Performing a Web Application Security Assessment

Similar documents
Acunetix Web Vulnerability Scanner. Getting Started. By Acunetix Ltd.

THE OPEN UNIVERSITY OF TANZANIA

Online Vulnerability Scanner Quick Start Guide

HP WebInspect Tutorial

Unique promotion code

Apparo Fast Edit. Excel data import via 1 / 19

Tool Tip. SyAM Management Utilities and Non-Admin Domain Users

Rational AppScan & Ounce Products

Web Application Vulnerability Testing with Nessus

Load testing with. WAPT Cloud. Quick Start Guide

Configuring Security for FTP Traffic

The Top Web Application Attacks: Are you vulnerable?

Secure Web Development Teaching Modules 1. Security Testing. 1.1 Security Practices for Software Verification

Census. di Monitoring Installation User s Guide

How To Test Your Web Site On Wapt On A Pc Or Mac Or Mac (Or Mac) On A Mac Or Ipad Or Ipa (Or Ipa) On Pc Or Ipam (Or Pc Or Pc) On An Ip

Executive Summary On IronWASP

How To Create A Hyperlink In Publisher On Pc Or Macbookpress.Com (Windows) On Pc/Apple) On A Pc Or Apple Powerbook (Windows 7) On Macbook Pressbook (Apple) Or Macintosh (Windows 8

ESISS Security Scanner

Managing Qualys Scanners

Managed Security Web Portal USER GUIDE

Cascade Server CMS Quick Start Guide

Working with Office Applications and ProjectWise

Migrating helpdesk to a new server

Microsoft Dynamics GP SQL Server Reporting Services Guide

QualysGuard WAS. Getting Started Guide Version 3.3. March 21, 2014

Adobe Systems Incorporated

Web application security: Testing for vulnerabilities

Print Audit 6 - SQL Server 2005 Express Edition

Setting up Sharp MX-Color Imagers for Inbound Fax Routing to or Network Folder

Web attacks and security: SQL injection and cross-site scripting (XSS)

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek

How-to: HTTP-Proxy and Radius Authentication and Windows IAS Server settings. Securepoint Security System Version 2007nx

1. Building Testing Environment

How to Build a SharePoint Website

Barracuda Spam Firewall

Team Foundation Server 2010, Visual Studio Ultimate 2010, Team Build 2010, & Lab Management Beta 2 Installation Guide

Creating a generic user-password application profile

Online Vulnerability Scanner User Manual

Configuring Your Firewall for Client Access in Professional Edition

IBM Security QRadar SIEM Version MR1. Vulnerability Assessment Configuration Guide

Using Foundstone CookieDigger to Analyze Web Session Management

Security features of ZK Framework

Server Installation Guide ZENworks Patch Management 6.4 SP2

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

MultiSite Manager. Setup Guide

Automatic vs. Manual Code Analysis

SQL Server Protection

vtiger Customer Portal 4.2 User Manual

Application Security Testing

(WAPT) Web Application Penetration Testing

HDAccess Administrators User Manual. Help Desk Authority 9.0

VisiCount Installation. Revised: 8/28/2012

IBM Case Manager Solution Assistant using admin client for Case Manager

HackMiami Web Application Scanner 2013 PwnOff

Trustwave SEG Cloud Customer Guide

Millennium Drive. Installation Guide

Hello! This provides details below pertaining to the University's Bank of America VISA charge card program.

Security Products Development. Leon Juranic

MY HELPDESK - END-USER CONSOLE...

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

MultiSite Manager. Setup Guide

SharePoint Integration Framework Developers Cookbook

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

Using different Security Policies on Group Level for AD within one Portal. SSL-VPN Security on Group Level. Introduction

Snapt Balancer Manual

Configuring SQL Server Lock (Block) Monitoring With Sentry-go Quick & Plus! monitors

University of Mary s Spam Solution

Using Internet or Windows Explorer to Upload Your Site

Using Time Matters Software as a Document Management System

Dynamic DNS How-To Guide

How to Configure Outlook Client for Exchange

STK Terrain Server Installation Guide

System Area Management Software Tool Tip: Integrating into NetIQ AppManager

Administrator Operations Guide

This presentation explains how to integrate Microsoft Active Directory to enable LDAP authentication in the IBM InfoSphere Master Data Management

Quick Help Guide SAP CRMS Login, Navigation and Layout

Kaseya 2. Installation guide. Version 7.0. English

Web Application Security

Web based training for field technicians can be arranged by calling These Documents are required for a successful install:

How do I set up a branch office VPN tunnel with the Management Server?

