Rapid7 NeXpose & Acunetix

Posted on 2010-09-01
Last Modified: 2012-05-10

I have a questionnaire on my site that a college student would like to use in his project.

However the IT department of his college must first run a web application vulnerability assessment. I was told that the scan will not target operating system and/or network vulnerabilities, but rather potential vulnerabilities in the web application.

Either Rapid7 NeXpose or Acunetix will be used to perform the scan.

For Rapid7 NeXpose does anything have to be installed on my server? From what I can tell, with Acunetix nothing has to be installed on my server, the scan can be made from any computer.

Could there be a security risk for me when other people run these programs and check my site's applications, or do I only stand to gain if they inform me of possible vulnerabilities?

If these programs can be run by anybody, why do you think I was asked to give permission? Is it because I can find evidence that these programs have been run from my logs?

thanks for your help!
Question by:netplus21

Accepted Solution

slemmesmi earned 1000 total points
ID: 33583969
Dear netplus21,

please let me try to answer your questions:

1. You do not need to install anything on your server (being the target of the penetration test/vulnerability scan) with regard to Rapid7 NeXpose. You can see the detailed architecture of the product described on http://www.rapid7.com/products/technology/architecture.jsp

2. Yes, there is definitely a (security) risk with a vulnerability scan/penetration test. E.g. such a test might test for the server's potential vulnerability to DoS attacks, and ("inadvertently") cause a DoS. Also other types of test (trying to exploit potential vulnerabilities) may negatively impact the availability of your server. You must thus be 100% certain you have the approval from the Business Process Owner (if not the Board of Directors) as well as the internal IT security officer and auditors, that they are OK with the test to come, and accept the related potential risk. Hence you must ensure you know in advance exactly what the "test" does, and agree on the timeslots (begin/end) during which the test is done (so you know during that time there is a risk, and you may see reports/alarms of some malicious behaviour). Frankly, as this is to be done by a "college student", I'd NOT let this happen towards any production system, at the most towards a test system!

3. I believe you were asked to give permission for the reasons detailed in '2' above. Also you may have an issue with internal/external auditors in terms of justifying that the test really was a test and not a real "attack".

Hope this helps.

Kind regards,
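The asker wonders whether a scan would be visible in the server logs, and the answer above stresses agreeing on a time window in advance. The following is an added example (not part of this thread and not code from Rapid7 or Acunetix) showing how a site owner could check an Apache/nginx "combined"-format access log for scanner traffic and compare it against the agreed window and the agreed source address. The log lines, the scan window, the source IP and the User-Agent markers ("acunetix", "nexpose") are all constructed for the example; real scanners can set any User-Agent they like, so the error-burst heuristic is included as a second signal that does not depend on the User-Agent.

```python
"""Check a web server access log for evidence of a vulnerability scan.

Added example: flags requests whose User-Agent names one of the scanners from
the thread, decides whether each falls inside the agreed scan window and came
from the agreed address, and separately counts 4xx/5xx bursts outside the
window (a scanner that hides its User-Agent still produces those).
"""
import re
from datetime import datetime, timezone

# Apache/nginx "combined" log format. Sample lines further down are constructed.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumption: product names as substrings, not verified vendor User-Agent strings.
SCANNER_MARKERS = ("acunetix", "nexpose")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def audit(lines, window_start, window_end, allowed_ips, burst_threshold=3):
    """Return a list of (ip, timestamp-or-None, verdict) findings.

    - Every request with a scanner User-Agent is reported; it is an "agreed scan"
      only if it is inside the window AND from an agreed address.
    - Per source IP, client/server errors (status >= 400) OUTSIDE the window are
      counted; reaching burst_threshold is reported as possible unannounced probing.
    """
    findings = []
    errors_by_ip = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparsable lines rather than crash on them
        in_window = window_start <= rec["ts"] <= window_end
        ua = rec["ua"].lower()
        if any(marker in ua for marker in SCANNER_MARKERS):
            if in_window and rec["ip"] in allowed_ips:
                verdict = "agreed scan"
            else:
                verdict = "UNEXPECTED scanner traffic"
            findings.append((rec["ip"], rec["ts"].isoformat(), verdict))
        if rec["status"] >= 400 and not in_window:
            errors_by_ip[rec["ip"]] = errors_by_ip.get(rec["ip"], 0) + 1
    for ip, count in errors_by_ip.items():
        if count >= burst_threshold:
            findings.append((ip, None, f"{count} client/server errors outside window (probing?)"))
    return findings


# Constructed sample log: one agreed scan, one scan at an unagreed time, one normal visitor.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Sep/2010:14:00:01 +0000] "GET /questionnaire.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Acunetix)"',
    '203.0.113.5 - - [10/Sep/2010:14:00:02 +0000] "GET /questionnaire.php?page=2 HTTP/1.1" 500 120 "-" "Mozilla/5.0 (compatible; Acunetix)"',
    '198.51.100.9 - - [11/Sep/2010:03:12:00 +0000] "GET /admin/ HTTP/1.1" 404 90 "-" "Nexpose"',
    '198.51.100.9 - - [11/Sep/2010:03:12:01 +0000] "GET /backup/ HTTP/1.1" 404 90 "-" "Nexpose"',
    '198.51.100.9 - - [11/Sep/2010:03:12:02 +0000] "GET /cgi-bin/ HTTP/1.1" 404 90 "-" "Nexpose"',
    '192.0.2.77 - - [11/Sep/2010:09:00:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]
# Constructed agreement: scan allowed 13:00-16:00 UTC on 10 Sep 2010 from 203.0.113.5 only.
WINDOW_START = datetime(2010, 9, 10, 13, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2010, 9, 10, 16, 0, tzinfo=timezone.utc)
ALLOWED_IPS = {"203.0.113.5"}


def run_sample():
    """Run the audit over the constructed sample; used by the usage below."""
    return audit(SAMPLE_LOG, WINDOW_START, WINDOW_END, ALLOWED_IPS)


if __name__ == "__main__":
    for ip, ts, verdict in run_sample():
        print(ip, ts or "-", verdict)
```

On the sample data the two Acunetix requests are reported as the agreed scan, the three Nexpose requests at 03:12 the next day are reported as unexpected scanner traffic, and the same address is also reported for a burst of 404s outside the window. Feeding a real log through `audit()` with the window and source address from the written agreement gives the site owner exactly the evidence the question asks about: whether what appears in the logs matches what was authorised.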

Assisted Solution

btan earned 1000 total points
ID: 33605705
Agreed with Soren, neither product needs an agent installed, but note that depending on the exploit used, an "agent" may be planted to perform leapfrog testing to other interconnected devices. Hence, my advice is to do it on a staging server with the predetermined test cases, then proceed with production at a convenient time (off-peak hours). Ideally, the production server need not be "touched" if staging can already reveal lots of flaws. The baseline has to be set.

The less intrusive approach can be via whitebox testing. See below related comments. Have a clear objective and do not over-scope it, as there are two parts to it, the web server and the web appl, that should be considered in the pentest. It is not the server solely.

Normally penetration testing can be blackbox testing (without knowing the internal architecture) or whitebox testing (with prior knowledge of the target architecture). The key is that the scope of the pentest work to be covered needs to be understood by both the "customer" and the "tester". This is to resolve unnecessary disagreements during and after the test phases. Typically there can be a neutral party to oversee that the testing is done in accordance with the agreed test specification scopes. The objective of this is to establish the baseline security posture for the site and give the customer assurance of the risk being exposed. In short, a threat assessment can be done (on paper) and verified through the testing mentioned above. Note that there is no 100% secure website - it is susceptible to multiple factors, e.g. host server platform, web server, appl server, web appl, etc.

I propose including whitebox testing - review the code of the website using a static code analyser. There are some open ones listed at http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html


Expert Comment

ID: 33626197
Dear netplus21,

did you get any further with the above, or do you need more from our side?

Kind regards,
