1 Testing Web Application Scanner Tools Elizabeth Fong and Romain Gaucher NIST Verify Conference – Washington, DC, October 30, 2007 Disclaimer: Any commercial.

Slides:



Advertisements
Similar presentations
Closing the Gap: Analyzing the Limitations of Web Application Vulnerability Scanners David Shelly Randy Marchany Joseph Tront Virginia Polytechnic Institute.
Advertisements

Software Assurance Metrics and Tool Evaluation (SAMATE) Michael Kass National Institute of Standards and Technology
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
OWASP Periodic Table of Vulnerabilities James Landis
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
I.T. DIGIT TestCentre Vulnerability assessment service Gabriel BABIANO DIGIT.A.3 29/11/2012.
Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.
Application Security: What Does it Take to Build and Test a “Trusted” App? John Dickson, CISSP Denim Group.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
“Today over 70% of attacks against a company’s network come at the ‘Application Layer’ not the Network or System layer.” - Gartner Is Your Web Application.
BUILDING A SECURE STANDARD LIBRARY Information Assurance Project I MN Tajuddin hj. Tappe Supervisor Mdm. Rasimah Che Mohd Yusoff ASP.NET TECHNOLOGY.
This is a work of the U.S. Government and is not subject to copyright protection in the United States. The OWASP Foundation OWASP AppSec DC October 2005.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.
This is a work of the U.S. Government and is not subject to copyright protection in the United States. The OWASP Foundation OWASP AppSec DC October 2005.
Varun Sharma Security Engineer | ACE Team | Microsoft Information Security
Web Application Security Assessment and Vulnerability Assessment.
Security Scanning OWASP Education Nishi Kumar Computer based training
By: Razieh Rezaei Saleh.  Security Evaluation The examination of a system to determine its degree of compliance with a stated security model, security.
A Scanner Sparkly Web Application Proxy Editors and Scanners.
CAP6135 – Malware and Software Vulnerability Analysis By Tara Lingle and Orcun Tagtekin.
Introduction to Application Penetration Testing
Secure Software Development Mini Zeng University of Alabama in Huntsville 1.
Is Your Website Hackable? Check with Acunetix Web Vulnerability Scanner. Acunetix Web Vulnerability Scanner V9.
SEC835 Database and Web application security Information Security Architecture.
HTTP and Server Security James Walden Northern Kentucky University.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
A Framework for Automated Web Application Security Evaluation
About Dynamic Sites (Front End / Back End Implementations) by Janssen & Associates Affordable Website Solutions for Individuals and Small Businesses.
Ladd Van Tol Senior Software Engineer Security on the Web Part One - Vulnerabilities.
Security testing of study information system Security team: Matis Alliksoo Alo Konno Urmo Lihten Taavi Podzuks Sander Saarm.
Penetration Testing James Walden Northern Kentucky University.
AMNESIA: Analysis and Monitoring for NEutralizing SQL- Injection Attacks Published by Wiliam Halfond and Alessandro Orso Presented by El Shibani Omar CS691.
Honeypot and Intrusion Detection System
Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Web Application Security ECE ECE Internetwork Security What is a Web Application? An application generally comprised of a collection of scripts.
Security Scanners Mark Shtern. Popular attack targets Web – Web platform – Web application Windows OS Mac OS Linux OS Smartphone.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
REAL TIME GPS TRACKING SYSTEM MSE PROJECT PHASE I PRESENTATION Bakor Kamal CIS 895.
October 3, 2008IMI Security Symposium Application Security through a Hacker’s Eyes James Walden Northern Kentucky University
Web Applications Testing By Jamie Rougvie Supported by.
Security (Keep your site secure at extension level) Sergey Gorstka Fastw3b.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
This is a work of the U.S. Government and is not subject to copyright protection in the United States. The OWASP Foundation OWASP AppSec DC October 2005.
Unix Security Assessing vulnerabilities. Classifying vulnerability types Several models have been proposed to classify vulnerabilities in UNIX-type Oses.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
© 2011 IBM Corporation Hybrid Analysis for JavaScript Security Assessment Omer Tripp Omri Weisman Salvatore Guarnieri IBM Software Group Sep 2011.
SwA Co-Chair and Task Lead Strategy Session Agenda Technology, Tools and Product Evaluation Working Group Status Briefing Co-Chair(s) Michael Kass (NIST),
Copyright © The OWASP Foundation This work is available under the Creative Commons SA 2.5 license The OWASP Foundation OWASP Denver February 2012.
© ITT Educational Services, Inc. All rights reserved. IS3220 Information Technology Infrastructure Security Unit 3 Network Security Threats Chapter 4.
SECURE DEVELOPMENT. SEI CERT TOP 10 SECURE CODING PRACTICES Validate input Use strict compiler settings and resolve warnings Architect and design for.
Smashing WebGoat for Fun and Research: Static Code Scanner Evaluation Josh Windsor & Dr. Josh Pauli.
SOFTWARE TESTING Date: 29-Dec-2016 By: Ram Karthick.
Presentation by: Naga Sri Charan Pendyala
Web Application Vulnerabilities, Detection Mechanisms, and Defenses
^ About the.
Web Application Penetration Testing
HTML Level II (CyberAdvantage)
Risk Assessment = Risky Business
CSC 495/583 Topics of Software Security Intro to Web Security
Verify Conference – Washington, DC, October 30, 2007
Engineering Secure Software
OWASP Application Security Verification Standard
Presentation transcript:

