Sockets, Shellcode, Porting & Coding: Reverse Engineering Exploits and Tool Coding for Security Professionals

The launch of the World Wide Web has elevated the possibilities and expectations of communications to new heights. Web servers, chat applications, peer-to-peer file transfer programs, and various other Web-enabled projects have changed our world. But with the arrival of these new technologies come security implications involving user privacy, data storage, and user integrity, which incorporate authentication controls and encryption standards, to mention but two. Web servers, applications, sites, and data (obviously the most popular and oft-used part of the Internet) are the biggest concern of most security practitioners.
Whisker, a complex Perl script written to assess Web-based vulnerabilities, was the de facto standard for Web application tools for nearly three years. Rain Forest Puppy (RFP) wrote Whisker to fulfill the need for a comprehensive tool that searched through Web server indexes looking for potentially vulnerable applications or injection points from which an attack could be launched. RFP then started a new project entitled LibWhisker, which encompassed most of the functionality required to run the advanced queries within Whisker. LibWhisker soon became the back-end technology that drove the development of nearly all Web assessment tools, and the clear winner among freeware static scanners built on it was CIRT's Nikto. Nikto has a Perl front-end that utilizes the LibWhisker modules for complex back-end functions. In addition to the front-end, Nikto had a new custom text database that encompassed a great many attack requests, potentially vulnerable CGI applications, and Web server banner identification techniques.
Our Web server scanner, SP-Rebel, has a new parsing engine to...