A Scanner Sparkly Web Application Proxy Editors and Scanners

Vulnerability Finders What is a scanner? –A tool used by security professionals to locate vulnerabilities present in IT infrastructure What skills are required to use or interpret a scanner? –Depends on many factors (i.e. your brain) What else do I need to know? –A lot about HTTP, HTML, JS, Ajax, and XSS (i.e. RTFM. Also see: “your brain”)

Ways to find vulns Static analysis –Requires source code Source code isn’t that hard to get these days –Generates a lot of false positives More false positives usually also means less false negatives Dynamic analysis –Can find things that static analysis can’t –Also generates a lot of false positives

False what? False negative –Failure of a tool to report a weakness, where in fact there is one present in the code False positive –Reporting of a vulnerability by a tool, when there is none Vulnerability –A property of system security requirements, design implementation, or operation that could be accidentally triggered or intentionally exploited and result in a security failure * Taken from the WASC Glossary (

What method / what tool? Static analysis done with Fortify SCA (or similar tool) by experienced engineers that wrote, helped write, or are re-architecting an application or set of applications Dynamic analysis done by an internal or external vulnerability assessment team using custom-written tools that are written to expose the largest number of vulnerabilities against a web application

COTS Scanners / Fuzzers Strong code coverage via static analysis can be automated by a test harness “driven by a fuzzer” –For C/Java: jCUTE, concolic unit tester + smart fuzz –For.NET: Compuware SecurityChecker, fuzz tests Weak code coverage via dynamic analysis –Commercial tools often do OWASP 2007 Top Ten: A1, A2, A3, A4, A6, and mostly A10 (Unrestricted URL Access). What about A5, A7, A8, A9? –Some tools do targeted fault-injection, and usually only for basic JS, metacharacter, SQL, LDAP, XML –Fuzz testing is almost always random / cheap / poor

Test everything OWASP 2007 Top Ten, MITRE CWE, and WASC Threat Classifications NIST SAMATE Functional Specifications –Suggests reporting on defense levels as well as on literature-defined vulnerabilities –Defense levels are like Good Findings (also see Jaquith: Happy Metrics), but show how positive (aka good) findings are really more like good / better / best

Custom fuzz testing Justin Clarke, Network Security Tools –burpproxy (fast proxy editor that logs) + Perl Perl handles log parsing and LWP fault-injection Could be Python, Ruby, Unix Shell (e.g. cURL) Johnathan Wilkins, Blackhat / CanSecWest –WebScarab (popular editor from OWASP) –ProxMon (tool he wrote at iSecPartners) Written in Python, extensible (plugins, other proxies, etc) Rules from OWASP Testing Guide v2

Burp / WebScarab demo

Missing issues Overflows (buffer, integer, heap, format string) –Static analysis covers this. A new dynamic analysis method in additional demonstration Denial-of-Service (DoS) –Sorry, no demonstration today. But I will address this in the buffer overflow demonstration slightly Incorrect configurations –CISecurity.org (Apache Benchmark by Jeremiah Grossman), Month of PHP Bugs (and fixes!)

MSF-XB Demo

Thank you