With Dynamic Reviewer Light-PenTest module, you can inspect your web application during running, directly using your Browser.
DAST-Penetration Testing made easy
The following installation options are available:
Web App on premise. It is using our own Core Engine.
Cloud. Our Web App offered in an high-performance European or American Secured Cloud Infrastructure
Its special lightweight PenTest features, allowing to explore vulnerabilities in your Web Applications at the same time to keeping the software securely in your own hands, at your premises. No need of Backups before PenTest, we guarantee our tool will keep your system and database integrity.
It is Powered By the following open source tools:
You can import third-party Security Scanners results. They will be correlated automatically.
Dynamic Reviewer DAST provides a robust and stable framework for Web Application Security Testing, suitable for all Security Analysts, QA and Developers with False Positives and False Negatives support. It is designed for optimum mix of Manual and Automated Testing and allows designing customised penetration tests, offering an easy-to-use GUI and advanced Scan capabilities.
Findings
Once Scan is terminated, you have a list of Findings. You can:
Suppress a Finding Category (example: all Blind SQL Injection issues)
Suppress one or more Findings inside a Category
Add Comments to the entire scan, to a Finding Category, to a single Finding
Modify, Delete, change Severity tag, Merge Findings
Import Results from third-party tools
Export Combined Results in PDF, HTML, JSON, CSV, Excel and Word format
Add Evidences to the Findings
Dynamic Reviewer provides its own Security Scan Engine, but you can also add results coming from third-party Security Scanners, both commercial and open source, in order to cover posssible False Negatives. Each Security Scanner makes different fields available.
In order to be able to combine output from multiple tools, our Plugin Manager lets you map between the fields provided by each Security Scanner and those you care about for your report.
Security Scanners
We currently support the following Security Scanners:
Acunetix (Commercial)
AppScan (Commercial)
Arachni (Commercial)
Burp (Commercial)
CORE Impact (Commercial)
Invicti, formerly NetSparker (Commercial)
AppSpider, formerly NTO Spider (Commercial)
Nexpose (Commercial)
Qualys (Commercial)
Retina (Commercial)
Saint (Commercial)
SureCheck (Commercial)
It is up to you to purchase and manage the required Security Scanner’s License in case of you are using a Commercial Product.
Our tool imports the results only, without running your Security Scanner.
Team Collaboration
Being powered by Dradis Framework, with Dynamic Reviewer you can:
Share a common view of the entire project so that the team can work together towards a common goal:
Each person can work on a different project or as part of a team. Changes made by any member of the team are automatically pushed to all the others:
Going offsite or offline with Dynamic Reviewer doesn't mean out of sync. Project import and export make it easy to sync up when you return:
Compare different versions of the Issues in your project. Use the line-by-line breakdown to quickly see what was changed:
With our auto-tracking feature, you’ll always know who did what with timestamps for each activity:
Get warned if someone else modifies the content you were working on. Take comfort in knowing that you're always working with the latest version of the project:
Always know what has been covered and what is still ahead - and never forget any steps:
Use one of these methodologies to ensure consistent results: OSSTMM v3, OWASP Top 10, SANS SWAT checklist, OWASP web testing v4:
Our built-in methodology editor makes maintaining and updating your methodologies simple and straightforward:
Our flexible systems lets you use different methodologies for different phases of the project:
Our Security Scan Engine
Main features:
Technology Discovery
Audit, Bruteforce, Evasion, grep ancd Mangle modes
Cookie-jar/cookie-string support.
Custom header support.
SSL support with fine-grained options.
User Agent spoofing.
Proxy support for SOCKS4, SOCKS4A, SOCKS5, HTTP/1.1 and HTTP/1.0.
Proxy authentication.
Site authentication (SSL-based, form-based, Cookie-Jar, Basic-Digest, NTLMv1, Kerberos and others).
Automatic log-out detection and re-login during the scan (when the initial login was performed via the
autologin,login_scriptorproxyplugins).Custom 404 page detection.
UI abstraction:
Command-line Interface.
Web User Interface.
Pause/resume functionality.
Hibernation support -- Suspend to and restore from disk.
High performance asynchronous HTTP requests.
With adjustable concurrency.
With the ability to auto-detect server health and adjust its concurrency automatically.
Support for custom default input values, using pairs of patterns (to be matched against input names) and values to be used to fill in matching inputs.
