SANDCAT THE WEB APPLICATION SECURITY ASSESSMENT SUITE WHAT IS SANDCAT? MAIN COMPONENTS. Web Application Security

Transcription

1 SANDCAT WHAT IS SANDCAT? THE WEB APPLICATION SECURITY ASSESSMENT SUITE Sandcat is a hybrid multilanguage web application security assessment suite - a software suite that simulates web-based attacks. Sandcat proactively guards an organization's Web infrastructure against web application security threats, finding existing vulnerabilities before the hackers. Today's Sandcat hybrid capabilities allows organizations to: Pen-test websites, scanning live web applications for multiple classes of vulnerabilities - an approach known as blackbox which equals to the hacker's perspective. Scan the source of web applications for the same classes of vulnerabilities - an internal code review (also known as whitebox). Combine both approaches, performing what is known as hybrid analysis (or greybox) Vulnerability Coverage Sandcat's extensive vulnerability coverage is the result of years of research - a total of 29 thousand web vulnerabilities were researched by Syhunt. Sandcat currently performs: Over 460 remote web application security checks in over 24 categories of web attacks - including: o XSS (Cross-Site Scripting), SQL Injection, File Inclusion, Command Execution, etc. o OWASP's Top Ten Most Critical Web Application Security Vulnerabilities & PHP Top 5 Vulnerabilities Over 300 source checks, covering several types of web security attacks Thousands of additional remote checks for vulnerabilities affecting specific web application/servers (Example: StatPressCN Plugin for Wordpress wp-admin/admin.php Multiple Parameter XSS - CVE ) MAIN COMPONENTS Remote Scanner Performs deep web crawling (spidering), automatically mapping an entire web site structure and running injection and directory brute force checks Includes a HTML5-aware spider and JavaScript emulation capabilities Scans any type of web application Some of the key technologies supported by Sandcat Source Scanner Scans the source code of web applications written in PHP, JSP & ASP.NET/Classic ASP for vulnerabilities Identifies key areas of the code, such as key HTML tags, AJAX / JavaScript, entry points and interesting keywords Sandcat 4.2 running under Windows 7

2 KEY PRODUCT FEATURES Concurrency/Scan Queue Support - Multiple security scans can be queued and the number of threads can be adjusted. Deep Crawling - Runs security tests against web pages discovered by crawling a single URL or a set of URLs provided by the user. Advanced Injection - Maps the entire web site structure (all links, forms, XHR requests and other entry points) and tries to find custom, unique vulnerabilities by simulating a wide range of attacks/sending thousands of requests (mostly GET and POST). Tests for SQL Injection, XSS, File Inclusion and many other web application vulnerability classes. Browser Emulation - Handles complex, large web sites and automatically adapts to different web environments and technologies. CVE & CWE-Compatible - Sandcat fully supports CVE & CWE. It makes the list of CVE-compatible products and services provided by the Mitre Corporation who created the standard. Local or Remote Storage - Scan results are saved locally (on the disk) or remotely (in the Sandcat web server). Results can be converted at any time to HTML or multiple other available formats. IPv6-Compatible - Allows to scan IPv6 addresses. Sandcat Console (Mini Edition) running under Windows 7 In addition to its GUI (Graphical User Interface) functionalities, Sandcat offers an easy to use command-line interface and a web-interface. REPORT GENERATION Sandcat comes with the ability to generate a report containing details about the vulnerabilities. After examining the application's response to the attacks, if the target URL is found vulnerable, it gets added to the report. Sandcat's reports also contain charts, statistics and compliance information. Syhunt offers a set of report templates tailored for different audiences. A Sandcat report usually includes: Full vulnerability information and references - CVE, NVD, CWE, Bugtraq & OSVDB Compliance Information - Such as OWASP Top 10, PHP Top 5, CWE/SANS Top 25, Payment Card Industry (PCI), etc. Reports generated by Sandcat Pro can include full vulnerability info, charts and more. Currently, Sandcat is able to generate reports and export data in several formats - including HTML, PDF, XML, Text, CSV, RTF, XLS, DOC & NBE, or your own custom format. Sandcat also includes the ability to automatically reports after a scan is completed. ADDITIONAL COMPONENTS Sandcat Browser - The first pen-test oriented web browser with extensions support Log Analyzer - Scans HTTP logs created by web servers for intrusion attempts Hardener - Scans Apache and PHP configuration files for weak security settings Gelo - A Lua extension library that aims to simplify and accelerate the development of exploit-oriented tools. Gelo is currently being used to build extensions in Sandcat.

3 THE WAVSEP COMPARISON Sandcat was included in the WAVSEP independent web application scanner accuracy tests produced by Shay Chen, an application security consultant. The WAVSEP (Web Application Vulnerability Scanner Evaluation Project) is the most comprehensive ever made (a total of 43 tools were included). Previous comparisons in the field were unable to cover free and open source scanners. The WAVSEP results were published in December How did Sandcat go? Cross-Site Scripting (XSS) Sandcat scored a near 100 percent XSS detection rate, detecting: 100% (33 of 33) of the GET-based XSS vulnerabilities 96% (32 of 33) of the POST-based vulnerabilities Other black-box scanning tools covered in the tests scored below 63% (missed almost 40% of the vulnerabilities). Many, including popular open source tools, scored near or below 30% SQL Injection (SQLi) Sandcat scored a 100 percent error-based SQL Injection detection rate. Sandcat also excelled at identifying an additional large set of 80 error-based SQL Injection vulnerabilities (detected 100% of the vulnerabilities, both GET-based and POST-based). Sandcat scored such high detection rates running at half its capabilities. It's white-box (source) scanning capabilities were not covered in the tests. Note: The WAVSEP project environment, containing hundreds of scenarios/vulnerable web pages used to produce the tests, was made available open source to the information security community through the Google Code website at For more information about Sandcat, visit

