Monday, May 28, 2012

Web Vulnerability Scanners

UPDATE 20141203: I have posted recent findings about the security scanners mentioned in this post since a new open sourced test bed tool from Google called Firing Range has become available. With this tool we at least have a least of vulnerabilities we can test against to evaluate the vulnerability coverage in terms of Web Application Scanners. Note that nikto is a Web Server scanner which means it does not get into application logic vulnerabilities. When you are performing Penetration Testing usually the first tier you will want to address is that HTTP(S) web URL that you have exposed to the outside. Please do your Business a favor and perform an ssl test as your very first step).

Low budget companies usually opt for relying on software developers to take care of this area and while that can be an apparent cheap path and definitely it is indeed better than nothing be aware that this is like investing in a Fund where no external accounting is performed, where is the Audit really?

A company risks too much if it decides to go without a BCP or DR plan, right? A company without a PenTest plan is risking as much or probably more.

PenTesting is not difficult when you know the Web protocols and languages. Most likely your developers, devops, sysadmins know them. The problem is that it is a time consuming task that demands not just knowing protocols and how to use the tools but also a lot of reading, research and community interaction. As usual certain passion for this job is a must have for the team in charge.

Here are some guidelines for an in house security team. Note that I strongly recommend to reach out professional service in this area however at a minimum there should be pentest done yearly and if you ask me it should be integrated in your delivery pipeline. Every time you are ready to deploy you run automated large (AUAT/E2E) tests don't you? So why not using a proxy like ZAP to inspect for vulnerabilities out of those tests?

I hope this will be useful for others starting on the PenTest arena. The site has been my home page for some time now and I can tell you the more you read the more you realize how little you know about protecting your applications.

Here is the list of those tools I have been using so far as Web Vulnerability Scanners. Note that they complement each other. The fact that I use them all is because some of them will report issues the others won't. An extensive list of these are found on OWASP site and even compiled in Linux Security distros like BackTrack distro.
  1. SkipFish: After running the below command (custom for $site) several warnings/errors are provided starting at output_${site}/index.html. As usual some of them are false positives but everything must be inspected. Sometimes big vulnerabilities lie on "info" level warnings:
    ./skipfish -S dictionaries/complete.wl -o output_${site} http://${site}
  2. Nikto: Installed with simple apt-get in ubuntu you use the below to scan the web app. Press "v" once the app starts to get verbose information:
    nikto -h $site -o ~/Downloads/nikto-${site}.html
  3. w3af: Use just the w3af-gui providing the URL and checking for OWASP TOP 10 configuration for a start. Look at the results tab after even though from command line you get all information you need as well.
    git clone --depth 1
    cd w3af
  4. OWASP ZAP: Run an "active scan" just starting the app and pointing to your URL:
    Run a "passive scan" out of your automated tests. This is the most powerful test of all and while it can come out of manual interaction with your application the real power of it comes out of your automated users acceptance tests (AUAT) AKA end to end (E2E) tests. This is yet another example of a must have for UI automated testing. With that in place you can assert vulnerabilities related to common user interactions with the system. You need to turn on the proxy in your browser. Chrome uses the system wide proxy capabilities so for example in Ubuntu you will proceed as below to configure all HTTP traffic including local to go through the proxy, that way ZAP will be able to search for vulnerabilities.

PenTest Weekend Conclusions

False positives: These are common for any of the tools you use. In some you will notice errors about PHP (modules.php) and ASP (members.asp) resources which do not exist as you are running a J2EE app. Some false positives are related to redirections to the login form for example.

No Silver Bullet: w3af was the only one detecting clickjacking threats this time. I am happy it found something as my latest usage of the tool was almost telling me I could live without it.

Proxy interceptors: Of those available in the market free like in beer the OWASP ZAP is the one that has given me better results so far.

No comments: