Maui Security Scanner

Maui Security Scanner is an innovative security assessment software suite for today's sophisticated Web application environments..

Maui Security Scanner ensures the security of Web applications by identifying vulnerabilities such as Cross-Site Scripting (XSS) and SQL Injection accross a site.

Maui Security Scanner allows web administrators to perform aggressive and comprehensive scans of an organization's web server to isolate vulnerabilities and identify security holes.

By using Maui Security Scanner, web-site admins and IT-professionals can see whether their web site(s) are hackable or vulnerable to attacks.

Maui Security Scanner gives you the opportunity of auditing your web site(s) as they are audited by external hackers on your behalf.

This suite provides a fully featured web security scanner, crawler, report analysis tool, as well as web security explanations, and an extensive database of security checks for all leading web server platforms.

Instead of manually searching for security defects, which is very hard, web-site admins and IT-professionals trust Maui Security Scanner to detect security defects and vulnerabilities automatically.

Maui Security Scanner is very configurable and can be used to automate a wide range of attacks against applications, including testing for common web application vulnerabilities such as SQL injection, cross-site scripting, buffer overflows and directory traversal.

In short, Maui Security Scanner; gives you an idea whether your website is secure against web attacks, Crawler feature automatically checks for web vulnerabilites, Audits all dynamic content including password fields, shopping carts and other web applications, and Generates penetration reports that give you a certain idea about your websites' security level.

￭ Cross Site Scripting Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink which contains malicious content within it. The user will most likely click on this link from another website, instant message, or simply just reading a web board or email message.

￭ SQL Injection SQL Injection attacks are another instantiation of an injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.

￭ Blind SQL Blind SQL injection is identical to normal SQL injection, however, when such an attack is performed a handled error message is returned. This results in no generic database error messages and without disclosing such information the attacker is working 'blindly.'

￭ XPXPATH Injection Similar to SQL Injection, XML Injection attacks occur when a web site uses user supplied information to query XML data. By sending intentionally malformed information into the web site, an attacker can find out how the XML data is structured or access data that they may not normally have access to. They may even be able to elevate their privileges on the web site if the xml data is being used for authentication (such as an xml based user file).

￭ LDAP Injection LDAP (Lightweight Directory Access Protocol) Injection is an attack used to exploit web based applications that construct LDAP statements from user input. When an application fails to sufficiently sanatize user input, it may be possible for an attacker to alter the construction of an LDAP statement. Due to the nature of web based applications the process will be run with the same permissions as the web server itself. Thus this could result in the execution of the command. Such a scenario could result in granting permissions to query, modify or remove anything inside the LDAP tree.

￭ Remote File Inclusion An attacker's fondest wish is to be able to run their code on the target system; an RFI exploit does just that. By exploiting two very dubious 'features' of the PHP language, an attacker can inject their code into a PHP program on the server. Once they can do that, they can access anything that the PHP program could: databases, password files, etc. They can install their own shell running with the privileges of the web server user (such as 'apache' or 'httpd') and if the server has not been patched for some local user privilege escalation vulnerability, the shell could be used to become the root user.

Here are some key features of "Maui Security Scanner":

￭ Unlimited Scans ￭ Unlimited IP's / Hosts ￭ Checks for SQL Injection ￭ Checks for Blind SQL Injection ￭ Checks for Cross Site Scripting (XSS) ￭ Checks for Cross Frame Scripting ￭ Checks for File Inclusion ￭ Checks for PHP Code Injection ￭ Checks for Cross Site Scripting in URI ￭ Checks for directory traversal attacks ￭ Checks for directory listing ￭ Checks for file listing ￭ Checks for common files ( Logs / Backup etc. ) ￭ Checks for common directories ( admin etc. ) ￭ Checks for E-Mail addresses ￭ Checks for OS ( Linux / Windows �) ￭ Checks for Type : ( Apache / IIS �) ￭ Checks for Plattform ( PHP / CGI / Perl � ) ￭ Allows to store and review every HTTP request ￭ Allows to export in HTML ￭ Allows to save scans ￭ Allows to load scans ￭ Allows to set upstream proxys ￭ Allows to automaticly update the software ￭ Allows to set the number of parallel requests ￭ Allows to set the crawling depth ￭ Allows to set the links depth per server ￭ Allows to set the links depth per page ￭ Allows to use the protocol HTTP

Limitations:

￭ 7 days or 10 scans trial