The hybrid module Crystal combines two kinds of test: static analysis of the PHP source (the "Crystal ball" testing done with PHP-SAT) and black-box injection against the running site. It should be quite good for Blind SQL Injection, SQL Injection and File Inclusion. For XSS it is really weak, because the tool can only try to say whether the injected script would be executed or not; plugging in a real JavaScript engine (SpiderMonkey) is in progress. The script creates two directories (local and results) and puts its data in there. Results are saved in the local directory and are reused at the next run of Grabber (until you erase them). A typical run looks like this, with the target URL given after `-url`: $ python grabber.py -spider 1 -sql -xss -url
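The boolean-based blind SQL injection check that the paragraph above says Crystal is good at, as an added example written for this page; it is not Grabber's own code and is Python 3 rather than the Python 2.4 the tool targets. The target application is replaced by two constructed handlers over an in-memory SQLite table (the `users` table, the `id` parameter and the handler names are assumptions), so the probe runs offline: the vulnerable handler concatenates the parameter into the query, the hardened one uses a parameterised query, and the detector treats a parameter as injectable only when an always-true condition leaves the page unchanged while an always-false one changes it, for two independent condition pairs.

```python
import sqlite3

# Constructed stand-in for the target application: an in-memory SQLite
# database and two request handlers. The table, the handler names and the
# ``id`` parameter are assumptions made for this example, not Grabber's code.
_DB = sqlite3.connect(":memory:")
_DB.execute("CREATE TABLE users (id INTEGER, name TEXT)")
_DB.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])


def _render(rows) -> str:
    """Render the query result the way the page body would."""
    names = ", ".join(r[0] for r in rows) or "no such user"
    return "<html><body>User: %s</body></html>" % names


def vulnerable_page(uid: str) -> str:
    """Vulnerable handler: the request parameter is concatenated into the SQL."""
    try:
        return _render(_DB.execute("SELECT name FROM users WHERE id = " + uid))
    except sqlite3.Error:
        return "<html><body>error</body></html>"


def safe_page(uid: str) -> str:
    """Hardened handler: parameterised query, the input never alters the SQL."""
    try:
        return _render(_DB.execute("SELECT name FROM users WHERE id = ?", (int(uid),)))
    except (ValueError, sqlite3.Error):
        return _render([])


# (always-true, always-false) condition pairs. Two independent pairs are used
# so a page that simply differs between requests (timestamps, random content)
# is less likely to be reported as injectable.
CONDITION_PAIRS = [("1=1", "1=2"), ("7=7", "7=8")]


def is_blind_sqli(page, value: str) -> bool:
    """Boolean-based blind SQL injection probe.

    ``page`` plays the role of the HTTP request: it maps a parameter value to
    the response body. The parameter is reported injectable only if, for every
    pair, the true condition leaves the response identical to the baseline and
    the false condition changes it.
    """
    baseline = page(value)
    for true_cond, false_cond in CONDITION_PAIRS:
        if page("%s AND %s" % (value, true_cond)) != baseline:
            return False
        if page("%s AND %s" % (value, false_cond)) == baseline:
            return False
    return True


if __name__ == "__main__":
    print("vulnerable_page injectable:", is_blind_sqli(vulnerable_page, "1"))  # True
    print("safe_page injectable:", is_blind_sqli(safe_page, "1"))  # False
```

Against a real site, `page` would be a function that performs the HTTP request with the parameter substituted; the comparison is on the response body, so any part of the page that changes on every request (a timestamp, a session token) must be stripped before comparing or the second condition pair will reject the finding.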
To use Grabber you only need Python 2.4, BeautifulSoup and PyXML; you can download the packages from the websites given above. There is also an executable version produced by py2exe. You have a main script, grabber.py, which executes the modules (xss.py, sql.py, etc.). You can configure the run either with a configuration file or with the command line parameters.

There are a couple of things I want to fix/do:

- Cookies / HTTP Auth / login page authentication systems
- Multi-site support (which is not too hard to do thanks to the XML structure)
- Plug in a JavaScript engine for real XSS detection
- Definitely, playing with the different encoding types
- Provide a solution for the given vulnerabilities? (not quite sure about this)
#Grabber pdf
It's a small tool and does not provide any GUI or PDF report. There are XML reports (you can easily write an XSLT to transform them), and a huge amount of information is already given by lots of other tools (Pantera, Paros, Wapiti, WebInspect, Hailstorm, AppScan etc.). Because every pattern is in a "quite standard" XML file, you can add or test whatever you want. You can focus on one kind of vulnerability and then do a massive test, or do all the tests on a single page. Yes, it can handle JavaScript files: it parses them to retrieve the server-side script names and tries to get some parameter names.

Because it's a small tool, the set of vulnerabilities is small:

- Cross-Site Scripting
- SQL Injection (there is also a special Blind SQL Injection module)
- File Inclusion
- Simple AJAX check (parse every JavaScript file, get the URLs and try to get the parameters)
- Hybrid analysis / Crystal ball testing for PHP applications using PHP-SAT
- JavaScript source code analyzer: evaluation of the quality/correctness of the JavaScript with JavaScript Lint
- Generation of a file for later statistical analysis

You should know things about web vulnerabilities before using this software, because it only tells you what the vulnerability is, not how to fix it.
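Two of the mechanisms described above, the AJAX check (parse the JavaScript, collect the server-side script names and their parameters) and the XML pattern file driving a reflection test, as an added example written for this page; it is not Grabber's code, and the element names in the pattern file, the sample JavaScript and the two echo handlers are all constructed for the example. The reflection test also shows the limitation the page mentions: a payload coming back verbatim is only evidence that it might execute, which is all a scanner without a JavaScript engine can say.

```python
import re
import xml.etree.ElementTree as ET
from html import escape

# Constructed JavaScript, standing in for a file the spider fetched from the
# target site. Paths and parameter names are invented for the example.
SAMPLE_JS = """
function search(q) {
  xhr.open("GET", "/ajax/search.php?q=" + q + "&page=1", true);
}
$.post("/api/user.php", {id: 12, format: "json"}, cb);
var exportUrl = '/admin/export.php?type=csv';
"""

# A quoted string naming a server-side script, optionally with a query string.
SCRIPT_RE = re.compile(
    r"""["']([^"'\s?]+\.(?:php|asp|aspx|jsp|cgi|pl))(?:\?([^"'\s]*))?["']"""
)
# $.post("/path.php", { key: value, ... }): parameter names from the object literal.
POST_RE = re.compile(r"""\.post\(\s*["']([^"']+)["']\s*,\s*\{([^}]*)\}""")
KEY_RE = re.compile(r"(\w+)\s*:")


def extract_endpoints(js: str) -> dict:
    """Map each server-side script found in the JavaScript to the parameter
    names that could be recovered for it. Parameters appended by string
    concatenation (``&page=1`` above) are not recovered; only the literal part
    of the URL is parsed."""
    endpoints = {}
    for m in SCRIPT_RE.finditer(js):
        path, query = m.group(1), m.group(2) or ""
        params = endpoints.setdefault(path, set())
        for pair in query.split("&"):
            if pair:
                params.add(pair.split("=", 1)[0])
    for m in POST_RE.finditer(js):
        path, body = m.group(1), m.group(2)
        endpoints.setdefault(path, set()).update(KEY_RE.findall(body))
    return {path: sorted(names) for path, names in endpoints.items()}


# Constructed pattern file in the spirit of an XML pattern list; the element
# and attribute names are invented here, not Grabber's actual schema.
PATTERNS_XML = """<patterns>
  <pattern name="script-tag"><![CDATA[<script>alert(1)</script>]]></pattern>
  <pattern name="img-onerror"><![CDATA[<img src=x onerror=alert(1)>]]></pattern>
</patterns>"""


def load_patterns(xml_text: str) -> dict:
    """Pattern name -> payload, so new tests are added by editing the XML only."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): p.text for p in root.iter("pattern")}


def vulnerable_echo(q: str) -> str:
    """Constructed page that reflects the parameter without encoding."""
    return "<p>Results for %s</p>" % q


def safe_echo(q: str) -> str:
    """Constructed page that reflects the parameter HTML-encoded."""
    return "<p>Results for %s</p>" % escape(q)


def reflected_patterns(page, patterns: dict) -> list:
    """Names of the patterns that come back verbatim in the response.

    Verbatim reflection does not prove execution: a page that echoes the
    payload inside an HTML comment or a <textarea> passes this test too.
    Deciding that needs a JavaScript engine, which this check does not have.
    """
    return [name for name, payload in patterns.items() if payload in page(payload)]


if __name__ == "__main__":
    print(extract_endpoints(SAMPLE_JS))
    print(reflected_patterns(vulnerable_echo, load_patterns(PATTERNS_XML)))
    print(reflected_patterns(safe_echo, load_patterns(PATTERNS_XML)))
```

The two halves fit together the way the scanner would use them: the endpoints and parameter names found by `extract_endpoints` are the injection points, and each payload from the pattern file is sent to each of them through `page`, which in a real run is the HTTP request rather than the constructed echo handler.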
#Grabber verification
This is a very small application (currently 2.5 kLOC of Python). The first reason for this scanner is to have a "minimum bar" scanner for the SAMATE Tool Evaluation Program at NIST. Grabber is also a nice way for me to do some automatic verification on the websites and scripts I write. It is designed to scan small websites such as personal sites, forums, etc., and absolutely not big applications: that would take too long and flood your network.
#Grabber portable
Grabber is a small web vulnerability scanner: basically it detects some kinds of vulnerabilities in your website. It is simple, not fast, but portable and really adaptable.