• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 180

How to assess web-server vulnerability if software versions are known and outdated.

Dear Experts.

I have a friend who has outdated software on his web-server.
How can I prove to him that the server is vulnerable to attack?

My plan is to go to known vulnerability databases and demonstrate the attack.
But I cannot find tools or attack samples, even though it is well known that the software has flaws.
Where and how do I start this project?

For example, suppose the server is Apache 2.x and the language is Ruby on Rails.
I am going to the database:
http://www.cvedetails.com/vulnerability-list/vendor_id-12043/product_id-22568/Rubyonrails-Ruby-On-Rails.html
but it does not lead to something practical for running a penetration test.

In the antivirus world, it is easy just to download signatures and run an antivirus. Why does there seem to be nothing like that
in web security?

Where, for example, does OWASP-ZAP take its scripts or vulnerability signatures or vulnerability scripts from to attack the URL?

Thank you.
Asked by: Bitlab

4 Solutions

btan (Exec Consultant) commented:
For the software, check:
- Patch level of security fixes: look at the history of hotfixes, especially those with CVE tags. This includes dependencies such as libraries linked and used as extension add-ons.

- Proof of malicious code or backdoors, especially those with a static admin login, remote access account or default account embedded within the binary or its config.

- Run the binary through a tool such as bintext to retrieve strings and look for any suspicious or revealing indicators that lead to the above. Typically you can drill deeper with manual dynamic and static analysis. See the summary and tools here (I suggest you inform your friend or the owner of your intent, to avoid misrepresentation of what you are doing):
https://zeltser.com/reverse-malware-cheat-sheet/

- Run the binary (or search its hash) within multi-AV and sandbox environments using VirusTotal, Malwr, or Joe Sandbox File Analyzer. See more in
https://zeltser.com/automated-malware-analysis/

This is just a snapshot, but if you have the code then running a static code analyser is pretty standard for sieving out vulnerabilities, likewise a dynamic scan using AppScan or WebInspect. Consider Nexpose too.

There is web security too: check out OWASP, under which ZAP is one of the projects spun off as a flagship project. Check out the listing:
https://www.owasp.org/index.php/Phoenix/Tools

Also consider checking the SSL/TLS level using ssltest (if the service is Internet accessible), which will also surface past vulnerabilities in SSL. https://www.ssllabs.com/ssltest/
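A small added example (not code from the question or from any of the answers) of the version-versus-fix check that the question and btan's first point describe: parse the Apache Server banner, then compare the running version against the first fixed release of each advisory in the same release branch, since security fixes are backported per branch and a plain numeric comparison across branches gives false results. The advisory table and its ids are constructed placeholders, not real CVE data.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed advisory table; the ids are placeholders, NOT real CVE numbers.
# advisory id -> {release branch: first fixed version in that branch}
# Fixes are backported per branch, so a 2.2.x install must be compared with
# the 2.2 fix, not with the 2.4 fix.
ADVISORIES: Dict[str, Dict[str, Dict[str, str]]] = {
    "Apache": {
        "ADVISORY-PLACEHOLDER-1": {"2.2": "2.2.32", "2.4": "2.4.10"},
        "ADVISORY-PLACEHOLDER-2": {"2.4": "2.4.25"},
    },
}

# Matches 'Apache/2.2.15 (Unix)'; a bare 'Apache' (ServerTokens Prod) does not match.
BANNER_RE = re.compile(r"^(?P<product>[A-Za-z][\w-]*)/(?P<version>\d+(?:\.\d+)*)")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.2.15' into (2, 2, 15) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def parse_banner(server_header: str) -> Optional[Tuple[str, str]]:
    """Extract (product, version) from a Server header, or None if no version is advertised."""
    match = BANNER_RE.match(server_header.strip())
    return (match.group("product"), match.group("version")) if match else None


def assess(server_header: str) -> Dict[str, str]:
    """Map each advisory for the product to 'affected', 'fixed' or 'check-advisory'.

    'check-advisory' means the table lists no fix for this release branch:
    the branch may be unaffected or may never have received a fix, so the
    advisory text itself must be read rather than guessed at.
    """
    parsed = parse_banner(server_header)
    if parsed is None:
        return {}  # no version advertised: nothing to compare against
    product, version = parsed
    running = parse_version(version)
    branch = ".".join(version.split(".")[:2])
    findings: Dict[str, str] = {}
    for advisory_id, fixes in ADVISORIES.get(product, {}).items():
        fixed_in_branch = fixes.get(branch)
        if fixed_in_branch is None:
            findings[advisory_id] = "check-advisory"
        elif running < parse_version(fixed_in_branch):
            findings[advisory_id] = "affected"
        else:
            findings[advisory_id] = "fixed"
    return findings
```

A banner-only check is a starting point, not proof: distributions often backport fixes without bumping the advertised version, and a server that suppresses its version yields no findings at all.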
Dave Baldwin (Fixer of Problems) commented:
"I have a friend who has outdated software on his web-server."
So does almost every shared hosting company in the world.  But yet... millions of web sites are running without problems.  

There needs to be a more specific reason before you start harassing your friend about his installation.  If there was a real danger because there was a lot of money at stake or industrial or state secrets, then he would need to hire real security experts to protect his site, not just upgrade his software to the latest versions.
Dr. Klahn (Principal Software Engineer) commented:
"I have a friend who has outdated software on his web-server."

Yes, that's a problem with Apache, which advertises the server information in the header response fields.  You might suggest that he read a page on how to address that problem in Apache 2.2, if that's what he's running.
btan (Exec Consultant) commented:
If it is the web server and the application package used, simply check the version updates; as a security practice, it should be patched to a workable version for running the services.

Exercise a risk assessment on the vulnerability of the older version; it will be explained in the patch revision notes of the server or application. Your friend will know better, unless he sees it as insignificant (which I suspect). A pentest is one means, but the vulnerability can also be truly surfaced if it is conducted with a duly informed decision to go ahead with it.

What I have proposed is passive and a snapshot of the health at that juncture. You need to check the infrastructure, host and application levels to have a complete assessment. Ideally consider a Nexpose scan to cover the 3 levels, to see the hardening done and verify the security readiness of the services.

It should not be just a tool scan that concludes the assessment; I believe you know what I mean, and it really depends on what coverage and depth you need to convince your friend to do whitebox (full info, such as code), blackbox (no full info, only public info) or graybox (some info shared and found) testing.
Bitlab (Author) commented:
Thank you all.
... that's more work than a cavalry attack ...