A Scanner Sparkly
Web Application Proxy Editors and Scanners
Vulnerability Finders
• What is a scanner?
– A tool used by security professionals to locate vulnerabilities present in IT infrastructure
• What skills are required to use or interpret a scanner?
– Depends on many factors (i.e. your brain)
• What else do I need to know?
– A lot about HTTP, HTML, JS, Ajax, and XSS (i.e. RTFM. Also see: “your brain”)
Ways to find vulns
• Static analysis
– Requires source code
• Source code isn’t that hard to get these days
– Generates a lot of false positives
• More false positives usually also means fewer false negatives
• Dynamic analysis
– Can find things that static analysis can’t
– Also generates a lot of false positives
False what?
• False negative
– Failure of a tool to report a weakness, where in fact there is one present in the code
• False positive
– Reporting of a vulnerability by a tool, when there is none
• Vulnerability
– A property of system security requirements, design, implementation, or operation that could be accidentally triggered or intentionally exploited and result in a security failure
* Taken from the WASC Glossary (http://webappsec.org/projects/glossary)
What method / what tool?
• Static analysis done with Fortify SCA (or similar tool) by experienced engineers that wrote, helped write, or are re-architecting an application or set of applications
• Dynamic analysis done by an internal or external vulnerability assessment team using custom-written tools built to expose the largest number of vulnerabilities in a web application
COTS Scanners / Fuzzers
• Strong code coverage via static analysis can be automated by a test harness “driven by a fuzzer”
– For C/Java: jCUTE, concolic unit tester + smart fuzz
– For .NET: Compuware SecurityChecker, fuzz tests
• Weak code coverage via dynamic analysis
– Commercial tools often do OWASP 2007 Top Ten: A1, A2, A3, A4, A6, and mostly A10 (Unrestricted URL Access). What about A5, A7, A8, A9?
– Some tools do targeted fault-injection, and usually only for basic JS, metacharacter, SQL, LDAP, XML
– Fuzz testing is almost always random / cheap / poor
Test everything
• OWASP 2007 Top Ten, MITRE CWE, and WASC Threat Classifications
• NIST SAMATE Functional Specifications
– Suggests reporting on defense levels as well as on literature-defined vulnerabilities
– Defense levels are like Good Findings (also see Jaquith: Happy Metrics), but show how positive (aka good) findings are really more like good / better / best
Custom fuzz testing
• Justin Clarke, Network Security Tools
– burpproxy (fast proxy editor that logs) + Perl
• Perl handles log parsing and LWP fault-injection
• Could be Python, Ruby, Unix Shell (e.g. cURL)
• Jonathan Wilkins, Blackhat / CanSecWest
– WebScarab (popular editor from OWASP)
– ProxMon (tool he wrote at iSecPartners)
• Written in Python, extensible (plugins, other proxies, etc)
• Rules from OWASP Testing Guide v2
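An added example, not code from the talk, from Clarke's book or from ProxMon: a Python sketch of the "log the proxy, parse the log, inject faults" harness the bullets above describe, for use against your own test application. The log format is a simplified constructed one (not Burp's real format), and the host app.example.test is a placeholder.

```python
"""Added example (not from the talk): a small Python version of the proxy-log
parsing + fault-injection harness the slides describe, for your own test app."""
from urllib.parse import urlsplit, parse_qsl
# Constructed sample proxy log (simplified; not Burp's real on-disk format).
SAMPLE_LOG = """\
======
GET /search?q=widgets&page=2 HTTP/1.1
Host: app.example.test

======
POST /login HTTP/1.1
Host: app.example.test

user=alice&pass=secret
"""
PROBES = ["'", '"', "<", ">"]  # basic metacharacter probes, one per case
SQL_ERROR_MARKERS = ("sql syntax", "syntax error", "unclosed quotation")

def parse_log(text):
    """One dict (method, host, path, params) per logged request."""
    requests = []
    for block in filter(None, (b.strip() for b in text.split("======"))):
        head, _, body = block.partition("\n\n")      # headers / body
        lines = head.splitlines()
        method, target, _version = lines[0].split()  # request line
        headers = dict(h.split(": ", 1) for h in lines[1:])
        parts = urlsplit(target)
        params = dict(parse_qsl(parts.query, keep_blank_values=True))
        if method == "POST":                         # form-encoded body
            params.update(parse_qsl(body.strip(), keep_blank_values=True))
        requests.append({"method": method, "host": headers.get("Host", ""),
                         "path": parts.path, "params": params})
    return requests

def build_cases(requests, probes=PROBES):
    """One case per (request, parameter, probe); other params keep logged values."""
    cases = []
    for req in requests:
        for name in req["params"]:
            for probe in probes:
                mutated = dict(req["params"], **{name: probe})
                cases.append(dict(req, param=name, probe=probe, params=mutated))
    return cases

def classify(case, status, body):
    """Response signals worth a human look; each is a candidate, not a confirmed bug."""
    checks = [(status >= 500, "server error on probe"),
              (case["probe"] in body, "probe reflected unencoded"),
              (any(m in body.lower() for m in SQL_ERROR_MARKERS), "database error text")]
    return [label for hit, label in checks if hit]
```

Each flag from classify is exactly the kind of result the "False what?" slide warns about: it needs a human to confirm before it counts as a finding.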
Burp / WebScarab demo
Missing issues
• Overflows (buffer, integer, heap, format string)
– Static analysis covers this. A new dynamic analysis method is shown in an additional demonstration
• Denial-of-Service (DoS)
– Sorry, no demonstration today. But I will touch on this briefly in the buffer overflow demonstration
• Incorrect configurations
– CISecurity.org (Apache Benchmark by Jeremiah Grossman), Month of PHP Bugs (and fixes!)
MSF-XB Demo
Thank you