This is at least partially an appeal for information – if anyone knows of a web application scanner that does what I describe here, please let me know!
All the web application scanners I have come across so far seem to only try “online” scanning where the work is done by connecting to a web server using the same method as someone with a web browser would use. Or in other words the scanning tools replicate what an attacker might do. Hardly the wrong thing to do – it is probably the best method given that so much can only be determined by going through the web server.
In addition, there are also tools to scan the source code of web applications that you have written yourself. These pick out bits of the application that could do with looking at. Fair enough for a web developer, but I’m after something a bit different.
What I want is a tool that will when given the directory containing the website, will go through it looking for weaknesses like the following :-
- Look for problems with the permissions – such as directories and files writeable by the web server owner.
- Look for common applications and components – such as WordPress – and identify them, and indicate whether they’re out of date or not.
- Look for signs of exploits – PHP ‘shells’ and the like.
- Look for content that isn’t linked to as an indication that it shouldn’t be present.
Of course most people could think of a few more things to add to that list! It would be a handy additional source of information when it comes to securing a website.