Spaghetti is an open-source web application security scanner designed to find various default and insecure files, configurations, and misconfigurations.
It is built on Python 2.7 and can run on any platform that has a Python environment.
Features of Spaghetti Web Application Security Scanner
- Fingerprints
  - Server
  - Web Frameworks (CakePHP, CherryPy, …)
  - Web Application Firewall (WAF)
  - Content Management System (CMS)
  - Operating System (Linux, Unix, …)
  - Language (PHP, Ruby, …)
  - Cookie Security
- Bruteforce
  - Admin Interface
  - Common Backdoors
  - Common Backup Directory
  - Common Backup File
  - Common Directory
  - Common File
  - Log File
- Disclosure
  - Emails
  - Private IP
  - Credit Cards
- Attacks
  - HTML Injection
  - SQL Injection
  - LDAP Injection
  - XPath Injection
  - Cross Site Scripting (XSS)
  - Remote File Inclusion (RFI)
  - PHP Code Injection
- Other
  - HTTP Allow Methods
  - HTML Object
  - Multiple Index
  - Robots Paths
  - WebDAV
  - Cross Site Tracing (XST)
  - PHPINFO
  - .Listing
- Vulns
  - ShellShock
  - Anonymous Cipher (CVE-2007-1858)
  - CRIME (SPDY) (CVE-2012-4929)
  - Struts-Shock
Using Spaghetti Web Application Security Scanner
root@darknet:~/Spaghetti# python spaghetti.py

    (ASCII-art banner)  v0.1.3

~/# Spaghetti - Web Application Security Scanner
~/# Codename - MR.R0B0T
~/# Momo Outaadi (@M4ll0k)
~/# https://github.com/m4ll0k/Spaghetti

Usage:
  -u --url         Target URL (eg: http://example.com)
  -s --scan        Scan Options (default=0):
                     0: Full Scan
                     1: Bruteforce (dirs,files,..)
                     2: Disclosure (ip,emails,..)
                     3: Attacks (sql,lfi,..)
                     4: Others (webdav,..)
                     5: Vulns (shellshock,..)
                     6: Fingerprint only
  --crawler        Deep crawling (slow)
  --agent          Use the specified user-agent
  --random-agent   Use a random user-agent
  --redirect       Redirect target URL, default=True
  --timeout        Set timeout, default=None
  --cookie         Set cookie, default=None
  --proxy          Set proxy, (host:port)
  --verbose        Verbose output
  --version        Show version
  --help           Show this help and exit

Examples:
  spaghetti.py --url http://example.com
  spaghetti.py --url http://example.com --scan [0-6]
  spaghetti.py --url http://example.com --scan 1 --crawler
Example:
python spaghetti.py --url site.com --scan 0 --random-agent --verbose
Installation of Spaghetti Web Scanner
$ git clone https://github.com/m4ll0k/Spaghetti.git
$ cd Spaghetti
$ pip install -r requirements.txt
$ python spaghetti.py
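As an added example (not code from the Spaghetti project), here is a defender-side check over web server access logs for the path families and HTTP methods that the Bruteforce and Other modules listed above probe (admin interfaces, backup files, phpinfo, .listing, log files, TRACE for XST, WebDAV methods). The regexes, thresholds and sample log lines are constructed assumptions to tune for your own site.

```python
import re
from collections import defaultdict

# Combined-log format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Path families the scanner's Bruteforce/Other modules probe (regexes are assumptions).
PROBE_PATTERNS = {
    "admin":   re.compile(r"/(admin|administrator|phpmyadmin)\b", re.I),
    "backup":  re.compile(r"\.(bak|old|orig|zip|tar\.gz|sql)$|/backup", re.I),
    "phpinfo": re.compile(r"phpinfo\.php$", re.I),
    "listing": re.compile(r"/\.listing$", re.I),
    "logfile": re.compile(r"\.log$", re.I),
}
PROBE_METHODS = {"TRACE", "PROPFIND", "MKCOL"}  # XST and WebDAV checks

def analyse(lines):
    """Per-client counters: 404 count, probe-path hits per family, unusual methods."""
    stats = defaultdict(lambda: {"not_found": 0, "probes": defaultdict(int), "methods": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined-log format; skip
        s = stats[m["ip"]]
        if m["status"] == "404":
            s["not_found"] += 1
        for family, pat in PROBE_PATTERNS.items():
            if pat.search(m["path"]):
                s["probes"][family] += 1
        if m["method"] in PROBE_METHODS:
            s["methods"].add(m["method"])
    return {ip: {**s, "probes": dict(s["probes"])} for ip, s in stats.items()}

def flag_scanners(stats, min_404=5, min_families=3):
    """Clients that look like a scanner: many 404s, several probe families, or XST/WebDAV methods."""
    return {ip for ip, s in stats.items()
            if s["not_found"] >= min_404 or len(s["probes"]) >= min_families or s["methods"]}

# Constructed sample: one scanner-like client (203.0.113.7) and one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2017:13:55:36 +0000] "GET /admin/ HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2017:13:55:36 +0000] "GET /backup.zip HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2017:13:55:37 +0000] "GET /phpinfo.php HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2017:13:55:37 +0000] "GET /.listing HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2017:13:55:38 +0000] "TRACE / HTTP/1.1" 405 0
198.51.100.4 - - [10/Oct/2017:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 5120
""".splitlines()
```

Running `flag_scanners(analyse(SAMPLE_LOG))` returns only the first client; feeding it a real access log lets you alert on the same probe mix before the Attacks modules run.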
There are also other options to check out, such as:
– Arachni v0.2.2.1 – Web Application Security Scanner Framework
– Vega – Open Source Cross Platform Web-Application Security Assessment Platform
You can download Spaghetti Web Application Security Scanner here:
Or read more here.