Automating Web Applications Security Assessments through Scanners


Uploaded by nfteodoro, posted on 12-Nov-2014. Category: Technology.

DESCRIPTION

Presented at IBWAS'10

TRANSCRIPT

Page 1: Automating Web Applications Security Assessments Through Scanners

ISCTE-IUL/ISTA/ADETTI-IUL

Instituto Superior de Ciências do Trabalho e da Empresa
Lisbon University Institute

ISCTE-IUL School of Technology and Architecture
ADETTI-IUL

Nuno Teodoro

[email protected]
[email protected] (IM)

http://pt.linkedin.com/in/nunoteodoro
http://www.facebook.com/nuno.teodoro

Automating Web Applications Security Assessments through Scanners

Page 2: Automating Web Applications Security Assessments Through Scanners

2

Agenda

- Motivation
- Web Scanners
- Web Scanners Evaluation
- Case Study

Page 3: Automating Web Applications Security Assessments Through Scanners

3

Motivation

Lack of security awareness

Organizations don’t properly invest in security

Critical programmers don’t understand security issues

Finish my master thesis....

Page 4: Automating Web Applications Security Assessments Through Scanners

4

Motivation

Pie chart: Easy to explore 78%, Others 22%

Page 5: Automating Web Applications Security Assessments Through Scanners

5

Testing Methods

White box: source code access and internal infrastructure knowledge
Gray box: internal knowledge of some kind
Black box: online access to the Web application

- Testing with automatic tools (Web scanners)
- Confirm scanner results

Page 6: Automating Web Applications Security Assessments Through Scanners

6

Web Scanners

“Try” to find applicational vulnerabilities

Perform pre-defined tests – active analysis through attack simulation:
- HTTP message manipulation
- HTTP message inspection
- Find weird attributes
- Fuzzing
- Code analysis
- …

Scanner workflow:
1. Scan web application
2. Content analysis
3. Specific crafted requests
4. Results generation

Page 7: Automating Web Applications Security Assessments Through Scanners

7

Web Scanners

Very important in some scenarios

Point and Shoot

Scan Vulnerabilities

Page 8: Automating Web Applications Security Assessments Through Scanners

8

Web Scanners

Page 9: Automating Web Applications Security Assessments Through Scanners

9

Web Scanners Evaluation

NIST SAMATE – Software Assurance Metrics and Tools Evaluation

WASSEC – Web Application Security Scanner Evaluation Criteria

Page 10: Automating Web Applications Security Assessments Through Scanners

10

Web Scanners Evaluation

NIST SAMATE – Web Applications Issues:
- Technical vulnerabilities
- Security vulnerabilities
- Architectural/Logical vulnerabilities
- Other vulnerabilities

1st January 2010 – no longer supported

Page 11: Automating Web Applications Security Assessments Through Scanners

11

Web Scanners Evaluation

WASSEC criteria:
- Protocol Support
- Authentication
- Session Management
- Crawling
- Parsing
- Testing
- Command and Control
- Reporting
- <Customized>

Page 12: Automating Web Applications Security Assessments Through Scanners

12

Web Scanners Evaluation

Complementary evaluation method:
1. Select vulnerability to test
2. Create exploitation levels based on information on how to protect against it
3. Explore Web scanner behavior for each level

Page 13: Automating Web Applications Security Assessments Through Scanners

13

Web Scanners Evaluation

Ideally we would create a Web application to assess each level

Optionally we can just use pre-defined available ones:
- Cenzic
- Watchfire
- WebMaven / Buggy Bank
- Updated HackmeBank
- OWASP WebGoat
- Stanford SecuriBench

Page 14: Automating Web Applications Security Assessments Through Scanners

14

Manual Analysis

[For each vulnerability]
- Vulnerability analysis
- Understand how to test it
- Impacts
- Mitigation
- Documentation
[end]

Why? There are always false positives; manual confirmation is needed.

Page 15: Automating Web Applications Security Assessments Through Scanners

15

Case Study

Related to my master thesis

17 Real Web Applications

Education

Government

Other relevant service providers

Page 16: Automating Web Applications Security Assessments Through Scanners

16

Case Study

Choose Web Scanners

Apply Web Scanners to Web Applications

Evaluate Results

Page 17: Automating Web Applications Security Assessments Through Scanners

17

Case Study – Choose Web Scanners

1. Overall Web scanners discovery on the Open Source community

2. Discard the less accepted Web scanners

3. Apply customized WASSEC

Page 18: Automating Web Applications Security Assessments Through Scanners

18

Case Study – Choose Web Scanners

Overall Web scanners discovery on the Open Source community

Grabber, Grendel-Scan, Paros Proxy, Powerfuzzer, Skipfish, W3AF, Wapiti, Watcher, Netsparker, OpenAcunetix, RatProxy, SecurityQA Toolbar, Websecurify

Page 19: Automating Web Applications Security Assessments Through Scanners

19

Case Study – Choose Web Scanners

Discard the less accepted Web scanners

Grabber, Grendel-Scan, Paros Proxy, Powerfuzzer, Skipfish, W3AF, Wapiti, Watcher, Netsparker, OpenAcunetix, RatProxy, SecurityQA Toolbar, Websecurify

Page 20: Automating Web Applications Security Assessments Through Scanners

20

Case Study – Choose Web Scanners

Apply customized WASSEC

- OWASP Top 10 coverage
- Recent activity and updates
- New technologies support
- Fast bug solving (easy to interact with developers)

Page 21: Automating Web Applications Security Assessments Through Scanners

21

Case Study – Choose Web Scanners

Page 22: Automating Web Applications Security Assessments Through Scanners

22

Case Study – Apply Web Scanners to Web Applications

Platform      Applications tested
PHP           8 Web Applications
Java          1 Web Application
.NET/Aspx     8 Web Applications

Page 23: Automating Web Applications Security Assessments Through Scanners

23

Tests Methodology

Using different tools and live CDs

Select Web application

[for each web scanner]
- Use Web scanner
- Document found vulnerabilities
- Manual verification
[test’s end]

Create detailed report

Deliver the report to the organization

After legal authorization

Page 24: Automating Web Applications Security Assessments Through Scanners

24

Case Study – Apply Web Scanners to Web Applications

Total Vulnerabilities analysis (bar chart, values taken from the chart labels):

Scanner       Total   False Positives
w3af          301     194
websecurify   865     165
skipfish      221     64

Page 25: Automating Web Applications Security Assessments Through Scanners

25

Case Study – Apply Web Scanners to Web Applications

False Positives Percentage - w3af: Total 61%, False Positives 39%

False Positives Percentage - Websecurify: Total 84%, False Positives 16%

False Positives Percentage - skipfish: Total 78%, False Positives 22%

Page 26: Automating Web Applications Security Assessments Through Scanners

26

Case Study – Apply Web Scanners to Web Applications

Total False Positives - All scanners: Total 77%, False Positives 23%

On a total of 1387 vulnerabilities found... ~319 are false positives
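As an added example (not code from the presentation or from the author's study), the Python below models the "use scanner, document found vulnerabilities, manual verification, report" loop of the Tests Methodology slide together with the false-positive arithmetic of the case-study slides: every finding stays out of the report until a person confirms or rejects it, the same issue reported by two scanners is merged into one, and the false-positive share is computed as rejected findings over reported findings, which for 319 of 1387 gives the 23% shown above. The scanner names are the case study's; the URLs, parameters and verdicts are constructed sample data.

```python
"""Triage ledger for findings reported by several web scanners.

Added example, not code from the presentation or the author's study: it
models the loop from the Tests Methodology slide (use scanner, document
findings, manually verify, report) and the false-positive arithmetic from
the case-study slides. The findings below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Finding:
    scanner: str                      # which scanner reported it
    vuln_type: str                    # e.g. "xss", "sqli", "csrf"
    url: str                          # page as reported (query string may differ per scanner)
    parameter: str                    # affected parameter, "-" when not applicable
    verified: Optional[bool] = None   # None = awaiting manual verification


def issue_key(f: Finding) -> tuple:
    """Normalise a finding so the same issue reported by two scanners dedups.
    Scanners differ in query strings, trailing slashes and parameter casing,
    so those are stripped before comparing."""
    path = f.url.split("?", 1)[0].rstrip("/").lower() or "/"
    return (f.vuln_type.lower(), path, f.parameter.lower())


def per_scanner_stats(findings):
    """Return {scanner: (total, false_positives, unverified)}."""
    stats = {}
    for f in findings:
        total, fp, pending = stats.get(f.scanner, (0, 0, 0))
        stats[f.scanner] = (
            total + 1,
            fp + (1 if f.verified is False else 0),
            pending + (1 if f.verified is None else 0),
        )
    return stats


def false_positive_percentage(total, false_positives):
    """Share of reported findings that manual review rejected, as a whole
    percent; 319 of 1387 (the all-scanners slide) gives 23."""
    if total <= 0 or not 0 <= false_positives <= total:
        raise ValueError("false positives must lie between 0 and total")
    return round(100 * false_positives / total)


def confirmed_issues(findings):
    """Distinct issues confirmed by manual verification, merged across
    scanners, mapped to the set of scanners that reported each one."""
    merged = {}
    for f in findings:
        if f.verified is True:
            merged.setdefault(issue_key(f), set()).add(f.scanner)
    return merged


def pending_review(findings):
    """Findings still waiting for manual confirmation; they must not reach the report."""
    return [f for f in findings if f.verified is None]


# Constructed sample data (hypothetical host, not results from the original study).
SAMPLE = [
    Finding("w3af", "xss", "http://app.example/search", "q", True),
    Finding("w3af", "sqli", "http://app.example/login", "user", True),
    Finding("w3af", "path_disclosure", "http://app.example/static/app.js", "-", False),
    Finding("skipfish", "XSS", "http://app.example/search/?q=1", "Q", True),   # same issue as w3af's
    Finding("skipfish", "xss", "http://app.example/contact", "msg", False),
    Finding("skipfish", "sqli", "http://app.example/login", "user", None),     # not yet verified
    Finding("websecurify", "csrf", "http://app.example/profile", "-", True),
]


if __name__ == "__main__":
    for scanner, (total, fp, pending) in per_scanner_stats(SAMPLE).items():
        print(f"{scanner:12s} total={total} false_positives={fp} pending={pending} "
              f"fp_rate={false_positive_percentage(total, fp)}%")
    for key, scanners in confirmed_issues(SAMPLE).items():
        print("confirmed:", key, "reported by", sorted(scanners))
    print("awaiting review:", len(pending_review(SAMPLE)))
```

Unverified findings count towards a scanner's total but never towards the confirmed list, which is the point of the manual-verification step on the slides: the report carries only what a person has confirmed.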

Page 27: Automating Web Applications Security Assessments Through Scanners

27

Evaluate Results

Maybe these tools are not so bad, in the right context

Leverage security awareness

False positives are also good (am I crazy?)

Page 28: Automating Web Applications Security Assessments Through Scanners

ISCTE-IUL/ISTA/ADETTI-IUL

Instituto Superior de Ciências do Trabalho e da Empresa
Lisbon University Institute

ISCTE-IUL School of Technology and Architecture
ADETTI-IUL

Nuno Teodoro

[email protected]
[email protected] (IM)

http://pt.linkedin.com/in/nunoteodoro
http://www.facebook.com/nuno.teodoro

Questions?