
SANDCAT

THE WEB APPLICATION SECURITY ASSESSMENT SUITE

WHAT IS SANDCAT?

Sandcat® is a hybrid, multi-language web application security assessment suite: a software suite that simulates web-based attacks. Sandcat proactively guards an organization's web infrastructure against web application security threats, finding existing vulnerabilities before attackers do.

Today's Sandcat hybrid capabilities allow organizations to:

- Pen-test websites, scanning live web applications for multiple classes of vulnerabilities, an approach known as black-box testing, which matches the attacker's perspective.

- Scan the source of web applications for the same classes of vulnerabilities, an internal code review (also known as white-box testing).

- Combine both approaches, performing what is known as hybrid analysis (or grey-box testing).

VULNERABILITY COVERAGE

Sandcat's extensive vulnerability coverage is the result of years of research: a total of 29 thousand web vulnerabilities were researched by Syhunt. Sandcat currently performs:

- Over 460 remote web application security checks in over 24 categories of web attacks, including:
  o XSS (Cross-Site Scripting), SQL Injection, File Inclusion, Command Execution, etc.
  o OWASP's Top Ten Most Critical Web Application Security Vulnerabilities & PHP Top 5 Vulnerabilities

- Over 300 source checks, covering several types of web security attacks

- Thousands of additional remote checks for vulnerabilities affecting specific web applications/servers (example: StatPressCN Plugin for WordPress wp-admin/admin.php Multiple Parameter XSS, CVE-2011-0641)

MAIN COMPONENTS

Remote Scanner

- Performs deep web crawling (spidering), automatically mapping an entire web site structure and running injection and directory brute-force checks
- Includes an HTML5-aware spider and JavaScript emulation capabilities
- Scans any type of web application

Source Scanner

- Scans the source code of web applications written in PHP, JSP & ASP.NET/Classic ASP for vulnerabilities
- Identifies key areas of the code, such as key HTML tags, AJAX/JavaScript, entry points and interesting keywords

Some of the key technologies supported by Sandcat


- Concurrency/Scan Queue Support - Multiple security scans can be queued and the number of threads can be adjusted.

- Deep Crawling - Runs security tests against web pages discovered by crawling a single URL or a set of URLs provided by the user.

- Advanced Injection - Maps the entire web site structure (all links, forms, XHR requests and other entry points) and tries to find custom, unique vulnerabilities by simulating a wide range of attacks, sending thousands of requests (mostly GET and POST). Tests for SQL Injection, XSS, File Inclusion and many other web application vulnerability classes.

- Browser Emulation - Handles complex, large web sites and automatically adapts to different web environments and technologies.

- CVE & CWE-Compatible - Sandcat fully supports CVE & CWE. It is on the list of CVE-compatible products and services maintained by the MITRE Corporation, which created the standard.

- Local or Remote Storage - Scan results are saved locally (on disk) or remotely (on the Sandcat web server). Results can be converted at any time to HTML or multiple other available formats.

- IPv6-Compatible - Allows scanning of IPv6 addresses.

In addition to its GUI (Graphical User Interface) functionality, Sandcat offers an easy-to-use command-line interface and a web interface.

REPORT GENERATION

Sandcat comes with the ability to generate a report containing details about the vulnerabilities. After examining the application's response to the attacks, if the target URL is found vulnerable, it is added to the report. Sandcat's reports also contain charts, statistics and compliance information. Syhunt offers a set of report templates tailored for different audiences. A Sandcat report usually includes:

- Full vulnerability information and references - CVE, NVD, CWE, Bugtraq & OSVDB

- Compliance information - such as OWASP Top 10, PHP Top 5, CWE/SANS Top 25, Payment Card Industry (PCI), etc.

Currently, Sandcat is able to generate reports and export data in several formats, including HTML, PDF, XML, Text, CSV, RTF, XLS, DOC & NBE, or your own custom format. Sandcat also includes the ability to automatically email reports after a scan is completed.

ADDITIONAL COMPONENTS

- Sandcat Browser - The first pen-test oriented web browser with extensions support

- Log Analyzer - Scans HTTP logs created by web servers for intrusion attempts

- Hardener - Scans Apache and PHP configuration files for weak security settings

- Gelo - A Lua extension library that aims to simplify and accelerate the development of exploit-oriented tools. Gelo is currently being used to build extensions in Sandcat.
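As an added example (not Syhunt's Log Analyzer code), the following Python script shows the kind of check a log analyzer performs: it parses Apache combined-format access log lines, percent-decodes each request target once so encoded payloads are seen the way the application sees them, matches the result against a small signature set for SQL injection, XSS, path traversal and backup-file probing, and counts flagged requests per client address. The log lines and the signature list are constructed for the example; the signatures are illustrative, not Syhunt's rule set.

```python
"""Minimal HTTP access-log analyzer: flags request lines that match
signatures for common web attacks and summarises hits per client IP.
Added example, not Syhunt's Log Analyzer."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format (not from any real server).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2021:10:15:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:10:15:02 +0000] "GET /index.php?id=1%27%20OR%201%3D1-- HTTP/1.1" 500 312 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2021:10:15:05 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 4100 "-" "curl/7.68.0"
198.51.100.23 - - [10/Mar/2021:10:15:06 +0000] "GET /../../../../etc/passwd HTTP/1.1" 404 210 "-" "curl/7.68.0"
192.0.2.44 - - [10/Mar/2021:10:15:09 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2021:10:15:10 +0000] "GET /config.php.bak HTTP/1.1" 403 150 "-" "Mozilla/5.0"
"""

# Fields of the combined log format that the analysis needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Illustrative signature set (chosen for this example), applied to the
# percent-decoded path+query so encoded payloads do not slip past it.
SIGNATURES = [
    ("sql_injection", re.compile(r"(?i)'\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select")),
    ("xss", re.compile(r"(?i)<script|javascript:|onerror\s*=")),
    ("path_traversal", re.compile(r"(?i)\.\./|%2e%2e/")),
    ("backup_file", re.compile(r"(?i)\.(bak|old|orig|swp)$|~$")),
]


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    # Decode exactly once: signatures see the payload the way the application would.
    fields["decoded_path"] = unquote(fields["path"])
    return fields


def classify(decoded_path):
    """Names of every signature that matches the decoded request target."""
    return [name for name, rx in SIGNATURES if rx.search(decoded_path)]


def analyze(log_text):
    """Return one finding per suspicious request line, in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        if fields is None:
            continue  # unparseable line; a real tool would count and report these
        tags = classify(fields["decoded_path"])
        if tags:
            findings.append({
                "ip": fields["ip"], "ts": fields["ts"], "method": fields["method"],
                "path": fields["path"], "status": fields["status"], "tags": tags,
            })
    return findings


def hits_per_ip(findings):
    """Number of flagged requests per client address."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        print(f"{f['ip']:<15} {f['status']} {','.join(f['tags']):<15} {f['path']}")
    print(hits_per_ip(found).most_common())
```

The status code travels with each finding on purpose: a flagged request that returned 500 (the constructed SQL injection probe above) or 200 deserves a different priority from one the server already refused with 403 or 404.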

Sandcat Console (Mini Edition) running under Windows 7

Reports generated by Sandcat Pro can include full vulnerability info, charts and more.


THE WAVSEP COMPARISON

Sandcat was included in the WAVSEP independent web application scanner accuracy tests produced by Shay Chen, an application security consultant. The WAVSEP (Web Application Vulnerability Scanner Evaluation Project) comparison is the most comprehensive ever made (a total of 43 tools were included). Previous comparisons in the field were unable to cover free and open source scanners. The WAVSEP results were published in December 2010.

How did Sandcat go?

Cross-Site Scripting (XSS)

Sandcat scored a near 100 percent XSS detection rate, detecting:

- 100% (33 of 33) of the GET-based XSS vulnerabilities
- 96% (32 of 33) of the POST-based XSS vulnerabilities

Other black-box scanning tools covered in the tests scored below 63% (missing almost 40% of the vulnerabilities). Many, including popular open source tools, scored near or below 30%.

SQL Injection (SQLi)

Sandcat scored a 100 percent error-based SQL Injection detection rate. Sandcat also excelled at identifying an additional large set of 80 error-based SQL Injection vulnerabilities (detecting 100% of the vulnerabilities, both GET-based and POST-based).

Sandcat scored such high detection rates while running at half its capabilities: its white-box (source) scanning capabilities were not covered in the tests.

Note: The WAVSEP project environment, containing hundreds of scenarios/vulnerable web pages used to produce the tests, was made available as open source to the information security community through the Google Code website at http://code.google.com/p/wavsep/.


SANDCAT SCANNER CHECKS

APPLICATION CHECKS (REMOTE / BLACK-BOX)

Sandcat includes checks for an extremely wide array of different web application security threats, as shown below.

- Backup Files
- Common Exposures
  o Dangerous Methods
  o Default Content
  o Internal IP Address Disclosure
- Common Files and Folders
- Common Vulnerable Scripts
  o ASP & ASP.NET
  o PHP
  o JSP
  o Perl
- Email Form Hijacking
- Old/Backup Files
  o Common Backup Folders & Files
- Outdated Server Software
- Path Disclosure
- Source Code Disclosure
- Suspicious HTML Comments
- Unencrypted Login
- Web-Based Backdoors
- Compliance
  o OWASP Top 10
  o PHP Top 5
  o CWE/SANS Top 25
  o WASC Threat Classification
- Fault Injection (see below)
  o Parameter Tampering
  o Form Field Manipulation

Fault Injection Checks

- Buffer Overflow
- Cookie Manipulation
- Command Execution
- CRLF Injection
- Cross Frame Scripting
- Cross-Site Scripting (XSS)
  o XSS Filter Evasion
- Default Account
- Directory Listing
- Directory Traversal
- File Inclusion (Local & Remote)
- Information Disclosure
- LDAP Injection
- MX Injection
- Password Disclosure
- Path Disclosure
- PHP Code Injection
- Server-Specific Vulnerabilities
  o IIS
  o iPlanet
  o Others
- Source Code Disclosure
- SQL Injection (Error-Based & Blind)
  o Access
  o DB2
  o Firebird/InterBase
  o Informix
  o MySQL
  o Oracle
  o PostgreSQL
  o SQL Server
  o SQLite
  o Sybase
  o Others
- XPath Injection
- Miscellaneous


APPLICATION CHECKS (SOURCE / WHITE-BOX)

Sandcat now also includes the ability to scan the source code of your web applications for multiple classes of application vulnerabilities.

- Arbitrary File Manipulation
- Command Execution
- Cross-Site Scripting (XSS)
- File Inclusion (Local & Remote)
- HTTP Response Splitting
- SQL Injection (Error-Based & Blind)
  o DB2 & dbx
  o Firebird/InterBase
  o FrontBase
  o Informix
  o Ingres
  o MaxDB
  o mSQL
  o MySQL
  o Oracle
  o Ovrimos
  o PostgreSQL
  o SQL Server & SQLite
  o Swish & Sybase
- Weak Validation
- Key HTML Tags
- Key AJAX / JavaScript
- Entry Points - User Input
- Entry Points - Indirect User Input
- Interesting Keywords
- Compliance
  o OWASP PHP Top 5
- Configuration Hardening
  o Apache
  o PHP

Supports ASP*/ASP.NET*, PHP & JSP*.

(*) indicates initial or beta support
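The Configuration Hardening checks above and the Hardener component both scan PHP and Apache configuration for weak settings. As an added example (not Syhunt's Hardener code), the following Python script audits a php.ini against a small hardening baseline and shows a weak configuration beside its corrected form. The directive list, the "built-in default" values applied when a directive is absent, and both sample configurations are the example's own assumptions, not Syhunt's rule set.

```python
"""php.ini hardening audit: flags directives whose value (or absence) leaves a
weak setting. Added example, not Syhunt's Hardener; the baseline below is the
example's own choice of directives and expected values."""


def parse_php_ini(text):
    """Parse php.ini-style text into {directive: value}. ';' comments, blank lines
    and [section] headers are skipped; a later assignment overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def as_bool(value):
    """The spellings PHP accepts as 'true' for ini booleans."""
    return value.strip().lower() in ("1", "on", "true", "yes")


# (directive, kind, expected, assumed built-in default when unset, why it matters)
# "bool" rules compare the boolean value; "nonempty" rules require that a value is set.
RULES = [
    ("display_errors", "bool", False, "1", "error output leaks paths, queries and stack traces to clients"),
    ("expose_php", "bool", False, "1", "X-Powered-By header advertises the PHP version"),
    ("allow_url_fopen", "bool", False, "1", "file functions may fetch remote URLs"),
    ("allow_url_include", "bool", False, "0", "include/require of remote URLs enables remote file inclusion"),
    ("register_globals", "bool", False, "0", "request parameters become globals (removed in PHP 5.4)"),
    ("open_basedir", "nonempty", None, "", "no restriction on which directories PHP may read"),
    ("disable_functions", "nonempty", None, "", "no dangerous functions are disabled"),
    ("session.cookie_httponly", "bool", True, "0", "session cookie readable from JavaScript"),
    ("session.cookie_secure", "bool", True, "0", "session cookie also sent over plain HTTP"),
]


def audit_php_ini(text):
    """Return one finding per rule the configuration fails, in RULES order."""
    settings = parse_php_ini(text)
    findings = []
    for name, kind, expected, default, why in RULES:
        present = name in settings
        current = settings[name] if present else default  # absent => PHP's default applies
        ok = (as_bool(current) == expected) if kind == "bool" else bool(current)
        if not ok:
            findings.append({
                "directive": name,
                "current": current if present else f"(unset, default {default!r})",
                "expected": ("On" if expected else "Off") if kind == "bool" else "a non-empty value",
                "why": why,
            })
    return findings


# Constructed weak configuration (not from any real host).
WEAK_INI = """\
[PHP]
; constructed sample
engine = On
display_errors = On
expose_php = On
allow_url_fopen = On
allow_url_include = Off
register_globals = Off
open_basedir =
disable_functions =
session.cookie_httponly = 1
session.cookie_secure = 0
"""

# The same file after hardening; every rule above passes.
HARDENED_INI = """\
[PHP]
display_errors = Off
expose_php = Off
allow_url_fopen = Off
allow_url_include = Off
register_globals = Off
open_basedir = /var/www/html:/tmp
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
session.cookie_httponly = 1
session.cookie_secure = 1
"""

if __name__ == "__main__":
    for f in audit_php_ini(WEAK_INI):
        print(f"{f['directive']}: {f['current']} (expected {f['expected']}): {f['why']}")
    print("hardened findings:", audit_php_ini(HARDENED_INI))
```

Absent directives are audited against an assumed default rather than skipped, because a php.ini that simply omits display_errors or session.cookie_secure is as weak as one that sets them badly; a checker that only inspects lines present in the file misses that case.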

SERVER CHECKS (REMOTE / BLACK-BOX)

Checks for vulnerabilities affecting known web applications and servers

- Admin Pages
- CGI, CGI-Bin & CGI-Local Folders
- CGI-Sys
- CGI Scripts
- Common Files and Folders
- Common Server Vulnerabilities
  o Cisco IOS
  o ColdFusion
  o Domino & NSF
  o IIS
  o NCSA
  o FrontPage / FrontPage CGI
  o Other Servers & Add-Ons
- Common Vulnerable Scripts
  o ASP & ASP.NET
  o PHP
  o JSP
  o Perl (PL)
- Compliance
  o CWE/SANS Top 25
  o WASC Threat Classification
- Database Disclosure
- Denial-of-Service
- IDS Testing
- Old/Backup Files
  o Common Backup Folders & Files
- Outdated Server Software
- Web-Based Backdoors


MULTI-LAYER DEFENSE EVASION

Multi-Layer Defense Evasion is the ability of Sandcat to combine multiple techniques aimed at a wide array of security mechanisms in order to perform stealthy tests. Today's Sandcat defense evasion feature set includes:

- Anti-XSS filter evasion - Bypasses regular expression filters used against XSS.

- UTF8-Decode - Ability to take advantage of UTF8-Decode problems to evade filters when performing injection checks.

- Signature-based web honeypot & application firewall detection

- Common IDS evasion techniques (over 10 techniques)

- Multiple WAF and IDS evasion techniques, targeting specifically:
  o mod_security
  o PHP-IDS

OWASP TOP 10 CHECKS

The OWASP Top Ten is a list of vulnerabilities that require immediate remediation. Existing code should be checked for these vulnerabilities immediately, as these flaws are being actively targeted by attackers. The OWASP Foundation encourages companies to adopt the OWASP Top Ten as a minimum standard for securing web applications.

SANS TOP 20 CHECKS

The SANS Top 20 includes step-by-step instructions and pointers to additional information useful for correcting the security flaws. The SANS Institute updates the list and the instructions as more critical threats and more current or convenient methods of protection are identified. It is a community consensus document.

COMPLIANCE

Sandcat helps organizations address the most pressing compliance issues, such as:

- Health Insurance Portability and Accountability Act (HIPAA): The Sandcat solution allows healthcare organizations to assess web applications and portals to identify areas of possible vulnerability to data disclosure, denial-of-service attacks or system compromise.

- Gramm-Leach-Bliley (GLBA) / Payment Card Industry (PCI) Data Security Standard / CA-SB1: Financial organizations can harden home banking, customer service, e-commerce and other web-based applications and deployments.

- Sarbanes-Oxley: Executive management systems can be assessed and data integrity risks can be mitigated through the use of Sandcat against web-based interfaces.
