Vulnerability Scanning
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
TABLE OF CONTENTS
Introduction 01
Vulnerability Assessment 02
Research Motivation 06
The Tools 08
Experiment 09
Analysis 10
Conclusion 11
INTRODUCTION
No enterprise is too small to suffer a cyber attack or data breach. Unfortunately, smaller organizations often lack the budget and in-house expertise to harden their systems and networks against cyber threats.
Most companies already run vulnerability scans in their enterprise, understanding the importance of doing so before exposing a system to the public. The obvious advantage of an open source tool of any kind is that it usually carries no price tag. That makes open source an easy choice for those with little or no budget. There are other financial and resource costs to consider when deploying the tool in a specific environment, but overall the lack of a licence fee makes open source tools the most sought-after option for the cash-strapped.
Some organizations choose open source tools because they can adapt the tool to their specific needs: once they have obtained the source code, they are free to modify it for their organization's requirements.
This white paper examines three open source web application vulnerability scanning tools (Vega, OWASP ZAP (Zed Attack Proxy), and Paros) and one commercial web application vulnerability scanning tool (Netsparker), in order to compare and demonstrate the vulnerability detection functionality and effectiveness of the various tools.
VULNERABILITY ASSESSMENT
Vulnerability scanning is a security technique organizations use to find flaws in a targeted system, so that holes in a web application and the system beneath it are discovered before a malicious user finds them. It is generally carried out before a web application is deployed on the internet. Web application security is the practice of defending websites and online services against threats that exploit vulnerabilities in an application's code. Web applications are attractive targets because their complexity, and their integration with other software, give attackers a large attack surface. They are also harder to protect than traditional applications, which benefit from security infrastructure that is already deployed around them. To detect and protect against web application threats, an organization must first be able to identify the vulnerabilities, and that includes running web application vulnerability assessment scans.
Scans are commonly grouped by what they target:
• Network-based vulnerability scans identify weaknesses in network security before an attacker can mount an attack. The goal of running a vulnerability scanner, or of an external vulnerability assessment, is to identify devices on the network that are exposed to known vulnerabilities without actually compromising those systems.
• Host-based scans complement network scans by examining servers, workstations, and other network hosts for security weaknesses on the host itself.
• Wireless network scans of an enterprise's Wi-Fi networks bring to attention the points of attack in the wireless infrastructure. Besides discovering rogue access points, a wireless scan can validate that the wireless network is securely configured.
• Application scans are essential for websites: they discover known software vulnerabilities and unwarranted configurations in the web application and the network it runs on.
• Database scans detect weaknesses in a database that could enable attacks such as SQL injection.
OPEN SOURCE WEB APPLICATION
VULNERABILITY SCANNERS
A plethora of tools is available to software testers to help detect software vulnerabilities. However, some tools are more powerful than others.
RESEARCH MOTIVATION
For an organization with no security expert, picking a vulnerability discovery tool can itself be a serious problem. Automated vulnerability scanning tools have a known disadvantage: they produce both false positives and false negatives. Relying on the wrong tool can therefore result in web applications or services being deployed with undetected vulnerabilities.
A. OWASP ZAP
The OWASP Zed Attack Proxy (ZAP) is one of the world's most popular free security tools and is actively used by many people around the world. It helps find security vulnerabilities in applications, and penetration testers use it while conducting manual tests.
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
B. Paros
Paros is a free web proxy tool written entirely in Java. Because it works as a proxy, all HTTP and HTTPS traffic between client and server, including cookies and form fields, can be intercepted and modified.
http://sectools.org/tool/paros/
C. Vega Tool
Vega is a platform for testing the security of web applications. It is GUI based, written in Java, and runs on Linux, OS X, and Windows. It can be easily extended with modules written in JavaScript.
https://subgraph.com/vega/
D. Netsparker
Netsparker Desktop is an easy-to-use yet powerful web application security scanner that scans websites, web applications, and web services and automatically identifies vulnerabilities and security flaws in them.
https://www.netsparker.com/
EXPERIMENT
For this white paper we selected web-based applications that handle various types of loan disbursement processes (house loans, car loans, etc.). We ran each scanner under two different scanning policies: the Default Scanning Policy and a Custom Scanning Policy.
Scanning Conducted
• Scan the web application with three open source web security scanners and one commercial web security scanner.
• Run each scanner under both the default and the custom scanning policy.
• Compare the vulnerability scanning results.
ANALYSIS
Default Scan Policy:
In the first experiment, Vega detected five high and zero medium vulnerabilities (Figure 1), ZAP detected one high and two medium vulnerabilities (Figure 2), and Paros detected two high and four medium vulnerabilities (Figure 3).
[Figure 1: Vega vulnerability detection graph with default scan policy. Y-axis: vulnerability count (0 to 5); series: High, Medium, Low, Info.]
[Figure 2: ZAP (Zed Attack Proxy) vulnerability detection graph with default scan policy. Y-axis: vulnerability count (0 to 9); series: High, Medium, Low, Info.]
[Figure 3: Paros vulnerability detection graph with default scan policy. Y-axis: vulnerability count (0 to 4); series: High, Medium, Low, Info.]
Custom Scan Policy:
In the second experiment, Vega detected eight high and three medium vulnerabilities (Figure 4), ZAP detected one high, three medium, and 11 low vulnerabilities (Figure 5), and Netsparker detected two critical, three important, three medium, and nine low vulnerabilities (Figure 6).
[Figure 4: Vega vulnerability detection graph with custom scan policy. Y-axis: vulnerability count (0 to 8); series: High, Medium, Low, Info.]
[Figure 5: ZAP (Zed Attack Proxy) vulnerability detection graph with custom scan policy. Y-axis: vulnerability count (0 to 12); series: High, Medium, Low, Info.]
[Figure 6: Netsparker vulnerability detection graph with custom scan policy. Y-axis: vulnerability count (0 to 9); x-axis categories: Critical, Important, Medium, Low, Info.]
[Figure: comparison of all scanners' High vulnerability results (custom policy). Y-axis: High vulnerability count (0 to 8); x-axis: Vega, ZAP (Zed Attack Proxy), Netsparker.]
[Figure: comparison of all scanners' Medium vulnerability results (custom policy). Y-axis: Medium vulnerability count; x-axis: Vega, ZAP (Zed Attack Proxy), Netsparker.]
CONCLUSION
In this white paper we ran three open source web application security scanners and one commercial web application security scanner, each with a default and a custom scanning policy, and compared the results. The clearest coverage result is that the custom-policy scans found more vulnerabilities than the default-policy scans.
The scanners do not produce equal results, but combining two or more scanners can help you detect more vulnerabilities. However, a manual penetration test is still strongly recommended: no automated scan delivers zero false positives and zero false negatives, so the scanner output has to be validated and the gaps it leaves have to be closed by hand.
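As an added example, not part of the original white paper or of any of the scanners' own code, the following Python script makes the comparison described above concrete. It normalizes findings from two scanner reports into a common key (URL, parameter, vulnerability class), tallies them by severity as the graphs above do, scores each scanner and the union of both against a list of manually confirmed vulnerabilities to expose false positives and false negatives, and shows what only a manual test catches. The first input is modelled on ZAP's traditional JSON report layout (site, alerts, instances, riskcode 0 to 3); the CSV layout of the second scanner, the loanapp.example URLs, the findings and the ground-truth list are all constructed for illustration.

```python
"""Normalize, tally and score findings from two web scanner reports.

Added example for this white paper: the report snippets, URLs and
ground truth below are constructed for illustration, not real scan output.
"""
import csv
import io
import json
from collections import Counter

# Constructed report modelled on ZAP's traditional JSON report layout
# (site[] -> alerts[] -> instances[]; riskcode 0=Info 1=Low 2=Medium 3=High).
ZAP_REPORT = json.dumps({"site": [{
    "@name": "http://loanapp.example",
    "alerts": [
        {"name": "SQL Injection", "riskcode": "3",
         "instances": [{"uri": "http://loanapp.example/apply", "param": "amount"}]},
        {"name": "Cross Site Scripting (Reflected)", "riskcode": "3",
         "instances": [{"uri": "http://loanapp.example/search", "param": "q"}]},
        {"name": "X-Content-Type-Options Header Missing", "riskcode": "1",
         "instances": [{"uri": "http://loanapp.example/", "param": ""}]},
    ]}]})

# Constructed CSV export from a second scanner (hypothetical column layout).
OTHER_CSV = """severity,title,url,parameter
High,SQL Injection,http://loanapp.example/apply,amount
Medium,Cross-Site Request Forgery,http://loanapp.example/apply,
Low,Missing X-Content-Type-Options,http://loanapp.example/,
"""

ZAP_RISK = {"0": "Info", "1": "Low", "2": "Medium", "3": "High"}

# Each scanner names the same bug differently; map titles to one class so
# that matching findings across tools (and against ground truth) works.
CLASS_MAP = {
    "sql injection": "sqli",
    "cross site scripting (reflected)": "xss",
    "cross-site request forgery": "csrf",
    "x-content-type-options header missing": "xcto",
    "missing x-content-type-options": "xcto",
}


def normalize(title):
    return CLASS_MAP.get(title.strip().lower(), title.strip().lower())


def parse_zap(text):
    """Return {(url, param, class): severity} from a ZAP-style JSON report."""
    findings = {}
    for site in json.loads(text)["site"]:
        for alert in site["alerts"]:
            severity = ZAP_RISK[alert["riskcode"]]
            for inst in alert["instances"]:
                key = (inst["uri"], inst.get("param", ""), normalize(alert["name"]))
                findings[key] = severity
    return findings


def parse_csv(text):
    """Return {(url, param, class): severity} from the second scanner's CSV."""
    return {(row["url"], row["parameter"], normalize(row["title"])): row["severity"]
            for row in csv.DictReader(io.StringIO(text))}


def severity_counts(findings):
    """Tally findings per severity: the numbers the detection graphs plot."""
    return Counter(findings.values())


# Constructed ground truth: vulnerabilities confirmed by a manual test.
# The reflected XSS ZAP reports on /search is NOT here (output was encoded,
# so it is a false positive), and the IDOR on /transfer is found by neither
# scanner (a false negative for both).
GROUND_TRUTH = {
    ("http://loanapp.example/apply", "amount", "sqli"),
    ("http://loanapp.example/apply", "", "csrf"),
    ("http://loanapp.example/", "", "xcto"),
    ("http://loanapp.example/transfer", "to", "idor"),
}


def evaluate(keys, truth=GROUND_TRUTH):
    """True positives, false positives and false negatives of a set of finding keys."""
    found = set(keys)
    return {"tp": len(found & truth), "fp": len(found - truth), "fn": len(truth - found)}


def compare(reports):
    """reports: {scanner_name: findings}. Scores each scanner and the union of all."""
    result = {name: evaluate(f) for name, f in reports.items()}
    result["union"] = evaluate(set().union(*(set(f) for f in reports.values())))
    return result


if __name__ == "__main__":
    reports = {"zap": parse_zap(ZAP_REPORT), "other": parse_csv(OTHER_CSV)}
    for name, findings in reports.items():
        print(name, dict(severity_counts(findings)))
    print(json.dumps(compare(reports), indent=2))
```

The union row is the point the conclusion makes: merging the two scanners raises true positives from 2 and 3 to 3, but it also inherits ZAP's false positive, and the IDOR stays a false negative for every automated combination. That residue is what the manual penetration test is there to clear up, and keying findings on (URL, parameter, class) rather than on each tool's own alert title is what makes the overlap measurable in the first place.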