Solved

How to assess web-server vulnerability if software versions are known and outdated.

Posted on 2016-09-24
Last Modified: 2016-09-25
Dear Experts.

I have a friend who has outdated software on his web-server.
How can I prove to him that the server is vulnerable to attack?

My plan is to go to known vulnerability databases and demonstrate the attack.
But I cannot find tools or attack samples, even though it is well known that the software has flaws.
Where and how to start this project?

For example, if the server is Apache 2.x and language is Ruby on Rails.
I am going to the database:
http://www.cvedetails.com/vulnerability-list/vendor_id-12043/product_id-22568/Rubyonrails-Ruby-On-Rails.html
but it does not lead to something practical for running a penetration test.

In the antivirus world, it is easy to just download signatures and run an antivirus. Why does there seem to be nothing like that in web security?

Where, for example, does OWASP ZAP get its scripts or vulnerability signatures or vulnerability scripts to attack the URL?

Thank you.
Question by:Bitlab
5 Comments
 
LVL 62

Accepted Solution

by:
btan earned 350 total points
ID: 41814274
For the software, check the following:
- Patch level of security fixes: look at the history of hotfixes, especially those with CVE tags. This includes dependencies such as linked libraries and extension add-ons.

- Proof of malicious code or a backdoor, especially static admin logins, remote access accounts or default accounts embedded within the binary or its config.

- Run the binary through the BinText tool to retrieve its strings and look for any suspicious or revealing indicators that lead to the above. Typically you can drill even deeper with manual dynamic and static analysis. See the summary and tools below. (I suggest you inform your friend or the owner of your intent, to avoid misrepresentation of what you are doing.)
https://zeltser.com/reverse-malware-cheat-sheet/

- Run the binary (or search its hash) in a multi-AV and sandbox environment using VirusTotal, Malwr, or Joe Sandbox File Analyzer. See more at
https://zeltser.com/automated-malware-analysis/

This is just a snapshot, but if you have the code, then running a static code analyser is pretty standard to sieve out vulnerabilities; likewise for a dynamic scan using AppScan or WebInspect. Consider Nexpose too.

For web security, check out OWASP; ZAP is one of the projects spawned under it, as a flagship project. Check out the listing:
https://www.owasp.org/index.php/Phoenix/Tools

Also consider checking the SSL/TLS level using ssltest (if the service is Internet accessible), which will also surface past vulnerabilities in SSL. https://www.ssllabs.com/ssltest/
0
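The patch-level check on dependencies described in the answer above, sketched for the Rails case from the question. This is an added example, not part of the original thread: the `Gemfile.lock` excerpt, the advisory table and its placeholder ids and "fixed in" versions are all constructed, and would be filled in from the vendor's release notes or CVE entries.

```python
import re

# Constructed sample: excerpt of a Gemfile.lock (not from the original post).
SAMPLE_LOCK = """\
GEM
  remote: https://rubygems.org/
  specs:
    actionpack (4.1.0)
      rack (~> 1.5.2)
    rack (1.5.2)
    rails (4.1.0)
      actionpack (= 4.1.0)

PLATFORMS
  ruby
"""

# Hypothetical advisory table: gem -> (placeholder id, first fixed version).
# All values are constructed for illustration.
SAMPLE_ADVISORIES = {
    "rails": ("ADVISORY-PLACEHOLDER-1", "4.1.2"),
    "rack": ("ADVISORY-PLACEHOLDER-2", "1.5.2"),
}

def parse_lock(text):
    """Return {gem: version} for resolved gems (exactly 4-space indent)."""
    gems = {}
    for line in text.splitlines():
        # Dependency constraints are indented 6 spaces and are skipped.
        m = re.match(r"^ {4}([A-Za-z0-9_.\-]+) \(([^)]+)\)$", line)
        if m:
            gems[m.group(1)] = m.group(2)
    return gems

def version_key(v):
    """Numeric tuple padded to 5 parts; non-numeric parts count as 0."""
    parts = [int(p) if p.isdigit() else 0 for p in v.split(".")]
    return tuple(parts + [0] * (5 - len(parts)))

def unpatched(lock_text, advisories):
    """List (gem, installed, fixed_in, advisory_id) where installed < fixed_in."""
    installed = parse_lock(lock_text)
    findings = []
    for gem, (adv_id, fixed) in sorted(advisories.items()):
        have = installed.get(gem)
        if have and version_key(have) < version_key(fixed):
            findings.append((gem, have, fixed, adv_id))
    return findings

if __name__ == "__main__":
    for gem, have, fixed, adv in unpatched(SAMPLE_LOCK, SAMPLE_ADVISORIES):
        print(f"{gem} {have} is older than fixed version {fixed} ({adv})")
```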
 
LVL 83

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 50 total points
ID: 41814323
I have a friend who has outdated software on his web-server.
So does almost every shared hosting company in the world.  But yet... millions of web sites are running without problems.  

There needs to be a more specific reason before you start harassing your friend about his installation.  If there was a real danger because there was a lot of money at stake or industrial or state secrets, then he would need to hire real security experts to protect his site, not just upgrade his software to the latest versions.
0
 
LVL 24

Assisted Solution

by:Dr. Klahn
Dr. Klahn earned 100 total points
ID: 41814380
I have a friend who has outdated software on his web-server.

Yes, that's a problem with Apache, which advertises the server information in the header response fields.  You might suggest that he read a page on how to address that problem in Apache 2.2, if that's what he's running.
0
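A small audit check for the header disclosure mentioned in the answer above, as an added example that is not part of the original thread. Both sample responses are constructed; the second shows what Apache sends once `ServerTokens Prod` is set (`ServerSignature Off` covers the footer on server-generated pages, which this check does not inspect).

```python
import re

# Constructed sample responses (status line + headers), not from a real server.
VERBOSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sat, 24 Sep 2016 10:00:00 GMT\r\n"
    "Server: Apache/2.2.15 (CentOS) mod_ssl/2.2.15 OpenSSL/1.0.1e-fips\r\n"
    "X-Powered-By: Phusion Passenger 4.0.53\r\n"
    "Content-Type: text/html\r\n\r\n"
)
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n\r\n"
)

# Response headers that commonly carry product banners.
DISCLOSING = ("server", "x-powered-by")
# Matches "product/1.2.3" or "Product 1.2.3", with an optional suffix.
VERSION_RE = re.compile(r"([A-Za-z][\w.\-]*)(?:/| )v?(\d+(?:\.\d+)+[\w\-]*)")

def parse_headers(raw):
    """Return {lowercased header name: value} from a raw response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def disclosed_versions(raw):
    """List (header, product, version) for every version token found."""
    headers = parse_headers(raw)
    found = []
    for name in DISCLOSING:
        for product, version in VERSION_RE.findall(headers.get(name, "")):
            found.append((name, product, version))
    return found

if __name__ == "__main__":
    for label, raw in (("verbose", VERBOSE), ("hardened", HARDENED)):
        hits = disclosed_versions(raw)
        print(label, "->", hits if hits else "no version disclosed")
```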
 
LVL 62

Assisted Solution

by:btan
btan earned 350 total points
ID: 41814410
If it is a web server with an application package in use, simply check the version updates; as a security practice, it should be patched to a workable version for running the services.

Exercise a risk assessment on the vulnerabilities of the older version - they will be explained in the patch revisions of the server or application - your friend will know better, unless he sees that as insignificant (which I suspect is so). A pentest is one means, but the vulnerability can also truly surface if it is conducted with a duly informed decision to go ahead with it.

What I have proposed is passive and a snapshot of the health at that juncture. You need to check the infrastructure, host and application levels to have a complete assessment. Ideally, consider a Nexpose scan to cover the 3 levels, to see the hardening done and verify the security readiness of the services.

It should not be just a tool scan that concludes the assessment - I believe you know what I mean - and it really depends on what coverage and depth you need to convince your friend to do whitebox (have full info, like code), blackbox (no full info, like public info) or graybox (some info shared and found) testing.
0
 
LVL 2

Author Closing Comment

by:Bitlab
ID: 41815163
Thank you all.
... that's more work than cavalry attack ...
0


Question has a verified solution.
