A Scanner Sparkly. Web Application Proxy Editors and Scanners - PowerPoint PPT Presentation (13 slides, provided by saraw6)

Transcript and Presenter's Notes

1
A Scanner Sparkly
  • Web Application Proxy Editors and Scanners

2
Vulnerability Finders
  • What is a scanner?
  • A tool used by security professionals to locate
    vulnerabilities present in IT infrastructure
  • What skills are required to use or interpret a
    scanner?
  • Depends on many factors (i.e. your brain)
  • What else do I need to know?
  • A lot about HTTP, HTML, JS, Ajax, and XSS (i.e.
    RTFM. Also see your brain)

3
Ways to find vulns
  • Static analysis
  • Requires source code
  • Source code isn't that hard to get these days
  • Generates a lot of false positives
  • More false positives usually also means fewer
    false negatives
  • Dynamic analysis
  • Can find things that static analysis can't
  • Also generates a lot of false positives

4
False what?
  • False negative
  • Failure of a tool to report a weakness, where in
    fact there is one present in the code
  • False positive
  • Reporting of a vulnerability by a tool, when
    there is none
  • Vulnerability
  • A property of system security requirements,
    design, implementation, or operation that could be
    accidentally triggered or intentionally exploited
    and result in a security failure

Taken from the WASC Glossary (http://webappsec.org/projects/glossary)
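As an added illustration of the definitions above (example code written for this page, not from the slides): a deliberately naive static rule for SQL injection is run over constructed PHP-like snippets with known ground truth, and its false positives and false negatives are counted. A second, broader rule shows the tradeoff the previous slide mentions: more false positives, fewer false negatives. The sample snippets, the regex rules and the function names are all assumptions made for the example.

```python
"""Toy static analyzer used to count false positives and false negatives.

Added example, not code from the original slides. The 'source files' are
constructed PHP-like one-liners with known ground truth; both rules are
deliberately naive regexes of the kind that pattern-matching scanners use.
"""
import re

# Constructed samples: name -> (code, truly vulnerable to SQL injection?)
SAMPLES = {
    "concat_raw": ('$q = "SELECT * FROM u WHERE id=" . $_GET["id"];', True),
    # Validated first, so the later concatenation is safe: a naive rule still flags it.
    "sanitized_concat": ('if (!ctype_digit($_GET["id"])) die(); '
                         '$q = "SELECT * FROM u WHERE id=" . $_GET["id"];', False),
    "cast_concat": ('$q = "SELECT * FROM u WHERE id=" . intval($_GET["id"]);', False),
    # Vulnerable, but built with sprintf rather than '.', so the narrow rule misses it.
    "sprintf_raw": ("$q = sprintf(\"SELECT * FROM u WHERE name='%s'\", $_GET[\"n\"]);", True),
    "prepared": ('$st = $db->prepare("SELECT * FROM u WHERE id=?"); '
                 '$st->execute([$_GET["id"]]);', False),
}

# Narrow rule: a SQL string literal directly concatenated ('.') with a request parameter.
NARROW = re.compile(r'SELECT[^;]*"\s*\.\s*\$_(GET|POST)')
# Broad rule: a request parameter anywhere in the same statement as a SELECT.
BROAD = re.compile(r'SELECT[^;]*\$_(GET|POST)')


def narrow_sqli_rule(code: str) -> bool:
    return NARROW.search(code) is not None


def broad_sqli_rule(code: str) -> bool:
    return BROAD.search(code) is not None


def classify(rule, samples):
    """Compare a rule's verdicts with ground truth; return sample names bucketed as
    tp (real bug reported), fp (report with no bug), fn (bug missed), tn (correctly quiet)."""
    buckets = {"tp": [], "fp": [], "fn": [], "tn": []}
    for name, (code, truly_vulnerable) in samples.items():
        flagged = rule(code)
        if flagged and truly_vulnerable:
            buckets["tp"].append(name)
        elif flagged:
            buckets["fp"].append(name)
        elif truly_vulnerable:
            buckets["fn"].append(name)
        else:
            buckets["tn"].append(name)
    return buckets


def rates(buckets):
    """Precision (share of reports that are real) and recall (share of real bugs found)."""
    tp, fp, fn = (len(buckets[k]) for k in ("tp", "fp", "fn"))
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall


if __name__ == "__main__":
    for label, rule in (("narrow", narrow_sqli_rule), ("broad", broad_sqli_rule)):
        b = classify(rule, SAMPLES)
        print(label, {k: len(v) for k, v in b.items()}, "precision/recall:", rates(b))
```

The narrow rule misses the sprintf-built query (a false negative) and flags the validated one (a false positive); the broad rule finds every real bug but also flags the intval-cast query, which is exactly the "more false positives, fewer false negatives" trade the slide describes. Neither rule reasons about data flow, which is what a real static analyzer adds to reduce both.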
5
What method / what tool?
  • Static analysis done with Fortify SCA (or similar
    tool) by experienced engineers that wrote, helped
    write, or are re-architecting an application or
    set of applications
  • Dynamic analysis done by an internal or external
    vulnerability assessment team using
    custom-written tools designed to expose
    the largest number of vulnerabilities in a
    web application

6
COTS Scanners / Fuzzers
  • Strong code coverage via static analysis can be
    automated by a test harness driven by a fuzzer
  • For C/Java: jCUTE, a concolic unit tester (smart
    fuzzing)
  • For .NET: Compuware SecurityChecker (fuzz tests)
  • Weak code coverage via dynamic analysis
  • Commercial tools often do OWASP 2007 Top Ten A1,
    A2, A3, A4, A6, and mostly A10 (Failure to Restrict
    URL Access). What about A5 (CSRF), A7 (broken
    authentication and session management), A8
    (insecure cryptographic storage), A9 (insecure
    communications)?
  • Some tools do targeted fault injection, and
    usually only for basic JS, metacharacter, SQL,
    LDAP and XML injection
  • Fuzz testing is almost always random / cheap /
    poor

7
Test everything
  • OWASP 2007 Top Ten, MITRE CWE, and WASC Threat
    Classifications
  • NIST SAMATE Functional Specifications
  • These suggest reporting on defense levels as well
    as on literature-defined vulnerabilities
  • Defense levels are like Good Findings (also see
    Jaquith Happy Metrics), but show that positive
    (i.e. good) findings are really more like good /
    better / best

8
Custom fuzz testing
  • Justin Clarke, Network Security Tools
  • burpproxy (fast proxy editor that logs) + Perl
  • Perl handles log parsing and LWP fault injection
  • Could equally be Python, Ruby, or Unix shell (e.g.
    cURL)
  • Johnathan Wilkins, Black Hat / CanSecWest
  • WebScarab (popular editor from OWASP)
  • ProxMon (tool he wrote at iSEC Partners)
  • Written in Python, extensible (plugins, other
    proxies, etc.)
  • Rules from the OWASP Testing Guide v2
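The log-driven workflow of this slide (the proxy logs the traffic, a script parses the log and replays each request with injected faults), combined with the targeted payload classes listed on slide 6, as an added Python example rather than the talk's Perl/LWP code. The proxy log format, the payloads and their response signatures, and the in-process stand-in application that makes the example run offline are all constructed assumptions; in practice `send` would be a real HTTP client call (LWP, urllib, cURL) against the target.

```python
"""Log-driven fault injection: parse a proxy log, mutate each parameter,
replay the request and look for tell-tale responses.

Added example, not the talk's Perl/LWP code. The proxy log and the target
application are constructed stand-ins so that it runs offline.
"""
import re
from urllib.parse import urlsplit, parse_qsl

MARKER = "=" * 40  # separator between logged requests (assumed log format)

# Constructed proxy log: two requests captured while browsing the target.
PROXY_LOG = f"""{MARKER}
GET /search?q=shoes&page=2 HTTP/1.1
Host: app.example.test

{MARKER}
POST /login HTTP/1.1
Host: app.example.test
Content-Type: application/x-www-form-urlencoded

user=alice&pass=secret
{MARKER}
"""

# Targeted payload classes (JS, metacharacters, SQL, LDAP, XML) paired with a
# response signature that suggests the input reached an interpreter or was
# reflected unescaped. Payloads and signatures are assumptions for the example.
PAYLOADS = {
    "js":   ("<script>fz()</script>", re.compile(r"<script>fz\(\)</script>")),
    "meta": ("'\";|&<>", re.compile(r"syntax error|unexpected token", re.I)),
    "sql":  ("' OR '1'='1", re.compile(r"SQL syntax|unterminated quoted", re.I)),
    "ldap": ("*)(uid=*))(|(uid=*", re.compile(r"bad search filter", re.I)),
    "xml":  ("<!DOCTYPE x [<!ENTITY e 'fz'>]><x>&e;</x>",
             re.compile(r"XML parsing error|<x>fz</x>")),
}


def parse_log(text):
    """Yield (method, path, params) for each request in the log; query-string and
    form-body parameters are merged into one dict of injection points."""
    for entry in text.split(MARKER):
        entry = entry.strip()
        if not entry:
            continue
        head, _, body = entry.partition("\n\n")
        method, target, _ = head.splitlines()[0].split(" ", 2)
        url = urlsplit(target)
        params = dict(parse_qsl(url.query, keep_blank_values=True))
        if method == "POST":
            params.update(parse_qsl(body.strip(), keep_blank_values=True))
        yield method, url.path, params


def fake_app(method, path, params):
    """Constructed target: /search reflects q unescaped but validates page;
    /login concatenates user into SQL and leaks the database error."""
    if path == "/search":
        if not params.get("page", "1").isdigit():
            return 400, "bad page"
        return 200, f"<h1>Results for {params.get('q', '')}</h1>"
    if path == "/login":
        user = params.get("user", "")
        if "'" in user:  # stand-in for the database rejecting the broken query
            return 500, "You have an error in your SQL syntax near '" + user + "'"
        return 200, "welcome"  # password is hashed before use, so never reaches SQL
    return 404, "not found"


def inject(send, requests):
    """Replay every request once per (parameter, payload). A finding is recorded
    when the payload's signature appears in the body, or when the server errors."""
    findings = []
    for method, path, params in requests:
        for name in params:
            for pname, (payload, signature) in PAYLOADS.items():
                status, body = send(method, path, {**params, name: payload})
                if signature.search(body):
                    findings.append((path, name, pname, "signature"))
                elif status >= 500:
                    findings.append((path, name, pname, "http-5xx"))
    return findings


if __name__ == "__main__":
    for finding in inject(fake_app, parse_log(PROXY_LOG)):
        print(*finding)
```

The validated `page` and the hashed `pass` parameters produce no findings; `q` is flagged only for the reflected script tag, and `user` for the SQL error signature plus two generic 5xx responses that a tester would then look at by hand. Recording the 5xx cases separately keeps the cheap "anything odd happened" signal without confusing it with a confirmed signature, which is the difference between targeted fault injection and the random fuzzing slide 6 dismisses.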

9
Burp / WebScarab demo
10
Missing issues
  • Overflows (buffer, integer, heap, format string)
  • Static analysis covers these; a new dynamic
    analysis method is shown in an additional
    demonstration
  • Denial-of-Service (DoS)
  • Sorry, no demonstration today, but the buffer
    overflow demonstration touches on it briefly
  • Incorrect configurations
  • CISecurity.org (Apache Benchmark by Jeremiah
    Grossman), Month of PHP Bugs (and fixes!)

11
MSF-XB Demo
12
Thank you