Site scanning/probing is the initial phase of any attack on Web applications. During this phase, the attacker gathers information about the structure of the Web application (pages, parameters, etc.) and the supporting infrastructure (operating system, databases, etc.). Target Web sites are scanned for known vulnerabilities in infrastructure software (such as IIS) as well as unknown vulnerabilities in the custom code developed for the specific target application.

Detailed Description

Site scanning/probing is the main technique attackers use to gather as much information as possible about a Web application and the supporting infrastructure. A standard site scan is composed of several steps. First, the attacker detects the operating system installed on the server. This can be done using automatic tools like nmap, by identifying the Web Server type in the HTTP Request (for example, IIS runs on Windows-based sites) or by guessing according to file extensions. (Usually, Windows-based sites use ".htm" and ".jpg" files, whereas UNIX sites use .html and .jpeg files).

Identifying which Web server runs on the target machine is very useful to the attacker. Knowing the specific type of Web server (and by extension its default configuration), an attacker may try to exploit known vulnerabilities, access sample files, and try default user accounts. There are three common ways of detecting the Web server: by using automatic tools such as Nikto, by identifying the Web server type in the HTTP Request, or by guessing according to files suffixes (ASP Pages normally indicate an IIS Server whereas PHP Pages normally indicate an Apache server).

Additional important information about the infrastructure of the target server can be gathered using probing techniques such as path revealing, Directory Traversal and remote execution (may allow mapping the entire site and its source). The attacker can complete the Infrastructure knowledge base by identifying database server types, content infrastructure types (WebSphere, BroadVision and Vignette), and so on.

After the attacker analyzes the infrastructure, the entire application can be scanned. Application scanning provides a map of the entire site including: all pages, parameters used by dynamic pages, cookies used by the site and transactions flow. This information leads the attacker to an understanding of the application's authentication, authorization, logic, and transactional mechanisms. This body of information provides the basis of a strategy to attack the target site.

Solution Blocks site probing?
Imperva SecureSphere YES (known and unknown attacks)
Firewalls Some/Partial (known attacks only)
Intrusion Detection Systems Partial detection only, known attacks only
Intrusion Prevention Systems Partial (known attacks only)

During site probing the attacker performs several operations: