RE: nikto, n-stealth can crash the web-server?

From: Evans, Arian (Arian.Evans@fishnetsecurity.com)
Date: Fri Jul 14 2006 - 17:04:16 EDT


Matthias,

> -----Original Message-----
> From: Matthias Heinrich [mailto:matze-heinrich@gmx.de]
>
> I'm trying to find out if web-scanners like n-stealth or
> nikto can crash the web-server and why.

I've seen nikto in particular cause crashes, and Nessus
plugins, but it always depends on the webserver & the
check, and usually it's not too hard to hunt down.

Examples:

+ Chunked encoding tests on older IIS & apache versions

+ There's a Cisco ACS BoF check through a long URL string
that I've seen crash custom webservers due to the character
sets used to create the URL payload, or the size, not being
handled properly.

+ Threads: on custom web servers, poorly coded threading
can thread-lock the thing.

+ Sockets: I ran into Tomcat implemented with some custom
sockets programming that choked on multi-threaded tests
due to inability to close & recycle TCP connections fast
enough (would simply run out of proc, then mem).

+ TCP/IP stack: this is mostly old news, but I've seen
www and db servers fail due to the stack crashing on
several OSes, like old HPUX and OpenVMS stuff back when
you had vendor-supplied custom stacks, and the same with
some older Unisys systems on which they customized the IP stack.

You couldn't even port-scan some of those old systems
w/out them crashing; see Sockets above.

Then there is simply resource exhaustion, possibly due
to system limitations or web server misconfiguration.

Hope that gives you some ideas,

Arian J. Evans
FishNet Security
913.710.7085 [mobile]
816.701.2045 [office]
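
One way to do that hunting from the server's access log, added here as an example and not part of Arian's reply: the Python below flags the request features his list names (oversized URIs, non-ASCII or control bytes after URL-decoding, chunked request bodies, 5xx responses) and per-second request bursts from a single client, so the lines just before a crash can be matched to a scanner check. The sample log lines, the extra Transfer-Encoding log field, and the two thresholds are constructed assumptions, not anything from the original thread.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Combined Log Format plus one extra quoted field holding the request's
# Transfer-Encoding header (assumption: the log format was extended for this).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<te>[^"]*)"$')

MAX_URI = 512          # longest URI the application should ever see (assumed)
BURST_PER_SECOND = 3   # requests from one client in one second (assumed)
LONG = "A" * 600       # constructed sample below: one normal request, three scanner-style ones
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [14/Jul/2006:16:58:01 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0" "-"',
    f'10.0.0.9 - - [14/Jul/2006:16:58:02 -0500] "GET /cgi-bin/x.cgi?{LONG} HTTP/1.1" 500 0 "-" "scanner" "-"',
    '10.0.0.9 - - [14/Jul/2006:16:58:02 -0500] "POST /upload HTTP/1.1" 200 0 "-" "scanner" "chunked"',
    '10.0.0.9 - - [14/Jul/2006:16:58:02 -0500] "GET /%ff%c0%af../ HTTP/1.1" 404 0 "-" "scanner" "-"',
])

def classify(line):
    """Return (ip, timestamp, reasons) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    if len(m['uri']) > MAX_URI:
        reasons.append('long-uri')
    # Decode %xx escapes to raw octets so unusual character sets are judged on bytes.
    if any(b < 0x20 or b > 0x7e for b in unquote_to_bytes(m['uri'])):
        reasons.append('non-ascii-or-control-bytes')
    if m['te'].lower() == 'chunked':
        reasons.append('chunked-request')
    if m['status'].startswith('5'):
        reasons.append('server-error')
    return m['ip'], m['ts'], reasons

def triage(log_text):
    """Return (flagged lines, (ip, second) pairs at or above the burst limit)."""
    flagged, per_second = [], Counter()
    for n, line in enumerate(log_text.splitlines(), 1):
        parsed = classify(line)
        if parsed is None:
            continue
        ip, ts, reasons = parsed
        per_second[(ip, ts)] += 1
        if reasons:
            flagged.append((n, ip, reasons))
    bursts = sorted(k for k, c in per_second.items() if c >= BURST_PER_SECOND)
    return flagged, bursts
```

Run `triage` over the lines logged in the seconds before the crash; the flagged reasons point at which kind of check (long URL, odd character set, chunked body, connection burst) to reproduce against a test instance.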