Created on 2022-06-15 02:19
Published on 2022-06-15 02:46
It has been several years since taking my CEH courses and I’ve been tinkering again with various open source vulnerability discovery tools. I thought I’d share what I’ve re-learned.
This is probably fairly basic for you experienced vulnerability assessors, but I figured it could be useful for smaller organizations who want to run some quick checks on their own sites every now and again to see if something new has cropped up.
The target for this assessment would be for a basic website, hosting general information and perhaps a contact form. It is not meant for an in-depth assessment of a merchant-based transactional system with known access/storage/processing of sensitive information. This process does not test the exploitability of the vulnerabilities discovered.
Last but not least… Use it at your own risk, hire a professional when needed, seek legal advice before performing any assessments, and run scans "after hours" if at all possible, as there is always a slight risk of impact (outages). Thoughts expressed are solely my own and do not express the views or opinions of my employer.
Step 1: Setup an assessment system, install the operating system and update it. I recommend at least a 2- or 4-CPU machine with 4GB RAM and 100GB or more hard drive. Physical or virtual is fine. My assessment machine is virtual, using Oracle VirtualBox on my laptop. VirtualBox is a professional actively-developed virtualization solution that is free and available as Open Source Software. It runs on Windows, Linux, Macintosh, and Solaris, and supports a large number of guest operating systems. It can be downloaded directly from https://www.virtualbox.org/wiki/Downloads.
For the operating system/assessment toolbox, I use Kali Linux. From their site, “Kali Linux is an open-source, Debian-based Linux distribution geared towards various information security tasks, such as Penetration Testing, Security Research, Computer Forensics and Reverse Engineering.” Kali can be downloaded as an ISO (which can be attached to the virtual machine for setup) from https://www.kali.org/get-kali/.
Once you have Kali installed and functioning, you should update it. You can do this by following the instructions here: https://www.kali.org/docs/general-use/updating-kali/ which basically consists of the following two commands:
sudo apt update
sudo apt full-upgrade -y
Step 2: If you are doing this from behind your home/personal Internet connection, you should probably install a VPN first. See https://www.cnet.com/tech/services-and-software/best-vpn/ for several options.
Step 3: Get legal permission/approval to perform any testing on the target, unless it is one that you personally own and manage. This should be a legal document that names the target(s), the goal(s) and the times, includes some NDA/confidentiality clause, and is signed by both parties, preferably with a witness. I am not a lawyer, so you should seek legal counsel to ensure what you have is good-to-go.
Step 4: Assess. I generally start with an nmap sweep to identify open ports on the target host. This is obviously valuable to discover what services might be running. The command for this is:
nmap -v -A -sV {host IP address}
While the above is running, I will generally do a few other checks on the host address, including a blacklist check, a DNS (domain name service) check, and an MX (mail exchange) record check. These tools can be found at https://mxtoolbox.com.
There are also a few tools that check websites for malware, including:
And if the website is SSL secured [as it should be], you should perform an SSL certificate check at https://www.sslshopper.com/ssl-checker.html.
And for determining the site server and code (HTML) vulnerabilities, here is the command I use in a Kali terminal window:
nikto -h {www.domain.com} -ssl -o {output file} -F txt
Step 5: Report. Collect your findings from the above tools and commands, do your homework on the vulnerabilities, the risk, and the mitigation/remediation steps; and put it into a document for delivery and discussion. OWASP (https://owasp.org) is a great site for help with determining website vulnerability details and remediation steps, as is the CVE database (https://cvedetails.com).
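As an added example (not part of the original post), here is a small Python script that turns the Step 4 nmap results into first-pass finding rows for the Step 5 report. It assumes the nmap command is run with `-oX scan.xml` added so the output is machine-readable; the sample XML and the list of "unexpected" ports are constructed for illustration, not taken from a real scan.

```python
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -v -A -sV -oX scan.xml <host>` writes (assumption:
# -oX is added to the Step 4 command so the results can be parsed instead of read by eye).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap"><host>
  <address addr="192.0.2.10" addrtype="ipv4"/>
  <ports>
    <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
    <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.6"/></port>
    <port protocol="tcp" portid="443"><state state="open"/><service name="http" product="Apache httpd" version="2.4.6" tunnel="ssl"/></port>
    <port protocol="tcp" portid="3306"><state state="closed"/><service name="mysql"/></port>
    <port protocol="tcp" portid="6379"><state state="open"/><service name="redis"/></port>
  </ports>
</host></nmaprun>"""

# Listeners a basic informational website has no reason to expose to the Internet (constructed list; adjust to the site).
UNEXPECTED_ON_WEB_HOST = {21, 23, 3306, 3389, 5432, 6379, 27017}

def parse_open_ports(xml_text):
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not findings
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            rows.append({
                "host": addr,
                "port": int(port.get("portid")),
                "service": attrs.get("name", "unknown"),
                "product": " ".join(v for v in (attrs.get("product"), attrs.get("version")) if v),
                "ssl": attrs.get("tunnel") == "ssl",
            })
    return rows

def triage(rows):
    # Attach a first-pass finding to each open port; the analyst still does the homework.
    for r in rows:
        if r["port"] in UNEXPECTED_ON_WEB_HOST:
            r["finding"] = "unexpected service exposed; restrict or remove"
        elif r["service"] == "http" and not r["ssl"]:
            r["finding"] = "cleartext HTTP; confirm it only redirects to HTTPS"
        else:
            r["finding"] = "check product/version against the CVE database"
    return rows

if __name__ == "__main__":
    for r in triage(parse_open_ports(SAMPLE_NMAP_XML)):
        print(f'{r["host"]}:{r["port"]} {r["service"]} {r["product"]} -> {r["finding"]}')
```

Replace `SAMPLE_NMAP_XML` with the contents of your own `scan.xml` to get a starting table for the report.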
Step 7: Fix your issues, if you own/manage the host in question, or recommend that the site owner resolve them in some priority order.
I hope this is helpful to some. I would greatly appreciate your feedback, additional tips, suggestions and criticisms. Last and most importantly, I hope you have fun finding and fixing those vulnerabilities, and I hope you find and fix them before they are exploited. Stay safe!