Security Threats

G.1440's Web Vulnerability Scan uses the latest tools to thoroughly check your web site and applications for security threats and hacking vulnerabilities including:

Version Check

  • Vulnerable Web Servers
  • Vulnerable Web Server Technologies – such as “PHP 4.3.0 file disclosure and possible code execution.

PCI Compliance

  • Identifies potential holes in the 12 Payment Card Industry (PCI) Data Security Standard (DSS) requirements

Parameter Manipulation

  • Cross-Site Scripting (XSS) – We test over 40 different XSS variations
  • SQL Injection
  • Code Execution
  • Directory Traversal
  • File Inclusion
  • Script Source Code Disclosure
  • CRLF Injection
  • Cross Frame Scripting (XFS)
  • PHP Code Injection
  • XPath Injection
  • Full Path Disclosure
  • LDAP Injection
  • Cookie Manipulation
  • Arbitrary File creation
  • Arbitrary File deletion
  • Email Injection
  • File Tampering
  • URL redirection
  • Remote XSL inclusion

CGI Tester

  • Checks for Web Servers Problems – Determines if dangerous HTTP methods are enabled on the web server (e.g. PUT, TRACE, DELETE)
  • Verify Web Server Technologies

MultiRequest Parameter Manipulation

  • Blind SQL/XPath Injection

File Checks

  • Checks for Backup Files or Directories - Looks for common files (such as logs, application traces, CVS web repositories)
  • Cross Site Scripting in URI
  • Checks for Script Errors

Directory Checks

  • Look for Common Files (such as logs, traces, CVS)
  • Discover Sensitive Files/Directories
  • Discover Directories with Weak Permissions
  • Cross Site Scripting in Path and PHPSESSID Session Fixation.
  • Web Applications
  • HTTP Verb Tampering  

Text Search

  • Directory Listings
  • Source Code Disclosure
  • Check for Common Files
  • Check for Email Addresses
  • Microsoft Office Possible Sensitive Information
  • Local Path Disclosure
  • Error Messages
  • Trojan shell scripts (such as popular PHP shell scripts like r57shell, c99shell etc)

Weak Passwords

  • Weak HTTP Passwords

GHDB Google Hacking Database

  • Over 1200 GHDB Search Entries in the Database

Port Scanner and Network Alerts

  • Port scans the web server and obtains a list of open ports with banners
  • Performs complex network level vulnerability checks on open ports such as:
    • DNS Server vulnerabilities (Open zone transfer, Open recursion, cache poisoning)
    • FTP server checks (list of writable FTP directories, weak FTP passwords, anonymous access allowed)
    • Security and configuration checks for badly configured proxy servers
    • Checks for weak SNMP community strings and weak SSL cyphers
    • and many other network level vulnerability checks!

Other vulnerability tests may include:

  • Input Validation
  • Authentication attacks
  • Buffer overflows
  • Blind SQL injection
  • Sub domain scanning