Web App Scanners
TRANSCRIPT
Who Am I
TGyAlDeen Abdalmoniem, Software Engineer / InfoSec researcher. Interested in machine learning usage in intrusion detection systems and IoT security. If anyone is interested, please contact me.
Contact: http://[email protected]
Documentation: Top 10, Web Dev. Guides, Design Guides, Testing Guides
Tools: WebGoat, WebScarab, ZAP, ESAPI
Groups: Browser Security, Industry Sectors, Access Control, Education
Community: Local Chapters, Conferences, Tutorials, Mailing Lists
Wanna join?
Join our community (free cookies?). Share and learn. Attend meetings and sessions. Push us to do better. Become a member?
Content
Introduction. Who is this for. Why should we use it. How does the magic really happen? Scan steps. Code samples. Advice and references. Questions.
Introduction
What is a web application scanner?
• Briefly, these tools crawl a web application and locate application-layer vulnerabilities and weaknesses, either by manipulating HTTP messages or by inspecting them for suspicious attributes.
• In other words: the scanner searches the application for vulnerabilities by simulating attacks on it.
• So it is software that detects security weaknesses and vulnerabilities.
Who is this for?
Software engineers interested in developing security applications.
Web application developers.
On the other hand: software testers. Quality assurance sections in companies. Penetration testers.
Small note
The aim of this session is not to define a list of scanners or to evaluate specific products.
Goals
Provide scanner users with a reference that can be used to conduct a thorough scanner evaluation and make an informed decision.
Provide scanner developers with a list of capabilities to compare their tools against, to help them create a roadmap of future enhancements.
Why should we use a scanner?
o First of all, network firewalls, SSL and locked-down servers can't stop your web applications and websites from being hacked. Any note on this?
o Do you guarantee your code is secure?
o Do you know how to write secure code?
o Web application scanners help reduce the number of vulnerabilities in web applications.
o Scanners are an important part of most application security programs.
Steps of the scan:
1. Protocol support
2. Crawling
3. Parsing
4. Testing
5. Command and Control
6. Reporting
Protocol Support & Authentication
Check the protocol support list of the scanner and verify that it covers SSL/TLS, the required HTTP versions and HTTP compression. Check the ability of the scanner to keep connections open for multiple requests.
Authentication:
o What types of authentication are used by the application you'll be scanning?
o HTML form-based.
o Login process that can't be fully automated (CAPTCHA).
Crawl and coverage
Ensure that the scanner's representation of your web application includes:
Files. Scripts. Client scripts. Input parameters. Directories, etc.
If not all objects are listed, it means that the crawler is not able to automatically crawl all of the web application, and thus might not identify all vulnerabilities.
Crawling procedure
o The scanner must first find the page in order to find the vulnerability!
o How well does the scanner support redirects? AJAX?
o Lots of details in this section for developers who would like to improve their scanners!
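An added example of the coverage check above (not code from the slides or from any scanner named here): it parses one crawled page and builds the inventory a crawler must report, namely files linked, client scripts, form input parameters, query parameters and directories. The sample page, the host and the /bank/search.aspx form are constructed to mirror the slides' example.

```python
"""Coverage inventory of one crawled page: files, scripts, input parameters,
directories. Added example; not from the slides or any scanner named there."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlsplit

# Constructed sample page; host and search form mirror the slides' example.
BASE = "https://www.acme-hackme.com/bank/index.aspx"
SAMPLE_HTML = """<html><body>
<a href="/bank/account.aspx?id=7">Account</a>
<a href="/help/faq.html">FAQ</a>
<script src="/static/js/app.js"></script>
<script>var tracked = 1;</script>
<form action="/bank/search.aspx" method="post">
  <input type="text" name="searchterms"><input type="hidden" name="csrf" value="t0k3n">
  <select name="category"><option>1</option></select>
  <input type="submit" value="Go">
</form></body></html>"""

class CoverageParser(HTMLParser):
    def __init__(self, base):
        super().__init__()
        self.base, self.links, self.scripts, self.forms, self._form = base, [], [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(urljoin(self.base, a["href"]))
        elif tag == "script":  # external script file vs. inline client script
            self.scripts.append(urljoin(self.base, a["src"]) if a.get("src") else "inline")
        elif tag == "form":
            self._form = {"action": urljoin(self.base, a.get("action") or ""),
                          "method": (a.get("method") or "get").upper(), "params": []}
        elif tag in ("input", "select", "textarea") and self._form and a.get("name"):
            self._form["params"].append(a["name"])  # named fields = input parameters

    def handle_endtag(self, tag):
        if tag == "form" and self._form:
            self.forms.append(self._form)
            self._form = None

def inventory(page_html, base):
    """Everything the crawler must have found before the testing stage can exercise it."""
    p = CoverageParser(base)
    p.feed(page_html)
    urls = p.links + [f["action"] for f in p.forms] + [s for s in p.scripts if s != "inline"]
    dirs = sorted({urlsplit(u).path.rsplit("/", 1)[0] + "/" for u in urls})
    qparams = sorted({k for u in p.links for k in parse_qs(urlsplit(u).query)})
    return {"links": p.links, "scripts": p.scripts, "forms": p.forms,
            "query_params": qparams, "directories": dirs}
```

Comparing this inventory against what you know is in the application is the quickest way to spot objects the crawler missed.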
Parsing
Some of it can be done through manual training of the scanner, but the intelligence of the tool depends on its ability to parse the web content of the application.
What content is supported
The essential web content types that the scanner should be able to parse are HTML, JavaScript, VBScript, XML, plain text, ActiveX objects, Java applets, Flash, CSS, and many more.
Parsing
Once a form has been parsed, the web scanner will submit it and start testing the form inputs with various payloads, looking for vulnerabilities.
Command and Control
The primary factors to be considered here are as follows:
o Ability to schedule scans
o Ability to pause and resume scans
o Ability to view real-time scan status
o Ability to define re-usable configurable templates
o Multi-user and multi-scan support
Testing and Reporting
A scanner should allow configurations to include/exclude/set URLs, file extensions, parameters, host names/IPs, cookies and HTTP headers.
It should be able to identify vulnerabilities, architectural weaknesses, and authorization- and authentication-related problems.
Vulnerability Example
The scanners assess a target application by constructing HTTP or HTTPS requests that are known to elicit a response indicating susceptibility to various types of attack. For example:

    POST /bank/search.aspx HTTP/1.0
    Host: www.acme-hackme.com
    ...

    searchterms=<script>alert('xss')</script>

or, as a path payload: "/%20<script>alert('css')</script>%20.shtml"

If the response contains the submitted "searchterms" parameter value in the exact format it was submitted, then the input value is vulnerable to cross-site scripting.
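The decision rule above, as an added example that is not the slides' code: it builds the raw POST request the slide shows, then runs the probe against two constructed stand-ins for /bank/search.aspx, one that echoes the parameter raw and one that HTML-encodes it, and classifies the response. Only an exact reflection is a finding; an encoded echo shows the input was handled.

```python
"""Reflected-XSS probe logic from the slide, as an added example (not the slides' code).
The two search handlers are constructed stand-ins for /bank/search.aspx."""
import html
from urllib.parse import urlencode

XSS_PAYLOAD = "<script>alert('xss')</script>"  # payload from the slide

def build_request(host: str, path: str, params: dict) -> str:
    """Raw HTTP/1.0 POST text like the one on the slide; the body is form-encoded."""
    body = urlencode(params)
    return (f"POST {path} HTTP/1.0\r\n"
            f"Host: {host}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")

def vulnerable_search(searchterms: str) -> str:
    # Echoes the parameter into the page untouched: the case the scanner flags.
    return f"<html><body>Results for: {searchterms}</body></html>"

def hardened_search(searchterms: str) -> str:
    # Same page with output encoding; the payload comes back as &lt;script&gt;...
    return f"<html><body>Results for: {html.escape(searchterms)}</body></html>"

def classify_response(payload: str, body: str) -> str:
    """The slide's rule: a finding only if the value is reflected exactly as sent.
    An encoded echo is reported separately so the tester sees the input was handled."""
    if payload in body:
        return "vulnerable"
    if html.escape(payload) in body:
        return "reflected-encoded"
    return "not-reflected"

def probe(handler, payload: str = XSS_PAYLOAD) -> str:
    """Simulate one test: submit the payload as `searchterms`, classify what comes back."""
    return classify_response(payload, handler(payload))

if __name__ == "__main__":
    print(build_request("www.acme-hackme.com", "/bank/search.aspx",
                        {"searchterms": XSS_PAYLOAD}))
    for handler in (vulnerable_search, hardened_search):
        print(handler.__name__, "->", probe(handler))
```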
Advice for a Scanner Evaluation
Obtain the latest version of each scanner. For commercial scanners, contact the vendor for a free trial.
Don't download old versions off of PirateBay!
References: For Developers and Testers
o https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools
o Securitytube.net
o Nikto by Linux CBT
For Software Engineers
o Python Scripting Expert (Security Tube)
o Wa3f
o Vega (open source) for Java developers.
o B3ati (written by me): https://github.com/TGyAlDeen/B3ati . Contribute if you can, believe me you can (wa3f report), and many more.
Summary
o Scanners will help you find vulnerabilities in your applications. But why should there be any vulnerability to find at all?
o Learn how to write secure applications from scratch.
o Use a WAF; check Mazin's paper for more information.