1 Testing Web Application Scanner Tools Elizabeth Fong and Romain Gaucher NIST Verify Conference – Washington, DC, October 30, 2007 Disclaimer: Any commercial product mentioned is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.

2

3 - NIST SAMATE Project - Which tools find what flaws? - Web Application Scanner tools: specification and capabilities - Testing Web Application Scanner Tools: Test methodologies and results Outline

4 Project partially funded by DHS and NSA. Our focus Examine software development and testing methods and tools to identify deficiencies in finding bugs, flaws, vulnerabilities, etc. Create studies and experiments to measure the effectiveness of tools. Software Assurance Metrics and Tool Evaluation (SAMATE) Project at NIST

5 Precisely document what a tool class does and does not do Inform users –Match the tool to a particular situation –Understand significance of tool results Provide feedback to tool developers Purpose of Tool Evaluations

6 Select class of tool Develop clear (testable) requirements –Tool functional specification aided by focus groups –Spec posted for public comment Develop a measurement methodology –Develop reference datasets (test cases)‏ –Document interpretation criteria Details of Tool Evaluations

7 Static Analysis Security Tools Web Application Vulnerability Tools Binary Analysis Tools Web Services Tools Network Scanner Tools * Defense Information Systems Agency, “Application Security Assessment Tool Market Survey,” Version 3.0 July 29, 2004 Some Tools for specific application*

8 Firewall Intrusion Detection/Prevention System Virus Detection Fuzzers Web Proxy Honeypots Blackbox Pen Tester * OWASP Tools Project Other Types of Software Assurance Security Tools *

9 Life Cycle Process (requirements, design, …) Automation (manual, semi, automatic) Approach (preclude, detect, mitigate, react, appraise) Viewpoint (blackbox, whitebox (static, dynamic)) Other (price, platform, languages, …) How to Classify Tools and Techniques

10 The Rise of Web App Vulnerability Top web app vulnerabilities as % of total vulnerabilities in NVD

11 is software which communicates with a web application through the web front-end and identifies potential security weaknesses in the web application.* * Web Application Security Consortium evaluation criteria technical draft, August Web Application Security Scanner

12 Web Application Architecture Database Server Client (Browser, Tool, etc.)‏ HTTP Requests HTML, etc. Webapp Web Server

13 - Client and Server Interaction - Distributed n-tiered architecture - Remote access - Heterogeneity - Content delivery via HTTP - Concurrency - Session management - Authentication and authorization Characteristics of Web Application

14 - Limited to tools that examine software applications on the web. - Does not apply to tools that scan other artifacts, like requirements, byte-code, or binary code - Does not apply to database scanners - Does not apply to other system security tools, e.g., firewalls, anti-virus, gateways, routers, switches, intrusion detection system Scope – What types of tools does this spec NOT address?

15 - Cross-Site Scripting (XSS) - Injection flaws - Authentication and access control weaknesses - Path manipulation - Improper Error Handling Some Vulnerabilities that Web Application Scanners Check

16 - AppScan DE by Watchfire, Inc. (IBM) - WebInpect by SPI-Dynamics (HP) - Acunetix WVS by Acunetix - Hailstorm by Cenzic, Inc. - W3AF, Grabber, Paros, etc. - others… Disclaimer: Any commercial product mentioned is for information only, it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose. Some Web Application Security Scanning Tools

17 What is a common set of functions? Can they be tested? How can one measure the effectiveness? NIST is “neutral”, not consumer reports, and does not endorse products. Establishing a Framework to Compare

18 Precisely document what a tool class does and does not do Provide feedback to tool developers Inform users Match the tool to a particular situation Understand significance of tool results Purpose of a Specification

19 Specifies basic (minimum) functionality Defines features unambiguously Represents a consensus on tool functions and requirements Serves as a guide to measure the capability of tools How should this spec be viewed?

