®
IBM Software Group
© 2007 IBM Corporation
Performing a Web Application Security Assessment
2
Coordinate the Time of the AuditSet up a time window with the application ownerInform your security teamInform Web Operations (WebOps)
3
Scanning EnvironmentAn automated security scan could potentially affect your application
Overload the web and application serversCause denial of serviceInsert junk data, e.g. post messages on a message board, send multiple e-mails, etc.
It preferable to scan applications in pre-productionScan applications in production with caution
4
Get to Know the Site Site Model
What would be a good starting point? Are there links to more than one host?Are there parts of the site that should be excluded from the scan?Is execution of JavaScript used for application flow?Does your site contain FLASH?Are there pages that require special user input?
AuthenticationWhat type of authentication does your web application use?Does your system allow concurrent logins?Does your authentication system disable your user account after x number of invalid login attempts?
5
Configuring and Running a Scan – Quick Scan UIMakes creating a scan simplerScan is based on a predefined templateUser typically specifies
Starting URLLogin sequencePages to Scan (Manual Explore)
6
Creating a Scan Walkthrough
7
Creating a Scan – Specify Name and Template Specify NameSpecify TemplateClick Create
8
Creating a Scan – Recording a Login SequenceClick RecordAllows ASE to authenticate to the application
9
Creating a Scan – Recording a Login Sequence (cont.)ASE BrowserLogin to your app/siteClick the Stopbutton or close the browser
10
Creating a Scan – Specifying a Starting URLStarting point of the scan
11
Creating a Scan – Manual ExploreBrowse the application manually
Click on linksInput data
The easiest way to define scan scopeUse when scanning specific pages / functional path
12
Creating a Scan – Running the ScanClick Save and Run
13
Viewing Scan ProgressStatus IconClick on Stats
14
Scan StatisticsKey counters
Elapsed timePages foundPages scannedSecurity entities foundSecurity entities testedSecurity issue variantsSecurity tests sent
Link to Log enabled if problems occurred
15
Viewing ResultsStatus must be ReadyClick on scan name
16
Working with ReportsReport Pack SummaryReport list depends on templateKey reports
Security IssuesRemediation TasksPagesBroken Links
Click on report name to view
17
Working with Reports – Setting Up Your ViewGroupShowSearchLayout
18
Working with Reports – Viewing Issue DetailsClick on Issuenumber
19
Working with Reports – AdvisoryExplanation of the vulnerabilityWASC Threat ClassificationSecurity RiskPossible CauseTechnical DescriptionProducts AffectedReferences and Relevant Links
20
Working with Reports – Fix RecommendationHow do you fix the problem?General DescriptionASP .NET Fix RecommendationJ2EE Fix RecommendationPHP Recommendation
21
Working with Reports – Request / ResponseIssue variantsDifference (hyperlink)Reasoning (hyperlink)Test HTTP TrafficOriginal HTTP Traffic
22
Working with Reports – Issue ManagementMarking issue status
In ProgressNoiseFixedPassedOpen
23
Reviewing Test Results – StepsNote:
Test results MUST be reviewed for false positivesStart with the high priority items
1. Click on the Issue Number link2. Read the Advisory3. Review the Request / Response Tab
a) Look at the reasoning highlighted text in the Test HTTP response
b) If you are not convinced that this is a vulnerability1. Look at the difference2. Try to understand what the test is doing (go back to the advisory)3. Look at the test response4. Look at the original traffic – make sure it is valid (esp. was the page in
session)
24
Reviewing Test ResultsFalse PositivesFalse Negatives
25
Lab: Setting up and Running a Scan 1. Create a scan for http://demo.testfire.net2. Use Manual Explore test policy3. Run the scan4. View your reports5. Set up your report view6. Examine a vulnerability of each of the following
types:a) XSSb) SQL Injectionc) SQL Injection on the login page
7. Classify the issues
26
Advanced Scan Options ExplainedServers and Domains / URL NormalizationDynamic ComponentsCustom Error PagesAutomatic Form FillConnection SettingsNetwork ConnectionSchedulingLog Settings