Packages and Binaries:

web-cache-vulnerability-scanner

Web Cache Vulnerability Scanner (WCVS) is a fast and versatile CLI scanner for web cache poisoning and web cache deception developed by Hackmanit and Maximilian Hildebrand.

The scanner supports many different web cache poisoning and web cache deception techniques, includes a crawler to identify further URLs to test, and can adapt to a specific web cache for more efficient testing. It is highly customizable and can be easily integrated into existing CI/CD pipelines.

Installed size: 6.02 MB
How to install: sudo apt install web-cache-vulnerability-scanner

Dependencies:
  • libc6

Web-Cache-Vulnerability-Scanner
root@kali:~# Web-Cache-Vulnerability-Scanner -h

__/\\____/\\___/\\_____/\\\\\\\\__/\\\____/\\\__/\\\\\\\\\\_     
 _\/\\\__/\\\\_/\\\___/\\\//////__\//\\\__/\\\__\/\\\//////__    
  _\//\\\/\\\\\/\\\___/\\\__________\//\\\/\\\___\/\\\\\\\\\\_   
   __\//\\\\\/\\\\\___\//\\\__________\//\\\\\____\////////\\\_  
    ___\//\\\\//\\\_____\///\\\\\\\\____\//\\\______/\\\\\\\\\\_ 
     ____\///__\///________\////////______\///______\//////////__
WCVS - the Web Cache Vulnerability Scanner. (v1.2.1)

Published by Hackmanit under http://www.apache.org/licenses/LICENSE-2.0
Author: Maximilian Hildebrand
Repository: https://github.com/Hackmanit/Web-Cache-Vulnerability-Scanner
Blog Post: https://hackmanit.de/en/blog-en/145-web-cache-vulnerability-scanner-wcvs-free-customizable-easy-to-use
Usage: Web-Cache-Vulnerability-Scanner(.exe) [options]

General Options:
--help				-h	Show this help and quit
--verbosity			-v	Set verbosity. 0 = quiet, 1 = normal, 2 = verbose
--reqrate			-rr	Requests per second. Float value. Has to be greater than 0. Default value is infinite
--threads			-t	Threads to use. Default value is 20
--timeout			-to	Seconds until timeout. Default value is 15
--onlytest			-ot	Choose which tests to run. Use the , separator to specify multiple ones. Example: -onlytest 'deception,cookies,css,forwarding,smuggling,dos,headers,parameters,fatget,cloaking,splitting'
--skiptest			-st	Choose which tests to not run. Use the , separator to specify multiple ones. Example: -skiptest 'deception,cookies,css,forwarding,smuggling,dos,headers,parameters,fatget,cloaking,splitting'
--proxycertpath			-ppath	Path to the cert of the proxy you want to use. The cert has to have the PEM Format. Burp e.g. is in the DER Format. Use the following command to convert it: openssl x509 -inform DER -outform PEM -text -in cacert.der -out certificate.pem
--proxyurl			-purl	Url for the proxy. Default value is http://127.0.0.1:8080
--force				-f	Perform the tests no matter if there is a cache or even the cachebuster works or not
--ignorestatus			-is	Specify a custom cache header
--contentlengthdifference	-cldiff	Threshold for reporting possible Finding, when 'poisoned' response differs more from the original length. Default is 0 (don't check)
--hitmissdifference		-hmdiff	Threshold for time difference between cache hit and cache miss responses. Default is 30
--cacheheader			-ch	Specify a custom cache header
--nocolor			-nc	Disable color output

Generate Options:
--generatepath		-gp	Path all files (log, report, completed) will be written to. Example: -gp '/p/a/t/h/'. Default is './'
--generatereport	-gr	Do you want a report to be generated?
--escapejson		-ej	Do you want HTML special chars to be encoded in the report?
--generatecompleted	-gc	Do you want a list with completed URLs to be generated?

Request Options:
--url			-u	Url to scan. Has to start with http:// or https://. Otherwise use file: to specify a file with (multiple) urls. E.g. -u https://www.example.com or -u file:/usr/share/web-cache-vulnerability-scanner/templates/url_list
--usehttp		-http	Use http instead of https for URLs, which doesn't specify either one
--declineCookies	-dc	Do you don't want to use cookies, which are received in the response of the first request?
--cachebuster		-cb	Specify the cachebuster to use. The default value is cachebuster
--setcookies		-sc	Set a Cookie. Otherwise use file: to specify a file with urls. E.g. -sc uid=123 or -sc file:/usr/share/web-cache-vulnerability-scanner/templates/cookie_list
--setheaders		-sh	Set a Header. Otherwise use file: to specify a file with urls. E.g. -sh 'User-Agent: Safari/1.1' or -sh file:/usr/share/web-cache-vulnerability-scanner/templates/header_list
--setparameters		-sp	Set a Query Parameter. Otherwise use file: to specify a file with urls. E.g. -sp user=admin or -sp file:/usr/share/web-cache-vulnerability-scanner/templates/parameter_list
--setbody		-sb	Set the requests' body. Otherwise use file: to specify a file with urls. E.g. -sb 'admin=true' or -sh file:/usr/share/web-cache-vulnerability-scanner/templates/body_file
--post			-post	Do a POST request instead of a GET request
--contenttype		-ct	Set the contenttype for a POST Request. Default is application/x-www-form-urlencoded. If you don't want a content-type to be used at all use -ct ''
--parameterseparator	-ps	Specify the separator for parameters. The default value is &
--useragentchrome	-uac	Set chrome as User-Agent. Default is WebCacheVulnerabilityScanner v1.2.1

Crawl Options:
--recursivity	-r	Put (via href or src specified) urls at the end of the queue if the domain is the same. Specify how deep the recursivity shall go. Default value is 0 (no recursivity)
--reclimit	-rl	Define a limit, how many files shall be checked recursively. Default is 0 (unlimited)
--recinclude	-rin	Choose which links should be included. Separate with a space. E.g: -rin '.js .css'
--recexclude	-rex	Use -cp (-completedpath) or -gc (-generatecompleted) to generate a list of already completed URLs. Use -rex path/to/file so the already completed URLs won't be tested again recursively.
--recdomains	-red	Define an additional domain which is allowed to be added recursively. Otherwise use file: to specify a file with urls. E.g. -sh 'api.example.com' or -sh file:/usr/share/web-cache-vulnerability-scanner/templates/recdomains_list

Wordlist Options:
--headerwordlist	-hw	Wordlist for headers to test. Default path is 'wordlists/top-headers'
--parameterwordlist	-pw	Wordlist for query parameters to test. Default path is 'wordlists/top-parameters'

wcvs
root@kali:~# wcvs -h

__/\\____/\\___/\\_____/\\\\\\\\__/\\\____/\\\__/\\\\\\\\\\_     
 _\/\\\__/\\\\_/\\\___/\\\//////__\//\\\__/\\\__\/\\\//////__    
  _\//\\\/\\\\\/\\\___/\\\__________\//\\\/\\\___\/\\\\\\\\\\_   
   __\//\\\\\/\\\\\___\//\\\__________\//\\\\\____\////////\\\_  
    ___\//\\\\//\\\_____\///\\\\\\\\____\//\\\______/\\\\\\\\\\_ 
     ____\///__\///________\////////______\///______\//////////__
WCVS - the Web Cache Vulnerability Scanner. (v1.2.1)

Published by Hackmanit under http://www.apache.org/licenses/LICENSE-2.0
Author: Maximilian Hildebrand
Repository: https://github.com/Hackmanit/Web-Cache-Vulnerability-Scanner
Blog Post: https://hackmanit.de/en/blog-en/145-web-cache-vulnerability-scanner-wcvs-free-customizable-easy-to-use
Usage: Web-Cache-Vulnerability-Scanner(.exe) [options]

General Options:
--help				-h	Show this help and quit
--verbosity			-v	Set verbosity. 0 = quiet, 1 = normal, 2 = verbose
--reqrate			-rr	Requests per second. Float value. Has to be greater than 0. Default value is infinite
--threads			-t	Threads to use. Default value is 20
--timeout			-to	Seconds until timeout. Default value is 15
--onlytest			-ot	Choose which tests to run. Use the , separator to specify multiple ones. Example: -onlytest 'deception,cookies,css,forwarding,smuggling,dos,headers,parameters,fatget,cloaking,splitting'
--skiptest			-st	Choose which tests to not run. Use the , separator to specify multiple ones. Example: -skiptest 'deception,cookies,css,forwarding,smuggling,dos,headers,parameters,fatget,cloaking,splitting'
--proxycertpath			-ppath	Path to the cert of the proxy you want to use. The cert has to have the PEM Format. Burp e.g. is in the DER Format. Use the following command to convert it: openssl x509 -inform DER -outform PEM -text -in cacert.der -out certificate.pem
--proxyurl			-purl	Url for the proxy. Default value is http://127.0.0.1:8080
--force				-f	Perform the tests no matter if there is a cache or even the cachebuster works or not
--ignorestatus			-is	Specify a custom cache header
--contentlengthdifference	-cldiff	Threshold for reporting possible Finding, when 'poisoned' response differs more from the original length. Default is 0 (don't check)
--hitmissdifference		-hmdiff	Threshold for time difference between cache hit and cache miss responses. Default is 30
--cacheheader			-ch	Specify a custom cache header
--nocolor			-nc	Disable color output

Generate Options:
--generatepath		-gp	Path all files (log, report, completed) will be written to. Example: -gp '/p/a/t/h/'. Default is './'
--generatereport	-gr	Do you want a report to be generated?
--escapejson		-ej	Do you want HTML special chars to be encoded in the report?
--generatecompleted	-gc	Do you want a list with completed URLs to be generated?

Request Options:
--url			-u	Url to scan. Has to start with http:// or https://. Otherwise use file: to specify a file with (multiple) urls. E.g. -u https://www.example.com or -u file:/usr/share/web-cache-vulnerability-scanner/templates/url_list
--usehttp		-http	Use http instead of https for URLs, which doesn't specify either one
--declineCookies	-dc	Do you don't want to use cookies, which are received in the response of the first request?
--cachebuster		-cb	Specify the cachebuster to use. The default value is cachebuster
--setcookies		-sc	Set a Cookie. Otherwise use file: to specify a file with urls. E.g. -sc uid=123 or -sc file:/usr/share/web-cache-vulnerability-scanner/templates/cookie_list
--setheaders		-sh	Set a Header. Otherwise use file: to specify a file with urls. E.g. -sh 'User-Agent: Safari/1.1' or -sh file:/usr/share/web-cache-vulnerability-scanner/templates/header_list
--setparameters		-sp	Set a Query Parameter. Otherwise use file: to specify a file with urls. E.g. -sp user=admin or -sp file:/usr/share/web-cache-vulnerability-scanner/templates/parameter_list
--setbody		-sb	Set the requests' body. Otherwise use file: to specify a file with urls. E.g. -sb 'admin=true' or -sh file:/usr/share/web-cache-vulnerability-scanner/templates/body_file
--post			-post	Do a POST request instead of a GET request
--contenttype		-ct	Set the contenttype for a POST Request. Default is application/x-www-form-urlencoded. If you don't want a content-type to be used at all use -ct ''
--parameterseparator	-ps	Specify the separator for parameters. The default value is &
--useragentchrome	-uac	Set chrome as User-Agent. Default is WebCacheVulnerabilityScanner v1.2.1

Crawl Options:
--recursivity	-r	Put (via href or src specified) urls at the end of the queue if the domain is the same. Specify how deep the recursivity shall go. Default value is 0 (no recursivity)
--reclimit	-rl	Define a limit, how many files shall be checked recursively. Default is 0 (unlimited)
--recinclude	-rin	Choose which links should be included. Separate with a space. E.g: -rin '.js .css'
--recexclude	-rex	Use -cp (-completedpath) or -gc (-generatecompleted) to generate a list of already completed URLs. Use -rex path/to/file so the already completed URLs won't be tested again recursively.
--recdomains	-red	Define an additional domain which is allowed to be added recursively. Otherwise use file: to specify a file with urls. E.g. -sh 'api.example.com' or -sh file:/usr/share/web-cache-vulnerability-scanner/templates/recdomains_list

Wordlist Options:
--headerwordlist	-hw	Wordlist for headers to test. Default path is 'wordlists/top-headers'
--parameterwordlist	-pw	Wordlist for query parameters to test. Default path is 'wordlists/top-parameters'
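
The description above says WCVS can be integrated into CI/CD pipelines. As an added example (not part of the original page or the WCVS project), this POSIX shell wrapper checks a job's inputs against the constraints in the help output before starting a scan. The function names, the WCVS_BIN override and the treatment of -gr, -gc and -nc as switches that take no value are assumptions of this example.

```shell
#!/bin/sh
# Added example (not WCVS project code): CI wrapper enforcing the input
# constraints stated in the help output before a scan is started.

# True when $1 is a plain decimal number greater than 0 (the -rr requirement).
is_positive_float() {
    case $1 in
        ''|*[!0-9.]*|*.*.*|.*|*.) return 1 ;;  # empty, non-numeric, malformed
    esac
    case $1 in
        *[1-9]*) return 0 ;;                   # at least one non-zero digit
    esac
    return 1
}

# Usage: wcvs_ci_scan TARGET RATE OUTDIR [TESTS]
# WCVS_BIN is this example's own override for the binary (default: wcvs).
wcvs_ci_scan() {
    target=$1 rate=$2 outdir=$3 tests=${4:-}

    # -u: must start with http:// or https://, or file: for a list of URLs.
    case $target in
        http://?*|https://?*|file:?*) ;;
        *) echo "wcvs_ci_scan: unsupported target '$target'" >&2; return 2 ;;
    esac

    # -rr: the default rate is infinite, so CI always passes an explicit one.
    is_positive_float "$rate" || {
        echo "wcvs_ci_scan: rate must be a float greater than 0" >&2; return 2
    }

    # -gp: the help example writes the path with a trailing slash.
    case $outdir in
        '') echo "wcvs_ci_scan: output directory required" >&2; return 2 ;;
        */) ;;
        *)  outdir=$outdir/ ;;
    esac
    mkdir -p "$outdir" || return 2

    # -gr report, -gc completed-URL list, -nc uncoloured output for CI logs
    # (assumed to be switches that take no value).
    set -- -u "$target" -rr "$rate" -gp "$outdir" -gr -gc -nc
    # -ot: restrict the run to the named tests only when a list was given.
    [ -z "$tests" ] || set -- "$@" -ot "$tests"

    "${WCVS_BIN:-wcvs}" "$@"
}
```

The wrapper passes the scanner's exit status through without interpreting it; the log, report and completed-URL list are written under the -gp path.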

Updated on: 2024-Nov-17