WAPITI
Web application vulnerability scanner and security auditor
March 2010
www.gesfor.es
www.grupogesfor.com

Agenda
- Why is security necessary?
- Why do things happen?
- Types of security
- OWASP Top 10
- Vulnerability detection
- Wapiti
- About Gesfor
Why is security necessary?
- Data is a valuable asset for a company.
- An attack could cause the loss of several thousands (or millions) of Euros.
- An attack could damage the corporate image of a company.

Why do things happen?
- "Bad things happen to other people"
- Lazy system administrators
- Fast developments focused on functionality
- Ignorance of security

Types of security
- Physical security
- Network security
- Server security
- Application security

Common security vulnerabilities (OWASP Top 10)
1. Cross Site Scripting (XSS)
2. Injection Flaws (SQL Injection included)
3. Malicious File Execution
4. Insecure Direct Object Reference
5. Cross Site Request Forgery (CSRF)
6. Information Leakage and Improper Error Handling
7. Broken Authentication and Session Management
8. Insecure Cryptographic Storage
9. Insecure Communications
10. Failure to Restrict URL Access
XSS
- Injects client-side code into web pages, typically JavaScript.
- Types of XSS attacks: non-persistent and persistent.
- Examples:
  http://page.com?foo_var=<script>alert('Cookie '+document.cookie)</script>
  <SCRIPT>alert('Cookie '+document.cookie)</SCRIPT>

SQL Injection
- Injects code from the client side that is executed in the database layer.
- Example:
  Query:  SELECT * FROM Users WHERE Username='$username' AND Password='$password'
  Input:  $username = 1' or '1' = '1
          $password = 1' or '1' = '1
  Result: SELECT * FROM Users WHERE Username='1' OR '1' = '1' AND Password='1' OR '1' = '1'
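The slide's login query, as an added example that is not part of the original deck: the string-built version accepts the slide's input and returns a row without valid credentials, while the same query with bound parameters does not. The in-memory SQLite database and the sample user are constructed for the demo.

```python
import sqlite3

PAYLOAD = "1' or '1' = '1"  # the input shown on the slide


def make_db():
    """Constructed sample database with a single user (not from the slides)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    db.execute("INSERT INTO Users VALUES ('alice', 's3cret')")
    return db


def login_vulnerable(db, username, password):
    """Builds the query by string interpolation, exactly as on the slide.
    The quotes in the input close the literal and add an OR '1'='1' clause,
    so the WHERE condition is true for every row."""
    query = ("SELECT * FROM Users WHERE Username='%s' AND Password='%s'"
             % (username, password))
    return db.execute(query).fetchall()


def login_safe(db, username, password):
    """Same query with bound parameters: the driver sends the values separately,
    so they are compared as data and never parsed as SQL."""
    query = "SELECT * FROM Users WHERE Username=? AND Password=?"
    return db.execute(query, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD, PAYLOAD))  # one row
    print("safe:      ", login_safe(db, PAYLOAD, PAYLOAD))        # no rows
```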
Vulnerability detection
Three types of techniques:
- Black-box testing: external attacker approach
- White-box testing: dynamic and static code analysis
- Grey-box testing: mixed approach

Wapiti
Web application vulnerability scanner and security auditor

Wapiti: content and characteristics
- Project created in 2006 by Nicolas Surribas
- Contributions from Gesfor since 2008
- Written in Python
- Black-box testing approach
- Technique used: fuzz testing
- Vulnerabilities detected:
  - XSS (persistent and non-persistent)
  - SQL Injection (and Blind SQL Injection)
  - CRLF Injection
  - Command execution detection
Wapiti fuzz testing (steps)
1. Attack vector detection: links and forms
2. Attack: injection of malicious strings (optimized) in order to discover existing vulnerabilities
3. Response analysis: errors, reflected injected strings, ...

Wapiti: first step (web crawler)
- Goal: discover attack vectors (forms and links)
- Uses the httplib2 library (instead of urllib2), which is more efficient
  http://code.google.com/p/httplib2
Wapiti: first step (web crawler), issues found I
- HTTP authentication
  Solution: auth option, -a <login%password>
- Session cookies
  Solution: cookie option, -c <cookie_file>
  Wapiti includes a tool that is able to create cookie files

Wapiti: first step (web crawler), issues found II
- Infinite link navigation (the "calendar problem")
  Solution: nice option, -n <limit>
  http://www.server.com/p?a=x&b=1&c=x
  http://www.server.com/p?a=x&b=2&c=x
  http://www.server.com/p?a=x&b=2&c=y
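An added illustration of the limit the nice option imposes (not Wapiti's own code): URLs are grouped by the pattern they share, assumed here to be host, path and the set of parameter names, and once a pattern has produced `limit` distinct URLs any further variant is dropped, so a calendar that only changes parameter values cannot keep the crawler busy forever. The sample URLs are the three from the slide plus one constructed extra.

```python
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit


class NiceFilter:
    """Keeps at most `limit` distinct URLs per pattern (assumed simplification
    of the -n option: same host, same path, same parameter names)."""

    def __init__(self, limit):
        self.limit = limit
        self.seen = defaultdict(set)  # pattern -> URLs already accepted

    @staticmethod
    def pattern(url):
        parts = urlsplit(url)
        names = tuple(sorted(k for k, _ in
                             parse_qsl(parts.query, keep_blank_values=True)))
        return (parts.netloc, parts.path, names)

    def accept(self, url):
        bucket = self.seen[self.pattern(url)]
        if url in bucket:              # exact duplicate, already queued
            return False
        if len(bucket) >= self.limit:  # budget for this pattern exhausted
            return False
        bucket.add(url)
        return True


# Constructed crawl input: the slide's three URLs plus a different pattern.
SAMPLE_URLS = [
    "http://www.server.com/p?a=x&b=1&c=x",
    "http://www.server.com/p?a=x&b=2&c=x",
    "http://www.server.com/p?a=x&b=2&c=y",
    "http://www.server.com/p?a=x",
]


def crawl_queue(urls, limit):
    """Returns the URLs a crawler would actually fetch under the given limit."""
    nice = NiceFilter(limit)
    return [u for u in urls if nice.accept(u)]


if __name__ == "__main__":
    for u in crawl_queue(SAMPLE_URLS, limit=2):
        print(u)
```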
Wapiti: first step (web crawler), limitations
- JavaScript links: Wapiti does not execute JavaScript code, so these links are not followed.
- Pages with the same URL but different parameters are interpreted as the same page.
- It is not able to discover the deep web.
- These are inherent limitations of the web crawler approach.

Wapiti: second step (fuzz testing)
- Attacks on the vectors identified in the first step.
- Injection of malicious strings (optimized) in order to discover existing vulnerabilities.

Wapiti: third step (response analysis)
- Existing vulnerabilities are discovered by analysing the errors and responses obtained for the injected strings.
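Steps 2 and 3 as an added, self-contained example (not Wapiti's code): each vector from step 1 receives a unique marker string and a lone quote, and the response is inspected for the marker reflected unescaped (non-persistent XSS) or for a database error message (SQL injection symptom). The two target pages are constructed stand-ins for a real site, one reflecting input as-is and one escaping it.

```python
import html

MARKER = "w4p1t1"  # constructed unique string; unlikely to appear by chance

# Genuine error fragments emitted by MySQL and PostgreSQL respectively.
SQL_ERROR_SIGNATURES = [
    "You have an error in your SQL syntax",
    "unterminated quoted string",
]


def reflecting_page(params):
    """Constructed vulnerable page: echoes 'q' unescaped, leaks DB errors."""
    body = "<p>Results for %s</p>" % params.get("q", "")
    if "'" in params.get("id", ""):
        body += "<pre>ERROR: unterminated quoted string at or near \"'\"</pre>"
    return body


def hardened_page(params):
    """Same page with output escaping and input validation."""
    body = "<p>Results for %s</p>" % html.escape(params.get("q", ""))
    if not params.get("id", "").isdigit():
        body += "<p>Invalid id</p>"  # generic message, no DB details
    return body


def scan(page, param_names, marker=MARKER):
    """Step 2 (inject) and step 3 (analyse) for each attack vector.
    Returns sorted (parameter, finding) pairs."""
    findings = set()
    probe_tag = "<%s>" % marker
    for name in param_names:
        if probe_tag in page({name: probe_tag}):       # reflected untouched
            findings.add((name, "xss"))
        resp = page({name: "1'"})                      # break a quoted literal
        if any(sig in resp for sig in SQL_ERROR_SIGNATURES):
            findings.add((name, "sql_error"))
    return sorted(findings)


if __name__ == "__main__":
    print(scan(reflecting_page, ["q", "id"]))  # [('id', 'sql_error'), ('q', 'xss')]
    print(scan(hardened_page, ["q", "id"]))    # []
```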
Wapiti: disadvantages and advantages
Disadvantages:
- Wapiti is not able to find all the vulnerabilities.
Advantages of this technique:
- Fast testing
- The user does not need security knowledge
- Wapiti discovers the most common vulnerabilities (according to the OWASP Top Ten)
- New attacks can be added in an easy way

Wapiti: results
- More than 30,000 downloads from sourceforge.net
- Ranked 1,588 of 162,419 projects on sourceforge
- Included as an OWASP project
- Included in the most important security Linux distributions: BackTrack, OWASP Live CD, ...
Wapiti: contributions from Gesfor
Version 2.0:
- Generation of reports
- Refactoring to an object-oriented approach
- Extensibility of payloads
- Nice option
- Extensive documentation
- New Wapiti portal
- J2EE version
- Online demo
Version 2.1:
- XSS improvements
- More efficient (using the httplib2 library)
- Blind SQL Injection attacks
- Cookie file creation tool
Version 2.2:
- XSS improvements
- Scope option
- Temporary files
- Internationalization (English, Spanish and French)
- Compatibility with Segovia

Wapiti: website
- Features of each version
- Download
- Wiki: introduction, getting started, user guides, FAQ
- Roadmap
- Videos ...

Wapiti: future
Roadmap 2009/2010

Wapiti: future
Version 2.3 (in progress). Improvements:
- SQL injection
- Threaded attacks
- Cookie management
About Gesfor: a group with 25 years of experience
- Spanish multinational capital, in the IT and HR sectors.
- Technology consulting, systems integration, outsourcing, HR consulting and training.
- Over 2,000 professionals.
- Wide presence in 20 countries.
- More than 300 large customers from all sectors.
- More than 25 R&D projects a year at European, national and local levels.
- Commitment towards quality and excellence.
- Leading company in the field of information technology, recognized in the market for its high, sustained commitment to its customers, employees and partners.

GRUPO GESFOR, HR & IT global provider
www.gesfor.es
http://innovacion.grupogesfor.com
WAPITI: http://www.ict-romulus.eu/web/wapiti
A group without boundaries