Sneak Preview
WebInspect Detects Site Defects

  March 21, 2003
  By Mike DeMaria



Keeping your Web servers up to date with the latest patches is vital to your network security, especially as attackers become more adept at using Web applications to breach Web sites. SPI Dynamics' WebInspect is a plug-and-play Web site vulnerability tool designed to discover potential site problems.

WebInspect 2.8 manipulates forms and checks for hidden parameters being passed between pages, investigates and tests the code coming from the client side, and tests for database errors. It can identify and test all the forms on a site just by looking at the HTML, and it identifies applications by signature or file name. Finally, WebInspect not only scans for vulnerabilities, such as known buffer-overflow exploits, it also inspects client-side scripts for potential bugs and security problems, such as SQL injections.


Scanning Options

WebInspect lets you run a safe scan, a full scan or an assault scan. The safe scan checks for database errors and other nonthreatening problems, and performs attacks that aren't likely to cause your server to crash. The full scan includes some attacks that may cause a crash. The assault scan shoots off attacks that can cause a DoS (denial of service) failure--not a good idea if you can't afford the downtime. You can customize the tests and view every test being performed for each scan. Or you can write your own attacks.

I installed WebInspect on a Microsoft Windows 2000 workstation--no agents or additional software needed. I ran a full scan against five production Web servers that are part of our Syracuse University Real-World Labs®, four running Microsoft IIS and one running Apache. I also ran an assault scan on a test machine.

No matter which scan you run, the software crawls through the site first, indexing every page and directory. I scanned relatively small sites and each scan took at least an hour. WebInspect then examined each directory, looking for problematic files, such as email_list.txt, old versions of applications and backup files.

Good
• Discovers coding bugs
• Provides excellent report information
• Easy to use

Bad
• Full scan takes a long time to complete
• License is hard-coded to test Web server IP address

Vendor Info
WebInspect starts at $4,995. SPI Dynamics, (866) 774-2700, (678) 781-4800. www.spidynamics.com


With an attack scan, WebInspect does a combination of Web server testing and client-side script inspection. In my tests, it discovered the test systems all had unpatched buffer-overflow vulnerabilities. It also found bugs in several Web applications, including Microsoft FrontPage. The software tests parameter manipulation, cross-site scripting and pages or parameters that produce database error messages. It does not check or inspect any code or scripts on the server that aren't accessible by a Web user.

Problem Solved

In the full scan I ran against a site that used a SQL database, WebInspect looked at the parameters in a Web form. It then manipulated them and performed a SQL command injection, where client-supplied data makes its way into an SQL query string. The site had a bug that would let an attacker perform session hijacking with a hidden user ID parameter being passed in the form. A few minutes after the Webmaster's coders saw the report, they were able to issue a fix with a single line of JavaScript. The report helped the coders understand the problem--an improper parameter verification--so they could devise a solution.
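As an added illustration (not code from the review or from SPI Dynamics), this Python sketch shows the shape of the bug the report describes, using an in-memory SQLite table as a stand-in for the site's database: one handler trusts a hidden user_id form field and splices it into the SQL text, the other takes identity from the server-side session and binds the query parameter. The field names, sample rows and response dictionaries are constructed for the example.

```python
import sqlite3

def make_db():
    """Constructed sample data standing in for the reviewed site's database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, email TEXT);
        INSERT INTO users VALUES (1, 'alice', 'alice@example.org');
        INSERT INTO users VALUES (2, 'bob',   'bob@example.org');
    """)
    return db

def profile_vulnerable(db, form):
    """Trusts the hidden user_id field and concatenates it into the SQL string.
    A tampered field selects another user's row (the session-hijacking bug the
    report flagged), and a malformed one surfaces a raw database error, which
    is exactly the kind of response a scanner's database-error test looks for."""
    sql = "SELECT name, email FROM users WHERE id = " + form.get("user_id", "")
    try:
        return {"status": 200, "rows": db.execute(sql).fetchall()}
    except sqlite3.Error as e:
        return {"status": 500, "error": str(e)}   # error text leaked to the client

def profile_fixed(db, session, form):
    """Identity comes from the server-side session, never from the form; the
    value is still bound as a query parameter rather than spliced into SQL."""
    user_id = session.get("user_id")
    if user_id is None:
        return {"status": 401, "rows": []}        # no authenticated session
    submitted = form.get("user_id")
    if submitted is not None and submitted != str(user_id):
        return {"status": 403, "rows": []}        # hidden field was tampered with
    rows = db.execute("SELECT name, email FROM users WHERE id = ?", (user_id,)).fetchall()
    return {"status": 200, "rows": rows}
```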



Figure: WebInspect Test Bed

I ran the assault scan on an unpatched default IIS server installation. You can see a report from the assault test here. It shows the output of the assault scan, including a detailed description of the vulnerability and how to patch it. Among other things, WebInspect found an Internet Printing Protocol buffer overflow. The report included a link to source code of a program that could execute this attack, and the original Microsoft and eEye advisory pages. The report also showed every e-mail address found (spam address harvesting), hidden pages and fields, comments in the code, forms and JavaScripts on the page.

WebInspect's advanced features include support for basic and NTLM authentication and tools to encode or decode hex, Unicode, Base64 and MD5.

Michael J. DeMaria is an associate technology editor based at Network Computing's Syracuse University's Real-World Labs®. Write to him at mdemaria@nwc.com.
