1 / 17

Web Application Vulnerability S canner oss tools investigation

Web Application Vulnerability S canner oss tools investigation . Outline . Dissertation proposal List of Freeware & Open source WAS WAVS decide to choose Future plan. Dissertation proposal. Project goal : Provide a web application scan service for china university on Cernet Topology.

rianne
Télécharger la présentation

Web Application Vulnerability S canner oss tools investigation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Web Application VulnerabilityScanner oss tools investigation

  2. Outline • Dissertation proposal • List of Freeware & Open source WAS • WAVS decide to choose • Future plan

  3. Dissertation proposal Project goal: Provide a web application scan service for china university on Cernet Topology WAVS service provider cernet Register and authentication

  4. Web Applications Issues • Scripting issues • Sources of input: forms, text boxes, dialog windows, etc. • Multiple Charset Encodings (UTF-8, ISO-8859-15, UTF-7, etc.) • Regular expression checks • Header integrity (e.g. Multiple HTTP Content Length, HTTP Response Splitting) • Session handling/fixation • Cookies • Framework vulnerabities(Java Server Pages, .NET, Ruby On Rails, Django, etc.) • Success control: front door, back door vulnerability assessment • Penetration attempts versus failures NIST(national Cyber security Division)

  5. Technical vulnerabilities • Unvalidated input: • Tainted parameters - Parameters users in URLs, HTTP headers, and forms are often used to control and validate access to sentitive information. • Tainted data • Cross-Site Scripting flaws: • XSS takes advantage of a vulnerable web site to attack clients who visit that web site. The most frequent goal is to steal the credentials of users who visit the site. • Content Injection flaws: • Data injection • SQL injection - SQL injection allows commands to be executed directly against the database, allowing disclosure and modification of data in the database • XPath injection - XPath injection allows attacker to manipulate the data in the XML database • Command injection - OS and platform commands can often be used to give attackers access to data and escalate privileges on backend servers. • Process injection • Cross-site Request Forgeries NIST(national Cyber security Division)

  6. Architectural/LogicalVulnerabilities • Information leakage • Insufficient authentification • Password change form disclosing detailed errors • Session-idle deconstruction not consistent with policies • Spend deposit before deposit funds are validated NIST(national Cyber security Division)

  7. Other vulnerabilities • Debug mode • Thread Safety • Hidden Form Field Manipulation • Weak Session Cookies: Cookies are often used to transit sensitive credentials, and are often easily modified to escalate access or assume another user's identify. • Fail Open Authentication • Dangers of HTML Comments NIST(National Cyber security Division)

  8. Owasptop10 Risks • A1: Injection 注入威胁 • A2: Cross-Site Scripting (XSS) 跨站脚本 • A3: Broken Authentication and Session Management 失效的验证及会话管理 • A4: Insecure Direct Object References 不安全的直接对象引用 • A5: Cross-Site Request Forgery (CSRF) 跨站请求伪造 • A6: Security Misconfiguration 错误的安全配置 • A7: Insecure Cryptographic Storage 不安全的加密存储 • A8: Failure to Restrict URL Access 限制URL访问失败 • A9: Insufficient Transport Layer Protection 缺乏足够的传输层保护 • A10: Unvalidated Redirects and Forwards 未验证的重定向和跳转

  9. List of Freeware & Open source WAS comprehensive scanner • AcunetixWeb Vulnerability Scanner Free Edition • Arachni • NetsparkerCommunity Edition • Paros Proxy • W3AF (will replace wmap in metasploit ) • WebScarab • Grendel-Scan • Wapiti • Nikto • Webshag • Skipfish

  10. Specialized scanner • sqlmap(数据库挖掘) • XSSploit(跨站工具) • Powerfuzzer (a lot to be done )(模糊测试工具) • Inspathx(路径信息泄露漏洞挖掘工具)

  11. WAVS decide to choose

  12. arachni Arachni is a feature-full, modular, high-performance Ruby framework Support proxy authentication UI abstraction command line UI/WebUI XMLPRC Client/Dispatch server(Centraliseddeployment@mutiple clients& Prarllel scans) High performance asynchronous HTTP requsets Website Crawler HTML Parser Module Manangement Report Management

  13. Pros and cons Pros Module design (framwork support msf) Audit potential vulnerability (OWASP TOP10) Support web UI (Utilizing the Client - Dispatch-server XMLRPC architecture) Html Parser Cons not stable Web UI is under developing More module to be added

  14. skipfish Skipfish is an active web application security reconnaissance tool Written in pure c code • High risk flaws (potentially leading to system compromise) • Medium risk flaws (potentially leading to data compromise) • Low risk issues (limited impact or low specificity) skipfish tries to address some of the common problems 

  15. Pros and cons Pros High performance 500+ per second against targets , Multiplexing single-thread, Ease of use easy to configure Well-designed security checks Cons Do not support XMLPRC Client/Dispatch server A lot of features to be done Do not have a good UI

  16. Future plan • Know the principle of vulnerability(owasp top10) • Make a summarize paper about the ossWAVS • Participate in the arachni&skipfishproject learn to make some module to enhance the tool Further more use fuzz to explore web-application vulnerability

  17. From tielei 1) 如果以Activex这类插件为目标,我觉得和传统Fuzzing区别不大 (发现的漏洞 也以内存错误为主)。可能要识别这些插件的输入点,考虑插件的运行环境。2) 现在Web环境下,XSS、SQL Injection类型的漏洞,与传统C/C++环境下漏洞有 了很多不同。如果基于Fuzzing查找XSS、SQL Injection这类漏洞,就要特别考虑 脚本语言了。脚本语言的灵活性、字符串操作的普遍性都给漏洞挖掘带来很多挑战。3)现在web环境中一类比较常见漏洞是use-after-free类型。这类漏洞是由于浏览 器指针引用计数机制发生了错误。以Use- after-free为代表的漏洞,已经不仅仅是靠输入数据触发,而是由脚本解释执行触发。现有fuzzing工具比较 难发现这类漏洞。

More Related