Vanguard Web App Scanner – Detect XSS and SQL Injection

By | 2012/03/22

Vanguard is a web application vulnerability scanner that checks your website for SQL injection and XSS. It is written entirely in Perl, so it is easy to modify for your needs. Vanguard works by first running an nmap port scan to determine whether the host has open HTTP ports, then crawling the entire site, and finally attempting a huge library of payloads.

I’ll show you how to get started with Vanguard!

First, on Debian/Ubuntu, install these required dependencies:

$ sudo apt-get install libyaml-perl libclone-perl nmap

Next, grab a copy of Vanguard.

$ wget

$ tar xvf vanguard-public.tgz

$ cd vanguard-public

Here is the usage:

Usage: -h [host/root]
  -c [conf path] Load config files from an alternate path
  -e [evasion]   IDS evasion technique to use
  -o [outfile]   File to output results to
  -v             Verbose

The evasion options are the same as Nikto's, and more than one can be used at once.

    1 - Random URI encoding (non-UTF8)
    2 - Directory self-reference (/./)
    3 - Premature URL ending
    4 - Prepend long random string
    5 - Fake parameter
    6 - TAB as request spacer
    7 - Change the case of the URL
    8 - Use Windows directory separator (\)
    A - Use a carriage return (0x0d) as a request spacer
    B - Use binary value 0x0b as a request spacer
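Because these evasion modes leave recognisable traces in web server and IDS logs, here is an added defender-side example (not code from the post or from Vanguard) that flags request lines carrying the signatures of modes 1, 2, 6, 7, 8, A and B from the list above; modes 3, 4 and 5 are not covered. The sample request lines are constructed for the example.

```python
import re

# Control bytes the Nikto-style spacer modes (6, A, B above) use in place of
# the single space that separates tokens in a normal HTTP request line.
SPACERS = {"\t": "6 TAB spacer", "\r": "A CR spacer", "\x0b": "B 0x0b spacer"}
# RFC 3986 unreserved characters plus "/": percent-encoding them is never
# required, which is the tell for mode 1 (random URI encoding).
UNRESERVED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~/")

# Constructed sample request lines (not taken from the post or a real log);
# the first and last are benign, the others each carry one evasion signature.
SAMPLE_REQUESTS = [
    "GET /index.php?id=1 HTTP/1.1",
    "GET /./admin/./login.php HTTP/1.1",       # 2: directory self-reference
    "GET /admin\\login.php HTTP/1.1",           # 8: Windows separator
    "GET\t/admin/login.php\tHTTP/1.1",          # 6: TAB as request spacer
    "GET\r/admin/login.php\rHTTP/1.1",          # A: 0x0d as request spacer
    "GET\x0b/admin/login.php\x0bHTTP/1.1",      # B: 0x0b as request spacer
    "GET /AdMiN/LoGiN.php HTTP/1.1",            # 7: changed case
    "GET /%61dmin/login.php HTTP/1.1",          # 1: "%61" is just "a"
    "GET /search?q=caf%C3%A9 HTTP/1.1",         # legitimate UTF-8 encoding
]

def evasion_flags(request_line):
    """Return the set of evasion-mode labels whose signature appears in one
    raw request line; the line terminator is stripped before checking."""
    line = request_line.rstrip("\r\n")
    flags = {label for ch, label in SPACERS.items() if ch in line}
    # Request target is the second token once any spacer is treated as a space.
    parts = re.split(r"[ \t\r\x0b]+", line)
    target = parts[1] if len(parts) > 1 else line
    path = target.split("?", 1)[0]        # ignore the query string
    if "/./" in path:
        flags.add("2 self-reference")
    if "\\" in path:
        flags.add("8 backslash separator")
    if re.search(r"[A-Z]", path):         # heuristic: most sites use lower-case paths
        flags.add("7 upper-case path")
    if any(chr(int(m.group(1), 16)) in UNRESERVED
           for m in re.finditer(r"%([0-9A-Fa-f]{2})", path)):
        flags.add("1 needless URI encoding")
    return flags

def flagged_requests(lines):
    """Pair each suspicious request line with its sorted list of flags."""
    return [(l, sorted(f)) for l in lines for f in [evasion_flags(l)] if f]

if __name__ == "__main__":
    for line, flags in flagged_requests(SAMPLE_REQUESTS):
        print(repr(line), "->", ", ".join(flags))
```

The upper-case check is a heuristic and will produce noise on sites that use mixed-case paths; the other checks match byte patterns a normal browser does not send.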

[Note: on Debian, I had to modify this nmap config file:

$ nano modules/recon/NMAP/conf.yml

flags: "-P0 --defeat-rst-ratelimit -sS -sV -F"

and remove the -sV flag, so that it now reads:]

flags: "-P0 --defeat-rst-ratelimit -sS -F"

And finally, here is an example scan. You must run it with sudo so that nmap can run.

$ sudo perl -h -v -o scanlog.txt

While that is running, you can tail your log file in another terminal window:

$ tail -f scanlog.txt
2012-03-22 20:41:33 INFO: NMAP: Scanning Ports...
2012-03-22 20:41:33 INFO: NMAP: nmap -P0 --defeat-rst-ratelimit -sS -F -oG -
2012-03-22 20:41:36 INFO: NMAP: Port Scan found ssh listener on 22 in state open
2012-03-22 20:41:36 INFO: NMAP: Port Scan found smtp listener on 25 in state open
2012-03-22 20:41:36 INFO: NMAP: Port Scan found http listener on 80 in state open
2012-03-22 20:41:36 INFO: NMAP: Port Scan found https listener on 443 in state open
2012-03-22 20:41:36 INFO: CRAWL: Crawling

Vanguard first crawls your site, which can take some time, and then tries its various SQL injection and XSS payloads. On a very large site the full scan can take many hours.

Only scan your own sites or sites that you have permission to scan! This scanner will light up various IDS/IPS and firewall logs with your IP address.

Results are extremely good – much better than most commercial web app scanners. If you need to audit a website for SQL injection and XSS with ease from the command line, Vanguard is the tool for you!