Discovery Mode
Discovery of: Host OS, Web Server, Application Server, DB type, CMS, Directory bruteforce, DNS WildCard, domain_dot, .NET Errors, Favicon identification, Backdoors, Captchas, DVCS, GIt/Svn files, Fingerprint BING, Fingerprint Google, Fingerprint PKS, Fingerprint WAF, GHDB, Google Spider, Halberd, HMAP, HTTPS over HTTP, Import Results, Oracle discovery, Phish Tank, phpeggs, phpinfo, pykto, RIA Enumerator, robots.txt reader, Server Header, Server Status, Shared Hosting, SiteMap Reader, Splash, spiderMan, URL Fuzzer, urllist.txt Reader, userDir, webDiff, webSpider, wordNet, Wordpress Fingerprint, Laravel Vulnerabilities, WDSL Finder, XSSedDotCom, Yahoo Site Explorer, zone_h
Audit mode
Audit of LDAP, Blind SQL Injection. Buffer Overflow, webDAV, eval, file Upload, format String vulnerability, legagy FrontPage web apps, Global Redirect, HTA Access Methods, Local File Include, mx Injection, OS Command Injection, Phishing attack vector, preg_replace, re-DoS, Remote File Include, Respnse Splitting, SQL Injection, Server-Side Injection, Weak SSL Certificate, Unsecure Connection, Xpath Injection, XSRF, Cross-Site Scripting (XSS), XST.
Bruteforce Mode
Usage of Bruteforce for: Basic Authentication and Web Form Authentication
Evasion Mode
Seeking for: backSpace Between Dots, full Width Encode, modsecurity, reversed Slashes, rndCase, rndHexEncode, rndParam, rndPath, sel Reference, shift out-shift in Beteween Dots
Grep Mode
Find: Ajax, blank Body, Code Disclosure, Collect Cookies, Credit Cards, Directory Indexing, DOM XSS, .NET Event Validation, Error 500, Error Pages, Feeds, File Upload, Comments, Form Autocomplete, e-mails. Hashes, HTTP Auth detect, HTTP in Body, language, Meta Tags, motw, Objects, Oracle, Password Profiling, Path Disclosure, Private IPs, SSN, Strage HTTP Code, Strange Headers, Strange Reason, SVN Users, User-defined Regex, WDSL Grepper
Mangle Mode
Usage of sed for pattern matching
Client-Side scanning
Dynamic Reviewer includes an integrated, real browser environment in order to provide sufficient coverage to modern web applications which make use of technologies such as HTML5, JavaScript, DOM manipulation, AJAX, etc.
In essence, this turns Dynamic Reviewer into a DOM and JavaScript debugger, allowing it to monitor DOM events and JavaScript data and execution flows. As a result, not only can the system trigger and identify DOM-based issues, but it will accompany them with a great deal of information regarding the state of the page at the time.
Relevant information include:
Page DOM, as HTML code.
With a list of DOM transitions required to restore the state of the page to the one at the time it was logged.
Original DOM (i.e. prior to the action that caused the page to be logged), as HTML code.
With a list of DOM transitions.
Data-flow sinks -- Each sink is a JS method which received a tainted argument.
Parent object of the method (ex.:
DOMWindow).Method signature (ex.:
decodeURIComponent()).Arguments list.
With the identified taint located recursively in the included objects.
Method source code.
JS stacktrace.
Execution flow sinks -- Each sink is a successfully executed JS payload, as injected by the security checks.
Includes a JS stacktrace.
JavaScript stack-traces include:
Method names.
Method locations.
Method source codes.
Argument lists.
Compatible with ES5 and ES6
Integrated with Wapplyzer
A bunch of frameworks are supported, like Cordova/Phonegap and Node.js
In essence, you have access to roughly the same information that your favorite debugger (for example, FireBug) would provide, as if you had set a breakpoint to take place at the right time for identifying an issue.
