2015-08-14

WebVulScan is a web application vulnerability scanner that can be used to test remote or local web applications for security issues. The tool is itself a web application.

It requires the following:

First, download WebVulScan and place the folder containing the source code into the folder that your web server serves from on your domain. In Apache this is the "htdocs" folder.

Now, import the database named "webvulscan.sql", which is contained in the source code folder, into your MySQL database.

Then, using your browser, request "localhost/webvulscan_vx.xx", where "webvulscan_vx.xx" is the folder containing the source code, and you will be brought to the homepage of the web application vulnerability scanner.

Note: the database credentials the scanner uses by default are the "root" user with no password.

If you want to change this, edit the connectToDb() function in "webvulscan_vx.xx/scanner/functions/databaseFunctions.php". The second and third parameters passed into the mysqli constructor are the username and password of a MySQL database user, e.g. "root" and "".

For whatever user you use in the connectToDb() function, you must ensure there is a corresponding database user in the database with sufficient privileges to read from and write to the webvulscan database.
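As an added example (not WebVulScan's own code), here is a version of connectToDb() that replaces the shipped root/no-password default with a dedicated account that only has rights on the webvulscan database. The environment variable names, the account name and the CREATE USER/GRANT statements are assumptions, not taken from the project.

```php
<?php
// Added example: a hardened replacement for connectToDb() in
// scanner/functions/databaseFunctions.php. The constructor argument order
// (host, username, password, database) is that of PHP's mysqli class.
//
// Weak setting as shipped (root, empty password, hard-coded):
//   $db = new mysqli("localhost", "root", "", "webvulscan");
//
// One-time setup, run once as a MySQL administrator (assumed statements):
//   CREATE USER 'webvulscan'@'localhost' IDENTIFIED BY '<strong password>';
//   GRANT SELECT, INSERT, UPDATE, DELETE ON webvulscan.* TO 'webvulscan'@'localhost';

function connectToDb(): mysqli
{
    // Credentials come from the environment (assumed variable names),
    // so nothing secret is committed with the source code.
    $host = getenv('WVS_DB_HOST') ?: 'localhost';
    $user = getenv('WVS_DB_USER') ?: 'webvulscan';
    $pass = getenv('WVS_DB_PASS');
    $name = getenv('WVS_DB_NAME') ?: 'webvulscan';

    if ($user === 'root' || $pass === false || $pass === '') {
        // Refuse to start on the shipped defaults instead of running as root
        // with no password.
        throw new RuntimeException('Database credentials missing or set to root/empty');
    }

    // Report mysqli failures as exceptions so a failed connection cannot be
    // silently ignored by the caller.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

    $db = new mysqli($host, $user, $pass, $name);
    $db->set_charset('utf8mb4');
    return $db;
}
```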

If you are running this on Linux, you must ensure the application has permission to write to the logs folders and the reports folder.

This can be done using the "chmod" command. Using the terminal, cd (change directory) to the "crawler" folder and enter "sudo chmod -R 777 logs/". Then cd to the "scanner" folder and enter "sudo chmod -R 777 logs/". Also, while in the scanner folder, enter "sudo chmod -R 777 reports/".

If users are to receive PDF reports by email, PHP's mail() function must be able to send emails. If you do not have email functionality set up on your web server, this step guides you through routing the emails through a Gmail account. This is not an essential requirement, as users can view and download PDF reports using the scan history feature.

Setting up an email server can be quite complex and time consuming, so a simpler solution is to use Gmail. A Gmail account can be used by the web application to send emails from. Visit gmail.com and create an account. Users of the web application will then receive scan reports from this email address. Take note of your email address and password.

Now the application "sendmail", with TLS support, must be installed and configured to route outgoing emails through the Gmail account. The sendmail zip file can be downloaded here: http://www.glob.com.au/sendmail/sendmail.zip

Once sendmail is installed, open the sendmail.ini file. You need to change the settings to the following:

smtp_server=smtp.gmail.com
smtp_port=587
smtp_ssl=auto
error_logfile=error.log
auth_username=youremail@gmail.com
auth_password=yourpassword
pop3_server=
pop3_username=
pop3_password=
force_sender=youremail@gmail.com
force_recipient=
hostname=

All other settings should be commented out by default with a semicolon.

Now open your "php.ini" file with a text editor and edit the following:

Under the "[mail function]" section, comment everything out in that section, using a semicolon, apart from "sendmail_path" and "mail.add_x_header". Therefore you should probably have to comment out "SMTP = ..." and "smtp_port = ..." and you should have to uncomment "sendmail_path = ...".

Set "sendmail_path" equal to the location of your sendmail.exe file (e.g. "\"C:\xampp\sendmail\sendmail.exe\" -t") if it is not already set to that.

Set "mail.add_x_header" equal to Off if it is not already set to Off.

Save php.ini.

Restart the web server.

You should now be able to send emails using PHP's mail() function.

Other PHP settings also need to be configured by editing the php.ini file.