Automating Web Applications Security Assessments Through Scanners
Presented at IBWAS'10 (slide transcript)
Slide 1: Automating Web Applications Security Assessments through Scanners

Slide 2: Agenda
- Motivation
- Web Scanners
- Web Scanners Evaluation
- Case Study

Slide 3: Motivation
- Lack of security awareness
- Organizations do not invest properly in security
- Critical programmers do not understand security issues
- Finish my master thesis....

Slide 4: Motivation (figure only)

Slide 5: Testing Methods
- White box and gray box: source code access and some kind of internal infrastructure knowledge
- Black box: online access to the web application only
  - Testing with automatic tools (web scanners)
  - Confirming the scanners' results

Slide 6: Web Scanners
- "Try" to find application-level vulnerabilities
- Perform pre-defined tests: active analysis through attack simulation
  - HTTP message manipulation
  - HTTP message inspection
  - Finding odd attributes
  - Fuzzing
  - Code analysis
  - ...
- Scan the web application
  - Content analysis
  - Specifically crafted requests
  - Results generation

Slide 7: Web Scanners
- Very important in some scenarios
- Point and shoot
- Scan for vulnerabilities

Slide 8: Web Scanners (figure only)

Slide 9: Web Scanners Evaluation
- NIST SAMATE: Software Assurance Metrics and Tools Evaluation
- WASSEC: Web Application Security Scanner Evaluation Criteria

Slide 10: Web Scanners Evaluation: NIST SAMATE
- Web application issues
  - Technical vulnerabilities
  - Security vulnerabilities
  - Architectural/logical vulnerabilities
  - Other vulnerabilities
- No longer supported since 1 January 2010

Slide 11: Web Scanners Evaluation: WASSEC
- Protocol support
- Authentication
- Session management
- Crawling
- Parsing
- Testing
- Command and control
- Reporting
- Customized (extra criteria added for this work)

Slide 12: Web Scanners Evaluation: complementary evaluation method
- Select a vulnerability to test
- Create exploitation levels based on information about how to protect against it
- Explore the web scanner's behaviour at each level

Slide 13: Web Scanners Evaluation
- Ideally we would create a web application to assess each level
- Optionally we can just use predefined, available ones:
  - Cenzic
  - Watchfire
  - WebMaven / Buggy Bank
  - Updated Hacme Bank
  - OWASP WebGoat
  - Stanford SecuriBench

Slide 14: Manual Analysis
- Why?
  - Vulnerability analysis
  - There are always false positives
  - Understand how to test it
- For each vulnerability:
  - Impacts
  - Mitigation
  - Manual confirmation needed
  - Documentation
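The "exploitation levels" method of slide 12 and the manual-confirmation step of slide 14 can be tried out on a desk-sized test bed. The following is an added example, not code from the talk or from the master thesis it describes: it stands up a local HTTP server with one reflected parameter behind four hypothetical protection levels (none, a naive "<script" blacklist, HTML output encoding, and unencoded reflection inside a JSON response), then runs a scanner-style probe that flags any verbatim reflection of the payload and, as the manual-confirmation rule, only "confirms" a finding when the reflecting context is actually HTML. The endpoint names, payloads and the flagged/confirmed rule are all assumptions made for this demonstration.

```python
"""Added example (not from the talk): a reflected-XSS test bed with four
hypothetical protection levels plus a scanner-style probe, showing how a
scanner's verdict changes with the protection applied and why a verbatim
reflection still needs manual confirmation.  Endpoints, payloads and level
names are made up for this demonstration."""
import html
import json
import re
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Protection applied to the reflected parameter, weakest to strongest.
def no_protection(value):
    return value

def naive_blacklist(value):
    # Strips "<script" only; every other injection vector survives.
    return re.sub(r"(?i)<script", "", value)

def output_encoding(value):
    return html.escape(value, quote=True)

# Each level: (sanitizer, content type, body template).  The last level
# reflects unencoded but as JSON: a pure reflection check flags it, although
# the response is not an HTML document.
LEVELS = {
    "/l0": (no_protection, "text/html; charset=utf-8", "<p>You searched for: {}</p>"),
    "/l1": (naive_blacklist, "text/html; charset=utf-8", "<p>You searched for: {}</p>"),
    "/l2": (output_encoding, "text/html; charset=utf-8", "<p>You searched for: {}</p>"),
    "/l3": (no_protection, "application/json", None),
}

class TestBed(BaseHTTPRequestHandler):
    def do_GET(self):
        url = urllib.parse.urlsplit(self.path)
        if url.path not in LEVELS:
            self.send_error(404)
            return
        sanitize, ctype, template = LEVELS[url.path]
        q = urllib.parse.parse_qs(url.query).get("q", [""])[0]
        body = json.dumps({"q": sanitize(q)}) if template is None else template.format(sanitize(q))
        data = body.encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # silence per-request logging
        pass

# Payloads a black-box scanner might send for reflected XSS (constructed).
PAYLOADS = {
    "script_tag": "<script>alert(1)</script>",
    "event_handler": "<img src=x onerror=alert(1)>",
}

# Ignore any proxy settings in the environment; we only talk to 127.0.0.1.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def probe(base, path, payload):
    """One scanner-style check: 'flagged' when the payload comes back verbatim,
    'confirmed' when, on top of that, the reflecting context is HTML."""
    url = f"{base}{path}?q={urllib.parse.quote(payload)}"
    with OPENER.open(url) as resp:
        body = resp.read().decode("utf-8")
        ctype = resp.headers.get("Content-Type", "")
    flagged = payload in body
    confirmed = flagged and ctype.startswith("text/html")
    return {"flagged": flagged, "confirmed": confirmed}

def run_matrix():
    """Scan every level with every payload; returns {path: {payload: verdict}}."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), TestBed)  # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        return {path: {name: probe(base, path, p) for name, p in PAYLOADS.items()}
                for path in LEVELS}
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for path, verdicts in run_matrix().items():
        print(path, verdicts)
```

Reading the matrix level by level is the point of the method: the blacklist level (/l1) defeats the script-tag payload but not the event-handler one, so a scanner that only sends the first payload would wrongly report the level as protected; the JSON level (/l3) is flagged by the reflection check yet fails confirmation, which is exactly the kind of finding the manual analysis of slide 14 exists to weed out.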
Slide 15: Case Study
- Related to my master thesis
- 17 real web applications
  - Government
  - Education
  - Other relevant service providers

Slide 16: Case Study
- Choose web scanners
- Apply web scanners to web applications
- Evaluate results

Slide 17: Case Study: Choose Web Scanners
- Survey the web scanners available in the open-source community
- Discard the less accepted web scanners
- Apply customized WASSEC

Slide 18: Case Study: Choose Web Scanners
- Web scanners found in the open-source community:
  - Grabber
  - Grendel-Scan
  - Paros Proxy
  - Powerfuzzer
  - SecurityQA Toolbar
  - Skipfish
  - W3AF
  - Wapiti
  - Watcher
  - Websecurify
  - Netsparker
  - OpenAcunetix
  - RatProxy

Slide 19: Case Study: Choose Web Scanners
- Discard the less accepted web scanners (same candidate list as slide 18; the less accepted ones are filtered out at this step)

Slide 20: Case Study: Choose Web Scanners
- Apply customized WASSEC, with these extra criteria:
  - OWASP Top 10 coverage
  - Recent activity and updates
  - Support for new technologies
  - Fast bug fixing (easy to interact with the developers)

Slide 21: Case Study: Choose Web Scanners (figure only)

Slide 22: Case Study: Apply Web Scanners to Web Applications

  Platform    | Web applications
  ------------|-----------------
  PHP         | 8
  Java        | 1
  .NET/ASPX   | 8
  Total       | 17

Slide 23: Test Methodology
- Select the web application (after legal authorization)
- For each web scanner:
  - Run the web scanner
  - Document the vulnerabilities found
  - Manual verification, using different tools and live CDs
- End of tests
- Create a detailed report
- Deliver the report to the organization

Slide 24: Case Study: Apply Web Scanners to Web Applications (figure only)

Slide 25: Case Study: Apply Web Scanners to Web Applications (figure only)

Slide 26: Case Study: Apply Web Scanners to Web Applications
- Of a total of 1387 vulnerabilities found....
- ....about 319 are false positives (roughly 23%)

Slide 27: Evaluate Results
- Maybe these tools are not so bad
- In the right context
- They help raise security awareness
- False positives are also good (am I crazy?)

Slide 28: Questions?