Automating Web Applications Security Assessments through Scanners
Presented at IBWAS'10
ISCTE-IUL / ISTA / ADETTI-IUL
Instituto Superior de Ciências do Trabalho e da Empresa (Lisbon University Institute)
ISCTE-IUL School of Technology and Architecture, ADETTI-IUL
Nuno Teodoro
http://pt.linkedin.com/in/nunoteodoro
http://www.facebook.com/nuno.teodoro
Agenda
- Motivation
- Web Scanners
- Web Scanners Evaluation
- Case Study
Motivation
Lack of security awareness
Organizations don't properly invest in security
Critical programmers don't understand security issues
Finish my master's thesis...
Motivation
[Pie chart] Easy to exploit: 78%; Others: 22%
Testing Methods
White box: source code access and internal infrastructure knowledge
Gray box: some kind of internal knowledge
Black box: online access to the Web Application
- Testing with automatic tools (Web scanners)
- Confirm scanner results
Web Scanners
"Try" to find application vulnerabilities
Perform pre-defined tests – active analysis through attack simulation:
- HTTP message manipulation
- HTTP message inspection
- Find weird attributes (fuzzing)
- Code analysis
- …
Scan web application → Content analysis → Specific crafted requests → Results generation
Web Scanners
Very important in some scenarios
Point and Shoot
Scan Vulnerabilities
Web Scanners Evaluation
NIST SAMATE: Software Assurance Metrics and Tools Evaluation
WASSEC: Web Application Security Scanner Evaluation Criteria
Web Scanners Evaluation
NIST SAMATE Web Applications Issues:
- Technical vulnerabilities
- Security vulnerabilities
- Architectural/Logical vulnerabilities
- Other vulnerabilities
1st January 2010 – no longer supported
Web Scanners Evaluation
WASSEC:
- Protocol Support
- Authentication
- Session Management
- Crawling
- Parsing
- Testing
- Command and Control
- Reporting
- <Customized>
Web Scanners Evaluation
Complementary evaluation method:
1. Select vulnerability to test
2. Create exploitation levels based on information on how to protect against it
3. Explore Web scanner behavior for each level
Web Scanners Evaluation
Ideally we would create a Web application to assess each level
Optionally we can just use pre-defined available ones:
- Cenzic
- Watchfire
- WebMaven / Buggy Bank
- Updated HackmeBank
- OWASP WebGoat
- Stanford SecuriBench
Manual Analysis
Why? There are always false positives, so manual confirmation is needed.
[For each vulnerability]
1. Vulnerability analysis
2. Understand how to test it
3. Impacts
4. Mitigation
5. Documentation
[end]
Case Study
Related to my master's thesis
17 Real Web Applications
Education
Government
Other relevant service providers
Case Study
1. Choose Web Scanners
2. Apply Web Scanners to Web Applications
3. Evaluate Results
Case Study – Choose Web Scanners
1. Overall Web scanners discovery on the Open Source community
2. Discard the less accepted Web scanners
3. Apply customized WASSEC
Case Study – Choose Web Scanners
Overall Web scanners discovery on the Open Source community:
- Grabber
- Grendel-Scan
- Paros Proxy
- Powerfuzzer
- Skipfish
- W3AF
- Wapiti
- Watcher
- Netsparker
- OpenAcunetix
- RatProxy
- SecurityQA Toolbar
- Websecurify
Case Study – Choose Web Scanners
Discard the less accepted Web scanners
Case Study – Choose Web Scanners
Apply customized WASSEC:
- OWASP Top 10 coverage
- Recent activity and updates
- New technologies support
- Fast bug solving (easy to interact with developers)
Case Study – Apply Web Scanners to Web Applications
PHP: 8 Web Applications
Java: 1 Web Application
.NET/Aspx: 8 Web Applications
Tests Methodology
Using different tools and live CDs, after legal authorization:
1. Select Web application
[for each web scanner]
2. Use Web scanner
3. Document found vulnerabilities
4. Manual verification
[test's end]
5. Create detailed report
6. Deliver the report to the organization
Case Study – Apply Web Scanners to Web Applications
[Bar chart: Total Vulnerabilities analysis – Nº of vulnerabilities per scanner, Total vs. False Positives]
Total vulnerabilities found: w3af 301, Websecurify 865, skipfish 221
Case Study – Apply Web Scanners to Web Applications
[Pie charts: False Positives Percentage per scanner]
w3af: 39% false positives (61% remaining)
Websecurify: 16% false positives (84% remaining)
skipfish: 22% false positives (78% remaining)
Case Study – Apply Web Scanners to Web Applications
[Pie chart: Total False Positives – All scanners] 23% false positives (77% remaining)
On a total of 1387 vulnerabilities found... ~319 are false positives
Evaluate Results
Maybe these tools are not so bad, in the right context
Leverage security awareness
False positives are also good (am I crazy?)
Questions?