
1 Is Your Website Hackable? Check with Acunetix Web Vulnerability Scanner. Acunetix Web Vulnerability Scanner V9

2 Company Overview
Combatting the Web Vulnerability Threat (www.acunetix.com)
- Founded 2004
- Pioneer in Web Application Security
- Unique Technology: AcuSensor
- OWASP Member
- Award Winning Software
- Fortune 500 Customers
- License Holder of IBM Patent (Patent # 6,584,569)

3 WVS V9 in a nutshell - 1 of 2
- FULL HTML5 support
- Improved crawling capabilities, with particular attention to dynamic pages using AJAX, JavaScript and Single Page Applications
- Improved support for Mobile friendly sites

4 WVS V9 in a nutshell - 2 of 2
- Detection of DOM based XSS
- Detection of Blind XSS (unique to WVS)
- Detection of new vulnerabilities: Server Side Request Forgery (SSRF), XML External Entity (XXE), Mail Header Injection, Host Header based attacks

5 FULL HTML5 support
- New HTML / Script evaluation engine, the same as the one used in Chrome / Safari, which is used in 40% of the world's internet browsing
- Introduces FULL support for HTML5
- 34% of Alexa's Top 100 sites implemented in HTML5 in Sept 2011
- HTML5 will eventually replace Flash
- http://testhtml5.vulnweb.com

6 Improved Crawling capabilities
- Superior JavaScript evaluation
- Increased support for AJAX sites and other JavaScript based web sites
- Introduced support for Single Page Applications (https://en.wikipedia.org/wiki/Single-page_application)
- You can only scan what has been crawled

7 Improved support for Mobile Friendly sites - 1 of 2
- 1 billion smartphones used worldwide (http://www.go-gulf.com/blog/smartphone/)
- In Asia, Internet browsing from mobile increased threefold between 2011 and 2012 (http://gs.statcounter.com)
- 2 versions of the same website: one for normal browsers, and another for mobiles, smartphones and tablets

8 Improved support for Mobile Friendly sites - 2 of 2
- WVS v9 detects mobile friendly sites at the pre-crawl stage and gives the option to focus the scan on one version of the site
- Our HTML / Script evaluation engine is the layout engine of choice for the default browsers in iPhone, Android, Blackberry and Amazon Kindle.

9 Detection of DOM XSS - 1 of 2
- 3 types of XSS: Stored, Reflected and DOM based
- OWASP Top 10, 2013 classifies XSS as 'Very Widespread'
- Client scripts often process the Document Object Model (DOM)
- The DOM can sometimes be manipulated so as to introduce custom scripts into the DOM

10 Detection of DOM XSS - 2 of 2
- Different from Stored or Reflected XSS, since the payload is placed in the DOM (in the browser) and not on the page served by the web site
- Advanced techniques do not send the payload to the server, making exploitation completely invisible to the website's owner
- Detection requires advanced interpretation of JavaScript
- https://www.owasp.org/index.php/DOM_Based_XSS

11 Detection of Blind XSS - 1 of 2
- Blind XSS is a type of Stored XSS where the payload is injected from one web application and executed in another web application
- Example: a hacker injects XSS on the website in a support request form; the XSS is executed when Support opens the request from the Support portal

12 Detection of Blind XSS - 2 of 2
- Blind XSS detection requires AcuMonitor (Acunetix Vulnerability Verification Service, VVS) to be enabled
- How blind XSS works: Acunetix WVS probes an XSS prone web form and tries to inject scripts in doing so. The scripts are stored in the database, but never executed on the main web application. After some time, the script is executed from the other web application, which makes a web request to AcuMonitor.

13 Detection of Blind XSS - 3 of 3
(Flow diagram, actors VVS and Admin: Scan → Web Site → XSS stored in DB → XSS loaded in backend webapp → Script informs VVS → VVS informs admin by email)
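The DOM XSS slides (9 and 10) and the blind XSS scenario on slide 11 share one root cause: untrusted input reaching an HTML sink without encoding for that context. The following is an added example, not code from the Acunetix slides or product: a greeting script that reads a name from the URL fragment (a DOM-only source that never reaches the server, so server logs and server-side filters see nothing, as slide 10 notes), once with the raw value concatenated into the HTML sink and once with HTML encoding applied first. The function names, the escapeHtml helper and the sample fragment are constructed for this example; the functions return the HTML string a page would assign to innerHTML so the example runs under Node without a browser.

```javascript
// Added example (not from the Acunetix slides): a DOM-based XSS pattern beside
// its hardened form. The functions return the HTML string that a page would
// assign to innerHTML, so this runs under Node without a browser DOM.

// Constructed sample input: the part of the URL after '#'. The fragment is
// never sent to the server, which is why server-side logging or filtering
// cannot observe a DOM XSS attempt.
const SAMPLE_FRAGMENT = '#name=<img src=x onerror=alert(1)>';

// Parse "name" from the fragment the way a naive client script does.
// URLSearchParams splits each pair on the first '=' only, so the value keeps
// any '=' characters of its own.
function nameFromFragment(fragment) {
  const params = new URLSearchParams(fragment.replace(/^#/, ''));
  return params.get('name') || 'guest';
}

// Vulnerable: an untrusted DOM source (location.hash) flows unchanged into an
// HTML sink (innerHTML), so markup in the value becomes live markup.
function greetingHtmlUnsafe(fragment) {
  return '<p>Welcome, ' + nameFromFragment(fragment) + '</p>';
}

// Hardened: encode the five HTML-significant characters before the value
// reaches the sink. The browser then renders the text literally.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function greetingHtmlSafe(fragment) {
  return '<p>Welcome, ' + escapeHtml(nameFromFragment(fragment)) + '</p>';
}

// Quick demonstration when run directly: the unsafe sink keeps the tag intact,
// the safe sink neutralises it.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(greetingHtmlUnsafe(SAMPLE_FRAGMENT));
  console.log(greetingHtmlSafe(SAMPLE_FRAGMENT));
}
```

In a real page the stronger fix is to avoid the HTML sink altogether and assign the value with textContent, which the hardened function is equivalent to. The same context-aware encoding, applied where the support portal renders stored requests, is what breaks the blind XSS chain on slide 11: the payload can still be stored by the first application, but it is rendered as text rather than executed in the second.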

14 Detection of New Vulnerabilities
- Server Side Request Forgery (SSRF)
- XML External Entity (XXE)
- Mail Header Injection
- Host Header based attacks

15 Acunetix Blog: http://www.acunetix.com/blog
- Acunetix Facebook Page: http://www.facebook.com/Acunetix
- List of Checks Run by Acunetix WVS: http://www.acunetix.com/support/vulnerability-checks.htm
- Contact Us: sales@acunetix.com
- Tel EMEA, Asia: +44 330 202 0190 / Tel Americas: +1 888 593 5285
- www.Acunetix.com
