The Cracker Eye View of Web Site Security with Web Vulnerability Scanner - 'Adding Vulnerabilities' (Page 4 of 4)
Adding New Vulnerabilities
I found a few oddities. None were product-breaking, just interesting.
For example, Web Vulnerability Scanner includes a check for the PHP and Apache product versions, but not for IIS and ASP.NET. Curious about the omission, I consulted with company representative Nick Galea who explained, "IIS version information is not available as it is for Apache. For IIS, one would have to check if the product is completely patched up or not. However, Microsoft provides plenty of tools to do this automatically, as well as tools to check that all patches are installed (MBSA). So there really is no need for a check on IIS."
However, I still wanted to check the actual version of IIS to locate old servers. For example, seeing an IIS version older than 5.0 indicates a pre-Windows 2000 setup. You might want to look for this vulnerability when searching your network for unauthorized Web sites. To check the versions for these Microsoft products, you need to add a new vulnerability check with the Vulnerability Editor, shown in Figure 6. You access this tool using the "Tools | Vulnerability Editor" command.
Figure 6: Use the Vulnerability Editor to create new scanning rules.
Creating a new vulnerability isn't difficult, but it can become time consuming. You must define specifically what the software should look for and how it should look for it. Creating the two rules I needed (to scan for versions of IIS older than 5.0 and older versions of ASP.NET) required about an hour. I imagine that task would become easier after you created a few vulnerabilities, but the learning curve is a tad steep for first timers.
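The Vulnerability Editor's rule format is not shown on this page, so the following is an added example (not Acunetix code, and not the author's rules) that implements the logic of the two checks described above in plain Python: it reads the HTTP response headers captured from your own hosts, parses the Server and X-AspNet-Version headers, and flags IIS releases older than 5.0 (pre-Windows 2000) and ASP.NET runtimes older than an assumed threshold of 2.0. The host names, header values and the 2.0 threshold are constructed assumptions, not data from the review.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample response headers, one dict per host (not real captures).
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "intranet-old.example.test": {
        "Server": "Microsoft-IIS/4.0",
        "X-Powered-By": "ASP.NET",
    },
    "app01.example.test": {
        "Server": "Microsoft-IIS/6.0",
        "X-Powered-By": "ASP.NET",
        "X-AspNet-Version": "1.1.4322",
    },
    "www.example.test": {
        "Server": "Apache/2.2.3 (CentOS)",
    },
}

IIS_MIN_VERSION = (5, 0)      # IIS 5.0 shipped with Windows 2000; older means a pre-2000 host
ASPNET_MIN_VERSION = (2, 0)   # assumed threshold for "old" ASP.NET runtimes


def version_tuple(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '6.0' or '1.1.4322' into a comparable tuple, padded to two components.

    Padding avoids the trap where (5,) compares lower than (5, 0)."""
    m = re.search(r"\d+(?:\.\d+)*", text)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(0).split("."))
    return parts + (0,) * (2 - len(parts)) if len(parts) < 2 else parts


def parse_iis_version(server_header: Optional[str]) -> Optional[Tuple[int, ...]]:
    """Return the IIS version from a 'Server: Microsoft-IIS/x.y' header, else None."""
    m = re.match(r"Microsoft-IIS/(\S+)", server_header or "", re.IGNORECASE)
    return version_tuple(m.group(1)) if m else None


def check_host(host: str, headers: Dict[str, str]) -> List[str]:
    """Apply the two checks to one host's headers and return human-readable findings."""
    # Header names are case-insensitive; normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    iis = parse_iis_version(h.get("server"))
    if iis is not None and iis[:2] < IIS_MIN_VERSION:
        findings.append(
            f"{host}: IIS {'.'.join(map(str, iis))} is older than 5.0 "
            f"(pre-Windows 2000 host)"
        )

    if "asp.net" in h.get("x-powered-by", "").lower():
        aspnet = version_tuple(h.get("x-aspnet-version", ""))
        if aspnet is None:
            # ASP.NET is present but the runtime version is not advertised;
            # report it so the host is reviewed rather than silently skipped.
            findings.append(f"{host}: ASP.NET present, runtime version not advertised")
        elif aspnet[:2] < ASPNET_MIN_VERSION:
            findings.append(
                f"{host}: ASP.NET runtime {'.'.join(map(str, aspnet))} is older than "
                f"{'.'.join(map(str, ASPNET_MIN_VERSION))}"
            )
    return findings


def scan_all(responses: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Run check_host over every captured host; hosts with no findings map to []."""
    return {host: check_host(host, hdrs) for host, hdrs in responses.items()}


if __name__ == "__main__":
    for host, findings in scan_all(SAMPLE_RESPONSES).items():
        print(host, "->", findings or "no findings")
```

Feeding this the headers you already collect (for example from an inventory crawl of your own address space) gives the same "old server" signal the author built in the Vulnerability Editor, and the two threshold constants are the only thing to adjust when your baseline changes.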
This Isn't a Complete Solution
Before you attempt to use Web Vulnerability Scanner as your only tool for checking Web sites, it's important to consider what this product does for you. You use this tool to see how the Web page looks from the cracker's perspective. Web Vulnerability Scanner focuses its attention on the Web page, not on your server or the code used to create the Web page.
Using this tool doesn't tell you whether your Web server is missing a security update, and it won't tell you whether you have an open port that crackers can use to invade your Web site. In addition, you can't use Web Vulnerability Scanner to determine how to fix your code.
I like Acunetix Web Vulnerability Scanner. However, it's probably not a very good deal for someone with a smaller Web site, as the price is a bit steep for a small shop. I would, however, recommend this software to companies with a larger development department, or at least those with a larger budget.
The main use of Web Vulnerability Scanner is to tell you that there is a problem, one that a cracker can exploit. Consequently, even the vendor will tell you that you shouldn't make this your only security tool. I'm still looking for the silver bullet that kills every security vulnerability. Until that solution appears, you'll need to combine two or three products to obtain the results you want.