It has now been over a year since the last major release of YAWAST, but today I am happy to release version 0.7, which is one of the largest changes to date. This is the result of substantial effort to ensure that YAWAST continues to be useful in the future, and add as much value as possible to those performing security testing of web applications.
If you are using the Gem version, simply run
gem update yawast to get the latest version.
One of the headline features is that YAWAST now supports producing JSON output via the new
--output=<file> parameter. This will create a JSON file that can be used to record the actions of YAWAST in more detail, and be used in reporting automation. The goal of this feature is to capture all of the information that is needed to produce a report automatically.
If you specify
--output=/path/., YAWAST will automatically generate a file name based on the domain name and current time.
The overall structure of the JSON output shouldn’t change, but the details included may change over time as the output is refined to make it as useful as possible.
Enhanced Vulnerability Scanner
The other major change in this version is the new vulnerability scanner, which adds a number of new checks, and opens the door to more easily adding checks in the future. This is currently accessed via the
--vuln_scan parameter, as this is seen as a beta-level feature; when used without that parameter, YAWAST behaves as it has in the past. In the future, this will become of the default behavior, once it’s clear that it is stable.
It is recommended that you use
--vuln_scan unless it is causing issues for you (and if it does cause issues, please open an issue).
One behavioral change is that the new
--spider option works differently in each mode;
--vuln_scan will always spider the site, so in that mode,
--spider simply adds printed output to the UI listing the URLs found.
This new scanner leverages Chrome via an automated interface to perform certain tasks, that can only be properly tested by browser interaction; this adds some new dependencies, though the application should fail gracefully if these aren’t present.
The YAWAST Docker image has been updated to work with this new feature, making it the easiest way to use it.
User Enumeration via Password Reset Form (Timing & Response)
One new experimental feature that I would like to point out is that YAWAST will attempt to use the target application’s Password Reset Form (specified via
--pass_reset_page) using Chrome automation to capture the difference between a valid user (specified via
--user) and a randomly generated invalid user. It will compare the responses and display a diff of the changes between the two.
YAWAST will attempt to automatically identify the form field that captures the username / email address, if it fails to find the field, it will prompt you to provide the name or id.
It will run this procedure a total of 5 times, and capture of the timing that each request took, to determine if timing information can be used to determine valid users.
[V] Password Reset: Possible User Enumeration - Response Timing (see below for details)
Difference in average: 368.6ms Valid user: 736.15ms Invalid user: 367.55ms
Valid Users Invalid Users
Here is a list of the changes included in this version:
- #38 – JSON Output Option via
--output=(work in progress)
- #133 – Include a Timestamp In Output
- #134 – Add options to DNS command
- #135 – Incomplete Certificate Chain Warning
- #137 – Warn on TLS 1.0
- #138 – Warn on Symantec Roots
- #139 – Add Spider Option
- #140 – Save output on cancel
- #141 – Flag –internalssl as Deprecated
- #147 – User Enumeration via Password Reset Form
- #148 – Added
--vuln_scanoption to enable new vulnerability scanner
- #151 – User Enumeration via Password Reset Form Timing Differences
- #152 – Add check for 64bit TLS Cert Serial Numbers
- #156 – Check for Rails CVE-2019-5418
- #157 – Add check for Nginx Status Page
- #158 – Add check for Tomcat RCE CVE-2019-0232
- #161 – Add WordPress WP-JSON User Enumeration
- #130 – Bug: HSTS Error leads to printing HTML
- #132 – Bug: Typo in SSL Output
- #142 – Bug: Error In Collecting DNS Information