SlideShare a Scribd company logo
1 of 36
Challenges of Automated Web Application Scanning
"Why automated scanning only solves half the problem."
                                                         Black Hat Federal
                                                          Washington D.C.
                                                           October 2, 2003


                                                         © 2003 by WhiteHat Security, Inc.
Speaker

        Jeremiah Grossman (Chief Executive Officer)
        •         Founded WhiteHat Security in 2001
        •         Former Yahoo! Information Security Officer
        •         Performed over 400 web application assessments
        •         Primary developer of WhiteHat Arsenal, Web Server
                  Fingerprinter, CIS Apache Benchmark Tool, and
                  platform for Sentinel
        •         Frequent conference speaker at
                  BlackHat, AFITC, Defcon, WSA, ISSA, ToorCon, etc.
        •         Whitepapers on Web Application Security, Cross-Site
                  Scripting, and Cross-Site Tracing
        •         Credited on several major web application vulnerability
                  advisories

© 2003 by WhiteHat Security, Inc.        www.whitehatsec.com
Types of Security




© 2003 by WhiteHat Security, Inc.   www.whitehatsec.com
Web applications are vulnerable!


         The Gartner Group

         75% of the cyber attacks today are at the
         application level.

         97% of the over 300 Web sites audited were found
         vulnerable to Web application attack.

               The WhiteHat team has witnessed similar results though
                               its work experience.


© 2003 by WhiteHat Security, Inc.     www.whitehatsec.com
Attractive targets

        Web applications control the data that is most valuable.

                                       Credit Cards Numbers
                                       Bank Account Information
                                       Classified Information
                                       Personally Identifiable Information
                                       Medical History
                                       Personal Email

                                       There is a web application for everything!


© 2003 by WhiteHat Security, Inc.   www.whitehatsec.com
Compounding the problem

      Conventional security solutions do not properly
      address the problem. Firewalls and SSL are not
      adequate security for a web application.

      Frequent software updates and new web site
      functionality increase the potential for new web
      application vulnerabilities.

      Web application security assessments require a
      tremendous amount of time,money, skill and
      diligence.
© 2003 by WhiteHat Security, Inc.   www.whitehatsec.com
Automating vulnerability discovery

           halting problem

           The halting problem is a decision problem which
           can be informally stated as follows:

           “Given a description of an algorithm and a
           description of its initial arguments, determine
           whether the algorithm, when executed with
           these arguments, ever halts.”

          undecidable problem

          “Not all problems can be solved. An undecidable problem is one that
          cannot be solved by any algorithm, even given unbounded time and
          memory.”

© 2003 by WhiteHat Security, Inc.          www.whitehatsec.com
Humans vs. Scanners

                                    Humans, as well as automated scanners,
                                    are best suited for identifying different types
                                    of security issues.
                                    Scanners can be expected to be very thorough
                                    in their testing process and only identify easily
                                    identified “technical” vulnerabilities.
      These automated scanners will not uncover multi-step
      procedure problems that often occur in complex web
      application. These procedural problems are referred to as
      “logical issues”.

      A human possess the ability to analyze a large set of
      circumstances and determine, reasonably quickly, if a
      weakness in a process exists.
© 2003 by WhiteHat Security, Inc.                www.whitehatsec.com
Logical vs. Technical

              Technical Flaws                                              Logical Flaws
              Cross Site Scripting                                         Manipulation of application
              SQL Injection                                                business logic
              Directory Traversal
              Command Injection                                            Price List Modification
              Frame Spoofing                                               Account Privilege Expansion
              Buffer Overflows                                             False Account Creation
              Directory Indexing                                           User Impersonation
              Backup Files/Directories                                     Unauthorized Funds
              Configuration File                                           Transfer
              Disclosure




                                    Action requires a human intelligence.
© 2003 by WhiteHat Security, Inc.                    www.whitehatsec.com
Technical Vulnerability

             String of code or repeatable pattern that a computer can be
             programmed to recognize


            If I put a single quote there and get a ODBC error
                  then there is a SQL Injection vulnerability.




