Failproof website security audit with ESDS VTMScan
Website security
ESDS VTMScan is a web application security scanner having the ability to detect weakness of website’s code, errors and ?nd vulnerabilities which may lead to website’s data problem and security issues. In other words, it is a program which communicates with a web application through the web front-end in order to identify potential security vulnerabilities in the web application and architectural weaknesses.
ESDS VTMScan Scan OWASP Top 10 vulnerabitlies. The Open Web Application Security Project (OWASP), an online community, produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security.
ESDS VTMScan has various scanning options like SQL, LFI, RFI, XSS, and MALWARE. ESDS VTMScan also keeps an eye on your website’s health by checking if it is black listed on Google, Real Time Black Hole List check (RBL), Cleanmx, Surbl, Mpatrol, Phistank (Phishing website) and generates reports for the same.
ESDS VTMScan has a simple and easy to use scheduler which allows users to schedule a scan on daily, weekly, semi-monthly, monthly, quarterly, semiannually and annually basis with scheduled start time. Also it has a provision to manually scan the website at any desired time.
ESDS VTMScan only scans the website and provides all vulnerability reports with recommended actions to solve or ?x those issues.
ESDS VTMScan Features:
1. Domain reputation in Google, SURBL, Malware Patrol, Clean-Mx, Phishtank:
Check whether a domain is listed with above databases. These databases and organizations stores IP address and domains which are involved in malware, spamming and phishing activities.
2. Mail server IP Check in 58 RBL repositories:
RBL (Real-time Black hole List) or DNSBL (DNS-based Blackhole List) is a list of IP addresses, whose owners refuse to stop the proliferation of spam. The RBL usually lists server IP addresses from ISPs whose customers are responsible for the spam and from ISPs whose servers are hijacked for spam relay.
3. Scan SQL Injections for MySQL, MSSQL, PGSQL, Oracle databases:
It is a trick that exploits poorly filtered or not correctly escaped SQL queries into parsing variable data from user input.
4. Scan Local file injections (LFI):
It injects files on a server through the web browser. This vulnerability occurs when a page is not properly sanitized and allows directory traversal characters to be injected.
5. Scan Remote file inclusion (RFI):
It allows an attacker to include a remote file, usually through a script on the web server. The vulnerability occurs due to the use of user-supplied input without proper validation which can cause code execution on the web server. Code execution on the client-side such as JavaScript can lead to other attacks such as cross site scripting (XSS), DoS, Data Theft etc.
6. Scan XSS – Cross Site Scripting:
- It is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users.
- Detects form on the Webpages and scans for GET and POST requests.
- Currently it scans for reflected XSS and we have future plans for Stored XSS. Stored XSS occurs when a web application gathers input from a user which might be malicious, and then stores that input in a data store for use at some point in the future.
7. Scan Malware:
- Unique feature – Website defacement check: Website defacement is an attack on a website that changes the visual appearance of the site or a webpage.
- Forceful redirect injection test.
- Scans JavaScript code snippets against generic signatures: Checks for critical JavaScript functions like eval, base64_decode, char, etc (checks for Iframes).
- Special algorithm developed to detect JavaScript Obfuscation: Obfuscation used to convert vulnerable codes into unreadable format.
- Third party links check: It checks third party links with reputation databases.
- Malware Monitoring primarily focuses on detection of JavaScript, iFrame & Defaced keywords. JavaScript is scanned for malicious codes. The site is also scanned for deface keywords like- Hacked by etc.
8. Detect and Scan CMS:
- Very few scanners provide this feature.
- Detect WordPress, Joomla, vBulletine, Drupal.
- Scan Themes, Plug-ins, unprotected admin area.
- User enumeration.
- Brut forcing for simple password detection.
- FPD – File Path Disclosure scanning.
- Detects CMS in all directories.
9. Open Port Application Vulnerability detection:
Administrators can use this application to switch repository of the systems and services on their network. An intruder can use banner grabbing in order to find network hosts that are running versions of applications and operating systems with known exploits.
10. Directory Scanning:
The goal of this scan is to order an application to detect a computer file that is not intended to be accessible. This happens due to lack of security for directory access on the web server.
11. Detect open sensitive / admin area of the site:
Scan for sensitive area of the sites which could not be accessible to all. e.g. Admin login pages.
12. Scan for Directory Indexing:
When a user types in a request for a page on a website, the web server processes the request, searches the web document root directory for the default file name, and then sends this page to the user. If the server cannot find the page, it issues a directory listing and sends the output in HTML format to the user.
This action allows the contents of unintended directory listings to be disclosed to the user because of software vulnerabilities that are combined with a specific web request. This information leak can provide an attacker with the information necessary to launch further attacks against the system.
13. Scan Full Path disclosure in the pages:
Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot/file. e.g.: /home/omg/htdocs/file/. Certain vulnerabilities, such as using the load_file () (within a SQL Injection) query to view the page source, require the attacker to have the full path to the file they wish to see.
