Spaghetti, scan the security of your Web applications

logo spaghetti web analyzer

In this article we are going to take a look at Spaghetti, an open source application developed in Python that allows us to scan web applications for vulnerabilities in order to correct them. The application is designed to find various default or insecure files, as well as to detect misconfigurations.

Today, any user with minimal knowledge can create web applications, which is why thousands of them are created every day. The problem is that many are built without following basic security guidelines. To avoid leaving doors open, we can use this program to check that our web applications are at a high, or at least acceptable, level of security. Spaghetti is a very interesting and easy-to-use vulnerability scanner.

General characteristics of Spaghetti 0.1.0

As it has been developed in Python, this tool can run on any operating system that has Python 2.7 available.

The program contains powerful fingerprinting that allows us to collect information about a web application. Among all the information it can collect, this application highlights details about the server, the framework used for development (CakePHP, CherryPy, Django, ...), whether there is an active firewall in front of it (Cloudflare, AWS, Barracuda, ...), whether it has been built with a CMS (Drupal, Joomla, WordPress, etc.), the operating system the application runs on and the programming language used.
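To see what this kind of fingerprinting actually reads from a site, here is a small header-based fingerprinter of the same flavour, written for this article and not taken from Spaghetti itself; the response headers, the `example.test` host and the CF-RAY value are constructed samples, and `version_leaks` is the defender's side of the same idea: which of your own headers disclose version numbers worth stripping.

```python
import re

# Constructed sample response headers for a hypothetical site (not real data).
SAMPLE_HEADERS = {
    "Server": "cloudflare",
    "CF-RAY": "0000000000000000-XXX",  # placeholder value, constructed
    "X-Powered-By": "PHP/7.2.24",
    "Link": '<https://example.test/wp-json/>; rel="https://api.w.org/"',
    "Set-Cookie": "wordpress_test_cookie=WP+Cookie+check; path=/",
}

def fingerprint(headers):
    """Infer server, language, framework, CMS and WAF hints from response
    headers, the way a scanner's fingerprinting module does. Header names are
    matched case-insensitively; only categories with a hit are returned."""
    h = {k.lower(): v for k, v in headers.items()}
    found = {}

    def hit(category, name):
        found.setdefault(category, [])
        if name not in found[category]:
            found[category].append(name)

    if "server" in h:
        hit("server", h["server"])
    powered = h.get("x-powered-by", "").lower()
    if "php" in powered:
        hit("language", "PHP")
    if "asp.net" in powered or "x-aspnet-version" in h:
        hit("language", "ASP.NET")
    cookies = h.get("set-cookie", "").lower()
    if "csrftoken=" in cookies or "sessionid=" in cookies:
        hit("framework", "Django")
    if "cakephp=" in cookies:
        hit("framework", "CakePHP")
    if "wordpress" in cookies or "wp-json" in h.get("link", ""):
        hit("cms", "WordPress")
    if "drupal" in h.get("x-generator", "").lower() or "x-drupal-cache" in h:
        hit("cms", "Drupal")
    if "cf-ray" in h or "cloudflare" in h.get("server", "").lower():
        hit("waf", "Cloudflare")
    return found

def version_leaks(headers):
    """Defender's check: names of headers whose value discloses a version
    number (e.g. 'PHP/7.2.24'), which is what you would want to strip."""
    return [k for k, v in headers.items() if re.search(r"\d+\.\d+", v)]
```

Run `fingerprint(SAMPLE_HEADERS)` to see the inferred categories and `version_leaks(SAMPLE_HEADERS)` to list the headers that give away version numbers.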

spaghetti analysis result

We can also obtain information about the administration panel of the web application, back doors (if there are any) and many other things. Furthermore, this program comes with a series of other useful functions. All of this we can do from the terminal in a simple way.

In general, using this program from the terminal works as follows. Each time we run the tool we simply choose the URL of the web application we want to analyze, and we enter the parameters corresponding to the functionality we want to apply. The tool then carries out the corresponding analysis and shows the results obtained.

We can access the application's code and its features from the project's GitHub page. The utility is quite powerful and easy to use. It must also be said that it has a very active developer, who specializes in computer security tools, so I guess the next update is only a matter of time.

Install Spaghetti 0.1.0

In this article we are going to install it on Ubuntu 16.04, but Spaghetti can be installed on any distribution. We simply need to have Python 2.7 installed (at a minimum) and run the following commands:

git clone https://github.com/m4ll0k/Spaghetti.git
cd Spaghetti
pip install -r doc/requirements.txt
python spaghetti.py -h

Once the installation is finished, we can use the tool in all the web applications that we want to scan.

Use Spaghetti

It is important to note that the best use we can make of this tool is to find open security gaps in our own web applications. With the program, once the security flaws have been found, it should be easy for us to fix them (if we are the developers). This way we can make our applications more secure.

To use this program, as I said previously, from the terminal (Ctrl + Alt + T) we will have to type something like the following:

python spaghetti.py -u "objetivo" -s [0-3]

or we can also use:

python spaghetti.py --url "objetivo" --scan [0-3]

Where it says "objetivo" (target) you have to put the URL to analyze. The -u or --url option refers to the scan target, and -s or --scan gives us different possibilities from 0 to 3. You can check their more detailed meaning in the program's help.

If we want to know what options it makes available to us, we can use the help that it shows on screen.

It would be naive not to realise that other users could take advantage of this tool to try to access web applications that they do not own. This will depend on the ethics of each user.


Jimmy Olano said:

    As incredible as it may seem, the installation fails for me when it tries to install "Beautiful Soup": it does not support Python 3 at all and, because of the nonsense of the captions in "print", they should have used "import from __future__":

    Collecting Beautiful Soup
    Downloading BeautifulSoup-3.2.1.tar.gz
    Complete output from command python setup.py egg_info:
    Traceback (most recent call last):
    File "<string>", line 1, in <module>
    File "/tmp/pip-build-hgiw5x3b/BeautifulSoup/setup.py", line 22
    print "Unit tests have failed!"
    ^
    SyntaxError: Missing parentheses in call to 'print'

    Damian Amoedo said:

      I think BeautifulSoup can be installed using sudo apt install python-bs4. Hope it solves your problem. Regards.