© 2003 by WhiteHat Security, Inc.         www.whitehatsec.com
Logical Vulnerability




           “At step 3 of the wire transfer process, change the
           account parameter to point to the account you wish to
           transfer funds from. Continue changing the parameter
           on the next 2 steps of the transfer process.”




© 2003 by WhiteHat Security, Inc.   www.whitehatsec.com
Logical Flaws in the News

                                       Hackers Shortcut Hotmail
                                      Password Reset Protections
           According to information obtained by Newsbytes, hackers
         recently discovered a way to skip the validation form and go
          directly to any user's "secret question" prompt. From there,
          the intruder is only one step away from resetting the user's
             password. Sources say that since the discovery of the
             security hole roughly two weeks ago, a small cadre of
            hackers has been patiently checking a long list of high-
              profile and desirable usernames for easily-guessed
                          answers to secret questions.
                                    http://www.computeruser.com/news/02/02/13/news2.html


© 2003 by WhiteHat Security, Inc.                       www.whitehatsec.com
We need a solution that makes sense!

                “If a scanner alone will not complete the job
                by itself, then a combination of software
                and security personnel is required.”

                •     Identify all technical and logical security issues.
                •     Be able to handle large web sites.
                •     Be able to maintain a logged-in state.
                •     Low volume of false positives
                •     Scheduled
                •     Consistently current
                •     Ability to scan remotely with no source code access


© 2003 by WhiteHat Security, Inc.          www.whitehatsec.com
Using and Building Scanners

       For years we tested all forms of free and commercial web application
       Scanning tools and utilities as consultants, developers and administrators.

       * Disappointed in all available solutions *

       WhiteHat formed a team of industry leading web application security
       professionals, web application developers, and statistical analysis
       engineers.

       WhiteHat’s team spent the last two years developing the latest in
       Web application scanning technology.

       In the process of developing web application scanners, a tremendous
       amount of R&D was required to handle unforeseen challenges.



© 2003 by WhiteHat Security, Inc.        www.whitehatsec.com
Remote Testing

              Automated web applications scanners use a remote
              black box approach. All web applications are different.
              Different software, platforms, and configuration.

              Network Security Scanning:
              “Identifying known vulnerabilities in known code.”


              Web Application Security:
              “Identifying known classes of vulnerabilities in
              unknown code.”


© 2003 by WhiteHat Security, Inc.      www.whitehatsec.com
Automated Scanning Challenges

                     Automated Login
                     Logout Detection

                     Infinite Web Sites
                     Authentication System Auditing
                     Errors and Responses
                     Multi-Step Processes
                     Strange URL Structure
                     Client-Side Generated Links

© 2003 by WhiteHat Security, Inc.         www.whitehatsec.com
Automated Login
                        The web application scanner must be able to
                        generically login to a web application on demand.




                   A scan is largely invalid if scanned while not properly
                   authenticated because full functionality cannot be
                   exercised.
© 2003 by WhiteHat Security, Inc.              www.whitehatsec.com
Automated Login

                        The login process must support:
                        •     Client-Side Scripting Languages.




© 2003 by WhiteHat Security, Inc.                   www.whitehatsec.com
Detecting Logout

                        A scanner will at some point become logged out.
                        How does the scanner know when its been
                        logged out?

                        Logout occurs by:
                        • Clicking logout links
                        • Timing out
                        • Application errors
                        • Session expiration
                        etc,etc,etc,…


© 2003 by WhiteHat Security, Inc.           www.whitehatsec.com
Detecting Logout

                   We used a system that performs preliminary tests on the
                   web application to learn the login/logout nuances.




© 2003 by WhiteHat Security, Inc.          www.whitehatsec.com
Infinite Web Sites

              The website is enormous and crawling the entire
              site in a reasonable amount of time is impossible.
              Must compile an accurate structural map.


