Web Server Scanners: Find Your Vulnerabilities Before Hackers Do
Robust firewall rules and strict router access control lists alone are not enough to protect a Web server. A strong Web server build policy is a must, and Web vulnerability scanners will address the security aspects of your build policy.
by Mike Shema
When deploying a Web server and Web applications, you must defend against malicious attackers who can identify and exploit the vulnerabilities in these servers and apps. The Nimda worm and its predecessors painfully reminded us of that. After all, robust firewall rules and strict router access control lists alone will not protect a Web server, which is why Web vulnerability scanners are useful tools.
Running a Web vulnerability scanner against your Web servers will:
- Identify default files and directories that hackers could exploit
- Detect inadequate patch levels
- Point out poor passwords
In this article I show how scanners achieve this level of defense and how you can use them to strengthen the build policy of your Web servers. I also offer a review of some of the better-known scanners that are currently available.
Anatomy of a Web Vulnerability Scanner
Most Web vulnerability scanners consist of an engine and a database. The database contains a list of directories, file names, CGI scripts, and URLs that have known security risks. Name-your-hat hackers cull Bugtraq postings, vendor advisories, application documentation, or personal favorites to create these lists. The final database usually contains the A, B, and C lists of well-known vulnerabilities, such as the IIS Unicode string exploit (/msadc/..%c0%af..%c0%af..), the Netscape PageServices bug (?wp-html-rend), and /wwwboard/passwd.txt (perhaps running on Apache).
The vulnerabilities can be server-specific like the PageServices bug, which displays a directory listing, or they can be OS-agnostic and target CGI scripts, such as WWWBoard or PHP-Nuke, which expose any server (even Apache) to attacks.
The scanner's engine is merely a glorified method for making HTTP GET requests for each entry in the vulnerability database. A good engine, however, has some extra techniques for customizing requests. The homebrew crowd, for example, can put together a vulnerability scan using only the 'echo' and 'nc' (netcat) commands (e.g., echo -e "GET /wwwboard/passwd.txt HTTP/1.0\n\n" | nc -vv <target> 80).
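From the defender's side, the same database entries double as access-log signatures. The following is an added example, not code from the original article: it checks constructed Common Log Format lines against the three entries named above and reports which clients probed several of them and which probes the server answered with 200. The signature names, the sample log lines and the `burst` threshold are assumptions.

```python
import re
from collections import defaultdict

# Signature database: the three entries the article names, lowercased.
SIGNATURES = {
    "iis-unicode-traversal": "..%c0%af",
    "netscape-pageservices": "?wp-html-rend",
    "wwwboard-passwd": "/wwwboard/passwd.txt",
}

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2002:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [01/Jan/2002:10:00:02 +0000] "GET /wwwboard/passwd.txt HTTP/1.0" 200 58
198.51.100.7 - - [01/Jan/2002:10:00:02 +0000] "GET /msadc/..%C0%AF..%c0%af.. HTTP/1.0" 404 0
198.51.100.7 - - [01/Jan/2002:10:00:03 +0000] "GET /?wp-html-rend HTTP/1.0" 404 0
192.0.2.10 - - [01/Jan/2002:10:00:09 +0000] "GET /wwwboard/index.html HTTP/1.0" 200 900
"""

def scan_hits(log_text):
    """Return (client, signature name, status) for each request matching a signature."""
    hits = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # skip malformed lines rather than guess at their fields
        client, _method, target, status = m.groups()
        lowered = target.lower()  # percent-escapes are case-insensitive
        for name, needle in SIGNATURES.items():
            if needle in lowered:
                hits.append((client, name, int(status)))
    return hits

def triage(hits, burst=3):
    """Return (clients probing >= burst signatures, signatures answered with 200)."""
    per_client = defaultdict(set)
    for client, name, _status in hits:
        per_client[client].add(name)
    scanners = sorted(c for c, names in per_client.items() if len(names) >= burst)
    exposed = sorted({name for _c, name, status in hits if status == 200})
    return scanners, exposed  # a 200 is a candidate finding to verify, not proof

if __name__ == "__main__":
    scanners, exposed = triage(scan_hits(SAMPLE_LOG))
    print("clients probing many signatures:", scanners)
    print("signatures answered with 200:", exposed)
```

A signature that shows up with a 200 status is the one to check against the build policy first; the 404 hits only show that someone asked.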