Leveraging User Interactions for In-Depth Testing of Web Applications


Sean Mc Allister, Technical University Vienna (sean@iseclab.org)
Christopher Kruegel, University of California, Santa Barbara (chris@iseclab.org)
Engin Kirda, Institute Eurecom, France (ek@iseclab.org)

Overview
1. Challenges
2. Improved Fuzzing
3. Evaluation

Vulnerability Scanners
- black-box testing tools that detect vulnerabilities within web applications
- 3 main phases in the workflow:
  - Discovery: find new URLs (plus their input parameters) to be used as attack vectors; follow links and analyze forms
  - Audit (fuzzing phase): fuzz the parameters, send the requests and analyze the responses
  - Crawling (optional): a second crawl after the audit, used to detect persistent vulnerabilities, i.e. injected payloads that were stored and now show up on other pages

Current Problems
- complex forms: server-side validation prevents tools from finding new attack vectors
  - current solutions often guess values
  - some tools offer the possibility to supply values for certain forms (e.g. login credentials)
- the lack of valid input keeps tools from finding vulnerabilities embedded deeper within the application
- but persistent attacks (such as stored XSS) require malicious input that is accepted as valid by that same validation

Current Problems
- importance of workflow within the web application
  - login required before any interaction with the application: supply credentials and block logout links
  - the order of steps matters

Our Solution
- to correctly fill out complex forms it is necessary to have real user input
- to follow workflows within the application the scanner needs some sort of guidance
- build black-box test cases from real user interaction with the application by monitoring user behavior and capturing POST / GET data

2. Improved Fuzzing

Guided Fuzzing
+ use cases can reach deep into the application
+ user-supplied input is (often) valid
- less breadth than traditional fuzzers (depending on the number of use cases)

Extended, Guided Fuzzing
+ depth of the application reached by following user interactions (steps 1 and 3), testing breadth increased by alternating crawling phases (step 2)
- fuzzing phases might break the use case

Problems
- these workflows have the disadvantage that the fuzzing phase can in some cases break the replay of the use case, e.g. logging out of the web application, deleting all items from the shopping cart before proceeding to checkout or, even worse, deleting content generated by the fuzzing component
- the need for stateful testing arises from these shortcomings
- the state of a web application is controlled by (1) the client (cookie values) and (2) the server (database)
- the client side can be reset by the scanner (start over with a fresh cookie jar), but the server-side state cannot be reset from outside the application

Stateful Fuzzing

Implementation
- request capturing component, running as a middleware between the server and the web application
- replay component (HTTP protocol driver)
- server-side implementation of the state machine: intercepts and records all data manipulation originating from a request, and rolls back all changes after the fuzzing phase
- fuzzing component
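As an added example, not the authors' implementation (their middleware and state machine live inside the server), the following Python sketch puts the pieces of the slides "Our Solution", "Problems" and "Implementation" together: a constructed toy forum stands in for the tested application, Recorder is the capturing middleware, Client is the replay driver, and stateful_fuzz snapshots and restores the server-side state (an in-memory dict standing in for the database) around every fuzzing attempt, so the recorded use case stays replayable. The toy application, the use case, the probe string and all names are assumptions made for this example.

```python
# Added example (not the authors' tool): a toy forum stands in for the tested
# application, a capturing middleware records a real user's use case, and a
# stateful fuzzer replays it, fuzzes one parameter at a time, and rolls the
# server-side state back after every attempt so the use case stays replayable.
import copy
import re

XSS_PROBE = "<script>alert(1)</script>"  # marker payload used in the fuzzing phase


class ForumApp:
    """Constructed stand-in for the forum under test: login first, then reply to a
    thread. A reply passes server-side validation only if the thread exists and the
    body is long enough; it is stored unescaped (persistent XSS behind the login)."""

    def __init__(self):
        self.db = {"users": {"alice": "secret"}, "posts": {"1": ["first post"]}}
        self.sessions = set()

    def handle(self, method, path, params, cookies):
        if path == "/login" and method == "POST":
            if self.db["users"].get(params.get("user")) != params.get("pw"):
                return 200, "bad credentials", {}
            self.sessions.add("sid-1")
            return 302, "", {"sid": "sid-1"}
        if cookies.get("sid") not in self.sessions:
            return 200, "<form action='/login' method='post'></form>", {}
        if path == "/reply" and method == "POST":
            tid, body = params.get("thread", ""), params.get("body", "")
            if tid not in self.db["posts"] or len(body) < 3:  # server-side validation
                return 200, "invalid reply", {}
            self.db["posts"][tid].append(body)
            return 302, "", {}
        m = re.fullmatch(r"/thread/(\d+)", path)
        if m and m.group(1) in self.db["posts"]:
            return 200, "".join(f"<p>{p}</p>" for p in self.db["posts"][m.group(1)]), {}
        return 404, "not found", {}


class Recorder:
    """Capturing middleware in front of the application: logs every request the real
    user makes (method, path, GET/POST data). The log is the use case to replay."""

    def __init__(self, app):
        self.app, self.steps = app, []

    def handle(self, method, path, params, cookies):
        self.steps.append((method, path, dict(params)))
        return self.app.handle(method, path, params, cookies)


class Client:
    """Replay component (protocol driver): keeps the cookie jar between requests.
    Client-side state is reset simply by creating a new Client."""

    def __init__(self, app):
        self.app, self.cookies = app, {}

    def send(self, method, path, params=None):
        _, body, set_cookies = self.app.handle(method, path, params or {}, self.cookies)
        self.cookies.update(set_cookies)
        return body


def object_count(app):
    """Evaluation metric: how many objects the scanner left in the database."""
    return sum(len(posts) for posts in app.db["posts"].values())


def stateful_fuzz(app, steps, rollback=True):
    """For each recorded step and each of its parameters: replay the steps before it,
    send the step with that one parameter replaced by the probe, continue the use
    case looking for the probe in any response, then restore the server-side state."""
    findings = []
    for i, (method, path, params) in enumerate(steps):
        for name in params:
            snapshot = copy.deepcopy((app.db, app.sessions))  # server-side state
            client = Client(app)  # fresh client-side state
            for m, p, q in steps[:i]:
                client.send(m, p, q)
            fuzzed = dict(params, **{name: XSS_PROBE})
            seen_at = None
            for m, p, q in [(method, path, fuzzed)] + steps[i + 1:]:
                if XSS_PROBE in client.send(m, p, q):
                    seen_at = p
                    break
            if seen_at:
                findings.append((path, name, seen_at))
            if rollback:
                app.db, app.sessions = snapshot
    return findings


def run_demo():
    app = ForumApp()
    recorder = Recorder(app)
    user = Client(recorder)  # the real user works through the capturing middleware
    user.send("POST", "/login", {"user": "alice", "pw": "secret"})
    user.send("POST", "/reply", {"thread": "1", "body": "hello there"})
    user.send("GET", "/thread/1")
    before = object_count(app)  # seed post plus the user's own reply
    findings = stateful_fuzz(app, recorder.steps)
    after_stateful = object_count(app)  # unchanged: every attempt was rolled back
    stateful_fuzz(app, recorder.steps, rollback=False)
    after_plain = object_count(app)  # fuzzing residue left behind without rollback
    return findings, before, after_stateful, after_plain
```

run_demo() returns the single finding (the probe injected through the body parameter of /reply shows up on /thread/1, i.e. a stored XSS only reachable with a valid login and a reply that passes validation) together with the object counts: with rollback the database is unchanged after fuzzing, without it the fuzzing residue stays, which is what the generated-object metric in the evaluation counts. A real implementation has to snapshot the actual database (a transaction that is rolled back, a savepoint, or a copy of the tables a request touches) rather than deep-copy a dict, and the replayed steps must not contain logout links or other state-destroying requests.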

3. Evaluation

Tested Applications
3 common web applications were tested:
1. blog: browse entries and create comments; forced preview of a comment before it is posted
2. forum application: create threads and replies
3. e-commerce application: large number of pages; browsing of articles, adding to the shopping cart, checkout; registration of new users, login, logout; comments on articles

Tools tested and compared
1. w3af: open source vulnerability scanner; many modules available for various attacks
2. Acunetix Web Vulnerability Scanner: commercial tool that claims high success rates; large number of different attack strings, including advanced XSS attacks
3. Burp Suite Spider component: not really a vulnerability scanner but a manual penetration testing tool; simple form-filling algorithms and web spider capabilities

Measuring the Effectiveness
- coverage of an application (number of pages found and tested)
  - high coverage of an application is definitely desirable
  - questionable for sites with a large amount of content that all derives from the same base template
- measuring generated content: does the scanner have any effect on the content displayed by the web application? Both in terms of generated pages (new threads in bulletin boards) and content on existing pages (replies and comments on existing content)
- on the data level: how many objects have been generated by the scanner?

Results
1. blog
  - no other scanner managed to generate a comment on the blog
  - Acunetix and w3af both found more pages, by requesting the root directories of each found URL
  - persistent XSS vulnerability found after successfully posting a comment
2. forum application
  - due to the varying number of test strings used, some scanners generated far more objects in the database: Acunetix 687 threads, w3af 29, ours 1 to 36 depending on the method
  - number of vulnerabilities found (1) identical for all scanners

Results (2)
3. e-commerce application
  - due to the complexity of this application the evaluated scanners failed to supply valid input data for most forms (even after configuration with username/password) and could not find more than a single vulnerability; the use-case based approaches found up to 8 more
  - a crawling and attacking phase breaks the use case immediately: the spider logs out, deletes content from the shopping cart, etc.
  - coverage was high with all presented approaches, but depth could only be reached with use cases
  - stateful fuzzing is the only feasible approach to reach both depth and breadth for security testing of this application

Conclusions
- The workflow of vulnerability scanners cannot cope with the demand for extensive testing of web applications, because they are unable to reach certain end points.
- Use cases offer a good approach to increase the coverage of scanners within a complex web application.
- The lack of extensive use cases leads to the demand for alternative approaches that can increase the testing breadth of the application.
- In an application that strongly depends upon actions being performed in the right order, additional effort is needed to ensure high coverage.

Any questions?