              Dynamic Web Sites:
              • Rate of addition
              • Rate of decay
              • Very large database of
                items 500,000+ links
              • Dynamic URL creation




© 2003 by WhiteHat Security, Inc.        www.whitehatsec.com
Infinite Web Sites
                     Condense the amount of links we need to crawl
                     and create a complete structural map of the site.

                     Locate:
                     All web applications
                     All unique parameter name instances




© 2003 by WhiteHat Security, Inc.             www.whitehatsec.com
Authentication System Auditing

                  Many web application authentication systems are inherently
                  weak. They can be susceptible to session hi-jacking, session
                  replay, etc.

                  Cookie: T=user=admin

                  Or

                  Cookie: S=UID=ae5fad5ad6a8asd6as9

                  Even if the scanner could twiddle the bits, how does scanner know
                  when something works or does not work or what's good or what's bad?
                  How does a scanner know when it accesses another bank account?
                  “Scanner is not able to generically determine context of good or bad”



© 2003 by WhiteHat Security, Inc.                 www.whitehatsec.com
Response Codes and Errors

                        Not Found does not always mean, “Not Found”.


                        •     Not everyone is RFC compliant
                        •     Universal Error Catching
                        •     Error strings are different




© 2003 by WhiteHat Security, Inc.                  www.whitehatsec.com
Response Codes and Errors




© 2003 by WhiteHat Security, Inc.   www.whitehatsec.com
Response Strings

             Application Errors

             SQL Injections
             XSS
             Command Injection


   Removing response messages helps
   prevent against exploitation. However,
   prevents scanners from finding the
   vulnerbilities. Lots of false positives.




© 2003 by WhiteHat Security, Inc.        www.whitehatsec.com
Multi-Step Process

                        Websites will commonly have HTML Form flows with
                        multiple steps to completion. This application flow cannot
                        be traversed and mapped generically by a web application
                        scanner.




© 2003 by WhiteHat Security, Inc.              www.whitehatsec.com
Multi-Step Process (Anti-Automation)

                        If a computer is not supposed to
                        automate this process, then how can a
                        scanner?




© 2003 by WhiteHat Security, Inc.       www.whitehatsec.com
Strange URL Structure
                There are some very strange looking URLs these days. The
                normal web application url structure has a “?” delimiting the file
                name from the parameters. However, developers have realized
                that many web spiders will not index dynamic data so they have
                opted for some non-standard trickery.

                The goal is to identify:
                • Web application filename
                • Web application parameter names and values


                Even if:
                • There is no question mark
                • No “&” and uses strange delimiters.
                • Strange file extension (like .html)




© 2003 by WhiteHat Security, Inc.             www.whitehatsec.com
Normal URL Structure

                Normal:

                /articles/03/08/19/1748206.shtml?tid=109&tid=111&tid=126

                /news?hl=en&edition=us&q=a&btnG=Search+News

                /shopping/category.asp?categoryID=11

                /weeknight_survival.asp?wday=3&ww=this


                Inject into the name value pairs.




© 2003 by WhiteHat Security, Inc.            www.whitehatsec.com
Strange URL Structure

                Strange:

      /gp/browse.html/10217298046144934?node=1036592

      /exec/obidos/ASIN/B00009J5VW/ref=e_hp_cb_3_1/12-1729804-6144934

      /srs7/sid=030803095821064050032/g=home/search/detail/base_pid/271134/

      /catindex/computers.html?ssPageName=MOPS5:HEC03

      /exec/obidos/subst/home/home.html/102-17298046144934

      /shop/enter.asp?category=2378467~2378483




© 2003 by WhiteHat Security, Inc.     www.whitehatsec.com
Client Side Generated Links

                        Sometimes websites will have menus and style sheets
                        which create hyperlinks on the fly. In these cases, web
                        crawlers have a extremely difficult time traversing the site
                        since the links are not yet built and parseable.




                        “Unsolved problem by all web crawlers.”




