Educause Security Discussion mailing list archives

Re: web application scanning


From: Seth Hall <seth () ICIR ORG>
Date: Tue, 7 Feb 2012 15:21:18 -0500

On Feb 7, 2012, at 2:44 PM, Michael Sheinberg wrote:

> Does anyone here have any recommendations for tools (preferably
> open-source) that will scan web-servers for vulnerable application
> frameworks + plug-ins?

We've been seeing people have great success with Bro-IDS by monitoring their network traffic.  Bro 2.0 ships with a 
script that does web application detection too.  I wouldn't have terribly high hopes at large-ish universities of 
actually *finding* most of the applications on the network by scanning.

At OSU (Ohio) I used Bro to detect SQL injection attacks with the idea that what the attackers attacked was most 
important.  It turns out that you have attackers hitting SQL injection vulnerabilities on your sites all the time.  It 
ended up changing the way I approached web application scanning because there were so many actively attacked sites that 
I rarely had to go and find sites to test.

There are some other universities taking this approach now and it seems to be fairly successful for networks with large 
numbers of non-centrally controlled web sites.  I view out-of-date open source web applications as a fairly similar 
situation where *finding* them is a surprisingly large part of the problem and just discovering them makes it possible 
to clean up the whole network.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
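As an added illustration of the triage approach described in the reply above (find the sites attackers are already 
probing, then test those first), the script below scans a Bro/Zeek http.log for SQL-injection-looking request URIs and 
ranks the targeted sites by hit count and number of distinct sources. It is an example written for this archive page, 
not Bro's shipped detect-sqli script and not code from anyone in the thread; the regexes, the reduced set of http.log 
columns and the sample log lines are assumptions constructed for the example.

```python
"""Triage a Bro/Zeek http.log for SQL-injection probes and rank the sites they hit.

Added example (assumption throughout): not Bro's own detect-sqli script. The
patterns, the column subset and the sample lines are constructed for this demo.
"""
import re
import sys
from collections import defaultdict
from urllib.parse import unquote_plus

# Signatures of common SQLi probes in request URIs. Chosen for this example
# (assumption), not the regex Bro ships; tune before relying on them.
SQLI_PATTERNS = [
    re.compile(r"(?i)\bunion\b[\s/*]+(?:all\s+)?select\b"),                    # UNION SELECT
    re.compile(r"(?i)['\"]\s*(?:or|and)\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+"),   # ' or 1=1
    re.compile(r"(?i);\s*(?:drop|insert|update|delete|exec)\b"),             # stacked query
    re.compile(r"(?i)\b(?:sleep|benchmark|pg_sleep)\s*\("),                   # time-based blind
    re.compile(r"(?i)\bwaitfor\s+delay\b"),                                   # MSSQL delay
    re.compile(r"(?i)\b(?:information_schema|sysobjects)\b"),                 # schema enumeration
    re.compile(r"'\s*(?:--|#|/\*)"),                                          # quote then comment
]

# Constructed sample in Bro's tab-separated ASCII format, with only the
# columns this script needs. Addresses are documentation ranges (RFC 5737).
SAMPLE_HTTP_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\tstatus_code",
    "1328644878.1\tCXWv6p3arKYeMETxOg\t203.0.113.5\t51234\t192.0.2.10\t80\tGET\twww.example.edu\t/news.php?id=1%27%20or%201%3D1--\t200",
    "1328644879.2\tCjhGID4nQcgTWjvg4c\t203.0.113.5\t51235\t192.0.2.10\t80\tGET\twww.example.edu\t/news.php?id=1%20UNION%20ALL%20SELECT%20user%2Cpassword%20FROM%20users\t200",
    "1328644901.5\tC4J4Th3PJpwUYZZ6gc\t198.51.100.7\t44000\t192.0.2.10\t80\tGET\twww.example.edu\t/news.php?id=1%2520AND%2520SLEEP(5)\t200",
    "1328644910.0\tCmES5u32sYpV7JYN\t203.0.113.5\t51240\t192.0.2.20\t80\tGET\tlab.example.edu\t/wp-login.php\t200",
    "1328644915.3\tCeHcUx4hh8QbwQzdJh\t198.51.100.7\t44001\t192.0.2.20\t80\tGET\tlab.example.edu\t/index.php?page=%27%20or%20%27a%27%3D%27a\t500",
    "1328644920.7\tCRJuHdVW0XPVINV6a\t192.0.2.33\t38000\t192.0.2.20\t80\tGET\tlab.example.edu\t/search?q=select+the+best+union\t200",
    "1328644930.9\tCPbrpk1qSsw6ESzHV4\t203.0.113.9\t40000\t192.0.2.30\t80\tGET\t-\t/cgi-bin/form.pl?id=5%3B%20DROP%20TABLE%20users\t200",
    "1328644999.0\tCabc\t203.0.113.9\t40000",   # truncated line: must be skipped, not crash
])


def parse_bro_log(text):
    """Parse Bro ASCII log text into dicts keyed by the names in the #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            continue  # malformed row from untrusted traffic: skip, never raise
        records.append(dict(zip(fields, values)))
    return records


def decode_uri(uri, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded probes are not missed."""
    for _ in range(rounds):
        decoded = unquote_plus(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def is_sqli(uri):
    """True if the decoded URI matches any SQLi signature."""
    decoded = decode_uri(uri)
    return any(p.search(decoded) for p in SQLI_PATTERNS)


def attacked_sites(records):
    """Return [(site, sqli_hits, distinct_sources)] sorted by hits desc, then name.

    The site is the Host header when present, else the responding IP, so
    virtual hosts are separated and bare-IP probes still get counted.
    """
    hits, sources = defaultdict(int), defaultdict(set)
    for r in records:
        uri = r.get("uri", "-")
        if uri == "-" or not is_sqli(uri):
            continue
        site = r.get("host") if r.get("host", "-") != "-" else r.get("id.resp_h")
        hits[site] += 1
        sources[site].add(r.get("id.orig_h"))
    return sorted(((s, hits[s], len(sources[s])) for s in hits),
                  key=lambda t: (-t[1], t[0]))


def report(records):
    """Render the ranking as a fixed-width table."""
    lines = [f"{'site':<25} {'sqli_requests':>13}  {'distinct_sources':>16}"]
    for site, n, srcs in attacked_sites(records):
        lines.append(f"{site:<25} {n:>13}  {srcs:>16}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python3 sqli_triage.py [path/to/http.log]; no argument runs the sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if sys.argv[1:] else SAMPLE_HTTP_LOG
    print(report(parse_bro_log(text)))
```

Against the constructed sample, www.example.edu tops the list with three probes from two sources, while the search query 
containing the bare words "select" and "union" is correctly left alone because the signatures require the keywords in 
attack order or a quote character. Keyword-style signatures like these will still produce some false positives on real 
traffic (and miss encoded or novel payloads), so the point is prioritisation of what to test, not a verdict on the site.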

