Can (Automated) Testing Tools Really Find the OWASP Top 10? Erwin Geirnaert Partner & Co-founder, ZI O N SECURITY [email_a...
Agenda <ul><ul><li>Introduction </li></ul></ul><ul><ul><li>Testing  </li></ul></ul><ul><ul><li>Automated Tools </li></ul><...
Introduction <ul><ul><li>In order to find vulnerabilities in web applications we need to identify them: </li></ul></ul><ul...
Existing studies  <ul><ul><li>Arian Evans – Tools Taxonomy – OWASP 2005  </li></ul></ul><ul><ul><ul><li>Personal experienc...
Testing  <ul><ul><li>There is no standard to test web applications </li></ul></ul><ul><ul><ul><li>How to test for vulnerab...
Testing <ul><ul><li>OWASP Testing Guide is a framework and a guideline, not a technical step-by-step guide </li></ul></ul>...
Testing <ul><ul><li>People have different backgrounds: </li></ul></ul><ul><ul><ul><li>Network security: how experienced ar...
Automated Tools – Open-source <ul><ul><li>For free </li></ul></ul><ul><ul><li>Run on multi-platforms, thank you Java </li>...
Automated Tools - Commercial <ul><ul><li>Not cheap: license is application, server or network based </li></ul></ul><ul><ul...
OWASP Top Ten Most Critical Web Application Security Vulnerabilities <ul><ul><li>A1. Unvalidated Input </li></ul></ul><ul>...
Some questions  <ul><ul><li>Is the Top 10 about vulnerabilities, attacks or bad coding practices? </li></ul></ul><ul><ul><...
A1. Unvalidated Input <ul><ul><li>Definition: Information from web requests is not validated before being used by a web ap...
A1. Unvalidated Input <ul><ul><li>How to detect: examine result (and NOT error codes) and identify vulnerabilities </li></...
A2. Broken Access Controls <ul><ul><li>Definition: Restrictions on what authenticated users are allowed to do are not prop...
A2. Broken Access Controls <ul><ul><li>What I want: expected output should be an authorization matrix: user A can access U...
A3. Broken Authentication and Session Management <ul><ul><li>Definition: Account credentials and session tokens are not pr...
A4. Cross Site Scripting Flaws <ul><ul><li>Definition: The web application can be used as a mechanism to transport an atta...
A5. Buffer Overflows <ul><ul><li>Definition: Web application components in some languages that do not properly validate in...
A6. Injection Flaws <ul><ul><li>Definition: Web applications pass parameters when they access external systems or the loca...
A7. Improper Error Handling <ul><ul><li>Definition: Error conditions that occur during normal operation are not handled pr...
A8. Insecure Storage <ul><ul><li>Definition: Web applications frequently use cryptographic functions to protect informatio...
A9. Denial of Service <ul><ul><li>Definition: Attackers can consume web application resources to a point where other legit...
A10. Insecure Configuration Management <ul><ul><li>Definition: Having a strong server configuration standard is critical t...
Conclusions <ul><ul><li>Automated Tools are not the silver-bullet to test for the OWASP Top 10 </li></ul></ul><ul><ul><li>...
Upcoming SlideShare
Loading in...5
×

OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10

1,288

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,288
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
22
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10

  1. 1. Can (Automated) Testing Tools Really Find the OWASP Top 10? Erwin Geirnaert Partner & Co-founder, ZI O N SECURITY [email_address] +32478289466
  2. 2. Agenda <ul><ul><li>Introduction </li></ul></ul><ul><ul><li>Testing </li></ul></ul><ul><ul><li>Automated Tools </li></ul></ul><ul><ul><li>OWASP Top 10 </li></ul></ul>OWASP AppSec Europe 2006
  3. 3. Introduction <ul><ul><li>In order to find vulnerabilities in web applications we need to identify them: </li></ul></ul><ul><ul><ul><li>Via code audit: a lot of work </li></ul></ul></ul><ul><ul><ul><li>Via testing: manual or automated </li></ul></ul></ul><ul><ul><li>Manual testing: a human being attacks a web application using his experience, knowledge and tools (open-source, self-made, IE ) </li></ul></ul><ul><ul><li>Automated testing: a human being uses an automated vulnerability scanner to attack a web application </li></ul></ul>OWASP AppSec Europe 2006