DOM Security Issues
The list of DOM Security Issues found by Dynamic Reviewer are:
# | Issue | Type | Category |
1 | Code Injection - Client Side | Error | Code Execution |
2 | Code Injection - PHP input wrapper | Error | Code Execution |
3 | Code injection - Timing | Error | Code Execution |
4 | File Inclusion - Client Side | Error | Code Execution |
5 | OS Command Injection - Client Side | Error | Code Execution |
6 | OS Command Injection - Timing | Error | Code Execution |
7 | Remote File Inclusion Client Side | Error | Code Execution |
8 | Session Fixation | Error | Code Execution |
9 | XSS - DOM | Error | Code Execution |
10 | XSS - DOM - Script Context | Error | Code Execution |
11 | XSS - Event | Error | Code Execution |
12 | Data from attacker controllable navigation based DOM properties is executed as HTML | Error | Code Execution |
13 | Data from attacker controllable navigation based DOM properties is executed as JavaScript | Error | Code Execution |
14 | Data from attacker controllable URL based DOM properties is executed as HTML | Error | Code Execution |
15 | Data from attacker controllable URL based DOM properties is executed as JavaScript | Error | Code Execution |
16 | Non-HTML format Data from DOM storage is executed as HTML | Warning | Code Execution |
17 | Non-JavaScript format Data from DOM storage is executed as JavaScript | Warning | Code Execution |
18 | HTML format Data from DOM storage is executed as HTML | Info | Code Execution |
19 | JavaScript format Data from DOM storage is executed as JavaScript | Info | Code Execution |
20 | Data from user input is executed as HTML | Warning | Code Execution |
21 | Data from user input is executed as JavaScript | Warning | Code Execution |
22 | Non-HTML format Data taken from external site(s) (via Ajax, WebSocket or Cross-Window Messages) is executed as HTML | Error | Code Execution |
23 | Non-JavaScript format Data taken from external site(s) (via Ajax, WebSocket or Cross-Window Messages) is executed as JavaScript | Error | Code Execution |
24 | HTML format Data taken from external site(s) (via Ajax, WebSocket or Cross-Window Messages) is executed as HTML | Warning | Code Execution |
25 | JavaScript format Data taken from external site(s) (via Ajax, WebSocket or Cross-Window Messages) is executed as JavaScript | Warning | Code Execution |
26 | Non-HTML format Data taken from across sub-domain (via Ajax, WebSocket or Cross-Window Messages) is executed as HTML | Warning | Code Execution |
27 | Non-JavaScript format Data taken from across sub-domain (via Ajax, WebSocket or Cross-Window Messages) is executed as JavaScript | Warning | Code Execution |
28 | HTML format Data taken from across sub-domain (via Ajax, WebSocket or Cross-Window Messages) is executed as HTML | Info | Code Execution |
29 | JavaScript format Data taken from across sub-domain (via Ajax, WebSocket or Cross-Window Messages) is executed as JavaScript | Info | Code Execution |
30 | Non-HTML format Data taken from same domain (via Ajax, WebSocket or Cross-Window Messages) is executed as HTML | Warning | Code Execution |
31 | Non-JavaScript format Data taken from same domain (via Ajax, WebSocket or Cross-Window Messages) is executed as JavaScript | Warning | Code Execution |
32 | HTML format Data taken from same domain (via Ajax, WebSocket or Cross-Window Messages) is executed as HTML | Info | Code Execution |
33 | JavaScript format Data taken from same domain (via Ajax, WebSocket or Cross-Window Messages) is executed as JavaScript | Info | Code Execution |
34 | Weak Hashing algorithms are used | Error | Cryptography |
35 | Weak Encryption algorithms are used | Error | Cryptography |
36 | Weak Decryption algorithms are used | Error | Cryptography |
37 | Cryptographic Hashing Operations were made | Info | Cryptography |
38 | Encryption operations were made | Info | Cryptography |
39 | Decryption operations were made | Info | Cryptography |
40 | Potentially Sensitive Data is leaked (via HTTP, Ajax, WebSocket or Cross-Window Messages) | Error | Data Leakage |
41 | Potentially Sensitive Data is leaked through Referrer Headers | Error | Data Leakage |
42 | Data is leaked through HTTP | Warning | Data Leakage |
43 | Data is leaked through WebSocket | Warning | Data Leakage |
44 | Data is leaked through Cross-Window Messages | Warning | Data Leakage |
45 | Data is leaked through Referrer Headers | Warning | Data Leakage |
46 | Potentially Sensitive Data is stored on Client-side Storage (in LocalStorage, SessionStorage, Cookies or IndexedDB) | Warning | Data Storage |
47 | Data is stored on Client-side Storage (in LocalStorage, SessionStorage, Cookies or IndexedDB) | Info | Data Storage |
48 | Cross-window Messages are sent insecurely | Error | Communication |
49 | Cross-site communications are made | Warning | Communication |
50 | Communications across sub-domains are made | Warning | Communication |
51 | Same Origin communications are made | Info | Communication |
52 | JavaScript code is loaded from Cross-site Sources | Warning | JS Code |
53 | JavaScript code is loaded from across sub-domains | Info | JS Code |
54 | JavaScript code is loaded from Same Origin | Info | JS Code |
Configuration options include:
Adjustable pool-size, i.e. the amount of browser workers to utilize.
Timeout for each job.
Worker TTL counted in jobs -- Workers which exceed the TTL have their browser process re-spawned.
Ability to disable loading images.
Adjustable screen width and height.
Can be used to analyze responsive and mobile applications.
Ability to wait until certain elements appear in the page.
Configurable local storage data.
Coverage
The system can provide great coverage to modern web applications due to its integrated browser environment. This allows it to interact with complex applications that make heavy use of client-side code (like JavaScript) just like a human would.
In addition to that, it also knows about which browser state changes the application has been programmed to handle and is able to trigger them programmatically in order to provide coverage for a full set of possible scenarios.
