Yahoo! launches free web application security scanner
- Ngoc Huynh
Yahoo! has open-sourced Gryffin – a Web Application Security Scanner – in an aim to improve the safety of the Web for everyone.
Currently in its beta, Project Gryffin has made available on Github under the BSD-style license that Yahoo! has been using for a number of its open-sourced projects.
Gryffin is basically a Go & JavaScript platform that helps system administrators scan URLs for malicious web content and common security vulnerabilities, including SQL Injection and Cross-Site Scripting (XSS).
Yahoo! describes Gryffin as a large-scale Web security scanning platform, which is more than just a scanner, as it is designed to address two specific problems:
1. Coverage
2. Scale
Scale is obviously implied for large Web, while Coverage has two dimensions – Crawl and Fuzzing.
Crawl’s ability is to find as much of the Web application’s footprint as possible, whereas Fuzzing involves testing each part of the application’s components for an applied set of vulnerabilities.
Gryffin’s Crawler is designed to search “millions of URLs” that might be driven by a single template from just one of the URLs to work.
Moreover, the crawler also includes a de-duplication engine for comparing a new page with an existing one and thus allowing it to avoid crawling the same page twice.
Gryffin’s Crawler also has PhantomJS, which is used to handle DOM rendering in client-side JavaScript applications.
Gryffin’s Requirements
The requirements for Gryffin are as listed below:
. Go
. PhantomJS v2
. The NSQ distributed messaging system
. Sqlmap for fuzzing SQL injection
. Arachni for fuzzing XSS and Web vulnerabilities
. Kibana and Elastic Search for dashboarding
Besides Yahoo!, many major companies have released their own web application vulnerability scanners to make Internet experience safe for users.
Back in February, Google released its own free web application vulnerability scanner tool, dubbed Google Cloud Security Scanner, which potentially scans developers’ applications for common security vulnerabilities on its cloud platform more effectively.
Source : http://thehackernews.com/