How Does It Work?
If the security industry's terminology is your cup of tea, then the best way to
describe XSSOOPS would be a penetration scanner. In other words, it is an
application designed to emulate a potential attacker (a hacker, if you will)
who is trying to find a way to compromise your data or gain unauthorized
access. By taking this approach XSSOOPS can provide a quick overview of the
security situation of any given web application and report the points of
weakness an attacker may exploit.
The scanner itself takes an "outside looking in" approach to scanning: it is
given the address (URL) of the application and then crawls through all the
pages found at that location. During this crawl it tries to attack the
application by mangling and altering data in the same way a hacker would. If
at any point it sees that an attack was successful, all relevant data is
logged and then offered in the form of a detailed report. This report is what
is provided to the client, who can use it to close any of the discovered
problems.
XSSOOPS is aware of nearly all forms of attack that can be launched against a
web application and is quite capable of emulating them with a harmless
payload. While the intent of the utility is to find vulnerabilities, it does
not try to cause any harm to the site being scanned; all 'attack' payloads are
quite benign, intended simply to identify the problem and nothing more. It
also uses a single-threaded approach, which ensures that the site being
scanned is not overloaded by the testing process, making it safe to use on
live production sites.
While at this point XSSOOPS is a universal tool capable of scanning any web
application regardless of the language it is written in, it is still
particularly well suited to scanning programs written in PHP. As such it is
aware of many PHP-specific mistakes and caveats and, as part of its scan,
will focus on these issues in addition to the standard set of attacks.
To ensure that no page is left unscanned, XSSOOPS takes a very thorough
approach, literally scanning every page and submitting every form, sometimes
many times over with different input parameters. As a by-product, data is
available on the size (bytes) and the load time (seconds) of every page
scanned. Generated reports include a summary of this information, providing
both an overall picture of the entire site and identifying the slowest and
fastest portions of the application.
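The scan described above, reduced to its essentials as an added example (this is illustrative code written for this page, not XSSOOPS's own code): crawl every same-origin link starting from one URL, re-request each page with a harmless text marker in every query parameter, record whether the marker comes back unencoded, and keep size and load-time figures per page so the report can name the slowest page. The tiny web application it scans is constructed inline so the example runs offline against your own process; its routes (/, /search, /safe) and the marker string are assumptions made for the demonstration.

```python
"""Minimal "outside looking in" scan: crawl, probe with a benign marker, report.

Example code for this page, not XSSOOPS's own implementation. The target
application below is constructed here so the scan has something local to
run against; /search echoes its parameter raw, /safe HTML-encodes it.
"""
import html
import threading
import time
from html.parser import HTMLParser
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlencode, urljoin, urlparse, urlunparse
from urllib.request import urlopen

# Harmless marker (assumed value): distinctive text with no executable content.
# If it is echoed back byte-for-byte, the page does not encode untrusted input.
MARKER = "xs00ps<marker>"


class DemoApp(BaseHTTPRequestHandler):
    """Constructed target application with one unsafe and one safe page."""

    def do_GET(self):
        parts = urlparse(self.path)
        q = parse_qs(parts.query).get("q", [""])[0]
        if parts.path == "/":
            body = '<a href="/search?q=test">search</a> <a href="/safe?q=test">safe</a>'
        elif parts.path == "/search":
            time.sleep(0.05)  # deliberately slow, so it tops the load-time report
            body = "Results for: " + q  # reflected without encoding
        elif parts.path == "/safe":
            body = "Results for: " + html.escape(q)  # encoded before output
        else:
            self.send_response(404)
            self.end_headers()
            return
        data = body.encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass  # keep the demo server quiet


class LinkParser(HTMLParser):
    """Collects href values of <a> tags so the crawler can follow them."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)


def fetch(url):
    """Return (body, size in bytes, load time in seconds) for one request."""
    start = time.perf_counter()
    with urlopen(url, timeout=5) as resp:
        raw = resp.read()
    return raw.decode("utf-8", "replace"), len(raw), time.perf_counter() - start


def scan(start_url):
    """Crawl same-origin pages; probe each query parameter with MARKER."""
    origin = urlparse(start_url).netloc
    queue, seen, pages, findings = [start_url], set(), {}, []
    while queue:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        body, size, secs = fetch(url)
        pages[url] = (size, secs)  # per-page size/load-time record
        parser = LinkParser()
        parser.feed(body)
        for href in parser.links:
            full = urljoin(url, href)
            if urlparse(full).netloc == origin and full not in seen:
                queue.append(full)
        parts = urlparse(url)
        for name in parse_qs(parts.query):
            probe = urlunparse(parts._replace(query=urlencode({name: MARKER})))
            probe_body, _, _ = fetch(probe)
            if MARKER in probe_body:  # came back unencoded: log the finding
                findings.append((parts.path, name))
    return pages, findings


def report(pages, findings):
    """Summarise the crawl: page count, total bytes, slowest page, findings."""
    slowest = max(pages, key=lambda u: pages[u][1])
    return {
        "pages": len(pages),
        "total_bytes": sum(size for size, _ in pages.values()),
        "slowest": urlparse(slowest).path,
        "reflected_unencoded": findings,
    }


def run_demo():
    """Start the constructed target on an ephemeral port, scan it, shut it down."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), DemoApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        pages, findings = scan(f"http://127.0.0.1:{server.server_address[1]}/")
        return report(pages, findings)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

The probe is recorded as a finding only when the marker text survives unchanged; the encoded page turns `<` and `>` into entities, so it is not reported. The crawl is single-threaded and issues one request at a time, which is the same load-limiting property the text attributes to the scanner.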
While performance information is very valuable for improving the user
experience, it is important to remember that the slow portions of a site can
be used by attackers to launch a denial of service attack that tries to
exhaust all available resources by continually requesting the slow pages,
taking up all of the site's processing or bandwidth capacity and preventing
genuine users from accessing it.