SiteDigger 2.0 is another tool that queries Google to discover possibly vulnerable applications on your Web site. The tool comes with 175 custom URL query strings, and it can also use GHDB. To get started, you'll need your Google API key, which you must enter into the license key box in SiteDigger's GUI.
Before you start your queries, use the Update menu to update the Foundstone and GHDB databases. Then, click the Options tab and select the Foundstone database or GHDB. In either case, you select and clear check boxes to choose which queries you want to perform. Select the Search tab to enter your Web site address and click Search.
After the search process is finished, you can click Export Results on the Search tab to export the results. SiteDigger produces a clear HTML-based report, as Figure 3 shows. Although the SiteDigger report isn't as detailed as the report that NTOinsight produces, it presents a useful summary of possible problems, explanations, and links to suspect URLs on your site. (Foundstone also provides vulnerability assessment services based on term agreements or on demand.)
A Hybrid Tool
Because it offers more features, Wikto is a bit more complicated to use. Wikto crawls your Web sites, makes copies of them on the local disk, queries Google (using the Google API) to find other possible URLs linked in your sites, and works with the Nikto database as well as with GHDB. The Nikto database queries your Web servers directly, whereas GHDB queries Google for URL patterns related to your Web servers.
Although Wikto is basically an all-in-one scanner and analyzer, its reporting capabilities require exporting data to comma-separated value (CSV) format, then importing the data into a spreadsheet or database for report generation and further analysis.
Before you can download Wikto, you must sign up for a free account at the SensePost Web site. A link to register is near the top of the Wikto Web page. After you register, your ID and password are emailed to the address you provide.
To use Wikto, you also need two third-party tools—HTTrack (http://www.httrack.com) and httprint (http://net-square.com/httprint)—both of which are free. HTTrack creates complete copies of Web sites, and httprint determines the server software that the Web site uses by fingerprinting the characteristics of the server's HTTP responses (header ordering, status-line wording, and similar details), so it works even when the Server header has been changed to hide the product name. Wikto uses these two tools to refine its scanning process.
After you install all three tools, configure Wikto and update its databases. Begin by clicking the SystemConfig tab to ensure that the path names for HTTrack, httprint, and the Nikto and GHDB databases are correct. You also need to enter your Google API key in the appropriate field. Click Save to save your configuration to disk. Next, click Update NiktoDB and follow the prompts. After that download is complete, click Update GHDB and again follow the prompts. At this point, you're ready to start an audit of your Web site.
The first step in the Web site audit process is to create a mirror of your Web site. Wikto uses the mirror to determine embedded links and directory paths that might not show up otherwise. Click the Mirror & Fingerprint tab, enter your Web site's home page address in the Target box, and click Start. Wikto will use HTTrack to make a complete copy of your Web site on the local system. When the mirror process is complete, you'll see a list of discovered directories in the Directories Mined box on the right-hand side of the display.
The second step is to go to the Googler tab, make sure the Site/Domain and Google Keyword fields contain the URL for your site's home page, and click Start. Doing so will send a series of queries to Google that look for various file types identified as existing on your Web site. This process helps reveal additional directory paths on your Web site. When the process has finished, you might find that this step reveals far more directories than the first step revealed.
Next, go to the BackEnd tab. Click Import from Google and Import from Mirror to import the data gathered in step 1 and step 2. Below Update from SensePost, select Full from the dropdown menu, then click Update from SensePost. Doing so updates the full list of directories by importing that data from the SensePost Web site. Make sure you have your Web site home page in the IP/DNS name field, then click Start Mining. This step could take a long time to finish, depending on the number of directories and files, so be patient. It will reveal any directories and files that anonymous users can reach. If this step exposes any administrative interfaces or other sensitive areas of the site, put them behind authentication and, where possible, restrict them to the addresses that legitimately need them.
After the process is finished, you can move on to the Wikto tab and the GoogleHacks tab, both of which are relatively self-explanatory. Make sure you have your Web site URL entered correctly, click Load to load each respective database, then click Start. Results are shown in the window on each tab.
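The Googler and BackEnd steps above boil down to two things: turning search-engine hits into candidate directory paths, and then probing those paths on the server to see which ones respond. The script below is an added example (my own, not Wikto's code) that does both. It runs offline against a small site constructed inline; the hit list, the site contents, the common-directory list and every function name are hypothetical. The one practical detail worth noticing is the baseline request: a server that answers 200 with a "not found" page for every path would otherwise make every guess look like a hit, so the script first fetches a path that cannot exist and discards anything that looks like that response. Point `default_fetch` at a real site only when it is yours to test.

```python
"""Directory mining with a 404 baseline (added example, not part of Wikto)."""
import random
import string
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Hypothetical markers for paths that deserve a closer look if they respond.
SENSITIVE_MARKERS = ("admin", "manager", "phpmyadmin", "backup", "console", "config", ".git")


def directories_from_urls(urls):
    """Reduce search hits (e.g. for site:example.com filetype:pdf) to the
    directories they reveal, including every parent directory."""
    dirs = set()
    for url in urls:
        path = urlparse(url).path
        parts = [p for p in path.split("/") if p]
        if not path.endswith("/") and parts:
            parts = parts[:-1]  # last component is a file name, not a directory
        for i in range(1, len(parts) + 1):
            dirs.add("/".join(parts[:i]) + "/")
    return sorted(dirs)


def default_fetch(url, timeout=10):
    """GET a URL and return (status, body). Only for sites you are authorised to test."""
    req = urllib.request.Request(url, headers={"User-Agent": "dir-miner-example"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a useful body
        return err.code, err.read(4096).decode("utf-8", "replace")
    except urllib.error.URLError:
        return 0, ""


def baseline_not_found(base_url, fetch):
    """Request a path that cannot exist to learn how this server says 'not found'."""
    bogus = "".join(random.choice(string.ascii_lowercase) for _ in range(16)) + "/"
    return fetch(urljoin(base_url, bogus))


def looks_like_baseline(status, body, baseline):
    """True if a response matches the not-found baseline (catches 'soft 404' pages)."""
    b_status, b_body = baseline
    if status != b_status:
        return False
    if not b_body:
        return True
    # Crude but effective: same status and body length within 10 percent.
    return abs(len(body) - len(b_body)) / max(len(b_body), 1) < 0.10


def mine(base_url, wordlist, fetch=default_fetch):
    """Probe each path; keep responses that differ from the baseline and
    indicate the path exists (200 content, redirects, or auth/forbidden)."""
    baseline = baseline_not_found(base_url, fetch)
    findings = []
    for path in wordlist:
        status, body = fetch(urljoin(base_url, path))
        if looks_like_baseline(status, body, baseline):
            continue
        if status in (200, 301, 302, 401, 403):
            sensitive = any(m in path.lower() for m in SENSITIVE_MARKERS)
            findings.append({"path": path, "status": status, "sensitive": sensitive})
    return findings


# --- Constructed data so the example runs offline -------------------------
CONSTRUCTED_HITS = [  # pretend these came back from the Googler queries
    "http://www.example.com/docs/2005/report.pdf",
    "http://www.example.com/docs/policy.doc",
    "http://www.example.com/backup/",
]
COMMON_DIRS = ["admin/", "images/", "robots.txt", "cgi-bin/", "old/"]  # stand-in for a downloaded list
SOFT_404 = ("<html><head><title>www.example.com</title></head><body>"
            "<h1>Sorry, that page could not be found.</h1>"
            "<p>Use the navigation bar to find what you are looking for.</p>"
            "</body></html>")
CONSTRUCTED_SITE = {  # path -> (status, body); every other path gets the soft 404
    "/backup/": (200, "<html><body><h1>Index of /backup</h1><a href='site.tar.gz'>site.tar.gz</a></body></html>"),
    "/docs/": (200, "<html><body><h1>Index of /docs</h1><a href='policy.doc'>policy.doc</a></body></html>"),
    "/docs/2005/": (403, "Forbidden"),
    "/admin/": (401, "Authorization Required"),
    "/images/": (403, "Forbidden"),
    "/robots.txt": (200, "User-agent: *\nDisallow: /admin/\n"),
}


def fake_fetch(url, timeout=10):
    """Offline stand-in for default_fetch that serves CONSTRUCTED_SITE."""
    return CONSTRUCTED_SITE.get(urlparse(url).path, (200, SOFT_404))


def demo():
    wordlist = directories_from_urls(CONSTRUCTED_HITS)
    wordlist += [d for d in COMMON_DIRS if d not in wordlist]
    return mine("http://www.example.com/", wordlist, fetch=fake_fetch)


if __name__ == "__main__":
    for f in demo():
        flag = "  <-- review: looks administrative/sensitive" if f["sensitive"] else ""
        print(f"{f['status']} /{f['path']}{flag}")
```

Note that 401 and 403 responses are kept: they confirm the path exists, which is exactly what you want to know about an administrative interface, and `cgi-bin/` and `old/` are dropped because they came back as the server's soft-404 page even though the status code was 200.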
After you finish the scanning, you can review the results and export them to CSV format, which you can then import into a spreadsheet or database for further analysis and report generation, as I mentioned previously. (In addition to Wikto, SensePost also provides a subscription-based online scanning service.)
Scanning Your Web Apps for Security
I've discussed several useful tools and described how to use them to assess the security of your Web-based applications. By using tools that scan your servers directly and tools that scan Internet search engines, you can find areas of vulnerability and remediate them to stay a step ahead of the average intruder. Best of all, because the tools I've discussed are free, you can start using them immediately and continue using them regularly!