
Testing With Attack Tooling

Updated Nov 23, 2022

After installing Signal Sciences, we recommend testing your setup by running attack tooling against your site to verify that attack data is being captured and blocking is working correctly.

While you can use any attack tooling for testing, we recommend Nikto, which tests for a wide variety of vulnerabilities. While Nikto is running, Signal Sciences agents identify malicious or anomalous requests and, after redacting any sensitive information, send the relevant metadata to our backend.

This guide explains how to set up Nikto and run three different testing scenarios:

  1. Testing attack tooling detection
  2. Testing attack detection
  3. Testing attack blocking

Before you begin

  • Nikto requires Perl to be installed. Run perl -v to check if you have Perl installed on your system. If Perl is not found, you can download and install it from the Perl website.
  • Be sure you know how to access the web interface controls and familiarize yourself with the Site Overview page to understand the metrics you’ll observe while running the tests.

Setting up Nikto

Nikto is a common open source tool used for running security tests against web servers. It can run on Linux, OS X, and Windows platforms. To set up Nikto:

  1. Download the latest version of Nikto.
  2. Using command prompt, navigate to the directory where you downloaded Nikto.
  3. Enter unzip nikto-master.zip to unzip the file.
  4. Enter cd nikto-master/program/ to change directories to the program directory.
  5. Run ./nikto.pl to verify you are able to run Nikto. A default help message appears.

If you receive a permission denied error message, you can resolve the error by running chmod +x nikto.pl which makes the script executable. Then run ./nikto.pl again.

Testing attack tooling detection

Using Nikto, you can test Signal Sciences’ attack tooling detection capability.

To run this test:

  1. Log in to the Signal Sciences console.

  2. From the corp navigation bar, use the site menu to select the site you are conducting testing on. The site menu appears as two parallel arrows that are facing opposite directions. The Site Overview page appears.

  3. Ensure the agent mode indicator in the site navigation bar displays Not blocking. In this mode, the agent logs requests but does not block anything. If the agent mode indicator displays Blocking or Off, update the behavior by clicking the agent mode indicator and then clicking the Manage link.

  4. Using command prompt, enter cd nikto-master/program/ to change directories to the program directory.

  5. In a command prompt, run the following command to initiate the first Nikto scan of your site:

    ./nikto.pl -h http://www.example.com
    

While the attack is running, return to the Site Overview page in the Signal Sciences console and select the Overview dashboard from the dashboards menu. The Overview dashboard will display the attacks and anomalies within 30 seconds.

Testing attack detection

After verifying that Signal Sciences detects attack tooling, you can use Nikto to show an IP address being flagged for the attacks themselves (injection and similar), rather than for the tool. Nikto's default User-Agent string identifies it as attack tooling; changing that string with the -useragent option leaves the attack payloads in the requests unchanged, so the requests are tagged by attack type instead.

To run this test:

  1. Log in to the Signal Sciences console.

  2. From the corp navigation bar, use the site menu to select the site you are conducting testing on. The site menu appears as two parallel arrows that are facing opposite directions. The Site Overview page appears.

  3. From the Events card, click the View link on the IP address associated with the Nikto scanner host. The Events page appears.

  4. Click the Remove flag now button on the flagged IP.

  5. Click the Remove flag button.

  6. Using command prompt, enter cd nikto-master/program/ to change directories to the program directory.

  7. Run the following command to initiate the Nikto scan:

    ./nikto.pl -useragent "MyAgent (Demo/1.0)" -h http://www.example.com
    

While the attack is running, return to the Site Overview page in the Signal Sciences console and select the Overview dashboard from the dashboards menu. The Overview dashboard will display the attacks and anomalies within 30 seconds. Unlike in the previous test, you should see signals from a variety of attacks, not just attack tooling. This means modifying the User-Agent string worked, and the IP address will eventually be flagged based on those attacks.

Testing attack blocking

Signal Sciences takes a different approach to blocking than other products. Instead of being limited to blocking individual requests that match a particular signature, you can implement threshold-based blocking. With threshold-based blocking, we look for spikes in malicious traffic from a particular IP (aggregated across all of our agents) and flag that IP if it exceeds specific thresholds in a 1, 10, or 60 minute window. Once an IP is flagged, we block all malicious traffic from that IP for the next 24 hours. Requests from that IP that do not contain an attack are still allowed, so Signal Sciences does not break normal traffic.
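The following is an added example, not Signal Sciences code: a small Python model of the decision flow just described, so you can see why a scanner's attack requests start returning 406 while page views from the same IP keep returning 200. The threshold values, signal names, the 203.0.113.10 scanner address and the request log are all constructed for illustration; the real thresholds are configured per site.

```python
"""Threshold-based IP flagging with attack-only blocking, as a runnable model.

Added example, not Signal Sciences code. It models the decision flow the
page describes: count attack-tagged requests per source IP over 1-, 10-
and 60-minute windows, flag the IP when a window exceeds its threshold,
then for 24 hours return 406 for further requests from that IP that carry
an attack while letting benign requests through. Threshold values, signal
names and the request log are constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

BLOCK_STATUS = 406                 # status the agent returns for a blocked request
FLAG_DURATION = 24 * 60 * 60       # seconds an IP stays flagged
# (window in seconds, number of attack requests in that window that flags the IP)
# Hypothetical values; the real thresholds are set per site.
THRESHOLDS = ((60, 50), (600, 350), (3600, 1800))


@dataclass(frozen=True)
class Request:
    ts: int               # arrival time in seconds; the log is replayed in order
    ip: str               # client IP as seen by the agent
    path: str
    signals: frozenset    # attack signals the agent tagged on this request (empty = benign)


class ThresholdBlocker:
    def __init__(self, blocking=True, thresholds=THRESHOLDS, flag_duration=FLAG_DURATION):
        self.blocking = blocking          # False models the "Not blocking" agent mode
        self.thresholds = thresholds
        self.flag_duration = flag_duration
        self.longest_window = max(w for w, _ in thresholds)
        self.attack_times = defaultdict(deque)   # ip -> timestamps of attack requests
        self.flagged = {}                        # ip -> time the flag expires

    def _record_attack(self, req):
        times = self.attack_times[req.ip]
        times.append(req.ts)
        while times and times[0] <= req.ts - self.longest_window:
            times.popleft()                      # nothing older than 60 min can count
        if req.ip in self.flagged:
            return                               # already flagged; nothing to decide
        for window, limit in self.thresholds:
            if sum(1 for t in times if t > req.ts - window) >= limit:
                self.flagged[req.ip] = req.ts + self.flag_duration
                return

    def handle(self, req):
        """Return the status the agent would hand back: 406 or pass-through 200."""
        is_attack = bool(req.signals)
        if is_attack:
            self._record_attack(req)
        expiry = self.flagged.get(req.ip)
        if expiry is not None and req.ts >= expiry:
            del self.flagged[req.ip]             # 24 hours are up; IP is clean again
            expiry = None
        if self.blocking and expiry is not None and is_attack:
            return BLOCK_STATUS
        return 200                               # benign request, or agent not blocking


def build_scan_log(scanner_ip="203.0.113.10", start=1000):
    """Constructed log: 60 attack requests in 30 seconds from one IP (two per
    second, like a scanner), plus a benign page view from the same IP after
    every tenth attack. Not captured traffic."""
    payloads = [("/index.php?id=1'+OR+1=1--", "SQLI"),
                ("/?q=<script>alert(1)</script>", "XSS"),
                ("/../../../etc/passwd", "TRAVERSAL")]
    log = []
    for i in range(60):
        path, signal = payloads[i % 3]
        log.append(Request(start + i // 2, scanner_ip, path, frozenset({signal})))
        if i % 10 == 9:
            log.append(Request(start + i // 2, scanner_ip, "/about", frozenset()))
    return log


def run(log, blocking=True):
    """Replay the log and tally outcomes, split by attack vs benign request."""
    blocker = ThresholdBlocker(blocking=blocking)
    tally = {"attack_blocked": 0, "attack_allowed": 0,
             "benign_blocked": 0, "benign_allowed": 0}
    for req in log:
        kind = "attack" if req.signals else "benign"
        outcome = "blocked" if blocker.handle(req) == BLOCK_STATUS else "allowed"
        tally[f"{kind}_{outcome}"] += 1
    return blocker, tally


if __name__ == "__main__":
    for mode in (False, True):
        blocker, tally = run(build_scan_log(), blocking=mode)
        print("blocking" if mode else "not blocking", tally, "flagged:", sorted(blocker.flagged))
```

Replaying the same constructed scan with blocking=False reproduces the first two tests on this page: the IP is still flagged, but every request passes. With blocking=True the first 49 attack requests pass (the 1-minute window has not yet reached its threshold), the 50th flags the IP, the remaining attack requests get 406, and all six benign page views from the scanner IP get 200.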

For the final test, enable blocking mode and use Nikto to demonstrate how Signal Sciences allows legitimate traffic to continue accessing the site while blocking malicious traffic from the same IP address. To perform this test, use a web browser on the same system you run the scan from, so that the browser traffic and the scan traffic share a source IP address.

Note: Before continuing, make sure to remove the scanning IP address from the flagged list.

To run this test:

  1. Log in to the Signal Sciences console.

  2. From the corp navigation bar, select the site you are conducting testing on. The Site Overview page appears.

  3. Click on the agent mode indicator in the site navigation bar and click the Manage link. The Agent Configurations page appears.

  4. Update the agent behavior to Blocking.

  5. Click the Update button.

  6. In a browser, access your website.

  7. Using command prompt, enter cd nikto-master/program/ to change directories to the program directory.

  8. Run the following command to initiate the Nikto scan:

    ./nikto.pl -useragent "MyAgent (Demo/1.0)" -D V -T 9 -h http://www.example.com
    

While the scan is running:

  • Use the browser window to navigate your site to confirm that legitimate user traffic is not blocked.
  • Observe in the command shell window that requests containing attacks are blocked with a 406 (Not Acceptable) response code. An HTTP 406 is used so as not to trigger operational alarms the way a 500 or 404 would. Additionally, because 406 is otherwise rarely returned, you can customize the error message the server returns for it.

Repeat the scan as many times as desired.

You can also manually verify blocking by visiting your site with a malicious payload (e.g., https://www.example.com/?q=<script>alert('xss')</script>).
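The check below is an added example and not part of the original page or the Signal Sciences product: a Python probe that sends one benign request and three requests carrying textbook payloads (the page's XSS string plus a SQL injection and a path traversal) with the custom User-Agent used above, then compares the status codes. The BASE_URL placeholder, the probe payloads and the verdict wording are assumptions; the 406 block status follows the page's description. The fetch function is injectable so the decision logic can be exercised without a live site.

```python
"""Probe a site to confirm attack-only blocking.

Added example, not Signal Sciences code. One benign request and several
attack-carrying requests are sent from the same client; the WAF described
on this page should answer the attacks with HTTP 406 and let the benign
request through. Payloads and URLs are placeholders.
"""
import urllib.error
import urllib.parse
import urllib.request

BLOCK_STATUS = 406   # status the page says blocked requests receive
USER_AGENT = "MyAgent (Demo/1.0)"   # same non-tooling UA as the Nikto runs above

# name -> (query parameter, raw payload); constructed test inputs
PROBES = {
    "benign": ("q", "hello world"),
    "xss": ("q", "<script>alert('xss')</script>"),
    "sqli": ("q", "1' OR '1'='1"),
    "traversal": ("file", "../../../../etc/passwd"),
}


def probe_url(base_url, param, value):
    """Build the probe URL, percent-encoding the payload so quotes and angle
    brackets reach the server intact instead of being mangled by the client."""
    return base_url.rstrip("/") + "/?" + urllib.parse.urlencode({param: value})


def http_status(url, timeout=10):
    """GET `url` and return the HTTP status code. urllib raises HTTPError on
    4xx/5xx, so the code is recovered from the exception rather than treated
    as a failure; a 406 here is the expected result for a blocked request."""
    req = urllib.request.Request(url, headers={"User-Agent": USER_AGENT})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_blocking(base_url, fetch=http_status):
    """Send every probe and return (verdict, {probe name: status})."""
    statuses = {name: fetch(probe_url(base_url, param, value))
                for name, (param, value) in PROBES.items()}
    attack_statuses = [s for name, s in statuses.items() if name != "benign"]
    benign_ok = statuses["benign"] < 400
    if benign_ok and all(s == BLOCK_STATUS for s in attack_statuses):
        verdict = "blocking attacks, legitimate traffic allowed"
    elif benign_ok and not any(s == BLOCK_STATUS for s in attack_statuses):
        # Either the agent is in Not blocking mode, or the IP has not crossed a threshold yet
        verdict = "not blocking (agent not in Blocking mode, or IP not yet flagged)"
    elif not benign_ok:
        verdict = "benign request failed: check reachability before judging blocking"
    else:
        verdict = "partial blocking: some attack requests passed"
    return verdict, statuses


if __name__ == "__main__":
    BASE_URL = "http://www.example.com"   # placeholder; point at your own test site
    verdict, statuses = check_blocking(BASE_URL)
    for name, status in statuses.items():
        print(f"{name:<10} {status}")
    print(verdict)
```

Because this page's blocking is threshold-based, an attack request that comes back 200 does not by itself mean blocking is misconfigured: the scanning IP may simply not have been flagged yet, or the flag may have been removed in the earlier steps. Run the probe after a Nikto scan has flagged the IP, and check the benign status first, since a failing benign request means the site itself is unreachable or over-blocking.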