How Web Application Scanners Work:
Interaction between a web client and a web server is deceptively simple. There are a small number of commands that a web server will respond to, each taking some data from the client to better describe what the client wants. Generally speaking, a web client sends a GET to a server requesting some resource, and the server replies with the appropriate information. Alternatively, the client can PUT some information to the server for processing and receive a reply in return.
Most web scanners rely on a constantly growing database of known exploits. This database contains all the information required to check a web server for a vulnerability, including paths, file names, mechanisms for modifying URLs, and expected responses for each.
Below is a description of the mechanisms used by a scanner to learn as much as possible about the targeted web server.
Web application vulnerability scanners do not rely as heavily on known exploits to attack a web application; rather, they rapidly execute a number of invalid input attacks on the remote server. An invalid input attack consists of the following types:
Impersonating a Web Browser
The most common and easiest way to create a scanner is to impersonate a web browser. This application can quickly scan for many different vulnerability types on the HTTP port by sending a request packet to the server and interpreting the response. A good scanner will recognize when it is possible to send parameterized data in the packet and will generate specific tests to cover this functionality. This type of scan is commonly called a challenge-response scan, because the scanner sends a challenge and waits to see the response. This type of scan often returns false positives when the server returns an unexpected error message. More advanced scanners will recognize all possible error responses and therefore greatly reduce their false positives.
Some web applications do not handle less common web browsers properly, and the browser-specific web page might be less secure than the well-tested version for the common browser.
Web-form Input
Web vulnerability scanners can scan for many different types of vulnerabilities through the input boxes on forms contained within the web application. For more information on exploitable web-form input, see the Web Application Vulnerability Scanners Section.
Scanning for Vulnerable Scripts and Executables
A vulnerability scanner simply checks for the existence of a known vulnerable script by sending an HTTP request to the script's location. If the server returns anything but a standard 404 File Not Found error, the scanner will report the server to be vulnerable. Some scanners use other methods to report fewer false positives.
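The following added example (not from the original page or any particular scanner) compares the "anything but 404" rule with one way to reduce its false positives: comparing each response against the server's answer to a path that cannot exist. The class and function names, the paths, and the sample responses are all constructed for illustration, and nothing is sent over the network.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Response:
    path: str
    status: int
    body: str

def fingerprint(resp):
    """Hash the body after removing the echoed path and collapsing whitespace."""
    text = resp.body.replace(resp.path, "{PATH}")
    text = " ".join(text.split()).lower()
    return hashlib.sha256(text.encode()).hexdigest()

def naive_verdict(resp):
    """Rule described in the text: anything but a 404 is reported."""
    return resp.status != 404

def baseline_verdict(resp, baseline):
    """Report only a 200 whose body differs from the 'missing page' baseline."""
    if resp.status != 200:
        return False  # 3xx/401/403/5xx do not show the script is reachable
    if baseline.status == 200 and fingerprint(resp) == fingerprint(baseline):
        return False  # soft 404: same error page served with status 200
    return True

def compare(samples, baseline):
    """Return (path, naive, baseline-aware) for each response."""
    return [(r.path, naive_verdict(r), baseline_verdict(r, baseline)) for r in samples]

# Constructed sample data; nothing here touches the network.
ERROR_PAGE = "<html><h1>Sorry</h1>\n<p>We could not find {p}</p></html>"
def soft404(path):
    return Response(path, 200, ERROR_PAGE.format(p=path))

BASELINE = soft404("/zz-7f3a91-does-not-exist.cgi")  # random, surely absent path
SAMPLES = [
    soft404("/cgi-bin/example-a.cgi"),
    Response("/cgi-bin/example-b.cgi", 403, "Forbidden"),
    Response("/cgi-bin/example-c.cgi", 302, ""),
    Response("/cgi-bin/example-d.cgi", 200, "<html>guestbook entry saved</html>"),
    Response("/cgi-bin/example-e.cgi", 404, "Not Found"),
]

if __name__ == "__main__":
    for path, naive, aware in compare(SAMPLES, BASELINE):
        print(f"{path:26} naive={naive!s:5} baseline-aware={aware}")
```

When reviewing a scanner report, findings that rest only on a non-404 status are the ones to re-check by hand first.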
Provided by: Security Innovation, The Application Security Company


