vulnerability scan

Posted on 2006-03-20
Last Modified: 2012-10-24
Hello. Can anyone suggest some software that does a good vulnerability scan for a webserver, including a scan looking for vulnerable PHP and CGI scripts etc.? I'd like to use something that keeps an updated database of vulnerable scripts that it scans for. I'd like to find something that also scans for cross-site scripting!
Thank You!
Question by: linuxrox (LVL 3)

    Accepted Solution

    There is a good list at

    It's hard to pick the "best" one as it depends on what OS and web server you are running. Different combinations can have different vulnerabilities.

    Probably the best thing to test for with third-party or custom scripts is buffer overflows. How well does the script handle being pounded by long strings of 'useless' data?

    If you have written the software yourself or it was written internally, good white box and black box testing techniques will be your biggest ally.

    Hope this helps.

    LVL 4

    Expert Comment

    Download this and scan the web box. Works really well, and it's from Microsoft.
    LVL 4

    Expert Comment

    I am surprised Nessus has not yet been mentioned...

    Nessus is probably the best or close to it.

    They recently changed their 'licensing model' (that is corporate speak for "trying to make things more confusing"...)
    But basically Nessus is free, and has a HUGE number of plugins.
    Nessus can be configured to do scans just against the web servers, but can scan databases, workstations, etc. etc.
    Trust me, download Nessus and run it against your servers.

    Author Comment

    Thanks guys, I'm gonna look at these and see what happens. I definitely would like to have an easy way to test for buffer overflows and things like that, especially on PHP scripts I've written.
    bdetchevery: what did you say was good for testing for buffer overflows and whatnot?

    Author Comment

    Also, wanted to point out that I'm only really focused on scanning script and program vulnerabilities... PHP scripts, Perl forum software and all that kind of thing. The server I'll test against is a Linux server with Apache, PHP and Perl scripts.
    LVL 3

    Assisted Solution

    There are two "levels" to look at:

    First, if you are running your own server, you want to make sure your PHP program is kept up to date, as well as any mods that you might be using. Regardless of how well you write your code, an overflow in PHP itself or a mod can make you vulnerable.

    For the code itself (PHP), you could use a product like SimpleTest to generate various unit tests that attempt to inject large amounts of data into your script. Or you could try PHPUnit2.

    IMHO - It's best to design a custom test plan that's specific to the functions within your script. Automated test tools will run the basics but do not know the specific details about your script. They are certainly a good quick indicator of problems, but should not be used as your ONLY security method.

    Some more tools that might help can be found at
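As an added example that is not part of this thread and is not SimpleTest or PHPUnit code: a small table-driven abuse-input test in Python, in the spirit of the "pound it with long strings" advice in the accepted solution and of the custom test plan suggested above. The handler `handle_signup`, its limit `MAX_NAME` and every input in `ABUSE_CASES` are constructed stand-ins for a real form script; the same shape of test can be written in PHPUnit against the actual PHP handler.

```python
import unittest

MAX_NAME = 32  # assumed field limit for the constructed handler


def handle_signup(form):
    """Constructed stand-in for a PHP form handler that validates a 'name'
    field. Returns a dict and never raises on bad input."""
    name = form.get("name", "")
    if not isinstance(name, str):          # name[]=bob style array parameter
        return {"ok": False, "error": "bad type"}
    if len(name) > MAX_NAME:               # oversized input
        return {"ok": False, "error": "name too long"}
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in name):
        return {"ok": False, "error": "control character in name"}
    return {"ok": True, "greeting": "Welcome, " + name}


# Abuse cases a test plan for a single text field should cover (constructed).
ABUSE_CASES = {
    "very_long": "A" * 100_000,               # huge body, the 'long string' test
    "nul_byte": "bob\x00admin",               # NUL truncation in C-backed code
    "crlf": "bob\r\nSet-Cookie: admin=1",     # header / log injection
    "multibyte_long": "\u00e9" * 33,          # length counted in characters, not bytes
    "wrong_type": ["bob"],                    # array where a string is expected
}


def run_abuse_suite(handler, cases):
    """Run every case through the handler and record whether it was rejected
    cleanly, accepted, or crashed. A crash on bad input is a finding by itself."""
    results = {}
    for label, value in cases.items():
        try:
            out = handler({"name": value})
            results[label] = "rejected" if not out["ok"] else "accepted"
        except Exception as exc:  # never let a malformed input take the script down
            results[label] = "crashed: " + type(exc).__name__
    return results


class AbuseInputTests(unittest.TestCase):
    def test_abusive_inputs_rejected_without_crash(self):
        for label, verdict in run_abuse_suite(handle_signup, ABUSE_CASES).items():
            self.assertEqual(verdict, "rejected", label)

    def test_benign_input_accepted(self):
        self.assertTrue(handle_signup({"name": "Alice"})["ok"])


if __name__ == "__main__":
    unittest.main()
```

The point of the table is that each row names a failure class, so when a real handler is swapped in for `handle_signup` a failing row tells you which class of input it mishandles, instead of a generic scanner saying "something is wrong".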

    LVL 3

    Assisted Solution


    If you are interested in testing just web applications, I suggest you use the famous Nikto (

    "Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3200 potentially dangerous files/CGIs, versions on over 625 servers, and version specific problems on over 230 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).

    Nikto is not designed as an overly stealthy tool. It will test a web server in the shortest timespan possible, and it's fairly obvious in log files. However, there is support for LibWhisker's anti-IDS methods in case you want to give it a try (or test your IDS system).

    Not every check is a security problem, though most are. There are some items that are "info only" type checks that look for items that may not have a security flaw, but the webmaster or security engineer may not know are present on the server. These items are usually marked appropriately in the information printed. There are also some checks for unknown items which have been seen scanned for in log files.

    # Uses rfp's LibWhisker as a base for all network functionality
    # Main scan database in CSV format for easy updates
    # Determines "OK" vs "NOT FOUND" responses for each server, if possible
    # Determines CGI directories for each server, if possible
    # Switch HTTP versions as needed so that the server understands requests properly
    # SSL Support (Unix with OpenSSL or maybe Windows with ActiveState's Perl/NetSSL)
    # Output to file in plain text, HTML or CSV
    # Generic and "server type" specific checks
    # Plugin support (standard PERL)
    # Checks for outdated server software
    # Proxy support (with authentication)
    # Host authentication (Basic)
    # Watches for "bogus" OK responses
    # Attempts to perform educated guesses for Authentication realms
    # Captures/prints any Cookies received
    # Mutate mode to "go fishing" on web servers for odd items
    # Builds Mutate checks based on robots.txt entries (if present)
    # Scan multiple ports on a target to find web servers (can integrate nmap for speed, if available)
    # Multiple IDS evasion techniques
    # Users can add a custom scan database
    # Supports automatic code/check updates (with web access)
    # Multiple host/port scanning (scan list files)
    # Username guessing plugin via the cgiwrap program and Apache ~user methods

    Changes (new this version)
    # Added -config option to specify a config file (from Pavel Kankovsky)
    # Added enhanced content checking to reduce false positives (from Pavel Kankovsky)
    # Added more explicit licensing to code/databases
    # Other bugfixes, please see the CHANGES file for more details

    Unix Requirements
    PERL module NET::SSLeay
    PERL module LibWhisker ( is included with source)
    OpenSSL (only required if SSL scans are needed)"

    If you use Windows, you can try a port with some modifications called Wikto (

    Hope this helps,
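Nikto's "Determines OK vs NOT FOUND responses" and "Watches for bogus OK responses" items above are what keep a file/CGI scanner from reporting every check as present on a server that answers 200 to everything (a common setup with a front controller or a friendly error page). The Python below is added here as an illustration and is not Nikto's code nor anything posted in this thread: it learns the server's not-found signature from a request for a path that cannot exist and then only reports candidates whose response differs from it. The two servers (`honest_server`, `catchall_server`) are constructed fakes with no network, and `CANDIDATES` is a made-up list, not Nikto's database.

```python
import hashlib
import random
import string


def fingerprint(status, body):
    """Reduce a response to something comparable across requests: the status
    code plus a hash of the body with digits removed, so not-found pages that
    differ only in a timestamp or error reference still compare equal."""
    stripped = "".join(ch for ch in body if not ch.isdigit())
    return status, hashlib.sha256(stripped.encode()).hexdigest()[:16]


def learn_not_found(fetch, seed=1):
    """Ask for a path that cannot exist and remember how this server answers."""
    rng = random.Random(seed)
    junk = "/" + "".join(rng.choice(string.ascii_lowercase) for _ in range(24))
    return fingerprint(*fetch(junk))


def classify(fetch, candidates):
    """Return (path, status) for candidates that look genuinely present.
    A 200 whose body matches the learned not-found page is a 'bogus OK'."""
    baseline = learn_not_found(fetch)
    found = []
    for path in candidates:
        status, body = fetch(path)
        if status == 404:
            continue
        if fingerprint(status, body) == baseline:
            continue  # bogus OK: same page the server gives for nonsense
        found.append((path, status))
    return found


def naive_classify(fetch, candidates):
    """What a scanner without the baseline does: trust any non-404."""
    return [(p, fetch(p)[0]) for p in candidates if fetch(p)[0] != 404]


# Constructed fake servers; fetch(path) -> (status, body). A real fetch would
# wrap urllib.request and return the same tuple.
def honest_server(path):
    files = {"/index.html": "<h1>Welcome</h1>",
             "/cgi-bin/test-cgi": "CGI/1.0 test script report:"}
    return (200, files[path]) if path in files else (404, "Not Found")


def catchall_server(path):
    """Front-controller style: 200 for every path, with a friendly error page
    that carries a varying reference number."""
    files = {"/index.html": "<h1>Welcome</h1>"}
    if path in files:
        return 200, files[path]
    return 200, "<html>Sorry, no such page. Error ref %d</html>" % (len(path) * 7)


CANDIDATES = ["/index.html", "/cgi-bin/test-cgi", "/phpinfo.php", "/admin/"]

if __name__ == "__main__":
    for name, srv in (("honest", honest_server), ("catch-all", catchall_server)):
        print(name, "naive:", naive_classify(srv, CANDIDATES))
        print(name, "baselined:", classify(srv, CANDIDATES))
```

Against `catchall_server` the naive pass reports all four paths while the baselined pass reports only `/index.html`. Stripping digits before hashing is a deliberately crude normalisation; a scanner that sees request IDs or dates in other forms needs a stronger one, and a server that varies its error page in other ways (random ads, A/B text) will still produce false positives, which is exactly why Nikto's own "enhanced content checking" exists.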

    LVL 3

    Expert Comment

    Ah, forgot: if your company really cares about security, you should look for a specialized security company, which will do a much more refined job and help your company with the challenge of security.

    If you are in Brazil like me, I can suggest:

    Probably all of them provide security services to companies outside Brazil, so maybe you should give it a try...


    Author Comment

    bdetchevery :
    I'm very new to actually testing the security of the things I've written, which I'm not proud of. But I would really like to learn how to test for these things on my own scripts. Also, a question about this: if my source isn't revealed, are the scripts still just as vulnerable to buffer overflows and other exploits versus if the source was revealed? I'm going to check out the links you submitted there, but I didn't know if there was a special process for learning how to actually try and write a custom exploit for your own source for a specific function. What are the most common exploits for PHP scripts that are considered a real security risk for a server and its system files? A big thanks to you all. I tried to be as fair as I could!
    LVL 3

    Expert Comment


    You can learn much about common web application flaws at OWASP (Open Web Application Security Project):

    I suggest you start reading the Guide:

    Then check the TOP 10 most common web flaws:

    Check also the FAQ (probably you will have doubts that others had in the past):

    Check even the Paper Sections, where you can get some more in depth details about a specific class of flaw:

    Then you can use WebGoat:

    "WebGoat is a full J2EE web application designed to teach web application security lessons. In each lesson, users must demonstrate their understanding by exploiting a real vulnerability on the local system. The system is even clever enough to provide hints and show the user cookies, parameters and the underlying Java code if they choose. Examples of lessons include SQL injection to a fake credit card database, where the user creates the attack and steals the credit card numbers.

    The WebGoat project goals are simply to create the de-facto interactive teaching environment for web security. Eventually the project may consider extending WebGoat to become an assessment tools benchmarking platform and a Java based Web site HoneyPot."

    Off topic: if you are not a native English speaker, you can look on the OWASP site for translations into several languages. :)

    Hope this helps,


    Author Comment

    Thanks zgrp. Yes, I speak English. I'm going to check all of these things out for certain!
    Thanks a bunch!!
    LVL 3

    Expert Comment

    Wow! You asked a very interesting question regarding 'revealing source code' versus not revealing the source code.

    If I might be so humble as to rephrase, this is like asking whether 'open source' software is more secure than non-open-source (mostly commercial) software.

    I will refrain from giving my own opinion directly except to say the following:

    1) Proper peer source code review is considered a good quality practice among many software developers. The review of source code by multiple "trusted" people, and the implementation of suggested fixes helps to improve both the quality of the software, and helps the programmer avoid similar mistakes in the future.

    2) I have never met a cracker (ethical or otherwise) that cared about what the source code looks like. The basic principle employed is to "hit as many computers as possible... and see what stuff falls out", and then later analyze the "stuff" that fell out to figure out where to go from there. That's not to say they are not knowledgeable of common vulnerabilities; it's just a matter of efficiency. Since computers are so fast, it's easier to hit multiple machines with multiple attacks than to bother to sit down and try specific attacks against a specific PHP script that someone wrote.

    If I can be so blunt I would say 99% of all attacks are black box attacks, the person doing the attack doesn't really care about what the code looks like. Most crackers

    I don't have any specific statistics, but I would defer to zgrp and say one thing to watch out for is called SQL injection. If your PHP script is accessing an SQL database, it's probably the most common mistake made and makes it pretty easy to gain unauthorized information from a server.

    Hope this helps

    Author Comment

    Ahh, I see. I gotta learn about these black-box techniques and whatnot ;) I'm inexperienced with all this. And I'm not interested in harming someone else's scripts or anything, I just want to test my own to make sure I'm doing things correctly. I've lived long enough to know I'll pay in the end for trying to hurt someone else's property! So I wanna just stick to my own stuff! I've heard of SQL injection and need to learn how to test my scripts because most of my PHP stuff is backended by MySQL! :)
    Thanks once again!
