DenyAll Vulnerability Manager Cloud Edition – v5.6

Precautions for website testing

DenyAll Edge Tester integrates an active web application scanner that automates thousands of requests against every web page it identifies. The effects of such a test depend entirely on the logical behavior of the web application and may be unpredictable. For example, DenyAll Edge Tester may test an unprotected contact form (one that sends an email containing all the input fields, without a captcha) and thereby trigger thousands of emails. DenyAll Edge Tester also tests for SQL injection vulnerabilities in the web application. The technique used to test for this vulnerability (blind SQLi) makes the underlying database pause, so if the test succeeds in exploiting a vulnerability, the database and possibly the web application may be slowed down. A final example: if the web application is a blog that does not require any authentication, DenyAll Edge Tester may post thousands of comments while trying to identify vulnerabilities in the comment posting form.

The main recommendation is to first test the web application in a pre-production environment. The test can also be scheduled at a time that does not impact the users, and stopped in case the web application encounters any issue.
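Because a scan in production should be stopped as soon as it causes trouble, an operator needs a quick way to tell from the web server's own logs whether the scanner has reached a delay-based SQL injection test or is flooding a form. The following is an added example, not part of the DenyAll product or its documentation: it parses Apache/nginx combined-format access-log lines (constructed here for the demo), flags requests containing the usual database delay primitives that time-based blind SQLi relies on, and counts repeated POSTs from one client to one URL. The threshold and the regular expressions are assumptions chosen for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Combined log format: client, identd, user, [timestamp], "METHOD PATH PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Time-based blind SQLi works by making the database pause. These are the
# delay primitives of MySQL, PostgreSQL and SQL Server, matched against the
# URL-decoded, lower-cased request path and query string (assumed pattern list).
DELAY_RE = re.compile(r"(sleep\s*\(|pg_sleep\s*\(|benchmark\s*\(|waitfor\s+delay)")


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = unquote_plus(rec["path"])  # decode %27, %20, + etc.
    return rec


def find_delay_probes(lines):
    """(client, decoded path) for requests carrying a database delay primitive."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and DELAY_RE.search(rec["path"].lower()):
            hits.append((rec["client"], rec["path"]))
    return hits


def find_form_floods(lines, threshold=20):
    """(client, path) pairs that POSTed to the same URL at least `threshold` times."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST":
            counts[(rec["client"], rec["path"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def build_sample_log():
    """Constructed sample lines (not real traffic) mimicking one scanner pass."""
    fmt = ('203.0.113.10 - - [22/May/2015:10:00:%02d +0000] '
           '"%s %s HTTP/1.1" %d 512 "-" "Mozilla/5.0"')
    lines = [
        fmt % (1, "GET", "/index.php", 200),
        # two delay-based probes against the same parameter
        fmt % (2, "GET", "/item.php?id=1%27%20AND%20SLEEP(5)--%20", 200),
        fmt % (8, "GET", "/item.php?id=1%3BWAITFOR%20DELAY%20%270:0:5%27--", 200),
        fmt % (9, "GET", "/item.php?id=2", 200),
    ]
    # the scanner fuzzing an unprotected contact form: many POSTs to one URL
    lines += [fmt % (10 + i % 50, "POST", "/contact.php", 302) for i in range(25)]
    return lines


if __name__ == "__main__":
    sample = build_sample_log()
    for client, path in find_delay_probes(sample):
        print("delay probe from", client, "->", path)
    for (client, path), n in find_form_floods(sample).items():
        print("form flood from", client, "->", path, "x", n)
```

Pointed at the real log (`find_form_floods(open("/var/log/apache2/access.log"))`), both functions give the operator the evidence needed to decide whether to stop the task: delay probes explain a sudden database slowdown, and a flood count on a mail-sending form explains a burst of outgoing email.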

Changelog
v5.6 (2015/05/22)
  • Major OpenVAS upgrade,
  • Merge upstream sqlmap improvements,
  • Allow aggressive check per schedule,
  • Web scanner improvements (crash and performance fixes),
  • GUI enhancements,
  • Allow to manually rename assets,
  • Add a report mode without vulnerabilities details (only summary part),
  • Fix javascript bugs with Internet Explorer,
  • Add a syslog connector.
v5.5 (2014/10/13)
  • Fix of "ShellShock" Bash vulnerability (update of embedded bash),
  • Security update to detect "ShellShock" Bash vulnerability (CVE-2014-6271, CVE-2014-7169) in whitebox testing only.
v5.4 (2014/05/26)
  • Fix of Heartbleed vulnerability (update of OpenSSL used to display the GUI),
  • Security update to detect Heartbleed vulnerability (CVE-2014-0160).
v5.3 (2013/12/15)
  • Provide the ability to share web session cookies to bypass complex authentication schemes,
  • Automatically add identified names and accounts in wordlists,
  • Report on number of vulnerabilities instead of number of categories (which group missing patches),
  • Rotate logs to avoid filling the HDD,
  • Deactivate javascript crawler when too many errors or timeouts are encountered,
  • Added group definitions in audit logs,
  • The Forbidden URL wordlist is no longer case sensitive, so "logout" will also exclude "Logout".
v5.2 (2013/08/12)
  • Add per-analysis license support,
  • Add PCI DSS references,
  • Allow selection of which web tests to perform when configuring a task (VM only),
  • Add a vulnerabilities view (VM only),
  • Allow logout pages to be excluded per website (VM and SaaS),
  • Add an option to define the maximum duration of a task (VM and SaaS),
  • Add to reports a list of forms and external URLs found during external analysis,
  • Add a log of user actions (VM only).
v5.1 (2013/04/12)
  • Fix a bug when the netbios name resolution fails, resulting in the scanner scanning localhost.
v5.0 (2013/03/15)
  • Users groups management (VM only),
  • IPv6 support,
  • Improve OpenVAS startup performance,
  • Add a passwords triviality test for white box scans,
  • Add a taskbar notifying the user when a scan is running in the background,
  • Add a scheduled and running tasks control panel (SaaS only),
  • Add possibility to launch one shot analyses directly from the inventory and tickets (VM only),
  • Add autogrouping filters to automatically classify assets in groups when matching defined criteria (VM only),
  • Add optional gap analysis to PDF and MHT reports (VM only),
  • Bugfixes.
v4.9 (2012/10/29)
  • XML export of results from DenyAll Edge Tester and DenyAll Auditor, XML import into DenyAll Vulnerability Manager to allow consolidation and ticket management,
  • Allow internal parameters configuration (timeouts, parallelization level...),
  • Allow custom report appearance (needs a specific deployment, contact DenyAll to use it),
  • SSH server (optional),
  • Bugfixes.
v4.8 (2012/09/04)
  • Migration to Ubuntu 12.04 LTS version,
  • Rebranding: VulnIT is now a DenyAll company,
  • SSH key support for whitebox testing on Unix environment,
  • WSDL discovery and parsing,
  • Webservices SQL injection detection,
  • Added a filter field in the inventory (VM product), in order to quickly select a device,
  • Many enhancements in the SaaS "Edge Tester" product (redundant architecture, report history, account management),
  • License format change (needs to contact the support team to update).
v4.7 (2012/05/22)
  • Added ticket reporting (ticket history and generation of exportable reports),
  • Added VulnIT data backup/restore functionality,
  • Added information gathering on OS and web banners,
  • Improved the web crawler (log in JS forms).
v4.6 (2012/03/26)
  • Added a new plugin targeting ACL review on Windows file shares,
  • Added new web tests (directory indexing on IIS and HTTP functions like DELETE),
  • Validating authentication credentials (for whitebox testing) when saving (used to be after the first test),
  • Fixing unreliable patch management tests (which could not start in particular environments),
  • Fixing ineffective interruption of the network scan.
v4.5 (2012/02/22)
  • Added DBMS configuration review (white box testing) on Oracle, SQL Server and MySQL,
  • Added a new plugin targeting DBMS passwords decryption offline (complexity check) on Oracle, SQL Server and MySQL,
  • Configuration of which service runs on each socket, enabling testing known services running on exotic sockets,
  • Added aggressive patch management tests, executed optionally (through a hidden configuration page),
  • Fixing unwanted account lock while testing DCs.
v4.4 (2012/01/16)
  • Added new patch management tests of low and medium risk (CVSS<7). Risk rating change (low, medium, high, major, critical),
  • Added Windows configuration review (security policy, groups and accounts, firewall activation, up-to-date antivirus, etc),
  • Integration of new web tests (command and LDAP injections),
  • Added Unix configuration review (white box testing),
  • Added a new plugin targeting Unix passwords decryption offline (using a remote SSH access),
  • Improved test parallelization (significant time saved on SSH and Oracle testing),
  • Fixing unwanted printings during port scanning,
  • Fixing a memory leak bug in web testing.
v4.3 (2011/11/22)
  • Added task monitoring and manual start/stop/delete (VulnIT-VM),
  • Weighting of vulnerability risks by the asset value attributed to each device (VulnIT-VM),
  • Improvement of the display delay of the user interface (VulnIT-VM),
  • Creation of task by group of assets or websites (VulnIT-VM),
  • Email alerts, on task termination and ticket follow-up (VulnIT-VM),
  • Crawling of websites with JS events/frameworks (by integrating a browser with javascript support),
  • Added network filtering in the Windows shares console,
  • Improvement of port scanning reliability (by integrating nmap).
v4.2 (2011/09/28)
  • Improvement of the user experience (through numerous functionalities added in VulnIT-VM user interface),
  • Added 2 new tests of web vulnerabilities (CSRF and XSS),
  • Added support for offline activation (in case the user has no access to the Internet),
  • Fixing a few bugs (VulnIT-VM first boot screen, VulnIT-KEY report saving).
v4.1 (2011/08/05)
  • 3 major functionalities have been added to the VulnIT-VM software: test automation (through task programming), remediation follow-up (using tickets) and advanced monitoring (dashboards),
  • Creation of groups of assets (for instance, web servers or printers) to provide consolidated views in dashboards and reports,
  • Significant improvement of web testing speed and reliability,
  • Added support for HTTPS and AD authentication in web applications,
  • New dictionaries for authentication testing on websites and MySQL databases,
  • Fixing a few bugs (on Oracle testing mostly).
v4.0 (2011/06/09)
  • The software interface has been completely renewed, greatly improving the user experience,
  • Integration of the new Ubuntu 11.04 in order to support the latest hardware,
  • Migration to OpenVAS 4 in order to perform white box testing of patch management and integrate the latest plugins,
  • Split the vulnerabilities - in the technical report - whether they have been identified in white box or black box testing,
  • Improvement of Internet connection (by adding Kerberos authentication support),
  • Adding in the report a summary of every tested device,
  • Fixing a dozen minor bugs.
v3.1 (2011/03/03)
  • The software has been ported to a virtual machine called VulnIT-VM,
  • Adding a new specific console dedicated to Windows file sharing (optional module),
  • Report export available in new formats: CSV (for easy integration in Microsoft Excel for instance), and MHT (in order to modify the report in Microsoft Word for instance), provided as an optional module,
  • Enabling adding the workstation running the software to a Windows domain in order to facilitate access to the Internet and to the updates provided online,
  • Improving the website crawler (following redirections, detecting all the ports hosting a web service, limiting the crawler to an alias or even a specific folder of the website),
  • Adding references to the web vulnerabilities,
  • Fixing a bug in the patch management testing (wrong management of the Windows administrator account),
  • Enhancement of open relay (spam) and MSSQL authentication tests.
v3.0 (2011/02/10)
  • Integration of website testing (optional feature),
  • The 'ping' test is not performed when a single target is specified (to avoid any firewall filtering),
  • Bug fix (report layout),
  • Improvement in cleaning the workspace, when starting a new check.
v2.3 (2011/01/03)
  • The new Ubuntu 10.10 kernel has been stabilized,
  • The wordlists (used for dictionary attacks) can be configured,
  • Bug fix (regarding authentication tests using medusa).
v2.1 and v2.2 (October-November 2010)
  • Unstable versions (when integrating the new Ubuntu 10.10 kernel).
v2.0b (2010/09/24)
  • Reliability improvement of OpenVAS execution (in particular in its final phase),
  • Fix of the license file error at boot time,
  • Enhancement of SSH and Windows file shares tests.
v2.0a (2010/09/20)
  • openvas-libraries update (version 3.1.3), improving testing performance by about 40%,
  • Fix of download progress bar during updates,
  • Medusa and net-snmp recompilation.
v2.0 (2010/09/06)
  • Integration of OpenVAS to address patch management, with or without providing a local access to the target,
  • Integration of aircrack (to add a wifi testing console),
  • Improvement of the port scan (previously performed by propecia, which has been replaced by a TCP half-open scan using synscan),
  • Test depth parameter added (number of scanned services).
v1.0 (2010/05/22)
  • First version of VulnIT integrating about fifteen tools.

Intellectual property

DenyAll may not be held responsible for errors or omissions in the information disseminated or technical problems encountered on the Site and on all the other sites to which it establishes links, or any interpretation of the information published on these sites, or the consequences of their use.

More generally, DenyAll accepts no responsibility for any damage, direct or indirect, whatever the cause, origin, nature or consequence, caused by the access of anyone to the Site or the impossibility of accessing it, or by the use of the Site and/or the credit given to any information coming directly or indirectly from this Site.

Unless otherwise stated, the intellectual property rights in the documents on the Site and in each element created for this Site are the sole property of DenyAll, who grants no license or right other than that of consulting the Site. The reproduction of all documents published on the Site (notably the photographs, films and animations) is authorized solely for information purposes and for personal and private use; any reproduction and any use of copies made for other purposes is expressly prohibited. The corporate names, logos, products, brands and domain names mentioned on this Site are the property of DenyAll and must not be used without prior written authorization from the company concerned.

License agreement

See the license agreement