d0a444fdf832c14afe41df83451afca3.ppt
- Number of slides: 12
A Scanner Sparkly: Web Application Proxy Editors and Scanners
Vulnerability Finders
• What is a scanner?
  – A tool used by security professionals to locate vulnerabilities present in IT infrastructure
• What skills are required to use or interpret a scanner?
  – Depends on many factors (i.e. your brain)
• What else do I need to know?
  – A lot about HTTP, HTML, JS, Ajax, and XSS (i.e. RTFM. Also see: "your brain")
Ways to find vulns
• Static analysis
  – Requires source code
    • Source code isn't that hard to get these days
  – Generates a lot of false positives
    • More false positives usually also means fewer false negatives
• Dynamic analysis
  – Can find things that static analysis can't (runtime configuration, deployed components, behaviour that only appears with real inputs)
  – Also generates a lot of false positives
False what?
• False negative
  – Failure of a tool to report a weakness, where in fact there is one present in the code
• False positive
  – Reporting of a vulnerability by a tool, when there is none
• Vulnerability
  – A property of system security requirements, design, implementation, or operation that could be accidentally triggered or intentionally exploited and result in a security failure
* Taken from the WASC Glossary (http://webappsec.org/projects/glossary)
What method / what tool?
• Static analysis done with Fortify SCA (or a similar tool) by experienced engineers who wrote, helped write, or are re-architecting an application or set of applications
• Dynamic analysis done by an internal or external vulnerability assessment team using custom-written tools built to expose the largest number of vulnerabilities in a web application
COTS Scanners / Fuzzers
• Strong code coverage via static analysis can be automated by a test harness "driven by a fuzzer"
  – For C/Java: jCUTE, a concolic unit tester + smart fuzz
  – For .NET: Compuware SecurityChecker, fuzz tests
• Weak code coverage via dynamic analysis
  – Commercial tools often do OWASP 2007 Top Ten: A1, A2, A3, A4, A6, and mostly A10 (Failure to Restrict URL Access). What about A5, A7, A8, A9?
  – Some tools do targeted fault-injection, and usually only for basic JS, metacharacter, SQL, LDAP, XML
  – Fuzz testing is almost always random / cheap / poor
Test everything
• OWASP 2007 Top Ten, MITRE CWE, and WASC Threat Classification
• NIST SAMATE Functional Specifications
  – Suggests reporting on defense levels as well as on literature-defined vulnerabilities
  – Defense levels are like Good Findings (also see Jaquith: Happy Metrics), but show that positive (aka good) findings are really more like good / better / best
Custom fuzz testing
• Justin Clarke, Network Security Tools
  – Burp Proxy (fast proxy editor that logs) + Perl
    • Perl handles log parsing and LWP fault-injection
    • Could be Python, Ruby, Unix shell (e.g. cURL)
• Jonathan Wilkins, Black Hat / CanSecWest
  – WebScarab (popular editor from OWASP)
  – ProxMon (tool he wrote at iSEC Partners)
    • Written in Python, extensible (plugins, other proxies, etc.)
    • Rules from OWASP Testing Guide v2
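The "proxy log + script" approach on this slide, written out as an added example (this is not Clarke's Perl, ProxMon, or any code from the talk). It parses raw requests from a constructed proxy log, appends a fault-injection payload to one parameter at a time, replays each mutant through a `send` callable, and matches responses against a signature. The target here is a constructed `toy_app` function standing in for a real site; in practice `send` would wrap LWP, `requests`, or cURL. The baseline check is the part worth noting: a signature that is already present in the unmodified response is skipped, which is the false-positive class the earlier slides complain about.

```python
"""Replay-and-inject fuzzer over a proxy log (added example, not the talk's code)."""
import html
import re
from typing import Any, Callable, Dict, Iterator, List, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

Request = Dict[str, Any]
Sender = Callable[[Request], Tuple[int, str]]

# Constructed proxy log (not a real capture): raw requests separated by a blank
# line, the way a logging proxy such as Burp or WebScarab writes them out.
PROXY_LOG = """GET /search?q=shoes&page=1 HTTP/1.1
Host: shop.example
User-Agent: Mozilla/5.0

POST /item HTTP/1.1
Host: shop.example
Content-Type: application/x-www-form-urlencoded
Content-Length: 11

id=42&qty=1
"""

# Payload -> response signature that counts as a hit. The XSS marker only
# matches an unescaped reflection; the SQL probe is a lone single quote.
PAYLOADS = {
    "xss": ("<zzq>", re.compile(r"<zzq>")),
    "sqli": ("'", re.compile(r"(?i)sql syntax|unclosed quotation|unterminated quoted|ORA-\d{5}")),
}


def parse_log(text: str) -> List[Request]:
    """Split a proxy log into requests: method, target, headers, body."""
    requests: List[Request] = []
    for block in re.split(r"\n(?=(?:GET|POST|PUT|DELETE) /)", text.strip()):
        head, _, body = block.partition("\n\n")
        lines = head.splitlines()
        method, target, _version = lines[0].split(" ", 2)
        headers = dict(line.split(": ", 1) for line in lines[1:])
        requests.append({"method": method, "target": target,
                         "headers": headers, "body": body.strip()})
    return requests


def mutations(req: Request, payload: str) -> Iterator[Tuple[str, Request]]:
    """Yield (parameter name, mutated request), one parameter at a time,
    covering both the query string and a form-encoded body."""
    url = urlsplit(req["target"])
    for location, encoded in (("query", url.query), ("body", req["body"])):
        params = parse_qsl(encoded, keep_blank_values=True)
        for i, (name, value) in enumerate(params):
            mutated = params[:]
            mutated[i] = (name, value + payload)
            new = dict(req)
            if location == "query":
                new["target"] = urlunsplit(url._replace(query=urlencode(mutated)))
            else:
                new["body"] = urlencode(mutated)
            yield name, new


def scan(requests: List[Request], send: Sender) -> List[Tuple[str, str, str, str]]:
    """Return (kind, method, path, parameter) for every injection that hit."""
    findings = []
    for req in requests:
        path = urlsplit(req["target"]).path
        _status, baseline = send(req)
        for kind, (payload, signature) in PAYLOADS.items():
            if signature.search(baseline):
                continue  # already there without injection: would be a false positive
            for param, mutant in mutations(req, payload):
                _status, body = send(mutant)
                if signature.search(body):
                    findings.append((kind, req["method"], path, param))
    return findings


def toy_app(req: Request) -> Tuple[int, str]:
    """Constructed stand-in for the target (an assumption, not a real site):
    /search reflects q unescaped; /item hands id to a fake SQL layer that
    errors on an unbalanced quote. Every other value is HTML-escaped."""
    url = urlsplit(req["target"])
    query = dict(parse_qsl(url.query, keep_blank_values=True))
    form = dict(parse_qsl(req["body"], keep_blank_values=True))
    if url.path == "/search":
        return 200, (f"<h1>Results for {query.get('q', '')}</h1>"
                     f"<p>page {html.escape(query.get('page', ''))}</p>")
    if url.path == "/item":
        item_id = form.get("id", "")
        if item_id.count("'") % 2:
            return 500, f"You have an error in your SQL syntax near '{item_id}'"
        return 200, f"<p>item {html.escape(item_id)} x {html.escape(form.get('qty', ''))}</p>"
    return 404, "not found"


if __name__ == "__main__":
    for kind, method, path, param in scan(parse_log(PROXY_LOG), toy_app):
        print(f"{kind:5} {method} {path} parameter={param}")
```

Against the constructed log and target this reports an XSS hit on `q` of `GET /search` and an SQL error on `id` of `POST /item`, and nothing for `page` or `qty`, which the toy app escapes. Replacing `toy_app` with a function that performs the request over the network turns it into the Perl-plus-LWP loop the slide describes.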
Burp / WebScarab demo
Missing issues
• Overflows (buffer, integer, heap, format string)
  – Static analysis covers this. A new dynamic analysis method in an additional demonstration
• Denial-of-Service (DoS)
  – Sorry, no demonstration today. But I will touch on this slightly in the buffer overflow demonstration
• Incorrect configurations
  – CISecurity.org (Apache Benchmark by Jeremiah Grossman), Month of PHP Bugs (and fixes!)
MSF-XB Demo
Thank you