Analysis of Four Web vulnerability scanning technologies

Source: Internet
Author: User

The openness of the Web is widely welcomed, but it also exposes Web systems to intrusion attacks. Everyone wants to build a secure Web system; complete security is practically unattainable, but relative security can be achieved, and Web vulnerability scanning is an important part of guaranteeing it.
 
Four Web vulnerability scanning technologies
 
Web vulnerability scanning usually adopts one of two policies: passive or active. A passive policy is host-based: it inspects the host for unsuitable system configuration, weak passwords and other items that conflict with the security rules. An active policy is network-based: it simulates attacks on the system by executing script files and records the system's responses in order to discover vulnerabilities. Passive-policy scanning is called system security scanning, and active-policy scanning is called network security scanning.
 
WTI has the following four detection technologies:
1. Application-based detection technology. It uses a passive, non-destructive method to check the settings of application software packages and detect security vulnerabilities.

2. Host-based detection technology. It uses a passive, non-destructive method to inspect the system, generally covering the system kernel, file attributes, operating system patches and so on. It also includes password cracking to expose simple passwords. This technology can therefore locate system problems accurately and discover system vulnerabilities. Its disadvantage is that it is platform-dependent and complicated to upgrade.

3. Target-based vulnerability detection technology. It uses a passive, non-destructive method to check system and file attributes, such as databases and registry entries. A message digest algorithm is used to compute a checksum for each file. The technique runs in a closed loop: it continually processes files, system targets and their attributes, generates a new checksum, and compares it with the original one. As soon as a change is detected, the administrator is notified.
 
4. Network-based detection technology. It uses an active, non-destructive method to test whether the system could be attacked or crashed. It uses a series of scripts to simulate attacks on the system and then analyzes the results; it also checks for known network vulnerabilities. Network detection technology is often used for penetration tests and security reviews. It can detect vulnerabilities across a range of platforms and is easy to install, but it may affect network performance.
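The closed-loop digest comparison of item 3 (target-based detection), as an added example that is not part of the original article: it takes a baseline of digests and permission bits, re-scans, and reports what an administrator would be notified about. The directory tree, its contents and the tampering are constructed inside the example.

```python
import hashlib
import os
import tempfile

def digest_file(path, algorithm="sha256"):
    """Message digest of one file, read in chunks so large files are fine."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Record digest and permission bits for every file under root."""
    state = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            state[rel] = {"digest": digest_file(full),
                          "mode": os.stat(full).st_mode & 0o777}
    return state

def compare(baseline, current):
    """Diff two snapshots; each finding is one line of the admin notification."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            findings.append(("added", rel))
        elif new is None:
            findings.append(("removed", rel))
        elif old["digest"] != new["digest"]:
            findings.append(("modified", rel))
        elif old["mode"] != new["mode"]:
            findings.append(("mode-changed", rel))
    return findings

def demo():
    """Constructed scenario (assumes a POSIX filesystem): baseline, tamper, re-check."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data, mode=0o644):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
            os.chmod(full, mode)
        write("etc/passwd", b"root:x:0:0::/root:/bin/sh\n")
        write("etc/motd", b"welcome\n")
        write("bin/ls", b"binary")
        write("www/index.html", b"<h1>hi</h1>")
        baseline = snapshot(root)
        write("etc/passwd", b"root:x:0:0::/root:/bin/sh\nsvc:x:1001:1001::/home/svc:/bin/sh\n")
        os.remove(os.path.join(root, "etc/motd"))
        os.chmod(os.path.join(root, "bin/ls"), 0o755)
        write("www/new.cgi", b"#!/bin/sh\n")
        return compare(baseline, snapshot(root))
```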
 
Web vulnerability scan
 
Among the four methods above, WTI is the most suitable for risk assessment of our Web information system. Its scanning and working principle is as follows: it remotely probes the services on the different TCP/IP ports of the target host and records the target's responses. In this way various information about the target host can be collected (for example, whether anonymous logon is enabled, whether there is a writable FTP directory, whether Telnet is enabled, and whether httpd is running as root).
 
After obtaining the target host's TCP/IP ports and the network services behind them, the scanner matches that information against the vulnerability library provided by the network vulnerability scanning system; if the matching conditions are met, the vulnerability is recorded. In addition, probing the target host for exploitable security weaknesses such as weak passwords by simulating hacker attack techniques is another way the scanning module can be implemented: if the simulated attack succeeds, the vulnerability exists.
 
In terms of matching principle, the network vulnerability scanner uses rule-based matching: from security experts' analysis of network system vulnerabilities and hacker attack cases, together with system administrators' practical experience in configuring network security, a standard system vulnerability library is formed, and the program then automatically scans and analyzes system vulnerabilities according to the matching rules.
 
A rule-based system is a matching system built on rules pre-defined by experts. For example, if scanning TCP port 80 finds /cgi-bin/phf or /cgi-bin/Count.cgi, then, based on expert experience and on the way CGI programs are shared and standardized, we can infer that the WWW service has two CGI vulnerabilities. At the same time, it should be noted that rule-based matching systems have their own limitations: because the basic reasoning rules of such a system are arranged and planned around known security vulnerabilities, while many serious threats to network systems come from unknown vulnerabilities, the situation is similar to PC anti-virus software.
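The rule-based matching of the two paragraphs above, as an added example that is not the article's or any real scanner's code: the host record stands for what the service-detection step collected (the anonymous FTP, Telnet, httpd-as-root and CGI items the article names), and each library rule is a predicate over one port's record plus the remediation an administrator would be given. The host record, rule ids and advice text are constructed.

```python
# Vulnerability library: one rule per known weakness, keyed to the port it applies to.
RULES = [
    {"id": "ftp-anon", "port": 21, "severity": "medium",
     "check": lambda s: s.get("service") == "ftp" and s.get("anonymous"),
     "advice": "disable anonymous FTP or confine it to a read-only directory"},
    {"id": "ftp-writable", "port": 21, "severity": "high",
     "check": lambda s: s.get("service") == "ftp" and s.get("writable_dir"),
     "advice": "remove write permission from the anonymous FTP directory"},
    {"id": "telnet-open", "port": 23, "severity": "high",
     "check": lambda s: s.get("service") == "telnet",
     "advice": "replace Telnet with SSH; Telnet sends credentials in cleartext"},
    {"id": "cgi-phf", "port": 80, "severity": "high",
     "check": lambda s: "/cgi-bin/phf" in s.get("paths", []),
     "advice": "remove the phf CGI program"},
    {"id": "cgi-count", "port": 80, "severity": "high",
     "check": lambda s: "/cgi-bin/Count.cgi" in s.get("paths", []),
     "advice": "remove or upgrade Count.cgi"},
    {"id": "httpd-root", "port": 80, "severity": "medium",
     "check": lambda s: s.get("run_as") == "root",
     "advice": "run httpd as an unprivileged user"},
]

def match_rules(host, rules=RULES):
    """Apply every rule whose port was found open; one finding per rule that fires."""
    findings = []
    for rule in rules:
        svc = host["ports"].get(rule["port"])
        if svc is not None and rule["check"](svc):
            findings.append({"id": rule["id"], "port": rule["port"],
                             "severity": rule["severity"], "advice": rule["advice"]})
    return findings

# Constructed record of what service detection collected for one host
# (192.0.2.10 is from the documentation address range, not a real system).
SAMPLE_HOST = {
    "address": "192.0.2.10",
    "ports": {
        21: {"service": "ftp", "anonymous": True, "writable_dir": False},
        23: {"service": "telnet"},
        80: {"service": "http", "run_as": "root",
             "paths": ["/index.html", "/cgi-bin/phf"]},
    },
}

def finding_ids(host=SAMPLE_HOST):
    """Sorted rule ids that fired; the full findings carry severity and advice."""
    return sorted(f["id"] for f in match_rules(host))
```

Anything not encoded as a rule, such as the unknown vulnerabilities the article mentions, is invisible to this engine, which is the limitation the paragraph above describes.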
 
This Web vulnerability scanner is based on the browser/server (B/S) structure and works as follows: after a user issues a scan command through the control platform, the control platform sends a scan request to the scanning module; on receiving the request, the scanning module immediately starts the corresponding sub-function module to scan the target host. By analyzing the information returned by the scanned host, the scanning module returns the scan result to the control platform, which then displays the result to the user.
 
Another scanner structure is the plug-in structure. An external test script can be written for each specific vulnerability. The service-detection plug-in is called to check the services on the different TCP/IP ports of the target host, and the results are saved in an information library; the corresponding plug-in program is then called and sends its constructed data to the remote host, and those detection results are also stored in the information library, where they supply the information other scripts need, which improves detection efficiency. For example, for an FTP service test, the result returned by the service-detection plug-in is consulted first, and the corresponding attack test script for the FTP service is executed only once it is confirmed that the target host has the FTP service enabled.

A scanner using this plug-in structure lets anyone write their own attack test scripts without needing to understand much about the scanner's internals, and the scanner can also serve as a platform for simulating hacker attacks. Scanners with this structure have strong vitality; the well-known Nessus, for example, adopts it. This type of Web vulnerability scanner is based on the client/server (C/S) structure: the client mainly sets scan parameters on the server side and collects scan information, while the actual scanning work is done by the server.
 
Source: infosec