14. Scan Password auto complete enabled fields:
Many websites have a login form where users provide username and password. The default behavior for browsers is to allow users to store these credentials locally in the browser. Thereby, the next time a similar form appears, the username and password are already populated. With this it’s easy to steal the stored passwords from user’s browser.
15. Information disclosure:
It checks for email address, IP addresses in the page.
16. ViewState decoder:
It detects and tries to decode viewstates.
17. Scan password submission method:
If passwords are submitted from form using plain text, these passwords can be easily captured by sniffer utilities.
18. Authenticated area scanning:
Scan restricted areas like admin panels, supports HTTP and Web-form based authentications.
19. Reports:
User receives scan completion status and reports on email. A user can also check detail reports in user control panel. Users are provided with two types of reports viz. Scan Report & Domain Performance Report. Scan report shows scan details of individual domains like the number of vulnerable links found out of the total number of links. The Domain Performance Report shows several performance metrics of individual domains.
20. Robust Link Crawler:
Crawls links from web pages, robots.txt, iframes, hacker’s favorite search engines, directory indexes and directory traversals.
21. SSL Certificate checking:
Scans a HTTPS service to enumerate what protocols and what ciphers the HTTPS service supports. It checks for weak ciphers and valid period for the certificate.
22. Backdoor WebShell Locater (Client Side – Unique Feature):
- Scans for shells from client’s side for commonly injected locations with their usual file names.
.e.g. http://www.example.com/uploads/cmd99.php
23. WebShell Finder:
- Scans each web page for particular keyword so it is able to detect webshell if renamed to some other name.
e.g. http://www.example.com/uploads/myname.php ( myname.php is webshell )
24. Reverse IP domain check:
- Find out all other domains hosted on the same server (Server on which scanning domain is hosted).
- Check these domains for black list.
25. Deep Application Testing:
In deep application scanning/ testing, the entire website is crawled for URL’s. All the URL’s are completely scanned, except the ones that contain images.
26. OWASP Top 10:
OWASP stands for ‘Open Web Application Security Project’. OWASP releases a list of top 10 vulnerabilities every year. ESDS VTMScan detects each of those vulnerabilities and follows the rules laid out by OWASP.
27. Botnet Monitoring:
Attackers may hide malicious code within JS files. In Botnet Monitoring, these JS files are scanned. ESDS VTMScan also attempts to detect undetectable Java Code.
28. Defaced Keyword Monitoring:
Attackers use different deface keywords while hacking a particular site. These deface keywords can be anything like- Pawned by, Owned by etc. These keywords can be inserted by an attacker anywhere in the site content.
29. Content Change Monitoring:
In Content Change Monitoring, the entire website is monitored for any changes in content. ESDS VTMScan creates a snapshot of the website and if any change in content is found, it is reported along with the percentage of change and the URL where the change were found.
30. Schedule based Scan:
ESDS VTMScan allows users to set scan schedules for their sites on daily, weekly and monthly basis according to their requirements.
31. SSL Check:
In SSL Check, the following areas are checked:
- NULL Cipher used less than 128 bits.
- Domain uses an invalid security certificate.
- Domain uses an expired security certificate.
- Domain uses a security certificate which expires today (EOD).
32. Managed by Security Experts:
ESDS VTMScan has been developed & managed by security experts who have combined experience of over 5 years.
33. ESDS VTM Scanner Dashboard:
ESDS VTMScan dashboard is provided to clients, where they can perform functions like- domain addition, viewing reports etc.
34. Manual Scan:
In Manual Scan, the security experts will manually test your website for vulnerabilities (OWASP Top 10). A manual scan usually takes 4-5 days depending on the size of the site.
35. WAF Detection:
It checks if WAF (Website Application Firewall) exists or not. It’s recommended to have WAF on the webserver to filter malicious traffic on the website.
36. CSRF Detection:
Detects CSRF (Cross Site Request Forgery) in websites. This vulnerability comes with XSS. This vulnerability allows the hacker to transmit malicious commands to execute on other users machine who is browsing the same site.
37. ClickJack Protection Check:
Checks whether page is protected against clickjack. Clickjacking (UI redressing and IFRAME overlay) is an exploit in which malicious code is hidden beneath apparently legitimate buttons or other clickable content on a website.
38. Page Source Scan:
The main purpose is to scan each page and find critical information or malwares on page. Checks for any information leakage or disclosure. Disclosure can be in form of important email id, IP address or robots.txt file. It also checks for shell files, incomplete password fields and file uploads.
39. OS Detection:
Detects web server operating system and version. Lists down all the vulnerabilities present on that particular version of operating system.
40. DNS Misconfiguration:
Tests whether DNS setting has been properly configured or not. Misconfigured DNS may lead to critical information disclosure like lists of subdomain and other important IP Address.
- Failproof website security audit with ESDS VTMScan - March 9, 2018
