How web application scanners Work Future University Computer Science Open Day August 2016

Upload: rashid-khatmey, posted on 14-Apr-2017



OWASP … and OWASP Khartoum.

Around the world

OWASP is not:

• L33t haxorzing
• Private 0day
• Private forums
• Mad 0wnag3 sk1lz

OWASP projects (Documentation, Tools, Groups, Community):

• Documentation: Top 10 Web, Dev. Guides, Design Guides, Testing Guides
• Tools: WebGoat, WebScarab, ZAP, ESAPI
• Groups: Browser Security, Industry Sectors, Access Control, Education
• Community: Local Chapters, Conferences, Tutorials, Mailing Lists

Wanna join?

• Join our community (free cookies?).
• Share and learn.
• Attend meetings and sessions.
• Push us to do better.
• Become a member?

Content

1. Introduction.
2. Who is this for.
3. Why should we use it.
4. How does the magic really happen?
5. Scan steps.
6. Code samples.
7. Advice and references.
8. Questions.

Introduction: What is a web application scanner?

• Briefly, these tools crawl a web application and locate application-layer vulnerabilities and weaknesses, either by manipulating HTTP messages or by inspecting them for suspicious attributes.

• In other words: the scanner searches the application for vulnerabilities by simulating attacks against it.

• So it is software that detects security weaknesses and vulnerabilities.

Who is this for?

• Software engineers interested in developing security applications.
• Web application developers.

On the other hand:

• Software testers.
• Quality assurance sections in companies.
• Penetration testers.

Small note: the aim of this session is not to define a list of scanners or to evaluate specific products.

Goals

• Provide scanner users with a reference that can be used to conduct a thorough scanner evaluation and make an informed decision.
• Provide scanner developers with a list of capabilities to compare their tools against, to help them create a roadmap of future enhancements.

Why should we use a scanner?

• First of all, network firewalls, SSL and locked-down servers can't stop your web applications and websites from being hacked. Any note on this?

• Do you guarantee your code is secure? Do you know how to write secure code?

• Web application scanners help reduce the number of vulnerabilities in web applications.

• Scanners are an important part of most application security programs.

Steps of the scan:

1. Protocol support
2. Crawling
3. Parsing
4. Testing
5. Command and Control
6. Reporting

Protocol Support & Authentication

Check the protocol support list of the scanner and verify that it covers SSL/TLS, the required HTTP versions and HTTP compression. Check the ability of the scanner to keep connections open for multiple requests.

Authentication:

• What types of authentication are used by the application you'll be scanning?
• HTML form-based.
• Login processes that can't be fully automated (CAPTCHA).

Crawl and coverage

Ensure that the scanner's representation of your web application includes:

• Files.
• Scripts.
• Client scripts.
• Input parameters.
• Directories, etc.

If not all objects are listed, the crawler is not able to automatically crawl all of the web application and thus might not identify all vulnerabilities.

Crawling procedure

• The scanner must first find the page in order to find the vulnerability!

• How well does the scanner support redirects? AJAX?

• Lots of details in this section for developers who would like to improve their scanners!

Scanner view of the pages: the web scanner tracks links by searching for <a href> tags.

Parsing

Some of it can be done through manual training of the scanner, but the intelligence of the tool depends on its ability to parse the application's web content.

What content is supported? The essential web content types that the scanner should be able to parse are HTML, JavaScript, VBScript, XML, plain text, ActiveX objects, Java applets, Flash, CSS, and many more.

How does the parser see the page?

Parsing: the web scanner will submit this form and start testing the form inputs with various payloads, looking for vulnerabilities.
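As an added example (not part of the slides or of B3ati), here is the crawler and parser view described in the two sections above, in Python: it extracts <a href> links, keeps only in-scope ones, and records each form with the named inputs a scanner would later test. The host, page and form are constructed sample data.

```python
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin, urlparse

class PageParser(HTMLParser):
    """Collects <a href> links and <form> definitions (action, method, input names)."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.links, self.forms = base_url, [], []
        self._form = None  # form currently being read, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(urljoin(self.base_url, a["href"]))
        elif tag == "form":
            self._form = {"action": urljoin(self.base_url, a.get("action") or ""),
                          "method": (a.get("method") or "get").upper(), "inputs": []}
        elif tag in ("input", "textarea", "select") and self._form is not None:
            if a.get("name"):  # unnamed controls (e.g. submit buttons) are never sent
                self._form["inputs"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None

def scanner_view(base_url, html_text):
    """Return (in-scope links, forms): same host only, fragments stripped, deduplicated."""
    parser = PageParser(base_url)
    parser.feed(html_text)
    host = urlparse(base_url).netloc
    seen, in_scope = set(), []
    for link in parser.links:
        link = urldefrag(link).url
        if urlparse(link).netloc == host and link not in seen:
            seen.add(link)
            in_scope.append(link)
    return in_scope, parser.forms

# Constructed sample page standing in for a crawled response (hypothetical host).
SAMPLE_HTML = """<html><body>
<a href="/about.html">About</a> <a href="search.aspx?q=1#top">Search</a>
<a href="https://other.example.org/">External</a> <a href="/about.html">Again</a>
<form action="/bank/search.aspx" method="post">
  <input type="text" name="searchterms"> <input type="hidden" name="token" value="t1">
  <input type="submit" value="Go">
</form></body></html>"""
if __name__ == "__main__":
    links, forms = scanner_view("http://www.example.com/bank/index.html", SAMPLE_HTML)
    print(links, forms, sep="\n")
```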

Command and Control

The primary factors to be considered here are as follows:

• Ability to schedule scans.
• Ability to pause and resume scans.
• Ability to view real-time scan status.
• Ability to define reusable, configurable templates.
• Multi-user and multi-scan support.

Testing and Reporting

A scanner should allow configurations to include/exclude/set URLs, file extensions, parameters, host names/IPs, cookies and HTTP headers.

It should be able to identify vulnerabilities, architectural weaknesses, and authorization- and authentication-related problems.

Report Sample

Vulnerability Example

The scanners assess a target application by constructing HTTP or HTTPS requests that are known to elicit a response indicating susceptibility to various types of attack. For example:

    POST /bank/search.aspx HTTP/1.0
    Host: www.acme-hackme.com
    ...
    searchterms=<script>alert('xss')</script> "/%20<script>alert('css')</script>%20.shtml"

If the response contains the submitted "searchterms" parameter value in the exact format in which it was submitted, then the input value is vulnerable to cross-site scripting.
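An added example, not from the slides or from B3ati, of the reflection check just described: it classifies whether a submitted probe value comes back verbatim (the slide's indicator), only in an encoded form (output encoding is doing its job), or not at all. The probe and the response bodies are constructed.

```python
import html
from urllib.parse import quote

def classify_reflection(probe, body):
    """'verbatim' if the probe comes back exactly as sent (the slide's XSS indicator),
    'encoded' if it appears only HTML- or URL-encoded, 'absent' otherwise.
    Verbatim reflection triggers a finding; the scanner still has to confirm the
    HTML context around it before reporting the parameter as exploitable."""
    if probe in body:
        return "verbatim"
    encoded = (html.escape(probe, quote=True), html.escape(probe, quote=False),
               quote(probe, safe=""))
    if any(form in body for form in encoded):
        return "encoded"
    return "absent"

def reflected_parameters(sent, responses):
    """Given {param: probe sent} and {param: response body}, list the parameters
    whose probe was reflected verbatim."""
    return [p for p, probe in sent.items()
            if classify_reflection(probe, responses[p]) == "verbatim"]

# A probe carrying the characters an HTML context must neutralise, plus a unique marker.
PROBE = 'zq7"><x>'

# Constructed responses standing in for the outcomes a scanner sees.
VULNERABLE_BODY = '<p>Results for zq7"><x></p>'            # reflected unchanged
SAFE_BODY = '<p>Results for zq7&quot;&gt;&lt;x&gt;</p>'   # reflected HTML-encoded
UNRELATED_BODY = '<p>No results</p>'                       # not reflected at all

if __name__ == "__main__":
    for name, body in (("vulnerable", VULNERABLE_BODY), ("safe", SAFE_BODY),
                       ("unrelated", UNRELATED_BODY)):
        print(name, classify_reflection(PROBE, body))
```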

SQL Injection Example

Detecting the DB: standard error messages.

Sample from B3ati
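An added example (not from the slides or from B3ati) of the error-message detection step: it matches a response against well-known database error strings to name the backend and, as a false-positive check, reports a finding only when the error is absent from the baseline response. The responses are constructed and the signature list is illustrative, not exhaustive.

```python
import re

# Well-known error texts emitted by each engine or its drivers (illustrative subset).
DB_ERROR_SIGNATURES = {
    "MySQL": [r"You have an error in your SQL syntax", r"Warning: mysql_"],
    "Microsoft SQL Server": [r"Unclosed quotation mark after the character string",
                             r"Microsoft OLE DB Provider for SQL Server"],
    "Oracle": [r"\bORA-\d{5}\b"],
    "PostgreSQL": [r"PG::SyntaxError", r"ERROR:\s+syntax error at or near"],
    "SQLite": [r"SQLITE_ERROR", r"unrecognized token"],
}
_COMPILED = {db: [re.compile(p, re.I) for p in pats]
             for db, pats in DB_ERROR_SIGNATURES.items()}

def detect_db_error(body):
    """Return (engine, matched text) for the first signature found in a body, else None."""
    for db, patterns in _COMPILED.items():
        for pat in patterns:
            m = pat.search(body)
            if m:
                return db, m.group(0)
    return None

def error_based_finding(baseline_body, test_body):
    """Report a finding only when the error is new, i.e. it appeared after the test
    input and is not already part of the baseline page (the obvious false positive)."""
    found = detect_db_error(test_body)
    if found and detect_db_error(baseline_body) != found:
        return {"engine": found[0], "evidence": found[1]}
    return None

# Constructed responses: the normal page and the same page after a malformed input.
BASELINE = "<html><body><h1>Search</h1><p>3 results</p></body></html>"
ERROR_PAGE = ("<html><body><h1>Search</h1><pre>You have an error in your SQL syntax; "
              "check the manual that corresponds to your MySQL server version</pre>"
              "</body></html>")

if __name__ == "__main__":
    print(error_based_finding(BASELINE, ERROR_PAGE))
```

A verbose error page like ERROR_PAGE is also the defect to fix on the application side: return a generic error to the client and keep the engine's message in server logs only.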


References: For Developers and Testers

• https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools
• Securitytube.net
• Nikto by Linux CBT

For Software Engineers

• Python Scripting Expert (SecurityTube)
• Wa3f
• Vega (open source) for Java developers.
• B3ati (written by me): https://github.com/TGyAlDeen/B3ati. Contribute if you can, believe me you can (Wa3f report) and many more.

Summary

• Scanners will help you find vulnerabilities in your applications, but why should there be any vulnerability to find at all?

• Learn how to write secure applications from scratch.

• Use a WAF; check Mazin's paper for more information.

Questions?