Presentation is loading. Please wait.

Presentation is loading. Please wait.

Verify Conference – Washington, DC, October 30, 2007

Published byJemimah Chase Modified over 5 years ago

Similar presentations

Presentation on theme: "Verify Conference – Washington, DC, October 30, 2007"— Presentation transcript:

1 Testing Web Application Scanner Tools Elizabeth Fong and Romain Gaucher NIST
Verify Conference – Washington, DC, October 30, 2007 Disclaimer: Any commercial product mentioned is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose. . I 1

2

3 Outline - NIST SAMATE Project - Which tools find what flaws?
- Web Application Scanner tools: specification and capabilities - Testing Web Application Scanner Tools: Test methodologies and results 3

4 Project partially funded by DHS and NSA. Our focus
Software Assurance Metrics and Tool Evaluation (SAMATE) Project at NIST Project partially funded by DHS and NSA. Our focus Examine software development and testing methods and tools to identify deficiencies in finding bugs, flaws, vulnerabilities, etc. Create studies and experiments to measure the effectiveness of tools. 4

5 Purpose of Tool Evaluations
Precisely document what a tool class does and does not do Inform users Match the tool to a particular situation Understand significance of tool results Provide feedback to tool developers 5

6 Details of Tool Evaluations
Select class of tool Develop clear (testable) requirements Tool functional specification aided by focus groups Spec posted for public comment Develop a measurement methodology Develop reference datasets (test cases)‏ Document interpretation criteria 6

7 Some Tools for specific application*
Static Analysis Security Tools Web Application Vulnerability Tools Binary Analysis Tools Web Services Tools Network Scanner Tools * Defense Information Systems Agency, “Application Security Assessment Tool Market Survey,” Version 3.0 July 29, 2004 7

8 Other Types of Software Assurance Security Tools *
Firewall Intrusion Detection/Prevention System Virus Detection Fuzzers Web Proxy Honeypots Blackbox Pen Tester * OWASP Tools Project 8

9 How to Classify Tools and Techniques
Life Cycle Process (requirements, design, …) Automation (manual, semi, automatic) Approach (preclude, detect, mitigate, react, appraise) Viewpoint (blackbox, whitebox (static, dynamic)) Other (price, platform, languages, …) 9

10 The Rise of Web App Vulnerability
Top web app vulnerabilities as % of total vulnerabilities in NVD 10 10

11 Web Application Security Scanner
is software which communicates with a web application through the web front-end and identifies potential security weaknesses in the web application.* * Web Application Security Consortium evaluation criteria technical draft, August 11

12 Web Application Architecture
Web Server HTTP Requests Database Server Client (Browser, Tool, etc.)‏ Webapp HTML, etc. 12

13 Characteristics of Web Application
- Client and Server Interaction - Distributed n-tiered architecture - Remote access - Heterogeneity - Content delivery via HTTP - Concurrency - Session management - Authentication and authorization 13

14 Scope – What types of tools does this spec NOT address?
- Limited to tools that examine software applications on the web. - Does not apply to tools that scan other artifacts, like requirements, byte-code, or binary code - Does not apply to database scanners - Does not apply to other system security tools, e.g., firewalls, anti-virus, gateways, routers, switches, intrusion detection system 14

15 Some Vulnerabilities that Web Application Scanners Check
- Cross-Site Scripting (XSS) - Injection flaws - Authentication and access control weaknesses - Path manipulation - Improper Error Handling ) 15

16 Some Web Application Security Scanning Tools
- AppScan DE by Watchfire, Inc. (IBM) - WebInpect by SPI-Dynamics (HP) - Acunetix WVS by Acunetix - Hailstorm by Cenzic, Inc. - W3AF, Grabber, Paros, etc. - others… Disclaimer: Any commercial product mentioned is for information only, it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose. ) 16

17 Establishing a Framework to Compare
What is a common set of functions? Can they be tested? How can one measure the effectiveness? NIST is “neutral”, not consumer reports, and does not endorse products. 17

