Date posted: 16-Jul-2015
EVALUATION OF WEB APPLICATION VULNERABILITY SCANNERS' STRENGTHS AND LIMITATIONS USING CUSTOM WEB APPLICATION
By: Yuliana Martrosyan
Advisor: Dr. Levent Ertaul
GOAL OF THE THESIS
How efficient are WAVS at addressing security concerns in web applications?
Develop a custom test bed that implements vulnerabilities presented in the web
Assess the results to suggest areas that require research to improve the WAVS detection rate
Modeling User Behavior
Create Account
Update Account
Create Shopping Cart
Check Product Review
Add Product Review
Recover Password
Partners’ Newsletters
Subscribe to Mailing List
MusicStore implements 55 variations of OWASP Top 10 Vulnerabilities
First Order SQLI
    // Recover-password query: emailAddress and answer are concatenated straight into the SQL text (the intended vulnerability)
    String query = "SELECT Password FROM v_UserPass WHERE v_UserPass.EmailAddress = '"
        + emailAddress + "' AND v_UserPass.Answer = '" + answer + "'";
First Order SQLI
Acunetix WVS: missed all SQLI. Not all of the required fields were filled.
QualysGuard WAS: First-Order SQLI was detected.
Second Order SQLI
    // Update query: Password is bound as a parameter, but answer and emailAddress are still concatenated
    String query = "UPDATE v_UserPass SET "
        + "Password = ?"
        + ", Answer = " + "'" + answer + "' "
        + " WHERE EmailAddress = '" + emailAddress + "'";
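As an added example that is not part of the poster or the MusicStore code base, the first-order recover-password query above is modelled in Python against an in-memory SQLite table standing in for v_UserPass (constructed sample row, assumed schema); it puts the concatenated query beside a parameterised one and runs the minimal error-based probe a WAVS sends to a form field, a lone apostrophe, to show why only the concatenated form surfaces a SQL error. The same parameter binding also removes the concatenated Answer and EmailAddress from the second-order UPDATE.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the MusicStore v_UserPass view (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE v_UserPass (EmailAddress TEXT, Password TEXT, Answer TEXT)")
    conn.execute("INSERT INTO v_UserPass VALUES ('hs@hs.com', 'secret-pw', 'springfield')")
    conn.commit()
    return conn


def recover_password_vulnerable(conn, email_address, answer):
    """Mirrors the poster's first-order query: input is spliced into the SQL text,
    so a quote in either field is parsed as SQL syntax rather than as data."""
    query = (
        "SELECT Password FROM v_UserPass WHERE v_UserPass.EmailAddress = '"
        + email_address + "' AND v_UserPass.Answer = '" + answer + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def recover_password_fixed(conn, email_address, answer):
    """Hardened form: bound parameters keep user input out of the SQL grammar."""
    query = "SELECT Password FROM v_UserPass WHERE EmailAddress = ? AND Answer = ?"
    row = conn.execute(query, (email_address, answer)).fetchone()
    return row[0] if row else None


def probe_for_sql_error(conn, recover):
    """Minimal error-based check of the kind a WAVS performs on a form field:
    submit a lone apostrophe and report whether the backend raised a SQL error.
    True means the unbalanced quote reached the SQL parser, i.e. the field is injectable."""
    try:
        recover(conn, "hs@hs.com", "'")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("concatenated query injectable:", probe_for_sql_error(db, recover_password_vulnerable))
    print("parameterised query injectable:", probe_for_sql_error(db, recover_password_fixed))
```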
Cross-Site Scripting (XSS)
Acunetix WVS: missed Persistent XSS; unable to find the payload.
QualysGuard WAS: detected most Non-Persistent and Persistent XSS.
DOM XSS
Acunetix WVS: detected all AJAX XSS and most Non-Persistent XSS.
QualysGuard WAS: missed all AJAX vulnerabilities; detected some other DOM vulnerabilities.
GET Request:
http://vulnerablewebapp.com/email/addToEmailList?firstName=%3CIFRAME%20src=javascript:alert(%27firstName%20XSS%27)%20/%3E&lastName=Simpson&emailAddress=hs@hs.com
Broken Authentication and Session Management
Both scanners missed the Weak Password Recovery Model vulnerability.
Both scanners found the Brute Force attack vulnerability.
Cross Site Request Forgery (CSRF)
Most vulnerabilities were missed by both scanners due to an incomplete crawling phase.
QualysGuard WAS reported numerous duplicated CSRF findings marked as 'clickjacking' vulnerabilities.
SECURITY MISCONFIGURATION
QualysGuard detected a DoS attack possibility.
Data submission HTTP methods should be tested.
INSECURE CRYPTOGRAPHIC STORAGE AND INSUFFICIENT TRANSPORT LAYER PROTECTION
Non-Encrypted Storage
Displaying passwords while typing
No 'secure' and 'HTTPOnly' cookies
No SSL with Log In
No SSL with Confidential Info
Both scanners recommend setting the 'secure' flag on the application cookies.
Both scanners should test for insecure handling of confidential data.
FAILURE TO RESTRICT URL ACCESS
Both scanners did not detect the hidden link.
Advanced forced browsing should be performed.
UN-VALIDATED REDIRECT AND FORWARD
QualysGuard WAS found the flaw.
Acunetix WVS should spider the site to see if it generates any redirects.
DETECTED AND FALSE POSITIVES
[Chart: detected findings and false positives (FP) per scanner; QualysGuard WAS on a 0-100 axis, Acunetix WVS on a 0-250 axis]
GROUP RESULTS
[Chart: detection rate (0-100) per OWASP vulnerability category V1 to V10]
PUBLICATIONS
L. Ertaul, Y. Martirosyan, "Implementation of a WEB Application for Evaluation of WEB Application Security Scanners", Proceedings of the 2012 International Conference on Security & Management SAM'12, July, Las Vegas.
CONCLUSION
Improve crawling functionality
Re-index the pages of the target application after the attack to detect the payload
Check all possible attack vectors and then report the vulnerability and reproduction steps
Use WASSs as a group