®

IBM Software Group

© 2007 IBM Corporation

Performing a Web Application Security Assessment

2

Coordinate the Time of the AuditSet up a time window with the application ownerInform your security teamInform Web Operations (WebOps)

3

Scanning EnvironmentAn automated security scan could potentially affect your application

Overload the web and application serversCause denial of serviceInsert junk data, e.g. post messages on a message board, send multiple e-mails, etc.

It preferable to scan applications in pre-productionScan applications in production with caution

4

Get to Know the Site Site Model

What would be a good starting point? Are there links to more than one host?Are there parts of the site that should be excluded from the scan?Is execution of JavaScript used for application flow?Does your site contain FLASH?Are there pages that require special user input?

AuthenticationWhat type of authentication does your web application use?Does your system allow concurrent logins?Does your authentication system disable your user account after x number of invalid login attempts?

5

Configuring and Running a Scan – Quick Scan UIMakes creating a scan simplerScan is based on a predefined templateUser typically specifies

Starting URLLogin sequencePages to Scan (Manual Explore)

6

Creating a Scan Walkthrough

7

Creating a Scan – Specify Name and Template Specify NameSpecify TemplateClick Create

8

Creating a Scan – Recording a Login SequenceClick RecordAllows ASE to authenticate to the application

9

Creating a Scan – Recording a Login Sequence (cont.)ASE BrowserLogin to your app/siteClick the Stopbutton or close the browser

10

Creating a Scan – Specifying a Starting URLStarting point of the scan

11

Creating a Scan – Manual ExploreBrowse the application manually

Click on linksInput data

The easiest way to define scan scopeUse when scanning specific pages / functional path

12

Creating a Scan – Running the ScanClick Save and Run

13

Viewing Scan ProgressStatus IconClick on Stats

14

Scan StatisticsKey counters

Elapsed timePages foundPages scannedSecurity entities foundSecurity entities testedSecurity issue variantsSecurity tests sent

Link to Log enabled if problems occurred

15

Viewing ResultsStatus must be ReadyClick on scan name

16

Working with ReportsReport Pack SummaryReport list depends on templateKey reports

Security IssuesRemediation TasksPagesBroken Links

Click on report name to view

17

Working with Reports – Setting Up Your ViewGroupShowSearchLayout

18

Working with Reports – Viewing Issue DetailsClick on Issuenumber

19

Working with Reports – AdvisoryExplanation of the vulnerabilityWASC Threat ClassificationSecurity RiskPossible CauseTechnical DescriptionProducts AffectedReferences and Relevant Links

20

Working with Reports – Fix RecommendationHow do you fix the problem?General DescriptionASP .NET Fix RecommendationJ2EE Fix RecommendationPHP Recommendation

21

Working with Reports – Request / ResponseIssue variantsDifference (hyperlink)Reasoning (hyperlink)Test HTTP TrafficOriginal HTTP Traffic

22

Working with Reports – Issue ManagementMarking issue status

In ProgressNoiseFixedPassedOpen

23

Reviewing Test Results – StepsNote:

Test results MUST be reviewed for false positivesStart with the high priority items

1. Click on the Issue Number link2. Read the Advisory3. Review the Request / Response Tab

a) Look at the reasoning highlighted text in the Test HTTP response

b) If you are not convinced that this is a vulnerability1. Look at the difference2. Try to understand what the test is doing (go back to the advisory)3. Look at the test response4. Look at the original traffic – make sure it is valid (esp. was the page in

session)

24

Reviewing Test ResultsFalse PositivesFalse Negatives

25

Lab: Setting up and Running a Scan 1. Create a scan for http://demo.testfire.net2. Use Manual Explore test policy3. Run the scan4. View your reports5. Set up your report view6. Examine a vulnerability of each of the following

types:a) XSSb) SQL Injectionc) SQL Injection on the login page

7. Classify the issues

26

Advanced Scan Options ExplainedServers and Domains / URL NormalizationDynamic ComponentsCustom Error PagesAutomatic Form FillConnection SettingsNetwork ConnectionSchedulingLog Settings