Do you scan your own website/server for vulnerabilities?

I can't say I've ever really used a scanner for my own website, but typically while creating my applications I'll do basic vulnerability testing while creating each part of it, then once it's complete attempt them again and some more harmful exploits and see what I come up with. Having never used a vulnerability scanner, I don't know how they work, so it would be a little interesting to see how it look at code validation and attempts to discover directories/files. I typically disallow indexes for my websites, and prevent direct file access with global constant(s) that would show a natural 404 page if they're not present.

I guess it would just be interesting to see how the scanner works in general and what it could find and what it couldn't.

While I'm working on a website, I definitely do. I use smth like Nikto or Vega to see what's vulnerable and fix it, and everyone should do the same too.

Nikto is good but i have found a lot of false positives from nikto. For instance, I have been scanning site and it keeps letting me know it has a shell uploaded which i know for a fact it does not. The directory doesn't even exist there.

But it still does give some good information that we can use to fix some issues with configuration.

Dirbuster is a nice tool that can brute force test directories and files based off wordlist which i have used many times and actually found shells and many other things in which i was able to back track into root of a server and had access to over 300 domains. (Hosting company gave me the ok and paid me to look through all this)

The problem with most hosting companies ( smaller resellers) they don't have the knowledge of this and or the knowhow to prevent it from happening. Its a huge risk for hosting companies when you have people creating and building sites that have no control or knowledge on security and that site can possibly leave the entire server wide open.Which is actually a reason I started hosting sites. It gives me an oppertunity to keep my sites live and any extra clients get the same level of protection i give myself at no cost to them.

I should have a good write up done either today or tomorrow on dirbuster and get it posted up here.

This is why you can't trust small hosting providers typically, they don't know what their doing or know how to properly secure and manage their servers and it can ruin it for everyone. I look forward to your write up about this vulnerability scanner, I'm still interested in how effective it is and it's limitations.

Just run a local copy with the same configurations.

Even if it's your website and domain, I'm pretty positive you are NOT allowed to scan it.

10-03-2019, 04:05 PM

lickmcluvin Wrote: Just run a local copy with the same configurations.

Even if it's your website and domain, I'm pretty positive you are NOT allowed to scan it.

you are not allowed to on shared hosting. If you are running a dedicated or vps and you have root access then yes you can scan it because you own it.

I prefer scanning with Wordfence and Sucuri at both ends. Because it is a great wordpress plugin for just let viruses sucks out.

I try to do it every week, or at least whenever i integrate new addon or a new code, this way i know i stay safe, i do use alot of 3rd party apps and of course i have my own anti virus integrated in my hosting

I never do that... But i can do, so i look for that...