The Future Of
Automated W b Application
A t   t d Web A li ti
        Testing
              g
Preview

  • Web 1 0
        1.0
      • Application architecture and it’s traditional
        analysis methodology
      ...
Web 1.0

   Application behavior and it’s
                            it s
traditional analysis methodology
Web 1.0 Application Architecture


                       HTTP             Firewall                 SQL
                  ...
Web 1.0 Application Architecture

  • Works with page refresh
  • Form submitting model
      • Inputs submitted via query...
Web 1.0 Application Architecture

  • Server & Web Application
      • Parses http request and map URL with web
        ap...
Web 1.0

Traditional Analysis methodology
Traditional Analysis methodology

  • Information gathering
      • Http Response Code – 2xx, 4xx, 5xx
      • Htt content...
Traditional Analysis methodology

  • Manipulate field with malicious characters
    and send request
  • L k at the ht l ...
Web 1.0

Automated web application testing and
     It's Challenges & limitation
Automated web application testing

  • Input – index page or list of stored URLS
  • Configurations – depth, within domain...
Automated web application testing

  • Popular Web Application Scanners
      • NTObjective’s NTOSpider
      • IBM/W t hf...
It's Challenges & Limitations

  • Building correct attack request
      • Forms submission by “onclick” event
           ...
It's Challenges & Limitations

  • Executing java script like a Browser
      • Dynamic menus and css
      • URL d
      ...
It's Challenges & Limitations

  • False positive/negative and duplication
      • Detects vulnerability through http resp...
It's Challenges & Limitations

  • Authenticated scanning
      • Login automatically on authenticated URL,
           • W...
Scanners are also getting smarter

  • Page Signature technology being used to
    identify obfuscated 200, random 404 pag...
Web 2.0

How it works !!
Web 2.0 Technology

  • Web 2 0 Applications are on the rise
         2.0
  • Rich Internet Applications (RIA) – reshaping...
Web 2.0 Technology

  • Web Services is forming back end and accessible
    on SOAP
  • AJAX – empowering browsers
  • XML...
Ajax model
    Classic web application model                                 Ajax-enabled web application model
          ...
AJAX introduction

    x




Source : http://www.adaptivepath.com/publications/essays/archives/000385.php
© net-square
Win32 APP vs Web 2.0
    Win32 GUI application model                    Ajax-enabled web application model
               ...
Web 2.0

Challenges and limitation of web 2 0
                                 2.0
        application testing
Impact of Web 2.0

  • Application Infrastructure

       Changing dimension             Web 1.0
                         ...
Impact of Web 2.0

  • Security Threats

      Changing dimension
          g g                        Web 1.0            ...
Impact of Web 2.0

  • Methodology

         Changing dimension            Web 1.0                      Web 2.0
          ...
Impact of Web 2.0

  • Countermeasure

        Changing dimension              Web 1.0                       Web 2.0

    ...
Challenges and Limitation

  •   No success with http response parsing
  •   Everything is generated run time
  •   Path o...
Future Approach

Automated Web Application Testing
Future Approach

  • "only about half of the required tests for a
     only
    security assessment can be performed on a
...
Future Approach

  • Browser based toolbar Advantages
      • Hybrid – Automated + Manual both
      • U
        Uses BBro...
Future Approach

  • Authenticated scanning – login first and then
    start testing, context will be managed
    automati...
Future Approach

  • The field value manipulation will be in a
    DOM itself.
      • Following challenges get resolved
 ...
Future Approach

  • False positive will be reduced by real html
    view,
      • Following challenges get resolved
     ...
Future Approach

  • So only approach is browser based tool i e
    So,                                 tool, i.e
    tool...
Thanks!!

umesh@net square.com
umesh@net-square com
amish@net-square.com
Upcoming SlideShare
Loading in …5
×

Amish Umesh - Future Of Web App Testing - ClubHack2007

1,489 views

Published on

Published in: Technology, Design
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,489
On SlideShare
0
From Embeds
0
Number of Embeds
24
Actions
Shares
0
Downloads
18
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Amish Umesh - Future Of Web App Testing - ClubHack2007

