Web Application Vulnerability Scanner

Hello Ladies & Gentlemen,

Here we come with a new topic: `Web Application Vulnerabilities` and how to scan for them using a tool. So without any delay, let's get to the topic.

What is a Web Application Vulnerability?

A vulnerability is a weakness which can be exploited by a threat actor, such as an attacker, to perform unauthorized actions within the web application. To exploit a vulnerability in the web application, an attacker must have at least one applicable tool or technique that can exploit the web application.

There are many types of attacks and vulnerabilities that could be used to exploit a web application, and there are likewise prevention mechanisms and techniques. No development language is secure by itself; we only have preventive measures that help us secure the web application.




A Few Common Vulnerabilities:

A few common vulnerabilities exist in around 90% of the web applications in the world.

  • SQL INJECTION.
  • CROSS SITE SCRIPTING (XSS).
  • BROKEN AUTHENTICATION & SESSION MANAGEMENT.
  • SECURITY MISCONFIGURATION.
  • CROSS-SITE REQUEST FORGERY (CSRF).

How can we find Web Application Vulnerabilities?

We can find the vulnerabilities of a web application by two methods:

  1. Static Code Analysis.
  2. Dynamic Analysis.

Static Code Review:

Static Code Analysis (also known as Source Code Analysis) is usually performed as part of a Code Review (also known as white-box testing) and is carried out at the Implementation phase of a Security Development Lifecycle. Static Code Analysis commonly refers to the running of Static Code Analysis tools that attempt to highlight possible vulnerabilities within ‘static’ (non-running) source code by using techniques such as Taint Analysis and Data Flow Analysis.
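To make the taint analysis idea concrete, here is a small added example (not from the original post and not how any particular scanner is implemented) that follows untrusted input through assignments to a SQL call. The source and sink names and the sample snippet are assumptions chosen for illustration.

```python
import ast

# Assumed for this sketch: calls returning untrusted data, and calls that must not receive it.
SOURCES = {"input", "request.args.get", "request.form.get"}
SINKS = {"cursor.execute"}

def is_tainted(expr, tainted):
    """True if expr reads a tainted variable or calls a source directly."""
    for node in ast.walk(expr):
        if isinstance(node, ast.Name) and node.id in tainted:
            return True
        if isinstance(node, ast.Call) and ast.unparse(node.func) in SOURCES:
            return True
    return False

def statements(body):
    """Yield statements in source order, descending into nested blocks."""
    for stmt in body:
        yield stmt
        for field in ("body", "orelse", "finalbody"):
            yield from statements(getattr(stmt, field, []))

def find_tainted_sinks(source):
    """Return (line, sink) pairs where tainted data reaches a sink's first argument."""
    tainted, findings = set(), []
    for stmt in statements(ast.parse(source).body):
        if isinstance(stmt, ast.Assign):
            hit = is_tainted(stmt.value, tainted)
            for target in stmt.targets:
                if isinstance(target, ast.Name):
                    # Propagate taint, or clear it when a clean value is assigned.
                    (tainted.add if hit else tainted.discard)(target.id)
        elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            call, name = stmt.value, ast.unparse(stmt.value.func)
            # Only the SQL text (first argument) is checked; bound parameters are safe.
            if name in SINKS and call.args and is_tainted(call.args[0], tainted):
                findings.append((stmt.lineno, name))
    return findings

# Constructed sample input, not taken from any real application.
SAMPLE = '''name = request.args.get("name")
query = "SELECT * FROM users WHERE name = '" + name + "'"
cursor.execute(query)
safe = "SELECT * FROM users WHERE name = %s"
cursor.execute(safe, (name,))
'''

if __name__ == "__main__":
    print(find_tainted_sinks(SAMPLE))
```

The concatenated query on line 3 of the sample is reported, while the parameterized call on line 5 is not, because the untrusted value never becomes part of the SQL text.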

Dynamic Analysis:

Dynamic analysis describes finding vulnerabilities in a running application, as opposed to Static Analysis. There are two main types of dynamic analysis:

  • Vulnerability Scanning.
  • Penetration Testing.

Vulnerability Scanning:

The process of searching for software vulnerabilities in applications using an automated security program is called vulnerability scanning. Vulnerability scanning can be used either to find holes and plug them before they are exploited or to find holes and exploit them.

Vooki – Web Application Scanner

Vooki is one of the powerful web application vulnerability scanners. Vooki provides a GUI where users can scan their websites to find security vulnerabilities.

How to use Vooki for scanning Web Application Vulnerabilities?

In the Vooki application, we have several steps for scanning the web application:

  • Start the application.
  • Connect the browser proxy to the Vooki port.
  • Visit all the pages of your web application.
  • Right-click on the node appearing in the Vooki tool and click on Scan.
  • After the scan completes, click on Generate Report from the menu bar.

There is a video tutorial about using the Vooki tool; you can watch it for more details.


Advantages of the Vooki tool:

  • Free Dynamic Security Scanner.
  • Scans Web Application and REST API.
  • Provides Vulnerability Details.
  • Generates Vulnerability Report.
  • Available on Windows.
  • Easy to use.
  • CVSS score based on attack.
