Presented at IBWAS'10
  1. Automating Web Applications Security Assessments through Scanners
  2. Agenda
     - Motivation
     - Web Scanners
     - Web Scanners Evaluation
     - Case Study
  3. Motivation
     - Lack of security awareness
     - Organizations don't properly invest in security
     - Critical programmers don't understand security issues
     - Finish my master thesis...
  4. Motivation
  5. Testing Methods
     - White box
     - Gray box
       Source code access and internal infrastructure knowledge of some kind
     - Black box
       - Testing with automatic tools (Web scanners)
       - Confirm scanner results
       Online access to the Web Application
  6. Web Scanners
     - "Try" to find application vulnerabilities
     - Perform pre-defined tests – active analysis through attack simulation
       - HTTP message manipulation
       - HTTP message inspection
       - Find weird attributes
       - Fuzzing
       - Code analysis
       - ...
     - Scan web application, content analysis, specific crafted requests, results generation
  7. Web Scanners
     - Very important in some scenarios
     - Point and Shoot
     - Scan Vulnerabilities
  8. Web Scanners
  9. Web Scanners Evaluation
     - NIST SAMATE: Software Assurance Metrics and Tools Evaluation
     - WASSEC: Web Application Security Scanner Evaluation Criteria
  10. Web Scanners Evaluation – NIST SAMATE
     - Web Applications Issues
       - Technical vulnerabilities
       - Security vulnerabilities
       - Architectural/logical vulnerabilities
       - Other vulnerabilities
     - 1st January 2010 – no longer supported
  11. Web Scanners Evaluation – WASSEC
     - Protocol Support
     - Authentication
     - Session Management
     - Crawling
     - Parsing
     - Testing
     - Command and Control
     - Reporting
     - <Customized>
  12. Web Scanners Evaluation – Complementary evaluation method
     - Select vulnerability to test
     - Create exploitation levels based on information on how to protect against it
     - Explore Web scanner behavior for each level
  13. Web Scanners Evaluation
     - Ideally we would create a Web application to assess each level
     - Optionally we can just use pre-defined available ones:
       - Cenzic
       - Watchfire
       - WebMaven / Buggy Bank
       - Updated HackmeBank
       - OWASP WebGoat
       - Stanford SecuriBench
  14. Manual Analysis
     - Why?
       - Vulnerability analysis
       - There are always false positives
       - Understand how to test it
     - [For each vulnerability]
       - Impacts
       - Mitigation
       - Manual confirmation needed
       - Documentation
       [end]
  15. Case Study
     - Related to my master thesis
     - 17 real Web applications
       - Government
       - Education
       - Other relevant service providers
  16. Case Study
     - Choose Web Scanners
     - Apply Web Scanners to Web Applications
     - Evaluate Results
  17. Case Study – Choose Web Scanners
     - Overall Web scanner discovery in the Open Source community
     - Discard the less accepted Web scanners
     - Apply customized WASSEC
  18. Case Study – Choose Web Scanners: Overall Web scanner discovery in the Open Source community
     - Grabber
     - Grendel-Scan
     - Paros Proxy
     - Powerfuzzer
     - SecurityQA Toolbar
     - Skipfish
     - W3AF
     - Wapiti
     - Watcher
     - Websecurify
     - Netsparker
     - OpenAcunetix
     - RatProxy
  19. Case Study – Choose Web Scanners: Discard the less accepted Web scanners
     - Grabber
     - Grendel-Scan
     - Paros Proxy
     - Powerfuzzer
     - SecurityQA Toolbar
     - Skipfish
     - W3AF
     - Wapiti
     - Watcher
     - Websecurify
     - Netsparker
     - OpenAcunetix
     - RatProxy
  20. Case Study – Choose Web Scanners: Apply customized WASSEC
     - OWASP Top 10 coverage
     - Recent activity and updates
     - New technologies support
     - Fast bug solving (easy to interact with developers)
  21. Case Study – Choose Web Scanners
  22. Case Study – Apply Web Scanners to Web Applications
     - PHP: 8 Web applications
     - Java: 1 Web application
     - .NET/Aspx: 8 Web applications
  23. Tests Methodology
     - Select Web application
     - After legal authorization
     - Use Web scanner [for each web scanner]
     - Create detailed report
     - Document found vulnerabilities
     - Using different tools and live CDs
     - [test's end]
     - Deliver the report to the organization
     - Manual verification
  24. Case Study – Apply Web Scanners to Web Applications
  25. Case Study – Apply Web Scanners to Web Applications
  26. Case Study – Apply Web Scanners to Web Applications
     - Of a total of 1387 vulnerabilities found...
     - ...~319 are false positives
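The slides' method (several scanners per application, then manual confirmation of every finding, slides 14 and 23) produces the kind of numbers on slide 26 only if findings from different scanners are consolidated and each verification verdict is recorded once. The following is an added example, not code from the talk or the thesis; scanner names, applications, URLs and verdicts are constructed sample data.

```python
from collections import defaultdict, namedtuple
# Added example, not from the slides: scanner names, apps, URLs and verdicts
# below are constructed sample data that follows the slides' method (several
# scanners per application, every finding then manually confirmed or rejected).
Finding = namedtuple("Finding", "scanner app vuln url param")

def issue_key(f):
    """One issue reported by two scanners maps to one key, so it is verified once."""
    return (f.app, f.vuln, f.url, f.param)

def scanner_stats(findings, verdicts):
    """Per scanner: reported, confirmed, false positives and precision.
    verdicts maps issue_key -> True (confirmed) / False (false positive);
    findings without a verdict count as unverified and are left out of precision."""
    stats = defaultdict(lambda: dict(reported=0, confirmed=0, false_positives=0, unverified=0))
    for f in findings:
        s = stats[f.scanner]
        s["reported"] += 1
        v = verdicts.get(issue_key(f))
        s["confirmed" if v is True else "false_positives" if v is False else "unverified"] += 1
    for s in stats.values():
        verified = s["confirmed"] + s["false_positives"]
        s["precision"] = s["confirmed"] / verified if verified else None
    return dict(stats)

def false_positive_rate(findings, verdicts):
    """Share of verified findings that manual analysis rejected (the slides' ~319 of 1387)."""
    verified = [verdicts[issue_key(f)] for f in findings if issue_key(f) in verdicts]
    return sum(1 for v in verified if not v) / len(verified)

def corroborated(findings):
    """Issues reported by two or more scanners: sensible candidates to verify first."""
    reporters = defaultdict(set)
    for f in findings:
        reporters[issue_key(f)].add(f.scanner)
    return {k for k, s in reporters.items() if len(s) >= 2}

SAMPLE = [  # constructed scanner output
    Finding("scannerA", "app1", "XSS", "/search", "q"),
    Finding("scannerB", "app1", "XSS", "/search", "q"),
    Finding("scannerA", "app1", "SQLi", "/login", "user"),
    Finding("scannerB", "app1", "SQLi", "/news", "id"),
    Finding("scannerC", "app2", "XSS", "/comment", "body"),
    Finding("scannerC", "app2", "PathTraversal", "/download", "file"),
]
VERDICTS = {  # constructed manual verification; the last SAMPLE issue is not yet verified
    ("app1", "XSS", "/search", "q"): True,
    ("app1", "SQLi", "/login", "user"): False,
    ("app1", "SQLi", "/news", "id"): True,
    ("app2", "XSS", "/comment", "body"): False,
}
```

With this data the false-positive rate is 0.4 over the five verified findings, and the one issue reported by two scanners is the confirmed XSS in app1.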
  27. Evaluate Results
     - Maybe these tools are not so bad
     - In the right context
     - Leverage security awareness
     - False positives are also good (am I crazy?)
  28. Questions?