  4. 4. Existing studies <ul><ul><li>Arian Evans – Tools Taxonomy – OWASP 2005 </li></ul></ul><ul><ul><ul><li>Personal experience with tools </li></ul></ul></ul><ul><ul><ul><li>Conclusion: still a lot of work </li></ul></ul></ul><ul><ul><li>Dr. Holger Peine – Fraunhofer IESE </li></ul></ul><ul><ul><ul><li>Test of AppScan, Acunetix & WebInspect on WebGoat and proprietary application </li></ul></ul></ul><ul><ul><ul><li>Conclusion: </li></ul></ul></ul><ul><ul><ul><ul><li>A lot of false positives </li></ul></ul></ul></ul><ul><ul><ul><ul><li>A lot of false negatives </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Not one tool did what it should do: find the easy vulnerabilities in WebGoat </li></ul></ul></ul></ul><ul><ul><ul><ul><li>(they can’t read the lesson hints ) </li></ul></ul></ul></ul><ul><ul><li>Reviews by Infoworld & eWeek </li></ul></ul>OWASP AppSec Europe 2006
  5. 5. Testing <ul><ul><li>There is no standard to test web applications </li></ul></ul><ul><ul><ul><li>How to test for vulnerabilities </li></ul></ul></ul><ul><ul><ul><li>Different type of payloads that must be used e.g. <script>alert(document.cookie)</script vs <body onload=alert(document.cookie)> </li></ul></ul></ul><ul><ul><ul><li>What should be the result of a test: how to detect a pop-up window in an HTML stream? </li></ul></ul></ul><ul><ul><ul><li>What should not be the result of a test: will a script tag embedded in another script tag really get executed? </li></ul></ul></ul>OWASP AppSec Europe 2006
  6. 6. Testing <ul><ul><li>OWASP Testing Guide is a framework and a guideline, not a technical step-by-step guide </li></ul></ul><ul><ul><li>OSSTMM - Open Source Security Testing Methodology Manual: more detailed but not on an web app level more on a network/OS level </li></ul></ul><ul><ul><li>No education or recognized certifications for security testing </li></ul></ul>OWASP AppSec Europe 2006
  7. 7. Testing <ul><ul><li>People have different backgrounds: </li></ul></ul><ul><ul><ul><li>Network security: how experienced are they in XML parsing, AJAX, SQL,… </li></ul></ul></ul><ul><ul><ul><li>Functional testers: how do they know what a security vulnerability is? How can they exploit a vulnerability? </li></ul></ul></ul><ul><ul><ul><li>Developers: hate to test or audit code </li></ul></ul></ul><ul><ul><ul><li>Application security expert: has the experience and the knowledge of the three groups above but are a rare species </li></ul></ul></ul><ul><ul><li>Conclusion: </li></ul></ul><ul><ul><ul><li>Everyone has a different approach to testing </li></ul></ul></ul><ul><ul><ul><li>Automated tools also have a different approach </li></ul></ul></ul>OWASP AppSec Europe 2006
  8. 8. Automated Tools – Open-source <ul><ul><li>For free </li></ul></ul><ul><ul><li>Run on multi-platforms, thank you Java </li></ul></ul><ul><ul><li>No or very limited reporting </li></ul></ul><ul><ul><li>Usage-mode: expert security tester </li></ul></ul><ul><ul><li>Examples: Oedipus, Paros, Burp Intruder, WebScarab Fuzzer, Spike, E-Or, … </li></ul></ul>OWASP AppSec Europe 2006
  9. 9. Automated Tools - Commercial <ul><ul><li>Not cheap: license is application, server or network based </li></ul></ul><ul><ul><li>Very good reporting capabilities </li></ul></ul><ul><ul><li>Run only on Windows </li></ul></ul><ul><ul><li>Usage-mode: typical Next – Next clicking usage but expert in application security and the tool is required for optimal results </li></ul></ul><ul><ul><li>Examples: Cenzic HailStorm, SPIDynamics WebInspect, Sanctum AppScan, Acunetix, NTOspider, … </li></ul></ul>OWASP AppSec Europe 2006
  10. 10. OWASP Top Ten Most Critical Web Application Security Vulnerabilities <ul><ul><li>A1. Unvalidated Input </li></ul></ul><ul><ul><li>A2. Broken Access Controls </li></ul></ul><ul><ul><li>A3. Broken Authentication and Session Management </li></ul></ul><ul><ul><li>A4. Cross Site Scripting Flaws </li></ul></ul><ul><ul><li>A5. Buffer Overflows </li></ul></ul><ul><ul><li>A6. Injection Flaws </li></ul></ul><ul><ul><li>A7. Improper Error Handling </li></ul></ul><ul><ul><li>A8. Insecure Storage </li></ul></ul><ul><ul><li>A9. Denial of Service </li></ul></ul><ul><ul><li>A10. Insecure Configuration Management </li></ul></ul>OWASP AppSec Europe 2006