© 2003 by WhiteHat Security, Inc.               www.whitehatsec.com
Fragile Web Application

                      Web applications can be extremely
                      fragile, especially where there is database
                      access.


                      Run the scans low and slow.




© 2003 by WhiteHat Security, Inc.             www.whitehatsec.com
What have we learned?

             “A web application scanner can alleviate a tremendous
             workload in a penetration test. However, software alone cannot
             be expected perform the entire task of securing a web
             application”.


             “All web application scanners find vulnerabilities using error
             messages. If error messages are suppressed, vulnerabilities are
             exponentially harder to detect using automated means.”


             “All web application scanners will produce a high volume of
             false positives.”



© 2003 by WhiteHat Security, Inc.       www.whitehatsec.com
Humans and Scanners
                        “Human assessments and scanners are required for complete
                        vulnerability coverage when it comes to web applications.”


                        Confidential Information Disclosure                     Session Management
                           Verbose Error Messages                                  Brute/Reverse Force
                           HTML Comments
                                                                                   Session Hi-Jacking
                           Known Directory
                           Known CGI File                                          Session Replay
                           Configuration File Disclosure                           Session Forging
                           Backup File Disclosure                                  Password Recovery

                        Application Input Manipulation
                                                                                Logical Vulnerabilities
                           SQL Injection
                                                                                   Logical Flaws (Manipulation of
                           Cross-Site/In-Line Scripting
                                                                                   application business logic)
                           Buffer Overflow
                           OS Command Injection
                                                                                   Account Privilege Escalation
                           Meta Character Injection                                Page Sequencing
                           Directory Traversal                                     User Impersonation
                           Null Injection                                          Improper Session Handling
                           User-Agent Manipulation
                           Referrer Manipulation
                           Debug Commands
                           Extension Manipulation
                           Frame Spoofing


© 2003 by WhiteHat Security, Inc.                         www.whitehatsec.com
Thank You - Questions?
                                 Jeremiah Grossman
                         Jeremiah@whitehatsec.com
                         http://www.whitehatsec.com


                                 © 2003 by WhiteHat Security, Inc.

More Related Content

More from Jeremiah Grossman

The Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryThe Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryJeremiah Grossman
 
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensExploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensJeremiah Grossman
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareJeremiah Grossman
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareJeremiah Grossman
 
Next Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideNext Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideJeremiah Grossman
 
Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Jeremiah Grossman
 
Ransomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowRansomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowJeremiah Grossman
 
Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Jeremiah Grossman
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage YearsJeremiah Grossman
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage YearsJeremiah Grossman
 
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)Jeremiah Grossman
 
WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015Jeremiah Grossman
 
No More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security GuaranteesNo More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security GuaranteesJeremiah Grossman
 
WhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedWhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedJeremiah Grossman
 
WhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportWhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportJeremiah Grossman
 
WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)Jeremiah Grossman
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Jeremiah Grossman
 
WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]Jeremiah Grossman
 
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"Jeremiah Grossman
 

More from Jeremiah Grossman (20)

The Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryThe Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare Industry
 
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensExploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
 
Next Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideNext Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers Guide
 
Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?
 
Ransomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowRansomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to Know
 
Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years
 
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
 
WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015
 
No More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security GuaranteesNo More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security Guarantees
 
WhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedWhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report Explained
 
WhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportWhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics Report
 
Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
 
WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012
 
WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]
 
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
 

Recently uploaded

New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 

Recently uploaded (20)