4 SANDCAT SCANNER CHECKS APPLICATION CHECKS (REMOTE / BLACK-BOX) Sandcat includes checks for a extremely wide array of different web application security threats, as shown below. Backup Files Common Exposures o Dangerous Methods o Default Content o Internal IP Address Disclosure Common Files and Folders Common Vulnerable Scripts o ASP & ASP.Net o PHP o JSP o Perl Form Hijacking Old/Backup Files o Common Backup Folders & Files Outdated Server Software Path Disclosure Source Code Disclosure Suspicious HTML Comments Unencrypted Login Web-Based Backdoors Compliance o OWASP Top 10 o PHP Top 5 o CWE/SANS Top 25 o WASC Threat Classification Fault Injection (See below) o Parameter Tampering o Form Field Manipulation Fault Injection Checks Buffer Overflow Cookie Manipulation Command Execution CRLF Injection Cross Frame Scripting Cross-Site Scripting (XSS) o XSS Filter Evasion Default Account Directory Listing Directory Traversal File Inclusion (Local & Remote) Information Disclosure LDAP Injection MX Injection Password Disclosure Path Disclosure PHP Code Injection Server-Specific Vulnerabilities o IIS o iplanet o Others Source Code Disclosure SQL Injection (Error-Based & Blind) o Access o DB2 o Firebird/InterBase o Informix o MySQL o Oracle o PostgreSQL o SQL Server o SQLite o Sybase o Others XPath Injection Miscellaneous Supports any web server platform.

5 APPLICATION CHECKS (SOURCE / WHITE-BOX) Sandcat now also includes the ability to scan the source code of your web applications for multiple classes of application vulnerabilities. Arbitrary File Manipulation Command Execution Cross-Site Scripting (XSS) File Inclusion (Local & Remote) HTTP Response Splitting SQL Injection (Error-Based & Blind) o DB2 & dbx o Firebird/InterBase o FrontBase o Informix o Ingres o MaxDB o msql o MySQL o Oracle o Ovrimos o PostgreSQL o SQL Server & SQLite o Swish & Sybase Weak Validation Key HTML Tags Key AJAX / JavaScript Entry Points - User Input Entry Points - Indirect User Input Interesting Keywords Compliance o OWASP PHP Top 5 Configuration Hardening o Apache o PHP Supports ASP*/ASP.NET*, PHP & JSP*. (*) indicates initial or beta support SERVER CHECKS (REMOTE / BLACK-BOX) Checks for vulnerabilities affecting known web applications and servers Admin Pages CGI, CGI-Bin & CGI-Local Folders CGI-Sys CGI Scripts Common Files and Folders Common Server Vulnerabilities Cisco IOS ColdFusion Domino & NSF IIS NCSA FrontPage / FrontPage CGI Other Servers & Add-Ons Common Vulnerable Scripts o ASP & ASP.Net o PHP o JSP o Perl (PL) Compliance o CWE/SANS Top 25 o WASC Threat Classification Database Disclosure Denial-of-Service IDS Testing Old/Backup Files o Common Backup Folders & Files Outdated Server Software Web-Based Backdoors WinCGI

6 MULTI-LAYER DEFENSE EVASION The Multi-Layer Defense Evasion is the ability of Sandcat to combine multiple techniques aimed at a wide array of security mechanisms to perform stealthy tests. Today's Sandcat defense evasion feature set includes: Anti-XSS Filters evasion - Bypasses regular expression filters used against XSS. UTF8-Decode - Ability to take advantage of UTF8-Decode problems to evade filters when performing injection checks. Signature-Based Web Honeypot & Application Firewall Detection Common IDS evasion techniques (over 10 techniques) Multiple WAF and IDS evasion techniques, targeting specifically: o mod_security o PHP-IDS OWASP TOP 10 CHECKS The OWASP Top Ten is a list of vulnerabilities that require immediate remediation. Existing code should be checked for these vulnerabilities immediately, as these flaws are being actively targeted by attackers. The OWASP Foundation encourage companies to adopt the OWASP Top Ten as a minimum standard for securing web applications. SANS TOP 20 CHECKS The SANS Top 20 includes step-by-step instructions and pointers to additional information useful for correcting the security flaws. The SANS Institute updates the list and the instructions as more critical threats and more current or convenient methods of protection are identified. It is a community consensus document. COMPLIANCE Sandcat helps organizations address the most pressing compliance issues such as: Health Insurance Portability and Accountability Act (HIPAA): The Sandcat solution allows healthcare organizations to perform assessment of web applications and portals to identify areas of possible vulnerability to data disclosure, denial of service attacks or system compromise. Gramm-Leach-Bliley (GLBA)/Payment Card Industry (PCI) Data Security Standard/CA-SB1: Financial organizations can harden home banking, customer service, ecommerce and other web-based applications and deployments. Sarbanes-Oxley: Executive management systems can be assessed and data integrity risks can be mitigated through the use of Sandcat against web-based interfaces. For more information about Sandcat Checks, visit