Page 38 - info_oct_2021_draft13
P. 38

In Focus                          Comprehensive Security                              Detecting Web Infra
                         AVART                 Assessment                Web Shells              Vulnerabilities













         Detecting Web


         Infra Vulnerabilities


          The imperative facet to secure a
          software






              eb infrastructure consists of Server in-  these leads to high attack success for attackers.   the structure and display of these systems/live
              frastructure and Application code. If the   Malicious users continuously scan internet for   Websites are publicly available.
         WWeb-infrastructure is vulnerable, applica-  vulnerable applications to deface/leak critical
          tion also becomes vulnerable to attackers, even   data/ phishing etc.   Tools to detect lower version
          if application is audited/ hardened. As time pro-  Malicious users also perform supply chain   Opensource Scanners (such as whatweb and
          gresses Penetration Testers find vulnerabilities in   attack on software before release to make them   wappalyzer) allow filtering of Web-Infrastructure
          web infrastructure components (Software compo-  use by production systems, example of one such   details by scraping the headers, default
          nents include Operating system, Content Manage-  release is php8.1.0.-dev [zerodium vulnerability].  installations. Open source Scanners , specific
          ment System (CMS), Plugins, Vendor specific soft-   Third party libraries are extensively in   to CMS tries  to identify vulnerable themes and
          ware  etc.).  These  vulnerabilities  are  published/  application usage due to ease of use. These   Plugins. Examples of such scanners are wpscan,
          reported in security forums. These vulnerabilities   libraries usage, testing and maintaining is very   droopescan. Open source scanners altogether
          are called known Component vulnerabilities in   difficult for production environments because of   gives full initial assessment of web applications.
          software.                          sole dependency of third party groups.   These Scanners after modifying the source codes
             Software vulnerabilities publishing is still    Software vendors/publishers component   can also be used as full-fledged fuzzing tools for
          process for disclosing vulnerabilities publicly.   security releases are common if software is   particular vulnerabilities. Enterprise scanners
          National vulnerability database (NVD) is one such   prone  to  security  issues.  Popular web CMS   provide full security scan of applications including
          database which publishes Common vulnerability   Drupal, Joomla and WordPress had multiple   CMS and other applications. These scanners have
          enumeration (CVE) for vulnerabilities including   security releases in the past. Identifying these   also support from respective vendors
          web infrastructure, CMS etc.       CMS components were very easy to identify as
           Old version software contains vulnerabilities,
          which need to be patched or updated to latest   Patching Web infrastructure
          versions/patches.  Metadata  information
          of Webservers, CMS and errors gives web
          infrastructure  information.  Attackers  perform                           Patches should be incorporated for
          identification  of  web-infrastructure  information   Server hardening is one such process   Critical Security updates of software
          from website using fingerprinting tools from   to stop disclosing server technical   releases on regular basis. Minor patches
          different metadata (headers, default installation   metadata  for  finger  printers/  applying to software is less difficult
          file comments, and configuration files) handlers.   scrappers. It  may not stop fully, if   when compared to major version(s),
          Vulnerable Scanners have database of all CVE   attacker uses automated exploits on   in the production systems, as any
          and privileged (undisclosed vulnerabilities) for   applications.           downtime in production environment,
          different platforms. Insecure libraries and plugins                        may not be feasible.
          are continuously published in security forums. All


                                                  Organizations  should  know  patch
                                                  requirement  applications  based   Applying updates and configuration
                                                  on asset collection for updating/  changes are required throughout the
                                                  upgrading/virtual patching (through   application lifetime to make it free from
                                                  Web Application Firewall-WAF).Virtual   vulnerabilities.
                        Kasi Viswanath            patching can be applied by putting the
                        Kethineni
                        Scientist-C               website behind WAF.
                        kasiviswanath.k@nic.in



          38
          38 informatics.nic.in  October 2021
                           October 2021
             informatics.nic.in
   33   34   35   36   37   38   39   40   41   42   43