New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 

Challenges of Automated Web Application Scanning

  • 1. Challenges of Automated Web Application Scanning "Why automated scanning only solves half the problem." Black Hat Federal Washington D.C. October 2, 2003 © 2003 by WhiteHat Security, Inc.
  • 2. Speaker Jeremiah Grossman (Chief Executive Officer) • Founded WhiteHat Security in 2001 • Former Yahoo! Information Security Officer • Performed over 400 web application assessments • Primary developer of WhiteHat Arsenal, Web Server Fingerprinter, CIS Apache Benchmark Tool, and platform for Sentinel • Frequent conference speaker at BlackHat, AFITC, Defcon, WSA, ISSA, ToorCon, etc. • Whitepapers on Web Application Security, Cross-Site Scripting, and Cross-Site Tracing • Credited on several major web application vulnerability advisories © 2003 by WhiteHat Security, Inc. www.whitehatsec.com
  • 3. Types of Security © 2003 by WhiteHat Security, Inc. www.whitehatsec.com
  • 4. Web applications are vulnerable! The Gartner Group 75% of the cyber attacks today are at the application level. 97% of the over 300 Web sites audited were found vulnerable to Web application attack. The WhiteHat team has witnessed similar results though its work experience. © 2003 by WhiteHat Security, Inc. www.whitehatsec.com
  • 5. Attractive targets Web applications control the data that is most valuable. Credit Cards Numbers Bank Account Information Classified Information Personally Identifiable Information Medical History Personal Email There is a web application for everything! © 2003 by WhiteHat Security, Inc. www.whitehatsec.com
  • 6. Compounding the problem Conventional security solutions do not properly address the problem. Firewalls and SSL are not adequate security for a web application. Frequent software updates and new web site functionality increase the potential for new web application vulnerabilities. Web application security assessments require a tremendous amount of time,money, skill and diligence. © 2003 by WhiteHat Security, Inc. www.whitehatsec.com
  • 7. Automating vulnerability discovery halting problem The halting problem is a decision problem which can be informally stated as follows: “Given a description of an algorithm and a description of its initial arguments, determine whether the algorithm, when executed with these arguments, ever halts.” undecidable problem “Not all problems can be solved. An undecidable problem is one that cannot be solved by any algorithm, even given unbounded time and memory.” © 2003 by WhiteHat Security, Inc. www.whitehatsec.com
  • 8. Humans vs. Scanners Humans, as well as automated scanners, are best suited for identifying different types of security issues. Scanners can be expected to be very thorough in their testing process and only identify easily identified “technical” vulnerabilities. These automated scanners will not uncover multi-step procedure problems that often occur in complex web application. These procedural problems are referred to as “logical issues”. A human possess the ability to analyze a large set of circumstances and determine, reasonably quickly, if a weakness in a process exists. © 2003 by WhiteHat Security, Inc. www.whitehatsec.com
  • 9. Logical vs. Technical Technical Flaws Logical Flaws Cross Site Scripting Manipulation of application SQL Injection business logic Directory Traversal Command Injection Price List Modification Frame Spoofing Account Privilege Expansion Buffer Overflows False Account Creation Directory Indexing User Impersonation Backup Files/Directories Unauthorized Funds Configuration File Transfer Disclosure Action requires a human intelligence. © 2003 by WhiteHat Security, Inc. www.whitehatsec.com
  • 10. Technical Vulnerability String of code or repeatable pattern that a computer can be programmed to recognize If I put a single quote there and get a ODBC error then there is a SQL Injection vulnerability. © 2003 by WhiteHat Security, Inc. www.whitehatsec.com
  • 11. Logical Vulnerability “At step 3 of the wire transfer process, change the account parameter to point to the account you wish to transfer funds from. Continue changing the parameter on the next 2 steps of the transfer process.” © 2003 by WhiteHat Security, Inc. www.whitehatsec.com