By inspecting all possible pages and their states (when using client-side code) Dynamic Reviewer is able to extract and audit the following elements and their inputs:
Forms
Along with ones that require interaction via a real browser due to DOM events.
User-interface Forms
Input and button groups which don't belong to an HTML
<form>element but are instead associated via JS code.
User-interface Inputs
Orphan
<input>elements with associated DOM events.
Links
Along with ones that have client-side parameters in their fragment, i.e.:http://example.com/#/?param=val¶m2=val2
With support for rewrite rules.
Link Templates -- Allowing for extraction of arbitrary inputs from generic paths, based on user-supplied templates -- useful when rewrite rules are not available.
Along with ones that have client-side parameters in their URL fragments, i.e.:http://example.com/#/param/val/param2/val2
Cookies
Headers
Generic client-side elements which have associated DOM events.
AJAX-request parameters.
JSON request data.
XML request data.
REST API
Very simple and straightforward API.
Easy interoperability with non-Ruby systems.
Operates over HTTP.
Uses JSON to format messages.
Best Performances
Scan-times using traditional tools can range between a few hours to a couple of weeks – maybe even more. This means that wasted time can easily pile up, even when we’re talking about mere milliseconds per request/response.
Dynamic Reviewer benefits from great network performance due to its asynchronous HTTP request/response model. In this case – and from a high-level perspective –, asynchronous I/O means that you can schedule operations in such a way that they appear like they’re happening at the same time, which in turn means higher efficiency and better bandwidth utilization. That means:
Faster hyperlink processing
Faster numbering processing
Faster screenshot processing
It provides a high-performance environment for the tests that need to be executed while making adding new tests very easy. Thus, you can rest assured that the scan will be as fast as possible and performance will only be limited by your or the audited server’s physical resources.
Avoiding useless technical details, the gist is the following:
Every type of resource usage has been massively reduced — CPU, RAM, bandwidth.
CPU intensive code has been rewritten and key parts of the system are now 2 to 55 times faster, depending on where you look.
The scheduling of all scan operations has been completely redesigned.
DOM operations have been massively optimized and require much less time and overall resources.
Suspension to disk is now near instant.
Previously browser jobs could not be dumped to disk and had to be completed, which could cause large delays depending on the amount of queued jobs.
Default configuration is much less aggressive, further reducing the amount of resource usage and web application stress.
Talk is cheap though, so let’s look as some numbers under Linux:
Duration | RAM | HTTP requests | HTTP requests/second | Browser jobs | Seconds per browser job | |
|---|---|---|---|---|---|---|
Dynamic Reviewer | 00:02:14 | 150MB | 14,504 | 113.756 | 211 | 1.784 |
Best Competitor | 00:06:33 | 210MB | 34,109 | 101.851 | 524 | 3.88 |
Large real production site (cannot disclose) | ||||||
|---|---|---|---|---|---|---|
Duration | RAM | HTTP requests | HTTP requests/second | Browser jobs | Seconds per browser job | |
Dynamic Reviewer | 00:45:31 | 617MB | 60,024 | 47.415 | 9404 | 2.354 |
Best Competitor | 12:27:12 | 1,621MB | 123,399 | 59.516 | 9180 | 48.337 |
As you can see, the impact of the Performances' improvements becomes more substantial as the target’s complexity and size increases, especially when it comes to scan duration and RAM usage — and for the production site the new engine consistently yielded better coverage, which is why it performed more browser jobs.
End result:
Runs fast on under-powered machines.
You can run many more scans at the same time.
You can complete scans many times faster than before.
If you’re running scans in the “cloud”, it means that it’ll cost you many, many times less than before.
Machine Learning
The ML is what enables Dynamic Reviewer to learn from the scan it performs and incorporate that knowledge, on the fly, for the duration of the audit.
It uses various techniques to compensate for the widely heterogeneous environment of web applications. This includes a combination of widely deployed techniques (taint-analysis, fuzzing, differential analysis, timing/delay attacks) along with novel technologies (rDiff analysis, modular meta-analysis) developed specifically for the framework.
This allows the system to make highly informed decisions using a variety of different inputs; a process which diminishes false positives and even uses them to provide human-like insights into the inner workings of web applications.
Dynamic Reviewer is aware of which requests are more likely to uncover new elements or attack vectors and adapts itself accordingly.
Also, components have the ability to individually force the Core Engine to learn from the HTTP responses they are going to induce thus improving the chance of uncovering a hidden vector that would appear as a result of their probing.
DISCLAIMER: Due we make use of open source components (w3af, pWeb, dradis, wXf, OSVDB), we do not sell the product, but we offer a yearly subscription-based Commercial Support to selected Customers, plus our Commercial Security Scanner.
COPYRIGHT (C) 2014-2022 SECURITY REVIEWER SRL. ALL RIGHTS RESERVED.