Software Requirements Specification: Prepared By
Software Requirements Specification for ViPER

Software Requirements
Specification
for
ViPER

Prepared by,
P.S. Narayanan U314BCA043
Akhil Mahendra U314BCA007
Ananthakrishnan Nair U314BCA013
Gokul Gopinath P U314BCA025
College: Amrita Vishwa Vidyapeetham, Amritapuri
August 1st, Monday
Table of Contents

Revision History
1. Introduction
  1.1 Purpose
  1.2 Project Scope
  1.3 References
2. Overall Description
  2.1 Product Perspective
  2.2 Product Features
  2.3 User Classes and Characteristics
  2.4 Operating Environment
  2.5 Design and Implementation Constraints
  2.6 User Documentation
  2.7 Assumptions and Dependencies
3. System Features
  3.1 Reconnaissance
  3.2 Information Disclosure
  3.3 Web vulnerabilities check
4. External Interface Requirements
  4.1 User Interfaces
  4.2 Software Interfaces
  4.3 Communications Interfaces
5. Other Nonfunctional Requirements
  5.1 Performance Requirements
  5.2 Safety Requirements
  5.3 Security Requirements
  5.4 Software Quality Attributes
1. Introduction

The purpose of this section is to provide the reader with general background information about the penetration testing tool ViPER.

1.1 Purpose

This document is the Software Requirements Specification for the ViPER tool. This SRS describes the functions and performance requirements of the ViPER tool. This project aims at developing a tool for automating penetration testing of web applications. The main objective of this tool is to analyse almost every part of the application and to give the user feedback based on the analysis.

1.2 Project Scope

ViPER will automate the manual reconnaissance techniques and also check for web vulnerabilities. This tool comes with a web interface, so the results are easier to read than in a command line interface.

1.3 References

OWASP, Cross-site Scripting (XSS): https://www.owasp.org/index.php/Crosssite_Scripting_(XSS)
SQL Injection through HTTP headers: http://resources.infosecinstitute.com/sqlinjectionhttpheaders/
Path traversal: https://www.owasp.org/index.php/Path_Traversal
Python: https://www.python.org/doc/
Django: https://docs.djangoproject.com/en/1.10/
2. Overall Description

2.1 Product Perspective

ViPER is designed to automatically detect security issues in web applications. All it expects is the URL of the target website, and after a while it will present you with its findings. From the simple command line utility scanner to the intuitive and user-friendly web interface and collaboration platform, ViPER follows the principle of least surprise and provides you with plenty of feedback and guidance. From a user's or a component developer's point of view everything appears simple and straightforward, all the while providing power, performance and flexibility.

2.2 Product Features

ViPER scans a website from the user-given URL, analyses almost every part of the application and generates a detailed report for the user. It will cover all the basic reconnaissance and also check for web application vulnerabilities.

2.3 User Classes and Characteristics

The major user classes that are expected to use this product are as follows:

2.3.1 Penetration Testers

Penetration testers are the actual users of this tool. They use these kinds of tools to automate their pentesting, which saves a lot of time and effort.

2.3.2 Web app Testers

Web application testers use this tool to check whether their web app has any vulnerability.

2.3.3 Security Enthusiasts

The geeks will use our product to increase their understanding of penetration testing tools and may contribute to these kinds of projects.

2.4 Operating Environment

As this tool also has a web interface, it is a cross-platform app and can be used on any operating system. The command line interface of this app is available on both Windows and Linux (provided Python is installed).

2.5 Design and Implementation Constraints

Finding no issues after scanning a URL does not mean the web app is completely secure. New threats are born daily, so there is no guarantee that this tool or any other tool can completely secure a web application.

2.6 User Documentation

To assist the user in understanding the product better and in making better use of the product and its features, we will be providing a user manual. We will also be giving users a link where they can post queries and questions regarding the product and its functionality. A user tutorial will also be provided to assist the user in getting started with the product.

2.7 Assumptions and Dependencies

Currently all the modules are written in Python. Therefore Python is required to run the command line interface of the tool.
3. System Features

The tool consists of 2 user interfaces: a command line interface for advanced users and a web interface for all others. Both user interfaces contain all the modules.

3.1 Reconnaissance

3.1.a HTTP Header checks
3.1.b HTTP enabled methods check (Cross Site Tracing)
3.1.c Cookie checks (decodes base64 automatically)

3.1.1 Description and Priority

Reconnaissance, or preliminary surveying or research, is done first. This gives the user a basic overview of their web app as well as the basic recon checks mentioned above. In total the reconnaissance module will give the user an overview of the response headers and also basic recon results, including CSS checks and cookie checks.

3.1.2 Stimulus/Response Sequences

Stimulus: User inputs a URL of the web app.
Response: System asks for reconnaissance options.
Stimulus: User gives specific options.
Response: System scans the URL with the options and gives a detailed report of the scan.
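The three reconnaissance checks above (3.1.a header review, 3.1.b TRACE detection, 3.1.c cookie flags with automatic base64 decoding), shown as an added Python example that is not the ViPER project's own code. It runs offline over a constructed HTTP response; the header list SECURITY_HEADERS and the function names are this example's own choices, not the tool's.

```python
import base64
import binascii

# Constructed sample response (not captured from any real host), as the recon
# module would see it after an OPTIONS request to the target URL.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.18\r\n"
    "Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"
    "Set-Cookie: session=dXNlcj1hZG1pbjtyb2xlPWFkbWlu; Path=/\r\n"
    "Set-Cookie: lang=en; Secure; HttpOnly\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
    "<html></html>"
)
SECURITY_HEADERS = ("X-Frame-Options", "Content-Security-Policy",
                    "Strict-Transport-Security", "X-Content-Type-Options")

def parse_headers(raw):
    """Return (name, value) pairs, keeping duplicates such as repeated Set-Cookie."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]   # drop the status line
    return [tuple(p.strip() for p in ln.split(":", 1)) for ln in lines if ":" in ln]

def decode_cookie_value(value):
    """3.1.c: decoded text if the value is base64 of printable ASCII, else None."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if text and text.isprintable() else None

def recon_checks(raw):
    headers = parse_headers(raw)
    present = {n.lower() for n, _ in headers}
    findings = {"headers": [], "methods": [], "cookies": []}
    # 3.1.a: hardening headers the response should carry
    findings["headers"] = [f"missing {h}" for h in SECURITY_HEADERS if h.lower() not in present]
    for n, v in headers:
        # 3.1.b: TRACE in Allow means the server reflects requests (Cross Site Tracing)
        if n.lower() == "allow" and "TRACE" in {m.strip().upper() for m in v.split(",")}:
            findings["methods"].append("TRACE enabled (XST)")
        # 3.1.c: cookie flags, then an automatic base64 decode of the value
        if n.lower() == "set-cookie":
            attrs = [p.strip() for p in v.split(";")]
            name, _, val = attrs[0].partition("=")
            flags = {a.lower() for a in attrs[1:]}
            findings["cookies"] += [f"{name}: missing {f}" for f in ("Secure", "HttpOnly")
                                    if f.lower() not in flags]
            decoded = decode_cookie_value(val)
            if decoded is not None:
                findings["cookies"].append(f"{name}: base64 decodes to {decoded!r}")
    return findings
```

The decoded session cookie shows why 3.1.c matters: a base64 value is encoded, not protected, so anything it reveals (here a role) is visible to the client.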
3.2 Information Disclosure

3.2.a Robots.txt Analysis
3.2.b .htaccess public access check
3.2.c .svn/entries public access check
3.2.d Microsoft IIS internal IP disclosure check

3.2.1 Description and Priority

Information disclosure enables an attacker to gain valuable information about a system. The information collected can be used to attack the website.

3.2.2 Stimulus/Response Sequences

Stimulus: User inputs a URL of the web app.
Response: System asks for information disclosure sub-options.
Stimulus: User gives specific options.
Response: System scans the URL with the options and gives a detailed report of the scan.
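Two of the information disclosure checks (3.2.a robots.txt analysis and 3.2.d internal IP disclosure in redirect headers), as an added Python example that is not the ViPER project's own code. Both inputs are constructed inline; the SENSITIVE_HINTS word list and the function names are this example's assumptions.

```python
import ipaddress
import re

# Constructed sample inputs (not fetched from any real host).
SAMPLE_ROBOTS = """User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /cgi-bin/
Allow: /public/
Sitemap: https://example.test/sitemap.xml
"""
# Headers a misconfigured IIS host may return to a request without a Host
# header: the redirect is built from the server's own internal address.
SAMPLE_IIS_HEADERS = {
    "Server": "Microsoft-IIS/6.0",
    "Location": "http://10.0.0.12/default.aspx",
}
SENSITIVE_HINTS = ("admin", "backup", "config", "private", "cgi-bin", "upload")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def analyse_robots(text):
    """3.2.a: collect Disallow entries and flag paths whose names hint at sensitive
    content. Disallow is only a crawler hint, so it often advertises hidden paths."""
    disallowed, sensitive = [], []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        path = value.strip()
        if key.strip().lower() != "disallow" or not path:
            continue
        disallowed.append(path)
        if any(h in path.lower() for h in SENSITIVE_HINTS):
            sensitive.append(path)
    return {"disallowed": disallowed, "sensitive": sensitive}

def internal_ip_disclosure(headers):
    """3.2.d: non-public addresses (RFC 1918, loopback, link-local) found in
    Location / Content-Location headers, reported as (header, ip) pairs."""
    lowered = {k.lower(): v for k, v in headers.items()}
    leaked = []
    for name in ("location", "content-location"):
        for match in IP_RE.findall(lowered.get(name, "")):
            try:
                ip = ipaddress.ip_address(match)
            except ValueError:          # e.g. 999.1.1.1 matches the regex but is no IP
                continue
            if ip.is_private:
                leaked.append((name, str(ip)))
    return leaked
```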
3.3 Web vulnerabilities check

3.3.a Error based SQL injection
3.3.b Cross Site Scripting
3.3.c Other URL based attacks

3.3.1 Description and Priority

This module will check for all possible web based attacks, and if any web vulnerability is found, a link about how to exploit the vulnerability is given back to the user.

3.3.2 Stimulus/Response Sequences

Stimulus: User inputs a URL of the web app.
Response: System asks for web attack sub-options.
Stimulus: User gives specific options.
Response: System performs the specific attacks on the URL with the options and gives a detailed report of the scan.
4. External Interface Requirements

4.1 User Interfaces

Basically there will be two interfaces, i.e., a command line interface and a web user interface. The command line interface is for advanced users and gives them more control over the tool. The web interface will provide the same functions but with less control compared to the command line. This is mainly for normal users.

4.2 Software Interfaces

The software will depend on the security features provided by the operating system and the Python language.

4.3 Communications Interfaces

This tool uses a web browser to display the web UI. The latest version of Firefox or Google Chrome is recommended.

5. Other Nonfunctional Requirements

5.1 Performance Requirements

In order to get maximum performance from the tool, the command line user interface is limited to using only 3 options at a time.

5.2 Safety Requirements

Using this tool to scan websites without their prior knowledge is considered a black hat activity, and doing so is a criminal offence.

5.3 Security Requirements

The safety part of the system will be based on the facilities provided by the OS and the inherent security features provided by the Python language.

5.4 Software Quality Attributes

The tool is based on Python, which makes it scalable and easy to maintain. Secondly, the system will provide the user with an easy-to-use and understandable GUI. The user can easily interact with the tool through menus and text areas.