  • 12. Logical Flaws in the News Hackers Shortcut Hotmail Password Reset Protections According to information obtained by Newsbytes, hackers recently discovered a way to skip the validation form and go directly to any user's "secret question" prompt. From there, the intruder is only one step away from resetting the user's password. Sources say that since the discovery of the security hole roughly two weeks ago, a small cadre of hackers has been patiently checking a long list of high- profile and desirable usernames for easily-guessed answers to secret questions. http://www.computeruser.com/news/02/02/13/news2.html © 2003 by WhiteHat Security, Inc. www.whitehatsec.com
  • 13. We need a solution that makes sense! “If a scanner alone will not complete the job by itself, then a combination of software and security personnel is required.” • Identify all technical and logical security issues. • Be able to handle large web sites. • Be able to maintain a logged-in state. • Low volume of false positives • Scheduled • Consistently current • Ability to scan remotely with no source code access © 2003 by WhiteHat Security, Inc. www.whitehatsec.com
  • 14. Using and Building Scanners For years we tested all forms of free and commercial web application Scanning tools and utilities as consultants, developers and administrators. * Disappointed in all available solutions * WhiteHat formed a team of industry leading web application security professionals, web application developers, and statistical analysis engineers. WhiteHat’s team spent the last two years developing the latest in Web application scanning technology. In the process of developing web application scanners, a tremendous amount of R&D was required to handle unforeseen challenges. © 2003 by WhiteHat Security, Inc. www.whitehatsec.com
  • 15. Remote Testing Automated web applications scanners use a remote black box approach. All web applications are different. Different software, platforms, and configuration. Network Security Scanning: “Identifying known vulnerabilities in known code.” Web Application Security: “Identifying known classes of vulnerabilities in unknown code.” © 2003 by WhiteHat Security, Inc. www.whitehatsec.com
  • 16. Automated Scanning Challenges Automated Login Logout Detection Infinite Web Sites Authentication System Auditing Errors and Responses Multi-Step Processes Strange URL Structure Client-Side Generated Links © 2003 by WhiteHat Security, Inc. www.whitehatsec.com
  • 17. Automated Login The web application scanner must be able to generically login to a web application on demand. A scan is largely invalid if scanned while not properly authenticated because full functionality cannot be exercised. © 2003 by WhiteHat Security, Inc. www.whitehatsec.com
  • 18. Automated Login The login process must support: • Client-Side Scripting Languages. © 2003 by WhiteHat Security, Inc. www.whitehatsec.com
  • 19. Detecting Logout A scanner will at some point become logged out. How does the scanner know when its been logged out? Logout occurs by: • Clicking logout links • Timing out • Application errors • Session expiration etc,etc,etc,… © 2003 by WhiteHat Security, Inc. www.whitehatsec.com
  • 20. Detecting Logout We used a system that performs preliminary tests on the web application to learn the login/logout nuances. © 2003 by WhiteHat Security, Inc. www.whitehatsec.com
  • 21. Infinite Web Sites The website is enormous and crawling the entire site in a reasonable amount of time is impossible. Must compile an accurate structural map. Dynamic Web Sites: • Rate of addition • Rate of decay • Very large database of items 500,000+ links • Dynamic URL creation © 2003 by WhiteHat Security, Inc. www.whitehatsec.com
  • 22. Infinite Web Sites Condense the amount of links we need to crawl and create a complete structural map of the site. Locate: All web applications All unique parameter name instances © 2003 by WhiteHat Security, Inc. www.whitehatsec.com
  • 23. Authentication System Auditing Many web application authentication systems are inherently weak. They can be susceptible to session hi-jacking, session replay, etc. Cookie: T=user=admin Or Cookie: S=UID=ae5fad5ad6a8asd6as9 Even if the scanner could twiddle the bits, how does scanner know when something works or does not work or what's good or what's bad? How does a scanner know when it accesses another bank account? “Scanner is not able to generically determine context of good or bad” © 2003 by WhiteHat Security, Inc. www.whitehatsec.com