20 Not to prescribe the features and functions that all web application scanner tools must have. Use of a tool that complies with this specification does not guarantee the application is free of vulnerabilities. Production tools should have capabilities far beyond those indicated. Used as the basis for developing test suites to measure how a tool meets these requirements. How should this spec be used?

21 Found in existing applications today Recognized by tools today Likelihood of exploit or attack is medium to high Criteria for selection of Web Application Vulnerabilities

22 OWASP Top Ten 2007 WASC Threat Classification CWE – 600+ weaknesses definition dictionary CAPEC attack patterns for known exploits Web Application Vulnerabilities

23 Test applications that model real security features and vulnerabilities Configurable to be vulnerable to one or many types of attack Ability to provide increasing level of defense for a vulnerability Test Suites

24 Defense Mechanisms Different programmers use different defenses Defenses/Filters are not all equivalent We have different instances of vulnerabilities: levels of defense

25 Example: Cross-Site Request Forgeries Levels of Defense Untrusted.c0m MyShopping.Com CSRF Script Untrusted.c0m redirects to MyShopping.Com GET /shop.aspx?ItemID=42&Accept=Yes Thanks For Buying This Item! “This nice new website: Untrusted.c0m”

26 Example: Cross-Site Request Forgeries - Level 0: No Protection (bad) - Level 1: Using only POST (well...) - Level 2: Checking the referrer (better but referrer may be spoofed) - Level 3: Using a nonce (good) Higher level means harder to break Levels of Defense

27 Web Server Database Server Web Application Scanner Tool Attacks HTML, etc. Webapp Tool Report Seeded Vulns. Cheat sheet ?

28 Attacks Analysis An action that exploits a vulnerability What exactly is the tool testing? What do I need to test in my application? Do the results match?

29 Web Server Database Server Web Application Scanner Tool Attacks HTML, etc. Webapp Tool Report Attacks Analysis Seeded Vulns. ?

30 Testing the tool accuracy by inserting check points in most of the attack surface Is the tool testing all the application surface? Ex: login correctly, with errors, etc. Attack Surface Coverage

31 (1) Touch the file [login.php] if ( all fields are set ) then (2) All fields are set [login.php] Boolean goodCredentials = checkThisUser(fields)‏ if ( goodCredentials ) then (3) Credentials are correct; Log in [login.php] registerSessionCurrentUser()‏ else if ( available login test > 0 ) then (4) Login information incorrect [login.php] displayErrorLogin()‏ available login test -= 1 else (5) Too many tries with bad info [login.php] displayErrorLogin()‏ askUserToSolveCAPTCHA()‏ endif

32 Web Server Database Server Web Application Scanner Tool Attacks HTML, etc. Webapp Tool Report Attacks Analysis Coverage Analysis Seeded Vulns. ? Attack Surface Coverage SAMATE Webapps Scanner Testing Lab

33 Test Suite with 21 vulnerabilities (XSS, SQL Injection, File Inclusion) –PHP, MySQL, Ajax –LAMP 4 Scanners (Commercial and Open Source) One type of vulnerability at the time Results (Detection rate, False-Positive rate) Test Suite Evaluation

34 Detection Rates for Different Levels of Defense

35 False Positive Rates for Different Levels of Defense

36 Attack Surface Coverage

37 Refining level of defense in order to have a better granularity Thinking of tool profiles such as: Coming next

38 Coming next (cont.) Using different technologies in our test suites (JSP,.NET, etc.) More than one vulnerability at a time (combinatorial testing?) Metrics? Brian Chess' metric? t: True Positive p: False Positive n: False Negative

39 Tools are limited in scope (companies sell service as opposed to selling tool) Speed versus Depth ( in-depth testing takes time) Difficult to read output reports (typically log files) False-Positives Tuning versus default mode Issues with Web Application Scanner Tools

40 - People to comment on specifications - People to submit test cases for sharing with the community - People to help build reference datasets for testing tools? We need …

41 - SAMATE web site - Project Leader: Dr. Paul E. Black - Project Team Members: Elizabeth Fong, Romain Gaucher, Michael Kass, Michael Koo, Vadim Okun, Will Guthrie, John Barkley Contacts

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.