Why Johnny Can’t Pentest:
An Analysis of Black-box Web Vulnerability Scanners
Adam Doupé, Marco Cova and Giovanni Vigna
Said Alriyami
Introduction
• Black-box web vulnerability scanner
• Point-and-click pentesting
• 11 black-box tools tested in the paper
• They fail to detect a significant number of vulnerabilities. Why?
OWASP Top 10 List 2010
• A1: Injection
• A2: Cross-Site Scripting (XSS)
• A3: Broken Authentication and Session Management
• A4: Insecure Direct Object References
• A5: Cross-Site Request Forgery (CSRF)
• A6: Security Misconfiguration
• A7: Insecure Cryptographic Storage
• A8: Failure to Restrict URL Access
• A9: Insufficient Transport Layer Protection
• A10: Unvalidated Redirects and Forwards
How to Test?
• XSS
• SQL Injection
• Code Injection
• Broken Access Controls
How does it work?
• Consisting of three main modules:
1. Crawler Module
   • URLs
   • Input points (GET parameters, form inputs, file upload)
2. Attacker Module
   • Values used to attack each input point
   • Predefined values
3. Analysis Module
   • Detect vulnerabilities
   • Feedback to the crawler and attacker
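The three-module pipeline above, as an added toy example (not code from the paper or from any of the tested tools): a crawler that extracts input points from constructed HTML, an attacker that submits a predefined marker value, and an analysis step that flags an input point when the marker is reflected unescaped. The target is a constructed in-memory stand-in (`fake_app`) rather than a real site, so the example runs offline.

```python
# Added example (not the paper's code): a toy three-module scanner, run offline
# against a constructed in-memory stand-in for a web app.
import html
from html.parser import HTMLParser

MARKER = "ZZ<x>ZZ"  # constructed probe; reflected verbatim only if unescaped


class FormCrawler(HTMLParser):
    """Crawler module: collect input points (form action + field names)."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action", ""), "fields": []}
        elif tag == "input" and self._cur is not None and a.get("name"):
            self._cur["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append(self._cur)
            self._cur = None


def fake_app(path, params):
    """Constructed target: /search echoes unescaped, /comment HTML-encodes."""
    if path == "/search":
        return f"<p>Results for {params.get('q', '')}</p>"
    if path == "/comment":
        return f"<p>{html.escape(params.get('text', ''))}</p>"
    return ""


def scan(page_html, app=fake_app):
    """Attacker module sends MARKER into each field; analysis module flags
    the input point when the marker comes back unescaped (reflection)."""
    crawler = FormCrawler()
    crawler.feed(page_html)
    findings = []
    for form in crawler.forms:
        for field in form["fields"]:
            if MARKER in app(form["action"], {field: MARKER}):
                findings.append((form["action"], field))
    return findings


# Constructed entry page with two input points; scan(SITE) -> [('/search', 'q')]
SITE = '<form action="/search"><input name="q"></form>' \
       '<form action="/comment"><input name="text"></form>'
```

Only the `/search` form is reported: `/comment` encodes the marker, which is the kind of true-negative the analysis module must get right to avoid false positives.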
How can we test them?
• Applications that deliberately contain vulnerabilities
   • HacmeBank
   • WebGoat
• Applications designed specifically for testing scanners
   • SiteGenerator
• An older version of an open-source application that has known vulnerabilities
• Or?
Create your own
Design of WackoPicko
• Authentication
• Upload Pictures
• Comment on Pictures
• Purchase Pictures
• Search
• Guestbook
• Admin Area
Publicly Accessible Vulnerabilities
• Reflected XSS
• Stored XSS
• Session ID
• Weak Password
• Reflected SQL Injection
• Command Line Injection
• File Inclusion
• Unauthorized File Exposure
• Reflected XSS Behind JavaScript
• Parameter Manipulation
Vulnerabilities Requiring Authentication
• Stored SQL Injection
• Multi-Step Stored XSS
• Forceful Browsing
• Logic Flaw
• Reflected XSS Behind Flash
Apps Under Test
Modes of Test
• INITIAL
• CONFIG
• MANUAL
Detection Results
True positives & False negatives
Running Time
74 Seconds (Burp)
6 Hours (N-Stalker)
Final Ranking
Crawling Challenges
• HTML Parsing
• Multi-Step Process
• Infinite Web Site
• Authentication
• Client-side Code
• Link Extraction
WIVET results
DEMO