
Product Evaluation: Syhunt Sandcat VA Tools

Courtesy of Core Competence, Inc.


Secure web site administration has become increasingly challenging and labor intensive. Web applications are now the preferred vector for attackers for several reasons. Web applications change frequently. Web applications often accommodate access to sensitive information, including e-merchant transactions, credit card, personnel, and medical information databases. Perhaps the most troubling reason is that IT organizations rarely have adequate time to review web application code and server configuration changes before they are put into production. The result is predictable: web sites are vulnerable to unvalidated input parameters, broken access controls, weak authentication, and configurations resulting in unsecured file systems, leaving web sites vulnerable to privilege escalation attacks ("got root?"), cross site scripting and data injection attacks, denial of service attacks, and more.

The Open Web Application Security Project (OWASP) recommends that web application code be part of your security perimeter. I've commented in a LOOP article that "Unless your organization is on the bleeding edge and deploying one of the many forms of application protection, the security measures you apply to your web application code are quite possibly all that stands between your sensitive data and attackers." But many small and medium businesses struggle to staff IT departments and purchase basic security systems, let alone invest in the kinds of application protection and web vulnerability assessment technologies and services large enterprises can afford. Consequently, SMBs are left to protect web applications with whatever tools they can acquire at little or no cost.

Affordable web server vulnerability assessment is a trial and error exercise for SMBs: try what you can afford (typically, free and shareware tools) and hope the tools you find are worth the time and effort. The problem with this approach is that free- and shareware scanners were written as target acquisition tools for attackers. They typically provide little more than an enumeration of possible vulnerabilities, because the attacker expects to apply his own filters and skills in deciding which attack vectors to pursue. These tools rarely provide information that helps the user understand the nature, complexity, and priority of the vulnerability identified. Another problem with such tools is that they are only vulnerability scanners, and scanning is but one aspect of web security assessment. Evaluating web server configurations; identifying what data can be mined from the pages that comprise a web site; and analyzing logs to assess whether the intended web security policy is implemented and enforced properly are equally important tasks. Fewer free- and shareware tools are available to perform these tasks, and accumulating a toolkit is time-consuming.

One modestly priced and nicely featured solution SMBs should consider is Syhunt's Sandcat Suite. This security software suite includes a security hardening tool, a vulnerability scanner, data mining and log analysis tools, and more. Together, they offer the SMB something affordable and admirably functional.

The security hardening tool offers a proactive way to reduce vulnerabilities associated with web server misconfiguration. This tool may help web administrators avoid security incidents that result from the all too common use of default settings in configuration files. The tool analyzes Apache and PHP configuration files and identifies modules that may leak server information (e.g., mod_info.c); modules that are unnecessary and potentially exploitable (e.g., mod_autoindex.c, which enables directory indexing); and modules, like mod_security.c, that could be enabled to help protect web servers against cross site scripting. The HTML report identifies the module in question, provides a brief recommendation, and in some instances refers the administrator to a more definitive source of information about the threat or problem.
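To make the kind of check described above concrete, here is a small configuration audit written for this review as an added example; it is not Syhunt's code and does not reproduce the product's rule set. It scans a constructed Apache httpd.conf fragment for the modules the paragraph names (mod_info, mod_autoindex, the absence of mod_security) plus the banner and Options directives that commonly ship with leaky defaults, and compares a default-looking fragment against a hardened one. The advice strings, the inclusion of mod_status, and both configuration samples are this example's own assumptions.

```python
import re

# Constructed httpd.conf fragment with the kind of defaults a hardening tool
# flags. Not taken from any real server or from Syhunt's product.
SAMPLE_HTTPD_CONF = """\
ServerTokens Full
ServerSignature On
LoadModule info_module modules/mod_info.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule status_module modules/mod_status.so
LoadModule rewrite_module modules/mod_rewrite.so
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
"""

# The same fragment after applying the recommendations (also constructed).
HARDENED_HTTPD_CONF = """\
ServerTokens Prod
ServerSignature Off
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule security2_module modules/mod_security2.so
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
</Directory>
"""

# Modules the review mentions, plus mod_status, which leaks in the same way
# as mod_info. The advice wording is this example's own.
RISKY_MODULES = {
    "mod_info": "exposes server configuration; unload or restrict to admin hosts",
    "mod_status": "exposes runtime details; unload or restrict to admin hosts",
    "mod_autoindex": "serves directory listings; unload or use 'Options -Indexes'",
}
# Protective modules whose absence is worth reporting. Matched by prefix so
# that mod_security2.so (ModSecurity 2) counts as well.
PROTECTIVE_MODULES = {
    "mod_security": "request filtering for XSS and injection; consider enabling",
}

# Captures the module file name (mod_xxx) from a LoadModule line.
LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+\S+\s+(?:\S*/)?(mod_\w+)\.so", re.M)


def audit_apache_config(text):
    """Return a list of (kind, item, advice) findings for one config text."""
    findings = []
    loaded = set(LOADMODULE_RE.findall(text))
    for mod, advice in RISKY_MODULES.items():
        if mod in loaded:
            findings.append(("loaded-risky", mod, advice))
    for mod, advice in PROTECTIVE_MODULES.items():
        if not any(m.startswith(mod) for m in loaded):
            findings.append(("missing-protective", mod, advice))
    # Banner directives: anything other than 'Prod' / 'Off' reveals version data.
    if re.search(r"^\s*ServerTokens\s+(?!Prod\b)", text, re.M | re.I):
        findings.append(("directive", "ServerTokens", "set to Prod to hide version details"))
    if re.search(r"^\s*ServerSignature\s+On\b", text, re.M | re.I):
        findings.append(("directive", "ServerSignature", "set to Off"))
    # 'Options Indexes' or '+Indexes' enables listings; '-Indexes' disables them,
    # so the lookbehind rejects a leading '-'.
    if re.search(r"^\s*Options\b[^\n]*(?<![-\w])Indexes\b", text, re.M):
        findings.append(("directive", "Options Indexes", "disable directory listings"))
    return findings


if __name__ == "__main__":
    for cfg in (SAMPLE_HTTPD_CONF, HARDENED_HTTPD_CONF):
        for kind, item, advice in audit_apache_config(cfg) or [("ok", "-", "no findings")]:
            print(f"{kind:18} {item:16} {advice}")
        print()
```

Running the script prints seven findings for the default-style fragment and none for the hardened one. A real hardening tool would also follow Include directives and inspect the PHP ini, which this example deliberately leaves out.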

(Screenshot: Security Hardening Tool)

The vulnerability scanner has a database of over 29,000 security checks and many features I've appreciated on more expensive vulnerability assessment products. The annual subscription entitles you to application and database updates as Syhunt makes them available. Sheer numbers of security checks do not impress me: a single patch or UrlScan filter will block thousands of malicious URLs, and here as elsewhere quantity isn't as important as quality. From my tests, it appears Syhunt's VA Tool covers the same categories of threats as many enterprise-class scanners and many more than most free- and shareware tools.

Several scanning methods and tuning adjustments allow web administrators to perform basic (e.g., SANS Top 20) scans or very aggressive and comprehensive scans that use IDS evasion tactics and include denial of service attacks. Vulnerability details are reported in a window and saved in an HTML or XML report. From the report window, administrators can review the vulnerabilities; experienced administrators can use an Exploit Terminal to replay the exact request, or modify the request to learn how a web server might respond to different input.

The vulnerability report identifies each vulnerability discovered, its location (URL), and a brief explanation of the vulnerability. The report also provides a hyperlink to Common Vulnerability and Exposure (CVE) information about the exposure, if it exists. The reports, while not as comprehensive as those of some enterprise-class products, are better than those of the free- and shareware products. You will get more detailed and customizable reporting from a product like SPI Dynamics' WebInspect, but I think it's fair to say that, in general, the more expensive products offer more reporting features. If you are the type who will follow a hyperlink to the CVE web site and google to learn about a vulnerability or exposure, the reports will suffice. If you want volumes of information easily fetched or referenced from your VA application, you may need to consider a different product.

(Screenshot: Vulnerability Scanner)

The data mining tool maps an entire web site and helps administrators identify pages with information leaks in HTML comments; pages that disclose sensitive files; and pages that use common scripts with known vulnerabilities. The mapping is recursive: if you use a script from another web site (a counter or news feed, for example), the data miner will crawl that site and evaluate the scripts and pages it finds there as well. During one of my mining expeditions, I discovered visitors to the site I scanned could access an etc/password file of a news site through a newsfeed javascript the site provides to web site builders. This test not only illustrates the power of a data mining tool, but also illustrates how the scope of web application security can extend well beyond an SMB's own web site. You may not be accountable for vulnerabilities outside your administrative domain, but who wants to run a script that can abet an attack on another site?
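The two things the data miner looks for that are easiest to reproduce are leaky HTML comments and scripts pulled in from other hosts. The scanner below is an added example written for this review, not Syhunt's code: it parses a constructed page with Python's standard html.parser, flags comments that match a few leak patterns (credentials, developer notes, private addresses, hidden paths), and lists every script whose source lives on a different host than the page, which is the dependency a recursive crawl would then follow. The sample page, the pattern list and the labels are this example's assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page for a fictitious site; the comments are deliberately the
# kind that slip into production from staging and templates.
SAMPLE_PAGE = """\
<html><head>
<!-- Generated by SiteBuilder 2.1; staging copy on 192.168.10.7 -->
<script src="/js/app.js"></script>
<script src="http://news.example.net/feed/ticker.js"></script>
</head><body>
<!-- TODO: remove old admin console at /admin-old/ before launch -->
<!-- db: host=db1 user=webapp password=ch4ngeme -->
<p>Welcome</p>
<!-- footer -->
</body></html>
"""

# Leak patterns (example's own list); each comment can match several labels.
SENSITIVE = [
    ("credential", re.compile(r"pass(word|wd)?\s*[=:]", re.I)),
    ("todo-note", re.compile(r"\b(TODO|FIXME|XXX)\b")),
    ("private-ip", re.compile(
        r"\b(10\.\d+\.\d+\.\d+|192\.168\.\d+\.\d+|172\.(1[6-9]|2\d|3[01])\.\d+\.\d+)\b")),
    ("hidden-path", re.compile(r"/(admin|backup|old|test)\b", re.I)),
]


class LeakScanner(HTMLParser):
    """Collects suspicious comments and third-party script sources."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.comment_findings = []   # (label, comment text)
        self.external_scripts = []   # script src values on other hosts

    def handle_comment(self, data):
        text = " ".join(data.split())  # normalise whitespace for reporting
        for label, rx in SENSITIVE:
            if rx.search(text):
                self.comment_findings.append((label, text))

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if not src:
            return
        host = urlparse(src).netloc
        # Relative paths have no host and belong to this site; anything else
        # is a dependency the recursive crawl would have to evaluate too.
        if host and host.lower() != self.page_host.lower():
            self.external_scripts.append(src)


def scan_page(html, page_host):
    """Return (comment_findings, external_scripts) for one page's HTML."""
    scanner = LeakScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.comment_findings, scanner.external_scripts


if __name__ == "__main__":
    findings, external = scan_page(SAMPLE_PAGE, "www.example.com")
    for label, text in findings:
        print(f"[{label}] {text}")
    for src in external:
        print(f"[external-script] {src}")
```

A crawler built on this would fetch each external script host and run the same scanner over what it finds; the point of the paragraph is that such hosts become part of your exposure whether or not they are yours to fix.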

Many web log analysis tools will generate reports that provide a statistical breakdown of traffic: e.g., number of requests per time period, page popularity ranking, referring links (good and broken), etc. Sandcat Suite's log analyzer tool examines web log entries, identifies requests that were potential attacks, and, most importantly, indicates whether the request was successful. In this sample, we see requests representing possible attacks and their sources extrapolated from an Apache web log. In a second example, the tool helps confirm that the filters implemented using UrlScan on a Microsoft IIS server are blocking access to sensitive files and command execution; rejecting malformed URLs; and returning appropriate status codes. Note that the analyzer cannot definitively identify a source as an intruder (spiders and bots, for example, may appear to be issuing suspicious requests), but the tool does greatly reduce the time an administrator would have to spend analyzing log files manually. As a strong advocate of logging and log analysis, I find this tool especially helpful and have already used it to correct several minor errors in sites I host.
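The core of what the log analyzer does, as an added example rather than Syhunt's implementation: parse Apache combined-format lines, tag requests that match a few attack signatures of the kinds the review mentions (traversal, sensitive files, command execution, cross-site scripting), and use the status code to say whether the server actually answered the request or the filter rejected it. The log lines, the signature list and the outcome labels are constructed for this example and the addresses are documentation ranges, not real traffic.

```python
import re
from collections import Counter

# Constructed combined-format lines. The third line is an old IIS-style probe
# arriving at an Apache host, which is why it is rejected rather than served.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2003:13:55:36 -0700] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Oct/2003:13:55:40 -0700] "GET /cgi-bin/../../../../etc/passwd HTTP/1.0" 404 209 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Oct/2003:14:02:01 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 0 "-" "-"
198.51.100.7 - - [10/Oct/2003:14:02:05 -0700] "GET /search.php?q=<script>alert(1)</script> HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2003:14:10:00 -0700] "GET /robots.txt HTTP/1.1" 200 68 "-" "Googlebot/2.1"
"""

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Signature list (this example's own); real tools carry thousands of these.
RULES = [
    ("directory-traversal", re.compile(r"\.\./|\.\.%2f|%255c|%5c", re.I)),
    ("sensitive-file", re.compile(r"/etc/passwd|\.htpasswd|web\.config|\.bak\b", re.I)),
    ("command-execution", re.compile(r"cmd\.exe|/bin/sh|/bin/bash", re.I)),
    ("cross-site-scripting", re.compile(r"<script|%3cscript", re.I)),
]


def classify_outcome(status):
    """Translate the status code into what happened to the request."""
    if 200 <= status < 300:
        return "succeeded"       # server answered; the payload reached the app
    if 300 <= status < 400:
        return "redirected"
    if status in (401, 403):
        return "blocked"         # a filter such as UrlScan or an ACL refused it
    if status == 404:
        return "not found"       # harmless here, but shows what was probed for
    if status >= 500:
        return "server error"    # worth a closer look: the app may have choked
    return "other"


def analyze_log(text):
    """Return one dict per suspicious request, in log order."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; a real tool would report this
        path = m.group("path")
        tags = [name for name, rx in RULES if rx.search(path)]
        if not tags:
            continue
        status = int(m.group("status"))
        hits.append({
            "ip": m.group("ip"),
            "path": path,
            "status": status,
            "tags": tags,
            "outcome": classify_outcome(status),
            # Crawlers do issue odd-looking requests, so the user agent is
            # kept for the human who has to decide whether a source is hostile.
            "ua": m.group("ua") or "-",
        })
    return hits


def summarize_sources(hits):
    """Count suspicious requests per source address."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    hits = analyze_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ip']:14} {h['status']} {h['outcome']:11} {','.join(h['tags']):40} {h['path']}")
    print(summarize_sources(hits))
```

The "succeeded" line is the one that deserves attention: a 404 or 403 on a traversal attempt tells you the filter or the file system did its job, while a 200 on the script-injection request means the application accepted the input and the page should be checked.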

No tool is perfect, and none will satisfy every need of every administrator. One of the difficult aspects of evaluating VA products and services is that no two products offer the same suite of functions and features. Some provide risk management to help organizations prioritize vulnerabilities based on asset value. Others integrate patch management processes alongside vulnerability assessment. Some drill well beyond vulnerability identification and pursue the course an attacker might take given the information gathered during a scan. Ultimately, each organization has to judge how it can derive the most from an investment in web vulnerability assessment. For organizations with modest budgets, Syhunt's Sandcat Suite offers an affordable set of applications that can satisfy many SMB web application security assessment needs. Single server annual subscriptions begin at under $300.00 US. Perpetual and unlimited host licenses are similarly modestly priced. These applications can serve as educational as well as administrative aids, and are valuable complements to any practitioner's or consultant's security toolkit.