Web Server Scanners: Find Your Vulnerabilities Before Hackers Do: Page 2

Robust firewall rules and strict router access control lists alone are not enough to protect a Web server. A strong Web server build policy is also a must, and Web vulnerability scanners are the tool for verifying that the security aspects of that build policy have actually been applied.

Ensure Strong Passwords
The hardest part of a build policy to verify, for anything other than HTTP Basic Authentication, is strong password creation. A good scanner will be able to perform at least rudimentary password guessing so you can confirm that no account uses an easily guessed password. Form-based authentication, such as the logins at mail.yahoo.com or www.hotmail.com, is more difficult, but not impossible, to attack this way.

The Scanner Review
Whisker popularized web vulnerability scanning, and its Perl implementation made extending the URL database easy. Its most under-used capability is that it can run as a CGI script simply by placing it in the /cgi-bin/ directory of your web server. Whisker is best used as a URL scanner: it identifies web pages with known security problems and pages that should be removed to leave a clean web document root. It can also perform brute force attacks against sites that use HTTP Basic Authentication.

The disadvantage of Whisker is that it has not been updated in a while, although the author is developing a major update that will add more checks and features. The current version can scan servers over SSL, but it suffers from being primarily a URL checker: if it finds a page, it reports it to the user, but it has no checks for recent IIS bugs such as the Unicode and Double Decode directory traversals or Netscape's ?PageServices directory listing bug. Such checks are not easy to implement with Whisker's current engine, but the following addition to the scan.db file serves as a temporary fix for ?PageServices. The eval block inspects the fetched page source and reports a hit only when it looks like a directory listing, rather than treating any successful response as a finding:

    scan () / > > /?PageServices
    eval
    if ( $D{'XXPageSrc'} =~ /index of/i ) { print "Vulnerable!\n"; }
    else { print "...false alarm ;(\n"; }
    endeval

The next release, based on libWhisker, will address these bugs.

The Stealth scanner trades Whisker's portability for a Windows-style GUI. Stealth is more actively maintained than the 1.x series of Whisker and consequently has a larger vulnerability database, including Unicode and PageServices checks, but it has a high ratio of false positives (reports of vulnerabilities that do not exist). For example, it returns a false positive for the /?PageServices check whenever the server answers unknown requests with a default page instead of an error. All of these scanners share this drawback, due to the limited intelligence built into their engines.

Stealth is fast and comprehensive. The user can select a range of IP addresses to scan but cannot supply a file listing individual IP addresses, which would be more helpful for administrators who want to focus on a Web farm or on specific servers.

Nessus is a vulnerability checker that does not limit itself to web servers. It takes more effort to set up than Whisker or Stealth does, but it is actively maintained and has up-to-date vulnerability checks. It also returns false positives, however.

The twwwscan/arirang pair is another vulnerability scanner. Twwwscan is a binary program for Windows systems; Arirang is the Unix version and shares the twwwscan engine. Both let the user specify hosts, networks, and IP address ranges, and customize the CGI checks easily through .uxe text files. Twwwscan checks for specific, known server vulnerabilities, but it also has an extensive list of checks for common misconfigurations that might apply to any homegrown web server. Both tools are actively updated.

All of the tools discussed here share two positive attributes: they have relatively comprehensive lists of vulnerable URLs, and they can perform brute force password attacks against HTTP Basic Authentication or rudimentary form-based authentication. The source code for Whisker, Nessus, and Arirang is available for users who want to get under the hood and tinker with the engine. The major drawbacks of every engine are the level of false positives and the lack of application-specific checks. The false positives can be reduced with better intelligence when interpreting the results. Stealth and twwwscan run only on Windows platforms; the other tools run on Unix or Windows, and BSD users will find that Whisker, Nessus, and Arirang are only a ports update away.
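As an added illustration of that "better intelligence" (example code written for this edit, not part of Whisker, Stealth, or any of the scanners reviewed), the following Python script contrasts a status-only URL checker with one that confirms its findings. It fingerprints the server's answer to a path that cannot exist, discards any probe whose response matches that catch-all fingerprint, and for the /?PageServices check applies the same "index of" content test as the scan.db eval shown earlier. The server it probes is a constructed stand-in function; in real use fetch() would wrap an HTTP client. The /old/ probe and the page bodies are assumptions made up for the example.

```python
import hashlib
import random
import re
import string
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    body: str


# Constructed pages for the stand-in server below (not real server output).
DEFAULT_PAGE = "<html><body><h1>Welcome to Example Corp</h1></body></html>"
LISTING_PAGE = (
    "<html><head><title>Index of /</title></head>"
    "<body><a href='old.tar'>old.tar</a></body></html>"
)


def make_server(catch_all, listing_bug):
    """Return a fetch(path) function that imitates a web server.

    catch_all=True   -> unknown paths get the default page with status 200
                        instead of a 404 (the behaviour that fools scanners).
    listing_bug=True -> /?PageServices really returns a directory listing.
    """
    def fetch(path):
        if path == "/?PageServices" and listing_bug:
            return Response(200, LISTING_PAGE)
        if path.split("?", 1)[0] in ("/", "/index.html"):
            return Response(200, DEFAULT_PAGE)   # query string is ignored
        if catch_all:
            return Response(200, DEFAULT_PAGE)
        return Response(404, "<html><body>404 Not Found</body></html>")
    return fetch


# Checks to run: path -> optional regex that must match the body to count as a
# hit. /?PageServices and its "index of" signature come from the article; /old/
# is a hypothetical leftover directory used only as an existence probe.
CHECKS = {
    "/?PageServices": re.compile(r"index of", re.I),
    "/old/": None,
}


def naive_scan(fetch, checks):
    """What a status-only URL checker does: any 200 is reported as present."""
    return {path: "present" if fetch(path).status == 200 else "absent"
            for path in checks}


def fingerprint(resp):
    return resp.status, hashlib.sha256(resp.body.encode()).hexdigest()


def baseline(fetch):
    """Fingerprint the answer to a path that cannot exist, so that a server
    which replies 200 to everything can be recognised."""
    junk = "/" + "".join(random.choices(string.ascii_lowercase, k=16))
    return fingerprint(fetch(junk))


def scan(fetch, checks):
    """Confirm each probe against the catch-all baseline and, where one is
    defined, against a content signature."""
    base = baseline(fetch)
    findings = {}
    for path, signature in checks.items():
        resp = fetch(path)
        if resp.status != 200 or fingerprint(resp) == base:
            findings[path] = "absent"          # error, or the catch-all page
        elif signature is not None and not signature.search(resp.body):
            findings[path] = "false alarm"     # page exists but is not the bug
        else:
            findings[path] = "vulnerable" if signature else "present"
    return findings


if __name__ == "__main__":
    for catch_all, bug in ((False, False), (True, False), (True, True)):
        fetch = make_server(catch_all, bug)
        print(f"catch_all={catch_all} listing_bug={bug}")
        print("  naive:", naive_scan(fetch, CHECKS))
        print("  smart:", scan(fetch, CHECKS))
```

Against a server that answers every request with its default page, the naive checker reports both probes as present while the baseline-aware scan reports neither; against a server that ignores the query string, the naive checker flags /?PageServices and the content signature downgrades it to a false alarm. A real scanner should also re-baseline per directory, since catch-all behaviour is often configured per virtual host or per path.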

I've Scanned My Server. What's Next?
Application-specific checks are a subset of vulnerability checking that cover input validation problems within the application. Once unnecessary files have been removed, the next concern is possible vulnerabilities within the application itself: attacks that inject SQL statements through data entry fields, embedded script attacks that use social engineering to collect passwords, and other input validation attacks that lead to arbitrary file retrieval or command execution.

The goal of an application-level scanner is to enumerate all user input fields. Each field can then be catalogued by its potential vulnerabilities and by its function. Potential vulnerabilities range from database interaction to OS attacks, while a field's function might be login, database entry, or search. Defining these categories and building the intelligence to check them is difficult, and Whisker, Stealth, and Nessus do not even pretend to perform these checks. That is where Sanctum's AppScan application vulnerability assessment tool comes in. Its approach differs greatly from the file and URL checking of the other scanners, and its price, user interface, and configuration effort reflect that difference in depth of testing.
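To make the difference concrete, here is an added example (written for this edit; it is not Sanctum's code or any scanner's) of the first step an application-level scanner takes: walking a page's HTML, enumerating every form field, then cataloguing each field by the form's likely function and by the input validation problems worth testing against it. The sample HTML, the field names, and the name-based heuristics are constructed for the example; a real tool would also crawl the site and follow every link before classifying anything.

```python
import re
from html.parser import HTMLParser

# Constructed sample page with three forms; not captured from any real site.
SAMPLE_HTML = """
<html><body>
<form action="/login.asp" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="redirect" value="/home.asp">
  <input type="submit" value="Log in">
</form>
<form action="/search.asp">
  <input name="q">
  <input type="submit" value="Search">
</form>
<form action="/view.asp" method="get">
  <input type="hidden" name="template" value="default.inc">
  <textarea name="comment"></textarea>
</form>
</body></html>
"""


class FormEnumerator(HTMLParser):
    """Collect every form and the user-controllable fields inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "fields": [],
            }
        elif tag in ("input", "textarea", "select") and self._current is not None:
            ftype = (a.get("type") or "text") if tag == "input" else tag
            self._current["fields"].append({"name": a.get("name"), "type": ftype.lower()})

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def enumerate_forms(html):
    parser = FormEnumerator()
    parser.feed(html)
    parser.close()
    return parser.forms


# Name heuristics (assumptions for the example, not a standard list).
SEARCH_NAMES = re.compile(r"\b(q|query|search|keywords?)\b", re.I)
PATH_NAMES = re.compile(r"(^|_)(file|path|page|template|dir|include|doc)", re.I)
# Field types whose value the user (or attacker) supplies verbatim.
INJECTABLE = {"text", "password", "search", "hidden", "textarea", "select", "email", "url"}


def classify(form):
    """Guess the form's function: login, upload, search, or plain data entry."""
    types = {f["type"] for f in form["fields"]}
    names = " ".join(f["name"] or "" for f in form["fields"])
    if "password" in types:
        return "login"
    if "file" in types:
        return "upload"
    if SEARCH_NAMES.search(names):
        return "search"
    return "data entry"


def candidate_issues(field):
    """Heuristic list of input validation problems worth testing on one field."""
    issues = []
    if field["type"] in ("submit", "button", "reset", "image"):
        return issues                         # carries no user-supplied value
    if field["type"] == "hidden":
        issues.append("client-side state tampering")
    if field["type"] in INJECTABLE:
        issues.extend(["SQL injection", "script injection"])
    if PATH_NAMES.search(field["name"] or ""):
        issues.append("file retrieval / traversal")
    return issues


def report(html):
    """One catalogue entry per form: function plus per-field candidate issues."""
    out = []
    for form in enumerate_forms(html):
        out.append({
            "action": form["action"],
            "method": form["method"],
            "function": classify(form),
            "fields": {f["name"]: candidate_issues(f) for f in form["fields"] if f["name"]},
        })
    return out


if __name__ == "__main__":
    for entry in report(SAMPLE_HTML):
        print(entry["method"].upper(), entry["action"], "->", entry["function"])
        for name, issues in entry["fields"].items():
            print("   ", name, issues)
```

The catalogue this produces is only the starting point: the hidden "template" field in the third form, for instance, is flagged for both tampering and file retrieval because its name suggests the server uses it to pick a file, and that is exactly the kind of field a URL-based scanner never sees.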

Now, all you have to worry about is that your Web apps have been coded securely.

Mike Shema is a Principal Consultant and Trainer for Foundstone and brings his knowledge of networking, Unix, and Windows to the attack and penetration team. He has performed security testing for financial institutions, e-commerce sites, and Fortune 500 companies.