yawast

YAWAST is an application meant to simplify initial analysis and information gathering for penetration testers and security auditors. It performs basic checks in these categories:

  • TLS/SSL – Versions and cipher suites supported; common issues.
  • Information Disclosure – Checks for common information leaks.
  • Presence of Files or Directories – Checks for files or directories that could indicate a security issue.
  • Common Vulnerabilities
  • Missing Security Headers

This is meant to provide a easy way to perform initial analysis and information discovery. The idea is to provide a quick way to perform initial data collection, which can then be used to better target further tests.

Installing YAWAST

Kali Rolling

To install on Kali, just run the following command (all of the dependentcies are already installed).

gem install yawast

Ubuntu 16.04

sudo apt-get install ruby ruby-dev
sudo gem install yawast

Mac OSX

The version of Ruby shipped with Mac OSX 10.11 is too old, so the recommended solution is to use RVM:

gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
\curl -sSL https://get.rvm.io | bash -s stable
source ~/.rvm/scripts/rvm
rvm install 2.2
rvm use 2.2 --default
gem install yawast

Updating YAWAST

Once you install Ruby, run the following command to update YAWAST:

gem update yawast

YAWAST Tests

The following tests are performed:

(Generic) Info Disclosure: X-Powered-By header present
(Generic) Info Disclosure: X-Pingback header present
(Generic) Info Disclosure: X-Backend-Server header present
(Generic) Info Disclosure: X-Runtime header present
(Generic) Info Disclosure: Via header present
(Generic) Info Disclosure: PROPFIND Enabled
(Generic) TRACE Enabled
(Generic) X-Frame-Options header not present
(Generic) X-Content-Type-Options header not present
(Generic) Content-Security-Policy header not present
(Generic) Public-Key-Pins header not present
(Generic) X-XSS-Protection disabled header present
(Generic) SSL: HSTS not enabled
(Generic) Source Control: Common source control directories present
(Generic) Presence of crossdomain.xml or clientaccesspolicy.xml
(Generic) Presence of sitemap.xml
(Generic) Presence of WS_FTP.LOG
(Generic) Presence of RELEASE-NOTES.txt
(Generic) Presence of readme.html
(Generic) Missing cookie flags (Secure & HttpOnly)
(Generic) Search for common directories
(Apache) Info Disclosure: Module listing enabled
(Apache) Info Disclosure: Server version
(Apache) Info Disclosure: OpenSSL module version
(Apache) Presence of /server-status
(Apache) Presence of /server-info
(IIS) Info Disclosure: Server version
(ASP.NET) Info Disclosure: ASP.NET version
(ASP.NET) Info Disclosure: ASP.NET MVC version
(ASP.NET) Presence of Trace.axd
(ASP.NET) Presence of Elmah.axd
(ASP.NET) Debugging Enabled
(nginx) Info Disclosure: Server version
(PHP) Info Disclosure: PHP version

CMS Detection:

Generic (Generator meta tag)

SSL Information:

Certificate details
Certificate chain
Supported ciphers
Maximum requests in a single connection

Checks for the following SSL issues are performed:

Expired Certificate
Self-Signed Certificate
MD5 Signature
SHA1 Signature
RC4 Cipher Suites
Weak (< 128 bit) Cipher Suites SWEET32 More information can be found at GitHub.