Solved

How to assess web-server vulnerability if software versions are known and outdated.

Posted on 2016-09-24
Last Modified: 2016-09-25
Dear Experts.

I have a friend who has outdated software on his web-server.
How can I prove to him that the server is vulnerable to attack?

My plan is to go to known vulnerability databases and demonstrate the attack.
But I cannot find tools or attack samples, even though it is well known that the software has flaws.
Where and how do I start this project?

For example, if the server is Apache 2.x and language is Ruby on Rails.
I am going to the database:
http://www.cvedetails.com/vulnerability-list/vendor_id-12043/product_id-22568/Rubyonrails-Ruby-On-Rails.html
but it does not lead to something practical for running a penetration test.

In the antivirus world, it is easy to just download signatures and run an antivirus. Why does there seem to be nothing like that
in web security?

Where, for example, does OWASP-ZAP take its scripts, vulnerability signatures or vulnerability scripts from to attack the URL?

Thank you.
Question by:Bitlab
5 Comments
 
LVL 61

Accepted Solution

by:
btan earned 350 total points
For the software, the things to check are:
- Patch level of security fixes: look at the history of hotfixes, esp. those with CVE tags. This includes dependencies such as linked libraries and extension add-ons.

- Proof of malicious code or backdoors, esp. those with a static admin login, remote access account or default account embedded within the binary or its config.

- Run the bintext tool to retrieve strings from the binary and see any suspicious or revealing indicators that lead to the above. Typically you can even drill deeper with manual dynamic and static analysis. See the summary and tools (I suggest you inform your friend or the owner of the intent, to avoid misrepresentation of what you are doing)
https://zeltser.com/reverse-malware-cheat-sheet/

- Run the binary (or search its hash) within a multi-AV and sandbox environment using VirusTotal, Malwr, or Joe Sandbox File Analyzer. See more in
https://zeltser.com/automated-malware-analysis/

This is just a snapshot, but if you have the code then running a static code analyser is pretty standard to sieve out vulnerabilities, likewise a dynamic scan using AppScan or WebInspect. Consider Nexpose too.

There is web security too; check out OWASP, under which ZAP is one of the projects spun off as a flagship project. Check out a listing
https://www.owasp.org/index.php/Phoenix/Tools

Also consider checking the SSL/TLS level using ssltest (if the service is Internet accessible), which will also surface past vulnerabilities in SSL. https://www.ssllabs.com/ssltest/
 
LVL 82

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 50 total points
I have a friend who has outdated software on his web-server.
So does almost every shared hosting company in the world.  But yet... millions of web sites are running without problems.  

There needs to be a more specific reason before you start harassing your friend about his installation.  If there was a real danger because there was a lot of money at stake or industrial or state secrets, then he would need to hire real security experts to protect his site, not just upgrade his software to the latest versions.
 
LVL 23

Assisted Solution

by:Dr. Klahn
Dr. Klahn earned 100 total points
I have a friend who has outdated software on his web-server.

Yes, that's a problem with Apache, which advertises the server information in the header response fields.  You might suggest that he read a page on how to address that problem in Apache 2.2, if that's what he's running.
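A way to make the version-based check concrete, as an added example that is not part of any answer in this thread: a Python script that parses the Server response header (the disclosure Dr. Klahn points at) into product and version, and compares the disclosed version against a baseline you fill in from the vendor's CVE-tagged security-fix history (btan's first point). The baseline values, the sample header strings and the fetch_server_header helper are my own constructions and assumptions, not data from the page.

```python
"""Assess what a web server's Server header discloses and whether the
disclosed version sits below a patch baseline.  Added example: the
baseline numbers and sample headers below are constructed placeholders,
not real advisory data."""
import re
import urllib.error
import urllib.request

# Constructed placeholder baseline.  Replace each value with the minimum
# patched release taken from the vendor's own CVE-tagged fix history for
# the products you actually run.  9.9.9 is deliberately unrealistic so
# nobody mistakes it for a real release.
PLACEHOLDER_BASELINE = {
    "Apache": "9.9.9",
    "nginx": "9.9.9",
}

# "Apache/2.2.22 (Ubuntu)" -> product "Apache", version "2.2.22"
_PRODUCT_RE = re.compile(r"^([A-Za-z][\w.-]*)(?:/(\d+(?:\.\d+)*))?")


def parse_server_header(value):
    """Split a Server header into (product, version).  Version is None
    when the server hides it, e.g. Apache with 'ServerTokens Prod' sends
    just 'Apache'."""
    if not value:
        return None, None
    m = _PRODUCT_RE.match(value.strip())
    if not m:
        return None, None
    return m.group(1), m.group(2)


def version_tuple(v):
    """Numeric tuple so that 2.10 compares greater than 2.9."""
    return tuple(int(p) for p in v.split("."))


def is_older(found, baseline):
    """True when found is strictly below baseline; shorter versions are
    right-padded with zeros so 2.4 < 2.4.1."""
    a, b = version_tuple(found), version_tuple(baseline)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def assess_server_header(value, baseline=PLACEHOLDER_BASELINE):
    """Return one finding dict for a Server header value."""
    product, version = parse_server_header(value)
    finding = {
        "header": value,
        "product": product,
        "version": version,
        "discloses_version": version is not None,
        "below_baseline": False,
    }
    if product and version and product in baseline:
        finding["below_baseline"] = is_older(version, baseline[product])
    return finding


def fetch_server_header(url, timeout=5):
    """HEAD request against a server you administer; error responses
    such as 403/404 still carry a Server header, so keep those too."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.headers.get("Server")
    except urllib.error.HTTPError as err:
        return err.headers.get("Server")


# Constructed sample header values; not captured from any real host.
SAMPLE_HEADERS = [
    "Apache/2.2.22 (Ubuntu)",   # discloses version
    "Apache",                   # version hidden (ServerTokens Prod)
    "nginx/1.10.3",
    "Microsoft-IIS/8.5",        # product not in the baseline
    "",                         # no Server header at all
]


def assess_samples():
    """Run the constructed samples through the check (offline)."""
    return [assess_server_header(h) for h in SAMPLE_HEADERS]


if __name__ == "__main__":
    for f in assess_samples():
        print(f"{f['header']!r:28} product={f['product']} "
              f"version={f['version']} discloses={f['discloses_version']} "
              f"below_baseline={f['below_baseline']}")
```

Two caveats worth keeping in mind when reading the output: a hidden or rewritten Server header only removes the disclosure, it says nothing about whether the software is patched, and distributions such as Debian and Red Hat backport security fixes while keeping the upstream version number, so a version that looks old in the header may already carry the CVE fixes. The header check is therefore a first indicator; btan's advice to verify the actual patch level on the host stands.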
 
LVL 61

Assisted Solution

by:btan
btan earned 350 total points
If it is a web server and the application package used, simply check the version update; by security practice, it should be patched to a workable version for running the services.

Exercise the risk assessment on the vulnerability of the older version. It will be explained in the patch revision notes of the server or application; your friend will know better, unless he sees that as insignificant (which I suspect). A pentest is one means, but the vulnerability can also be truly surfaced if it is conducted with a duly informed decision to go ahead with it.

What I have proposed is passive and a snapshot of the health at that juncture. You need to check the infrastructure, host and application levels to have a complete assessment. Ideally consider a Nexpose scan to cover the 3 levels, to see the hardening done and verify the security readiness of the services.

It should not be just a tool scan to conclude the assessment. I believe you know what I mean, and it really depends on what coverage and depth you need to convince your friend to do whitebox (full info, such as code), blackbox (no full info, only public info) or graybox (some info shared and found) testing.
 
LVL 2

Author Closing Comment

by:Bitlab
Thank you all.
... that's more work than a cavalry attack ...
