CISSP Official Study Guide, Eighth Edition
Mike Chapple, James Michael Stewart, Darril Gibson (Sybex, 2018)
Chapter 15: Security Assessment and Testing

Web Vulnerability Scanning
Web applications pose significant risk to enterprise security. By their nature, the servers running many web applications must expose services to internet users. Firewalls and other security devices typically contain rules allowing web traffic to pass through to web servers unfettered. The applications running on web servers are complex and often have privileged access to underlying databases. Attackers often try to exploit these circumstances using Structured Query Language (SQL) injection and other attacks that target flaws in the security design of web applications.
You'll find complete coverage of SQL injection attacks, cross-site scripting (XSS), cross-site request forgery (XSRF), and other web application vulnerabilities in Chapter 21, "Malicious Code and Application Attacks."
Web vulnerability scanners are special-purpose tools that scour web applications for known vulnerabilities. They play an important role in any security testing program because they may discover flaws not visible to network vulnerability scanners. When an administrator runs a web application scan, the tool probes the web application using automated techniques that manipulate inputs and other parameters to identify web vulnerabilities. The tool then provides a report of its findings, often including suggested vulnerability remediation techniques. Figure 15.5 shows an example of a web vulnerability scan performed using the Nessus vulnerability scanning tool. This scan ran against the web application running on the same server as the network discovery scan in Figure 15.1 and the network vulnerability scan in Figure 15.4. As you read through the scan report in Figure 15.5, notice that it detected vulnerabilities that did not show up in the network vulnerability scan.
Figure 15.5: Web application vulnerability scan of the same web server that was port scanned in Figure 15.1 and network vulnerability scanned in Figure 15.2.
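The probing loop described above, reduced to its essentials, as an added example; this is not code from the study guide and it is not how Nessus is implemented. It assumes a constructed in-process target (`vulnerable_app`, a product-search page backed by an in-memory SQLite table, with a hardened twin `hardened_app`), a hypothetical host `target.test`, and a small probe list and set of database-error signatures chosen for the example. The scanner takes a `send(url) -> body` callable, so a real HTTP fetch could replace the in-process target without changing the scanning logic.

```python
"""Tiny web vulnerability scanner: added example, not code from the study guide.

A constructed in-process 'web application' (vulnerable_app) backed by an
in-memory SQLite table stands in for the target; its hardened twin
(hardened_app) shows what a clean scan looks like. The scanner takes a
send(url) -> body callable so a real urllib fetch could be dropped in.
"""
import html
import re
import sqlite3
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample data (assumption: the target has a product search page).
_db = sqlite3.connect(":memory:")
_db.executescript(
    "CREATE TABLE products(id INTEGER, name TEXT);"
    "INSERT INTO products VALUES (1, 'widget'), (2, 'gadget');"
)


def _params(url):
    """Split url into its parts and a dict of its query-string parameters."""
    parts = urlsplit(url)
    return parts, dict(parse_qsl(parts.query, keep_blank_values=True))


def vulnerable_app(url):
    """Deliberately flawed GET handler: SQL built by concatenation, raw echo of input."""
    parts, p = _params(url)
    if parts.path != "/search":
        return "<h1>Not found</h1>"
    q, sort = p.get("q", ""), p.get("sort", "id")
    try:
        sql = f"SELECT name FROM products WHERE name LIKE '%{q}%' ORDER BY {sort}"
        rows = _db.execute(sql).fetchall()
    except sqlite3.Error as exc:  # verbose error page leaks the DB error text
        return f"<pre>sqlite3.{type(exc).__name__}: {exc}</pre>"
    items = "".join(f"<li>{html.escape(r[0])}</li>" for r in rows)
    return f"<p>Results for {q}</p><ul>{items}</ul>"  # q not escaped: reflected XSS


def hardened_app(url):
    """Same page with a bound parameter, an ORDER BY allow-list and output encoding."""
    parts, p = _params(url)
    if parts.path != "/search":
        return "<h1>Not found</h1>"
    q = p.get("q", "")
    sort = p.get("sort") if p.get("sort") in ("id", "name") else "id"
    rows = _db.execute(
        f"SELECT name FROM products WHERE name LIKE ? ORDER BY {sort}", (f"%{q}%",)
    ).fetchall()
    items = "".join(f"<li>{html.escape(r[0])}</li>" for r in rows)
    return f"<p>Results for {html.escape(q)}</p><ul>{items}</ul>"


# Probe strings and error signatures are assumptions chosen for this example;
# real scanners carry far larger lists and many more test classes.
SQLI_PROBES = ["'", '"', "' OR '1'='1", "1 OR 1=1--"]
XSS_PROBE = "<xsstest1337>"  # unique harmless tag; unescaped reflection means XSS
DB_ERROR_RE = re.compile(
    r"sqlite3\.\w*Error|syntax error|unrecognized token|unterminated quoted string"
    r"|SQL syntax|ORA-\d{5}|PG::SyntaxError|mysql_fetch", re.I)


def _with_param(url, name, value):
    """Return url with one query-string parameter replaced by a probe value."""
    parts, p = _params(url)
    p[name] = value
    return urlunsplit(parts._replace(query=urlencode(p)))


def scan(url, send):
    """Mutate every parameter of url and classify the responses.

    send(url) -> response body. Returns sorted (parameter, finding) tuples.
    """
    findings = set()
    baseline = send(url)
    for name in _params(url)[1]:
        for probe in SQLI_PROBES:
            body = send(_with_param(url, name, probe))
            # Count only error text the probe introduced, not noise already on the page.
            if DB_ERROR_RE.search(body) and not DB_ERROR_RE.search(baseline):
                findings.add((name, "error-based SQL injection"))
                break
        if XSS_PROBE in send(_with_param(url, name, XSS_PROBE)):
            findings.add((name, "reflected XSS"))  # angle brackets came back intact
    return sorted(findings)


if __name__ == "__main__":
    target = "http://target.test/search?q=widget&sort=id"  # hypothetical host
    print("vulnerable:", scan(target, vulnerable_app))
    print("hardened:  ", scan(target, hardened_app))
```

Against `vulnerable_app` the scanner reports error-based SQL injection on both `q` and `sort` (the `sort` parameter is interpolated into ORDER BY, where a bound parameter is not an option, which is why the hardened version uses an allow-list) and reflected XSS on `q`; against `hardened_app` it reports nothing. This is only the input-manipulation core of a scanner: a real tool also crawls the application to discover pages and parameters, handles authentication and sessions, and tests classes such as blind (time-based) injection that leave no error text to match on.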


Do network vulnerability scans and web vulnerability scans sound similar? That's because they are! Both probe services running on a server for known vulnerabilities. The difference is that network vulnerability scans generally don't dive deep into the structure of web applications, whereas web application scans don't look at services other than those supporting web services. Many network vulnerability scanners do perform basic web vulnerability scanning tasks, but deep-dive web vulnerability scans require specialized, dedicated web vulnerability scanning tools.

You may have noticed that the Nessus vulnerability scanner performed both the network vulnerability scan shown in Figure 15.4 and the web vulnerability scan shown in Figure 15.5. Nessus is an example of a hybrid tool that can perform both types of scan.

As with most tools, the capabilities of the various vulnerability scanners vary quite a bit. Before using a scanner, you should research it to make sure it meets your security control objectives.
Web vulnerability scans are an important component of an organization's security assessment and testing program. It's a good practice to run scans in the following circumstances:

- Scan all applications when you begin performing web vulnerability scanning for the first time. This will detect issues with legacy applications.
- Scan any new application before moving it into a production environment for the first time.
- Scan any modified application before the code changes move into production.
- Scan all applications on a recurring basis. Limited resources may require scheduling these scans based on the priority of the application. For example, you may wish to scan web applications that interact with sensitive information more often than those that do not.
In some cases, web application scanning may be required to meet compliance requirements. For example, the Payment Card Industry Data Security Standard (PCI DSS), discussed in Chapter 4, "Laws, Regulations, and Compliance," requires that organizations either assess their public-facing web applications for vulnerabilities at least annually and after any changes, or install a dedicated web application firewall in front of them to add an additional layer of protection against web vulnerabilities.
In addition to Nessus, other tools commonly used for web application vulnerability 
scanning include the commercial Acunetix scanner, the open-source Nikto and Wapiti 
scanners, and the Burp Suite proxy tool.