I have a friend who has outdated software on his web-server.
How can I prove to him that the server is vulnerable to attack?
My plan is to go to known vulnerability databases and demonstrate the attack.
But I cannot find tools, attack samples, even it is well known that the software has flaws.
Where and how to start this project?
For example, if the server is Apache 2.x and language is Ruby on Rails.
I am going to the database:
but it does not lead to something practical to run penetration test.
In antivirus world, it is easy just to download signatures and run an antivirus. Why there seems nothing like that
Where, for example, OWASP-ZAP takes its scripts or vulnerability signatures or vulnerability scripts to attack the URL?