Automate WEB site vulnerabilities searching algorithm
WEB site vulnerabilities searching computerization is a very difficult task. We had to write an universal algorithm to search for various kind of WEB vulnerabilities. A computer is not a human and it thinks different. It is very difficult to analyze not structured data. Web pages could consist of various technology with different kind of mistakes. The algorithm has to know about HTML and other technologies.
The most widespread approach to the problem in is a searching for vulnerability signatures on the WEB page. The security testing program must send to the server wrong data and search for signatures in the result page. What if software developer or system administrator turned errors reporting off? The security testing software would failure. Good developer has to hide any errors in WEB scripts. The program could not find any errors on the page if developer turned errors reporting off, but vulnerabilities are exist on the page.
What if the original page would have the error signature "Database connection error is ...." in the page text? In this case the program will find the signature and report about vulnerability. But it is not vulnerability. It is a piece of text only.
We have to have something more powerful to search for vulnerabilities. There is another approach to search for WEB errors. We have to write software that will hack the website itself. The program has to hack website and analyze WEB server responses. The most difficult task is to find vulnerability signs. The program has to have some sort of AI (Artificial Intellect).
The CyD Network Utilities 2009 (network and security tools) program has improved algorithm to find any kind of SQL Injection errors. The program tries to hack website itself and allows you to automatize the website checking for vulnerabilities.