Security Tools for the Budget Conscious ISP, Part II: Web Vulnerability Assessment Tools
Web Vulnerability Assessment Tools
According to last year's FBI/CSI annual survey, one in four organizations experienced
Web site attacks last year, primarily vandalism (36 percent) and DoS attacks
(35 percent). Given this and the fact that most ISPs offer Web hosting, your
toolbox should probably include utilities to assess the security of Web services,
related objects, and supported applications.
Web assessment tools are aimed at popular Web server platforms like Apache
or IIS. They can scan servers themselves for CVEs, missing patches, and weak
directory permissions, and/or assess Web applications for vulnerabilities like
cross-site scripting, SQL injection, hidden form field manipulation, and cookie
poisoning. To learn more about Web application vulnerabilities and penetration
test methodologies, we recommend Penetration Testing for Web Applications by
Jody Melbourne and David Jorm, published by SecurityFocus as parts One,
Two, and Three.
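Two of the application weaknesses named above, SQL injection and cookie poisoning (hidden form field manipulation is the same problem with a different carrier), are easiest to understand as a vulnerable handler next to its hardened form. The following is example code added to this article, not code from any tool or product it mentions; the in-memory user table, the cookie layout and the server key are constructed for the demonstration.

```python
"""Vulnerable-versus-hardened handling of SQL injection and cookie poisoning.
Added example for this article; the database, cookie format and key are
constructed assumptions, not taken from any product discussed."""
import hashlib
import hmac
import sqlite3
from typing import Optional

# Assumption: a server-side secret that never reaches the client.
SERVER_KEY = b"constructed-demo-key-replace-in-production"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret', 'user')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> Optional[str]:
    """Builds the query by string concatenation, so client input is parsed
    as SQL syntax and the password condition can be short-circuited."""
    sql = ("SELECT role FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn: sqlite3.Connection, name: str, password: str) -> Optional[str]:
    """Parameterized query: input is bound as data and never parsed as SQL."""
    row = conn.execute(
        "SELECT role FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return row[0] if row else None


def _cookie_fields(cookie: str) -> dict:
    """Split 'k=v; k2=v2' into a dict (tiny parser for the demo format)."""
    fields = {}
    for part in cookie.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            fields[k] = v
    return fields


def parse_role_cookie_vulnerable(cookie: str) -> Optional[str]:
    """Trusts the role value exactly as the client sent it: cookie poisoning
    is just editing 'role=user' to 'role=admin' before the next request."""
    return _cookie_fields(cookie).get("role")


def make_signed_cookie(role: str) -> str:
    """Issue the role together with an HMAC tag computed under SERVER_KEY."""
    tag = hmac.new(SERVER_KEY, role.encode(), hashlib.sha256).hexdigest()
    return f"role={role}; sig={tag}"


def parse_role_cookie_hardened(cookie: str) -> Optional[str]:
    """Accept the role only if its tag verifies; any edited value fails."""
    fields = _cookie_fields(cookie)
    role, sig = fields.get("role", ""), fields.get("sig", "")
    expected = hmac.new(SERVER_KEY, role.encode(), hashlib.sha256).hexdigest()
    return role if hmac.compare_digest(expected, sig) else None


if __name__ == "__main__":
    db = make_db()
    bad_password = "x' OR '1'='1"
    print("vulnerable login:", login_vulnerable(db, "alice", bad_password))
    print("hardened login:  ", login_hardened(db, "alice", bad_password))
    cookie = make_signed_cookie("user")
    print("tampered cookie: ", parse_role_cookie_hardened(cookie.replace("role=user", "role=admin")))
```

The same signing pattern applies to a hidden form field such as a price or an account id: either recompute the value server-side from session state, or sign it when it is emitted and verify the tag on the way back in.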
A few representative commercial products in this category include:
If Web hosting is your business, you should probably invest in at least one
commercial Web vulnerability assessment product. Products like these will save
you time in the long run by automating thorough tests and facilitating test
result analysis. Even so, you may want to add some free Web penetration test
tools to your security toolbox:
- Nikto is a popular open
source Web server scanner based on Perl. Nikto can test for over 2600 potentially
dangerous files and look for version-specific problems on over 230 Web servers.
To learn more, check out the Nikto README.
- N-Stalker's
N-Stealth is available in a free version that runs on Win32 and WINE for
Linux. N-Stealth tests Web servers for over 30,000 weaknesses that attackers
could exploit to gain privileged server access. Unlike the commercial version,
the free version does not support IP ranges, log analysis, or SSL/XML testing.
To view sample N-Stealth output, click here.
- SPIKE Proxy is
a free Python-based Web test platform for Windows and Linux. SPIKE runs as
an SSL-enabled Web proxy, letting you identify Web application vulnerabilities
by examining and changing HTTP request variables, cookies, headers, and other
fields mid-stream.
- Webgoat is an open
source Java/JVM-based tool that provides an interactive environment for teaching
Web developers cross-site scripting, SQL injection, and other vulnerabilities.
Hands-on lessons demonstrate sample Web exploits. Webgoat isn't really for
testing your server; it teaches your Web developers what to avoid.
- Whisker [.tar.gz]
is a very popular open source vulnerability scanner, based on Perl, from the
now-retired RainForestPuppy.
Whisker is a script-driven command line tool that determines what kind of
server software a target is running (e.g., IIS, Apache) and then runs server-specific
penetration tests. Nikto builds upon Whisker.
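The server-side scanners above (Whisker, Nikto, N-Stealth) all start from the same two steps: identify the platform from the Server header, then request server-specific paths that a properly configured host should not serve. The following is an added example that reproduces that skeleton for auditing a server you host; it is not code from Nikto, Whisker or any product named here, and the path list, the sample responses and the host name are constructed for the demonstration. The fetcher is passed in as a parameter so the same logic runs against a real server (urllib HEAD requests) or, as shown, against canned responses.

```python
"""Whisker/Nikto-style skeleton: fingerprint from the Server header, then
check platform-specific paths. Added example for this article; the path
list, sample responses and host are constructed assumptions."""
import urllib.error
import urllib.request
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlsplit

Fetch = Callable[[str], Tuple[int, Optional[str]]]  # url -> (status, Server header)

# Constructed check list: paths that should answer 403/404 on a hardened host.
CHECKS = {
    "Apache": ["/server-status", "/server-info"],
    "IIS": ["/iisadmin/"],
    "any": ["/.git/HEAD", "/.env"],
}


def fingerprint(server_header: Optional[str]) -> Tuple[str, bool]:
    """Return (platform family, version disclosed?) from a Server header."""
    s = (server_header or "").strip()
    low = s.lower()
    if low.startswith("apache"):
        family = "Apache"
    elif low.startswith("microsoft-iis"):
        family = "IIS"
    else:
        family = "unknown"
    # 'Apache/1.3.27' carries a version; a bare 'Apache' does not.
    return family, "/" in s


def http_fetch(url: str) -> Tuple[int, Optional[str]]:
    """Real fetcher: one HEAD request, returning status and Server header."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.headers.get("Server")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Server")


def assess(base_url: str, fetch: Fetch = http_fetch) -> Tuple[str, List[str]]:
    """Fingerprint base_url, then report version disclosure and reachable paths."""
    _, server = fetch(base_url + "/")
    family, disclosed = fingerprint(server)
    findings = []
    if disclosed:
        findings.append(f"Server header discloses version: {server}")
    for path in CHECKS.get(family, []) + CHECKS["any"]:
        status, _ = fetch(base_url + path)
        if status == 200:
            findings.append(f"{path} reachable (HTTP 200)")
    return family, findings


# Constructed responses for an imaginary Apache host (no network needed).
SAMPLE_HOST = "http://www.example.invalid"
SAMPLE_RESPONSES = {
    "/": (200, "Apache/1.3.27 (Unix)"),
    "/server-status": (200, "Apache/1.3.27 (Unix)"),
}


def fake_fetch(url: str) -> Tuple[int, Optional[str]]:
    """Offline fetcher answering from SAMPLE_RESPONSES; anything else is 404."""
    path = urlsplit(url).path or "/"
    return SAMPLE_RESPONSES.get(path, (404, "Apache/1.3.27 (Unix)"))


if __name__ == "__main__":
    family, findings = assess(SAMPLE_HOST, fake_fetch)
    print("platform:", family)
    for f in findings:
        print(" -", f)
```

Run against a real host by calling `assess("http://your-hosted-site")` with the default fetcher. The two findings the sample host produces (a version string in the Server header and a reachable status page) are exactly the kind of misconfiguration the tools above check for in bulk; the point of the example is the structure, not the size of the check list.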