Security Scanning

Post on 23-Jan-2016


Transcript of Security Scanning

The OWASP Foundation
http://www.owasp.org

OWASP Education
Computer based training

Security Scanning

Nishi Kumar
IT Architect Specialist
Chair, Software Security Forum FIS
OWASP CBT Project Lead
OWASP Global Industry Committee
Nishi.Kumar@owasp.org

Contributor and Reviewer: Keith Turpin

Objectives

Understand different offerings available to find vulnerabilities

Learn pros and cons of those offerings

Know about some open source and commercial scanning tools

Industry Application Security Offerings

Automated
Dynamic web application interface scanning
Static code scanning
Web app firewalls
Intrusion Prevention Systems (IPS)

Manual
Application penetration test
Code review

Automated vs. Manual: Advantages

Advantages of automated solutions
Low incremental cost
Minimal training
Potentially 24/7 protection

Advantages of manual solutions
No false positives
Guaranteed code coverage
Ability to identify complex vulnerabilities
Understand business logic
Acts like a determined attacker
Can combine vulnerabilities

What Automated Solutions Miss

Theoretical
Logic flaws (business and application)
Design flaws

Practical
Difficulty interacting with Rich Internet Applications
Complex variants of common attacks (SQL Injection, XSS, etc.)
Cross-Site Request Forgery (CSRF)
Uncommon or custom infrastructure
Abstract information leakage

Conducting the Assessment

If you are using automated scanning tools, beware of false positives and false negatives

Pattern recognition has limitations
Combine various testing methods:
Automated scanning
Code review
Manual testing

Learn what tools do and do not do well
Validate every finding
Keep detailed notes


Commercial Dynamic Scanning Tools

Web Inspect – by HP

Rational AppScan – by IBM

Acunetix WVS – by Acunetix

Hailstorm – by Cenzic

NTOSpider – by NT OBJECTives


Open Source and Low Cost Scanners

W3af - http://w3af.sourceforge.net/

Burp Suite - http://portswigger.net/

Grendel Scan - http://grendel-scan.com/

Wapiti - http://wapiti.sourceforge.net/

Arachni - http://zapotek.github.com/arachni/

Skipfish - http://code.google.com/p/skipfish/

Paros - http://www.parosproxy.org/ (Free version no longer maintained)


Code Scanning Tools

Fortify – by HP

Rational AppScan Source Edition – by IBM

Coverity Static Analysis – by Coverity

CxSuite – by Checkmarx

Yasca – by OWASP

Veracode binary analysis – by Veracode (Veracode uses a different methodology than other scanners)

Client Side Web Proxies

Paros - http://www.parosproxy.org/ (Free version no longer maintained)

Burp Suite - http://portswigger.net/

WebScarab NG - https://www.owasp.org/index.php/OWASP_WebScarab_NG_Project

Charles Proxy - www.charlesproxy.com/

Browser Plugins:
Internet Explorer: Fiddler
Firefox: Tamper Data

Paros Proxy

Paros Proxy is a security scanning tool. Through Paros's proxy all HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified.
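The slide above states that a client-side proxy lets the tester see and change cookies and form fields while they are in transit. The following is an added, self-contained example (it is not code from the OWASP deck, nor from Paros or any other tool named here) that demonstrates exactly that mechanism on loopback: a stand-in web server (EchoUpstream) echoes back whatever it receives, and a minimal intercepting proxy (InterceptingProxy) decodes the cookies and form fields of each request, logs them as the client sent them, applies a rewrite rule, and forwards the result. The field name qty, the session cookie value and the /checkout path are all constructed for the demonstration. The lesson for the defender is the one implied by the slide: every value that arrives from the client, including hidden form fields and cookies, could have been edited on the way, so the server must validate it rather than trust it.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode

# Rewrite rules the proxy applies to traffic passing through it (constructed for this example).
FORM_REWRITES = {}
# Record of what the client actually sent, before any rewrite (what an analyst reads in the proxy UI).
INTERCEPT_LOG = []


class EchoUpstream(BaseHTTPRequestHandler):
    """Stand-in for the real web server: echoes back the Cookie header and body it received."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length).decode()
        reply = f"cookie={self.headers.get('Cookie', '')}\nbody={body}".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)

    def log_message(self, *args):  # keep the demo quiet
        pass


class InterceptingProxy(BaseHTTPRequestHandler):
    """Sits between client and server: decodes cookies and form fields, rewrites, forwards."""

    upstream = ""  # base URL of the real server; set by run_demo()

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        fields = {k: v[0] for k, v in parse_qs(self.rfile.read(length).decode()).items()}
        cookie_header = self.headers.get("Cookie", "")
        cookies = dict(c.strip().split("=", 1) for c in cookie_header.split(";") if "=" in c)
        INTERCEPT_LOG.append({"path": self.path, "fields": dict(fields), "cookies": cookies})
        fields.update(FORM_REWRITES)  # the in-transit modification the slide describes
        req = urllib.request.Request(
            self.upstream + self.path, data=urlencode(fields).encode(), method="POST")
        if cookie_header:
            req.add_header("Cookie", cookie_header)
        with _direct_opener().open(req) as resp:
            data = resp.read()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass


def _direct_opener():
    # Ignore any http_proxy environment settings so loopback traffic goes where we point it.
    return urllib.request.build_opener(urllib.request.ProxyHandler({}))


def _serve(handler):
    server = HTTPServer(("127.0.0.1", 0), handler)  # port 0: let the OS pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def run_demo():
    """Send one form post through the proxy and return what the server actually received."""
    upstream = _serve(EchoUpstream)
    InterceptingProxy.upstream = f"http://127.0.0.1:{upstream.server_port}"
    proxy = _serve(InterceptingProxy)
    FORM_REWRITES["qty"] = "99"  # constructed rule: change a form field while it is in transit
    try:
        req = urllib.request.Request(
            f"http://127.0.0.1:{proxy.server_port}/checkout",
            data=b"item=book&qty=1", method="POST")
        req.add_header("Cookie", "session=abc123")
        with _direct_opener().open(req) as resp:
            return resp.read().decode()
    finally:
        proxy.shutdown()
        upstream.shutdown()


if __name__ == "__main__":
    print(run_demo())        # the server saw qty=99, although the client sent qty=1
    print(INTERCEPT_LOG[0])  # the fields and cookies exactly as the client sent them
```

Both servers bind to port 0 so the demo runs without configuration; run_demo() returns the echoed request so the difference between what the client sent (kept in INTERCEPT_LOG) and what the server received is visible side by side. Real proxies add TLS interception for HTTPS, which this loopback example leaves out.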

Paros Proxy - Interface

Paros Proxy - Options Dialog

Paros Proxy - Reporting

W3AF by OWASP

Web application attack and audit framework

W3af - Web application attack and audit framework

W3af - Web application attack and audit framework

W3af - Exploit

IBM Rational App Scan

Commercial Scanning Tool

IBM Rational App Scan Interface

Online Risk Mitigation and Compliance Solutions

Scan Configuration – URL and server

Scan Configuration – Login Management

Scan Configuration – Test Policy

Scan Configuration – Complete

Reporting Industry Standard

Reporting Industry Standard

Web Inspect

Commercial Scanning Tool

Scan mode

Audit Policy

Requester Thread

HTTP Parsing

Report Type

Summary

Over 90% of ecommerce PCI breaches are from application flaws

Application security is not a percentage game. One missed flaw is all it takes

Vulnerabilities can come from more than one avenue:
Acquisitions
Old or dead code
Third-party libraries