18 Purpose of a Specification
Precisely document what a tool class does and does not do Provide feedback to tool developers Inform users Match the tool to a particular situation Understand significance of tool results . 18

19 How should this spec be viewed?
Specifies basic (minimum) functionality Defines features unambiguously Represents a consensus on tool functions and requirements Serves as a guide to measure the capability of tools 19

20 How should this spec be used?
Not to prescribe the features and functions that all web application scanner tools must have. Use of a tool that complies with this specification does not guarantee the application is free of vulnerabilities. Production tools should have capabilities far beyond those indicated. Used as the basis for developing test suites to measure how a tool meets these requirements. 20

21 Criteria for selection of Web Application Vulnerabilities
Found in existing applications today Recognized by tools today Likelihood of exploit or attack is medium to high 21

22 Web Application Vulnerabilities
OWASP Top Ten 2007 WASC Threat Classification CWE – 600+ weaknesses definition dictionary CAPEC attack patterns for known exploits 22

23 Test Suites Test applications that model real security features and vulnerabilities Configurable to be vulnerable to one or many types of attack Ability to provide increasing level of defense for a vulnerability . 23

24 Defense Mechanisms Different programmers use different defenses
Defenses/Filters are not all equivalent We have different instances of vulnerabilities: levels of defense 24

25 Thanks For Buying This Item!
Levels of Defense Example: Cross-Site Request Forgeries Untrusted.c0m “This nice new website: Untrusted.c0m” CSRF Script Untrusted.c0m redirects to MyShopping.Com GET /shop.aspx?ItemID=42&Accept=Yes MyShopping.Com Thanks For Buying This Item! 25

26 Levels of Defense Example: Cross-Site Request Forgeries - Level 0: No Protection (bad) - Level 1: Using only POST (well...) - Level 2: Checking the referrer (better but referrer may be spoofed) - Level 3: Using a nonce (good) Higher level means harder to break 26

27 ? Web Server Web Application Scanner Tool Attacks Tool Report Webapp
Database Server Web Application Scanner Tool Attacks Webapp HTML, etc. Tool Report ? Seeded Vulns. Cheat sheet 27

28 Attacks Analysis An action that exploits a vulnerability
What exactly is the tool testing? What do I need to test in my application? Do the results match? . 28

29 ? Web Server Web Application Scanner Tool Attacks Tool Report Webapp
Database Server Web Application Scanner Tool Attacks Webapp HTML, etc. Attacks Analysis Tool Report ? Seeded Vulns. 29

30 Attack Surface Coverage
Testing the tool accuracy by inserting check points in most of the attack surface Is the tool testing all the application surface? Ex: login correctly, with errors, etc. . 30

31 (1) Touch the file [login.php]
if ( all fields are set ) then (2) All fields are set [login.php] Boolean goodCredentials = checkThisUser(fields)‏ if ( goodCredentials ) then (3) Credentials are correct; Log in [login.php] registerSessionCurrentUser()‏ else if ( available login test > 0 ) then (4) Login information incorrect [login.php] displayErrorLogin()‏ available login test -= 1 (5) Too many tries with bad info [login.php] askUserToSolveCAPTCHA()‏ endif

32 SAMATE Webapps Scanner Testing Lab
Web Server Database Server Web Application Scanner Tool Attacks Webapp HTML, etc. Attacks Analysis Tool Report ? Seeded Vulns. SAMATE Webapps Scanner Testing Lab Coverage Analysis Attack Surface Coverage 32

33 Test Suite Evaluation Test Suite with 21 vulnerabilities (XSS, SQL Injection, File Inclusion) PHP, MySQL, Ajax LAMP 4 Scanners (Commercial and Open Source) One type of vulnerability at the time Results (Detection rate, False-Positive rate)

