Evaluation on Web Application Security Scanner
Na Wang, Li Li

Introduction

Web application scanners can be defined as automated tools which perform black-box penetration testing on a web application. Web scanners inspect web applications by crawling through their pages and parsing their contents, while applying internal functions that inspect the retrieved content for a list of known vulnerabilities. This inspection often mimics the attacks performed by malicious users, generating inputs and analyzing the web application's behavior and response. These malicious inputs are often used in a technique called fuzzing, which most web scanners are able to perform.

Scanner workflow:
Configuration (URL, parameters, ...) -> Crawling (structure, images, folders, scripts, ...) -> Scanning (simulation of attacks: submit inputs and analyze the outputs, ...)

1. Web Application Scanner

OWASP Top 10 coverage by scanner. Rows: Injection (SQL, LDAP, XPath, OS command); Cross-Site Scripting (XSS); Broken Authentication and Session Management; Insecure Direct Object References; Cross-Site Request Forgery (CSRF); Security Misconfiguration; Insecure Cryptographic Storage; Failure to Restrict URL Access; Unvalidated Redirects and Forwards; Insufficient Transport Layer Protection. Columns: Skipfish, Wapiti, Arachni, Nessus, w3af, ZAP, Acunetix WVS (free), Acunetix WVS, Websecurify. (The check-mark cells of this table lost their column alignment in extraction and are not reproduced.)

1.1 Skipfish
It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes.
Website: http://code.google.com/p/skipfish/wiki/SkipfishDoc
Command: ./skipfish -o outputfile http://129.59.89.23/securephoto/

1.2 Wapiti
It performs "black-box" scans, i.e. it does not study the source code of the application but scans the web pages of the deployed web app, looking for scripts and forms where it can inject data.
Website: http://wapiti.sourceforge.net/
Command: python wapiti.py http://129.59.89.23/securephoto/

1.3 Arachni
Arachni is an open-source, feature-full, modular, high-performance Ruby framework aimed at helping penetration testers and administrators evaluate the security of web applications.
Website: http://arachni-scanner.com/
Command: ruby arachni -fv http://129.59.89.23/securephoto/ --report=afr:outfile=test.com.afr --auto-redundant=100

1.4 Nessus
Website: http://www.tenable.com/products/nessus/nessus-product-overview
Go to: http://129.59.89.98:8834/html5.html#/

1.5 W3af
W3af is a Web Application Attack and Audit Framework. The project's goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend.
Website: http://w3af.sourceforge.net/
Command: ./w3af_gui

1.6 ZAP
The Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
Website: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Command: ./zap.sh

1.7 Acunetix
Acunetix Web Vulnerability Scanner (WVS) is an automated web application security testing tool that audits your web applications by checking for vulnerabilities like SQL injection, cross-site scripting and other exploitable vulnerabilities.
Website: http://www.acunetix.com
Free version: only XSS vulnerabilities.

1.8 Websecurify
Websecurify is a powerful cross-platform web security testing technology designed from the ground up with simplicity in mind. It can be used on Mac, Windows, Ubuntu, Chrome, Firefox, iPhone, iPad, and Android. It is the first and only web application security solution designed to run entirely from your web browser.
Website: http://www.websecurify.com/
2. Evaluation on Scanners

• Basic Evaluation
• Input Vector Support Evaluation
• Coverage Features Evaluation
• Detection Accuracy
  • The total Detection Accuracy
  • The XSS Detection Accuracy
  • The Injection Detection Accuracy
  • Insecure Direct Object References Detection Accuracy

2.1 Basic Evaluation

Scanner | License | Vendor | Operating system | Scan language
Skipfish | ASF2 | Michal Zalewski (Google) | Cross-platform | C
Wapiti | GPL2 | (cell not recovered) | (cell not recovered) | Python 2.6.x
Arachni | GPL2 | Tasos Laskos | Cross-platform | Ruby 1.9.x
Nessus | Commercial | Tenable Network Security | Cross-platform | ——
w3af | GPL2 | W3AF developers | Cross-platform | Python 2.6.x
ZAP | ASF2 | OWASP | Cross-platform | Java 1.6.x
Acunetix WVS (free) | Commercial | Acunetix | Windows | ——
Websecurify (free) | GPL2 | GNU Citizen | Cross-platform | JavaScript
Websecurify | Commercial | GNU Citizen | Cross-platform | JavaScript

The same table also rated each scanner Y/N on Open Source, GUI, Report, Pause and Log; those cells could not be mapped back to their rows after extraction and are omitted.

2.2 Input Vector Support Evaluation

Alias | General feature | Description
GET | HTTP Query String Parameters | Input parameters sent in the URL
POST | HTTP Body Parameters | Input parameters sent in the HTTP body
COOKIE | HTTP Cookie Parameters | Input parameters sent in the HTTP cookie
HEADER | HTTP Headers | HTTP request headers used by the application
SECRET | Secret HTTP Parameters | Non-visible valid HTTP parameters (such as GET to POST, etc.)
PName | HTTP Parameter Names | HTTP parameter names used by the application
XML | XML Element Content | The content of XML elements
XmlATT | XML Attributes | XML attributes
XmlTAG | XML Tags | The names of XML tags
JSON | JSON Parameters | Parameters sent in JSON format
.NetENC | .Net PostBack Encoded Parameters | Parameters sent after undergoing .Net PostBack encoding
AMF | Flash Action Message Format | Parameters sent in Flash AMF format
JavaSER | Java Serialized Objects | Parameters sent within Java serialized objects
.NetSER | .Net Serialized Objects / Remoting | Parameters sent within .Net serialized objects / remoting
WCF | .Net WCF Objects | Parameters sent in WCF requests
WCF-Bin | .Net Binary WCF Objects | Parameters sent in binary WCF requests
WebSock | HTML5 WebSockets | Direct socket browser-server communication
DWR | Java Direct Web Remoting | Parameters sent in DWR format
Custom | Custom Input Vector | Support for defining custom input vectors in the HTTP request

Input vector support per scanner (score = number of supported vectors; every vector not listed is N):

Scanner | Score | Supported input vectors
Skipfish | 4 | GET, POST, COOKIE, HEADER
Wapiti | 3 | GET, POST
Arachni | 4 | GET, POST, COOKIE, HEADER
Nessus | 5 | GET, POST, COOKIE, HEADER, PName
w3af | 5 | GET, POST, COOKIE, HEADER, PName
ZAP | 2 | GET, POST
Acunetix WVS Free Edition | 5 | GET, POST, COOKIE, HEADER, JSON
Websecurify (free) | 2 | GET, POST

2.3 Coverage Features Evaluation

Alias | General feature | Description
Manual Crawl | Manual Crawling Support | Support for manually "teaching" the application structure to the scanner
URL File | URL File Parsing Support | Support for loading the list of target entry points from a file
Html Crawler | HTML Form/Link Crawler | The ability to automatically crawl HTML forms/links (a.k.a. spider)
Ajax Crawler | JS/VBS/Ajax Crawler | The ability to automatically crawl entry points that are accessed via JS/VBS/Ajax code
Flash Crawler | Flash Crawler | The ability to automatically crawl Flash applications
Applet Crawler | Applet Crawler | The ability to automatically crawl applet applications (Java)
Silverlight Crawler | Silverlight Crawler | The ability to automatically crawl Silverlight applications
WSDL Crawler | WebService WSDL Crawler | The ability to automatically identify, analyze and crawl web service WSDL files
REST Crawler | REST WSDL Crawler | The ability to automatically identify, analyze and crawl RESTful web service WSDL files
Field AutoFill | Field Value AutoFill | The ability to fill fields with default values while automatically crawling the application (param-name based)
Smart AutoFill | Smart Field Value AutoFill | The ability to fill fields with default values while automatically crawling the application (GUI based)
AntiCSRF Support | AntiCSRF Token Support | Support for replaying and updating AntiCSRF tokens (GET/POST)
Viewstate Support | Event and Viewstate Support | Support for replaying and updating various viewstate and event fields
CAPTCHA Bypass | CAPTCHA Cracking/Bypass Features | Crack/bypass CAPTCHA fields while scanning the application
WAF Bypass | WAF Evasion Techniques | Use WAF evasion techniques while scanning the application

Coverage features per scanner (count = number of supported features; every feature not listed is N):

Scanner | Count | Supported features
Skipfish | 2 | URL File, Html Crawler
Wapiti | 1 | Html Crawler
Arachni | 2 | Manual Crawl, Html Crawler
Nessus | 1 | Html Crawler
w3af | 5 | Manual Crawl, Html Crawler, Ajax Crawler, Field AutoFill, WAF Bypass
ZAP | 3 | Manual Crawl, Html Crawler, AntiCSRF Support
Acunetix WVS Free Edition | 5 | Manual Crawl, Html Crawler, Ajax Crawler, Field AutoFill, WAF Bypass
Websecurify (free) | 1 | Html Crawler

2.4 Evaluation based on OWASP Broken Web Applications Project

The Broken Web Applications (BWA) Project produces a Virtual Machine running a variety of applications with known vulnerabilities.
2.4.1 Test bed I

Website | Severity | Summary | Category
AWStats | Low | Open Redirect | Path Traversal
AWStats | Low | Internal Path Disclosure | Path Traversal
GTD-PHP | Medium | Reflected XSS in http://owaspbwa/gtdphp/editChecklist.php | XSS
GTD-PHP | Medium | Reflected XSS in http://owaspbwa/gtd-php/editList.php | XSS
GetBoo | High | GetBoo Email Forgotten Password SQL injection | Injection
GetBoo | High | GetBoo Email Forgotten Password SQL injection | Injection
GetBoo | Medium | GetBoo stored XSS | XSS
Mandiant Struts Forms | Medium | Reflected XSS in http://owaspbwa/mandiant-struts-formvulnerable/submitname.do | XSS
OWASP AppSensor Demo Application | Medium | AppSensor viewProfile lack of access control | Broken Authentication and Session Management

2.4.1 Test bed II

Website | Severity | Summary | Category
OWASP Vicnum | see note | State Manipulation | State Manipulation
OWASP Vicnum | see note | INSERT SQL Injection | Injection
OWASP Vicnum | see note | Reflected XSS in http://owaspbwa/vicnum/vicnum5.php | XSS
OWASP Vicnum | see note | Vanilla SQL Injection | Injection
OWASP Vicnum | see note | Reflected XSS in http://owaspbwa/vicnum/cgibin/vicnum1.pl | XSS
OWASP Vicnum | see note | SQL Injection Login Bypass | Injection
Peruggia | Medium | Directory Traversal | Path Traversal
Peruggia | Medium | Local File Inclusion | Local File Inclusion
Peruggia | Medium | Reflected XSS | XSS
Peruggia | Medium | Lack of access controls | Lack of access controls
Simple ASP.NET Forms | Medium | Reflected XSS in http://owaspbwa/mono/simplereflected-xss.aspx | XSS

Note: the source rates three of the six Vicnum entries High and three Medium; which rows carry which rating did not survive extraction.

2.4.1 Test bed III

Website | Severity | Summary | Category
TikiWiki | High | Remote PHP Injection (CVE-2007-5423) | Injection
TikiWiki | Medium | CVE-2008-1047 | XSS
TikiWiki | Medium | XSS vulnerability in tiki-special_chars.php (CVE-2007-6526) | XSS
TikiWiki | Medium | Directory traversal in tiki-listmovies.php (CVE-2007-6528) | Local File Inclusion
TikiWiki | Medium | Cross-site scripting (XSS) vulnerability in tiki-featured_link.php (CVE-2006-5703) | XSS
WordPress | High | Command Injection | Injection
WordPress | High | SQL Injection | Injection
WordPress | High | SQL Injection | Injection
WordPress | High | Malicious File Execution | Malicious File Execution
Yazd | Medium | Reflected XSS in http://owaspbwa/yazd/bay/post.jsp | XSS
Yazd | Medium | Reflected XSS in http://owaspbwa/yazd/bay/account.jsp | XSS
Yazd | Medium | CSRF to change password and e-mail | CSRF

2.4.2 Vulnerability category in test bed

Share of the test-bed vulnerabilities by category (pie chart): XSS 43%, Injection 27%, Insecure Direct Object References 18%, Broken Authentication and Session Management 3%, CSRF 3%, Malicious File Execution 3%, State Manipulation 3%.

2.4.3 The Detection Accuracy

The Total Detection Accuracy (32 vulnerabilities)
Scanner | Detection rate | False positives
Skipfish | 3/32 | 2
Wapiti | 14/32 | 13
Arachni | 16/32 | 11
Acunetix | 15/32 | 36
Websecurify | 10/32 | 13

The XSS Detection Accuracy (14 vulnerabilities)
Scanner | Detection rate | False positives
Skipfish | 2/14 | 1
Wapiti | 10/14 | 5
Arachni | 11/14 | 4
Acunetix | 13/14 | 17
Websecurify | 10/14 | 13

The Injection Detection Accuracy (9 vulnerabilities)
Scanner | Detection rate | False positives
Skipfish | 0/9 | 0
Wapiti | 5/9 | 7
Arachni | 1/9 | 4
Acunetix | 0/9 | 0
Websecurify | 2/9 | 5

Insecure Direct Object References Detection Accuracy (6 vulnerabilities)
Scanner | Detection rate | False positives
Skipfish | 1/6 | 1
Wapiti | 2/6 | 0
Arachni | 0/6 | 0
Acunetix | 0/6 | 0
Websecurify | 1/6 | 1
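The detection rates and false-positive counts above come from matching each scanner's reports against the known test-bed vulnerabilities. As an added example (not the authors' tooling), the Python below scores a constructed set of scanner findings against a subset of the section 2.4.1 test bed, counting a report only when both page and category match; the URLs for the GetBoo and Peruggia entries are assumed, since the slides give none.

```python
"""Scoring harness for detection-accuracy tables like those in 2.4.3.
Assumes scanner output has been normalised to (url, category) pairs."""
from collections import defaultdict
from urllib.parse import urlsplit

# Subset of the section 2.4.1 test bed; two URLs are constructed.
GROUND_TRUTH = [
    ("http://owaspbwa/gtdphp/editChecklist.php", "XSS"),
    ("http://owaspbwa/gtd-php/editList.php", "XSS"),
    ("http://owaspbwa/vicnum/vicnum5.php", "XSS"),
    ("http://owaspbwa/getboo/password.php", "Injection"),  # constructed URL
    ("http://owaspbwa/peruggia/index.php", "Insecure Direct Object References"),  # constructed URL
]

# Constructed scanner output covering the cases a scorer must get right.
SAMPLE_FINDINGS = [
    ("http://OWASPBWA/gtdphp/editChecklist.php?id=1", "XSS"),  # hit: host case and query differ
    ("http://owaspbwa/gtdphp/editChecklist.php?id=2", "XSS"),  # same bug reported twice: one hit
    ("http://owaspbwa/vicnum/vicnum5.php", "XSS"),             # hit
    ("http://owaspbwa/getboo/password.php", "XSS"),            # right page, wrong category: FP
    ("http://owaspbwa/getboo/password.php", "Injection"),      # hit
    ("http://owaspbwa/yazd/bay/index.jsp", "Security Misconfiguration"),  # not in test bed: FP
]

def normalise(url):
    """Keep scheme, lower-cased host and path; query strings vary per request."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc.lower()}{p.path}"

def score(findings, ground_truth=GROUND_TRUTH):
    """Return {category: (detected, total, false_positives)} plus a 'Total' row.
    Unmatched findings are false positives; those in categories absent from
    the test bed appear in the Total row only."""
    truth = {(normalise(u), c) for u, c in ground_truth}
    total, hits, fps = defaultdict(int), defaultdict(set), defaultdict(int)
    for _, c in truth:
        total[c] += 1
    for u, c in findings:
        key = (normalise(u), c)
        if key in truth:
            hits[c].add(key)   # a set, so duplicate reports count once
        else:
            fps[c] += 1
    result = {c: (len(hits[c]), total[c], fps[c]) for c in total}
    result["Total"] = (sum(len(s) for s in hits.values()), len(truth), sum(fps.values()))
    return result

def as_table(scanner, result):
    """Render rows in the layout of the 2.4.3 tables: scanner | category | rate | FPs."""
    return "\n".join(f"{scanner} | {cat} | {d}/{n} | {fp}" for cat, (d, n, fp) in result.items())
```

For the constructed findings the Total row reads 3/5 detected with 2 false positives, and the XSS row 2/3 with 1 false positive.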