  • 24. Response Codes and Errors Not Found does not always mean, “Not Found”. • Not everyone is RFC compliant • Universal Error Catching • Error strings are different © 2003 by WhiteHat Security, Inc. www.whitehatsec.com
  • 25. Response Codes and Errors © 2003 by WhiteHat Security, Inc. www.whitehatsec.com
  • 26. Response Strings Application Errors SQL Injections XSS Command Injection Removing response messages helps prevent against exploitation. However, prevents scanners from finding the vulnerbilities. Lots of false positives. © 2003 by WhiteHat Security, Inc. www.whitehatsec.com
  • 27. Multi-Step Process Websites will commonly have HTML Form flows with multiple steps to completion. This application flow cannot be traversed and mapped generically by a web application scanner. © 2003 by WhiteHat Security, Inc. www.whitehatsec.com
  • 28. Multi-Step Process (Anti-Automation) If a computer is not supposed to automate this process, then how can a scanner? © 2003 by WhiteHat Security, Inc. www.whitehatsec.com
  • 29. Strange URL Structure There are some very strange looking URLs these days. The normal web application url structure has a “?” delimiting the file name from the parameters. However, developers have realized that many web spiders will not index dynamic data so they have opted for some non-standard trickery. The goal is to identify: • Web application filename • Web application parameter names and values Even if: • There is no question mark • No “&” and uses strange delimiters. • Strange file extension (like .html) © 2003 by WhiteHat Security, Inc. www.whitehatsec.com
  • 30. Normal URL Structure Normal: /articles/03/08/19/1748206.shtml?tid=109&tid=111&tid=126 /news?hl=en&edition=us&q=a&btnG=Search+News /shopping/category.asp?categoryID=11 /weeknight_survival.asp?wday=3&ww=this Inject into the name value pairs. © 2003 by WhiteHat Security, Inc. www.whitehatsec.com
  • 31. Strange URL Structure Strange: /gp/browse.html/10217298046144934?node=1036592 /exec/obidos/ASIN/B00009J5VW/ref=e_hp_cb_3_1/12-1729804-6144934 /srs7/sid=030803095821064050032/g=home/search/detail/base_pid/271134/ /catindex/computers.html?ssPageName=MOPS5:HEC03 /exec/obidos/subst/home/home.html/102-17298046144934 /shop/enter.asp?category=2378467~2378483 © 2003 by WhiteHat Security, Inc. www.whitehatsec.com
  • 32. Client Side Generated Links Sometimes websites will have menus and style sheets which create hyperlinks on the fly. In these cases, web crawlers have a extremely difficult time traversing the site since the links are not yet built and parseable. “Unsolved problem by all web crawlers.” © 2003 by WhiteHat Security, Inc. www.whitehatsec.com
  • 33. Fragile Web Application Web applications can be extremely fragile, especially where there is database access. Run the scans low and slow. © 2003 by WhiteHat Security, Inc. www.whitehatsec.com
  • 34. What have we learned? “A web application scanner can alleviate a tremendous workload in a penetration test. However, software alone cannot be expected perform the entire task of securing a web application”. “All web application scanners find vulnerabilities using error messages. If error messages are suppressed, vulnerabilities are exponentially harder to detect using automated means.” “All web application scanners will produce a high volume of false positives.” © 2003 by WhiteHat Security, Inc. www.whitehatsec.com
  • 35. Humans and Scanners “Human assessments and scanners are required for complete vulnerability coverage when it comes to web applications.” Confidential Information Disclosure Session Management Verbose Error Messages Brute/Reverse Force HTML Comments Session Hi-Jacking Known Directory Known CGI File Session Replay Configuration File Disclosure Session Forging Backup File Disclosure Password Recovery Application Input Manipulation Logical Vulnerabilities SQL Injection Logical Flaws (Manipulation of Cross-Site/In-Line Scripting application business logic) Buffer Overflow OS Command Injection Account Privilege Escalation Meta Character Injection Page Sequencing Directory Traversal User Impersonation Null Injection Improper Session Handling User-Agent Manipulation Referrer Manipulation Debug Commands Extension Manipulation Frame Spoofing © 2003 by WhiteHat Security, Inc. www.whitehatsec.com
  • 36. Thank You - Questions? Jeremiah Grossman Jeremiah@whitehatsec.com http://www.whitehatsec.com © 2003 by WhiteHat Security, Inc.