Solved

How to assess web-server vulnerability if software versions are known and outdated.

Posted on 2016-09-24
Medium Priority
150 Views
Last Modified: 2016-09-25
Dear Experts,

I have a friend who has outdated software on his web-server.
How can I prove to him that the server is vulnerable to attack?

My plan is to go to known vulnerability databases and demonstrate the attack.
But I cannot find tools or attack samples, even though it is well known that the software has flaws.
Where and how should I start this project?

For example, if the server is Apache 2.x and language is Ruby on Rails.
I am going to the database:
http://www.cvedetails.com/vulnerability-list/vendor_id-12043/product_id-22568/Rubyonrails-Ruby-On-Rails.html
but it does not lead to anything practical for running a penetration test.

In the antivirus world, it is easy to just download signatures and run an antivirus. Why does there seem to be nothing like that
in web security?

Where, for example, does OWASP ZAP take its scripts, vulnerability signatures or vulnerability scripts from to attack the URL?

Thank you.
Question by: Bitlab

5 Comments
Accepted Solution by: btan (LVL 64, earned 1400 total points)
For the software, it is a matter of checking:
- Patch level of security fixes: look at the history of hotfixes, especially those with CVE tags. This includes dependencies such as linked libraries and extension add-ons.

- Proof of malicious code or backdoors, especially those with a static admin login, remote-access account or default account embedded within the binary or its config.

- Run the binary through the bintext tool to retrieve strings and look for any suspicious or revealing indicators that lead to the above. Typically you can drill deeper with manual dynamic and static analysis. See the summary and tools (I suggest you inform your friend or the owner of your intent, to avoid misrepresentation of what you are doing):
https://zeltser.com/reverse-malware-cheat-sheet/

- Run the binary (or search its hash) within a multi-AV and sandbox environment using VirusTotal, Malwr or Joe Sandbox File Analyzer. See more at
https://zeltser.com/automated-malware-analysis/

This is just a snapshot, but if you have the code then running a static code analyser is pretty standard for sieving out vulnerabilities, likewise a dynamic scan using AppScan or WebInspect. Consider Nexpose too.

There is web security: check out OWASP, under which ZAP is one of the projects spun off as a flagship project. Check out a listing:
https://www.owasp.org/index.php/Phoenix/Tools

Also consider checking the SSL/TLS level using ssltest (if the service is Internet accessible), which will also surface past vulnerabilities in SSL. https://www.ssllabs.com/ssltest/
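As an added example (not part of btan's answer or of any tool he names): for the Ruby on Rails case the asker mentions, the practical form of "check the patch level of dependencies against CVE-tagged fixes" is to cross-reference the application's Gemfile.lock against an advisory database, which is what the bundler-audit tool does with ruby-advisory-db. The script below does the same thing stand-alone. The Gemfile.lock excerpt is constructed; the single advisory record (CVE-2013-0156, fixed in Rails 3.2.11, 3.1.10, 3.0.19 and 2.3.15) is transcribed from the public Rails advisory and should be re-checked against the database before anyone relies on it; the version arithmetic uses Gem::Version from Ruby's standard library, so that 3.2.11 compares greater than 3.2.9, which a plain string comparison gets wrong.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement ship with Ruby's standard library

# Constructed Gemfile.lock excerpt for illustration; not taken from any real server.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (1.4.5)
        json (~> 1.7)
      rails (3.2.9)
        rack (~> 1.4.5)
      nokogiri (1.5.9-x86-mingw32)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails (= 3.2.9)
LOCK

# Advisory records in the shape ruby-advisory-db (used by bundler-audit) keeps them:
# the gem, the identifier, and the requirements that describe *patched* versions.
# CVE-2013-0156 is the real Action Pack parameter-parsing advisory; the patched
# versions are transcribed by hand here, so verify them against the database.
ADVISORIES = [
  {
    gem: "rails",
    id: "CVE-2013-0156",
    title: "Multiple vulnerabilities in parameter parsing in Action Pack",
    patched: [">= 3.2.11", "~> 3.1.10", "~> 3.0.19", "~> 2.3.15"]
  }
].freeze

# Parse the "specs:" block of a Gemfile.lock into {name => Gem::Version}.
# Only the 4-space-indented lines are gems that are actually installed; the
# 6-space lines beneath them are their dependency constraints, not versions.
def parse_lockfile(text)
  gems = {}
  in_specs = false
  text.each_line do |raw_line|
    line = raw_line.chomp
    if line =~ /\A\s*specs:\z/
      in_specs = true
      next
    end
    in_specs = false if line.strip.empty? || line =~ /\A\S/
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/))
      name, raw_version = m[1], m[2]
      version = raw_version.split("-", 2).first # drop platform suffix, e.g. "1.5.9-x86-mingw32"
      gems[name] = Gem::Version.new(version)
    end
  end
  gems
end

# A version is vulnerable when it satisfies none of the patched-version requirements.
# "~> 3.1.10" means ">= 3.1.10, < 3.2", i.e. the fix on the 3.1 maintenance branch.
def vulnerable?(version, patched_requirements)
  patched_requirements.none? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
end

# Cross-reference every installed gem against the advisory list.
def audit(lock_text, advisories)
  installed = parse_lockfile(lock_text)
  advisories.each_with_object([]) do |adv, findings|
    version = installed[adv[:gem]]
    next unless version && vulnerable?(version, adv[:patched])
    findings << { gem: adv[:gem], version: version.to_s, id: adv[:id],
                  title: adv[:title], patched: adv[:patched] }
  end
end

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_LOCKFILE, ADVISORIES).each do |f|
    puts "#{f[:gem]} #{f[:version]}: #{f[:id]} - #{f[:title]} (patched in #{f[:patched].join(', ')})"
  end
end
```

The output for the constructed lockfile is a single finding, rails 3.2.9 against CVE-2013-0156. The same lockfile with rails 3.1.10 or 3.2.11 produces no finding, which is the point of the accepted answer: "old" is not the question, "below the CVE-tagged fix on its branch" is.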
Assisted Solution by: Dave Baldwin (LVL 84, earned 200 total points)
"I have a friend who has outdated software on his web-server."
So does almost every shared hosting company in the world. And yet... millions of web sites are running without problems.

There needs to be a more specific reason before you start harassing your friend about his installation.  If there was a real danger because there was a lot of money at stake or industrial or state secrets, then he would need to hire real security experts to protect his site, not just upgrade his software to the latest versions.
Assisted Solution by: Dr. Klahn (LVL 28, earned 400 total points)
"I have a friend who has outdated software on his web-server."

Yes, that's a problem with Apache, which advertises the server information in the header response fields.  You might suggest that he read a page on how to address that problem in Apache 2.2, if that's what he's running.
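Following on Dr. Klahn's point, as an added example (not from the original post or from Apache): a small Ruby fingerprinter that reads a response head the way a scanner does and turns the Server banner into a component inventory. Both responses are constructed. The verbose one is the kind of banner a default Apache 2.2 build with mod_ssl and Passenger advertises; the terse one is what the same server shows after `ServerTokens Prod` and `ServerSignature Off` in httpd.conf (and with the application layer's own X-Powered-By header also turned off, which those two Apache directives do not do). Hiding the banner only takes away the free inventory; the patch level behind it still has to be fixed.

```ruby
# Constructed response heads for illustration (not captured from any real host).
VERBOSE_RESPONSE = <<~RESPONSE
  HTTP/1.1 200 OK
  Date: Sat, 24 Sep 2016 10:00:00 GMT
  Server: Apache/2.2.22 (Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1 Phusion_Passenger/4.0.10
  X-Powered-By: Phusion Passenger 4.0.10
  X-Runtime: 0.012
  Content-Type: text/html; charset=utf-8

  <html>...</html>
RESPONSE

# Same server after "ServerTokens Prod" and "ServerSignature Off" in httpd.conf,
# with the application's X-Powered-By header disabled as well.
TERSE_RESPONSE = <<~RESPONSE
  HTTP/1.1 200 OK
  Date: Sat, 24 Sep 2016 10:00:00 GMT
  Server: Apache
  Content-Type: text/html; charset=utf-8

  <html>...</html>
RESPONSE

# Split a raw response into its status line and a header hash (lower-cased names).
def parse_headers(raw)
  head, _body = raw.split(/\r?\n\r?\n/, 2)
  lines = head.lines.map(&:chomp)
  status = lines.shift
  headers = lines.each_with_object({}) do |line, h|
    name, value = line.split(":", 2)
    h[name.strip.downcase] = value.to_s.strip
  end
  [status, headers]
end

# Turn "Apache/2.2.22 (Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1" into a component
# inventory: product/version pairs, plus whatever the parenthesised comment says
# (usually the OS distribution). A terse banner yields a product with no version.
def parse_server_banner(banner)
  comments = banner.scan(/\(([^)]*)\)/).flatten
  tokens = banner.gsub(/\([^)]*\)/, " ").split
  components = tokens.map do |tok|
    product, version = tok.split("/", 2)
    { product: product, version: version }
  end
  { components: components, comments: comments }
end

# Everything a remote fingerprinting scanner learns from one response head.
def fingerprint(raw)
  status, headers = parse_headers(raw)
  inventory = if headers["server"]
                parse_server_banner(headers["server"])
              else
                { components: [], comments: [] }
              end
  { status: status, server: inventory, powered_by: headers["x-powered-by"] }
end

if __FILE__ == $PROGRAM_NAME
  [VERBOSE_RESPONSE, TERSE_RESPONSE].each do |raw|
    fp = fingerprint(raw)
    listed = fp[:server][:components].map { |c| [c[:product], c[:version]].compact.join(" ") }
    puts "#{listed.join(', ')} | OS: #{fp[:server][:comments].join(', ')} | X-Powered-By: #{fp[:powered_by]}"
  end
end
```

For the verbose sample the inventory is Apache 2.2.22, mod_ssl 2.2.22, OpenSSL 1.0.1 and Phusion_Passenger 4.0.10 on Ubuntu, i.e. four products and their exact versions to look up in a CVE database without touching the host; for the terse sample it is just "Apache".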
Assisted Solution by: btan (LVL 64, earned 1400 total points)
If it is the web server and the application package used, simply check the version updates; by security practice, it should be patched to a workable version for running the services.

Exercise a risk assessment on the vulnerability of the older version (it will be explained in the patch revision notes of the server or application); your friend will know better, unless he sees that as insignificant (which I suspect). Pentest is one means, but the vulnerability can also be truly surfaced if it is conducted with a duly informed decision to go ahead with it.

What I have proposed is passive and a snapshot of the health at that juncture. You need to check the infrastructure, host and application levels to have a complete assessment. Ideally, consider a Nexpose scan to cover the three levels, to see the hardening done and verify the security readiness of the services.

It should not be just a tool scan that concludes the assessment; I believe you know what I mean, and it really depends on what coverage and depth you need to convince your friend to do white-box (full information, such as the code), black-box (no full information, only public information) or grey-box (some information shared and found) testing.
Author Closing Comment by: Bitlab (LVL 2)
Thank you all.
... that's more work than cavalry attack ...