Apache Security - Ivan Ristic [207]
Nessus relies heavily on its plug-in architecture. Plug-ins can be written in C, or in its custom NASL (short for Nessus Attack Scripting Language). A GUI-based client is available for Nessus (NessusWX, http://nessuswx.nessus.org), which makes it a bit easier to use. This client is shown in Figure A-8.
Figure A-8. Nessus, the open source vulnerability scanner
The problem with Nessus (from our web security point of view) is that it is designed as a generic security scanner, but the test categorization does not allow us to turn off the tests that are not web-related.
Web Application Security Tools
Web security tools provide four types of functionality, and there is a growing trend to integrate all the types into a single package. The four different types are:
Scanners
Execute a predetermined set of requests, analyzing responses to detect configuration errors and known vulnerabilities. They can discover vulnerabilities in custom applications by mutating request parameters.
Crawlers
Map the web site and analyze the source code of every response to discover "invisible" information: links, email addresses, comments, hidden form fields, etc.
Assessment proxies
Standing in the middle, between a browser and the target, assessment proxies record the information that passes by, and allow requests to be modified on the fly.
Utilities
Utilities used for brute-force password attacks, DoS attacks, encoding and decoding of data.
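As an added example (not code from the book or from any of the tools named here), the per-response analysis a crawler performs, in Python: it pulls links, HTML comments, hidden form fields and e-mail addresses out of a constructed sample page, which is also the check a site owner can run over their own pages to catch information that should not have been published.

```python
import re
from html.parser import HTMLParser

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


class ResponseAnalyzer(HTMLParser):
    """Collects the 'invisible' information a crawler records for one response."""

    def __init__(self):
        super().__init__()
        self.links = []          # href/src/action targets, fed back into the crawl queue
        self.comments = []       # HTML comments, often developer notes left in production
        self.hidden_fields = []  # (name, value) of <input type="hidden">
        self.emails = set()      # addresses found in text nodes and comments

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for key in ("href", "src", "action"):
            if a.get(key):
                self.links.append(a[key])
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden_fields.append((a.get("name") or "", a.get("value") or ""))

    def handle_comment(self, data):
        self.comments.append(data.strip())
        self.emails.update(EMAIL_RE.findall(data))

    def handle_data(self, data):
        self.emails.update(EMAIL_RE.findall(data))


def analyze_response(body):
    """Parse one HTML response body and return what a crawler would note about it."""
    p = ResponseAnalyzer()
    p.feed(body)
    p.close()
    return {"links": p.links, "comments": p.comments,
            "hidden_fields": p.hidden_fields, "emails": sorted(p.emails)}


# Constructed sample response; no real site, paths or addresses are involved.
SAMPLE = """<html><body>
<!-- TODO: remove debug page /admin/debug.php before release -->
<a href="/login">Login</a> <img src="/img/logo.png">
<form action="/cart/update" method="post">
  <input type="hidden" name="price" value="9.99">
  <input type="text" name="qty">
</form>
<p>Contact: webmaster@example.com</p>
</body></html>"""

if __name__ == "__main__":
    for key, found in analyze_response(SAMPLE).items():
        print(key, found)
```

The hidden `price` field is the kind of finding that matters: a value the server trusts but the client controls.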
Many free (and some open source) web security tools are available:
Paros (http://www.parosproxy.org)
Burp proxy (http://www.portswigger.net/proxy/)
Brutus (password cracker; http://www.hoobie.net/brutus/)
Burp spider (http://portswigger.net/spider/)
Sock (http://portswigger.net/sock/)
WebScarab (http://www.owasp.org/software/webscarab.html)
These tools are rich in functionality but lacking in documentation and quality control. Some functions in their user interfaces can be less than obvious (this is not to say commercial tools are always user friendly), so expect to spend some time figuring out how they work. The trend is to use Java on the client side, making the tools work on most desktop platforms.
Paros and WebScarab compete for the title of the most useful and complete free tool. The Burp tools show potential, but lack integration and polish.
Paros
Paros (see Figure A-9) will probably fill most of your web security assessment needs. It can be used to do the following:
Work as a proxy with support for HTTP and HTTPS
Crawl the site to discover links
Visualize the application
Intercept (and optionally modify) requests and responses
Run filters on requests and responses
Examine recorded traffic
Perform automated tests on dynamic pages
Figure A-9. Paros allows for web site visualization
Commercial Web Security Tools
If you are more interested in commercial tools than in open source ones, many are available. Categorizing them is sometimes difficult because they often include all features of interest to web security professionals in one single package. Most tools are a combination of scanner and proxy, with a bunch of utilities thrown in. So, unlike the open source tools where you have to use many applications from different authors, with a commercial tool you are likely to find all you need in one place. Commercial web security tools offer many benefits:
Integration
You get all the tools you need in a single, consistent, often easy-to-use package.
A collection of base signatures
Base signatures cover common configuration problems and web security vulnerabilities. These signatures can be very important if you are just starting to do web security and you do not know where