Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-box Web Vulnerability Scanners
Rana Khalil
Master Thesis Defense, 20/11/2018
School of EECS
University of Ottawa
Committee:
Carlisle Adams (Supervisor)
Guy-Vincent Jourdan
Anil Somayaji (Carleton University)
Roadmap
1. Introduction
2. Methodology
3. Results
4. Conclusion
Introduction
• We use websites for everything: e-commerce, online banking, social networking,
social media, etc.
• Web security has become a major concern
How to Secure a Web Application?
• A combination of techniques is used to secure web applications:
• Static code analysis
• Web application firewalls
• Secure coding practices
• Web application vulnerability scanners
• Etc.
• Focus of this research: Performing a comprehensive comparative analysis of the
performance of six chosen scanners
Previous Work
• Suto’s case studies [10][11]
• The 2007 paper evaluated scanners in point-and-shoot (PaS) mode
• The 2010 paper evaluated scanners in both PaS and Trained modes
• Benchmark applications:
• Web Input Vector Extractor Teaser (WIVET), created in 2009 by Tatli et al. [12]
• Web Application Vulnerability Scanner Evaluation Project (WAVSEP), created in 2010 by Chen [13]
• Doupé et al.’s evaluation of web application vulnerability scanners (WAVS) in both PaS and Trained modes on the WackoPicko application [15]
• Several other studies include [14], [16] and [17]
Methodology
Figure 2.1: Methodology Process: Tool Selection → Benchmark Selection → Environment Setup → Feature and Metric Selection → Result Analysis
Tool Selection
• Chen’s evaluation [18]
• Consultation with professional ethical hackers
Table 2.1: Characteristics of the Scanners Evaluated
Benchmark Selection
• Benchmark applications
• WIVET - contains 56 test cases that utilize both Web 1.0 and Web 2.0 technologies
• WAVSEP - consists of a total of 1220 true positive (TP) test cases and 40 false
positive (FP) test cases covering a range of vulnerability categories
• WackoPicko - intentionally vulnerable realistic web application
• Contains 16 vulnerabilities covering several of the OWASP Top 10
• Contains crawling challenges: HTML parsing, multi-step process, infinite web site,
authentication, client-side code, etc.
Environment Setup
• Each scanner was run in two modes:
• Default - default configuration settings
• Configured - three steps (Table 2.2):
1. Maximize crawling coverage by changing the configuration
2. Maximize crawling coverage by use of a proxy
3. Maximize attack vectors
• WackoPicko test scans were further divided into two subcategories:
• INITIAL - without authentication (publicly accessible pages only)
• CONFIG - with a valid username/password combination
• In total, each scanner was run eight times: Default and Configured on WIVET and on WAVSEP, and Default and Configured in each of INITIAL and CONFIG on WackoPicko
Note: Tests were performed in a VM that was restored to its initial state before every test run.
Table 2.2: Steps Included in Configured Scan
Feature Selection
• Crawling coverage:
• % of passed test cases on the WIVET application
• Crawling challenges in the WackoPicko application
• Vulnerability detection accuracy:
• TP, FN and FP on the WAVSEP and WackoPicko
applications
• Speed:
• Scan time on the WAVSEP and WackoPicko applications
• Reporting:
• Vulnerability detected
• Vulnerability location
• Exploit performed
• Usability:
• Efficiency
• Product documentation
• Community support
Figure 2.2: Feature Measurement (which application measures which feature): crawling coverage on WIVET and WackoPicko; detection accuracy on WAVSEP and WackoPicko; speed on WAVSEP and WackoPicko
Metric Selection
Table 2.3: Vulnerability Scores
• The final ranking was calculated from the crawling coverage and vulnerability detection scores on the WackoPicko application
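Scoring a scanner report against a benchmark's ground truth, as an added example that is not part of the thesis or its test harness: the TP/FN/FP counting behind the detection-accuracy feature. WAVSEP distinguishes true-positive test cases (really vulnerable) from false-positive test cases (safe pages that resemble vulnerable ones), and the per-category breakdown is what reveals that a scanner finds every case of one category and few of another. The ground truth, the report and the page names below are constructed sample data, not the thesis's measurements.

```python
"""Added example (not from the thesis): score a scanner report against a
benchmark's ground truth to obtain TP, FN and FP counts and per-category
detection rates. All data below is constructed sample data."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Case:
    """One benchmark location: a vulnerability category at (page, parameter)."""
    category: str
    page: str
    param: str


# Constructed ground truth, WAVSEP-style: TP cases are really vulnerable,
# FP cases are safe pages that resemble vulnerable ones (flagging one of
# them is a false positive).
TP_CASES = {
    Case("RXSS", "/rxss/case1.jsp", "q"),
    Case("RXSS", "/rxss/case2.jsp", "name"),
    Case("RXSS", "/rxss/case3.jsp", "msg"),
    Case("SQLi", "/sqli/case1.jsp", "id"),
    Case("SQLi", "/sqli/case2.jsp", "user"),
    Case("LFI", "/lfi/case1.jsp", "file"),
    Case("LFI", "/lfi/case2.jsp", "tpl"),
}
FP_CASES = {
    Case("RXSS", "/rxss/fp1.jsp", "q"),   # output is HTML-encoded, not exploitable
    Case("SQLi", "/sqli/fp1.jsp", "id"),  # parameterised query, not exploitable
}

# Constructed scanner report (what a scanner's output would be parsed into).
REPORT = {
    Case("RXSS", "/rxss/case1.jsp", "q"),
    Case("RXSS", "/rxss/case2.jsp", "name"),
    Case("RXSS", "/rxss/fp1.jsp", "q"),        # flagged a safe page
    Case("SQLi", "/sqli/case1.jsp", "id"),
    Case("SQLi", "/sqli/case2.jsp", "user"),
    Case("SQLi", "/other/page.jsp", "x"),      # flagged a page with no test case
}


def score(report: set[Case], tp_cases: set[Case], fp_cases: set[Case]) -> dict:
    """Overall TP/FN/FP counts and rates.

    FP counts both the benchmark's FP traps that were flagged and any
    finding that matches no test case at all (pure noise)."""
    tp = report & tp_cases
    fn = tp_cases - report
    flagged_traps = report & fp_cases
    noise = report - tp_cases - fp_cases
    return {
        "TP": len(tp),
        "FN": len(fn),
        "FP": len(flagged_traps) + len(noise),
        "detection_rate": len(tp) / len(tp_cases) if tp_cases else 0.0,
        "fp_trap_rate": len(flagged_traps) / len(fp_cases) if fp_cases else 0.0,
    }


def per_category(report: set[Case], tp_cases: set[Case]) -> dict[str, float]:
    """Detection rate per vulnerability category, e.g. to see that a scanner
    finds every SQLi case but no LFI case."""
    found: dict[str, int] = defaultdict(int)
    total: dict[str, int] = defaultdict(int)
    for case in tp_cases:
        total[case.category] += 1
        if case in report:
            found[case.category] += 1
    return {cat: found[cat] / total[cat] for cat in sorted(total)}


if __name__ == "__main__":
    print(score(REPORT, TP_CASES, FP_CASES))
    print(per_category(REPORT, TP_CASES))
```

Matching is exact on (category, page, parameter). Against real scanner output most of the comparison effort goes into normalising URLs and mapping each scanner's own category names onto the benchmark's before this counting step can run.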
Vulnerability Detection Accuracy – FN 1/2
FNs in WackoPicko and reason(s):
1. Weak password - admin interface with credentials admin/admin
• Scanners did not attempt to guess the username/password, or
• Scanners did attempt to guess the username/password but failed
2. Session id - vulnerability in the admin interface
• Scanners did not guess the admin credentials and therefore never reached this vulnerability
3. Parameter manipulation - userid of the sample-user functionality
• Most scanners did not attempt to manipulate the userid field
• Arachni manipulated the userid field but failed to enter a valid number
• Skipfish successfully manipulated the userid field but did not report it as a vulnerability
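The two active checks that FN 1 and FN 3 above call for, as an added example (not code from the thesis, from WackoPicko or from any of the scanners): a default-credential probe against a discovered login form, and a userid manipulation check that substitutes valid neighbouring ids and, unlike a scanner that merely mutates the field, reports the ids that return someone else's object. The target application, its paths, parameter names and sample users are a constructed in-memory stand-in so that the script runs offline.

```python
"""Added example (not from the thesis): two active checks a black-box
scanner needs in order to find WackoPicko FN #1 (default admin credentials)
and FN #3 (userid parameter manipulation). The target is a constructed
in-memory stand-in for the application, so the script runs offline."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable

# ---- constructed stand-in for the target (assumption, not WackoPicko's code)
USERS = {1: "alice", 2: "bob", 3: "carol"}   # constructed sample users
ADMIN_CREDS = ("admin", "admin")              # the weak pair named on the slide


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def fake_app(method: str, path: str, params: dict) -> Response:
    """Minimal request handler playing the target application."""
    if method == "POST" and path == "/admin/login.php":
        if (params.get("username"), params.get("password")) == ADMIN_CREDS:
            return Response(302, "Location: /admin/index.php")
        return Response(200, "Login failed")
    if method == "GET" and path == "/users/sample.php":
        raw = params.get("userid", "")
        if not raw.isdigit():      # non-numeric ids are rejected (Arachni's failure mode)
            return Response(400, "userid must be numeric")
        uid = int(raw)
        if uid in USERS:
            return Response(200, f"<h1>Profile of {USERS[uid]}</h1>")
        return Response(404, "no such user")
    return Response(404, "")


Send = Callable[[str, str, dict], Response]

# ---- check 1: default-credential guessing on a discovered login form ------
DEFAULT_CREDS = [("admin", "admin"), ("admin", "password"), ("root", "root")]


def check_weak_login(send: Send, login_path: str) -> list[tuple[str, str]]:
    """Try a short default-credential list; a pair counts as a hit when the
    response differs (status or body) from a known-bad login."""
    baseline = send("POST", login_path, {"username": "nobody", "password": "wrong"})
    hits = []
    for user, password in DEFAULT_CREDS:
        r = send("POST", login_path, {"username": user, "password": password})
        if (r.status, r.body) != (baseline.status, baseline.body):
            hits.append((user, password))
    return hits


# ---- check 2: parameter manipulation (insecure direct object reference) ---
def check_idor(send: Send, path: str, param: str, own_id: int,
               probe: range = range(1, 6)) -> list[int]:
    """Substitute neighbouring integer ids for the caller's own id and report
    every id that returns a valid (200) object different from the caller's.
    Substituting valid numbers rather than random strings is what passes the
    numeric check; reporting the differing objects is the step a scanner
    that only mutates the field still has to take."""
    own = send("GET", path, {param: str(own_id)})
    leaked = []
    for candidate in probe:
        if candidate == own_id:
            continue
        r = send("GET", path, {param: str(candidate)})
        if r.status == 200 and r.body != own.body:
            leaked.append(candidate)
    return leaked


if __name__ == "__main__":
    print("weak logins:", check_weak_login(fake_app, "/admin/login.php"))
    print("ids reachable from userid=1:",
          check_idor(fake_app, "/users/sample.php", "userid", 1))
```

Both checks are heuristics: a login response that differs from the baseline may be a lockout message rather than a session, and a different object behind another id is only a vulnerability if the caller was not authorised to see it. That authorisation question is application knowledge a black-box scanner does not have, which is why the thesis lists these among the vulnerabilities the scanners missed.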
Vulnerability Detection Accuracy – FN 2/2
FNs in WackoPicko and reason(s):
4. Stored SQL injection - required registering a user
5. Directory traversal - required a photo upload
6. Multi-step stored XSS - required completing a multi-step process
• Reasons for 4-6: crawling challenges (discussed later); lack of detection for these types of vulnerabilities
7. Forceful browsing - link to a high-quality version of a picture
8. Logic flaw - coupon management system
• Reasons for 7-8: application-specific vulnerabilities that require understanding the business logic of the application
Note: WAVSEP FNs not listed
Vulnerability Detection Accuracy – TP 1/2
Table 3.1: WackoPicko Default and Configured Scan Detection Results
Vulnerability columns: RXSS, Stored XSS, Reflected SQLi, Command line injection, File Inclusion, File Exposure, RXSS behind JS, RXSS behind Flash. Each cell names the scan (INITIAL, unauthenticated; CONFIG, authenticated) in which the scanner detected that vulnerability; cells were colour-coded Default versus Configured in the original. Column alignment did not survive extraction, so only each scanner's detected cells are listed:
Arachni: 6 detected (all in INITIAL)
Burp Pro: 8 detected (7 in INITIAL, 1 in CONFIG)
Skipfish: 5 detected (all in INITIAL)
Vega: 4 detected (all in INITIAL)
Wapiti: 4 detected (all in INITIAL)
ZAP: 7 detected (6 in INITIAL, 1 in CONFIG)
• All scanners missed at least 50% of the 16 vulnerabilities
• Running the scanners in Configured (trained) mode increased overall detection
Vulnerability Detection Accuracy – TP 2/2
Figure 3.1: WAVSEP Overall TP Detection (% of WAVSEP tests detected)
Scanner    Default   Configured
Arachni    60.16%    60.16%
Burp       27.87%    42.54%
Skipfish    4.02%    62.62%
Wapiti     25.41%    24.43%
Vega       71.31%    71.31%
ZAP        60.74%    79.26%
Key Observations:
• WAVSEP results were better than WackoPicko; possible reasons:
• The vulnerability categories covered by the application
• Scanner developers integrating WAVSEP into the SDLC of the scanner itself
• ZAP achieved the highest score, followed by Vega and Skipfish
• Vulnerability category detection varied with scanner
• Arachni discovered 100% of SQLi, RFI and unvalidated redirect cases, but had a low detection rate for LFI vulnerabilities
Crawling Coverage 1/2
Table 3.2: Account Creation
Scanner    # of Accounts
Arachni    202
Burp Pro   113
Skipfish   364
Vega       117
Wapiti       0
ZAP        111
Features that scanners found difficult to crawl in WackoPicko:
• Uploading a picture
• No scanner was able to upload a picture in Default mode
• Burp and ZAP were able to in Configured mode
• Authentication
• All scanners except Wapiti successfully created accounts
• Multi-step processes
• No scanner was able to complete the process in Default mode
• Burp and ZAP were able to in Configured mode
Crawling Coverage 2/2
Figure 3.2: WIVET Results (% of WIVET tests passed)
Scanner    Default   Configured
Arachni    94        94
Burp       50        50
Skipfish   50        50
Wapiti     50        50
Vega       16        16
ZAP        42        78
Features that scanners found difficult to crawl in WackoPicko (continued):
• Infinite websites
• All scanners recognized the infinite loop except Arachni
• Client-side code
• Flash applications
• Dynamic JavaScript
• Ajax requests
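The crawl-side guard against the infinite-website challenge above, as an added example (not code from the thesis or from any of the scanners): a breadth-first crawler that bounds itself by link depth and by a cap on visits per page template, so that a page which always links to "the next date" is sampled a few times and then abandoned instead of being followed forever. The link graph, host name and paths below are a constructed in-memory stand-in for the target, so the script runs offline.

```python
"""Added example (not from the thesis): a crawl-side guard against the
'infinite web site' challenge in WackoPicko, where a calendar page links to
the next period forever. The site below is a constructed in-memory link
graph standing in for the application."""
from __future__ import annotations

import re
from collections import deque
from typing import Callable
from urllib.parse import parse_qsl, urlencode, urljoin, urlsplit, urlunsplit


def fake_site(url: str) -> list[str]:
    """Links found on each page of the constructed target. The calendar page
    always links to the next date, so a naive crawl never terminates."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query))
    if parts.path == "/index.php":
        return ["/calendar.php?date=1", "/users/login.php",
                "/pictures/upload.php", "/index.php#top"]
    if parts.path == "/calendar.php":
        nxt = int(params.get("date", "0")) + 1
        return [f"/calendar.php?date={nxt}", "/index.php"]
    return ["/index.php"]


def normalize(url: str) -> str:
    """Canonical form so that /index.php#top and /index.php are one page and
    query-parameter order does not create duplicates."""
    parts = urlsplit(url)
    query = urlencode(sorted(parse_qsl(parts.query)))
    return urlunsplit((parts.scheme, parts.netloc.lower(), parts.path or "/", query, ""))


def template(url: str) -> tuple[str, tuple[str, ...]]:
    """Page template: path with digit runs collapsed plus the sorted parameter
    names. Every calendar page shares one template regardless of its date."""
    parts = urlsplit(url)
    names = tuple(sorted(k for k, _ in parse_qsl(parts.query)))
    return (re.sub(r"\d+", "N", parts.path), names)


def crawl(fetch_links: Callable[[str], list[str]], start: str,
          max_depth: int = 10, per_template_cap: int = 3) -> tuple[list[str], int]:
    """Breadth-first crawl bounded by link depth and by a cap on how many
    pages of the same template are visited. Returns (visited, skipped)."""
    start = normalize(start)
    seen = {start}
    visits_per_template: dict[tuple, int] = {}
    queue = deque([(start, 0)])
    visited: list[str] = []
    skipped = 0
    while queue:
        url, depth = queue.popleft()
        key = template(url)
        if visits_per_template.get(key, 0) >= per_template_cap:
            skipped += 1          # this template has been sampled enough already
            continue
        visits_per_template[key] = visits_per_template.get(key, 0) + 1
        visited.append(url)
        if depth >= max_depth:
            continue
        for link in fetch_links(url):
            link = normalize(urljoin(url, link))
            if link not in seen:
                seen.add(link)
                queue.append((link, depth + 1))
    return visited, skipped


if __name__ == "__main__":
    pages, dropped = crawl(fake_site, "http://wackopicko.test/index.php")
    print(f"{len(pages)} pages crawled, {dropped} skipped by the template cap")
    print("\n".join(pages))
```

The template cap trades coverage for termination: distinct content that differs only by a numeric id is sampled, not exhausted, so the cap should be set per application and the depth limit kept as a second guard. The crawl here is unauthenticated; keeping a session alive across the crawl is a separate problem, and one the thesis reported against Arachni [34].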
Scanning Speed
Figure 3.3: WackoPicko Default Scanning Speed (scan time in hours)
Scanner    INITIAL   CONFIG
Arachni    0.3       0.32
Burp       0.1       0.12
Skipfish   0.05      0.1
Vega       0.08      0.1
Wapiti     0.04      0.05
ZAP        0.07      0.18
Figure 3.4: WackoPicko Configured Scanning Speed (scan time in hours)
Scanner    INITIAL   CONFIG
Arachni    0.3       0.32
Burp       0.17      0.35
Skipfish   0.05      0.1
Vega       0.12      0.22
Wapiti     1.47      1.62
ZAP        0.2       1.31
Reporting Features
Features tested for:
1) List of all the vulnerabilities detected
2) Locations of all the detected vulnerabilities
3) Exploits performed to detect these vulnerabilities
All six scanners generate reports that include the above three features
Usability Features
Features tested for:
1) Efficiency
2) Product documentation
3) Community support
Table 3.3: Usability Features
Final Ranking
Figure 3.4: Final Ranking
Name Score
Burp Pro 26
ZAP 23
Arachni 15
Wapiti 10
Skipfish 10
Vega 8
Comparison to Previous Research
• Suto’s 2010 study found no significant increase in vulnerability detection between PaS and Trained modes
• Our results show a significant increase for several of the scanners
• Possible reasons for the differing conclusion: different benchmark applications and scanners were used
• Doupé et al.’s 2010 study showed that scanners had difficulty crawling common web technologies such as Flash applications and dynamic JavaScript, measured on the WackoPicko and WIVET applications
• Our results show the same
• Doupé et al.’s study showed that scanners missed several categories of vulnerabilities such as weak authentication, stored vulnerabilities and logic-specific vulnerabilities
• Our results show the same
• Doupé et al.’s study showed that commercial scanners are not significantly better than open-source scanners
• Our results show the same
Conclusion
• Scanners are far from usable as point-and-shoot (PaS) tools on their own
• Several classes of vulnerabilities were not detected
• Scanners had difficulty crawling through common web technologies such as dynamic
JavaScript and Flash applications
• Different scanners have different strengths/weaknesses
• Open-source scanner performance is comparable to commercial scanner performance and in
several cases better
References
[1] Internet Live Stats, “Internet Users.” http://www.internetlivestats.com/internet-users/, 2018. Accessed Aug. 4, 2018.
[2] Internet Live Stats, “Total number of Websites.” http://www.internetlivestats.com/total-number-of-websites/, 2018. Accessed Aug. 4, 2018.
[3] M. Braga, “100,000 Canadian victims: What we know about the Equifax breach - and what we don’t.” https://www.cbc.ca/news/technology/equifax-canada-breach-sin-cybersecurity-what-we-know-1.4297532, Sept. 2017. Accessed Aug. 4, 2018.
[4] Trustwave, “2018 Trustwave Global Security Report.” https://www2.trustwave.com/GlobalSecurityReport.html, 2018. Accessed Aug. 4, 2018.
[5] “The OWASP Foundation.” https://www.owasp.org/index.php/Main_Page, 2018. Accessed Aug. 3, 2018.
[6] “Category:OWASP Top Ten Project.” https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=Main, 2018. Accessed Aug. 3, 2018.
[7] “OWASP Top 10 - 2017: The Ten Most Critical Web Application Security Risks.” https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf, 2018. Accessed Aug. 3, 2018.
[8] J. Jive, “XSS Vectors Cheat Sheet.” https://gist.github.com/kurobeats/9a613c9ab68914312cbb415134795b45, 2017. Accessed Aug. 3, 2018.
[9] B. Shura, R. Auger, and R. Gaucher, “Web Application Security Scanner Evaluation Criteria.” http://projects.webappsec.org/w/page/13246986/Web%20Application%20Security%20Scanner%20Evaluation%20Criteria, 2014. Accessed Aug. 4, 2018.
[10] L. Suto, “Analyzing the Effectiveness and Coverage of Web Application Security Scanners,” Case Study, Oct. 2007.
[11] L. Suto, “Analyzing the Accuracy and Time Costs of Web Application Security Scanners,” Feb. 2010.
[12] E. I. Tatli and B. Urgun, “Web Input Vector Extractor Teaser.” https://github.com/bedirhan/wivet, 2014. Accessed Aug. 1, 2018.
[13] S. Chen, “The Web Application Vulnerability Scanner Evaluation Project.” https://github.com/sectooladdict/wavsep, 2014. Accessed Aug. 2, 2018.
[14] J. Bau, E. Bursztein, D. Gupta, and J. Mitchell, “State of the art: Automated black-box web application vulnerability testing,” in 2010 IEEE Symposium on Security and Privacy (SP), pp. 332–345, May 2010.
[15] A. Doupé, M. Cova, and G. Vigna, “Why Johnny Can’t Pentest: An Analysis of Black-Box Web Vulnerability Scanners,” in Detection of Intrusions and Malware, and Vulnerability Assessment (C. Kreibich and M. Jahnke, eds.), (Berlin, Heidelberg), pp. 111–131, Springer Berlin Heidelberg, 2010.
[16] K. McQuade, “Open Source Web Vulnerability Scanners: The Cost Effective Choice?,” in Conference for Information Systems Applied Research, 2014.
[17] S. ElIdressi, N. Berbiche, F. Guerouate, and M. Sbihi, “Performance Evaluation of Web Application Security Scanners for Prevention and Protection against Vulnerabilities,” International Journal of Applied Engineering Research, vol. 12, pp. 11068–11076, 2017.
[18] S. Chen, “The Prices vs. Features of Web Application Vulnerability Scanners.” http://sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-opensource-list.html, 2016. Accessed Aug. 1, 2018.
[19] “Home - Arachni - Web Application Security Scanner Framework.” http://www.arachni-scanner.com/, 2017. Accessed Aug. 4, 2018.
[20] L. Kuppan, “IronWASP - Iron Web application Advanced Security testing Platform.” https://ironwasp.org/index.html, 2014. Accessed Aug. 4, 2018.
[21] “OWASP Zed Attack Proxy Project.” https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project, 2018. Accessed Aug. 4, 2018.
[22] M. Zalewski, “skipfish(1) - Linux man page.” https://linux.die.net/man/1/skipfish. Accessed Aug. 4, 2018.
[23] N. Surribas, “Wapiti : a Free and Open-source Web-application Vulnerability Scanner.” http://wapiti.sourceforge.net/, 2018. Accessed Aug. 4, 2018.
[24] “Vega Vulnerability Scanner - Subgraph OS.” https://subgraph.com/vega/, 2014. Accessed Aug. 4, 2018.
[25] “Burp Suite Scanner | PortSwigger.” https://portswigger.net/burp, 2018. Accessed Aug. 4, 2018.
[26] “AppScan - Application Security | IBM.” https://www.ibm.com/security/application-security/appscan, 2018. Accessed Aug. 3, 2018.
[27] R. Siles and S. Bennetts, “OWASP Vulnerable Web Applications Directory Project.” https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project, 2018. Accessed Aug. 1, 2018.
[28] A. Doupé, “WackoPicko Vulnerable Website.” https://github.com/adamdoupe/WackoPicko, 2018. Accessed Aug. 2, 2018.
[29] C. Willis, “OWASP Broken Web Applications Project.” https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project, 2016. Accessed Aug. 3, 2018.
[30] A. Riancho, “WIVET - Web Input Vector Extractor Teaser.” https://hub.docker.com/r/andresriancho/wivet/, 2015. Accessed Aug. 2, 2018.
[31] “The Web Application Vulnerability Scanner Evaluation Project.” https://hub.docker.com/r/owaspvwad/wavsep/, 2016. Accessed Aug. 2, 2018.
[32] R. Khalil, “Thesis-Test-Results.” https://github.com/rkhal101/Thesis-Test-Results, 2018.
[33] “Crawler Coverage and Vulnerability Detection.” http://www.arachni-scanner.com/features/framework/crawl-coverage-vulnerability-detection/. Accessed Aug. 4, 2018.
[34] R. Khalil, “Arachni does not maintain session across scan #986.” https://github.com/Arachni/arachni/issues/986, 2018. Accessed Aug. 4, 2018.
[35] R. Khalil, “Sitemap does not contain all crawled links #987.” https://github.com/Arachni/arachni/issues/987, 2018. Accessed Aug. 4, 2018.
[36] R. Khalil, “Run Vega on WIVET #157.” https://github.com/subgraph/Vega/issues/157, 2018. Accessed Aug. 4, 2018.
[37] R. Khalil, “‘Alerts for this node’ does not display high alerts of risk type High #4899.” https://github.com/zaproxy/zaproxy/issues/4899, 2018. Accessed Aug. 4, 2018.
Thank you!

 
CLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCE
CLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCECLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCE
CLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCE
BhavyaRajput3
 
Phrasal Verbs.XXXXXXXXXXXXXXXXXXXXXXXXXX
Phrasal Verbs.XXXXXXXXXXXXXXXXXXXXXXXXXXPhrasal Verbs.XXXXXXXXXXXXXXXXXXXXXXXXXX
Phrasal Verbs.XXXXXXXXXXXXXXXXXXXXXXXXXX
MIRIAMSALINAS13
 
Francesca Gottschalk - How can education support child empowerment.pptx
Francesca Gottschalk - How can education support child empowerment.pptxFrancesca Gottschalk - How can education support child empowerment.pptx
Francesca Gottschalk - How can education support child empowerment.pptx
EduSkills OECD
 
Additional Benefits for Employee Website.pdf
Additional Benefits for Employee Website.pdfAdditional Benefits for Employee Website.pdf
Additional Benefits for Employee Website.pdf
joachimlavalley1
 
Embracing GenAI - A Strategic Imperative
Embracing GenAI - A Strategic ImperativeEmbracing GenAI - A Strategic Imperative
Embracing GenAI - A Strategic Imperative
Peter Windle
 
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
Nguyen Thanh Tu Collection
 
How to Make a Field invisible in Odoo 17
How to Make a Field invisible in Odoo 17How to Make a Field invisible in Odoo 17
How to Make a Field invisible in Odoo 17
Celine George
 
Guidance_and_Counselling.pdf B.Ed. 4th Semester
Guidance_and_Counselling.pdf B.Ed. 4th SemesterGuidance_and_Counselling.pdf B.Ed. 4th Semester
Guidance_and_Counselling.pdf B.Ed. 4th Semester
Atul Kumar Singh
 
The geography of Taylor Swift - some ideas
The geography of Taylor Swift - some ideasThe geography of Taylor Swift - some ideas
The geography of Taylor Swift - some ideas
GeoBlogs
 
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER  FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...TESDA TM1 REVIEWER  FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
EugeneSaldivar
 
The Roman Empire A Historical Colossus.pdf
The Roman Empire A Historical Colossus.pdfThe Roman Empire A Historical Colossus.pdf
The Roman Empire A Historical Colossus.pdf
kaushalkr1407
 

Recently uploaded (20)

The basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptxThe basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptx
 
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
 
Home assignment II on Spectroscopy 2024 Answers.pdf
Home assignment II on Spectroscopy 2024 Answers.pdfHome assignment II on Spectroscopy 2024 Answers.pdf
Home assignment II on Spectroscopy 2024 Answers.pdf
 
Model Attribute Check Company Auto Property
Model Attribute  Check Company Auto PropertyModel Attribute  Check Company Auto Property
Model Attribute Check Company Auto Property
 
2024.06.01 Introducing a competency framework for languag learning materials ...
2024.06.01 Introducing a competency framework for languag learning materials ...2024.06.01 Introducing a competency framework for languag learning materials ...
2024.06.01 Introducing a competency framework for languag learning materials ...
 
The Accursed House by Émile Gaboriau.pptx
The Accursed House by Émile Gaboriau.pptxThe Accursed House by Émile Gaboriau.pptx
The Accursed House by Émile Gaboriau.pptx
 
Introduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp NetworkIntroduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp Network
 
Unit 2- Research Aptitude (UGC NET Paper I).pdf
Unit 2- Research Aptitude (UGC NET Paper I).pdfUnit 2- Research Aptitude (UGC NET Paper I).pdf
Unit 2- Research Aptitude (UGC NET Paper I).pdf
 
Acetabularia Information For Class 9 .docx
Acetabularia Information For Class 9  .docxAcetabularia Information For Class 9  .docx
Acetabularia Information For Class 9 .docx
 
CLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCE
CLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCECLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCE
CLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCE
 
Phrasal Verbs.XXXXXXXXXXXXXXXXXXXXXXXXXX
Phrasal Verbs.XXXXXXXXXXXXXXXXXXXXXXXXXXPhrasal Verbs.XXXXXXXXXXXXXXXXXXXXXXXXXX
Phrasal Verbs.XXXXXXXXXXXXXXXXXXXXXXXXXX
 
Francesca Gottschalk - How can education support child empowerment.pptx
Francesca Gottschalk - How can education support child empowerment.pptxFrancesca Gottschalk - How can education support child empowerment.pptx
Francesca Gottschalk - How can education support child empowerment.pptx
 
Additional Benefits for Employee Website.pdf
Additional Benefits for Employee Website.pdfAdditional Benefits for Employee Website.pdf
Additional Benefits for Employee Website.pdf
 
Embracing GenAI - A Strategic Imperative
Embracing GenAI - A Strategic ImperativeEmbracing GenAI - A Strategic Imperative
Embracing GenAI - A Strategic Imperative
 
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
 
How to Make a Field invisible in Odoo 17
How to Make a Field invisible in Odoo 17How to Make a Field invisible in Odoo 17
How to Make a Field invisible in Odoo 17
 
Guidance_and_Counselling.pdf B.Ed. 4th Semester
Guidance_and_Counselling.pdf B.Ed. 4th SemesterGuidance_and_Counselling.pdf B.Ed. 4th Semester
Guidance_and_Counselling.pdf B.Ed. 4th Semester
 
The geography of Taylor Swift - some ideas
The geography of Taylor Swift - some ideasThe geography of Taylor Swift - some ideas
The geography of Taylor Swift - some ideas
 
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER  FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...TESDA TM1 REVIEWER  FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
 
The Roman Empire A Historical Colossus.pdf
The Roman Empire A Historical Colossus.pdfThe Roman Empire A Historical Colossus.pdf
The Roman Empire A Historical Colossus.pdf
 

Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-box Web Application Vulnerability Scanners

Benchmark Selection
10
• Benchmark applications
  • WIVET - contains 56 test cases that utilize both Web 1.0 and Web 2.0 technologies
  • WAVSEP - consists of a total of 1220 true positive (TP) test cases and 40 false positive (FP) test cases covering a range of vulnerability categories
  • WackoPicko - intentionally vulnerable realistic web application
    • Contains 16 vulnerabilities covering several of the OWASP Top 10
    • Contains crawling challenges: HTML parsing, multi-step process, infinite web site, authentication, client-side code, etc.
Environment Setup
11
• Each scanner was run in two modes:
  • Default - default configuration setting
  • Configured
    1. Maximize crawling coverage – changing configuration
    2. Maximize crawling coverage – use of proxy
    3. Maximize attack vector
• WackoPicko test scans were further divided into two subcategories:
  • INITIAL – without authentication / publicly accessible
  • CONFIG - valid username/password combination
• In total, each scanner was run eight times.
Note: Tests performed in a VM that was restored to its initial state before every test run.
Table 2.2: Steps Included in Configured Scan
Feature Selection
12
• Crawling coverage:
  • % of passed test cases on the WIVET application
  • Crawling challenges in the WackoPicko application
• Vulnerability detection accuracy:
  • TP, FN and FP on the WAVSEP and WackoPicko applications
• Speed:
  • Scan time on the WAVSEP and WackoPicko applications
• Reporting:
  • Vulnerability detected
  • Vulnerability location
  • Exploit performed
• Usability:
  • Efficiency
  • Product documentation
  • Community support
Figure 2.2: Feature Measurement (features: Crawling Coverage, Detection Accuracy, Speed; applications: WIVET, WackoPicko, WAVSEP)
Metric Selection
13
Table 2.3: Vulnerability Scores
• Final ranking was calculated based on the crawling coverage and vulnerability detection on the WackoPicko application
Roadmap
1. Introduction
2. Methodology
3. Results
4. Conclusion
14
Vulnerability Detection Accuracy – FN 1/2
15
FNs in WackoPicko and reason(s):
1. Weak password - admin interface with credentials admin/admin
  • Scanners did not attempt to guess username/password
  • Scanners did attempt to guess username/password but failed
2. Session id - vulnerability in the admin interface
  • Scanners did not guess the admin credentials and therefore never reached this vulnerability
3. Parameter manipulation - userid of sample user functionality
  • Most scanners did not attempt to manipulate the userid field
  • Arachni manipulated the userid field but failed to enter a valid number
  • Skipfish successfully manipulated the userid field but did not report it as a vulnerability
Vulnerability Detection Accuracy – FN 2/2
16
FNs in WackoPicko and reason(s):
4. Stored SQL injection - required registering a user
5. Directory traversal - required photo upload
6. Multi-step stored XSS - required completing a multi-step process
  Reasons for 4-6:
  • Crawling challenges – discussed later
  • Lack of detection for these types of vulnerabilities
7. Forceful browsing - link to a high quality version of a picture
8. Logic flaw – coupon management system
  Reasons for 7-8:
  • Application specific vulnerabilities
  • Require understanding business logic of the application
Note: WAVSEP FNs not listed
Vulnerability Detection Accuracy – TP 1/2
17
Table 3.1: WackoPicko Default and Configured Scan Detection Results
Columns: Name | RXSS | XSS Stored | SQLi Reflected | Command line injection | File Inclusion | File Exposure | RXSS behind JS | RXSS behind Flash
Cells give the scan (INITIAL or CONFIG) in which each vulnerability was detected, marked Default or Configured in the original; column alignment is not recoverable from the transcript:
Arachni: INITIAL INITIAL INITIAL INITIAL INITIAL INITIAL
Burp Pro: INITIAL INITIAL INITIAL INITIAL INITIAL INITIAL INITIAL CONFIG
Skipfish: INITIAL INITIAL INITIAL INITIAL INITIAL
Vega: INITIAL INITIAL INITIAL INITIAL
Wapiti: INITIAL INITIAL INITIAL INITIAL
ZAP: INITIAL INITIAL INITIAL INITIAL INITIAL INITIAL CONFIG
• All scanners missed at least 50% of the vulnerabilities
• Running the scanners in trained mode increased the overall detection
Vulnerability Detection Accuracy – TP 2/2
18
Figure 3.1: WAVSEP Overall TP Detection (% of WAVSEP tests detected)
            Arachni  Burp    Skipfish  Wapiti  Vega    ZAP
Default     60.16%   27.87%  4.02%     25.41%  71.31%  60.74%
Configured  60.16%   42.54%  62.62%    24.43%  71.31%  79.26%
Key Observations:
• WAVSEP results were better than WackoPicko:
  • Vulnerability categories in the application
  • Integrating WAVSEP in the SDLC of the scanner
• ZAP achieved highest score, followed by Vega and Skipfish
• Vulnerability category detection varied with scanner
  • Arachni discovered 100% of SQLi, RFI, unvalidated redirect, but had a low detection rate for LFI vulnerabilities
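As an added illustration of the detection-accuracy metric used in the Feature Selection slide and reported in Figure 3.1 (TP, FN and FP counted against the benchmark's true-positive and false-positive test cases, then expressed as the percentage of TP cases detected), here is a small Python scorer. It is not code from the thesis or from WAVSEP; the benchmark paths, categories and scanner findings it uses are constructed samples, not WAVSEP's real layout.

```python
"""Score a black-box scanner's report against a WAVSEP-style benchmark.

The benchmark ships true-positive (TP) cases, pages that really are
vulnerable, and false-positive (FP) cases, decoy pages that look vulnerable
but are not.  Detection accuracy is the share of TP cases the scanner flags
(Figure 3.1 style), and the FP count is how many decoys it wrongly flags.
Paths and categories below are constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Case:
    path: str          # request path of the benchmark page
    category: str      # e.g. "SQLi", "RXSS", "LFI"
    vulnerable: bool   # True for a TP case, False for an FP (decoy) case


# Constructed benchmark manifest (not WAVSEP's actual test cases).
BENCHMARK = [
    Case("/bench/sqli/Case01.jsp", "SQLi", True),
    Case("/bench/sqli/Case02.jsp", "SQLi", True),
    Case("/bench/sqli/Case03.jsp", "SQLi", True),
    Case("/bench/sqli-fp/Case01.jsp", "SQLi", False),
    Case("/bench/rxss/Case01.jsp", "RXSS", True),
    Case("/bench/rxss/Case02.jsp", "RXSS", True),
    Case("/bench/rxss-fp/Case01.jsp", "RXSS", False),
    Case("/bench/lfi/Case01.jsp", "LFI", True),
    Case("/bench/lfi/Case02.jsp", "LFI", True),
]

# Constructed scanner report: (URL as reported, vulnerability category).
REPORT = [
    ("http://bench.local/bench/sqli/Case01.jsp?id=1", "SQLi"),
    ("http://bench.local/bench/sqli/Case01.jsp?id=1", "SQLi"),    # duplicate
    ("http://bench.local/bench/sqli/Case02.jsp?id=1", "SQLi"),
    ("http://bench.local/bench/sqli-fp/Case01.jsp?id=1", "SQLi"), # decoy flagged
    ("http://bench.local/bench/rxss/Case01.jsp?q=x", "RXSS"),
    ("http://bench.local/bench/lfi/Case01.jsp?f=a", "SQLi"),      # wrong class
]


def normalize(url: str) -> str:
    """Reduce a reported URL to the benchmark page path (drop host/query)."""
    return urlsplit(url).path


def score(benchmark, report):
    """Return per-category {tp, fn, fp} counts and the overall TP rate (%).

    A TP case counts as detected only when the scanner flags that page with
    the matching category; repeated findings on one case count once, and a
    finding with the wrong category does not count.  A finding on an FP
    (decoy) case is a false positive; findings on pages outside the
    benchmark are ignored, as the benchmark only tracks its own cases.
    """
    by_key = {(c.path, c.category): c for c in benchmark}
    reported = {(normalize(url), cat) for url, cat in report}
    detected = {key for key in reported if key in by_key}
    stats = defaultdict(lambda: {"tp": 0, "fn": 0, "fp": 0})
    for case in benchmark:
        key = (case.path, case.category)
        if case.vulnerable:
            stats[case.category]["tp" if key in detected else "fn"] += 1
        elif key in detected:
            stats[case.category]["fp"] += 1
    total_tp_cases = sum(1 for c in benchmark if c.vulnerable)
    found = sum(s["tp"] for s in stats.values())
    rate = 100.0 * found / total_tp_cases if total_tp_cases else 0.0
    return dict(stats), round(rate, 2)


if __name__ == "__main__":
    per_category, overall = score(BENCHMARK, REPORT)
    for category, counts in sorted(per_category.items()):
        print(f"{category:5s} TP={counts['tp']} FN={counts['fn']} FP={counts['fp']}")
    print(f"overall TP detection: {overall}%")
```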
Crawling Coverage 1/2
19
Table 3.2: Account Creation
Scanner    # of Accounts
Arachni    202
Burp Pro   113
Skipfish   364
Vega       117
Wapiti     0
ZAP        111
Features that scanners found difficult to crawl in WackoPicko:
• Uploading a picture
  • No scanner was able to upload a picture in Default mode
  • Burp and ZAP were able to in Configured mode
• Authentication
  • All scanners except for Wapiti successfully created accounts
• Multi-step processes
  • No scanner was able to complete the process in Default mode
  • Burp and ZAP were able to in Configured mode
Crawling Coverage 2/2
20
Figure 3.2: WIVET Results (% of WIVET tests passed)
            Arachni  Burp  Skipfish  Wapiti  Vega  ZAP
Default     94       50    50        50      16    42
Configured  94       50    50        50      16    78
Features that scanners found difficult to crawl in WackoPicko:
• Infinite websites
  • All scanners recognized the infinite loop except Arachni
• Client-side code
  • Flash applications
  • Dynamic JavaScript
  • Ajax Requests
Scanning Speed
21
Figure 3.3: WackoPicko Default Scanning Speed (scan time in hours)
          Arachni  Burp  Skipfish  Vega  Wapiti  ZAP
INITIAL   0.3      0.1   0.05      0.08  0.04    0.07
CONFIG    0.32     0.12  0.1       0.1   0.05    0.18
Figure 3.4: WackoPicko Configured Scanning Speed (scan time in hours)
          Arachni  Burp  Skipfish  Vega  Wapiti  ZAP
INITIAL   0.3      0.17  0.05      0.12  1.47    0.2
CONFIG    0.32     0.35  0.1       0.22  1.62    1.31
Reporting Features
22
Features tested for:
1) List of all the vulnerabilities detected
2) Locations of all the detected vulnerabilities
3) Exploits performed to detect these vulnerabilities
All six scanners generate reports that include the above three features
Usability Features
23
Features tested for:
1) Efficiency
2) Product documentation
3) Community support
Table 3.3: Usability Features
Final Ranking
24
Figure 3.4: Final Ranking
Name      Score
Burp Pro  26
ZAP       23
Arachni   15
Wapiti    10
Skipfish  10
Vega      8
Comparison to Previous Research
25
• Suto’s 2010 study showed there is no significant increase in vulnerability detection in PaS vs Trained modes
  • Our results show there is a significant increase for several of the scanners
  • Possible reasons for difference in conclusion – different benchmark applications and scanners were used
• Doupé et al.’s 2010 study showed that scanners had difficulty crawling through common web technologies such as Flash applications and dynamic JavaScript measured on the WackoPicko and WIVET applications
  • Our results show similar conclusion
• Doupé et al.’s study showed that scanners missed several categories of vulnerabilities such as weak authentication, stored vulnerabilities and logic specific vulnerabilities
  • Our results show similar conclusion
• Doupé et al.’s study showed that commercial scanners are not significantly better than open-source scanners
  • Our results show similar conclusion
Roadmap
1. Introduction
2. Methodology
3. Results
4. Conclusion
26
Conclusion
27
• Scanners are far from being used as PaS tools only
• Several classes of vulnerabilities were not detected
• Scanners had difficulty crawling through common web technologies such as dynamic JavaScript and Flash applications
• Different scanners have different strengths/weaknesses
• Open-source scanner performance is comparable to commercial scanner performance and in several cases better
References
28
[1] Internet Live Stats, “Internet Users.” http://www.internetlivestats.com/internet-users/, 2018. Accessed Aug. 4, 2018.
[2] Internet Live Stats, “Total number of Websites.” http://www.internetlivestats.com/total-number-of-websites/, 2018. Accessed Aug. 4, 2018.
[3] Braga, M., “100,000 Canadian victims: What we know about the Equifax breach - and what we don’t.” https://www.cbc.ca/news/technology/equifax-canada-breach-sin-cybersecurity-what-we-know-1.4297532, Sept. 2017. Accessed Aug. 4, 2018.
[4] Trustwave, “2018 Trustwave Global Security Report.” https://www2.trustwave.com/GlobalSecurityReport.html, 2018. Accessed Aug. 4, 2018.
[5] “The OWASP Foundation.” https://www.owasp.org/index.php/Main_Page, 2018. Accessed Aug. 3, 2018.
[6] “Category:OWASP Top Ten Project.” https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=Main, 2018. Accessed Aug. 3, 2018.
[7] “OWASP Top 10 - 2017: The Ten Most Critical Web Application Security Risks.” https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf, 2018. Accessed Aug. 3, 2018.
[8] J. Jive, “XSS Vectors Cheat Sheet.” https://gist.github.com/kurobeats/9a613c9ab68914312cbb415134795b45, 2017. Accessed Aug. 3, 2018.
[9] B. Shura, R. Auger, and R. Gaucher, “Web Application Security Scanner Evaluation Criteria.” http://projects.webappsec.org/w/page/13246986/Web%20Application%20Security%20Scanner%20Evaluation%20Criteria, 2014. Accessed Aug. 4, 2018.
References
29
[10] L. Suto, “Analyzing the Effectiveness and Coverage of Web Application Security Scanners,” Case Study, Oct. 2007.
[11] L. Suto, “Analyzing the Accuracy and Time Costs of Web Application Security Scanners,” Feb. 2010.
[12] E. I. Tatli and B. Urgun, “Web Input Vector Extractor Teaser.” https://github.com/bedirhan/wivet, 2014. Accessed Aug. 1, 2018.
[13] S. Chen, “The Web Application Vulnerability Scanner Evaluation Project.” https://github.com/sectooladdict/wavsep, 2014. Accessed Aug. 2, 2018.
[14] D. Gupta, J. Bau, J. Mitchell, and E. Bursztein, “State of the art: Automated black-box web application vulnerability testing,” in 2010 IEEE Symposium on Security and Privacy (SP), pp. 332–345, May 2010.
[15] A. Doupé, M. Cova, and G. Vigna, “Why Johnny Can’t Pentest: An Analysis of Black-Box Web Vulnerability Scanners,” in Detection of Intrusions and Malware, and Vulnerability Assessment (C. Kreibich and M. Jahnke, eds.), (Berlin, Heidelberg), pp. 111–131, Springer Berlin Heidelberg, 2010.
[16] K. McQuade, “Open Source Web Vulnerability Scanners: The Cost Effective Choice?,” in Conference for Information Systems Applied Research, 2014.
[17] S. ElIdressi, N. Berbiche, F. Guerouate, and M. Sbihi, “Performance Evaluation of Web Application Security Scanners for Prevention and Protection against Vulnerabilities,” in International Journal of Applied Engineering Research, vol. 12, pp. 11068–11076, 2017.
[18] S. Chen, “The Prices vs. Features of Web Application Vulnerability Scanners.” http://sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-opensource-list.html, 2016. Accessed Aug. 1, 2018.
References
30
[19] “Home - Arachni - Web Application Security Scanner Framework.” http://www.arachni-scanner.com/, 2017. Accessed Aug. 4, 2018.
[20] L. Kuppan, “IronWASP - Iron Web application Advanced Security testing Platform.” https://ironwasp.org/index.html, 2014. Accessed Aug. 4, 2018.
[21] “OWASP Zed Attack Proxy Project.” https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project, 2018. Accessed Aug. 4, 2018.
[22] M. Zalewski, “skipfish(1) - Linux man page.” https://linux.die.net/man/1/skipfish. Accessed Aug. 4, 2018.
[23] N. Surribas, “Wapiti : a Free and Open-source Web-application Vulnerability Scanner.” http://wapiti.sourceforge.net/, 2018. Accessed Aug. 4, 2018.
[24] “Vega Vulnerability Scanner - Subgraph OS.” https://subgraph.com/vega/, 2014. Accessed Aug. 4, 2018.
[25] “Burp Suite Scanner | PortSwigger.” https://portswigger.net/burp, 2018. Accessed Aug. 4, 2018.
[26] “AppScan - Application Security | IBM.” https://www.ibm.com/security/application-security/appscan, 2018. Accessed Aug. 3, 2018.
[27] R. Siles and S. Bennetts, “OWASP Vulnerable Web Applications Directory Project.” https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project, 2018. Accessed Aug. 1, 2018.
[28] A. Doupe, “WackoPicko Vulnerable Website.” https://github.com/adamdoupe/WackoPicko, 2018. Accessed Aug. 2, 2018.
References
31
[29] C. Willis, “OWASP Broken Web Applications Project.” https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project, 2016. Accessed Aug. 3, 2018.
[30] A. Riancho, “WIVET - Web Input Vector Extractor Teaser.” https://hub.docker.com/r/andresriancho/wivet/, 2015. Accessed Aug. 2, 2018.
[31] “The Web Application Vulnerability Scanner Evaluation Project.” https://hub.docker.com/r/owaspvwad/wavsep/, 2016. Accessed Aug. 2, 2018.
[32] R. Khalil, “Thesis-Test-Results.” https://github.com/rkhal101/Thesis-Test-Results, 2018.
[33] “Crawler Coverage and Vulnerability Detection.” http://www.arachni-scanner.com/features/framework/crawl-coverage-vulnerability-detection/. Accessed Aug. 4, 2018.
[34] R. Khalil, “Arachni does not maintain session across scan #986.” https://github.com/Arachni/arachni/issues/986, 2018. Accessed Aug. 4, 2018.
[35] R. Khalil, “Sitemap does not contain all crawled links #987.” https://github.com/Arachni/arachni/issues/987, 2018. Accessed Aug. 4, 2018.
[36] R. Khalil, “Run Vega on WIVET #157.” https://github.com/subgraph/Vega/issues/157, 2018. Accessed Aug. 4, 2018.
[37] R. Khalil, “"Alerts for this node" does not display high alerts of risk type High #4899.” https://github.com/zaproxy/zaproxy/issues/4899, 2018. Accessed Aug. 4, 2018.

Editor's Notes

  1. Moving on to the methodology.
  2. Thank you!