Since programs, from business applications to operating systems involve hundreds, thousands or even millions of manually entered computer instructions, it is highly likely that the programs contain errors that can allow a malicious individual to access and compromise the system. Additionally, when a software product is implemented, it usually must be configured and administered by an authorized system administrator. If the program is configured or administered incorrectly, a malicious individual could exploit that misconfiguration as well.
When a program is implemented, the unit, system and user testing that we do may catch some of these errors, but it probably will not detect them all. Even if the test plan is complete from a program functionality standpoint, there are many attacks that can be executed by someone who has an in-depth knowledge of subtle vulnerabilities that may exist, or who possesses a program that has been programmed to recognize these subtle conditions.
Fortunately, the program logic that is used by malicious hackers to detect program flaws and configuration errors can also be used by us so that we can see what they see, and hopefully address any issues before an attacker realizes the vulnerabilities are there.
Types of vulnerability scanners
System scanners (a.k.a. Network security scanners)
System scanners are designed to detect system configuration and administration issues within commercial software products or “open source” software. The primary conditions that system scanners detect include:
- Unsupported versions of operating systems, database, server and network software, etc.,
- Software for which some system updates or "patches" have not been applied,
- Software that is not configured in a manner consistent with industry “best practices”.
System scanners can be configured to run with or without an administrator’s ID and password defined to it. If it is configured to run without the administrator’s ID and password, the tests will be limited. To perform a more comprehensive test that may include password strength checking, an Administrator’s ID and password should be provided. However, the more comprehensive tests will significantly increase the time necessary for each system to be evaluated.
System scanners are executed on a single workstation that probes each computer in a range of IP addresses for each of the above conditions. System scanner reports provide a high level overview of its findings, a description of each vulnerability found and recommendations for correcting each vulnerability.
Since system scanners can only evaluate software and conditions that have been defined to it by its vendor, you should ask the vendor for a list of supported software products when deciding to purchase a system scanner.
Web application scanners
Web application scanners attempt to find vulnerabilities in a targeted web site’s application program code. It does this by “crawling” the targeted web site, i.e., bringing up page after page by following each of the web site’s links to the next page. If it finds any web page that permits data entry, the scanner enters data into each of the page’s data entry fields to determine if they are subject to known exploits, such as:
- SQL injection, where a user could insert SQL code into a data entry field that is executed by the web application. These could be used to extract, modify and/or destroy information in the database.
- Cross-site scripting, where a user could add web scripting commands to a data entry field that the web application would store in the application database and, when another user requests the compromised data element, his or her computer will execute the web scripting commands.
- Cross-site request forgery, where links on a web page could be modified by a malicious individual to cause a user to execute malicious application transactions under his or her authority by clicking the link.
- Path disclosure, where the web site could be made to display information about the files in the application’s directories.
- Denial of service, where a site could be disabled due to excessive traffic.
- Susceptibility to code execution, elevation of privileges, memory corruption, buffer overflow, etc.
A more in-depth description of the two main web application attacks, SQL injection and cross-site scripting, can be found in the “Building ‘attack-resistant’ application software” web page.
When a web application scanner is run against an application, you must provide the web site’s home address and, if the site is authenticated, a valid user ID and password. Without the user ID and password, the scanner will only be able to evaluate web pages that do not require authentication.
Web application scanning reports provide a high-level overview, a description of each vulnerability found, and ways to correct each vulnerability across a wide variety of programming languages.