Scanning for Web Vulnerabilities
By Hacking Spot

2. Purpose of Tool Evaluations
• Precisely document what a tool class does and does not do
• Inform users
  – Match the tool to a particular situation
  – Understand significance of tool results
• Provide feedback to tool developers

3. Details of Tool Evaluations
• Select class of tool
• Develop clear (testable) requirements
  – Tool functional specification aided by focus groups
  – Spec posted for public comment
• Develop a measurement methodology
  – Develop reference datasets (test cases)
  – Document interpretation criteria

4. Some Tools for Specific Applications*
• Static Analysis Security Tools
• Web Application Vulnerability Tools
• Binary Analysis Tools
• Web Services Tools
• Network Scanner Tools

5. Other Types of Software Assurance Security Tools*
• Firewall
• Intrusion Detection/Prevention System
• Virus Detection
• Fuzzers
• Web Proxy Honeypots
• Blackbox Pen Tester

6. How to Classify Tools and Techniques
• Life Cycle Process (requirements, design, …)
• Automation (manual, semi, automatic)
• Approach (preclude, detect, mitigate, react, appraise)
• Viewpoint (blackbox, whitebox (static, dynamic))
• Other (price, platform, languages, …)

7. The Rise of Web App Vulnerability
[Chart: top web app vulnerabilities as % of total vulnerabilities in NVD, years 2000–2006, y-axis 0–25%; series plotted: Remote file inclusion, SQL injection, Cross-site scripting]

8. Web Application Security Scanner
A web application security scanner is software which communicates with a web application through the web front-end and identifies potential security weaknesses in the web application.*

9. Web Application Architecture
[Diagram: a Client (Browser, Tool, etc.) sends HTTP Requests to the Web Server, which runs the Webapp and answers with HTML, etc.; the Webapp in turn talks to the Database Server]

10. Characteristics of Web Application
- Client and Server Interaction
- Distributed n-tiered architecture
- Remote access
- Heterogeneity
- Content delivery via HTTP
- Concurrency
- Session management
- Authentication and authorization

11. Scope – What types of tools does this spec NOT address?
- Limited to tools that examine software applications on the web.
- Does not apply to tools that scan other artifacts, like requirements, byte-code, or binary code
- Does not apply to database scanners
- Does not apply to other system security tools, e.g., firewalls, anti-virus, gateways, routers, switches, intrusion detection systems

12. Some Vulnerabilities that Web Application Scanners Check
- Cross-Site Scripting (XSS)
- Injection flaws
- Authentication and access control weaknesses
- Path manipulation
- Improper Error Handling

13. Some Web Application Security Scanning Tools
- AppScan DE by Watchfire, Inc. (IBM)
- WebInspect by SPI Dynamics (HP)
- Acunetix WVS by Acunetix
- Hailstorm by Cenzic, Inc.
- W3AF, Grabber, Paros, etc.
- others…

14. Establishing a Framework to Compare
• What is a common set of functions?
• Can they be tested?
• How can one measure the effectiveness?
HackingSpot is “neutral”, not consumer reports, and does not endorse products.

15. Purpose of a Specification
• Precisely document what a tool class does and does not do
• Provide feedback to tool developers
• Inform users
• Match the tool to a particular situation
• Understand significance of tool results

16. How should this spec be viewed?
• Specifies basic (minimum) functionality
• Defines features unambiguously
• Represents a consensus on tool functions and requirements
• Serves as a guide to measure the capability of tools

17. How should this spec be used?
• Not to prescribe the features and functions that all web application scanner tools must have.
• Use of a tool that complies with this specification does not guarantee the application is free of vulnerabilities.
• Production tools should have capabilities far beyond those indicated.
• Used as the basis for developing test suites to measure how a tool meets these requirements.

18. Criteria for selection of Web Application Vulnerabilities
• Found in existing applications today
• Recognized by tools today
• Likelihood of exploit or attack is medium to high

19. Web Application Vulnerabilities
• OWASP Top Ten 2007
• WASC Threat Classification
• CWE – 600+ weaknesses definition dictionary
• CAPEC – 100+ attack patterns for known exploits

20. Test Suites
• Test applications that model real security features and vulnerabilities
• Configurable to be vulnerable to one or many types of attack
• Ability to provide increasing level of defense for a vulnerability

21. Defense Mechanisms
• Different programmers use different defenses
• Defenses/Filters are not all equivalent
• We have different instances of vulnerabilities: levels of defense

22. Levels of Defense
• Example: Cross-Site Request Forgeries
[Diagram: a CSRF script on Untrusted.c0m redirects the victim's browser to MyShopping.Com with GET /shop.aspx?ItemID=42&Accept=Yes; MyShopping.Com answers “Thanks For Buying This Item!”; the lure is “This nice new website: Untrusted.c0m”]

23. Levels of Defense
• Example: Cross-Site Request Forgeries
  - Level 0: No Protection (bad)
  - Level 1: Using only POST (well...)
  - Level 2: Checking the referrer (better, but the referrer may be spoofed)
  - Level 3: Using a nonce (good)
• Higher level means harder to break

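As an added example that is not part of the slides, the four CSRF defense levels above modelled as one server-side check in Python; the shop host name, the request fields and the session store are assumptions. The cross-site purchase from the slide's diagram is replayed against each level to show which levels stop it and why level 3 is the one that holds.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed host name of the protected shop (stands in for MyShopping.Com).
SITE_HOST = "myshopping.com"


class Request:
    """Constructed stand-in for the fields a server-side CSRF check can see."""

    def __init__(self, method, referer=None, form=None, session=None):
        self.method = method          # HTTP method
        self.referer = referer        # Referer header: may be absent or forged
        self.form = form or {}        # submitted query/body parameters
        self.session = session if session is not None else {}  # server-side session


def issue_nonce(session):
    """Level 3: mint an unguessable per-session token and keep it server-side.
    The site embeds it in its own forms; a third-party page cannot read it."""
    token = secrets.token_urlsafe(32)
    session["csrf_nonce"] = token
    return token


def csrf_check(level, req):
    """Return True if the purchase request is accepted at the given defense level."""
    if level == 0:
        # Level 0: no protection; the GET from the slide's diagram goes straight through.
        return True
    if level == 1:
        # Level 1: require POST. Stops a plain link/redirect, not an auto-submitted form.
        return req.method == "POST"
    if level == 2:
        # Level 2: require POST and a Referer on our own host. The header may be
        # missing (privacy settings, proxies) or, as the slide notes, spoofed.
        if req.method != "POST" or not req.referer:
            return False
        return urlsplit(req.referer).hostname == SITE_HOST
    if level == 3:
        # Level 3: require POST and a nonce equal to the one stored in this session.
        # Constant-time comparison avoids leaking the token through timing.
        expected = req.session.get("csrf_nonce")
        supplied = req.form.get("csrf_nonce", "")
        if req.method != "POST" or not expected:
            return False
        return hmac.compare_digest(expected, supplied)
    raise ValueError(f"unknown defense level {level}")


def accepted_at(req):
    """Map each defense level 0..3 to whether it accepts the request."""
    return {level: csrf_check(level, req) for level in range(4)}


def demo():
    """Replay the slide's scenario: the victim is logged in (has a session) and
    three request shapes arrive. Returns the per-level verdicts for each."""
    session = {}
    nonce = issue_nonce(session)
    purchase = {"ItemID": "42", "Accept": "Yes"}

    # A genuine purchase submitted from the shop's own form carries the nonce.
    genuine = Request("POST", referer=f"https://{SITE_HOST}/shop.aspx",
                      form={**purchase, "csrf_nonce": nonce}, session=session)
    # The diagram's cross-site redirect: GET, Referer from Untrusted.c0m, no nonce.
    redirect = Request("GET", referer="https://untrusted.c0m/",
                       form=purchase, session=session)
    # The slide's level-2 caveat: a cross-site POST whose Referer reads as our host.
    # It still lacks the nonce, because the third-party page never saw it.
    spoofed = Request("POST", referer=f"https://{SITE_HOST}/",
                      form=purchase, session=session)

    return {"genuine": accepted_at(genuine),
            "redirect": accepted_at(redirect),
            "spoofed": accepted_at(spoofed)}


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```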
24. [Diagram: the Web Application Scanner Tool sends Attacks to the Web Server (Webapp, backed by the Database Server) and receives HTML, etc.; the Tool Report is compared against the Seeded Vulns. cheat sheet – do they match?]

25. Attacks Analysis
• An action that exploits a vulnerability
• What exactly is the tool testing?
• What do I need to test in my application?
• Do the results match?

26. [Diagram: the Web Application Scanner Tool sends Attacks to the Web Server (Webapp, backed by the Database Server) and receives HTML, etc.; an Attacks Analysis step sits between the Tool Report and the Seeded Vulns. – do they match?]

27. Test Suite Evaluation
• Test Suite with 21 vulnerabilities (XSS, SQL Injection, File Inclusion)
  – PHP, MySQL, Ajax
  – LAMP
• 4 Scanners (Commercial and Open Source)
• One type of vulnerability at a time
• Results (Detection rate, False-Positive rate)

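As an added example that is not part of the slides, the scoring step of the evaluation setup above (tool report matched against the seeded-vulnerability cheat sheet, reporting detection rate and false-positive rate) written in Python. The seeded list, the report findings and the matching key (type, path, parameter) are constructed assumptions; the false-positive rate is taken here as false positives over distinct findings reported, which is one of several definitions in use.

```python
from collections import defaultdict

# Constructed cheat sheet: vulnerabilities deliberately seeded into the test suite.
SEEDED = [
    {"id": "V01", "type": "XSS",  "path": "/search.php",    "param": "q"},
    {"id": "V02", "type": "XSS",  "path": "/guestbook.php", "param": "message"},
    {"id": "V03", "type": "XSS",  "path": "/profile.php",   "param": "name"},
    {"id": "V04", "type": "SQLi", "path": "/login.php",     "param": "username"},
    {"id": "V05", "type": "SQLi", "path": "/product.php",   "param": "id"},
    {"id": "V06", "type": "RFI",  "path": "/index.php",     "param": "page"},
]

# Constructed scanner report: what one tool claimed to find on the same suite.
REPORT = [
    {"type": "XSS",  "path": "/search.php",    "param": "q"},
    {"type": "XSS",  "path": "/search.php",    "param": "q"},        # same finding reported twice
    {"type": "XSS",  "path": "/Guestbook.php", "param": "message"},  # path case differs
    {"type": "XSS",  "path": "/about.php",     "param": "lang"},     # not seeded: false positive
    {"type": "SQLi", "path": "/product.php",   "param": "id"},
    {"type": "SQLi", "path": "/contact.php",   "param": "email"},    # not seeded: false positive
]


def finding_key(f):
    """Normalise a finding so the same bug reported in different spellings matches once."""
    return (f["type"], f["path"].lower(), f["param"].lower())


def score(seeded, report):
    """Match the report against the cheat sheet. Returns per-type and overall
    detection rate (= detected / seeded) and false-positive rate
    (= false positives / distinct findings reported), plus the ids missed."""
    seeded_by_key = {finding_key(v): v["id"] for v in seeded}
    reported_keys = {finding_key(f) for f in report}   # duplicate findings collapse here

    counts = defaultdict(lambda: {"seeded": 0, "detected": 0, "false_positives": 0})
    missed = []
    for key, vid in seeded_by_key.items():
        counts[key[0]]["seeded"] += 1
        if key in reported_keys:
            counts[key[0]]["detected"] += 1
        else:
            missed.append(vid)
    for key in reported_keys - set(seeded_by_key):
        counts[key[0]]["false_positives"] += 1

    def rates(c):
        reported = c["detected"] + c["false_positives"]
        return {
            **c,
            "detection_rate": c["detected"] / c["seeded"] if c["seeded"] else None,
            "false_positive_rate": c["false_positives"] / reported if reported else None,
        }

    total = {"seeded": 0, "detected": 0, "false_positives": 0}
    for c in counts.values():
        for k in total:
            total[k] += c[k]
    return {
        "per_type": {t: rates(c) for t, c in counts.items()},
        "overall": rates(total),
        "missed": sorted(missed),
    }


if __name__ == "__main__":
    result = score(SEEDED, REPORT)
    for vtype, r in result["per_type"].items():
        print(f"{vtype:5} detection={r['detection_rate']}  fp_rate={r['false_positive_rate']}")
    print("overall", result["overall"])
    print("missed", result["missed"])
```

Running one vulnerability type at a time, as the slide describes, means calling score() on the subset of SEEDED and REPORT for that type; the per_type breakdown gives the same numbers from a single combined run.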
28. Issues with Web Application Scanner Tools
• Tools are limited in scope (companies sell a service as opposed to selling a tool)
• Speed versus Depth (in-depth testing takes time)
• Difficult to read output reports (typically log files)
• False-Positives
• Tuning versus default mode

Thank You