Tool Unmasks Web Server Vulnerabilities
In response to increasingly militant attacks carried out by hackers, system administrators across the spectrum of IT have worked diligently in recent months to remove telltale signs that can identify their Web servers. However, this may create a false sense of confidence.
All it takes to pin the tail on a Web server is a trip to netcraft.com, where a specialized service identifies what type of Web server a target site is running by examining its nuances. From Apache to iPlanet to IIS, servers are an open book – often by default.
A clever system administrator may think their site is safe behind the shroud of secrecy, but in reality it is not.
A proof-of-concept tool, presented by Jeremiah Grossman earlier this month at the Black Hat security conference in Singapore, can do for Web servers what Nmap does for operating systems. Utilizing a method called "Web server fingerprinting," the tool can identify what specific software the server is running and disclose potential vulnerabilities.
Web server fingerprinting makes it possible to get information on: supported HTTP request methods, current service packs, patch levels, and configurations. For example, the technology can be used by administrators to determine if an outdated Apache server suffers from a "chunked" vulnerability.
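The following added example (not Grossman's tool, and not code from the original article) shows an administrator-side audit of why stripping the banner is not enough: responses with no Server header are still grouped by behavioural traits. The trait profiles, the `family-A`/`family-B` names, and the sample responses are all constructed for illustration and are not measured signatures of any real product.

```python
"""Audit whether banner-stripped HTTP responses still give away the server family."""

# Hypothetical trait profiles (constructed for this example, not measured from
# any real product): relative header order and the reason phrase sent with a 404.
PROFILES = {
    "family-A": {"order": ["date", "content-type", "content-length"],
                 "reason_404": "Not Found"},
    "family-B": {"order": ["content-length", "content-type", "date"],
                 "reason_404": "Object Not Found"},
}

def parse(raw):
    """Split a raw response head into (reason phrase, [lower-cased header names])."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = head[0].split(" ", 2)
    reason = parts[2] if len(parts) == 3 else ""
    names = [ln.split(":", 1)[0].strip().lower() for ln in head[1:] if ":" in ln]
    return reason, names

def score(raw, profile):
    """Count how many of the profile's two traits the response exhibits (0..2)."""
    reason, names = parse(raw)
    seen = [n for n in names if n in profile["order"]]
    return int(seen == profile["order"]) + int(reason == profile["reason_404"])

def classify(raw):
    """Return (best family, score); family is None when no trait matches."""
    best = max(PROFILES, key=lambda f: score(raw, PROFILES[f]))
    pts = score(raw, PROFILES[best])
    return (best if pts else None), pts

def audit(responses):
    """Map host -> family for hosts that hide the banner but still classify."""
    exposed = {}
    for host, raw in responses.items():
        _, names = parse(raw)
        family, _ = classify(raw)
        if "server" not in names and family:
            exposed[host] = family
    return exposed

# Constructed 404 responses; both hosts have had the Server header removed.
RESPONSES = {
    "host1.example": "HTTP/1.1 404 Not Found\r\nDate: Mon, 01 Jan 2001 00:00:00 GMT\r\n"
                     "Content-Type: text/html\r\nContent-Length: 0\r\n\r\n",
    "host2.example": "HTTP/1.1 404 Object Not Found\r\nContent-Length: 0\r\n"
                     "Content-Type: text/html\r\nDate: Mon, 01 Jan 2001 00:00:00 GMT\r\n\r\n",
}

if __name__ == "__main__":
    print(audit(RESPONSES))
```

Any host the audit returns is one where hiding the banner changed nothing about what a remote observer can infer, so patching, not concealment, is what protects it.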
Grossman assures BetaNews that he wears a white hat, however, and his Web site, White Hat Security, discusses these new ideas and techniques as well as suggested countermeasures. The tool developed by Grossman allows an administrator to remotely determine which version of software a server platform is running without having to log in to each and every box individually.
"This is simply another example of why 'security by ignorance' has never been effective," said David Freund, senior server analyst at Illuminata.
Tools such as the one developed by Grossman may sound ominous, but they are designed to promote the adoption of better security practices.
"Preventing a web server from advertising its functional makeup does not protect it. If its functions are offered to a network, they can be used. And if those functions have unique features -- or vulnerabilities -- they can be discovered and exploited," said Freund. "The only way to secure a web server, or any other server, is to secure all of its externally-offered functions."
Even though the concept of "fingerprinting" a server is relatively new, it is certain to gain prominence in the cat-and-mouse game of security on the Web.