How can I utilize Java to build a simple vulnerability scanner for web applications

+1 vote
I’m interested in building a basic vulnerability scanner using Java that can test web applications for common security flaws like SQL injection, XSS, and directory traversal. I’ve worked with HTTP requests in Java before, but I’m unsure how to structure a tool that automatically scans web pages for vulnerabilities.

What libraries and frameworks would be helpful for sending HTTP requests, analyzing responses, and testing for these security issues in Java? I’d appreciate any guidance on how to start building a simple vulnerability scanner, as well as tips on how to implement basic security checks programmatically.
Oct 21 in Cyber Security & Ethical Hacking by Anupam
• 6,890 points
85 views

1 answer to this question.

+1 vote

In order to build a simple vulnerability scanner for web applications using Java, we can use libraries like HttpClient for sending requests and parsing responses.

1. We have to keep these points in mind before we start building the scanner:

  • We can use HttpClient to send HTTP requests to target web pages.
  • We can inject payloads (for example SQL payloads) into form fields or query parameters.
  • And then, we can analyze the errors in the response to identify any vulnerability.

2. Here's an example where I've used the HttpClient to send requests:

import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;

public class VulnerabilityScanner {
    public static void main(String[] args) throws Exception {
        HttpClient client = HttpClient.newHttpClient();
        // The payload must be percent-encoded: a raw space in the query string
        // makes new URI(...) throw URISyntaxException before anything is sent.
        String payload = URLEncoder.encode("' OR '1'='1", StandardCharsets.UTF_8);
        HttpRequest request = HttpRequest.newBuilder()
                .uri(new URI("http://target-site.com/vulnerable-page?input=" + payload))
                .build();
        HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());

        // A database error message in the body suggests the input reached a query unescaped
        if (response.body().contains("SQL syntax")) {
            System.out.println("Potential SQL injection vulnerability detected!");
        }
    }
}
  • In the above script, we're sending a request with a basic SQL injection payload to check the response for SQL errors.
  • Here, the target website is set to "http://target-site.com/vulnerable-page", which you can replace with the website you're testing for.
  • Also, I've inserted only one payload, ' OR '1'='1, as a part of the URL query.

3. Similarly, we can add more payloads to this script and check for various vulnerabilities:

import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;

public class VulnerabilityScanner {
    // Percent-encodes a query value so spaces and angle brackets don't make new URI(...) throw
    static String enc(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        HttpClient client = HttpClient.newHttpClient();

        // Array of URLs with different vulnerability payloads (values encoded via enc)
        String sqli = enc("' OR '1'='1");
        String[] payloads = {
            "http://target-site.com/login?username=" + sqli + "&password=" + sqli,          // SQL Injection
            "http://target-site.com/search?query=" + enc("<script>alert('XSS')</script>"), // XSS
            "http://target-site.com/command?input=" + enc("; ls -la"),                     // Command Injection (Linux)
            "http://target-site.com/command?input=" + enc("&& dir"),                       // Command Injection (Windows)
            "http://target-site.com/download?file=" + enc("../../etc/passwd")              // Path Traversal (Linux)
        };

        for (String url : payloads) {
            HttpRequest request = HttpRequest.newBuilder().uri(new URI(url)).build();
            HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
            String responseBody = response.body();

            // SQL Injection detection: database error text leaked into the page
            if (url.contains("login") && (responseBody.contains("SQL syntax") || responseBody.contains("SQL error") || responseBody.contains("database error"))) {
                System.out.println("Potential SQL injection vulnerability detected at: " + url);
            }

            // XSS detection: the script payload is reflected back unencoded
            else if (url.contains("search") && (responseBody.contains("<script>alert('XSS')</script>") || responseBody.contains("alert"))) {
                System.out.println("Potential XSS vulnerability detected at: " + url);
            }

            // Command Injection detection: directory-listing output in the response
            else if (url.contains("command") && (responseBody.contains("total") || responseBody.contains("bin") || responseBody.contains("Directory of") || responseBody.contains("Volume in drive"))) {
                System.out.println("Potential Command Injection vulnerability detected at: " + url);
            }

            // Path Traversal detection: contents of a system file in the response
            else if (url.contains("download") && (responseBody.contains("root:x:0:0") || responseBody.contains("[boot loader]") || responseBody.contains("127.0.0.1"))) {
                System.out.println("Potential Path Traversal vulnerability detected at: " + url);
            }

            // Message for unknown or no detected vulnerabilities
            else {
                System.out.println("No specific vulnerability detected at: " + url);
            }
        }
    }
}
answered Oct 23 by CaLLmeDaDDY
• 9,600 points
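The substring checks in the answer above fire on any page that happens to contain "alert", "bin" or "database error". Here is an added example (my own code, not from the answer or any library) that separates response analysis from request sending so it can be tested offline, and compares each probe against a baseline response fetched with a harmless value; the class name ResponseAnalyzer, the category strings and the sample HTML are assumed or constructed.

```java
import java.util.regex.Pattern;

public class ResponseAnalyzer {
    enum Finding { SQL_INJECTION, XSS, PATH_TRAVERSAL, NONE }
    // The same error markers the scanner above looks for, as one case-insensitive regex.
    private static final Pattern SQL_ERROR =
            Pattern.compile("sql syntax|sql error|database error", Pattern.CASE_INSENSITIVE);
    // The /etc/passwd root entry, anchored to a line start rather than a loose substring.
    private static final Pattern PASSWD_LINE = Pattern.compile("^root:x:0:0:", Pattern.MULTILINE);

    /** Classifies one probe. "baseline" is the response to a harmless value for the same
     *  parameter; a marker only counts when the payload response contains more hits than
     *  the baseline, so text that is always on the page (a footer, a help link) is ignored. */
    static Finding analyze(String category, String payload, String baseline, String withPayload) {
        switch (category) {
            case "sqli":
                return appeared(SQL_ERROR, baseline, withPayload) ? Finding.SQL_INJECTION : Finding.NONE;
            case "xss":
                // Only a verbatim reflection counts: "&lt;script&gt;" means the page output-encodes.
                return withPayload.contains(payload) && !baseline.contains(payload) ? Finding.XSS : Finding.NONE;
            case "traversal":
                return appeared(PASSWD_LINE, baseline, withPayload) ? Finding.PATH_TRAVERSAL : Finding.NONE;
            default:
                return Finding.NONE;
        }
    }

    private static boolean appeared(Pattern marker, String baseline, String withPayload) {
        // Compare hit counts so a marker that is always present does not hide a new one
        return marker.matcher(withPayload).results().count() > marker.matcher(baseline).results().count();
    }

    public static void main(String[] args) {
        // Constructed sample responses; nothing here was captured from a real site.
        String xssPayload = "<script>alert('XSS')</script>";
        String baseline = "<p>Results for test</p>";
        String encoded = "<p>Results for &lt;script&gt;alert('XSS')&lt;/script&gt;</p>";
        String raw = "<p>Results for " + xssPayload + "</p>";
        System.out.println("encoded reflection: " + analyze("xss", xssPayload, baseline, encoded));
        System.out.println("raw reflection:     " + analyze("xss", xssPayload, baseline, raw));

        // A footer that always mentions "database error" versus a real driver message appearing
        String footer = "<footer>Report a database error to support</footer>";
        String dbError = footer + "<pre>You have an error in your SQL syntax</pre>";
        System.out.println("footer only:        " + analyze("sqli", "' OR '1'='1", footer, footer));
        System.out.println("driver error added: " + analyze("sqli", "' OR '1'='1", footer, dbError));
    }
}
```

Wire it to the scanner by sending two requests per parameter (benign value, then payload) and passing both bodies to analyze; the same baseline also tells you whether the app is output-encoding, which is the fix for the XSS case.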
This looks fantastic! How would you recommend handling authentication for pages that require a login before testing for vulnerabilities?
