Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Automatic detction of web apps vulnerability
Similar to Automatic detction of web apps vulnerability (20)
Recently uploaded
Recently uploaded (20)
Automatic detction of web apps vulnerability
- 1. Automatic Detection of Web Application Vulnerabilities
- 2. • This is translated short from Korean information Security journal, KIISC - Korea institute of information security and cryptology. Kumi Sandra, Student, Dongseo Univ SangGon Lee, Professor, Dongse Univ ChaeHo Lim, BitScan/Professor, Dongseo Univ http://journalhome.ap-northeast-2.elasticbeanstalk.com/journals/jkiisc/digital-library/23308 Notice
- 3. Outline Introduction Motivation Detection of Web Application Vulnerabilities Critical Web Application Vulnerabilities Detection of web application vulnerabilities Application Experimental Analysis Conclusions
- 4. http://journalhome.ap-northeast-2.elasticbeanstalk.com/journals/jkiisc/digital-library/23308 Introduction In recent years, the popularity of the internet and web applications has rapidly increased. Web servers and web applications have become target for attackers. • Attackers use the openness of the internet to disseminate malware in attempt to infect target systems. • Attacks on websites or web application can cause both direct and significant impact on organizations and individuals.
- 5. http://journalhome.ap-northeast-2.elasticbeanstalk.com/journals/jkiisc/digital-library/23308 Motivation Detection of Web Application Vulnerabilities • Application testing manually done by a specialist is time-consuming and costly. • Traditional defense strategy such as Web Application Firewall (WAF) can be exploited and bypassed with automated tools, to gain direct access to a web application. • Existing commercial vulnerability scanners consume lot of time and resources to detect some vulnerabilities that pose no risk to organizations
- 6. http://journalhome.ap-northeast-2.elasticbeanstalk.com/journals/jkiisc/digital-library/23308 Critical web application vulnerabilities The Open Web Application Security Project (OWASP) Top Ten Project[2] provides a powerful awareness document for web application security. The list focuses on identifying the most critical software risks for a web application. These risks are based on the frequency of discovered security defects, the severity of the vulnerabilities and potential impact on organizations.
- 7. Detection of web application vulnerabilities Two main techniques used: • Static Analysis (White box testing) • Dynamic Analysis (Black box testing) Nain components of a vulnerability scanner: • Crawling Component • Attacking Component • Analysis Component
- 8. BitScanner 30 Web Application Vulnerabilities Risk Level Description No Vulnerability OWASP MITRE 25 Severity Lev el Level 1 (High) RAT (Remote Acces s Terminal) 1 SQL Injection A1 6 High 2 XPATH Injection 3 LDAP Injection 4 Web Shell A9 16 5 Shell Shock 11 6 Apache Struts2 3 7 CVE-2014-6271 118 CVE-2014-6278 9 CVE-2014-6277 10 CVE-2017-5638 3 11 XXE Vulnerable A4 17 Level 2 (Medium) Data Leakage 12 Blind SQL Injection A1 6 13 SQL Injection Possibility A1, A3 Level 3 (Low) External Access 14 XSS (Cross Site Script) A7 2 Medium15 Internal Server Error A6 16 500 Page Error Level 4 (Trivial) Information Reveal 17 POST XML Found A6, A4 17 Low 18 Script Error (JavaScript) A6 419 Script Error (Visual Basic Scri pt) 20 Validation Error Level 5 (Information al) Alerts 21 Directory Listing A2,A3,A5,A6 10 22 Known Directory A6 23 Admin Directory Found 24 Cgi Directory Found A5 25 Cgi File Found 26 PHP Information Leaked A3 25 27 File Upload Function Found A5 16 28 Code Disclosure A6 4 29 Server Information A3 25 30 Post Method Allowed A6
- 9. Experimental Analysis Dashboard of BitScanner Vulnerability details
- 10. Experimental Analysis URL of Application Scanner VD Time (mins and seconds) http://testaspnet.vulnweb.com BitScanner 1 2mins 22sec Acunetix 65 11mins 48sec http://testhtml5.vulnweb.com BitScanner 3 1min 5sec Acunetix 47 22min 43sec http://testasp.vulnweb.com BitScanner 4 1min 11sec Acunetix 42 13mins 3sec VD: Number of vulnerabilities detected Comparison of BitScanner with Acunetix
- 11. Conclusion In this research, we presented a scanner that scans for the most important vulnerabilities in web applications. Unlike other scanners, BitScanner gives hint to developers where to fix vulnerabilities in the source code.