Acunetix Website Audit. 5 November, Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build )

System Administration Training Guide. S100 Installation and Site Management

Campus VPN. Version 1.0 September 22, 2008

Intranet Website Solution Based on Microsoft SharePoint Server Foundation 2010

OutDisk 4.0 FTP FTP for Users using Microsoft Windows and/or Microsoft Outlook. 5/1/ Encryptomatic LLC

1 (11) Paperiton DMS Document Management System System Requirements Release: 2012/

All of the IntelliGanttt functions are accessed directly in Microsoft Project from the IntelliGanttt menu on the menu bar.

Information Technology Policy

SANS Dshield Webhoneypot Project. OWASP November 13th, The OWASP Foundation Jason Lam

Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual. Document Version 1.0

Acunetix Web Vulnerability Scanner. Manual V6.5. By Acunetix Ltd.

SQL Server Protection Whitepaper

Defender Token Deployment System Quick Start Guide

Transcription:

IBM Software Group Performing a Web Application Security Assessment 2007 IBM Corporation

Coordinate the Time of the Audit Set up a time window with the application owner Inform your security team Inform Web Operations (WebOps) 2

Scanning Environment An automated security scan could potentially affect your application Overload the web and application servers Cause denial of service Insert junk data, e.g. post messages on a message board, send multiple e-mails, etc. It preferable to scan applications in preproduction Scan applications in production with caution 3

Get to Know the Site Site Model What would be a good starting point? Are there links to more than one host? Are there parts of the site that should be excluded from the scan? Is execution of JavaScript used for application flow? Does your site contain FLASH? Are there pages that require special user input? Authentication What type of authentication does your web application use? Does your system allow concurrent logins? Does your authentication system disable your user account after x number of invalid login attempts? 4

Configuring and Running a Scan Quick Scan UI Makes creating a scan simpler Scan is based on a predefined template User typically specifies Starting URL Login sequence Pages to Scan (Manual Explore) 5

Creating a Scan Walkthrough 6

Creating a Scan Specify Name and Template Specify Name Specify Template Click Create 7

Creating a Scan Recording a Login Sequence Click Record Allows ASE to authenticate to the application 8

Creating a Scan Recording a Login Sequence (cont.) ASE Browser Login to your app/site Click the Stop button or close the browser 9

Creating a Scan Specifying a Starting URL Starting point of the scan 10

Creating a Scan Manual Explore Browse the application manually Click on links Input data The easiest way to define scan scope Use when scanning specific pages / functional path 11

Creating a Scan Running the Scan Click Save and Run 12

Viewing Scan Progress Status Icon Click on Stats 13

Scan Statistics Key counters Elapsed time Pages found Pages scanned Security entities found Security entities tested Security issue variants Security tests sent Link to Log enabled if problems occurred 14

Viewing Results Status must be Ready Click on scan name 15

Working with Reports Report Pack Summary Report list depends on template Key reports Security Issues Remediation Tasks Pages Broken Links Click on report name to view 16

Working with Reports Setting Up Your View Group Show Search Layout 17

Working with Reports Viewing Issue Details Click on Issue number 18

Working with Reports Advisory Explanation of the vulnerability WASC Threat Classification Security Risk Possible Cause Technical Description Products Affected References and Relevant Links 19

Working with Reports Fix Recommendation How do you fix the problem? General Description ASP.NET Fix Recommendation J2EE Fix Recommendation PHP Recommendation 20

Working with Reports Request / Response Issue variants Difference (hyperlink) Reasoning (hyperlink) Test HTTP Traffic Original HTTP Traffic 21

Working with Reports Issue Management Marking issue status In Progress Noise Fixed Passed Open 22

Reviewing Test Results Steps Note: Test results MUST be reviewed for false positives Start with the high priority items 1. Click on the Issue Number link 2. Read the Advisory 3. Review the Request / Response Tab a) Look at the reasoning highlighted text in the Test HTTP response b) If you are not convinced that this is a vulnerability 1. Look at the difference 2. Try to understand what the test is doing (go back to the advisory) 3. Look at the test response 4. Look at the original traffic make sure it is valid (esp. was the page in session) 23

Reviewing Test Results False Positives False Negatives 24

Lab: Setting up and Running a Scan 1. Create a scan for http://demo.testfire.net 2. Use Manual Explore test policy 3. Run the scan 4. View your reports 5. Set up your report view 6. Examine a vulnerability of each of the following types: a) XSS b) SQL Injection c) SQL Injection on the login page 7. Classify the issues 25

Advanced Scan Options Explained Servers and Domains / URL Normalization Dynamic Components Custom Error Pages Automatic Form Fill Connection Settings Network Connection Scheduling Log Settings 26

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information