A Scanner Sparkly Web Application Proxy Editors and Scanners
Page 1: A Scanner Sparkly Web Application Proxy Editors and Scanners

A Scanner Sparkly

Web Application Proxy Editors and Scanners

Page 2

Vulnerability Finders

• What is a scanner?
– A tool used by security professionals to locate vulnerabilities present in IT infrastructure

• What skills are required to use or interpret a scanner?
– Depends on many factors (i.e. your brain)

• What else do I need to know?
– A lot about HTTP, HTML, JS, Ajax, and XSS (i.e. RTFM. Also see: “your brain”)

Page 3

Ways to find vulns

• Static analysis
– Requires source code
• Source code isn’t that hard to get these days
– Generates a lot of false positives
• More false positives usually also means fewer false negatives

• Dynamic analysis
– Can find things that static analysis can’t
– Also generates a lot of false positives

Page 4

False what?

• False negative
– Failure of a tool to report a weakness, where in fact there is one present in the code

• False positive
– Reporting of a vulnerability by a tool, when there is none

• Vulnerability
– A property of system security requirements, design, implementation, or operation that could be accidentally triggered or intentionally exploited and result in a security failure

* Taken from the WASC Glossary (http://webappsec.org/projects/glossary)

Page 5

What method / what tool?

• Static analysis done with Fortify SCA (or similar tool) by experienced engineers that wrote, helped write, or are re-architecting an application or set of applications

• Dynamic analysis done by an internal or external vulnerability assessment team using custom-written tools that are written to expose the largest number of vulnerabilities against a web application

Page 6

COTS Scanners / Fuzzers

• Strong code coverage via static analysis can be automated by a test harness “driven by a fuzzer”
– For C/Java: jCUTE, concolic unit tester + smart fuzz
– For .NET: Compuware SecurityChecker, fuzz tests

• Weak code coverage via dynamic analysis
– Commercial tools often do OWASP 2007 Top Ten: A1, A2, A3, A4, A6, and mostly A10 (Unrestricted URL Access). What about A5, A7, A8, A9?
– Some tools do targeted fault-injection, and usually only for basic JS, metacharacter, SQL, LDAP, XML
– Fuzz testing is almost always random / cheap / poor

Page 7

Test everything

• OWASP 2007 Top Ten, MITRE CWE, and WASC Threat Classifications

• NIST SAMATE Functional Specifications
– Suggests reporting on defense levels as well as on literature-defined vulnerabilities
– Defense levels are like Good Findings (also see Jaquith: Happy Metrics), but show how positive (aka good) findings are really more like good / better / best

Page 8

Custom fuzz testing

• Justin Clarke, Network Security Tools
– burpproxy (fast proxy editor that logs) + Perl
• Perl handles log parsing and LWP fault-injection
• Could be Python, Ruby, Unix Shell (e.g. cURL)

• Johnathan Wilkins, Blackhat / CanSecWest
– WebScarab (popular editor from OWASP)
– ProxMon (tool he wrote at iSecPartners)
• Written in Python, extensible (plugins, other proxies, etc)
• Rules from OWASP Testing Guide v2
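The recipe on this slide (a logging proxy, then a script that parses the log and replays each request with metacharacter fault-injection) as an added Python example; this is not code from the talk, from Clarke's book or from ProxMon. The proxy log format, the `app.example` URLs, the `zqx9canary` marker and the stub application are all constructed for the example. It also reports the "good finding" from the previous slide: a parameter whose metacharacters come back encoded is evidence of output encoding, not just the absence of a bug. In real use, `send` would be an HTTP client (urllib, requests) pointed at a test instance of the application.

```python
import re
from html import escape
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed proxy log (hypothetical "METHOD URL" per line, as a logging
# proxy such as burpproxy or WebScarab could be configured to emit).
PROXY_LOG = """\
GET http://app.example/search?q=shoes&page=1
GET http://app.example/static/logo.png
POST http://app.example/login?next=/home
GET http://app.example/search?q=hats
"""
LOG_RE = re.compile(r"^(GET|POST)\s+(\S+)$")

# Marker unlikely to appear in real content, wrapped in the metacharacters
# whose survival or encoding in the response is the thing we measure.
CANARY = "zqx9canary"
PAYLOADS = [CANARY, f"<{CANARY}>", f"'{CANARY}'", f'"{CANARY}"']

# Verdicts, from best evidence of a defense to worst.
NOT_REFLECTED = "not reflected"
REFLECTED = "reflected (metacharacter payloads did not survive)"
ENCODED = "reflected, metacharacters encoded (output encoding present)"
UNENCODED = "reflected, metacharacters unencoded (candidate XSS; verify by hand)"
PRIORITY = [UNENCODED, ENCODED, REFLECTED, NOT_REFLECTED]

def parse_log(text):
    """Turn proxy log lines into (method, url) pairs, skipping static assets."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m and not urlsplit(m.group(2)).path.startswith("/static/"):
            out.append(m.groups())
    return out

def mutate(url):
    """Yield (param_name, payload, mutated_url) for each query parameter."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    for i, (name, _) in enumerate(params):
        for payload in PAYLOADS:
            new = list(params)
            new[i] = (name, payload)
            yield name, payload, urlunsplit(parts._replace(query=urlencode(new)))

def classify(payload, body):
    """What one response says about the injected parameter."""
    if payload in body:
        return REFLECTED if payload == CANARY else UNENCODED
    if CANARY in body:
        return ENCODED          # marker survived, metacharacters did not
    return NOT_REFLECTED

def scan(log_text, send):
    """Replay every logged request with each payload; one verdict per (path, param)."""
    seen = {}
    for method, url in parse_log(log_text):
        path = urlsplit(url).path
        for name, payload, murl in mutate(url):
            _status, body = send(method, murl)
            seen.setdefault((path, name), set()).add(classify(payload, body))
    # Strongest observation wins: one unencoded reflection outranks encoded ones.
    return {k: next(v for v in PRIORITY if v in obs) for k, obs in seen.items()}

# Stub of a hypothetical application so the harness runs offline: /search
# reflects q raw, /login HTML-encodes next before placing it in an attribute.
def vulnerable_app(method, url):
    parts = urlsplit(url)
    q = dict(parse_qsl(parts.query, keep_blank_values=True))
    if parts.path == "/search":
        return 200, f"<h1>Results for {q.get('q', '')}</h1>"
    if parts.path == "/login":
        return 200, f"<a href='{escape(q.get('next', ''), quote=True)}'>go</a>"
    return 404, "not found"

if __name__ == "__main__":
    for (path, param), verdict in sorted(scan(PROXY_LOG, vulnerable_app).items()):
        print(f"{path} [{param}]: {verdict}")
```

The "candidate XSS" wording is deliberate: an unencoded reflection is exactly the kind of finding slide 3 warns produces false positives (the reflection may land in a context where the characters are inert, or a later filter may apply), so the harness only ranks evidence and leaves confirmation to the tester.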

Page 9

Burp / WebScarab demo

Page 10

Missing issues

• Overflows (buffer, integer, heap, format string)
– Static analysis covers this. A new dynamic analysis method in additional demonstration

• Denial-of-Service (DoS)
– Sorry, no demonstration today. But I will address this in the buffer overflow demonstration slightly

• Incorrect configurations
– CISecurity.org (Apache Benchmark by Jeremiah Grossman), Month of PHP Bugs (and fixes!)

Page 11

MSF-XB Demo

Page 12

Thank you