5. Testing Methods
- White box: source code access
- Gray box: some kind of internal infrastructure knowledge
- Black box: online access to the Web application only
  - Testing with automatic tools (Web scanners)
  - Confirm the scanners' results

6. Web Scanners
- "Try" to find application vulnerabilities
- Perform pre-defined tests: active analysis through attack simulation
  - HTTP message manipulation
  - HTTP message inspection
  - Fuzzing to find weird attributes
  - Code analysis
  - ...
- Scan the Web application
  - Content analysis
  - Specifically crafted requests
  - Results generation

7. Web Scanners
- Very important in some scenarios
- Point and shoot: scan, then get vulnerabilities
9. Web Scanners Evaluation
- NIST SAMATE: Software Assurance Metrics and Tools Evaluation
- WASSEC: Web Application Security Scanner Evaluation Criteria

10. Web Scanners Evaluation: NIST SAMATE
- Web application issues
  - Technical vulnerabilities
  - Security vulnerabilities
  - Architectural/logical vulnerabilities
  - Other vulnerabilities
- No longer supported since 1st January 2010

11. Web Scanners Evaluation: WASSEC
- Protocol support
- Authentication
- Session management
- Crawling
- Parsing
- Testing
- Command and control
- Reporting
- <Customized>

12. Web Scanners Evaluation: complementary evaluation method
- Select a vulnerability to test
- Create exploitation levels based on the information on how to protect against it
- Explore the Web scanner's behavior for each level

13. Web Scanners Evaluation
- Ideally we would create a Web application to assess each level
- Optionally we can just use pre-defined available ones
  - Cenzic
  - Watchfire WebMaven / Buggy Bank
  - Updated HackmeBank
  - OWASP WebGoat
  - Stanford SecuriBench
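As an added illustration of slides 6, 12 and 13 (this is example code written for this page, not code from the thesis or from any of the scanners listed), the block below builds one tiny WSGI application per hypothetical "exploitation level" of reflected-XSS protection and runs a minimal scanner-style probe against each: it sends crafted requests, inspects the HTTP response, and records a finding only when the payload is reflected unencoded. The three protection levels, the `/greet` endpoint, the `name` parameter and the payload list are all constructed for the example; everything runs in-process, so no network or server is needed.

```python
import html
import re
from io import BytesIO
from urllib.parse import parse_qs, quote

# Constructed attack payloads a scanner might send for reflected XSS.
PAYLOADS = [
    "<script>alert(1)</script>",
    "<img src=x onerror=alert(1)>",
    '"><svg onload=alert(1)>',
]


def sanitize(level: int, value: str) -> str:
    """Hypothetical exploitation levels derived from how XSS is mitigated.

    level 0: no protection (raw reflection)
    level 1: naive blacklist that only strips <script> elements
    level 2: proper output encoding of the reflected value
    """
    if level == 0:
        return value
    if level == 1:
        return re.sub(r"(?is)<script.*?>.*?</script>", "", value)
    return html.escape(value, quote=True)


def make_app(level: int):
    """Build a WSGI app that reflects ?name= into an HTML page at the given level."""
    def app(environ, start_response):
        params = parse_qs(environ.get("QUERY_STRING", ""))
        name = params.get("name", [""])[0]
        page = f"<html><body><p>Hello {sanitize(level, name)}</p></body></html>"
        start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
        return [page.encode("utf-8")]
    return app


def get(app, query: str):
    """Issue one in-process GET with a crafted query string (minimal WSGI environ)."""
    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": "/greet",
        "QUERY_STRING": query,
        "SERVER_NAME": "localhost",
        "SERVER_PORT": "80",
        "SERVER_PROTOCOL": "HTTP/1.1",
        "wsgi.version": (1, 0),
        "wsgi.url_scheme": "http",
        "wsgi.input": BytesIO(b""),
    }
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response)).decode("utf-8")
    return captured["status"], dict(captured["headers"]), body


def probe(app) -> list:
    """Scanner-style check: send each payload, inspect the response, report hits.

    A hit is recorded only when the payload comes back byte-for-byte unencoded
    in an HTML response; an encoded echo such as &lt;script&gt; is not counted.
    """
    hits = []
    for payload in PAYLOADS:
        status, headers, body = get(app, "name=" + quote(payload, safe=""))
        is_html = "text/html" in headers.get("Content-Type", "")
        if status.startswith("200") and is_html and payload in body:
            hits.append(payload)
    return hits


def evaluate_levels(levels=(0, 1, 2)) -> dict:
    """Run the probe against a separate test application per level."""
    return {level: probe(make_app(level)) for level in levels}


if __name__ == "__main__":
    for level, hits in evaluate_levels().items():
        print(f"level {level}: {len(hits)} reflected payload(s): {hits}")
```

Running it shows the behavior the evaluation method is after: level 0 reflects all three payloads, level 1 blocks only the `<script>` payload while the event-handler payloads still get through, and level 2 reflects nothing unencoded. The substring check in `probe` is deliberately strict to avoid the false positives discussed later; a real scanner would additionally parse the HTML to confirm the reflection lands in an executable context.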
14. Manual Analysis
- Why? There are always false positives, so vulnerability analysis needs manual confirmation
- [For each vulnerability]
  - Understand how to test it
  - Impacts
  - Mitigation
  - Manual confirmation needed
  - Documentation
- [end]

15. Case Study
- Related to my master's thesis
- 17 real Web applications
  - Government
  - Education
  - Other relevant service providers

16. Case Study
- Choose Web scanners
- Apply Web scanners to Web applications
- Evaluate results

17. Case Study: Choose Web Scanners
- Overall Web scanner discovery in the open source community
- Discard the less accepted Web scanners
- Apply customized WASSEC

18. Case Study: Choose Web Scanners
- Overall Web scanner discovery in the open source community
  - Grabber
  - Grendel-Scan
  - Paros Proxy
  - Powerfuzzer
  - SecurityQA Toolbar
  - Skipfish
  - W3AF
  - Wapiti
  - Watcher
  - Websecurify
  - Netsparker
  - OpenAcunetix
  - RatProxy

19. Case Study: Choose Web Scanners
- Discard the less accepted Web scanners
  - Grabber
  - Grendel-Scan
  - Paros Proxy
  - Powerfuzzer
  - SecurityQA Toolbar
  - Skipfish
  - W3AF
  - Wapiti
  - Watcher
  - Websecurify
  - Netsparker
  - OpenAcunetix
  - RatProxy

20. Case Study: Choose Web Scanners
- Apply customized WASSEC
  - OWASP Top 10 coverage
  - Recent activity and updates
  - Support for new technologies
  - Fast bug fixing (easy to interact with the developers)

22. Case Study: Apply Web Scanners to Web Applications
- PHP: 8 Web applications
- Java: 1 Web application
- .NET/ASPX: 8 Web applications

23. Tests Methodology
- Select a Web application (after legal authorization)
- [for each Web scanner] Use the Web scanner
- Manual verification, using different tools and live CDs
- Document the found vulnerabilities
- Create a detailed report
- [test's end] Deliver the report to the organization