Web Site Vulnerability Scanning
When organizations think of hackers and external security threats, they immediately focus on firewalls, access rules, and intrusion detection. However, defense at the network security level will provide no protection against web application attacks since they are launched on ports 80 and 443 – which have to remain open to allow people to visit your web site.
In addition, web site functionality is often custom-made and therefore tested less than off-the-shelf software. Web sites, as such, are more likely to have undiscovered vulnerabilities.
Web site security must be a priority in any organization but remains overlooked. Hackers continue to concentrate on web-based applications – electronic forms, login pages, dynamic content, etc. Web applications are accessible 24/7 and control valuable data since they often have direct access to back-end data.
Firewalls, SSL, and Hardened Networks Are Futile Against Web Application Hacking
Cyber criminals are focusing their efforts on exploiting weaknesses in web applications such as forms, blogs, content management systems, login pages, and other dynamic content. Insecure web applications and web services not only provide attackers access to back-end databases but also allow them to perform illegal activities using compromised sites.
Web application attacks are carried out over HTTP and HTTPS, the same protocols that are used to deliver content to legitimate users. Yet web application attacks—both on free open-source software, such as WordPress, Drupal and Joomla!, as well as commercial or custom-built applications—can have repercussions that are the same, or worse, than traditional network-based attacks.
Crawling and Detection
Our deep scanning engine allows accurate crawling of web sites that leverage complex technologies and programming standards. Our solution offers the industry’s most advanced and robust SQL Injection and cross-site scripting testing, even DOM-based cross-site scripting.
At the heart of our vulnerability scanning engine is a fully automated web browser that can understand and interact like a regular browser would with complex web technologies such as AJAX, SOAP/WSDL, SOAP/WCF, REST/WADL, XML, JSON, Google Web Toolkit (GWT), and CRUD operations. This allows our scanner to test any web application as though it is running inside of a user’s browser, allowing the engine to seamlesly interact with complex controls just as a user would, significantly increasing the scanner’s coverage of the web application.
Testing authenticated areas of your web sites and web applications is absolutely crucial to ensure full testing coverage. LKCS can automatically test authenticated areas by recording a login sequence to authenticate to a page.
Accurate vulnerability detection lies in the ability to detect anything from the most obvious to the most obscure SQL Injection, XSS weakness and over 500 other types of web application vulnerabilities.
Lowest False Positive Rates
Detection of vulnerabilities that don't really exist are a nightmare to deal with. False positives reduce confidence in the scanner and waste the time of pen-testers and developers alike in trying to find and fix vulnerabilities. Our tools provide the lowest false positive rate in the industry, saving valuable time for your security and development teams.
Detect Critical Vulnerabilities with 100% Accuracy
Accurate vulnerability detection lies in the ability to detect anything from the most obvious to the most obscure threats. LKCS' web site vulnerability scanner finds over 500 types of web application weaknesses including:
- SQL Injection
- Cross-site Scripting
- Code Execution
- CRLF Injection
- Directory Traversal
- Arbitrary File Creation
- Arbitrary File Deletion
- Email Injection
- File Upload
- File Inclusion
- File Tampering
- PHP Code Injection
- PHP SuperGlobals Overwrite
WordPress Security Scan Features
With more than 24% of web sites on the internet running WordPress, and a 60% share of the Content Management System (CMS) market; WordPress security is becoming an increasingly important factor in an organization’s security posture.
While WordPress’ core is designed with security in mind, the same cannot be said for the thousands of plugins which extend the WordPress ecosystem. Unfortunately, thousands of WordPress plugins contain high-severity vulnerabilities. Unless vulnerable plugins are updated or disabled, they could allow attackers to easily compromise the integrity and availability of the site, gain access to the WordPress administrative interface and the database, deface the site and trick users into phishing attacks, or use the site to distribute malware.
Our vulnerability scanner identifies WordPress installations, and will launch security tests for over 1,200 popular WordPress plugins, as well as several other vulnerability tests for WordPress core vulnerabilities.
Reporting and Remediation
In order to keep track of the vulnerabilities detected in your web applications, LKCS provides extensive reports to help manage escalation and remediation of vulnerabilities while assisting in task prioritization. We include a set of Internal Management reports to enable you to share security findings internally with developers and management, as well as a range of Compliance and Classification reports for regulatory standards and best practice guidelines.
The Developer report provides a comprehensive summary of a scan. It will display scan details, server details, alert summary and alert details, pages with a long response time, a list of external links, email addresses, client scripts and external hosts, together with remediation examples and best practice recommendations for fixing the vulnerabilities detected during a scan.
FFIEC Cybersecurity Assessment Maturity
Financial institutions must now scrutinize their exposure and ability to manage cybersecurity risks through the FFIEC Cybersecurity Assessment.
LKCS’ web site vulnerability scanning solution will demonstrate your institution is able to detect threats and vulnerabilities. Specifically, LKCS will help you comply with the following assessment guidelines:
- Conduct independent testing and vulnerability scanning of critical Web-facing applications
- Perform these tests routinely to identify security control gaps
- Execute tests on internet-facing applications or systems before they are launched or undergo significant change
LKCS offers different subscription levels for Web Site Vulnerability Scanning.
Quarterly Subscription: LKCS will scan your web site for vulnerabilities every 3 months and provide detailed reporting of the test results.
Semi-Annual Subscription: We will scan your web site for vulnerabilities every 6 months and provide detailed reporting of the test results.
As-Needed Web Site Scanning: Schedule a web site vulnerability assessment whenever you need it. Be prepared for annual IT audits or regulatory exams.