34 Detection Rates for Different Levels of Defense

35 False Positive Rates for Different Levels of Defense

36 Attack Surface Coverage

37 Coming next Refining level of defense in order to have a better granularity Thinking of tool profiles such as:

38 Coming next (cont.) Using different technologies in our test suites (JSP, .NET, etc.) More than one vulnerability at a time (combinatorial testing?) Metrics? Brian Chess' metric? t: True Positive p: False Positive n: False Negative

39 Issues with Web Application Scanner Tools
Tools are limited in scope (companies sell service as opposed to selling tool) Speed versus Depth (in-depth testing takes time) Difficult to read output reports (typically log files) False-Positives Tuning versus default mode 39

40 We need … - People to comment on specifications
- People to submit test cases for sharing with the community - People to help build reference datasets for testing tools? 40

41 Contacts - SAMATE web site http://samate.nist.gov/
- Project Leader: Dr. Paul E. Black - Project Team Members: Elizabeth Fong, Romain Gaucher, Michael Kass, Michael Koo, Vadim Okun, Will Guthrie, John Barkley 41

Download ppt "Verify Conference – Washington, DC, October 30, 2007"

Similar presentations

Closing the Gap: Analyzing the Limitations of Web Application Vulnerability Scanners David Shelly Randy Marchany Joseph Tront Virginia Polytechnic Institute.

Closing the Gap: Analyzing the Limitations of Web Application Vulnerability Scanners David Shelly Randy Marchany Joseph Tront Virginia Polytechnic Institute.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
OWASP Periodic Table of Vulnerabilities James Landis

OWASP Periodic Table of Vulnerabilities James Landis
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.

Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.
Application Security: What Does it Take to Build and Test a “Trusted” App? John Dickson, CISSP Denim Group.

Application Security: What Does it Take to Build and Test a “Trusted” App? John Dickson, CISSP Denim Group.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
“Today over 70% of attacks against a company’s network come at the ‘Application Layer’ not the Network or System layer.” - Gartner Is Your Web Application.

“Today over 70% of attacks against a company’s network come at the ‘Application Layer’ not the Network or System layer.” - Gartner Is Your Web Application.
1 Testing Web Application Scanner Tools Elizabeth Fong and Romain Gaucher NIST Verify Conference – Washington, DC, October 30, 2007 Disclaimer: Any commercial.

1 Testing Web Application Scanner Tools Elizabeth Fong and Romain Gaucher NIST Verify Conference – Washington, DC, October 30, 2007 Disclaimer: Any commercial.
This is a work of the U.S. Government and is not subject to copyright protection in the United States. The OWASP Foundation OWASP AppSec DC October 2005.

This is a work of the U.S. Government and is not subject to copyright protection in the United States. The OWASP Foundation OWASP AppSec DC October 2005.
Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.

Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.
This is a work of the U.S. Government and is not subject to copyright protection in the United States. The OWASP Foundation OWASP AppSec DC October 2005.

This is a work of the U.S. Government and is not subject to copyright protection in the United States. The OWASP Foundation OWASP AppSec DC October 2005.
Varun Sharma Security Engineer | ACE Team | Microsoft Information Security

Varun Sharma Security Engineer | ACE Team | Microsoft Information Security
Web Application Security Assessment and Vulnerability Assessment.

Web Application Security Assessment and Vulnerability Assessment.
Security Scanning OWASP Education Nishi Kumar Computer based training

Security Scanning OWASP Education Nishi Kumar Computer based training
By: Razieh Rezaei Saleh.  Security Evaluation The examination of a system to determine its degree of compliance with a stated security model, security.

By: Razieh Rezaei Saleh.  Security Evaluation The examination of a system to determine its degree of compliance with a stated security model, security.
A Scanner Sparkly Web Application Proxy Editors and Scanners.

A Scanner Sparkly Web Application Proxy Editors and Scanners.
CAP6135 – Malware and Software Vulnerability Analysis By Tara Lingle and Orcun Tagtekin.

CAP6135 – Malware and Software Vulnerability Analysis By Tara Lingle and Orcun Tagtekin.
Introduction to Application Penetration Testing

Introduction to Application Penetration Testing

Similar presentations

Ads by Google