  11. 11. Some questions <ul><ul><li>Is the Top 10 about vulnerabilities, attacks or bad coding practices? </li></ul></ul><ul><ul><li>How to differentiate the different classifications? </li></ul></ul><ul><ul><ul><li>Invalidated input (A1) is a vulnerability, XSS (A4) is an attack against this vulnerability </li></ul></ul></ul><ul><ul><ul><li>Same for A5, A6 and A7 </li></ul></ul></ul><ul><ul><li>How to define a test plan for the OWASP Top 10? </li></ul></ul><ul><ul><li>What are the payloads to discover the Top 10? Eg. 10000000 X or 10000000 A for buffer overflow? </li></ul></ul>OWASP AppSec Europe 2006
  12. 12. A1. Unvalidated Input <ul><ul><li>Definition: Information from web requests is not validated before being used by a web application. Attackers can use these flaws to attack backend components through a web application. </li></ul></ul><ul><ul><li>Test: insert all possible values for parameters: GET, POST, hidden fields, cookies, HTTP Headers,... </li></ul></ul><ul><ul><li>Automated tools: do this very good, but lack classification of the errors returned </li></ul></ul>OWASP AppSec Europe 2006
  13. 13. A1. Unvalidated Input <ul><ul><li>How to detect: examine result (and NOT error codes) and identify vulnerabilities </li></ul></ul><ul><ul><ul><li>SQL Injection: parse for SQL error codes :S </li></ul></ul></ul><ul><ul><ul><li>No exception handling: parse for stacktraces? </li></ul></ul></ul><ul><ul><ul><li>Authorization bypass: is that a Admin-button? </li></ul></ul></ul><ul><ul><ul><li>Buffer overflow (Denial-of-Service?): empty HTML-page? </li></ul></ul></ul><ul><ul><ul><li>LDAP Injection: different user attributes? </li></ul></ul></ul><ul><ul><ul><li>... </li></ul></ul></ul><ul><ul><li>Ultimate test: exploit vulnerability MANUALLY -> THIS REQUIRES THE TESTER TO KNOW THE ATTACK PAYLOAD </li></ul></ul><ul><ul><li>What about non-English web applications? </li></ul></ul>OWASP AppSec Europe 2006
  14. 14. A2. Broken Access Controls <ul><ul><li>Definition: Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access other users' accounts, view sensitive files, or use unauthorized functions. </li></ul></ul><ul><ul><li>Test: login with valid accounts with different privileges and attempt to access protected parts like URLs, Struts actions, hidden fields,... </li></ul></ul><ul><ul><li>Automated tools: can guess known URIs like /admin but do this within the existing user context or as an anonymous user </li></ul></ul>OWASP AppSec Europe 2006
  15. 15. A2. Broken Access Controls <ul><ul><li>What I want: expected output should be an authorization matrix: user A can access URI A, user B cannot access URI B, ... like a sitemap but with authorization levels </li></ul></ul>OWASP AppSec Europe 2006
  16. 16. A3. Broken Authentication and Session Management <ul><ul><li>Definition: Account credentials and session tokens are not properly protected. Attackers that can compromise passwords, keys, session cookies, or other tokens can defeat authentication restrictions and assume other users' identities. </li></ul></ul><ul><ul><li>Test: analyse the authentication mechanism: is HTTPS used, secure cookie, random session-ID,... </li></ul></ul><ul><ul><li>Automated tools: do this out-of-the-box </li></ul></ul>OWASP AppSec Europe 2006
  17. 17. A4. Cross Site Scripting Flaws <ul><ul><li>Definition: The web application can be used as a mechanism to transport an attack to an end user's browser. A successful attack can disclose the end user’s session token, attack the local machine or spoof content to fool the user. </li></ul></ul><ul><ul><li>Test: use RSnake’s cheat sheet for XSS filter evasion (http://ha.ckers.org/xss.html) </li></ul></ul><ul><ul><li>Automated tools: some tools inject a limited XSS pattern and for some tool you don’t know what they inject and you CAN’T change it. But if you have a web site with 1000 forms they are very useful to automate the injection. But ... If you find 1 XSS, you probably find more  </li></ul></ul>OWASP AppSec Europe 2006
  18. 18. A5. Buffer Overflows <ul><ul><li>Definition: Web application components in some languages that do not properly validate input can be crashed and, in some cases, used to take control of a process. These components can include CGI, libraries, drivers, and web application server components. </li></ul></ul><ul><ul><li>Test: replace every parameter with a lot of data: integers, strings, binary data,... </li></ul></ul><ul><ul><li>Automated tools: some tools inject a buffer-overflow patterns but with some tools you don’t know what they inject or you’re unable to change it. But if you have a web site with 1000 forms they are very useful to automate the injection </li></ul></ul><ul><ul><li>Results: crash of the web application, corrupt database, crash of the server so be very careful on a production environment </li></ul></ul><ul><ul><li>Automated tools: detect database corruption? </li></ul></ul>OWASP AppSec Europe 2006
