Solved

How to assess web-server vulnerability if software versions are known and outdated.

Posted on 2016-09-24
5
134 Views
Last Modified: 2016-09-25
Dear Experts.

I have a friend who has outdated software on his web-server.
How can I prove to him that the server is vulnerable to attack?

My plan is to go to known vulnerability databases and demonstrate the attack.
But I cannot find tools or attack samples, even though it is well known that the software has flaws.
Where and how should I start this project?

For example, if the server is Apache 2.x and language is Ruby on Rails.
I am going to the database:
http://www.cvedetails.com/vulnerability-list/vendor_id-12043/product_id-22568/Rubyonrails-Ruby-On-Rails.html
but it does not lead to something practical to run a penetration test.

In the antivirus world, it is easy to just download signatures and run an antivirus. Why does there seem to be nothing like that in web security?

Where, for example, does OWASP ZAP take its scripts, vulnerability signatures or vulnerability scripts from to attack the URL?

Thank you.
0
Question by:Bitlab
5 Comments
 
LVL 64

Accepted Solution

by:
btan earned 350 total points
ID: 41814274
For the software, check:
- Patch level of security fixes: look at the history of hotfixes, especially those with CVE tags. This includes dependencies such as linked libraries and extension add-ons.

- Proof of malicious code or backdoors, especially a static admin login, remote access account or default account embedded within the binary or its config.

- Run the bintext tool to retrieve strings from the binary and look for any suspicious or revealing indicators that point to the above. Typically you can drill deeper with manual dynamic and static analysis. See the summary and tools (I suggest you inform your friend or the owner of your intent, to avoid misrepresentation of what you are doing):
https://zeltser.com/reverse-malware-cheat-sheet/

- Run the binary (or search for its hash) in a multi-AV and sandbox environment such as VirusTotal, Malwr or Joe Sandbox File Analyzer. See more in
https://zeltser.com/automated-malware-analysis/

This is just a snapshot, but if you have the code, running a static code analyser is pretty standard for sieving out vulnerabilities, likewise a dynamic scan using AppScan or WebInspect. Consider Nexpose too.

There is web security; check out OWASP, of which ZAP is one of the projects spun off as a flagship project. Check out the listing:
https://www.owasp.org/index.php/Phoenix/Tools

Also consider checking the SSL/TLS level using ssltest (if the service is Internet accessible), which will also surface past vulnerabilities in SSL: https://www.ssllabs.com/ssltest/
0
 
LVL 83

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 50 total points
ID: 41814323
I have a friend who has outdated software on his web-server.
So does almost every shared hosting company in the world.  But yet... millions of web sites are running without problems.  

There needs to be a more specific reason before you start harassing your friend about his installation.  If there was a real danger because there was a lot of money at stake or industrial or state secrets, then he would need to hire real security experts to protect his site, not just upgrade his software to the latest versions.
0
 
LVL 28

Assisted Solution

by:Dr. Klahn
Dr. Klahn earned 100 total points
ID: 41814380
I have a friend who has outdated software on his web-server.

Yes, that's a problem with Apache, which advertises the server information in the header response fields.  You might suggest that he read a page on how to address that problem in Apache 2.2, if that's what he's running.
0
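As an added example (my code, not from any of the answers above), a small Python triage script covering two points raised in this thread: btan's check of the patch level against known fixed versions, and Dr. Klahn's point that Apache advertises its version in the Server response header. It parses a Server banner, compares the version against a fixed-in table, and reports which Apache ServerTokens level the banner corresponds to; the fixed-in table and the sample banners are constructed placeholders, not advisory data.

```python
import re

# Constructed table: first version carrying the fixes you care about.  In
# practice fill it from the vendor hotfix history / CVE entries for each
# product and each linked library, as the accepted answer describes.
FIXED_IN = {
    "Apache": "2.4.57",  # placeholder, not an advisory value
    "nginx": "1.24.0",   # placeholder, not an advisory value
}

# Product token, optional "/version", then whatever else the banner leaks.
BANNER_RE = re.compile(
    r"^(?P<product>[A-Za-z][\w.-]*)(?:/(?P<version>\d+(?:\.\d+)*))?(?P<rest>\s.*)?$"
)

def parse_version(text):
    """'2.2.15' -> (2, 2, 15) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def tokens_level(version, rest):
    """Map what the banner shows to the Apache ServerTokens setting that would
    produce it: Prod < Major < Minor < Min < OS < Full (Prod is the target)."""
    if version is None:
        return "Prod"
    if rest and rest.strip():
        # "(OS)" alone is the OS level; any extra module tokens mean Full.
        return "OS" if re.fullmatch(r"\([^)]*\)", rest.strip()) else "Full"
    return {1: "Major", 2: "Minor"}.get(version.count(".") + 1, "Min")

def assess(server_header, fixed_in=FIXED_IN):
    """Return a triage dict for one Server: header value."""
    m = BANNER_RE.match(server_header.strip())
    if not m:
        return {"product": None, "version": None, "outdated": None, "tokens": None}
    product, version, rest = m.group("product"), m.group("version"), m.group("rest")
    outdated = None  # None: banner too terse to judge, verify on the host itself
    if version is not None and product in fixed_in:
        outdated = parse_version(version) < parse_version(fixed_in[product])
    return {"product": product, "version": version,
            "outdated": outdated, "tokens": tokens_level(version, rest)}

if __name__ == "__main__":
    # Constructed sample banners, not captured from any real host.
    for banner in ["Apache/2.2.15 (CentOS)", "Apache",
                   "Apache/2.4.57 (Unix) OpenSSL/1.1.1", "nginx/1.18.0"]:
        print(banner, "->", assess(banner))
```

A "Prod" result means the banner alone cannot tell you the patch level, which is the desired state for an exposed server; the version must then be checked on the host itself.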
 
LVL 64

Assisted Solution

by:btan
btan earned 350 total points
ID: 41814410
If it is a web server and an application package in use, simply check for the version update; by security practice, it should be patched to a workable version for running the services.

Exercise the risk assessment on the vulnerability of the older version (it will be explained in the patch revision notes of the server or application); your friend will know better, unless he sees that as insignificant (which I suspect). A pentest is one means, but the vulnerability can also be truly surfaced if it is conducted with a duly informed decision to go ahead with it.

What I have proposed is passive and a snapshot of the health at that juncture. You need to check the infrastructure, host and application levels to have a complete assessment. Ideally consider a Nexpose scan to cover the 3 levels, to see the hardening done and verify the security readiness of the services.

It should not be just a tool scan to conclude the assessment (I believe you know what I mean); it really depends on what coverage and depth you need to convince your friend to do whitebox (full information, such as the code), blackbox (no full information, only public information) or graybox (some information shared and found) testing.
0
 
LVL 2

Author Closing Comment

by:Bitlab
ID: 41815163
Thank you all.
... that's more work than cavalry attack ...
0
