Educause Security Discussion mailing list archives
Re: web application scanning
From: Seth Hall <seth () ICIR ORG>
Date: Tue, 7 Feb 2012 15:21:18 -0500
On Feb 7, 2012, at 2:44 PM, Michael Sheinberg wrote:
Does anyone here have any recommendations for tools (preferably open-source) that will scan web-servers for vulnerable application frameworks + plug-ins?
We've been seeing people have great success with Bro-IDS by monitoring their network traffic. Bro 2.0 has a script that it ships with that does web application detection too. I wouldn't have terribly high hopes at large-ish universities of actually *finding* most of the applications on the network by scanning.

At OSU (Ohio) I used Bro to detect SQL injection attacks with the idea that what the attackers attacked was most important. It turns out that you have attackers hitting SQL injection vulnerabilities on your sites all the time. It ended up changing the way I approached web application scanning because there were so many actively attacked sites that I rarely had to go and find sites to test. There are some other universities taking this approach now and it seems to be fairly successful for networks with large numbers of non-centrally controlled web sites.

I view out-of-date open source web applications as a fairly similar situation where *finding* them is a surprisingly large part of the problem and just discovering them makes it possible to clean up the whole network.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
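As an added example (this is not code from Seth's message, nor Bro's own detect-sqli or detect-webapps policy scripts), here is the core of the approach he describes in plain Python: parse HTTP request records, flag URIs that look like SQL injection after URL-decoding them (once and twice, since attackers double-encode), and rank the targeted hosts so the most-attacked sites get tested first. A tiny passive fingerprint of the web application behind a URI stands in for what Bro's web application detection does. The log lines are constructed, and the six-column tab-separated layout is an assumption of this example, not Bro's real http.log schema.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Simplified, tab-separated HTTP log layout assumed by this example
# (a subset of the kind of fields Bro's http.log carries; not its real schema).
FIELDS = ("ts", "orig_h", "resp_h", "host", "method", "uri")

# Constructed sample traffic: one source (198.51.100.9) probing two sites.
SAMPLE_LOG = "\n".join([
    "#fields\tts\tid.orig_h\tid.resp_h\thost\tmethod\turi",
    "1328637000.1\t203.0.113.7\t192.0.2.10\twww.example.edu\tGET\t/index.php?page=1",
    "1328637001.2\t198.51.100.9\t192.0.2.10\twww.example.edu\tGET\t/news.php?id=7",
    "1328637002.3\t198.51.100.9\t192.0.2.10\twww.example.edu\tGET\t/news.php?id=7%27%20OR%20%271%27%3D%271",
    "1328637003.4\t198.51.100.9\t192.0.2.10\twww.example.edu\tGET\t/news.php?id=7%20UNION%20SELECT%20user%2Cpassword%20FROM%20users--",
    "1328637004.5\t198.51.100.9\t192.0.2.11\tlab.example.edu\tGET\t/show.php?id=3%20AND%20SLEEP(5)",
    "1328637005.6\t203.0.113.7\t192.0.2.12\tdept.example.edu\tGET\t/wp-login.php",
    # double URL-encoded: %2527 -> %27 -> '   (only visible after two decodes)
    "1328637006.7\t198.51.100.9\t192.0.2.10\twww.example.edu\tGET\t/news.php?id=%2527%2520OR%25201%253D1--",
])

# Deliberately loose SQL-injection indicators for a decoded query string.
# Loose is fine here: the output is a list of sites to go test by hand,
# not a blocking decision.
SQLI_RE = re.compile(
    r"'\s*(or|and)\s+[\w'\"]+\s*=\s*[\w'\"]+"     # ' OR '1'='1  /  ' or 1=1
    r"|\bunion(\s+all)?\s+select\b"               # UNION SELECT ...
    r"|;\s*(drop|alter|exec|shutdown|waitfor)\b"  # stacked statement
    r"|\b(sleep|benchmark|pg_sleep)\s*\(",        # time-based blind probes
    re.IGNORECASE,
)

# Passive fingerprints of common apps by the URIs they serve
# (illustrative subset, assumed for this example).
APP_SIGNATURES = {
    "WordPress": re.compile(r"^/(wp-login\.php|wp-admin/|wp-content/)", re.I),
    "Joomla": re.compile(r"^/administrator/index\.php", re.I),
    "phpMyAdmin": re.compile(r"^/phpmyadmin/", re.I),
}


def parse_http_log(text):
    """Yield one dict per data line; skip '#' header/meta lines and malformed rows."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) == len(FIELDS):
            yield dict(zip(FIELDS, parts))


def looks_like_sqli(uri):
    """Decode the URI once and twice and match on either, so %2527 is not missed."""
    once = unquote_plus(uri)
    twice = unquote_plus(once)
    return bool(SQLI_RE.search(once) or SQLI_RE.search(twice))


def sqli_summary(records):
    """Count SQLi-looking requests per attacked host and per source address."""
    per_host, per_source = Counter(), Counter()
    for r in records:
        if looks_like_sqli(r["uri"]):
            per_host[r["host"]] += 1
            per_source[r["orig_h"]] += 1
    return per_host, per_source


def sites_to_test_first(records, min_hits=2):
    """Hosts with at least min_hits injection attempts, most attacked first."""
    per_host, _ = sqli_summary(records)
    return [host for host, n in per_host.most_common() if n >= min_hits]


def seen_webapps(records):
    """Map host -> set of application names fingerprinted from request URIs."""
    apps = {}
    for r in records:
        for name, sig in APP_SIGNATURES.items():
            if sig.search(r["uri"]):
                apps.setdefault(r["host"], set()).add(name)
    return apps


if __name__ == "__main__":
    recs = list(parse_http_log(SAMPLE_LOG))
    hosts, sources = sqli_summary(recs)
    print("attacked hosts:", dict(hosts))
    print("attacking sources:", dict(sources))
    print("test first:", sites_to_test_first(recs))
    print("web apps seen:", seen_webapps(recs))
```

On a real deployment the input would be Bro's http.log with its full column set, and the per-source count would be kept over a sliding time window rather than for the whole file, so a single scanner sweeping the campus does not dominate the ranking forever; the point that survives either way is that the attacked hosts, not a crawl of the address space, tell you where to test first.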