  19. 19. A6. Injection Flaws <ul><ul><li>Definition: Web applications pass parameters when they access external systems or the local operating system. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the web application. </li></ul></ul><ul><ul><li>Test: replace every parameter with command injection strings which depend on the operating system in use </li></ul></ul><ul><ul><li>Automated tools: some tools inject command injection patterns but with some tools you don’t know what they inject and it is impossible to change them. But if you have a web site with 1000 forms they are very useful to automate the injection </li></ul></ul><ul><ul><li>Results: output of the command injection must be obtained, how to automate this? E.g. Net user /add Erwin </li></ul></ul>OWASP AppSec Europe 2006
  20. 20. A7. Improper Error Handling <ul><ul><li>Definition: Error conditions that occur during normal operation are not handled properly. If an attacker can cause errors to occur that the web application does not handle, they can gain detailed system information, deny service, cause security mechanisms to fail, or crash the server. </li></ul></ul><ul><ul><li>Test: corrupt parameters and look for propagating exceptions </li></ul></ul><ul><ul><li>Automated tools: by default </li></ul></ul><ul><ul><li>Result: how to classify an uncaught exception, this depends on the exception </li></ul></ul>OWASP AppSec Europe 2006
  21. 21. A8. Insecure Storage <ul><ul><li>Definition: Web applications frequently use cryptographic functions to protect information and credentials. These functions and the code to integrate them have proven difficult to code properly, frequently resulting in weak protection. </li></ul></ul><ul><ul><li>Test: attempt to access configuration files via forceful browsing like web.xml, examine cookies and parameters, dump passwords from database via SQL Injection </li></ul></ul><ul><ul><li>Automated tools: are unable to exploit vulnerabilities in order to find passwords </li></ul></ul>OWASP AppSec Europe 2006
  22. 22. A9. Denial of Service <ul><ul><li>Definition: Attackers can consume web application resources to a point where other legitimate users can no longer access or use the application. Attackers can also lock users out of their accounts or even cause the entire application to fail. </li></ul></ul><ul><ul><li>Test: attempt to brute-force accounts, performance test,… </li></ul></ul><ul><ul><li>Automated tools: have no problem to attack accounts and they don’t execute performance tests but when attacking a site with full force it can have some unexpected side-effects </li></ul></ul>OWASP AppSec Europe 2006
  23. 23. A10. Insecure Configuration Management <ul><ul><li>Definition: Having a strong server configuration standard is critical to a secure web application. These servers have many configuration options that affect security and are not secure out of the box. </li></ul></ul><ul><ul><li>Test: use Google to retrieve vulnerabilities about SUT and try to exploit them </li></ul></ul><ul><ul><li>Automated tools: can test automatically for these vulnerabilities and when they have a built-in update function these are very useful </li></ul></ul>OWASP AppSec Europe 2006
  24. 24. Conclusions <ul><ul><li>Automated Tools are not the silver-bullet to test for the OWASP Top 10 </li></ul></ul><ul><ul><li>They can help a security tester to assess a web application faster </li></ul></ul><ul><ul><li>Security tester must master the tools and know the limitations </li></ul></ul><ul><ul><li>Combine open-source tools with commercial tools </li></ul></ul><ul><ul><li>But automated tools will have difficulties with the latest technologies: </li></ul></ul><ul><ul><ul><li>AJAX: asynchronous XML requests </li></ul></ul></ul><ul><ul><ul><li>One-time tokens like in Struts, SAP BSP, … </li></ul></ul></ul><ul><ul><ul><li>Thick clients e.g. Java Web Start </li></ul></ul></ul><ul><ul><ul><li>Web services </li></ul></ul></ul>OWASP AppSec Europe 2006
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×