The document summarizes a comparative analysis of six open-source black-box web application vulnerability scanners: Arachni, Burp Pro, Skipfish, Vega, Wapiti, and ZAP. The analysis evaluated the scanners' crawling coverage, vulnerability detection accuracy, speed, and usability when run in both point-and-shoot/default mode and trained/configured mode against three benchmark applications: WIVET, WAVSEP, and WackoPicko. The results showed that all scanners missed at least 50% of vulnerabilities in WackoPicko, with detection rates improving when run in trained mode. ZAP achieved the highest detection rates overall, while results varied by vulnerability category and
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-box Web Vulnerability Scanners
1. Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-box Web Application Vulnerability Scanners
Rana Khalil
Master of Computer Science
University of Ottawa
8/11/2018
2. Who am I?
• Student at the University of Ottawa
• B.S. in Mathematics and Computer Science (2016)
• M.S. in Computer Science (2018)
• Supervisor: Dr. Carlisle Adams
• Previous work experience includes: software development, testing, ransomware research, teaching and penetration testing
4. Web Applications
• We use web applications for everything: banking, education, shopping, communication
• Over 3.9 billion users worldwide
• Over 1.8 billion websites online
• How much personal data do you have online?
  • Name, SIN, addresses, phone numbers, emails
  • Financial information
  • Health information
5. Web Security
• State of web security today
• Trustwave’s 2018 Global Security Report:
  • 100% of web applications displayed at least one vulnerability
  • Median number of 11 vulnerabilities per application
7. How to Secure a Web Application?
• A combination of techniques are used to secure web applications:
  • Static code analysis
  • Web application firewalls
  • Secure coding practices
  • Web application vulnerability scanners
10. What is a Vulnerability?
Vulnerability is a term that refers to a flaw in a system that can leave the system open to attack.
Example: Cross Site Scripting (XSS)
11. OWASP TOP 10
The Open Web Application Security Project Top 10 project contains the top 10 most critical web application security risks:
1. Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities (XXE)
5. Broken Access Control
6. Security Misconfiguration
7. Cross-Site Scripting
8. Insecure Deserialization
9. Using Components with Known Vulnerabilities
10. Insufficient Logging & Monitoring
13. WAVS
Web Application Vulnerability Scanners have three modules: Crawler, Attacker, Analysis.
(Figure: crawler, attacker and analysis pipeline ending in findings such as "XSS found", "SQLi found", "LFI found", "RFI found")
14. WAVS
Web application vulnerability scanners are largely used in two ways:
1. Point-and-Shoot (PaS) / Default
  • Scanner is given root URL of the application
  • Default configuration remains unchanged
  • Minimal human interference
15. WAVS
Web application vulnerability scanners are used in two ways:
2. Trained / Configured
  • Change configuration (ex. crawl depth)
  • Manually visit every page of the application while scanner is in proxy mode.
(Diagram: Browser, Scanner Proxy, Web Application)
16. WASSEC
The Web Application Security Scanner Evaluation Criteria provides a set of detailed evaluation criteria and a framework for formally evaluating WAVS.
• Protocol support
• Authentication
• Session management
• Crawling
• Parsing
• Testing
• Command and control
• Reporting
17. Previous Work
• Suto’s case studies:
  • 2007 paper evaluated scanners in PaS mode
  • 2010 paper evaluated scanners in PaS and Trained modes
• Benchmark applications:
  • Web Input Vector Extractor Teaser (WIVET) created in 2009 by Tatli et al.
  • Web Application Vulnerability Scanner Evaluation Project (WAVSEP) created in 2010 by Chen
• Doupé et al.’s 2010 work on evaluating WAVS on the WackoPicko application
• Several other more recent studies evaluate scanners in PaS mode only
20. Tool Selection
• Chen’s evaluation
• Consultation with professional ethical hackers

Name       Version        License                      Price      Last Update*
Arachni    1.5.1-0.5.12   Arachni Public Source v1.0   N/A        2017-03-29
Burp Pro   1.7.35         Commercial                   $349/year  2018-08-29
Skipfish   2.10b          Apache v2.0                  N/A        2012-12-04
Vega       1.0            MIT                          N/A        2016-06-29
Wapiti     3.0.1          GNU GPL v2                   N/A        2018-05-11
ZAP        2.7.0          Apache v2.0                  N/A        2017-11-28
*Checked in August 2018
21. Benchmark Selection
• Benchmark applications:
  • WIVET – crawling challenges
  • WAVSEP – vulnerability classes
  • Intentionally vulnerable realistic web application
    • Type of vulnerabilities included in the application
    • Architecture of the application and the web technologies used
    • Ability of the application to withstand aggressive automated scans
    • OWASP Vulnerable Web Applications Directory (VWAD) project
  • WackoPicko
22. Benchmark Selection - WIVET
• Contains 56 test cases that utilize both Web 1.0 and Web 2.0 technologies
• Test cases include:
  • Standard anchor links
  • Links created dynamically using JavaScript
  • Multi-page forms
  • Links in comments
  • Links embedded in Flash objects
  • Links within AJAX requests
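To make these crawling challenges concrete, here is an added example (my code, not WIVET's or the thesis's): a static link extractor fed a constructed page that mixes a standard anchor, a link inside an HTML comment, a form, a Flash object and a link whose URL is assembled by JavaScript. The host wivet.example and all paths are invented for the illustration.

```python
"""Added example (not WIVET's or the thesis's code): a static link extractor
run over a constructed page mixing several of the WIVET link styles."""
from html.parser import HTMLParser
import re
from urllib.parse import urljoin

# Constructed sample page; every path here is invented for this illustration.
SAMPLE_HTML = """
<html><body>
<a href="/pages/standard.php">standard anchor</a>
<!-- <a href="/pages/in_comment.php">link that exists only inside a comment</a> -->
<form action="/pages/step1.php" method="post"><input name="q"></form>
<script>
  var l = document.createElement('a');
  l.href = '/pages/' + 'dyn' + 'amic.php';  /* built at runtime: invisible to static parsing */
  document.body.appendChild(l);
</script>
<object data="/pages/movie.swf"></object>
</body></html>
"""

class LinkExtractor(HTMLParser):
    """Collects navigation targets from tags, and separately from HTML
    comments, which many crawlers discard without inspecting."""
    TARGET_ATTRS = {"a": "href", "form": "action", "object": "data", "iframe": "src"}

    def __init__(self, base):
        super().__init__()
        self.base = base
        self.from_tags = set()
        self.from_comments = set()

    def handle_starttag(self, tag, attrs):
        attr = self.TARGET_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            self.from_tags.add(urljoin(self.base, value))

    def handle_comment(self, data):
        # Links in comments: WIVET has a test case for exactly this style
        for m in re.finditer(r'href=["\']([^"\']+)', data):
            self.from_comments.add(urljoin(self.base, m.group(1)))

def extract_links(html, base="http://wivet.example/"):
    """Return (links found in tags, links found in comments). A link whose
    URL is assembled by JavaScript appears in neither set."""
    parser = LinkExtractor(base)
    parser.feed(html)
    return parser.from_tags, parser.from_comments
```

The JavaScript-built link is the case a static crawler cannot pass without a script engine, which is why the trained mode's manual proxy walk-through recovers coverage that PaS mode misses.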
23. Benchmark Selection - WAVSEP
• Consists of a total of 1220 true positive (TP) test cases and 40 false positive (FP) test cases

Vulnerability Category   # of TP test cases   # of FP test cases
SQL Injection            138                  10
Reflected XSS            89                   7
Path Traversal / LFI     816                  8
RFI                      108                  6
Unvalidated Redirect     60                   9
DOM XSS                  4                    0
Passive                  5                    0
24. Benchmark Selection - WackoPicko
• Open-source intentionally vulnerable realistic web application
• Photo sharing and purchasing site
• Contains 16 vulnerabilities covering several of the OWASP Top 10
• Contains crawling challenges:
  • HTML parsing
  • Multi-step process
  • Infinite website
  • Authentication
  • Client-side code
26. Environment Setup 2/2
• Each scanner was run in two modes:
  • PaS / Default - default configuration setting
  • Trained / Configured
    1. Maximize crawling coverage – changing configuration
    2. Maximize crawling coverage – use of proxy
    3. Maximize attack strength
• WackoPicko test scans were further divided into two subcategories:
  • INITIAL – without authentication / publicly accessible
  • CONFIG - valid username/password combination
• In total, each scanner was run eight times
27. Feature and Metric Selection
• Crawling coverage:
  • % of passed test cases on the WIVET application
  • Crawling challenges in the WackoPicko application
• Vulnerability detection accuracy:
  • TP, FN and FP on the WAVSEP and WackoPicko applications
• Speed:
  • Scan time on the WAVSEP and WackoPicko applications
• Reporting:
  • Vulnerability detected
  • Vulnerability location
  • Exploit performed
• Usability:
  • Efficiency
  • Product documentation
  • Community support
(Diagram mapping the features crawling coverage, detection accuracy and speed to the applications WIVET, WackoPicko and WAVSEP)
29. Vulnerability Detection - FNs
Vulnerabilities in WackoPicko that were not detected by any scanners:
1. Weak authentication credentials
  • admin/admin
  • Reasons:
    • Scanners did not attempt to guess username/password
    • Scanners did attempt to guess username/password but failed
30. Vulnerability Detection - FNs
Vulnerabilities in WackoPicko that were not detected by any scanners:
2. Parameter Manipulation
  • Sample user: WackoPicko/users/sample.php?userid=1
    Real user: WackoPicko/users/sample.php?userid=2
  • Reasons:
    • Most scanners did not attempt to manipulate the userid field
    • Arachni manipulated the userid field but failed to enter a valid number.
    • Skipfish successfully manipulated the userid field but did not report it as a vulnerability
31. Vulnerability Detection - FNs
Vulnerabilities in WackoPicko that were not detected by any scanners:
3. Stored SQL Injection
4. Directory Traversal
5. Stored XSS
Reasons:
• Crawling challenges – discussed later
• Lack of detection for these types of vulnerabilities
32. Vulnerability Detection - FNs
Vulnerabilities in WackoPicko that were not detected by any scanners:
6. Forceful Browsing
  • Access to a link that contains a high quality version of a picture without authentication
  • /WackoPicko/pictures/high_quality.php?key=highquality&picid=11
7. Logic Flaw
  • Coupon management functionality
Reasons:
• Require understanding business logic of the application
• Application specific vulnerabilities
33. Vulnerability Detection Accuracy – TPs
WackoPicko Overall Scan Detection Results (% of detected vulnerabilities)

Mode      Arachni   Burp   Skipfish   Vega    Wapiti   ZAP
PaS       37.5      37.5   31.25      18.75   25       37.5
Trained   37.5      50     31.25      25      25       43.75

Key Observations:
• All scanners missed at least 50% of the vulnerabilities
• In PaS mode Burp, ZAP and Arachni achieved the same score
• Running the scanners in trained mode increased the overall detection
  • Vega – increase in attack vectors
  • ZAP & Burp – manually visiting the pages in proxy mode for Flash and dynamic JS technologies
34. Vulnerability Detection Accuracy - TPs
WAVSEP Overall TP Detection (% of WAVSEP tests detected)

Mode      Arachni   Burp   Skipfish   Wapiti   Vega   ZAP
PaS       60.2      27.9   4.0        25.4     71.3   60.7
Trained   60.2      42.5   62.6       24.4     71.3   79.3

Key Observations:
• WAVSEP results were better than WackoPicko.
  • Vulnerability categories in the application
  • Integrating WAVSEP in the SDLC of the scanner
• ZAP achieved highest score, followed by Vega and Skipfish
• Vulnerability category detection varied with scanner.
  • Arachni discovered 100% of SQLi, RFI, unvalidated redirect, but had a low detection rate for LFI vulnerabilities
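As an added illustration (my code, not the thesis's code or data) of why an overall WAVSEP score and the per-category results can diverge, as noted for Arachni above: the per-category test counts come from the WAVSEP benchmark slide, while the two detection profiles are constructed and belong to no real scanner.

```python
# Added example, not from the thesis: how WAVSEP's per-category test counts
# (WAVSEP benchmark slide) shape the single "overall TP detection" number.
# The two detection profiles below are constructed for illustration only.

WAVSEP_TP_CASES = {  # true-positive test cases per category, from the slide
    "SQL Injection": 138,
    "Reflected XSS": 89,
    "Path Traversal / LFI": 816,
    "RFI": 108,
    "Unvalidated Redirect": 60,
    "DOM XSS": 4,
    "Passive": 5,
}

def overall_detection(detected):
    """Overall % of WAVSEP TP test cases flagged, the metric charted above.
    Every test case weighs the same, so LFI (816 of 1220) dominates."""
    total = sum(WAVSEP_TP_CASES.values())
    return 100.0 * sum(detected.get(c, 0) for c in WAVSEP_TP_CASES) / total

def per_category_rates(detected):
    """% detected inside each category: the view that exposes the strengths
    and weaknesses the overall number hides."""
    return {c: 100.0 * detected.get(c, 0) / n for c, n in WAVSEP_TP_CASES.items()}

def macro_average(detected):
    """Unweighted mean of the per-category rates (each category counts once)."""
    rates = per_category_rates(detected)
    return sum(rates.values()) / len(rates)

# Constructed profile A: every SQLi, RFI and redirect case, weak LFI coverage,
# the kind of pattern described for Arachni above (numbers invented).
PROFILE_A = {"SQL Injection": 138, "Reflected XSS": 60,
             "Path Traversal / LFI": 300, "RFI": 108, "Unvalidated Redirect": 60}

# Constructed profile B: an LFI-only scanner that finds nothing else.
PROFILE_B = {"Path Traversal / LFI": 816}

if __name__ == "__main__":
    for name, prof in (("A", PROFILE_A), ("B", PROFILE_B)):
        print(f"profile {name}: overall {overall_detection(prof):.1f}%  "
              f"macro-average {macro_average(prof):.1f}%")
    # Profile B wins on the overall metric (66.9% vs 54.6%) while missing
    # six of the seven categories (macro-average 14.3% vs 57.7%).
```

Reading the per-category table beside the overall figure is therefore necessary before ranking scanners on WAVSEP alone.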
35. Vulnerability Detection Accuracy - FPs
WackoPicko CONFIG scan FPs

Name       PaS   Trained
Arachni    5     5
Burp       4     5
Skipfish   0     1
Vega       2     1
Wapiti     0     0
ZAP        2     8

Key Observations:
• # of FPs varied across scanners
• No correlation between # of TPs, FNs and FPs
• No correlation between # of requests a scanner sends and # of FPs
• Increase in attack strength generally increases # of FPs – not enough data to make that correlation
36. Crawling Coverage
Features that scanners found difficult to crawl in WackoPicko:
• Uploading a picture
  • No scanner was able to upload a picture in PaS mode
  • Burp and ZAP were able to in Trained mode
• Authentication
  • All scanners except for Wapiti successfully created accounts

Scanner    # of Accounts
Arachni    202
Burp       113
Skipfish   364
Vega       117
Wapiti     0
ZAP        111

• Multi-step processes
  • No scanner was able to complete the process in PaS mode
  • Burp and ZAP were able to in Trained mode
37. Crawling Coverage
Features that scanners found difficult to crawl in WackoPicko:
• Infinite websites
  • All scanners recognized the infinite loop except Arachni
• Client-side code
  • Flash applications
  • Dynamic JavaScript
  • Ajax Requests

% of WIVET tests passed

Mode      Arachni   Burp   Skipfish   Wapiti   Vega   ZAP
PaS       94        50     50         50       16     42
Trained   94        50     50         50       16     78
38. Scanning Speed
WackoPicko CONFIG Mode Scanning Speed (scan time in hours)

Mode      Arachni   Burp   Skipfish   Vega   Wapiti   ZAP
PaS       0.32      0.12   0.1        0.1    0.05     0.18
Trained   0.32      0.35   0.1        0.22   1.62     1.31

Key Observations:
• Speed varies across scanners – no correlation to number of requests and vulnerability detection rate
• Scan time generally increases with configuration
Note: WAVSEP scanning speed shows similar results
39. Reporting Features
Features tested for:
1) List of all the vulnerabilities detected
2) Locations of all the detected vulnerabilities
3) Exploits performed to detect these vulnerabilities
All six scanners generate reports that include these three features.
40. Usability Features
Features tested for:
1) Efficiency
2) Product documentation
3) Community support*
* Active in the past 3 months – checked last in August 2018
41. Final Ranking 1/2
(Chart: WackoPicko Vulnerability Scores)
• Final ranking was calculated based on the crawling coverage and vulnerability detection on the WackoPicko application.
44. Conclusion
• Scanners are far from being used as PaS tools only
• Several classes of vulnerabilities were not detected
• Scanners had difficulty crawling through common web technologies such as dynamic JavaScript and Flash applications
• Different scanners have different strengths/weaknesses
• Open-source scanner performance is comparable to commercial scanner performance and in several cases better
47. To view full results of research refer to: https://github.com/rkhal101/Thesis-Test-Results
Note: This slide was not shown during the presentation. I added it after receiving many requests asking for the link to the detailed results.
Editor's Notes
Picture taken from: https://www.freepik.com/free-vector/vector-path-on-the-road_1306557.htm#term=road%20map&page=1&position=2