Internet.com ISP-Planet
Security Tools for the Budget Conscious ISP, Part II: Web Vulnerability Assessment Tools

by Lisa Phifer
VP Core Competence, Inc.
[January 30, 2004]

Web Vulnerability Assessment Tools
According to last year's FBI/CSI annual survey, one in four organizations experienced Web site attacks during that year, primarily vandalism (36 percent) and DoS attacks (35 percent). Given this, and the fact that most ISPs offer Web hosting, your toolbox should probably include utilities to assess the security of Web services, related objects, and supported applications.

Web assessment tools are aimed at popular Web server platforms like Apache or IIS. They can scan servers themselves for CVEs, missing patches, and weak directory permissions, and/or assess Web applications for vulnerabilities like cross-site scripting, SQL injection, hidden form field manipulation, and cookie poisoning. To learn more about Web application vulnerabilities and penetration test methodologies, we recommend Penetration Testing for Web Applications by Jody Melbourne and David Jorm, published by SecurityFocus as parts One, Two, and Three.
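Two of the application-level weaknesses named above, hidden form field manipulation and cookie poisoning, come down to a server trusting state that it handed to the browser and got back unchanged. The following added example (not code from the article or from any of the tools it lists) shows a vulnerable checkout handler and a vulnerable role lookup beside hardened versions: the price is looked up server-side instead of read from the form, and the session cookie carries an HMAC so a client cannot edit its contents. The catalogue, the secret key and the request dictionaries are constructed for illustration.

```python
"""Hidden form field manipulation and cookie poisoning: vulnerable handlers
beside hardened ones.  Everything here (catalogue, secret, requests) is a
constructed example for illustration, not production code."""
import base64
import hashlib
import hmac
import json

# Constructed catalogue: the server's own source of truth for prices (cents).
CATALOGUE = {"sku-100": 4999, "sku-200": 12999}

# Constructed secret; a real deployment loads this from configuration.
SECRET_KEY = b"example-only-secret-key"


def vulnerable_checkout(form):
    """Trusts the hidden 'price' field the browser sent back, so a client who
    edits the form before submitting it sets its own price."""
    sku = form["sku"]
    qty = int(form["qty"])
    price = int(form["price"])          # client-controlled value
    return {"sku": sku, "qty": qty, "total": price * qty}


def hardened_checkout(form):
    """Ignores any client-supplied price; validates sku and quantity and
    looks the price up server-side."""
    sku = form["sku"]
    if sku not in CATALOGUE:
        raise ValueError("unknown sku")
    qty = int(form["qty"])
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return {"sku": sku, "qty": qty, "total": CATALOGUE[sku] * qty}


def _cookie_fields(cookie):
    """Split 'a=1; b=2' into a dict; only the first '=' separates key/value."""
    return dict(part.strip().split("=", 1)
                for part in cookie.split(";") if "=" in part)


def vulnerable_role_from_cookie(cookie):
    """Reads the role straight out of a plaintext 'role=...' cookie, so the
    client can simply rewrite it."""
    return _cookie_fields(cookie).get("role", "user")


def sign_session(payload):
    """Cookie value = urlsafe-base64(json) + '.' + hex HMAC-SHA256 of that
    base64 text under SECRET_KEY."""
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify_session(value):
    """Returns the payload only if the MAC verifies; None for anything else."""
    try:
        body, mac = value.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body.encode()))


def hardened_role_from_cookie(cookie):
    """Takes the role from a signed 'session' cookie; a missing, malformed or
    tampered cookie is treated as anonymous."""
    session = verify_session(_cookie_fields(cookie).get("session", ""))
    if session is None:
        return "anonymous"
    return session.get("role", "user")
```

The hardened checkout still accepts the `price` field in the form, it just never reads it, which is the point: anything the browser can see, the browser can change, so the only safe use of a hidden field is as an opaque reference that the server resolves itself. The same applies to the cookie: the payload is readable by the client (base64 is not encryption), but any edit invalidates the MAC.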

A few representative commercial products in this category include:

If Web hosting is your business, you should probably invest in at least one commercial Web vulnerability assessment product. Products like these will save you time in the long run by automating thorough tests and facilitating test result analysis. Even so, you may want to add some free Web penetration test tools to your security toolbox:

  • Nikto is a popular open source Web server scanner based on Perl. Nikto can test for over 2600 potentially dangerous files and look for version-specific problems on over 230 Web servers. To learn more, check out the Nikto README.
  • N-Stalker's N-Stealth is available in a free version that runs on Win32 and WINE for Linux. N-Stealth tests Web servers for over 30,000 weaknesses that attackers could exploit to gain privileged server access. Unlike the commercial version, the free version does not support IP ranges, log analysis, or SSL/XML testing.
  • SPIKE Proxy is a free Python-based Web test platform for Windows and Linux. SPIKE runs as an SSL-enabled Web proxy, letting you identify Web application vulnerabilities by examining and changing HTTP request variables, cookies, headers, and other fields mid-stream.
  • Webgoat is an open source Java/JVM-based tool that provides an interactive environment for teaching Web developers cross-site scripting, SQL injection, and other vulnerabilities. Hands-on lessons demonstrate sample Web exploits. Webgoat isn't really for testing your server—it teaches your Web developers what to avoid.
  • Whisker [.tar.gz] is a very popular open source vulnerability scanner, based on Perl, from the now-retired RainForestPuppy. Whisker is a script-driven command line tool that determines what kind of server software a target is running (e.g., IIS, Apache) and then runs server-specific penetration tests. Nikto builds upon Whisker.
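When you point Nikto or Whisker at one of your own hosting servers, the run should also be visible to whoever watches that server's access logs; if it is not, the same scan by someone else will go unnoticed too. The following added example (not from the article or from any of the projects above) is a small detector for combined-format access logs that flags a client on two signals: a User-Agent that names a known scanner, and a burst of 404 responses within a short window, which is what a file-list scan like Nikto's looks like from the server side. The log lines are constructed, the "nikto" marker reflects Nikto's default User-Agent, and the threshold and window are assumptions to tune locally.

```python
"""Spotting a Web vulnerability scan in combined-format access logs.
Constructed example: the log lines below are made up, and the thresholds
are assumptions, not recommendations from any scanner project."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/Nginx "combined" format: ip ident user [ts] "req" status bytes "ref" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Case-insensitive substrings of scanner User-Agents.  "nikto" is in Nikto's
# default User-Agent; extend this tuple with what you see locally.
SCANNER_UA_MARKERS = ("nikto",)

# Assumed thresholds: this many 404s from one client inside WINDOW.
NOT_FOUND_LIMIT = 5
WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_scans(lines):
    """Return {client_ip: set_of_reasons} for clients that look like scanners."""
    hits = defaultdict(set)
    not_found = defaultdict(list)   # ip -> timestamps of recent 404 responses
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ua = rec["ua"].lower()
        if any(marker in ua for marker in SCANNER_UA_MARKERS):
            hits[rec["ip"]].add("scanner user-agent")
        if rec["status"] == 404:
            recent = not_found[rec["ip"]]
            recent.append(rec["ts"])
            # sliding window: forget 404s older than WINDOW
            while recent and rec["ts"] - recent[0] > WINDOW:
                recent.pop(0)
            if len(recent) >= NOT_FOUND_LIMIT:
                hits[rec["ip"]].add("404 burst")
    return dict(hits)


# Constructed sample log: one client announcing itself as Nikto, one ordinary
# browser, and one client probing several non-existent paths in quick succession.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Jan/2004:10:15:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.0" 404 210 "-" "Mozilla/5.00 (Nikto/example)"',
    '198.51.100.7 - - [30/Jan/2004:10:15:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '203.0.113.5 - - [30/Jan/2004:10:15:02 +0000] "GET /scripts/ HTTP/1.0" 404 210 "-" "Mozilla/5.00 (Nikto/example)"',
    '192.0.2.9 - - [30/Jan/2004:10:15:03 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0 (X11; Linux)"',
    '192.0.2.9 - - [30/Jan/2004:10:15:04 +0000] "GET /old/ HTTP/1.1" 404 210 "-" "Mozilla/5.0 (X11; Linux)"',
    '192.0.2.9 - - [30/Jan/2004:10:15:05 +0000] "GET /test/ HTTP/1.1" 404 210 "-" "Mozilla/5.0 (X11; Linux)"',
    '192.0.2.9 - - [30/Jan/2004:10:15:06 +0000] "GET /tmp/ HTTP/1.1" 404 210 "-" "Mozilla/5.0 (X11; Linux)"',
    '192.0.2.9 - - [30/Jan/2004:10:15:07 +0000] "GET /cgi-bin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0 (X11; Linux)"',
    '198.51.100.7 - - [30/Jan/2004:10:17:30 +0000] "GET /missing.html HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
]

if __name__ == "__main__":
    for ip, reasons in sorted(find_scans(SAMPLE_LOG).items()):
        print(ip, ", ".join(sorted(reasons)))
```

The User-Agent check is the cheap signal and the easy one to evade (most scanners let you set the string), so the 404 burst is the one worth keeping; a single stray 404 from a browser, as in the last sample line, stays under the threshold. Feed the function your real log with `find_scans(open(path))` and adjust `NOT_FOUND_LIMIT` and `WINDOW` until your own scheduled Nikto runs show up and normal traffic does not.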
