Vulnerability scanners help an enterprise identify possible weaknesses throughout its network, such as ports reachable by unauthorized users and software lacking the latest security patches, and so help verify compliance with the organization’s security policy.
Passive scanners emphasize monitoring network traffic without generating any of their own, while active scanners send probes that simulate attacks against the targets. Neither type repairs anything; both report what they find. The two can co-exist within a network, complementing each other’s capabilities.
Passive scanning is one of the safer vulnerability detection methods. In ZAP, the passive scanner runs automatically in a background thread against every response the application returns through the proxy.
Passive scanning does not change the requests or the responses in any way and is therefore safe to use against production systems. Because it runs in a background thread, it does not slow down the exploration of an application.
Some of the issues passive scanning looks for:
- Incomplete or missing Cache-Control HTTP headers
- Missing anti-CSRF tokens in forms (Cross-Site Request Forgery)
- Password fields that allow autocomplete in the browser
- Weak authentication methods (e.g. HTTP Basic or Digest authentication over an unencrypted connection)
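The following added example, written for this page and not taken from ZAP’s source, mimics what a passive scanner does: it inspects a request/response pair that has already been captured, without sending anything new, and flags the three header and form issues listed above. The HTTP headers and login page body are constructed for illustration; the set of anti-CSRF field names is an assumption of the example.

```python
"""Passive-style checks over one captured HTTP response (example, not ZAP code)."""
from html.parser import HTMLParser

# Constructed sample: headers and body of a login page as a proxy might record them.
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=utf-8", "Server": "nginx"}
SAMPLE_BODY = """
<html><body>
<form method="POST" action="/login">
  <input type="text" name="user">
  <input type="password" name="pass" autocomplete="on">
  <input type="submit" value="Log in">
</form>
</body></html>
"""

# Assumed field names that commonly carry an anti-CSRF token.
ANTI_CSRF_NAMES = {"csrf_token", "_csrf", "csrfmiddlewaretoken",
                   "__requestverificationtoken", "authenticity_token"}


class FormCollector(HTMLParser):
    """Collects each <form> and the <input> fields it contains."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.forms.append({"action": attrs.get("action", ""),
                               "method": (attrs.get("method") or "GET").upper(),
                               "inputs": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["inputs"].append(attrs)


def check_cache_control(headers):
    """Flag HTML pages served without no-store/no-cache directives."""
    h = {k.lower(): v for k, v in headers.items()}
    if not h.get("content-type", "").startswith("text/html"):
        return []
    cc = h.get("cache-control", "").lower()
    if "no-store" in cc and "no-cache" in cc:
        return []
    return ["Incomplete or missing Cache-Control header on an HTML response"]


def check_password_autocomplete(forms):
    """Flag password inputs that do not set autocomplete=off."""
    return [f"Password field '{i.get('name')}' allows browser autocomplete"
            for f in forms for i in f["inputs"]
            if (i.get("type") or "").lower() == "password"
            and (i.get("autocomplete") or "").lower() != "off"]


def check_anti_csrf(forms):
    """Flag POST forms with no field that looks like an anti-CSRF token."""
    findings = []
    for f in forms:
        if f["method"] != "POST":
            continue
        names = {(i.get("name") or "").lower() for i in f["inputs"]}
        if not names & ANTI_CSRF_NAMES:
            findings.append(f"POST form to '{f['action']}' has no recognizable anti-CSRF token")
    return findings


def passive_scan(headers, body):
    """Run all checks over the captured exchange. Nothing is sent or modified."""
    collector = FormCollector()
    collector.feed(body)
    return (check_cache_control(headers)
            + check_password_autocomplete(collector.forms)
            + check_anti_csrf(collector.forms))


if __name__ == "__main__":
    for finding in passive_scan(SAMPLE_HEADERS, SAMPLE_BODY):
        print("[passive]", finding)
```

Each check only reads the recorded exchange, which is why these rules are safe to run on every response that passes through the proxy.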
Active scanning attempts to find further vulnerabilities by sending known attack payloads to the selected targets. Because it really does attack the targets, it can put them at risk (crashed services, corrupted or created data) and must only be run against systems you are authorized to test.
- The target is chosen explicitly, via the ‘Attack’ context menu on a site or request
- The tool then exercises every injectable parameter of the application with its library of attack payloads to find as many vulnerabilities as it can
Some of the issues active scanning looks for:
- Cross site scripting
- SQL Injection
- External Redirect
- Parameter tampering
- Directory browsing
Open Source Tools:
There are many free and open source tools available to perform passive and active scans against a target website. The two most widely used web vulnerability scanners are OWASP ‘ZAP – Zed Attack Proxy’, which is open source, and ‘Burp Suite’, a commercial product that also ships a free Community edition.
ZAP (Zed Attack Proxy):
ZAP is one of the best-known penetration testing tools and is actively maintained by hundreds of volunteers worldwide. It can automatically find security vulnerabilities in your web applications while you are developing and testing them.
Key Features of ZAP Tool:
- Intercepting Proxy
- Traditional and Ajax Spider
- Active and Passive scanners
- WebSocket support
- Report Generation
- Authentication and session support
- Port scanner and many more…
In ZAP, active scanning applies a library of known web attacks to the selected targets; ZAP emulates those attacks when active mode is used, so an active scan is a real attack on the target and should be treated as one.
Performing Active Scan with ZAP tool:
When you start ZAP, a proxy server is started in the background (by default listening on localhost, port 8080) that you can direct your browser to use.
- Download and install OWASP ZAP
- Start ZAP
- Start Firefox (other browsers work too). All traffic must be forced through the ZAP proxy now running in the background; the remaining sub-steps are performed in Firefox:
- Open Menu (Tools)
- Advanced (top tab)
- Network (sub tab)
- Connection – Settings (button)
- Select manual proxy configuration and point the HTTP proxy at ZAP’s listener, by default 127.0.0.1 port 8080 (the settings are shown in the screenshot)
- Click OK to leave Firefox Options
Run Active Scan by below steps:
- To open a browser, click on ‘Launch Browser’ button in the ‘Quick Start’ tab
- Provide the target site URL in Firefox Address bar
- While navigating on the site, you should see your requests pulled into ZAP under Sites tab, as shown below.
- Select the site request from ‘Sites’ tab, right click on it and choose the Active scan from ‘Attack’ (Right click on request–> Attack –> Active Scan…) As shown below.
- Click on ‘Start Scan’ button in ‘Active Scan’ popup
Once the active scan has finished, the results are displayed in the Alerts tab. This lists all the security issues found by both the passive and the active scan, flagged according to their risk: red for High, orange for Medium, yellow for Low and blue for Informational.
ZAP can generate reports in multiple formats. To generate an HTML report, use the Menu option Reports -> Generate HTML Report.
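The GUI steps above can also be driven from a script, which is how a team would put the same active scan into a build pipeline. The following is an added example written for this page, not part of ZAP’s distribution; it uses ZAP’s JSON REST API (ascan/action/scan, ascan/view/status, core/view/alerts) over plain urllib. It assumes ZAP is already running in daemon mode on its default port, e.g. `zap.sh -daemon -port 8080 -config api.key=changeme`; the API key and target URL are placeholders, and the alert list at the bottom is a constructed sample in the shape ZAP returns so the summary and gate logic can be exercised offline.

```python
"""Run a ZAP active scan via the REST API and fail the build on serious alerts.

Example for this page, not ZAP's own code. Assumes ZAP is running in daemon
mode on 127.0.0.1:8080 with the API key below (placeholder values).
"""
import json
import sys
import time
import urllib.parse
import urllib.request

ZAP = "http://127.0.0.1:8080"  # ZAP's default listener address
API_KEY = "changeme"           # placeholder; must match -config api.key
RISK_ORDER = ["Informational", "Low", "Medium", "High"]  # ZAP's risk levels, ascending


def api_url(component, kind, name, **params):
    """Build a ZAP JSON API URL such as /JSON/ascan/action/scan/?url=...&apikey=..."""
    params["apikey"] = API_KEY
    return f"{ZAP}/JSON/{component}/{kind}/{name}/?" + urllib.parse.urlencode(params)


def api_call(component, kind, name, **params):
    """Perform one API request and decode the JSON reply (needs a live ZAP)."""
    with urllib.request.urlopen(api_url(component, kind, name, **params), timeout=30) as resp:
        return json.loads(resp.read().decode())


def active_scan(target, poll_seconds=5):
    """Equivalent of right click -> Attack -> Active Scan, then wait for completion."""
    scan_id = api_call("ascan", "action", "scan", url=target, recurse="true")["scan"]
    while int(api_call("ascan", "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(poll_seconds)
    # The Alerts tab contents for this target, passive and active findings together.
    return api_call("core", "view", "alerts", baseurl=target)["alerts"]


def summarize(alerts):
    """Count alerts per risk level, the buckets the Alerts tab colour-codes."""
    counts = {risk: 0 for risk in RISK_ORDER}
    for alert in alerts:
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    return counts


def fails_gate(alerts, threshold="Medium"):
    """True when any alert is at or above the threshold risk level."""
    floor = RISK_ORDER.index(threshold)
    return any(RISK_ORDER.index(a["risk"]) >= floor
               for a in alerts if a["risk"] in RISK_ORDER)


# Constructed sample in the shape of core/view/alerts, so the code runs offline.
SAMPLE_ALERTS = [
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "url": "http://target.example/search?q=x", "param": "q"},
    {"alert": "SQL Injection", "risk": "High",
     "url": "http://target.example/item?id=1", "param": "id"},
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low",
     "url": "http://target.example/", "param": ""},
    {"alert": "Directory Browsing", "risk": "Medium",
     "url": "http://target.example/static/", "param": ""},
]

if __name__ == "__main__":
    # With a target URL argument, scan it for real; otherwise use the sample data.
    alerts = active_scan(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ALERTS
    print(json.dumps(summarize(alerts), indent=2))
    sys.exit(1 if fails_gate(alerts) else 0)
```

Only the target you pass on the command line is scanned, so the script carries the same caveat as the GUI procedure: run it solely against systems you are authorized to attack.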