  1. 1. The Future Of Automated W b Application A t t d Web A li ti Testing g
  2. 2. Preview • Web 1 0 1.0 • Application architecture and it’s traditional analysis methodology • Automated web application testing and it's limitation • Web 2.0 • H How it works k • Challenges and limitation of web 2.0 application testing • Next generation auditing tool © net-square
  3. 3. Web 1.0 Application behavior and it’s it s traditional analysis methodology
  4. 4. Web 1.0 Application Architecture HTTP Firewall SQL request Database (cleartext or SSL) Web app DB Web app Web Web Client Server Web app DB Web app HTTP reply (HTML, Javascript, •Apache Written in: Database VBscript, •IIS •ASP connection: etc) •Netscape •JSP •ADO, etc… •Perl, etc •ODBC, etc. © net-square
  5. 5. Web 1.0 Application Architecture • Works with page refresh • Form submitting model • Inputs submitted via query string or form parameters • Browser generates http requests for images, js, etc. while rendering html response through DOM • Request also can be sent by javascript, ActiveX, Applets, Flash, etc. directly © net-square
  6. 6. Web 1.0 Application Architecture • Server & Web Application • Parses http request and map URL with web application physical resource • Generates HTML Response based on the supplied resource query and input parameters © net-square
  7. 7. Web 1.0 Traditional Analysis methodology
  8. 8. Traditional Analysis methodology • Information gathering • Http Response Code – 2xx, 4xx, 5xx • Htt contents Http t t • Extract forms and query string parameters. • Hidden fields comments mail ids fields, comments, ids, • Cookie name / value • Java scripts, • ActiveX and Applets • Find injection point suspicious field or query point, string parameters © net-square
  9. 9. Traditional Analysis methodology • Manipulate field with malicious characters and send request • L k at the ht l response, get some clue, Look t th html t l modify parameters and send request. • Do same again and again until…. Bingo !! • Resources used, , • Browser • Plug-ins (livehttp header or web browser Plug ins toolbar) • Sniffer © net-square
  10. 10. Web 1.0 Automated web application testing and It's Challenges & limitation
  11. 11. Automated web application testing • Input – index page or list of stored URLS • Configurations – depth, within domain, max links, include li k i l d / exclude, user-agent, etc. l d t t • Testing methodology • Crawls web application recursively and collects URLS • Find injection point or attack vector for URL • Query String parameters • It’s Html response form fields • Cookie © net-square
  12. 12. Automated web application testing • Popular Web Application Scanners • NTObjective’s NTOSpider • IBM/W t hfi ’ A S IBM/Watchfire’s AppScan • HP/SPI Dynamics’ WebInspect • Demo • NTOInsight © net-square
  13. 13. It's Challenges & Limitations • Building correct attack request • Forms submission by “onclick” event • Wrong action or target picked up by automated tool • Manage context through out the session • Logout innocently • C Crawl a site in certain order – logical action • Infinite crawl – Dynamic URL creation © net-square
  14. 14. It's Challenges & Limitations • Executing java script like a Browser • Dynamic menus and css • URL d decryption on th fl b j ti the fly by java scripts i t • Identify correct attack vector in URL • No question mark in a URL • Strange extension • Custom techniques to supply inputs. © net-square
  15. 15. It's Challenges & Limitations • False positive/negative and duplication • Detects vulnerability through http response code • O regex pattern search in html response Or tt h i ht l • How to detect persistent XSS?? • Custom response code (obfuscated 200) • Random 404 pages © net-square
  16. 16. It's Challenges & Limitations • Authenticated scanning • Login automatically on authenticated URL, • Where to go after authentication ? • Form based authentication • Success or fail how to decide ? fail, • Captcha, how to handle ? • Broken access controls • Information leakage • Design issues © net-square
  17. 17. Scanners are also getting smarter • Page Signature technology being used to identify obfuscated 200, random 404 pages and Form based authentication • Java scripts based URLs can be fetched by regex bbased search d h • Most of the scanners identify technical vulnerabilities like SQL Injection, XSS, etc. j , , © net-square
  18. 18. Web 2.0 How it works !!
  19. 19. Web 2.0 Technology • Web 2 0 Applications are on the rise 2.0 • Rich Internet Applications (RIA) – reshaping application front • Web Services on the rise – forming backend of applications • Gartner is advising companies to take up Web services now, or risk losing out to competitors , g p embracing the technology. © net-square
  20. 20. Web 2.0 Technology • Web Services is forming back end and accessible on SOAP • AJAX – empowering browsers • XML based services • Rich Internet Applications are consuming back end web services • Search engines and mechanisms for web services publishing and accessing • Security evolving around web services © net-square
  21. 21. Ajax model Classic web application model Ajax-enabled web application model Browser user interface JavaScript call HTML + CSS data Browser user interface Ajax engine HTTP request HTTP request Transport layer HTML + CSS data XML Data web server web and/or XMLserver Data stores, Data stores, backend processing, backend processing, legacy systems legacy systems server-side systems server-side systems © net-square Source : http://www.adaptivepath.com/publications/essays/archives/000385.php
