Adam Caudill

Security Leader, Researcher, Developer, Writer, & Photographer

YAWAST 0.5 Released

Today, I’ve released the latest version of YAWAST, a security scanner for web applications that provides basic information about the application, and performs common checks so that you can move on to the fun part of testing more quickly. YAWAST also remains the only tool I’ve found that can perform an accurate test for SWEET32.

Here is the change log for version 0.5.0:

  • #35 – Add check for SameSite cookie attribute
  • #53 – Added checks for .well-known URLs
  • #75 – Use internal SSL scanner for non-standard ports
  • #84 – Improve the display of ct_precert_scts
  • #86 – Add check for Tomcat Manager & common passwords
  • #87 – Tomcat version detection via invalid HTTP verb
  • #88 – Add IP Network Info via api.iptoasn.com
  • #90 – Add HSTS Preload check via HSTSPreload.com
  • #91 – Enhanced file search
  • #96 – Scan for known SRV DNS Records
  • #97 – Search for Common Subdomains
  • #100 – Check for missing cipher suite support
  • #102 – Use SSLShake to power cipher suite enumeration
  • #76 – Bug: Handle error for OpenSSL version support error
  • #98 – Bug: SWEET32 Test Fails if 3DES Not Supported By Latest Server Supported TLS Version
  • #99 – Bug: Cloudflare SWEET32 False Positive
  • #101 – Bug: SWEET32 False Negative
  • #103 – Bug: Scan fails if HEAD isn’t supported
  • Various code and other improvements.
