vulnerability scan

Hello. Can anyone suggest some software that does a good vulnerability scan for a web server, including a scan looking for vulnerable PHP and CGI scripts, etc.? I'd like to use something that keeps an updated database of vulnerable scripts that it scans for. I'd like to find something that also scans for cross-site scripting!
Thank You!
There is a good list at

It's hard to pick the "best" one as it depends on what OS and web server you are running. Different combinations can have different vulnerabilities.

Probably the best thing to test for with third-party or custom scripts is buffer overflows. How well does the script handle being pounded by long strings of 'useless' data?

If you have written the software yourself or it was written internally, good white box and black box testing techniques will be your biggest ally.

Hope this helps.


Download this and scan your Web box. Works really well, and it's from Microsoft.
I am surprised Nessus has not yet been mentioned...

Nessus is probably the best or close to it.

They recently changed their 'licensing model' (that is corporate speak for "trying to make things more confusing"...)
But basically Nessus is free, and has a HUGE number of plugins.
Nessus can be configured to scan just the web servers, but it can also scan databases, workstations, etc.
Trust me, download Nessus and run it against your servers.
linuxroxAuthor Commented:
Thanks guys, I'm gonna look at these and see what happens. I definitely would like to have an easy way to test for buffer overflows and things like that, especially on PHP scripts I've written.
bdetchevery: What did you say was good for testing for buffer overflows and whatnot?
linuxroxAuthor Commented:
Also, wanted to point out that I'm only really focused on scanning for script and program vulnerabilities: PHP scripts, Perl forum software and all that kind of thing. The server I'll test against is a Linux server with Apache, PHP and Perl scripts.
There are two "levels" to look at:

First, if you are running your own server, you want to make sure your PHP program is kept up to date, as well as any mods that you might be using. Regardless of how well you write your code, an overflow in PHP itself or in a mod can make you vulnerable.

For the code itself (PHP), you could use a product like SimpleTest to generate various unit tests that attempt to inject large amounts of data into your script. Or you could try PHPUnit2.

IMHO, it's best to design a custom test plan that's specific to the functions within your script. Automated test tools will run the basics but do not know the specific details about your script. They are certainly a good quick indicator of problems, but they should not be used as your ONLY security method.

Some more tools that might help can be found at


If you are interested in testing just web applications, I suggest you use the famous Nikto (

"Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3200 potentially dangerous files/CGIs, versions on over 625 servers, and version specific problems on over 230 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).

Nikto is not designed as an overly stealthy tool. It will test a web server in the shortest timespan possible, and it's fairly obvious in log files. However, there is support for LibWhisker's anti-IDS methods in case you want to give it a try (or test your IDS system).

Not every check is a security problem, though most are. There are some items that are "info only" type checks that look for items that may not have a security flaw, but the webmaster or security engineer may not know are present on the server. These items are usually marked appropriately in the information printed. There are also some checks for unknown items which have been seen scanned for in log files.

# Uses rfp's LibWhisker as a base for all network functionality
# Main scan database in CSV format for easy updates
# Determines "OK" vs "NOT FOUND" responses for each server, if possible
# Determines CGI directories for each server, if possible
# Switch HTTP versions as needed so that the server understands requests properly
# SSL Support (Unix with OpenSSL or maybe Windows with ActiveState's Perl/NetSSL)
# Output to file in plain text, HTML or CSV
# Generic and "server type" specific checks
# Plugin support (standard PERL)
# Checks for outdated server software
# Proxy support (with authentication)
# Host authentication (Basic)
# Watches for "bogus" OK responses
# Attempts to perform educated guesses for Authentication realms
# Captures/prints any Cookies received
# Mutate mode to "go fishing" on web servers for odd items
# Builds Mutate checks based on robots.txt entries (if present)
# Scan multiple ports on a target to find web servers (can integrate nmap for speed, if available)
# Multiple IDS evasion techniques
# Users can add a custom scan database
# Supports automatic code/check updates (with web access)
# Multiple host/port scanning (scan list files)
# Username guessing plugin via the cgiwrap program and Apache ~user methods

Changes (new this version)
# Added -config option to specify a config file (from Pavel Kankovsky)
# Added enhanced content checking to reduce false positives (from Pavel Kankovsky)
# Added more explicit licensing to code/databases
# Other bugfixes, please see the CHANGES file for more details

Unix Requirements
Perl module Net::SSLeay
Perl module LibWhisker (is included with source)
OpenSSL (only required if SSL scans are needed)"

If you use Windows, you can try a port with some modifications called Wikto (

Hope this helps,

Ah, forgot: if your company really cares about security, you should look for a specialized security company, which will do a much more refined job and help your company with the challenge of security.

If you are in Brazil like me, I can suggest:

Probably all of them provide security services to companies outside of Brazil, so maybe you should give it a try...

linuxroxAuthor Commented:
bdetchevery:
I'm very new to actually testing the security of the things I've written, which I'm not proud of. But I would really like to learn how to test for these things on my own scripts. Also, a question about this: if my source isn't revealed, are the scripts still just as vulnerable to buffer overflows and other exploits as if the source was revealed? I'm going to check out the links you submitted there, but I didn't know if there was a special process for learning how to actually try and write a custom exploit for your own source for a specific function. What are the most common exploits for PHP scripts that are considered a real security risk for a server and its system files? A big thanks to you all. I tried to be as fair as I could!

You can learn much about common web application flaws at OWASP (Open Web Application Security Project):

I suggest you start reading the Guide:

Then check the Top 10 most common web flaws:

Check also the FAQ (probably you will have doubts that others had in the past):

Also check the Papers section, where you can get more in-depth details about a specific class of flaw:

Then you can use WebGoat:

"WebGoat is a full J2EE web application designed to teach web application security lessons. In each lesson, users must demonstrate their understanding by exploiting a real vulnerability on the local system. The system is even clever enough to provide hints and show the user cookies, parameters and the underlying Java code if they choose. Examples of lessons include SQL injection to a fake credit card database, where the user creates the attack and steals the credit card numbers.

The WebGoat project goals are simply to create the de-facto interactive teaching environment for web security. Eventually the project may consider extending WebGoat to become an assessment tools benchmarking platform and a Java based Web site HoneyPot."

Off topic: if you are not a native English speaker, you can look on the OWASP site for translations into several languages. :)

Hope this helps,

linuxroxAuthor Commented:
Thanks zgrp. Yes, I speak English. I'm going to check all of these things out for certain!
thanks a bunch!!
Wow! You asked a very interesting question regarding revealing the source code versus not revealing the source code.

If I might be so humble as to rephrase, this is like asking whether 'open source' software is more secure than non-open-source (mostly commercial) software.

I will refrain from giving my own opinion directly, except to say the following:

1) Proper peer source code review is considered a good quality practice among many software developers. The review of source code by multiple "trusted" people, and the implementation of suggested fixes, helps to improve the quality of the software and helps the programmer avoid similar mistakes in the future.

2) I have never met a cracker (ethical or otherwise) that cared about what the source code looks like. The basic principle employed is to "hit as many computers as possible and see what stuff falls out", and then later analyze the "stuff" that fell out to figure out where to go from here. That's not to say they are not knowledgeable of common vulnerabilities; it's just a matter of efficiency. Since computers are so fast, it's easier to hit multiple machines with multiple attacks than to bother to sit down and try specific attacks against a specific PHP script that someone wrote.

If I can be so blunt, I would say 99% of all attacks are black box attacks; the person doing the attack doesn't really care about what the code looks like. Most crackers

I don't have any specific statistics, but I would defer to zgrp and say one thing to watch out for is called SQL injection. If your PHP script is accessing a SQL database, it's probably the most common mistake made, and it makes it pretty easy to gain unauthorized information from a server.

Hope this helps
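As an added example that is not part of this thread (my own code, not from any poster, from SimpleTest, PHPUnit or OWASP), here is a framework-free version of the testing bdetchevery suggested earlier (unit tests that inject large amounts of data into your script) applied to the SQL injection risk he names in this post. It runs a set of hostile inputs through a vulnerable lookup and a hardened one built on a prepared statement. It uses PDO with an in-memory SQLite database so it runs stand-alone; the users table, its columns, the two function names, the 64-byte length limit and the payload list are all assumptions for the demo. For a MySQL back end only the DSN in the PDO constructor changes; the prepared-statement code is identical.

```php
<?php
// Added example, not code from the thread. Demonstrates why pasting user input
// into SQL is exploitable and what the prepared-statement fix looks like, using
// an in-memory SQLite database so it runs without a MySQL server.
// Table, column and function names are assumptions for the demo.

$db = new PDO('sqlite::memory:');                      // swap the DSN for MySQL in real code
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL)');
$db->exec("INSERT INTO users (name, email) VALUES ('alice', 'alice@example.org'), ('bob', 'bob@example.org')");

// Vulnerable lookup: $name is interpolated into the SQL text, so a quote in the
// input ends the string literal and the rest of the input becomes SQL.
function findUserVulnerable(PDO $db, string $name): array {
    $sql = "SELECT name, email FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened lookup: reject oversized or NUL-containing input up front (assumed
// limit for the demo), then bind the value with a prepared statement. The
// database receives the SQL and the value separately, so the value can never
// alter the query's structure, whatever characters it contains.
const MAX_NAME_LEN = 64;

function findUserSafe(PDO $db, string $name): array {
    if (strlen($name) > MAX_NAME_LEN || strpos($name, "\0") !== false) {
        throw new InvalidArgumentException('rejected: bad length or NUL byte');
    }
    $stmt = $db->prepare('SELECT name, email FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Hostile inputs, constructed for the demo: a normal value, the classic
// tautology, a comment-terminated injection, an embedded NUL byte, and the
// "long string of useless data" case from earlier in the thread.
$payloads = [
    'normal'      => 'alice',
    'tautology'   => "' OR '1'='1",
    'comment'     => "x' OR 1=1 --",
    'nul-byte'    => "alice\0",
    'long-string' => str_repeat('A', 1 << 20),
];

// Run every payload through both lookups and report what each one returned.
// Expected: the tautology and comment payloads return every row from the
// vulnerable lookup (2 rows) and nothing from the safe one (0 rows); the NUL
// byte and the long string are rejected by the safe lookup before they reach
// the database at all.
foreach ($payloads as $label => $input) {
    foreach (['vulnerable' => 'findUserVulnerable', 'safe' => 'findUserSafe'] as $kind => $fn) {
        try {
            $rows = $fn($db, $input);
            $outcome = count($rows) . ' row(s)';
        } catch (Throwable $e) {
            $outcome = 'error: ' . $e->getMessage();
        }
        printf("%-12s %-10s %s\n", $label, $kind, $outcome);
    }
}
```

Run it with the PHP command-line interpreter (it needs the pdo_sqlite extension, which is enabled in most stock PHP builds). The point to take from the output is that the hardened version does not try to "escape" dangerous characters at all: the length check is just a sanity limit, and it is the prepared statement that makes the quote and comment payloads harmless.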
linuxroxAuthor Commented:
Ah, I see. I gotta learn about these black box techniques and whatnot ;) I'm inexperienced with all this. And I'm not interested in harming someone else's scripts or anything, I just want to test my own to make sure I'm doing things correctly. I've lived long enough to know I'll pay in the end for trying to hurt someone else's property! So I wanna just stick to my own stuff! I've heard of SQL injection and need to learn how to test my scripts, because most of my PHP stuff is backended by MySQL! :)
thanks once again!