Tools To Scan For Security Vulnerabilities and Malware

Web security is something we should all be taking seriously nowadays, because there are literally hundreds of ways a site can become compromised. You should scan for security vulnerabilities regularly to stay safe from problems such as cross-site scripting, vulnerable components, DOM-based vulnerabilities, SQL injection, cross-site request forgery and CRLF/XXE/HTTP injection.

Let’s face it, we don’t always scan security vulnerabilities as much as we should. It’s an easy task to overlook because so much needs to go into designing, testing, and marketing a website. We’re often more focused on success than safety, but that really is a false economy. It’s like building a fabulous house but forgetting to put a lock on the front door. Security underpins everything else you do with your property, so you can’t afford to let it slip. If you don’t scan security vulnerabilities, then the chances are good that someone, somewhere will find a way in and cause havoc. If you feel put off from thinking about security because it seems complicated, don’t worry. There are plenty of tools out there that will scan website security vulnerabilities for you. Some of them even offer free trials so you can road test them to see if they’re going to work for you:

SUCURI

SUCURI is free and widely used to scan websites for malware. It’s great at tracking down malware and scanning for security issues, and it will report on malware blacklisting status, show you where spam has been injected, and point out instances where someone has made unwelcome changes to your site. If you’re using a popular platform such as WordPress, Joomla, Magento, Drupal or phpBB, it’s going to work just fine for you.

Quttera

Quttera can scan websites for malware and possible exploits. It combs your website for potentially malicious and suspicious files, using PhishTank, Safe Browsing (Google, Yandex) and the Malware Domain List.

Qualys

SSL Server Test by Qualys looks for misconfigured SSL/TLS and for inherent weaknesses on your site. It can check your https:// URL, including the certificate’s expiry date, its overall rating, cipher suites, SSL/TLS version, a handshake simulation, protocol details, BEAST and other things too.

It’s important to run the Qualys test every time you make a change to SSL/TLS. It can scan for security vulnerabilities or scan your website for malware, so you’ll be assured that any changes you’ve made are safe.

Intruder

Intruder is based in the cloud and it looks for weaknesses in the whole web app set-up. It’s engineered to deliver a level of security protection that makes it suitable for governments, banks and similar enterprises that call for high-end safety, and its scanning engine is simple to use as well.

Its comprehensive security features allow it to identify:

  • absent patches
  • incorrect configurations
  • web application issues including SQL injection and cross-site scripting
  • CMS problems

Intruder can scan website security vulnerabilities and put results in order of priority according to their context to save you time. It can also proactively scan your systems for the most recently identified weaknesses. It can integrate with major cloud providers (AWS, GCP, Azure) as well as Slack and Jira.

Detectify

Ethical hackers lend their expertise to ensure Detectify keeps your website and web apps secure with automatic security and monitoring of assets. It can identify upwards of 1500 potential threats.

It can scan for vulnerable points with OWASP Top 10, CORS, Amazon S3 Bucket, and misconfigured DNS. It has Asset Monitoring and it keeps a non-stop eye on your subdomains, searching for takeovers and alerting you if anything anomalous is picked up.

Detectify’s pricing plans come in three flavors, called Starter, Professional, and Enterprise and they all come with a two-week free trial, no credit card needed.

UpGuard

UpGuard Web Scan can assess risk using information that’s publicly available. It can organize test results into these groupings:

  • website threats
  • email threats
  • network security
  • malware and phishing
  • brand defense

It’s great at quickly giving you insights about where your website is at the moment, security-wise.

Pentest-Tools

This scanner is just one of many tools on offer from Pentest-Tools. It can gather information, test web apps, CMS, infrastructure, and SSL. Its main purpose is to find the most frequently-occurring web app vulnerabilities and problems with server configuration.

There’s a basic version that does passive web security scanning, and it’s adept at finding things like unsafe cookie settings, unsafe HTTP headers, and out-of-date server software. It will grant you two full scans for free, and that will be enough to give you a very good overview of any problems with things like local file inclusion, SQL injection, OS command injection, and XSS, for example.

Observatory

Mozilla has launched Observatory, which can scan websites for malware and has other security features. It validates the OWASP-recommended security headers, checks TLS best practices and carries out third-party tests from SSL Labs, High-Tech Bridge, Security Headers, HSTS Preload and others.

Conclusion

All of these powerful tools can give you a great deal of insight into the kind of vulnerabilities that might affect your website, and enough of them have free offers that you’ll be able to decide which of them will serve you best.

Three New Web Application Threats and their Solutions

Web Application Threats

Malicious users will try to access your web application without your consent, so you should implement the security features needed to protect yourself from new web application threats: spoofing, information disclosure and data tampering. Let’s see how we can mitigate these threats together using Plesk security tools.

1. Spoofing


Spoofing is one of the modern web application threats, regardless of the security measures you may implement on the back end to protect users’ credentials. It means pretending to be someone or something other than yourself, and it can happen in many ways.

Fake User Authentication

Attackers can create a fake login page that looks like that of a web application to trick users into logging in, so that they can steal users’ login credentials. For spoofing, attackers can even use social engineering tools such as SET to clone the login page of a popular web application.


Cross-Site Request Forgery (CSRF)

Cross-site request forgery tricks a web browser into executing an unwanted action, such as transferring funds from one account to another in a web application where the user is already logged in. Attackers usually use social engineering tricks to carry out CSRF, sending links on social media to authenticated users, in other words those already logged into a web application.

Unsuspecting users then end up sending a forged request to the server on behalf of the malicious user. Though it’s quite difficult to prevent completely, below is how you can mitigate cross-site request forgery.

How to Prevent Spoofing Threats

  • Implement an SSL/TLS Certificate

To defend against authentication spoofing, make sure that a web application such as a banking portal has an SSL/TLS certificate in place. Plesk lets customers get these certificates for free in just a few clicks.

Spoofing Threat Prevention

Even less technical customers can use the Let’s Encrypt extension on the Plesk platform to easily create SSL certificates for their domains, making it harder for attackers to mount spoofing attacks.

  • Generate Random Tokens

To prevent forged requests, you can also use tokens to validate GET/POST requests from users. For example, to enable CSRF protection in Flask-based applications, you can use the Flask extension CSRFProtect and enable it globally:

from flask import Flask
from flask_wtf.csrf import CSRFProtect

app = Flask(__name__)
app.config["SECRET_KEY"] = "change-me"  # CSRFProtect signs its tokens with this key
csrf = CSRFProtect(app)  # enables CSRF checks on every POST/PUT/PATCH/DELETE request

Alternatively, you can use FlaskForm to prevent forged requests in Flask web applications. The standard way of preventing CSRF threats in Java or PHP web applications is to implement an anti-CSRF token known only to the user’s browser and the web application: the token is stored in a session variable and sent back with each request in a hidden form field. If the value of the session variable and the hidden form field match, the user’s request is accepted.
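The session-variable-plus-hidden-field pattern just described, written out as an added, framework-independent example (not code from the original post); the session dict and form dict stand in for whatever the framework provides:

```python
import hmac
import secrets

SESSION_KEY = "csrf_token"  # session variable that holds the token
FORM_FIELD = "csrf_token"   # hidden form field sent back with the request


def issue_csrf_token(session: dict) -> str:
    """Create (or reuse) the per-session anti-CSRF token and return it.

    The value is unguessable (32 random bytes) and lives only in the
    server-side session; templates embed it in a hidden <input> of every
    state-changing form.
    """
    if SESSION_KEY not in session:
        session[SESSION_KEY] = secrets.token_urlsafe(32)
    return session[SESSION_KEY]


def hidden_field(session: dict) -> str:
    """HTML snippet for the hidden form field carrying the token."""
    return f'<input type="hidden" name="{FORM_FIELD}" value="{issue_csrf_token(session)}">'


def verify_csrf_token(session: dict, form: dict) -> bool:
    """Accept a request only if the submitted field matches the session token.

    A forged cross-site request cannot read the victim's page, so it cannot
    learn the token and fails here. compare_digest avoids timing leaks.
    """
    expected = session.get(SESSION_KEY)
    submitted = form.get(FORM_FIELD)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    # Constructed walk-through: a legitimate submission versus a forged one.
    session = {}  # stands in for the server-side session store
    legit_form = {"amount": "100", FORM_FIELD: issue_csrf_token(session)}
    forged_form = {"amount": "100"}  # attacker's page cannot read the token
    print("legitimate accepted:", verify_csrf_token(session, legit_form))  # True
    print("forged accepted:", verify_csrf_token(session, forged_form))     # False
```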

2. Information Disclosure

Information Disclosure Threat

Information disclosure is when unauthenticated users are allowed to access documents restricted to authenticated users. The following are some of the ways information disclosure can take place.

IDOR – Insecure Direct Object Reference

An IDOR attack is possible when a web application gives direct access to an object based on user-supplied input, which lets unauthorized users reach resources that should be restricted from them. Let’s assume user A logs in to a banking web portal and is then redirected to the following URL:

https://mybank.com/acc=00012345

In this case, 00012345 is user A’s account number. To access another customer’s account details, user A just needs to change acc=00012345 to acc=000112367.

So this simple change allows a user to access another user’s account details without the owner’s consent.

How to prevent

There are different ways to prevent insecure direct object references. One is to avoid exposing the real identifier of an internal object, such as a database record, by replacing it with a salted hash value:

https://mybank.com/acc=00012345

https://mybank.com/acc=12eryrxhwgq
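An added example (not the post’s own code) of the keyed-hash reference above, paired with the ownership check that actually stops IDOR; the account table, secret and user names are constructed sample values:

```python
import hashlib
import hmac

# Constructed sample data standing in for the bank's account table.
ACCOUNTS = {
    "00012345": {"owner": "userA", "balance": 1500},
    "00112367": {"owner": "userB", "balance": 9800},
}
# Server-side secret that salts the hash; load it from configuration in practice.
SECRET = b"replace-with-a-secret-from-config"


def opaque_id(account_no: str) -> str:
    """Keyed (salted) hash of the real identifier. It is one-way, so the URL
    reveals nothing about the account number, and without the server secret a
    user cannot compute the reference for anyone else's account."""
    return hmac.new(SECRET, account_no.encode(), hashlib.sha256).hexdigest()[:24]


# Reverse lookup built server-side; the real number never leaves the server.
OPAQUE_TO_ACCOUNT = {opaque_id(no): no for no in ACCOUNTS}


def account_url(account_no: str) -> str:
    """Link issued after login (compare https://mybank.com/acc=00012345)."""
    return f"https://mybank.com/acc={opaque_id(account_no)}"


def get_account_vulnerable(acc_param: str):
    """IDOR: trusts the user-supplied parameter and never checks ownership."""
    return ACCOUNTS.get(acc_param)


def get_account_secure(current_user: str, acc_param: str):
    """Resolves the opaque reference *and* verifies the caller owns the account.
    The ownership check is what prevents IDOR; the opaque id only removes the
    guessable sequence from the URL."""
    account_no = OPAQUE_TO_ACCOUNT.get(acc_param)
    if account_no is None:
        return None
    record = ACCOUNTS[account_no]
    if not hmac.compare_digest(record["owner"], current_user):
        return None
    return record
```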

SQL Injection

SQL injection is one of the most common ways malicious users disclose information restricted from public view. Attackers can send commands such as SELECT to download an entire database, CREATE to create new users in the database, or UPDATE to modify accounts.

How to prevent

You can use prepared statements to prevent an attacker from changing the purpose of a query. A prepared statement separates the query from the data, so the data submitted by an attacker can’t be used to modify the query. Flask developers can also prevent SQL injection by using SQLAlchemy to interface with the database, as it comes with features to prevent SQL injection threats.
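To show what “separating the query from the data” buys you, here is an added example (not from the original post) that runs a string-built query and a prepared statement against a constructed in-memory SQLite table with the same input:

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the customer database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str):
    """String concatenation: user input becomes part of the SQL text itself."""
    sql = "SELECT username, email FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn: sqlite3.Connection, username: str):
    """Prepared statement: the ? placeholder keeps the data out of the query text,
    so the same input is only ever compared as a literal string."""
    sql = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups with a normal name and with a textbook injection input."""
    conn = setup_db()
    payload = "' OR '1'='1"  # turns the WHERE clause into an always-true condition
    return {
        "normal_vulnerable": lookup_vulnerable(conn, "alice"),
        "normal_prepared": lookup_prepared(conn, "alice"),
        "payload_vulnerable": lookup_vulnerable(conn, payload),  # returns every row
        "payload_prepared": lookup_prepared(conn, payload),      # no such username
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```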

3. Data Tampering

Data tampering is the act of intentionally modifying data through unauthorized channels. There can be two states of data: in transit and at rest. In both instances, malicious users can intercept and tamper with data. Here’s how data tampering can take place.

Parameter Pollution

Let’s assume a web application allows users to send sensitive data, such as login credentials or fund transfers, via GET and POST methods. In this case, an attacker can tamper with URL parameters and modify data.

To prevent parameter pollution threats in a web application, you need to encode user-supplied input whenever a user sends a GET/POST request to the backend server.

Session hijacking


Session hijacking is another type of attack where malicious users steal session cookies. Each user is assigned a session when they log into a web application, and the session ID is usually stored in a cookie. Attackers use session hijacking to modify data in transit from the client (web browser) to the web server.

How to prevent: Generate Random Session IDs.

Moreover, Plesk also provides loads of security extensions for customers to prevent or mitigate threats not mentioned above. For example, the Sucuri Security Scanner extension on Plesk remotely detects website security issues and weaknesses in the source code.

Sucuri Security Scanner on Plesk - Screenshot

Avoiding these new web application threats

Having said that, don’t just rely on Plesk extensions to protect web applications from web attacks. You also need to use your own secure coding practices to mitigate these threats. So, equip yourself, but stay vigilant.

New Plesk Extensions on the Loose: May Edition

New Plesk Extensions

This is our report on the latest additions to the Plesk extensions catalog. All the extensions you see here are available to download or purchase as of the time of writing, May 2018. In this month’s edition, we highlight new ways to improve the speed and security of your websites and servers, giving you both peace of mind and better performance from your web domains.

Juggernaut Security and Firewall

First of all, we have the latest member of the gang, Juggernaut Security and Firewall, an all-in-one security extension that Danami designed especially for the needs of power users and server providers. This extension adds an extra layer of security that goes beyond the default settings most users usually optimize for themselves.

It offers experienced sysadmins a wider range of features and increased flexibility. These advanced features include an SPI firewall, brute-force protection, real-time connection tracking, intrusion detection, dynamic block lists and geo-blocking.

Juggernaut is a paid extension, and version 2.05 is now available in the Plesk catalog. You can try it for free for 15 days, and you’ll get two free months when you sign up for annual billing.

Speed Kit

Recent studies show that lower page load times directly link to an increase in traffic, lower bounce rates and hence higher visitor retention on your website. All of these eventually lead to higher conversion rates.

Speed Kit promises to boost your page loading speed by 50-300%. How? By re-routing web traffic through its caching infrastructure. And it takes just one click to improve your website’s performance with Speed Kit.

After you install it, the extension performs an in-depth speed analysis, determining the improvements you should implement to boost your site’s metrics. When you store a copy of your site in the accelerated framework, users can access your page instantly from their browser, even when they’re offline.

Sucuri Security Scanner

Sucuri Security Scanner uses the public API of Sucuri SiteCheck to detect malicious elements on your website effectively. This extension lets you schedule regular scans effortlessly, helping you monitor for malware all the time and receive timely notifications about your site’s status.

Sucuri Security Scanner includes the following features:

  • Detecting website malware infections.
  • Monitoring blacklist status.
  • Setting up scans as a scheduled task.
  • Receiving email notifications for security issues.
  • Viewing website security details and information.

Nimbusec Webhosting Security

And finally, we have Nimbusec, another security monitoring extension for websites that you can find in our catalog. It scans your website domains over and over again and reports any potential threats on a centralized dashboard.

Nimbusec Webhosting Security can detect the following online threats:

  • Backdoors and web shells.
  • Overdue CMS updates.
  • Malware.
  • Defacement.
  • Blacklisting.
  • SSL certificate problems.

All in all, security should be a number one priority when maintaining your servers. So if you feel overwhelmed by all our security extension options, feel free to get in touch and chat.

And that’s all the extension news this month. Stay tuned for our next overview of the latest available extensions in our June edition. Meanwhile, are you curious for more? Check out the 100+ other Plesk extensions we’ve got available in our catalog.