It works over DNS, and the user can specify which DNS server to query.

In my tests it found few of the subdomains it should have, showing only the resolved IP addresses for those it did find. It is not a feature one uses often, and although it is there, the result is disappointing.
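An added example of what such a tool does internally (my own code, not the Subdomain Scanner's): resolve each name from a word list under the domain and keep the ones that answer. It also handles the case that makes naive tools useless, a wildcard DNS record that makes every guessed name resolve. The word list is a constructed stub, and the resolver is injectable so the behaviour can be checked without network access.

```python
"""Added example: dictionary-based subdomain discovery over DNS with a wildcard
check. Not the Subdomain Scanner's own code; the word list is a constructed stub."""
import random
import socket
import string

# Constructed, deliberately short list; real tools use thousands of names.
COMMON_NAMES = ["www", "mail", "ftp", "dev", "test", "staging", "admin", "vpn", "webmail"]


def system_resolver(name):
    """Resolve with the system resolver; [] when the name does not exist."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def wildcard_addresses(domain, resolve):
    """Resolve a random label under the domain. If it answers, the zone has a
    wildcard record and every guessed name would appear to exist; return the
    wildcard's addresses so they can be filtered out."""
    label = "".join(random.choices(string.ascii_lowercase, k=20))
    return set(resolve(f"{label}.{domain}"))


def scan_subdomains(domain, names=COMMON_NAMES, resolve=system_resolver):
    """Return {fqdn: [addresses]} for names that resolve to something other
    than the wildcard answer. A real host that shares the wildcard's address
    is indistinguishable from noise here and is dropped too; that is the price
    of not reporting a page of false positives."""
    wildcard = wildcard_addresses(domain, resolve)
    found = {}
    for name in names:
        fqdn = f"{name}.{domain}"
        addrs = set(resolve(fqdn))
        if addrs and addrs != wildcard:
            found[fqdn] = sorted(addrs)
    return found


if __name__ == "__main__":
    import sys
    print(scan_subdomains(sys.argv[1]))
```

A scanner that skips the wildcard step reports every word in its list as a live host on a wildcard zone; a scanner that resolves through a DNS server of the user's choosing, as the product allows, can also be pointed at the target's own name server, which is usually the one that knows the internal names.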

Rating: 2.0


HTTP Editor and HTTP Sniffer:

Figure 13. HTTP Editor screen

Figure 14. HTTP Sniffer screen

The HTTP Editor lets you build, modify and send HTTP requests by hand. It is used to analyse or replay the traffic between client and server, and it makes it possible to confirm SQL Injection and Cross Site Scripting findings manually.

The HTTP Sniffer sits between client and server, captures the data going each way, and lets you view and alter a request or response before passing it on. It shows step by step what the scanner does automatically and how the application responds to it.

Being able to verify a finding in place, with the same product that produced it, is a real advantage of these two tools. The interface is well laid out, and they compare well with other tools of this kind.
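What an HTTP editor or intercepting sniffer actually does with a request, as an added example (my own code, not Acunetix's): parse a captured request, substitute one form field, and re-serialise it with a corrected Content-Length before sending it. The captured login request, the host example.test and the form field names are constructed for the example.

```python
"""Added example: parse a raw HTTP request, tamper with one form field and
re-serialise it with a correct Content-Length, then send it. This is the hand
work an HTTP editor or intercepting sniffer supports; not Acunetix code."""
import socket
from urllib.parse import parse_qsl, urlencode

# Constructed request, as an intercepting proxy would capture it from a browser.
CAPTURED = (b"POST /login.asp HTTP/1.0\r\n"
            b"Host: example.test\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: 30\r\n"
            b"Connection: close\r\n"
            b"\r\n"
            b"username=admin&password=secret")


def parse_request(raw):
    """Split a raw request into request line, ordered headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def set_header(req, name, value):
    """Replace a header case-insensitively, keeping the others in order."""
    kept = [(k, v) for k, v in req["headers"] if k.lower() != name.lower()]
    req["headers"] = kept + [(name, value)]


def tamper_form_field(req, field, payload):
    """Substitute one field of a form-encoded body and fix Content-Length;
    a stale length is the classic way a hand-edited request silently breaks."""
    fields = parse_qsl(req["body"].decode("latin-1"), keep_blank_values=True)
    if field not in dict(fields):
        raise KeyError(field)
    fields = [(k, payload if k == field else v) for k, v in fields]
    req["body"] = urlencode(fields).encode("latin-1")
    set_header(req, "Content-Length", str(len(req["body"])))
    return req


def serialize(req):
    """Back to bytes, ready to send or to paste into an editor window."""
    lines = [f"{req['method']} {req['target']} {req['version']}"]
    lines += [f"{k}: {v}" for k, v in req["headers"]]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + req["body"]


def send_raw(host, port, raw, timeout=5):
    """Send the bytes as-is (HTTP/1.0 + Connection: close, so the server ends it)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(raw)
        chunks = []
        while chunk := sock.recv(65536):
            chunks.append(chunk)
    return b"".join(chunks)


if __name__ == "__main__":
    req = tamper_form_field(parse_request(CAPTURED), "username", "' OR '1'='1")
    print(serialize(req).decode("latin-1"))
```

The payload is form-encoded before it is put back, so what the server receives is exactly what a browser would have sent for that value; comparing its response with the response to the original request is the manual confirmation of an injection finding that the review describes.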

Rating: 4.0

This post is getting too long. Sorry... I will cover the remaining tools in a follow-up review. If you have any questions, please contact Jason Lee (jaisonyi@hotmail.com). Have a good day... ^^