Published by Peter Cross, modified over 9 years ago
Evaluation on Web Application Security Scanner Na Wang, Li Li
Introduction
Web application scanners can be defined as automated tools that perform black-box penetration testing on a web application. Web scanners inspect web applications by crawling through their pages and parsing their contents, while applying internal functions that inspect the retrieved content for a list of known vulnerabilities. This inspection often mimics the attacks performed by malicious users: the scanner generates inputs and analyzes the web application's behavior and response. Such malicious inputs are often used in a technique called fuzzing, which most web scanners are able to perform.
Figure (scanner workflow): Configuration (URL, parameters…); Crawling (structure, images, folders, scripts…); Scanning (simulation of attacks, submit inputs and analyze the outputs…)
1. Web Application Scanner
OWASP Top 10 vulnerabilities covered by the compared scanners (Skipfish, Wapiti, Arachni, Nessus, w3af, ZAP, Acunetix WVS (free), Acunetix WVS, Websecurify). The per-scanner checkmarks of the original table survive only as a count of scanners per vulnerability class:
Injection (SQL, LDAP, XPATH, OS command): 8 of 9 scanners
Cross-Site Scripting (XSS): 9 of 9 scanners
Broken Authentication and Session Management: 6 of 9 scanners
Insecure Direct Object References: 6 of 9 scanners
Cross-Site Request Forgery (CSRF): 3 of 9 scanners
Security Misconfiguration: 4 of 9 scanners
Insecure Cryptographic Storage: 4 of 9 scanners
Failure to Restrict URL Access: 4 of 9 scanners
Insufficient Transport Layer Protection: 1 of 9 scanners
Unvalidated Redirects and Forwards: 3 of 9 scanners
1.1 Skipfish
It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes.
Website: http://code.google.com/p/skipfish/wiki/SkipfishDoc
Command: ./skipfish -o outputfile http://129.59.89.23/securephoto/
1.2 Wapiti
It performs "black-box" scans, i.e. it does not study the source code of the application but scans the web pages of the deployed web app, looking for scripts and forms where it can inject data.
Website: http://wapiti.sourceforge.net/
Command: python wapiti.py http://129.59.89.23/securephoto/
1.3 Arachni
Arachni is an open-source, feature-full, modular, high-performance Ruby framework aimed at helping penetration testers and administrators evaluate the security of web applications.
Website: http://arachni-scanner.com/
Command: ruby arachni -fv http://129.59.89.23/securephoto/ --report=afr:outfile=test.com.afr --auto-redundant=100
1.4 Nessus
Website: http://www.tenable.com/products/nessus/nessus-product-overview
Go to: http://129.59.89.98:8834/html5.html#/
1.5 w3af
w3af is a Web Application Attack and Audit Framework. The project's goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend.
Website: http://w3af.sourceforge.net/
Command: ./w3af_gui
1.6 ZAP
The Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
Website: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Command: ./zap.sh
1.7 Acunetix
Acunetix Web Vulnerability Scanner (WVS) is an automated web application security testing tool that audits your web applications by checking for vulnerabilities such as SQL injection, cross-site scripting and other exploitable vulnerabilities.
Website: http://www.acunetix.com
Free version: only XSS (cross-site scripting) vulnerabilities
1.8 Websecurify
Websecurify is a powerful cross-platform web security testing technology designed from the ground up with simplicity in mind. It can be used on Mac, Windows, Ubuntu, Chrome, Firefox, iPhone, iPad, and Android. It is the first and only web application security solution designed to run entirely from your web browser.
Website: http://www.websecurify.com/
2. Evaluation on Scanners
Basic Evaluation
Input Vector Support Evaluation
Coverage Features Evaluation
Detection Accuracy: the total detection accuracy, the XSS detection accuracy, the injection detection accuracy, and the Insecure Direct Object References detection accuracy
2.1 Basic Evaluation

| Scanner | License | Vendor | Operating system | Language | Open Source | GUI | Report | Scan log | Pause |
|---|---|---|---|---|---|---|---|---|---|
| Skipfish | ASF2 | Michal Zalewski - Google | Cross-platform | C | Y | N | Y | Y | N |
| Wapiti | GPL2 | OWASP | Cross-platform | Python 2.6.x | Y | N | Y | Y | Y |
| Arachni | GPL2 | Tasos Laskos | Cross-platform | Ruby 1.9.x | Y | Y | Y | Y | Y |
| Nessus | Commercial | Tenable Network Security | Cross-platform | — | Y | Y | Y | Y | Y |
| w3af | GPL2 | W3AF developers | Cross-platform | Python 2.6.x | Y | Y | Y | Y | Y |
| ZAP | ASF2 | OWASP | Cross-platform | Java 1.6.x | Y | Y | Y | Y | Y |
| Acunetix WVS (free) | Commercial | Acunetix | Windows | — | N | Y | Y | Y | Y |
| Websecurify (free) | GPL2 | GNU Citizen | Cross-platform | Javascript | Y | Y | Y | N | Y |
| Websecurify | Commercial | GNU Citizen | Cross-platform | Javascript | N | Y | Y | N | Y |
2.2 Input Vector Support Evaluation

| Alias | General Feature | Description |
|---|---|---|
| GET | HTTP Query String Parameters | Input parameters sent in the URL |
| POST | HTTP Body Parameters | Input parameters sent in the HTTP body |
| COOKIE | HTTP Cookie Parameters | Input parameters sent in the HTTP cookie |
| HEADER | HTTP Headers | HTTP request headers used by the application |
| SECRET | Secret HTTP Parameters | Non-visible valid HTTP parameters (such as GET to POST, etc.) |
| PName | HTTP Parameter Names | HTTP parameter names used by the application |
| XML | XML Element Content | The content of XML elements |
| XmlATT | XML Attributes | XML attributes |
| XmlTAG | XML Tags | The names of XML tags |
| JSON | JSON Parameters | Parameters sent in JSON format |
| .NetENC | .Net PostBack Encoded Parameters | Parameters sent after undergoing .Net PostBack encoding |
| AMF | Flash Action Message Format | Parameters sent in Flash AMF format |
| JavaSER | Java Serialized Objects | Parameters sent within Java serialized objects |
| .NetSER | .Net Serialized Objects / Remoting | Parameters sent within .Net serialized objects / remoting |
| WCF | .Net WCF Objects | Parameters sent in WCF requests |
| WCF-Bin | .Net Binary WCF Objects | Parameters sent in binary WCF requests |
| WebSock | HTML5 WebSockets | Direct socket browser-server communication |
| DWR | Java Direct Web Remoting | Parameters sent in DWR format |
| Custom | Custom Input Vector | Support for defining custom input vectors in the HTTP request |
2.2 Input Vector Support Evaluation (scores)
Each scanner was checked against the 19 input vectors above (GET, POST, COOKIE, HEADER, SECRET, PName, XML, XmlATT, XmlTAG, JSON, .NetENC, AMF, JavaSER, .NetSER, WCF, WCF-Bin, WebSock, DWR, Custom). Vectors not listed in the "Supported" column were marked N.

| Scanner | Score | Supported (Y) |
|---|---|---|
| Skipfish | 4 | GET, POST, COOKIE, HEADER |
| Wapiti | 3 | GET, POST |
| Arachni | 4 | GET, POST, COOKIE, HEADER |
| Nessus | 5 | GET, POST, COOKIE, HEADER, PName |
| w3af | 5 | GET, POST, COOKIE, HEADER, PName |
| ZAP | 2 | GET, POST |
| Acunetix WVS Free Edition | 5 | GET, POST, COOKIE, HEADER, JSON |
| Websecurify (free) | 2 | GET, POST |
2.3 Coverage Features Evaluation

| Alias | General Feature | Description |
|---|---|---|
| Manual Crawl | Manual Crawling Support | Support for manually "teaching" the application structure to the scanner |
| URL File | URL File Parsing Support | Support for loading the list of target entry points from a file |
| Html Crawler | HTML Form/Link Crawler | The ability to automatically crawl HTML forms/links (a.k.a. Spider) |
| Ajax Crawler | JS/VBS/Ajax Crawler | The ability to automatically crawl entry points that are accessed via JS/VBS/Ajax code |
| Flash Crawler | | The ability to automatically crawl Flash applications |
| Applet Crawler | | The ability to automatically crawl Applet applications (Java) |
| Silverlight Crawler | | The ability to automatically crawl Silverlight applications |
| WSDL Crawler | WebService WSDL Crawler | The ability to automatically identify, analyze and crawl web service WSDL files |
| REST Crawler | REST WSDL Crawler | The ability to automatically identify, analyze and crawl RESTful web service WSDL files |
| Field AutoFill | Field Value AutoFill | The ability to fill fields with default values while automatically crawling the application (param-name based) |
| Smart AutoFill | Smart Field Value AutoFill | The ability to fill fields with default values while automatically crawling the application (GUI based) |
| AntiCSRF Support | AntiCSRF Token Support | Support for replaying & updating AntiCSRF tokens (GET/POST) |
| Viewstate Support | Event & Viewstate Support | Support for replaying & updating various viewstate and event fields |
| CAPTCHA Bypass | CAPTCHA Cracking/Bypass Features | Crack/bypass CAPTCHA fields while scanning the application |
| WAF Bypass | WAF Evasion Techniques | Use WAF evasion techniques while scanning the application |
2.3 Coverage Features Evaluation (scores)
Each scanner was checked against the 15 coverage features above (Manual Crawl, URL File, Html Crawler, Ajax Crawler, Flash Crawler, Applet Crawler, Silverlight Crawler, WSDL Crawler, REST Crawler, Field Autofill, Smart Autofill, AntiCSRF Support, Viewstate Support, CAPTCHA Bypass, WAF Bypass). Features not listed in the "Supported" column were marked N.

| Scanner | Count | Supported (Y) |
|---|---|---|
| Skipfish | 2 | URL File, Html Crawler |
| Wapiti | 1 | Html Crawler |
| Arachni | 2 | Manual Crawl, Html Crawler |
| Nessus | 1 | Html Crawler |
| w3af | 5 | Manual Crawl, Html Crawler, Ajax Crawler, Field Autofill, WAF Bypass |
| ZAP | 3 | Manual Crawl, Html Crawler, AntiCSRF Support |
| Acunetix WVS Free Edition | 5 | Manual Crawl, Html Crawler, Ajax Crawler, Field Autofill, WAF Bypass |
| Websecurify (free) | 1 | Html Crawler |
2.4 Evaluation based on the OWASP Broken Web Applications Project
The Broken Web Applications (BWA) Project produces a virtual machine running a variety of applications with known vulnerabilities.
2.4.1 Test bed Ⅰ

| Website | Severity | Summary | Category |
|---|---|---|---|
| AWStats | Low | Open Redirect | Path Traversal |
| AWStats | Low | Internal Path Disclosure | Path Traversal |
| GTD-PHP | Medium | Reflected XSS in http://owaspbwa/gtd-php/editChecklist.php | XSS |
| GTD-PHP | Medium | Reflected XSS in http://owaspbwa/gtd-php/editList.php | Injection |
| GetBoo | High | GetBoo Email Forgotten Password SQL injection | Injection |
| GetBoo | High | GetBoo Email Forgotten Password SQL injection | XSS |
| GetBoo | Medium | GetBoo stored XSS | XSS |
| Mandiant Struts Forms | Medium | Reflected XSS in http://owaspbwa/mandiant-struts-form-vulnerable/submitname.do | XSS |
| OWASP AppSensor Demo Application | Medium | AppSensor viewProfile lack of access control | Broken Authentication and Session Management |
2.4.1 Test bed Ⅱ

| Website | Severity | Summary | Category |
|---|---|---|---|
| OWASP Vicnum | High | State Manipulation | |
| OWASP Vicnum | High | INSERT SQL Injection | Injection |
| OWASP Vicnum | Medium | Reflected XSS in http://owaspbwa/vicnum/vicnum5.php | XSS |
| OWASP Vicnum | Medium | Vanilla SQL Injection | Injection |
| OWASP Vicnum | Medium | Reflected XSS in http://owaspbwa/vicnum/cgi-bin/vicnum1.pl | XSS |
| Peruggia | High | SQL Injection Login Bypass | Injection |
| Peruggia | Medium | Directory Traversal | Path Traversal |
| Peruggia | Medium | Local File Inclusion | |
| Peruggia | Medium | Reflected XSS | XSS |
| Peruggia | Medium | Lack of access controls | |
| Simple ASP.NET Forms | Medium | Reflected XSS in http://owaspbwa/mono/simple-reflected-xss.aspx | XSS |
2.4.1 Test bed Ⅲ

| Website | Severity | Summary | Category |
|---|---|---|---|
| TikiWiki | High | Remote PHP Injection (CVE-2007-5423) | Injection |
| TikiWiki | Medium | CVE-2008-1047 | XSS |
| TikiWiki | Medium | XSS vulnerability in tiki-special_chars.php (CVE-2007-6526) | XSS |
| TikiWiki | Medium | Directory traversal in tiki-listmovies.php (CVE-2007-6528) | Local File Inclusion |
| TikiWiki | Medium | Cross-site scripting (XSS) vulnerability in tiki-featured_link.php (CVE-2006-5703) | XSS |
| WordPress | High | Command Injection | Injection |
| WordPress | High | SQL Injection | Injection |
| WordPress | High | SQL Injection | Injection |
| WordPress | High | Malicious File Execution | |
| Yazd | Medium | Reflected XSS in http://owaspbwa/yazd/bay/post.jsp | XSS |
| Yazd | Medium | Reflected XSS in http://owaspbwa/yazd/bay/account.jsp | XSS |
| Yazd | Medium | CSRF to change password and e-mail | CSRF |
2.4.2 Vulnerability category in test bed (chart)
2.4.3 The Detection Accuracy
Values are listed in the column order Skipfish, Wapiti, Arachni, Acunetix, Websecurify. Where only four values survive, one scanner's cell is blank in the source and the extraction does not show which; where cells ran together, the raw string is kept.

The Total Detection Accuracy
Detection rate: 3/32, 16/32, 15/32, 10/32, 14/32
False positives (cells ran together): 211 36 13

The XSS Detection Accuracy
Detection rate (four values): 2/14, 11/14, 13/14, 10/14
False positives: 1, 4, 17, 13, 5

The Injection Detection Accuracy
Detection rate: 0/9, 5/9, 1/9, 0/9, 2/9
False positives (cells ran together): 0 74 0 5

Insecure Direct Object References Detection Accuracy
Detection rate (four values): 1/6, 2/6, 0/6, 1/6
False positives: 1, 0, 0, 0, 1
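The detection rate and false-positive counts above come from matching each scanner's report against the test bed's list of known vulnerabilities. The following is an added Python example of that scoring step, not code from the presentation; the ground truth and scanner findings are constructed samples in the shape of the test-bed tables, and matching on the key (application, category, summary) is an assumption about how reports were normalized.

```python
"""Score a scanner report against the OWASP BWA test bed (added example)."""
from collections import defaultdict
from fractions import Fraction

# Constructed ground truth in the shape of the test bed I table:
# (application, category, summary).
GROUND_TRUTH = [
    ("GTD-PHP", "XSS", "editChecklist.php"),
    ("GetBoo", "Injection", "forgotten password SQL injection"),
    ("GetBoo", "XSS", "stored XSS"),
    ("AWStats", "Path Traversal", "open redirect"),
    ("OWASP AppSensor Demo Application",
     "Broken Authentication and Session Management", "viewProfile"),
]

# Constructed sample findings from a hypothetical scanner report, already
# normalized to the same (application, category, summary) key.
FINDINGS = [
    ("GTD-PHP", "XSS", "editChecklist.php"),
    ("GetBoo", "XSS", "stored XSS"),
    ("GetBoo", "XSS", "login.php"),                 # not in test bed: false positive
    ("AWStats", "Path Traversal", "open redirect"),
    ("AWStats", "Path Traversal", "open redirect"),  # duplicate report, counted once
]


def score(ground_truth, findings):
    """Return {category: (detected, total, false_positives)} plus a 'Total' row."""
    truth = set(ground_truth)
    seen = set(findings)            # de-duplicate repeated reports
    per_cat = defaultdict(lambda: [0, 0, 0])
    for app, cat, summary in truth:
        per_cat[cat][1] += 1        # known vulnerabilities in this category
        if (app, cat, summary) in seen:
            per_cat[cat][0] += 1    # detected
    for app, cat, summary in seen:
        if (app, cat, summary) not in truth:
            per_cat[cat][2] += 1    # reported but not in the test bed
    result = {cat: tuple(v) for cat, v in per_cat.items()}
    result["Total"] = tuple(sum(v[i] for v in per_cat.values()) for i in range(3))
    return result


def detection_rate(result, category="Total"):
    """Detection rate as an exact fraction, e.g. 3/5 for the sample above."""
    detected, total, _ = result[category]
    return Fraction(detected, total) if total else Fraction(0)
```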