Software for security auditing for web applications

Posted: Fri Sep 14, 2007 8:12 am
by VladSun
Recently, I've started using Acunetix Web Vulnerability Scanner. It works pretty well and I've found several security holes in my sites (most of them XSS, actually).

Later, I found this: Top 10 Web Vulnerability Scanners.

So, does anybody have experience with this type of application, and what are the advantages and disadvantages?

Thank you for answering me :)

Posted: Fri Sep 14, 2007 8:25 am
by Maugrim_The_Reaper
I suppose the main disadvantage is that they are unlikely to catch all of the possible exploits of your specific application. Assuming you are practicing standard security prevention, they're a useful checkup; take their findings as symptoms, of course. If there's a security issue, check not just the specific issue reported, but whether you need to add another security measure to close off any future/past similar problems more easily.

Re: Software for security auditing for web applications

Posted: Fri Sep 14, 2007 7:02 pm
by jeffery
VladSun wrote: Recently, I've started using Acunetix Web Vulnerability Scanner. It works pretty well and I've found several security holes in my sites (most of them XSS, actually).

Later, I found this: Top 10 Web Vulnerability Scanners.

So, does anybody have experience with this type of application, and what are the advantages and disadvantages?

Thank you for answering me :)
I have recently had the experience of using one such service, provided by https://www.scanalert.com . From my experience I should say that it has helped me in identifying some of the things I was doing wrong in my code. More importantly, ScanAlert has scheduled scans, which help in reminding you about doing updates to your web server when there is a problem.

Also, after tailing some logs I suspect what ScanAlert uses is the Nikto scanning tool, but I think they put in a little bit more effort to make it detect the newest and most critical vulnerabilities. For example, the other day I got a report saying there were a few vulnerabilities in the PHP5 version which was running on the server. A quick update and re-running the scan helped me in patching the vulnerabilities. I wouldn't have known about the vulnerabilities unless I knew there was a new version of PHP released within the last few days.

But in the end, if you know what to do to keep your system clean and healthy, then you don't require these services. I am about to write an article about my experiences with ScanAlert and how to make your server PCI compliant. I will post here when I am done.

cheers,
Jeffery

Posted: Fri Sep 14, 2007 8:37 pm
by VladSun
I've seen the ScanAlert site too, but it's a paid service, isn't it?

I want to use a scanner focused on finding security holes in the web application itself, not the environment. I use Nessus, Tripwire and Snort, so the environmental security is OK :)

The Acunetix scanner found many XSS holes and a few SQL injection exploits in my sites. This can't be done with the security tools I've used till now. Today I've installed Nikto too, but it didn't find most of the exploits found by the Acunetix scanner. Well, I'm still learning how to use it (configuration files, plugins etc.), but it doesn't impress me so much for now.

I was hoping to see more posts about people's experience with this kind of application.

Posted: Fri Sep 14, 2007 9:15 pm
by jeffery
VladSun wrote: I've seen the ScanAlert site too, but it's a paid service, isn't it?
Yes, it is a paid service. The client I was dealing with is a security freak, so he insisted we use the ScanAlert services.

Posted: Tue Oct 02, 2007 1:57 pm
by boo
I have recently started using ScanAlert for my Renttropolis site. My main reason was to check for web application holes that could cause trouble for me as the site grows.

My second reason was for the warm and fuzzy feeling I can give my customers as they view my site. Internet security is a big thought on everyone's mind as they are looking for services to use on the internet; by showing my customers that I have a 3rd party check to see if my server is vulnerable, I think that puts me one up on my competition.

And the last thing was for future compliance. With recent high-profile web application security breaches, the federal and state lawmakers are going to shortly be requiring e-businesses to have a 3rd party perform security scans of your site. So I figured, why not start now and be ahead of the curve? (Also, for the people that are storing credit card information, I believe this is currently a requirement to be PCI compliant.)

Now, I am not saying that this was a little pricey, and I also prefer free, but I believe that I will be able to recoup my cost with increased sales and also with not having to clean up from a successful hack (which can be very pricey).

Posted: Tue Oct 02, 2007 4:55 pm
by jeffery
boo,
I am interested to know if you have managed to eliminate the "Trace & Track" vulnerabilities? I have been banging my head to fix it without success. I have tried their suggestion, but it just doesn't work :(.

Posted: Tue Oct 02, 2007 5:22 pm
by mrkite
I use Nessus for all my network security needs.

edit: Nessus does have a whole package of web security tests, checking for SQL injection etc. It's not as complete as Nikto, but it's a good tool for anyone who runs a large web server and forgets that they had installed phpBB somewhere :)

Posted: Wed Oct 03, 2007 7:02 am
by boo
jeffery wrote: boo,
I am interested to know if you have managed to eliminate the "Trace & Track" vulnerabilities? I have been banging my head to fix it without success. I have tried their suggestion, but it just doesn't work :(.
I have not received this vulnerability at this time, but if you care to send me the information that they have on it, I would be more than happy to see if I can assist you with it.

Posted: Wed Oct 03, 2007 8:31 am
by jeffery
OK, this is the description of the vulnerability:
Your Web server appears to support the TRACE and/or TRACK methods.

It has been shown that servers supporting these methods are subject to cross-site-scripting attacks, dubbed XST for 'Cross-Site-Tracing'.
They suggest adding an .htaccess rule like:

Code:

  # mod_rewrite must be enabled for the rule below to take effect
  RewriteEngine On
  # Answer TRACE and TRACK requests with 403 Forbidden
  RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
  RewriteRule .* - [F]

but that never seems to work.

Posted: Wed Oct 03, 2007 8:53 am
by VladSun
Also, you may try adding this to httpd.conf:

TraceEnable Off

Posted: Wed Oct 03, 2007 11:38 am
by boo
I would go with VladSun's suggestion if you can, since I believe that if you are in a hosted environment the .htaccess file is only good for your site, and every other site on the server is a risk, which in turn puts your site at risk.
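Whichever of the two fixes above is applied, the result should be verified the way the scanner does it. The following script is an added example, not code from this thread or from ScanAlert: it sends a single TRACE (or TRACK) request to a host you name and reports whether the server still echoes the request back or now refuses it; the function and constant names are my own, and the two sample responses are constructed, not captured from a real server.

```python
"""Check whether a web server still answers HTTP TRACE/TRACK (the XST finding above)."""
import http.client
import sys

# Statuses a hardened server returns: TraceEnable Off gives 405,
# the .htaccess RewriteRule with [F] gives 403, some servers give 501.
REFUSED_STATUSES = {403, 405, 501}
ECHO_PREFIXES = (b"TRACE ", b"TRACK ")


def classify_trace_response(status: int, headers: dict, body: bytes) -> str:
    """Return 'enabled', 'disabled' or 'unknown' for one TRACE/TRACK response.

    A server that still supports TRACE replies 200 with a message/http body
    that echoes the request line; a refused method yields 403/405/501.
    """
    ctype = headers.get("content-type", "").lower()
    if status in REFUSED_STATUSES:
        return "disabled"
    if status == 200 and (ctype.startswith("message/http") or body.startswith(ECHO_PREFIXES)):
        return "enabled"
    return "unknown"


def check_method(host: str, method: str = "TRACE", port: int = 80, timeout: float = 5.0) -> str:
    """Send one request with the given method to host:port and classify the answer."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, "/")
        resp = conn.getresponse()
        body = resp.read(512)  # a few hundred bytes is enough to see the echo
        headers = {name.lower(): value for name, value in resp.getheaders()}
        return classify_trace_response(resp.status, headers, body)
    finally:
        conn.close()


# Constructed sample responses (hypothetical host, not a real capture) for offline use.
SAMPLE_ENABLED = (200, {"content-type": "message/http"},
                  b"TRACE / HTTP/1.1\r\nHost: example.test\r\n\r\n")
SAMPLE_DISABLED = (405, {"content-type": "text/html"}, b"<html>Method Not Allowed</html>")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for method in ("TRACE", "TRACK"):
            print(sys.argv[1], method, "->", check_method(sys.argv[1], method))
    else:
        for label, sample in (("enabled", SAMPLE_ENABLED), ("disabled", SAMPLE_DISABLED)):
            print(label, "->", classify_trace_response(*sample))
```

Run it with your own host name as the first argument after changing the server configuration; with no argument it only classifies the two built-in samples.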