
Vulnerability scanning project

Apr 13, 2017


Chirag Dhamecha
Page 1: Vulnerability scanning project

MISY367 Security Tool Project

Matthew Coyle

Hunter Crozier

Chirag Dhamecha

Joshua Vogel

Vulnerability Scanning: An Introduction

Every night before leaving his store to go home, a business owner makes sure that his valuable assets are properly secured, money is put away in a safe, all windows and doors are closed and locked, and the alarm system is turned on. These precautions are put into place to minimize the threat of a person breaking into the building. If a vandal were to gain access to the store after hours, the likelihood of him or her being able to steal or damage precious assets is greatly reduced due to the established safeguards. This business owner is aware of threats and vulnerabilities that could be present in his store (e.g. leaving money in an unlocked cash register overnight) and minimizes them in order to prevent others from taking advantage of them. Similarly, information security professionals should be aware of the weaknesses that exist within their organization so that they can fix them and significantly reduce the possibility of damage being caused to their organizations. One way to find weaknesses in an IT environment is to utilize a vulnerability scanner.

A vulnerability scanner is a program that checks computers, networks, applications, and websites for weaknesses and problems. It utilizes a database of known security flaws to find if and where a system can be exploited. By uncovering these vulnerabilities, information security professionals can remediate them in order to prevent them from being exploited by threat sources (e.g. malware). While typically used to scan systems that are connected in some way to the Internet, vulnerability scanners can also be used as a tool to audit internal systems that do not utilize the Internet (“What Is Vulnerability Scanning?”). Businesses of all sizes should run vulnerability scans on a regular basis, as all organizations run the risk of being attacked. Multiple studies have shown that over 75 percent of information security professionals know of and use vulnerability scanners; however, many organizations are using old scanner programs or do not make scanning a part of their regular routine (Robinson).

Vulnerability scanners have several benefits and drawbacks. By regularly scanning, organizations can easily identify security vulnerabilities and find a solution to fix them before any problems occur. Vulnerability scanners also enable information security professionals to take inventory of all systems on a network and verify that these systems are properly updated and configured (“An Overview of Vulnerability Scanners”). On the other hand, vulnerability scanners can only find and report vulnerabilities based upon scanner databases. These scanning tools are unable to determine whether the results are accurate, or if they are false positives or false negatives, which means that people must be able to properly read and analyze these reports. Additionally, vulnerability scanners are only able to provide results as of the point in time when a system is scanned (“An Overview of Vulnerability Scanners”). Because systems are often updated and reconfigured, which can introduce new security weaknesses and holes, vulnerability scanners must be used often in order for information to remain accurate and up to date.

Qualys FreeScan

Qualys is a company based out of Redwood City, CA that bills itself as the leading provider of cloud solutions for compliance and information security. The company attempts to keep information security simple and make it available at a low cost by delivering each of its services and systems individually on demand. Whereas many other information security companies require that users download software and computer programs, Qualys offers its services online. According to its website, Qualys solutions include “continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of websites” (“Company Overview & About Qualys”).

Qualys FreeScan provides information security professionals with a way to scan their networks, servers, and websites for security vulnerabilities. It is available as a free trial to showcase its services, which can be purchased for a nominal cost. FreeScan users are given the ability to scan up to 10 different systems within this trial. This online platform is automated and very simple for someone to use. All one must do is create an account, provide a URL or IP address to scan, and choose a type of scan (either Vulnerability Scan, OWASP Risk Scan, Patch Tuesday Authenticated Scan, or SCAP Compliance Scan). During the scan, Qualys devotes its efforts within three main areas: vulnerability scan, malware detection, and web application scan. Once Qualys FreeScan has completed its scan, it will provide the user with a report of the security vulnerabilities found on the system. The report can be printed, exported, or viewed online within the interactive platform. Vulnerabilities are grouped as high risk, medium risk, low risk, or just an informative tidbit that the user should know about, based on the severity of the vulnerability. For each vulnerability, Qualys FreeScan provides detailed information about the threat, impact, and solutions to fix the vulnerability. Within the scan report, users can also view available patches and vulnerabilities grouped by OWASP category.

Getting Started with the Program

Qualys FreeScan is one of the best online vulnerability scanning tools available. It helps companies audit and protect their networks and websites from security vulnerabilities and malware infections. While performing the vulnerability scan, the tool goes through network vulnerability scans for servers and applications, a patch PC audit, an OWASP web application audit, as well as a SCAP compliance audit.

Learning to use the program is a very clear and straightforward process, and the program is also very user friendly; we did not need any prior experience or training to get the hang of it. As broke students, we chose to make a free account, which allows for up to ten free scans. The free trial version and the subscribed version provide exactly the same results; the only difference is that the free version limits the user to only ten scans. Below are some of the key steps illustrating how to use the program:

1. Make a free account and log in (IMG 01).

2. Enter the URL or the IP address of the website you’d like to perform the test on, and choose the type of scan you’d like to perform. If you do not choose a scan, it performs all four types of scans on the website.

3. Once the scan is complete, proceed to “view” under the “scan results” to take a look at the outcomes. The results are categorized based on the type of vulnerability scan: OWASP Report, Patch Report, or Threat Report.


Common Vulnerabilities Protection on Websites

Many of the popular websites that we scanned, such as LinkedIn and Amazon, had a significant number of low risks. One of these risks was something Qualys refers to as “Sensitive form field has not been disabled.” What this risk is essentially saying is that when a website allows you to auto-complete what you are typing, this could be a security risk, as it could allow someone to have access to information they might not otherwise have known. Many websites could easily block this from happening, but have determined that it is more convenient for users to have this feature and that customer satisfaction outweighs the risk. The following is a direct copy of what Qualys says about this vulnerability:

Threat:

An HTML form that collects sensitive information (such as a password field) does not prevent the browser from prompting the user to save the populated values for later reuse. Stored credentials should not be available to anyone but their owner.

Impact:

If the browser is used in a shared computing environment where more than one person may use the browser, then "autocomplete" values may be submitted by an unauthorized user. For example, if a browser saves the login name and password for a form, then anyone with access to the browser may submit the form and authenticate to the site without having to know the victim's password.

Solution:

Add the following attribute to the form or input element: autocomplete="off". This attribute prevents the browser from prompting the user to save the populated form values for later reuse.

Another low risk vulnerability that occurred often was that the “Cookie does not contain the ‘Secure’ attribute.” What was interesting about this vulnerability was that it is based on the latest release of the PCI-DSS requirements. This means that this tool is constantly being updated to help find new vulnerabilities that other downloadable tools may not. The following is a copy of what Qualys says about this vulnerability:

Threat:

The cookie does not contain the "secure" attribute.

Based on the latest release of the PCI-DSS, this vulnerability is a PCI Fail.

PCI-DSSv3.1 requirement 6.5.10 is focused on secure session management, and refers to session cookies needing to have the "secure" attribute set within the Cardholder Data Environment. Refer to PCI-DSSv3.1 for details.

Impact:

Cookies with the "secure" attribute are only permitted to be sent via HTTPS. Session cookies sent via HTTP expose an unsuspecting user to sniffing attacks that could lead to user impersonation or compromise of the application account.

Solution:

If the associated risk of a compromised account is high, apply the "secure" attribute to cookies and force all sensitive requests to be sent via HTTPS.

The final low level security vulnerability that was common throughout many of the websites was one labeled as “Cookie does not contain the HTTPOnly attribute.” The consequence of this is that someone could easily access the information in the cookies using JavaScript or an XSS attack. The following is a copy from the Qualys site:

Threat:

The cookie does not contain the "HTTPOnly" attribute.

Impact:

Cookies without the "HTTPOnly" attribute are permitted to be accessed via JavaScript. Cross-site scripting attacks can steal cookies which could lead to user impersonation or compromise of the application account.

Solution:

If the associated risk of a compromised account is high, apply the "HTTPOnly" attribute to cookies.
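As an added example (not code from the report or from Qualys), the following Python script checks a set of constructed Set-Cookie headers for the two attributes the findings above call out, Secure and HttpOnly, reports each missing one with its risk, and rewrites a non-compliant header the way the Qualys solutions recommend:

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example for this report; the headers below are constructed, not
captured from any site that was scanned.
"""

# Constructed sample response headers, in the shape a scanned web server
# might return them. Only Set-Cookie lines are examined.
SAMPLE_HEADERS = [
    "Set-Cookie: SESSIONID=abc123; Path=/; HttpOnly",
    "Set-Cookie: cart=42; Path=/; Secure",
    "Set-Cookie: prefs=dark; Path=/",
    "Set-Cookie: auth=tok; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Content-Type: text/html",
]

# Canonical casing used when a header is re-emitted.
_ATTR_LABELS = {
    "secure": "Secure",
    "httponly": "HttpOnly",
    "samesite": "SameSite",
    "path": "Path",
}


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, attributes).

    Attributes are keyed by lowercase attribute name; flag attributes such as
    Secure and HttpOnly, which carry no value, map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def audit_cookies(headers):
    """Return one (cookie, missing attribute, risk) finding per gap.

    Mirrors what the scanner reports: a cookie without Secure can travel
    over plain HTTP and be sniffed; one without HttpOnly is readable by
    JavaScript and therefore by an XSS payload.
    """
    findings = []
    for header in headers:
        field, sep, value = header.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(value)
        if not attrs.get("secure"):
            findings.append((name, "Secure", "sent over plain HTTP, exposed to sniffing"))
        if not attrs.get("httponly"):
            findings.append((name, "HttpOnly", "readable by JavaScript, stealable via XSS"))
    return findings


def harden_set_cookie(header_value):
    """Rewrite a Set-Cookie value so both attributes are present, keeping any
    attributes the server already set."""
    name, value, attrs = parse_set_cookie(header_value)
    attrs.setdefault("secure", True)
    attrs.setdefault("httponly", True)
    rendered = [f"{name}={value}"]
    for key, val in attrs.items():
        label = _ATTR_LABELS.get(key, key)
        rendered.append(label if val is True else f"{label}={val}")
    return "; ".join(rendered)


if __name__ == "__main__":
    for cookie, attr, risk in audit_cookies(SAMPLE_HEADERS):
        print(f"{cookie}: missing {attr} ({risk})")
    print(harden_set_cookie("prefs=dark; Path=/"))
```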

One of the less common vulnerabilities was something called a Blind SQL Injection. This is similar to a standard SQL injection attack; however, it is different in the sense that it does not rely on error messages, so it is more difficult to detect. I have included the detailed description below, example included:


Threat:

Blind SQL injection is a specialized type of SQL injection that enables an attacker to modify the syntax of a SQL query in order to retrieve, corrupt or delete data. A successful exploit manipulates query criteria in a manner that affects the query's logic. The typical causes of this vulnerability are lack of input validation and insecure construction of the SQL query.

Queries created by concatenating strings with SQL syntax and user-supplied data are prone to this vulnerability. When any part of the string concatenation can be modified, an attacker has the ability to change the meaning of the query.

Typical detection techniques for SQL injection vulnerabilities use a payload that attempts to produce an error response from the web application. Detection based on blind SQL injection uses inference based on the differences among the application's responses to various payloads. Blind SQL does not rely on error messages, which is beneficial when testing web applications that trap errors.

How It Works:

The WAS scanning engine uses a well-known methodology called "True and False" inference to determine if there is a blind SQL injection vulnerability. Basically, it uses two payloads: one with a "True condition" and another with a "False condition". If there is a blind SQL injection vulnerability, the query with the "True condition" payload will cause the web application to return a different response than the "False condition".

A good example of a "True condition" payload would be ' AND 1=1 . Since 1 always equals 1, the condition is true. An example of a "False condition" payload would be ' AND 1=2 . Since 1 does not equal 2, the condition is false.

For example, let's say there is a web application with a textbox that searches for customer names and displays the results inside a table. Let's assume that if someone searches for John there is one result only. When scanning for the blind SQL injection vulnerability, the WAS scanning engine uses two payloads:

- True condition payload: This injects the string John' AND 1=1 to issue the query "return John only if 1=1". Since 1 always equals 1, the condition is true. The result is John, which is the same result as using the string John.

- False condition payload: This injects the string John' AND 1=2 to issue the query "return John only if 1=2". Since 1 is never equal to 2, the condition is false. The result is nothing or "No results found".

With the results from the two payloads, the WAS scanning engine draws the conclusion that there is a blind SQL injection vulnerability. Even though there is no one called "John' AND 1=1" in the database, the web application displays information for "John" if a search is done with that query string.

Example:

These few lines demonstrate an insecure query that is created by appending user-supplied data (name):

    On Error Resume Next ' Page traps errors and does not display them
    Set oRSu = oCONv.Execute("SELECT fname, name FROM customers WHERE name = '" & Request("txtSearch") & "'")
    If oRSu.BOF Or Err.Number <> 0 Then
        Response.Write "No results found!"
    End If

If no checks are performed against the name parameter, then the query may be arbitrarily modified and sent to the database, as shown in these two examples of a completed query:

    SELECT fname, name FROM customers WHERE name='John' AND 1=1
    SELECT fname, name FROM customers WHERE name='John'; SHUTDOWN WITH NOWAIT

In the first case the database will return "John" since the condition AND 1=1 is always true.


Impact:

The scope of a SQL injection exploit varies greatly. If any SQL statement can be injected into the query, then the attacker has the equivalent access of a database administrator. This access could lead to theft of data, malicious corruption of data, or deletion of data.

Solution:

SQL injection vulnerabilities can be addressed in three areas: input validation, query creation, and database security.

All input received from the web client should be validated for correct content. If a value's type or content range is known beforehand, then stricter filters should be applied. For example, an email address should be in a specific format and only contain characters that make it a valid address; or numeric fields like a USA zip code should be limited to five digit values.

Prepared statements (sometimes referred to as parameterized statements) provide strong protection from SQL injection. Prepared statements are precompiled SQL queries whose parameters can be modified when the query is executed. Prepared statements enforce the logic of the query and will fail if the query cannot be compiled correctly. Programming languages that support prepared statements provide specific functions for creating queries. These functions are more secure than string concatenation for assigning user-supplied data to a query.

Stored procedures are precompiled queries that reside in the database. Like prepared statements, they also enforce separation of query data and logic. SQL statements that call stored procedures should not be created via string concatenation, otherwise their security benefits are negated.

SQL injection exploits can be mitigated by the use of Access Control Lists or role-based access within the database. For example, a read-only account would prevent an attacker from modifying data, but would not prevent the user from viewing unauthorized data. Table and row-based access controls potentially minimize the scope of a compromise, but they do not prevent exploits.

Example of a secure query created with a prepared statement:

    // conn is an existing java.sql.Connection; the query text is compiled first
    // and the user-supplied userid is bound afterwards as a typed parameter.
    PreparedStatement ps = conn.prepareStatement("SELECT name,email FROM users WHERE userid=?");
    ps.setInt(1, userid);
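An added example, not part of the Qualys text or the report: the concatenated query from the ASP sample beside its parameterized replacement, run in Python against a constructed in-memory SQLite customers table, with the scanner's True/False inference applied to both so the difference is visible. Because the vulnerable code appends a closing quote after the input, the payloads use the quote-balanced form ' AND '1'='1 rather than the bare ' AND 1=1 quoted above.

```python
"""Concatenated versus parameterized customer search, checked with the
True/False inference the Qualys description explains.

Added example for this report; the table and rows are constructed.
"""
import sqlite3

# Constructed sample table: one customer whose name is John, as in the
# walkthrough above, plus one unrelated row.
ROWS = [("Johnny", "John"), ("Janet", "Jane")]


def make_db():
    """Create an in-memory customers(fname, name) table with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (fname TEXT, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", ROWS)
    return conn


def search_concatenated(conn, txt_search):
    """Vulnerable form, mirroring the ASP sample: the search text is spliced
    into the SQL string. Errors are swallowed, like 'On Error Resume Next',
    so the only signal an observer gets is whether any rows came back."""
    sql = "SELECT fname, name FROM customers WHERE name = '" + txt_search + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return []


def search_parameterized(conn, txt_search):
    """Remediated form: the search text is bound as a parameter, so the whole
    string, quotes included, is compared literally with the name column."""
    sql = "SELECT fname, name FROM customers WHERE name = ?"
    return conn.execute(sql, (txt_search,)).fetchall()


def true_false_inference(search, conn, base="John"):
    """Apply the scanner's True/False inference to a search function.

    The query is reported injectable when the true-condition payload returns
    the same rows as the plain search while the false-condition payload
    returns something different. Quote-balanced payloads are used because
    the concatenated query appends a closing quote after the input.
    """
    plain = search(conn, base)
    true_cond = search(conn, base + "' AND '1'='1")
    false_cond = search(conn, base + "' AND '1'='2")
    return plain == true_cond and true_cond != false_cond


if __name__ == "__main__":
    db = make_db()
    print("concatenated injectable:", true_false_inference(search_concatenated, db))
    print("parameterized injectable:", true_false_inference(search_parameterized, db))
```

The parameterized search returns no rows for either payload because it looks for a customer literally named "John' AND '1'='1", which is exactly the behaviour the scanner expects from a non-injectable field.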


The final high risk vulnerability that was common in the websites with many vulnerabilities was one called “Reflected Cross Site Scripting.” There was another type of XSS called Persistent XSS, but the two were only slightly different in their definitions. Reflected XSS allows the user to edit the HTML to allow access to sensitive information. The information from Qualys on this vulnerability is included below:

Threat:

XSS vulnerabilities occur when the Web application echoes user-supplied data in an HTML response sent to the Web browser. For example, a Web application might include the user's name as part of a welcome message or display a home address when confirming a shipping destination. If the user-supplied data contain characters that are interpreted as part of an HTML element instead of literal text, then an attacker can modify the HTML that is received by the victim's Web browser.

The XSS payload is echoed in the HTML document returned by the request. An XSS payload may consist of HTML, JavaScript or other content that will be rendered by the browser. In order to exploit this vulnerability, a malicious user would need to trick a victim into visiting the URL with the XSS payload.

Impact:

XSS exploits pose a significant threat to a Web application, its users and user data. XSS exploits target the users of a Web application rather than the Web application itself. An exploit can lead to theft of the user's credentials and personal or financial information. Complex exploits and attack scenarios are possible via XSS because it enables an attacker to execute dynamic code. Consequently, any capability or feature available to the Web browser (for example HTML, JavaScript, Flash and Java applets) can be used as a part of a compromise.

Solution:

Filter all data collected from the client including user-supplied content and browser content such as Referrer and User-Agent headers.

Any data collected from the client and displayed in a Web page should be HTML-encoded to ensure the content is rendered as text instead of an HTML element or JavaScript.


Websites We Scanned and Breakdown Reports

As a group, we scanned a variety of websites, ranging from Amazon to a small home security business, to see which sites would be the most vulnerable to attacks from threat agents. Little did we know that most of the smaller businesses had more secure websites compared to the larger e-commerce websites such as Amazon. Some of the reasons why that is true are that many smaller businesses’ websites are hosted by larger companies, such as Google and GoDaddy. These smaller websites also do not offer as many credit cards and goods that hackers are after, due to their smaller customer base. All in all, we scanned eight websites, and out of those eight we chose to break down the vulnerability reports of the University of Delaware’s website, Amazon’s website, International Association of NLP Institute’s website and Preferred Security Inc’s website. Let's start by analyzing the University of Delaware’s website.

University of Delaware’s Diagnostic Report

After being scanned by Qualys FreeScan, www.udel.edu seems pretty secure and well maintained. According to the results for the University of Delaware's website, there were only two medium risks and one low risk to the website. The two medium risks are that the services listening on certain ports will stop listening for TCP requests. This can be problematic because all the connection attempts to the server failed, making the system open to a DDoS attack as the TCP requests are being ignored, taking up more and more resources from actual users. This can slow down and even crash the site and knock it offline if a DDoS attack were to occur. The solutions to help resolve this issue are to check whether your Qualys scanner crashed and call technology support, to lower the Qualys bandwidth settings if it’s a bandwidth problem, or to check whether the port ignoring the traffic is dynamic. The low threat was that there was scan interference because of Udel’s IDS and antivirus software. This interference exists because the scanner is scanning the website and its packets are being processed by that software. IDS and antivirus software can distort and change the packets, which affects the scanner's accuracy in detecting vulnerabilities. The solution to this problem is to whitelist Qualys FreeScan in the IDS and antivirus software.

Amazon’s Diagnostic Report

After scanning Amazon.com, the group was shocked to see that it was highly vulnerable compared to the website of Preferred Security Inc. People would assume this larger e-commerce site would be more secure than a small security business. Amazon had ten high risks, three medium risks and forty-four low risks on their website. This was shocking to the group because the highest risk was cross-site scripting, which is when a hacker tries to directly communicate with the web server in order to get the customer's transaction information. This style of attack goes after the customer instead of the web page itself in order to gain personal information and credit card numbers. The solution for this is to filter all traffic coming from user supplied content, and this information should be encrypted in order to protect the privacy of the user. Another vulnerability is a predictable web server session id, which means that the session keys for SSL are easy for a program to break down by working out the algorithm and gain access to the purchase session. The solution to this problem is to use stronger cryptographic algorithms to encrypt the data with.

Preferred Security Inc.’s Diagnostic Report

After scanning Preferred Security Inc.’s website, our group was surprised to see that a website for such a small mom and pop business is very secure compared to an e-commerce giant like Amazon.com. Preferred Security Inc. had only one medium security risk and two low risks. The medium risk, TCP port pass firewall, occurs when certain requests can pass through the firewall, in this case on ports 20 and 1027. These are the ports used for File Transfer Protocol, which is unencrypted when being sent out over the Internet. The solution to fix this risk is to close that port on the firewall and block all traffic coming to port 20. The other vulnerabilities are related to insecure cookies used by the web server. One can fix this by only allowing the cookies to gather information on certain fields of data.


International Association of NLP Institute’s Diagnostic Report

After scanning International Association of NLP Institute’s website, the group was shocked to see just how vulnerable it was. This website had thirty-one high risk vulnerabilities, nineteen medium risk vulnerabilities and twenty-nine low risk vulnerabilities. The most interesting high risk vulnerabilities to the group were blind SQL injection and cross-site scripting. A blind SQL injection is when a hacker is able to modify the database attached to the website in order to delete and add records. The solution to this issue is to have input validation, query creation and database security. Input validation is when you restrict the length of inputs and the types of characters that can be entered. An example of input validation would be limiting a zip code to only 5 numbers and verifying that the zip code meets these criteria. Queries should be pre-created and have a catch statement to make them fail if someone tries to edit the query from the outside. Database security includes strong passwords and credentials to edit or use the database. Cross-site scripting, as the group has mentioned before, is when a hacker targets the user by communicating with the web server in order to gain credit cards and personal information. One way to resolve this issue is to have the user input traffic monitored for suspicious behavior, and that data should be encrypted.


Resources (Scanned Sites)

● www.google.com

● http://old.cageprisoners.com/articles.php?id=22926

● http://www.nlp-institutes.net/show.php?id=620

● http://www.tunesoman.com/product.php?id=200

● http://coda.cc/product/product.php?id=4

● http://www.dipintoguitars.com/product.php?id=2

● http://www.ampak.com.tw/product.php?id=21

● http://store7.geomerx.com/mayflower/index.cfm?fuseaction=

● http://www.preferredsecurityinc.com/

Is the Tool Worth the Money?

Based on results from the scans, we would strongly recommend the tool. One of the best aspects is that it’s web based, and therefore the user does not have to be on site while performing the scans; you could get the scan started and get back to it later to check on its progress, or check on the results if it has completed the scan. The tool being online based greatly benefits the user, since all the protocols will always be up to date; hence the user doesn’t have to manually keep checking for new protocols. The “subscription” to Qualys is based on the type of business and the specific needs of what the business will primarily be using the tool for. Once you submit an application for a subscription to the tool, the subscription fees are calculated and the business receives a quote from them. The tools embedded in Qualys pay for themselves, since it breaks down the scans into what the threats, impacts, solutions, and results are.


Works Cited

"An Overview of Vulnerability Scanners." GovHK: Information Security. The Government of the Hong Kong Special Administrative Region, Feb. 2008. Web. 8 May 2016. <http://www.infosec.gov.hk/english/technical/files/vulnerability.pdf>.

"Company Overview & About Qualys." Qualys. Qualys, Inc., 2016. Web. 8 May 2016. <https://www.qualys.com/company/>.

Robinson, Brian. "Vulnerability Scanning for Business." IT Security. PCMag Digital Group, 2016. Web. 8 May 2016. <http://www.itsecurity.com/interviews/amer-deeba-interview-qualsys-040507/>.

"What Is Vulnerability Scanning?" Webopedia. QuinStreet Inc., 2016. Web. 8 May 2016. <http://www.webopedia.com/TERM/V/vulnerability_scanning.html>.