Questions tagged [vulnerability-scanners]

A piece of software and or hardware designed to detect the presence of vulnerabilities in an IT system.

395 questions
6
votes
2 answers

What should a Vulnerability Management System scan on a large scale

On a large scale (~1500 workstations, ~100 servers, ~50 network routers and switches, etc.), what should a vulnerability management system be scanning? Should it scan everything, or just samples? I know that ideally the VMS has to scan everything,…
lisa17
6
votes
1 answer

Safely Experimenting With Sockets

I'm learning about TCP/IP and (Berkeley/UNIX) socket programming. Let's say I have two scenarios: 1) I write two programs in C, a client and a server, and bind them each to a non-well-known port on the same (Linux) host, and experiment with…
Vale132
5
votes
3 answers

External cross domain include script

One of my web applications underwent a vulnerability assessment recently, and one of the findings is about cross-domain script include. Our web app uses addthis_widget.js from AddThis to bookmark Facebook/Twitter etc. It was recommended that we copy…
5
votes
1 answer

Burp Suite Active Scanning Wizard options

I have been making use of Burp Suite's active scanning functionality for some of my recent web application assessments, and I had some questions about the active scanner's ability to remove URLs from the scan queue that have particular characteristics…
5
votes
1 answer

How does this shellshock scan work?

My server is obviously up to date and not vulnerable to Shellshock exploits. However, I am still curious to know how the following Shellshock scan works: /var/log/apache2 # cat access.log | grep bash 209.126.230.72 - - [25/Sep/2014:00:52:03 +0000]…
augustin
5
votes
2 answers

Tools for analyzing Perl 5 code?

I'm looking for good tools for analyzing and/or detecting security issues in a large software project written in Perl 5. It could be static or dynamic analysis. I know that Perl is undecidable, but I've decided to try any tool that allows me to reduce…
user1234299
5
votes
1 answer

NGINX / HTTP TRACE

I have an HTTP server (Nginx) with HTTP TRACE enabled. A single nmap --script=http-methods.nse host.name gives this result: Not shown: 988 closed ports PORT STATE SERVICE VERSION [...] 80/tcp open http nginx |…
flydev
5
votes
1 answer

Is it possible to invoke OS commands from a NASL script in OpenVAS?

I was wondering if it is possible to run a command like cat, w3m or any other Operating System (Linux) utility from inside a NASL script and use its output. Do you know any examples? I know you can use the tools that OpenVAS uses like nikto, etc…
5
votes
2 answers

Why do the CVSS scores differ so much between the Red Hat and NVD pages?

Take CVE-2016-7872 for example. On the National Vulnerability Database webpage, we can see that the CVSS2 and CVSS3 scores are 9.8 and 10.0 respectively. But on the Red Hat security advisory page, they are 6.8 and 8.8. To my understanding, CVSS scores are…
5
votes
1 answer

Reliability of Padding Oracle vulnerability testers

I recently ran my website through the Qualys SSL Labs SSL Test. My website got a grade "F" with this message attached: This server is vulnerable to the OpenSSL Padding Oracle vulnerability (CVE-2016-2107) and insecure. Grade set to F. Being…
Alex
5
votes
1 answer

Configuring socat to pentest an IPv6-only remote web server from an IPv4 host

I need to pentest an IPv6-only web server situated in a remote network from my IPv4 host (Kali Linux VM). I have a 6-to-4 tunnel up between the two hosts (configured using Hurricane Electric). I'm trying to do a vulnerability scan using Nikto, but…
5
votes
2 answers

Human vs. Vulnerability Scanners

When would a human outperform a scripting tool when testing for vulnerabilities? For example, would a human ever find something that SQLmap wouldn't? In what cases would it be preferable/are there any examples? For example consider the url:…
5
votes
2 answers

Patterns for searching a source repository for private data

I recently discovered a case where a colleague had accidentally committed their login credentials (host, username, and password) to a local source code repository, and then pushed these changes to a public repository on GitHub. Of course, this was…
Psychonaut
5
votes
0 answers

How could I train a ML system to identify vulnerabilities in code?

Apologies if this is not as much of a "question" as it is a discussion. I've been thinking about this for a while. How could I train a machine learning system to identify (new) vulnerabilities in open source code bases? Or even closed binaries? Is…
pandemic
5
votes
2 answers

Scanning DVWA with w3af - Unable to detect SQLi when security on low

I've been messing around with DVWA (Damn Vulnerable Web Application) and w3af. I've been scanning DVWA with w3af, and have used the spiderMan proxy and HTTP config to set up auth credentials to get past the login screen of DVWA, but w3af still…