Educause Security Discussion mailing list archives
Re: External link checks
From: "Jenkins, Matthew" <matthew.jenkins () FAIRMONTSTATE EDU>
Date: Wed, 9 Apr 2008 10:45:29 -0400
Thanks everyone for the ideas. The AppScan and WebInspect products look like they would be great to have for internal security testing; however, I am not sure they would test for security issues outside of the organization that would affect the end user's workstation. They appear to be more geared towards finding holes in the web apps themselves. Let me know if I am wrong on that.

I had thought about using wget to fetch things, and then run it through an AV such as Sophos and/or an IPS such as Snort. As well, I suppose custom scripts could be written to somewhat check for content we may want to be aware of.

The two concerns I see with pages hosted directly on our *.edu servers are direct links to pages that would contain malware that could harm an end-user's computer and direct links to pages containing inappropriate content (pornography, racial slurs, phishing, etc.). User pages are a different story as that does get into the grey legal area that brings headaches to us all. My target focus is institutional webpages (offices, departments, clubs, etc.) that contain links to external sites.

Obviously there isn't any way to control what is linked from pages directly linked from our webpages. For example, on a student organization's page at www.school.edu/stuorg/related.html a link is made to www.relatedorg.org/bulletinboard.php which links to www.someotherorg.org/comments.html. There is no control over the link to someotherorg.org; however, if the page at relatedorg.org becomes compromised and ends up with a security threat or inappropriate content then we can remove the link off of our servers to the relatedorg.org page.
Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
Visit us online at www.fairmontstate.edu <http://www.fairmontstate.edu/>

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Alex
Sent: Monday, April 07, 2008 4:42 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] External link checks

Matthew:

Most of the web-based assessment tools would support creating custom checks for assessment. I checked, and both IBM AppScan and HP WebInspect would allow for what you described. You could also look at general/OS assessment tools like Nessus, which one could write a script for to perform some type of a check.

I can see how the checks would be useful. Many times, the content has been posted without authorization on some of these types of sites.

Sincerely,
Alex Everett, CISSP
University of North Carolina

________________________________

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jenkins, Matthew
Sent: Monday, April 07, 2008 2:27 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] External link checks

Does anyone know of a tool that would scan a website for external links, and then check each of those links to a specified depth for specific content?

Example use: Someone has a weblink on the organization's website. The page the weblink points at is compromised and malware, inappropriate content, etc. are placed on the site. If there was a tool to scan the external links to check content, this would be caught and an administrator noticed so the link could be removed from the organization's website.

Thanks all,
Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
Visit us online at www.fairmontstate.edu <http://www.fairmontstate.edu/>
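
A sketch of the depth-limited external link check asked about in this thread, added here as an example and not posted by any of the participants. It uses the hostnames from the www.school.edu example above; the page bodies, the single content rule, and the names `check_external_links`, `PAGES` and `RULES` are constructed for illustration, and a dictionary lookup stands in for the wget fetch and the AV/IPS pass.

```python
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
import re

# Constructed sample pages standing in for fetched content (URL -> HTML).
PAGES = {
    "http://www.school.edu/stuorg/related.html":
        '<a href="/stuorg/about.html">About</a>'
        '<a href="http://www.relatedorg.org/bulletinboard.php">Board</a>',
    "http://www.relatedorg.org/bulletinboard.php":
        '<a href="http://www.someotherorg.org/comments.html">Comments</a>',
    "http://www.someotherorg.org/comments.html":
        "<p>Verify your account password here</p>",
}
# Hypothetical content rule; a real deployment would hand bodies to AV/IDS.
RULES = {"phishing": re.compile(r"verify your account password", re.I)}

class LinkParser(HTMLParser):
    """Collects href values from anchor tags."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]

def check_external_links(start, own_host, max_depth, fetch=PAGES.get):
    """Return findings as (link on our page, flagged URL, rule, depth)."""
    parser = LinkParser()
    parser.feed(fetch(start) or "")
    queue = deque()
    for href in parser.links:
        url = urljoin(start, href)
        if urlparse(url).hostname != own_host:  # only links leaving our server
            queue.append((url, url, 1))  # (our link, current page, depth)
    seen, findings = set(), []
    while queue:
        origin, url, depth = queue.popleft()
        if (origin, url) in seen:
            continue
        seen.add((origin, url))
        body = fetch(url) or ""  # unreachable pages are treated as empty
        findings += [(origin, url, name, depth)
                     for name, rx in RULES.items() if rx.search(body)]
        if depth < max_depth:
            p = LinkParser()
            p.feed(body)
            queue.extend((origin, urljoin(url, h), depth + 1) for h in p.links)
    return findings
```

Each finding carries the link that sits on the institution's own page, which is the only thing an administrator can remove, alongside the downstream URL that matched.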