In order to build a simple vulnerability scanner for web applications using Java, we can use libraries like HttpClient for sending requests and parsing responses.
1. Keep these points in mind before building the scanner:
- We can use HttpClient to send HTTP requests to target web pages.
- We can inject payloads (for example SQL payloads) into form fields or query parameters.
- We can then analyze the response for error messages that point to a vulnerability.
2. Here's an example where I've used the HttpClient to send requests:
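```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;

public class VulnerabilityScanner {
    public static void main(String[] args) throws Exception {
        HttpClient client = HttpClient.newHttpClient();

        // URL-encode the payload: new URI(...) throws URISyntaxException on raw spaces
        String payload = URLEncoder.encode("' OR '1'='1", StandardCharsets.UTF_8);
        HttpRequest request = HttpRequest.newBuilder()
                .uri(new URI("http://target-site.com/vulnerable-page?input=" + payload))
                .build();

        // Send the request and read the whole body as a string
        HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());

        // A database error message in the body suggests the input reached a SQL query
        if (response.body().contains("SQL syntax")) {
            System.out.println("Potential SQL injection vulnerability detected!");
        }
    }
}
```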
- In the above script, we're sending a request with a basic SQL injection payload to check the response for SQL errors.
- Here, the target website is set to "http://target-site.com/vulnerable-page", which you can replace with the website you're testing.
- Also, I've inserted only one payload, ' OR '1'='1, as part of the URL query.
3. Similarly, we can add more payloads to this script and check for various vulnerabilities:
```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;

public class VulnerabilityScanner {
    // URL-encode a parameter value so that new URI(...) accepts spaces, '<', '>' and ';'
    private static String enc(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        HttpClient client = HttpClient.newHttpClient();

        // Array of URLs with different vulnerability payloads
        String[] payloads = {
            "http://target-site.com/login?username=" + enc("' OR '1'='1") + "&password=" + enc("' OR '1'='1"), // SQL Injection
            "http://target-site.com/search?query=" + enc("<script>alert('XSS')</script>"), // XSS
            "http://target-site.com/command?input=" + enc("; ls -la"), // Command Injection (Linux)
            "http://target-site.com/command?input=" + enc("&& dir"), // Command Injection (Windows)
            "http://target-site.com/download?file=" + enc("../../etc/passwd") // Path Traversal (Linux)
        };

        for (String url : payloads) {
            HttpRequest request = HttpRequest.newBuilder().uri(new URI(url)).build();
            HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
            String responseBody = response.body();

            // SQL Injection detection: database error text in the response
            if (url.contains("login") && (responseBody.contains("SQL syntax") || responseBody.contains("SQL error") || responseBody.contains("database error"))) {
                System.out.println("Potential SQL injection vulnerability detected at: " + url);
            }
            // XSS detection: the script payload is reflected in the response
            else if (url.contains("search") && (responseBody.contains("<script>alert('XSS')</script>") || responseBody.contains("alert"))) {
                System.out.println("Potential XSS vulnerability detected at: " + url);
            }
            // Command Injection detection: directory listing output (Linux or Windows)
            else if (url.contains("command") && (responseBody.contains("total") || responseBody.contains("bin") || responseBody.contains("Directory of") || responseBody.contains("Volume in drive"))) {
                System.out.println("Potential Command Injection vulnerability detected at: " + url);
            }
            // Path Traversal detection: contents of well-known system files
            else if (url.contains("download") && (responseBody.contains("root:x:0:0") || responseBody.contains("[boot loader]") || responseBody.contains("127.0.0.1"))) {
                System.out.println("Potential Path Traversal vulnerability detected at: " + url);
            }
            // Message for unknown or no detected vulnerabilities
            else {
                System.out.println("No specific vulnerability detected at: " + url);
            }
        }
    }
}
```
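
The scanner above flags a page whenever a marker string appears in the response, so it also fires on pages that contain that string for any input. As an added example (not part of the original post; the class and method names are hypothetical and the response bodies are constructed), the check below reports a marker only when it appears in the payload response but not in a baseline response for benign input:

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

// Added example: names are hypothetical, sample bodies are constructed.
public class ResponseAnalyzer {

    // Markers taken from the scanner above, grouped by check type.
    static final Map<String, List<String>> SIGNATURES = Map.of(
        "SQL injection", List.of("SQL syntax", "SQL error", "database error"),
        "Path traversal", List.of("root:x:0:0", "[boot loader]"));

    // Report a marker only if the payload response contains it and the
    // baseline response (same page, benign input) does not.
    static List<String> findings(String baselineBody, String payloadBody) {
        List<String> out = new ArrayList<>();
        for (Map.Entry<String, List<String>> e : SIGNATURES.entrySet()) {
            for (String marker : e.getValue()) {
                if (payloadBody.contains(marker) && !baselineBody.contains(marker)) {
                    out.add(e.getKey() + ": \"" + marker + "\"");
                }
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed bodies; a real run would fetch both with HttpClient.
        String docsBaseline = "<h1>Help</h1><p>Fixing a database error in MySQL</p>";
        String docsPayload  = "<h1>Help</h1><p>Fixing a database error in MySQL</p>";
        String appBaseline  = "<p>Welcome back</p>";
        String appPayload   = "<p>You have an error in your SQL syntax near ''1'='1'</p>";

        // The help page mentions "database error" for every input, so a plain
        // contains() check would flag it; the baseline comparison does not.
        System.out.println("docs page: " + findings(docsBaseline, docsPayload));
        // The marker appears only after the payload: a candidate for manual review.
        System.out.println("app page:  " + findings(appBaseline, appPayload));
    }
}
```

A finding from this check is still only a lead: confirm it manually before reporting it.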