How To Write A Web Application Vulnerability Scanner And Security Auditor



WAPITI


Agenda

Why is security necessary?

Why do things happen?

Types of Security

OWASP Top 10

Vulnerability detection

Wapiti


Why is security necessary?

Data is a valuable asset for a company.

An attack could cause the loss of several thousands (or millions) of Euros.

An attack could damage the corporate image of a company.

Why do things happen?

“Bad things happen to other people”

Lazy system administrators

Fast developments focused on functionality

Ignorance of security

Types of Security

Physical security

Network security

Server security

Application security

OWASP Top 10

1. Cross Site Scripting (XSS)

2. Injection Flaws (SQL Injection included)

3. Malicious File Execution

4. Insecure Direct Object Reference

5. Cross Site Request Forgery (CSRF)

6. Information Leakage and Improper Error Handling

7. Broken Authentication and Session Management

8. Insecure Cryptographic Storage

9. Insecure Communications

10. Failure to Restrict URL Access


XSS

Inject client-side code into web pages

Typically JavaScript code

Types of XSS attacks:
• Non-persistent
• Persistent

Examples:
• http://page.com?foo_var=<SCRIPT>alert("Cookie"+document.cookie)</SCRIPT>
• <SCRIPT>alert("Cookie"+document.cookie)</SCRIPT>
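As an added illustration (not code from the slides or from the Wapiti project), the Python below shows the non-persistent case from the first example: a handler that echoes the foo_var query parameter into the page unencoded, beside the same handler with output encoding through html.escape, plus the check a scanner or test would run on the response body. The URL, handler names and page text are constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed request URL carrying the slide's payload in the foo_var parameter.
SAMPLE_URL = 'http://page.com/?foo_var=<SCRIPT>alert(document.cookie)</SCRIPT>'


def param(url, name):
    """Return the first value of query parameter `name`, or '' if absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url):
    # Non-persistent XSS: untrusted input is placed straight into the HTML,
    # so the browser parses the injected <SCRIPT> element as page code.
    return "<p>Hello %s</p>" % param(url, "foo_var")


def render_hardened(url):
    # Output encoding: <, >, & and quotes become entities, so the same input
    # is displayed as text instead of being interpreted as markup.
    return "<p>Hello %s</p>" % html.escape(param(url, "foo_var"), quote=True)


def contains_script_element(page):
    """Detection check a scanner (or a unit test) can run on a response body."""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_vulnerable(SAMPLE_URL))   # injected tag reaches the browser
    print(render_hardened(SAMPLE_URL))     # shown as &lt;SCRIPT&gt;...
```

The hardened handler does not try to recognise "bad" input; it encodes every value at the point where it is written into HTML, which is what removes the reflected vector regardless of payload.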


SQL Injection

Inject code from the client-side that is executed in the database layer.

Example:

• Query:
  SELECT * FROM Users WHERE Username='$username' AND Password='$password'

• Input:
  $username = 1' or '1' = '1
  $password = 1' or '1' = '1

• Result:
  SELECT * FROM Users WHERE Username='1' OR '1' = '1' AND Password='1' OR '1' = '1'
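Added example (not from the slides or the Wapiti project): the slide's login query run two ways against an in-memory SQLite table, first built by string interpolation as on the slide, then with bound parameters. The table contents and account are constructed for the example. With the interpolated query the input 1' or '1' = '1 logs in without knowing any password; with placeholders the quote is just data and the same input is rejected.

```python
import sqlite3


def make_db():
    # Constructed sample data: one legitimate account.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    con.execute("INSERT INTO Users VALUES ('alice', 's3cret')")
    return con


def login_vulnerable(con, username, password):
    # The slide's query assembled by interpolation: attacker input becomes SQL.
    # With the payload below the WHERE clause is true for every row.
    query = ("SELECT * FROM Users WHERE Username='%s' AND Password='%s'"
             % (username, password))
    return con.execute(query).fetchone() is not None


def login_parameterized(con, username, password):
    # Placeholders: the driver passes the values separately from the SQL text,
    # so quotes inside the input never change the statement's structure.
    query = "SELECT * FROM Users WHERE Username=? AND Password=?"
    return con.execute(query, (username, password)).fetchone() is not None


def demo():
    con = make_db()
    payload = "1' or '1' = '1"   # the input from the slide
    return {
        "vulnerable_valid": login_vulnerable(con, "alice", "s3cret"),
        "vulnerable_payload": login_vulnerable(con, payload, payload),
        "parameterized_valid": login_parameterized(con, "alice", "s3cret"),
        "parameterized_payload": login_parameterized(con, payload, payload),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, "-> logged in" if ok else "-> rejected")
```

Because AND binds tighter than OR, the interpolated statement reads as Username='1' OR ('1'='1' AND Password='1') OR '1'='1', and the final OR makes it true for every row, which is why the first row (alice) is returned.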

Vulnerability detection

Three types of techniques:
• Black-box Testing
  • External attacker approach
• White-box Testing
  • Dynamic and static code analysis
• Grey-box Testing
  • Mixed approach


Wapiti

Web application vulnerability scanner and Security auditor


Project created in 2006 by Nicolas Surribas

Contributions from Gesfor since 2008

Written in Python

Black-box testing approach

Technique used: Fuzz testing

Vulnerabilities that are detected:

• XSS (persistent and non-persistent)

• SQL Injection (and Blind SQL Injection)

• CRLF Injection

• Command Execution detection


Fuzz Testing (Steps)

1: Attack vector detection
• Links
• Forms

2: Attack
• Injection of malicious strings in order to discover existing vulnerabilities (optimized)

3: Response analysis
• Errors, injected strings...
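The three steps above, as an added example in Python (the language Wapiti is written in); this is illustration code, not Wapiti's own. Step 1 pulls links and forms out of a page with the standard html.parser, step 2 sends a harmless canary string in each parameter in turn, and step 3 looks at the responses for two signals: the canary echoed back unencoded (the reflected-XSS indicator) and a database error message (the SQL injection indicator). The sample page, the fake_fetch stand-in for an HTTP client and the two flawed handlers it simulates are all constructed so the example runs offline.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Harmless canary: recognisable in a response, and its quote breaks a quoted
# SQL literal, which is enough to surface an error from a flawed handler.
MARKER = "wapiti'canary7f3a"


# Step 1: attack vector detection -------------------------------------------
class VectorParser(HTMLParser):
    """Collects <a href> targets and <form> actions with their input names."""

    def __init__(self):
        super().__init__()
        self.links, self.forms, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = {"url": a.get("action", ""),
                          "method": (a.get("method") or "get").lower(),
                          "params": []}
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form["params"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def find_vectors(page):
    """One vector per link that carries parameters, plus one per form."""
    parser = VectorParser()
    parser.feed(page)
    vectors = []
    for href in parser.links:
        parts = urlsplit(href)
        names = [k for k, _ in parse_qsl(parts.query)]
        if names:  # a link without parameters offers nothing to inject into
            vectors.append({"url": urlunsplit(parts._replace(query="")),
                            "method": "get", "params": names})
    return vectors + parser.forms


# Step 2: attack --------------------------------------------------------------
def inject(vectors, fetch):
    """Send MARKER in each parameter in turn; keep each response for step 3."""
    results = []
    for v in vectors:
        for name in v["params"]:
            data = {n: (MARKER if n == name else "x") for n in v["params"]}
            results.append((v["url"], name, fetch(v["url"], v["method"], data)))
    return results


# Step 3: response analysis ---------------------------------------------------
SQL_ERROR = re.compile(r"error in your sql syntax|unterminated quoted string|"
                       r"sqlite3\.operationalerror", re.I)


def analyse(results):
    findings = []
    for url, name, body in results:
        if MARKER in body:           # input echoed back unencoded
            findings.append(("reflected input (possible XSS)", url, name))
        if SQL_ERROR.search(body):   # DB error leaked by the injected quote
            findings.append(("database error (possible SQL injection)", url, name))
    return findings


def scan(page, fetch):
    return analyse(inject(find_vectors(page), fetch))


# Constructed stand-ins so the example runs offline (Wapiti itself uses httplib2).
SAMPLE_PAGE = """<html><body>
<a href="/search?q=test">Search</a> <a href="/about">About</a>
<form action="/login" method="post">
  <input name="user"><input name="pass"><input type="submit" value="Go">
</form></body></html>"""


def fake_fetch(url, method, data):
    """Simulates two flawed handlers: /search echoes q, /login leaks DB errors."""
    if url == "/search":
        return "<p>Results for %s</p>" % data["q"]
    if url == "/login" and "'" in data["user"]:
        return "Warning: You have an error in your SQL syntax"
    return "<p>Nothing to see</p>"


if __name__ == "__main__":
    for finding in scan(SAMPLE_PAGE, fake_fetch):
        print(finding)
```

The error-signature list in step 3 is the same kind of list a response-filtering proxy or log monitor uses to notice that an application is leaking database errors; the scanner simply triggers the condition deliberately and on purpose against its own targets.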

Wapiti: First step (Attack vector detection)

Goal: discover attack vectors

• Forms and links

Using the httplib2 library (instead of urllib2)

• More efficient

• http://code.google.com/p/httplib2


Found issues I:

• HTTP Authentication:

• Solution: Auth option: -a <login%password>

• Session Cookies:

• Solution: Cookie option: -c <cookie_file>

• Wapiti includes a tool that is able to create Cookie files


Found issues II:

• Infinite link navigation (“Calendar” problem)

• Solution: Nice option: -n <limit>

• http://www.server.com/p?a=x&b=1&c=x

• http://www.server.com/p?a=x&b=2&c=x

• http://www.server.com/p?a=x&b=2&c=y
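Added example (not Wapiti's code) of how a crawler can bound the "Calendar" problem. The assumption here, which the slide does not spell out, is that two URLs have the same pattern when they share scheme, host, path and parameter names, whatever the values; the three URLs on the slide then collapse to one pattern, and a per-pattern limit stops the crawler after a few pages of a site that links every day to the next. The calendar site and its link generator are constructed for the example.

```python
from urllib.parse import parse_qsl, urlsplit


def url_pattern(url):
    """Key that ignores parameter values: scheme, host, path, sorted param names.
    Assumption for this example: this is what 'the same pattern' means for -n."""
    parts = urlsplit(url)
    names = tuple(sorted(k for k, _ in parse_qsl(parts.query, keep_blank_values=True)))
    return (parts.scheme, parts.netloc, parts.path, names)


class NiceCrawler:
    """Breadth-first crawler that visits at most `limit` URLs per pattern."""

    def __init__(self, limit):
        self.limit = limit
        self.per_pattern = {}
        self.visited = []

    def allowed(self, url):
        key = url_pattern(url)
        seen = self.per_pattern.get(key, 0)
        if seen >= self.limit:
            return False           # calendar-style loop: stop following it
        self.per_pattern[key] = seen + 1
        return True

    def crawl(self, start, get_links):
        queue = [start]
        while queue:
            url = queue.pop(0)
            if url in self.visited or not self.allowed(url):
                continue
            self.visited.append(url)
            queue.extend(get_links(url))
        return self.visited


# Constructed site: every calendar page links to the next day, forever.
def calendar_links(url):
    day = int(dict(parse_qsl(urlsplit(url).query))["day"])
    return ["http://cal.example/cal?day=%d" % (day + 1)]


SLIDE_URLS = ["http://www.server.com/p?a=x&b=1&c=x",
              "http://www.server.com/p?a=x&b=2&c=x",
              "http://www.server.com/p?a=x&b=2&c=y"]

if __name__ == "__main__":
    print(len({url_pattern(u) for u in SLIDE_URLS}))   # one pattern, three URLs
    print(NiceCrawler(limit=3).crawl("http://cal.example/cal?day=1", calendar_links))
```

The cost of the limit is the second limitation on the next slide: pages whose only difference is a parameter value beyond the limit are never fetched, so the limit trades completeness for a scan that terminates.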


Limitations:

• JavaScript links (Wapiti does not execute JavaScript code => these links are not followed)

• Pages with the same URL without parameters (Interpreted as the same page)

• It is not able to discover the “Deep Web”

Inherent limitations of the Web Crawler approach

Wapiti: Second step (Attack)

Attacks on the vectors identified in the first step.

• Injection of malicious strings in order to discover existing vulnerabilities (optimized)


Wapiti: Third step (Response analysis)

Existing vulnerabilities are discovered by analysing the errors and responses obtained for the injected strings.


Disadvantages:

• Wapiti is not able to find all the vulnerabilities

Advantages of this technique:

• Fast testing

• User does not need security knowledge

• Wapiti discovers the most common vulnerabilities (according to the OWASP Top Ten)

• New attacks can be added in an easy way


More than 30,000 downloads from sourceforge.net

Ranked 1,588 in the SourceForge ranking (162,419 projects in total)

Included as OWASP project

Included in the most important Security Linux distributions.

BackTrack, OWASP Live CD ...


Wapiti: Contributions from Gesfor

Version 2.0:
• Generation of reports
• Refactoring to an Object Oriented approach
• Extensibility of payloads
• “Nice” option
• Extensive documentation
• New Wapiti portal
• J2EE version
• Online demo
• XSS improvements

Version 2.1:
• More efficient (using httplib2 library)
• Blind SQL Injection attacks
• Cookie file creation tool
• XSS improvements

Version 2.2:
• Scope option
• Temporary files


Wapiti: Website

• Features of each version
• Download
• Wiki (Introduction, Getting started, User guides, FAQ)
• Roadmap
• Videos...


Roadmap 2009/2010


Version 2.3 (in progress). Improvements:

• SQL injection

• Threading attacks

• Cookies management


A Group with 25 years of experience

Leading, recognized company in the field of Information Technology:

• Spanish multinational capital

• In the IT and HR sectors

• Technological consulting, systems integration, outsourcing, HR consulting and training

• Over 2,000 professionals

• Wide presence in 20 countries

• More than 300 large customers from all sectors

• More than 25 R&D projects a year at European, national and local levels

• Commitment towards Quality and Excellence


A group without boundaries

GRUPO GESFOR

HH.RR. & IT Global Provider

www.gesfor.es

http://innovacion.grupogesfor.com
