Automating Web Applications Security Assessments Through Scanners
Presented on IBWAS'10
Presentation Transcript

  • Automating Web Applications Security Assessments through Scanners
  • Agenda
    Motivation
    Web Scanners
    Web Scanners Evaluation
    Case Study
  • Motivation
    Lack of security awareness
    Organizations don't properly invest in security
    Critical programmers don’t understand security issues
    Finish my master thesis....
  • Motivation
  • Testing Methods
    White box
    Gray box
    Source code access and internal infrastructure knowledge of some kind
    Black box
    - Testing with automatic tools (Web scanners)
    - Confirm scanners results
    Online access to the Web Application
  • Web Scanners
    “Try” to find applicational vulnerabilities
    Perform pre-defined tests – active analysis through attack simulation
    HTTP message manipulation
    HTTP message inspection
    Find weird attributes
    fuzzing
    Code analysis

    Scan web application
    Content analysis
    Specific crafted requests
    Results generation
  • Web Scanners
    Very important in some scenarios
    Point and Shoot
    Scan Vulnerabilities
  • Web Scanners
  • Web Scanners Evaluation
    NIST SAMATE
    Software Assurance Metrics and Tools Evaluation
    WASSEC
    Web Application Security Scanner Evaluation Criteria
  • Web Scanners Evaluation
    NIST SAMATE
    Web Applications Issues
    Technical vulnerabilities
    Security Vulnerabilities
    Architectural/Logical Vulnerabilities
    Other vulnerabilities
    1st January 2010 – no longer supported
  • Web Scanners Evaluation
    WASSEC
    Protocol Support
    Authentication
    Session Management
    Crawling
    Parsing
    Testing
    Command and Control
    Reporting
    <Customized>
  • Web Scanners Evaluation
    Complementary evaluation method
    Select vulnerability to test
    Create exploitation levels based on information on how to protect against it
    Explore Web scanner behavior for each level
  • Web Scanners Evaluation
    Ideally we would create a Web application to assess each level
    Optionally we can just use pre-defined available ones
    Cenzic
    Watchfire
    WebMaven / Buggy Bank
    Updated HackmeBank
    OWASP WebGoat
    Stanford SecuriBench
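The "complementary evaluation method" above (select a vulnerability, create exploitation levels from how one protects against it, then observe scanner behaviour at each level) can be exercised with a very small in-process test bed. The following is an added example, not code from the presentation or the thesis: it builds three hypothetical protection levels for one reflected parameter (no filtering, a naive "script" blacklist, proper HTML output encoding), serves each through a tiny WSGI application, and records whether two constructed probe strings come back unencoded. Level and probe names are assumptions made for the example.

```python
"""Added example: a three-level reflected-parameter test bed for observing
how a scanner-style reflection check behaves at each protection level."""
import html
import re
from urllib.parse import parse_qs, quote


# Hypothetical protection levels, from none to the mitigation an
# application should actually use (contextual output encoding).
def level0_no_filter(value: str) -> str:
    return value


def level1_blacklist(value: str) -> str:
    # Naive blacklist: strips only the literal token "script".
    return re.sub(r"script", "", value, flags=re.IGNORECASE)


def level2_output_encoding(value: str) -> str:
    return html.escape(value, quote=True)


LEVELS = {0: level0_no_filter, 1: level1_blacklist, 2: level2_output_encoding}


def make_app(level: int):
    """Build a WSGI app that reflects the 'q' query parameter through the
    sanitizer of the given level (constructed test bed, no real site)."""
    sanitize = LEVELS[level]

    def app(environ, start_response):
        q = parse_qs(environ.get("QUERY_STRING", "")).get("q", [""])[0]
        body = f"<html><body><p>You searched for: {sanitize(q)}</p></body></html>"
        start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
        return [body.encode("utf-8")]

    return app


def call_app(app, query_string: str) -> str:
    """Invoke a WSGI app in-process (no network) and return the body text."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/search",
               "QUERY_STRING": query_string}

    def start_response(status, headers):
        pass

    return b"".join(app(environ, start_response)).decode("utf-8")


# Constructed probe strings: one carries the blacklisted token, one does not.
PROBES = {
    "tag-with-script-token": "<script>probe</script>",
    "tag-without-script-token": "<probe data-x=1>",
}


def probe_level(level: int) -> dict:
    """Return {probe_name: True if the probe is reflected unencoded}."""
    app = make_app(level)
    results = {}
    for name, probe in PROBES.items():
        body = call_app(app, "q=" + quote(probe))
        results[name] = probe in body
    return results


def evaluate_levels() -> dict:
    """Reflection outcome for every probe at every protection level."""
    return {level: probe_level(level) for level in LEVELS}


if __name__ == "__main__":
    for level, outcome in evaluate_levels().items():
        print(f"level {level}: {outcome}")
```

Reading the outcome per level shows what a scanner's own probe set determines: a check that only sends the first probe reports level 1 as fixed, while the second probe shows the blacklist still reflects markup; only level 2 stops both. That gap between levels is exactly the behaviour the evaluation method sets out to record per scanner.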
  • Manual Analysis
    Why?
    Vulnerability analysis
    There are always false positives
    Understand how to test it
    [For each vulnerability]
    Impacts
    Mitigation
    Manual confirmation needed
    Documentation
    [end]
  • Case Study
    Related with my master thesis
    17 Real Web Applications
    Government
    Education
    Other relevant service providers
  • Case Study
    Choose Web Scanners
    Apply Web Scanners to Web Applications
    Evaluate Results
  • Case Study – Choose Web Scanners
    Overall Web scanners discovery on the Open Source community
    Discard the less accepted Web scanners
    Apply customized WASSEC
  • Case Study – Choose Web Scanners
    Overall Web scanners discovery on the Open Source community
    Grabber
    Grendel-Scan
    Paros Proxy
    Powerfuzzer
    SecurityQA Toolbar
    Skipfish
    W3AF
    Wapiti
    Watcher
    Websecurify
    Netsparker
    OpenAcunetix
    RatProxy
  • Case Study – Choose Web Scanners
    Discard the less accepted Web scanners
    Grabber
    Grendel-Scan
    Paros Proxy
    Powerfuzzer
    SecurityQA Toolbar
    Skipfish
    W3AF
    Wapiti
    Watcher
    Websecurify
    Netsparker
    OpenAcunetix
    RatProxy
  • Case Study – Choose Web Scanners
    Apply customized WASSEC
    OWASP Top 10 coverage
    Recent activity and updates
    New technologies support
    Fast bugs solving (easy to interact with developers)
  • Case Study – Choose Web Scanners
  • Case Study – Apply Web Scanners to Web Applications
    PHP: 8 Web Applications
    Java: 1 Web Application
    .NET/Aspx: 8 Web Applications
  • Tests Methodology
    Select Web application
    After legal authorization
    Use Web scanner
    [for each web scanner]
    Create detailed report
    Document found vulnerabilities
    Using different tools and live CDs
    [test’s end]
    Deliver the report to the organization
    Manual verification
  • Case Study – Apply Web Scanners to Web Applications
  • Case Study – Apply Web Scanners to Web Applications
  • Case Study – Apply Web Scanners to Web Applications
    Of a total of 1387 vulnerabilities found...
    ...~319 are false positives
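The manual analysis and test methodology slides above describe the same loop for every scanner: collect raw findings, verify each one by hand, document impact and mitigation, and only then evaluate the results. The following is an added example, not the thesis's own tooling: it aggregates constructed findings from two hypothetical scanners over two hypothetical applications, de-duplicates issues that several scanners report at the same location, and computes per-scanner and overall false-positive figures of the kind summarised on this slide (the page's own ~319 of 1387 corresponds to a rate of about 23%). Scanner and application names, and the sample findings, are constructed for the example.

```python
"""Added example: aggregate raw scanner findings, de-duplicate across tools,
and compute false-positive statistics from manual-verification labels."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    scanner: str      # hypothetical scanner label
    app: str          # hypothetical application label
    vuln: str         # vulnerability class as reported by the scanner
    location: str     # path plus parameter where it was reported
    confirmed: bool   # outcome of manual verification


# Constructed sample input; not data from the thesis.
SAMPLE = [
    Finding("scanner-a", "app-01", "xss", "/search?q", True),
    Finding("scanner-b", "app-01", "xss", "/search?q", True),   # same issue twice
    Finding("scanner-a", "app-01", "sqli", "/item?id", False),  # false positive
    Finding("scanner-b", "app-02", "xss", "/comment?text", True),
    Finding("scanner-b", "app-02", "info-leak", "/robots.txt", False),
    Finding("scanner-a", "app-02", "sqli", "/login?user", True),
]


def issue_key(f: Finding) -> tuple:
    """Identity of an issue independent of which scanner reported it."""
    return (f.app, f.vuln, f.location)


def per_scanner_stats(findings) -> dict:
    """Return {scanner: {"reported", "false_positives", "precision"}}."""
    reported = defaultdict(int)
    fps = defaultdict(int)
    for f in findings:
        reported[f.scanner] += 1
        if not f.confirmed:
            fps[f.scanner] += 1
    return {
        s: {
            "reported": reported[s],
            "false_positives": fps[s],
            "precision": round((reported[s] - fps[s]) / reported[s], 3),
        }
        for s in sorted(reported)
    }


def scanner_overlap(findings) -> dict:
    """For each confirmed unique issue, the sorted list of scanners that found it."""
    found_by = defaultdict(set)
    for f in findings:
        if f.confirmed:
            found_by[issue_key(f)].add(f.scanner)
    return {k: sorted(v) for k, v in found_by.items()}


def totals(findings) -> dict:
    """Overall counts of the kind reported on the results slide."""
    n = len(findings)
    fp = sum(1 for f in findings if not f.confirmed)
    return {
        "reported": n,
        "false_positives": fp,
        "false_positive_rate": round(fp / n, 3),
        "unique_confirmed": len(scanner_overlap(findings)),
    }


if __name__ == "__main__":
    print(per_scanner_stats(SAMPLE))
    print(scanner_overlap(SAMPLE))
    print(totals(SAMPLE))
```

Keying issues on (application, class, location) rather than on the scanner's own identifier is what lets the overlap table show which confirmed issues only one tool found, which is the information the "Choose Web Scanners" step needs when comparing coverage.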
  • Evaluate Results
    Maybe these tools are not so bad
    In the right context
    Leverage security awareness
    False positives are also good (am I crazy?)
  • Questions?