5. Vulnerabilities (EN)

The document discusses vulnerability scanning, highlighting the importance of identifying and correcting programming errors or configuration mistakes that can lead to security breaches. It provides statistics on reported vulnerabilities from 1995 to 2008, mentions key tools for vulnerability scanning such as Nessus and MBSA, and outlines common web application vulnerabilities. Additionally, it emphasizes the prevalence of vulnerabilities at the application layer and lists various web application scanners available.

Uploaded by Kushner Serge (Scribd)


5. Vulnerability scanning

Vulnerabilities
 A programming error or configuration mistake that can lead to a
security breach
 If not detected and corrected in time, it may be exploited by an
attacker
 Correction methods
– installing the patches recommended by the vendor
– system hardening

Vulnerabilities (cont.)
Total number of reported vulnerabilities (1995 - Q3 2008): 44,074
Source: CERT (http://www.cert.org)

Year             2000   2001   2002   2003   2004   2005   2006   2007
Vulnerabilities  1,090  2,437  4,129  3,784  3,780  5,990  8,064  7,236

[Bar chart: reported vulnerabilities per year, 2000-2008 (2008 through Q3), y-axis 0 to 9,000]

Vulnerabilities (cont.)

10 companies are responsible for 38% of reported vulnerabilities!

Source: Secunia (http://www.secunia.com)

Vulnerabilities (cont.)

Only 20% of the vulnerabilities are critical!

Source: Secunia (http://www.secunia.com)

Vulnerabilities (cont.)
 Common Vulnerabilities and Exposures (CVE)
– list of standardized names (identifiers) for publicly known vulnerabilities
– a vulnerability dictionary, not a vulnerability database: it names and
briefly describes each entry but does not hold risk, fix or exploit details
– http://cve.mitre.org/
 Open Vulnerability and Assessment Language (OVAL)
– standard language for describing how to check whether a given
vulnerability (or configuration state) is present on a computer system
– http://oval.mitre.org/

Vulnerability scanners
 Automate the identification of vulnerabilities and support their
correction (by reporting the affected systems and the recommended fixes)
 Classification
– by scanning location
• network based
• host based
– by credentials used during the scanning
• with administrative privileges
• without administrative privileges
– by the type of the tested systems/applications
• general purpose scanner
• Web application scanner

General purpose scanners
 Nessus (http://www.nessus.org)
– the most widely used general-purpose vulnerability scanner
 SARA - Security Auditor's Research Assistant (http://www-arc.com/sara/)
 X-scan (http://www.xfocus.com)
 MBSA (http://www.microsoft.com)
 GFI LANguard (http://www.gfi.com)
 Retina (http://www.eeye.com)
 CORE IMPACT (http://www.coresecurity.com) - a penetration testing
framework that also exploits what it finds, not only a scanner
 Proventia Network Enterprise Scanner (http://www.ibm.com)
 QualysGuard (http://www.qualys.com/)
 SAINT - System Administrator's Integrated Network Tool
(http://www.saintcorporation.com/)
 …

Nessus
 Client / server architecture
– server (scanning engine)
– client (user interface)
– user authentication + encrypted connection (SSL)
 Modular
– plugin based: each check is a script
– over 40,000 vulnerability-scanning plugins
– plugins are written in NASL (Nessus Attack Scripting Language)
 Uses port scanning to detect the services running on the target
system
– ping, TCP connect(), SYN scan
 Scanning methods: safe checks only, or including potentially
destructive checks that may crash the tested service
 Report generator (HTML)
 CVE compatible (findings are cross-referenced to CVE identifiers)
 2 types of subscription (prices at the time of the slides):
– ProfessionalFeed (1,200 USD / year)
– HomeFeed (free, for non-commercial home use)

Nessus (cont.)
1. Connect to the Nessus server (user authentication)
2. Select the target (a single computer or a subnetwork)
3. Select the scanning policy (which plugins to run, safe or destructive
checks, credentials if any)
4. Scan the target
5. Analyze the results (report)
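The scanner workflow above in miniature: a banner-grab inventory is fed through a table of plugins, each of which fires when a service reports a version below a policy minimum, and the findings are rolled up by severity the way a report generator would. This is an added example, not Nessus code and not part of the original slides. The hosts, banners and the minimum versions in the plugin table are constructed for the demo and do not refer to real advisories. Because this is the uncredentialed (network-based) variant from the classification above, its only evidence is the banner, which is exactly why such scans produce false positives on distributions that back-port fixes without changing the version string.

```python
"""Miniature plugin-based scanner: banner grab -> version checks -> report.

Added example; not Nessus code and not the page's own. Hosts, banners and
the minimum versions in the plugin table are constructed for the demo.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    port: int
    plugin: str
    severity: str
    detail: str


# Constructed inventory: what the port-scan / banner-grab phase would
# return for two hosts (fake addresses and version strings).
INVENTORY = {
    "10.0.0.5": {22: "SSH-2.0-OpenSSH_7.4", 80: "Apache/2.4.29 (Ubuntu)"},
    "10.0.0.6": {22: "SSH-2.0-OpenSSH_9.6", 443: "nginx/1.24.0"},
}

# Plugin table: (name, banner regex capturing the version, minimum version
# accepted by policy, severity when below it). The thresholds are
# hypothetical policy values, not statements about real advisories.
PLUGINS = [
    ("ssh-outdated", r"OpenSSH_(\d+(?:\.\d+)*)", (8, 0, 0), "high"),
    ("apache-outdated", r"Apache/(\d+(?:\.\d+)*)", (2, 4, 50), "medium"),
]


def version_tuple(text):
    """'2.4' -> (2, 4, 0): pad to three fields so tuples compare cleanly."""
    parts = [int(p) for p in text.split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def run_plugin(host, port, banner, plugin):
    """Apply one check to one banner; None means the check did not fire."""
    name, pattern, minimum, severity = plugin
    match = re.search(pattern, banner)
    if match is None:
        return None  # plugin does not apply to this service
    found = version_tuple(match.group(1))
    if found >= minimum:
        return None
    wanted = ".".join(str(n) for n in minimum)
    return Finding(host, port, name, severity,
                   f"{banner!r} reports a version below policy minimum {wanted}")


def scan(inventory, plugins=PLUGINS):
    """Run every plugin against every discovered service (uncredentialed:
    the only evidence is the banner, so back-ported fixes that do not bump
    the version string will show up as false positives)."""
    findings = []
    for host, services in inventory.items():
        for port, banner in services.items():
            for plugin in plugins:
                finding = run_plugin(host, port, banner, plugin)
                if finding is not None:
                    findings.append(finding)
    return findings


def severity_summary(findings):
    """Counts per severity, the kind of roll-up a report generator shows."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    results = scan(INVENTORY)
    for f in results:
        print(f"{f.host}:{f.port} [{f.severity}] {f.plugin}: {f.detail}")
    print(severity_summary(results))
```

A credentialed (host-based) plugin would replace the banner regex with a query of the local package database, which is the only reliable way to tell a back-ported fix from a genuinely old build.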

Nessus (cont.)

MBSA
 Microsoft Baseline Security Analyzer
 Detects vulnerabilities specific to Microsoft products:
– missing security updates
– weak passwords
– Windows configuration
– IIS vulnerabilities
– SQL Server vulnerabilities
 Requires administrative privileges on target computer
 Reports generator

MBSA (cont.)

Web application vulnerabilities
“Over 70% of security vulnerabilities exist at the application layer,
not the network or system layer.”
– Gartner 2004-2006

Web application vulnerabilities (cont.)
 Unvalidated input
 Cookie poisoning
 CGI parameter manipulation
 SQL injection
 Cross-site scripting (XSS)
 Directory traversal
 Buffer overflow
 …

Web application scanners
 Nikto (http://www.cirt.net/nikto2)
 Paros proxy (http://www.parosproxy.org)
 Burp Suite (http://portswigger.net/suite/)
 WebInspect (http://www.spidynamics.com)
 Acunetix WVS (http://www.acunetix.com)
 Rational AppScan (http://www.ibm.com)
 N-Stealth (http://www.nstalker.com/nstealth/)

 Reference: Open Web Application Security Project (OWASP)
– http://www.owasp.org/

Nikto
 Open source (GPL)
 Command-line tool
 Tests performed on the target system:
– server and software misconfigurations
– default files and programs
– insecure files and programs
– outdated servers and programs
 Identifies software modules installed on the web server (PHP,
Perl, etc.)
 SSL support
 LibWhisker's IDS evasion encoding techniques (URL encoding and
similar request mangling)
 Saves reports in different formats (text, CSV, HTML, XML, NBE)
 Integrates with Nessus
– Nessus launches Nikto automatically when it detects a web server
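The "default files and programs" and "insecure files" checks above come down to requesting a list of well-known paths and treating a 200 as a finding, after first confirming that the server does not answer 200 to everything. The added example below shows that loop against a throw-away local target so it runs offline; it is not Nikto's code or its signature database, and the target server, its files and the `CHECKS` list are constructed for the demo. The server banner is captured along the way, which is how the "outdated servers" check gets its input.

```python
"""Nikto-style check for default and insecure files on a web server, run
against a throw-away local target so it works offline.

Added example, not Nikto's code or signature database. The target server,
its files and the CHECKS list are constructed for the demo.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed target content: one leftover diagnostic page and one backup
# file, so the probe has something to find.
SERVED = {
    "/": b"<html>hello</html>",
    "/phpinfo.php": b"<h1>PHP Version (constructed)</h1>",
    "/config.php.bak": b"<?php $db_pass = 'constructed'; ?>",
}


class Target(BaseHTTPRequestHandler):
    server_version = "Apache/2.4.29"   # constructed banner for the demo
    sys_version = ""

    def do_GET(self):
        body = SERVED.get(self.path)
        self.send_response(200 if body is not None else 404)
        self.end_headers()
        self.wfile.write(body if body is not None else b"not found")

    def log_message(self, *args):
        pass  # keep the demo output quiet


def start_target():
    """Serve SERVED on a random loopback port; returns (server, base_url)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), Target)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


# Illustrative checks: (path, why a 200 here matters). Nikto's real database
# holds thousands of these; this list is made up for the example.
CHECKS = [
    ("/phpinfo.php", "diagnostic page discloses PHP configuration"),
    ("/config.php.bak", "backup of a config file is readable"),
    ("/.git/HEAD", "repository metadata exposed"),
    ("/admin/", "administrative interface reachable without auth"),
]


def fetch(url):
    """GET url; return (status, Server header, body). 4xx/5xx are data here."""
    try:
        with urllib.request.urlopen(url, timeout=3) as resp:
            return resp.status, resp.headers.get("Server", ""), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Server", ""), b""


def probe(base_url, checks=CHECKS):
    """Return (server banner, [(path, reason), ...]) for paths that exist."""
    # Calibrate first: a server that answers 200 for any path would turn
    # every check into a false positive, so ask for a path that cannot exist.
    status, server, _ = fetch(base_url + "/this-path-should-not-exist-4f2a")
    if status == 200:
        raise RuntimeError("target returns 200 for unknown paths; results unreliable")
    findings = [(path, why) for path, why in checks
                if fetch(base_url + path)[0] == 200]
    return server.strip(), findings


if __name__ == "__main__":
    srv, base = start_target()
    try:
        banner, found = probe(base)
        print("Server:", banner)
        for path, why in found:
            print(f"+ {path}: {why}")
    finally:
        srv.shutdown()
```

The calibration request is the part most home-grown scripts skip; without it, a catch-all 200 page (common behind load balancers and CMS front controllers) makes every check light up.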
Nikto (cont.)

Acunetix WVS
 Tests performed on the target system:
– CGI testing
– parameter manipulation (SQL injection, XSS, …)
– text search (in server responses)
– port scanning
– Google Hacking Database queries
 Generates custom reports
 AJAX / Web 2.0 support
 Support for CAPTCHA, Single Sign-On and two-factor authentication
during crawling
 Additional tools
– HTTP Editor, HTTP Sniffer, HTTP Fuzzer, Scripting tool, Blind SQL
Injector
 1,500 USD (Single User Single URL Perpetual License, at the time of
the slides)

Acunetix WVS (cont.)