  22. 22. AJAX introduction x Source : http://www.adaptivepath.com/publications/essays/archives/000385.php © net-square
  23. 23. Win32 APP vs Web 2.0 Win32 GUI application model Ajax-enabled web application model Desktop Browser Win32 GUI user interface Win32 Msg JavaScript call User Data HTML + CSS data Win32 WndProc Msg handler AJAX (JS) Library RPC Request XHR call RPC Response XML Data RPC Services Web Services Data t D t stores, Data t D t stores, backend processing, backend processing, legacy systems legacy systems © n e t - s q u a r eserver-side systems server-side systems
  24. 24. Web 2.0 Challenges and limitation of web 2 0 2.0 application testing
  25. 25. Impact of Web 2.0 • Application Infrastructure Changing dimension Web 1.0 10 Web 2.0 20 (AI1) Protocols HTTP & HTTPS SOAP, XML-RPC, REST etc. over HTTP & HTTPS (AI2) Information HTML transfer XML, JSON, JS Objects etc. structures (AI3) Communication Synchronous Asynchronous & Cross- methods th d Postback domains (proxy) Refresh and Redirect (AI4) Information Single place information Multiple sources (Urge for sharingg (No urge for integrated information integration) i i ) platform) l f ) © net-square
  26. 26. Impact of Web 2.0 • Security Threats Changing dimension g g Web 1.0 Web 2.0 (T1) Entry points Structured Scattered and multiple (T2) Dependencies Limited • Multiple technologies • Information sources • Protocols (T3) Vulnerabilities Server side [Typical injections] • Web services [Payloads] • Cli t side [XSS & XSRF] Client id (T4) Exploitation Server side exploitation Both server and client side exploitation © net-square
  27. 27. Impact of Web 2.0 • Methodology Changing dimension Web 1.0 Web 2.0 Typical with "Host" and Footprinting DNS Empowered with search Discovery Simple Difficult with hidden calls Enumeration Structured Several streams Scanning Structured and simple Difficult with extensive Ajax Difficult with Ajax and web Automated attacks Easy after discovery services On the server-side Reverse engineering g g [Difficult] Client-side with Ajax & Flash Code reviews Focus on server-side only Client-side analysis needed © net-square
  28. 28. Impact of Web 2.0 • Countermeasure Changing dimension Web 1.0 Web 2.0 Multiple places [Mashups & Owner of information Single place RSS] Browser security Simple DOM usage Complex DOM usage Validations Server side Client side [incoming content] Logic shift Only on server Client side shift Secure coding Structured and single place Multiple places and scattered © net-square
  29. 29. Challenges and Limitation • No success with http response parsing • Everything is generated run time • Path of execution is dynamic • Cannot predict next URL p • Need to grab data in runtime through DOM • cannot use anything other than browser • human element is must © net-square
  30. 30. Future Approach Automated Web Application Testing
  31. 31. Future Approach • "only about half of the required tests for a only security assessment can be performed on a purely automated basis The other half basis. require human involvement, typically for identifying vulnerabilities in business logic “ logic. • Jeremiah Grossman (CTO, Whitehat Security) • So finally you need a tool which will have So, both the things at one place.. • B Browser based W b A li ti S b d Web Application Scanner © net-square
  32. 32. Future Approach • Browser based toolbar Advantages • Hybrid – Automated + Manual both • U Uses BBrowser DOM directly di tl • Crawling is possible but it is not required because It’s allow you to test per page basis so basis, test as you traverse normally, • Following challenges get resolved resolved, – Infinite crawl – Crawl a site in particular order © net-square
  33. 33. Future Approach • Authenticated scanning – login first and then start testing, context will be managed automatically by browser • Following challenges get resolved, • Manage context through out the session • Logout innocently • Where to go after authentication ? • Form based authentication, Success or fail, how to decide ? • Captcha. © net-square
  34. 34. Future Approach • The field value manipulation will be in a DOM itself. • Following challenges get resolved resolved, – Building correct attack request – Forms submission by “onclick” event – Wrong action or target picked up by automated tool – Dynamic URL creation • Java scripts execution automatically automatically, • Following challenges get resolved, • Dynamic menus and css • URL decryption on the fly by java scripts © net-square
  35. 35. Future Approach • False positive will be reduced by real html view, • Following challenges get resolved resolved, – False positives – XSS detection with no false positives, popup will be there. – Information leakage can be identified by html view. © net-square
  36. 36. Future Approach • So only approach is browser based tool i e So, tool, i.e toolbar, like human clicks and automation together!! • Security QA Toolbar http://www.isecpartners.com/SecurityQAToolbar.html © net-square
  37. 37. Thanks!! umesh@net square.com umesh@net-square com amish@net-square.com

×