There are many threats to the security of a website, and even the most experienced IT expert must always stay vigilant to guard against the bad guys who try to attack it. The important thing here is not what to do after an attack occurs (typically), but to discover the flaws before someone else does. For that, you can use different tools that help you identify possible flaws in your system.
In this article you will learn how to scan for vulnerabilities on a website using GoLismero in Kali Linux. Running GoLismero can be a great help in identifying possible failures in the security of your server.
What is GoLismero?
GoLismero, the "Web Knife", is a free software framework for security testing. It is currently geared towards web security, but it can easily be expanded to other kinds of scans. It can run its own security tests and manage many well-known security tools (OpenVAS, Wfuzz, SQLMap, DNS recon, robot analyzer...), take their results, feed them back to the rest of the tools and merge all of the results completely automatically. The most interesting features of the framework are:
- Real platform independence. Tested on Windows, Linux, *BSD and OS X.
- No native library dependencies. All of the framework has been written in pure Python.
- Good performance when compared with other frameworks written in Python and other scripting languages.
- Plugin development is extremely simple.
- The framework also collects and unifies the results of well known tools: sqlmap, xsser, openvas, dnsrecon, theharvester...
- Integration with standards: CWE, CVE and OWASP.
GoLismero has been written in pure Python and it's pretty easy to use: with very few commands, or even a single command, you can launch scans and report vulnerabilities. Visit the homepage of the project and its GitHub repository for more information.
Searching for vulnerabilities
To use GoLismero in Kali Linux, just open a new terminal and execute any of the following commands according to what you want to do:
GoLismero can't be stopped as you typically do with tools in the terminal (Ctrl+C); instead you need to use Ctrl+Z.
To scan a website and show all the possible security flaws, just run the following command:
golismero scan <website-target>
The website-target argument is the domain of the website that you want to analyze, for example:
golismero scan sdkcarlos.github.io
From the output of this command you should get relevant information about the security status of your website against different flaws or bugs such as Heartbleed.
You can produce reports in different file formats with GoLismero. You just need to add the -o argument, which creates the report (its format is guessed from the file extension):
golismero scan <website-target> -o - -o securityreport.html
For example, to create a report in the reports folder of the system with the name securityreport.html for the website sdkcarlos.github.io, we could simply run the following command:
golismero scan sdkcarlos.github.io -o - -o /root/reports/securityreport.html
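When the scan is run regularly, it helps to wrap the command above so that it only accepts hosts you are authorized to test and stores each report with owner-only permissions. The following wrapper is an added example, not part of GoLismero or of the original article; SCOPE_FILE, REPORT_DIR, DRY_RUN and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: scoped wrapper around the "golismero scan" command shown above.
# SCOPE_FILE, REPORT_DIR and DRY_RUN are assumptions of this example,
# not GoLismero settings.

SCOPE_FILE="${SCOPE_FILE:-./scope.txt}"   # one authorized hostname per line
REPORT_DIR="${REPORT_DIR:-./reports}"     # where the HTML reports are stored

# Accept only plain hostnames, so the value can never be read as an option
# (leading "-") or carry shell metacharacters.
valid_target() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# A target is in scope only if it matches a whole line of the scope file.
in_scope() {
    [ -f "$SCOPE_FILE" ] && grep -Fxq -- "$1" "$SCOPE_FILE"
}

# Report path: <REPORT_DIR>/<target>-<UTC timestamp>.html
report_path() {
    printf '%s/%s-%s.html' "$REPORT_DIR" "$1" "$(date -u +%Y%m%dT%H%M%SZ)"
}

# Usage: scan_target <hostname>
# With DRY_RUN set, the command is printed instead of executed.
scan_target() {
    _target="$1"
    valid_target "$_target" || { echo "rejected target: $_target" >&2; return 2; }
    in_scope "$_target"     || { echo "not in scope: $_target" >&2; return 3; }
    # Reports list the findings for the host: keep them owner-readable only.
    ( umask 077; mkdir -p "$REPORT_DIR" ) || return 4
    _report="$(report_path "$_target")"
    if [ -n "$DRY_RUN" ]; then
        echo "golismero scan $_target -o - -o $_report"
        return 0
    fi
    ( umask 077; golismero scan "$_target" -o - -o "$_report" )
}
```

Source the file, list your hosts in scope.txt, and call `scan_target sdkcarlos.github.io`; set `DRY_RUN=1` first to see the exact command without starting a scan.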
As you surely noticed, the layout remains consistent across all platforms, as the design of the report is totally responsive. The HTML report is completely self-contained in a single .html file, making it very easy to share.
Happy security review!