Acunetix Web Vulnerability Scanner

Presentation transcript:

Acunetix Web Vulnerability Scanner
Introduction to Acunetix and Web Security
Is Your Website Hackable? Check with Acunetix Web Vulnerability Scanner.

Company Overview
- Founded 2004
- Pioneer in Web Application Security
- Unique Technology - AcuSensor
- OWASP Member
- Award Winning Software
- Fortune 500 Customers
- License Holder of IBM Patent, Patent # 6,584,569

Notes: Acunetix is a pioneer in the web application security business. Founded in 2004, its technology was developed by networking and web security experts. Acunetix was founded to combat web site hacking, which is on the rise; the number of victims and the cost are increasing every day. The Acunetix development team consists of highly experienced security developers who each spent years developing network security scanning software before starting development on Acunetix WVS. Acunetix is an OWASP partner and its Acunetix Web Application Security Scanner has won many comparative reviews, including reviews by <name>. As an industry pioneer, Acunetix is a license holder of IBM patent #. This is important for Fortune 500 customers in order to be protected from potential lawsuits. Some web app scanners do not have this license, and this leaves the scan license holder open to potential lawsuits from IBM. (Input OWASP, HIPAA, PCI logos?)

Government Customers
- FAA
- US Coast Guard
- US Department of Energy
- National Weather Service
- NASA
- WHO
- South Yorkshire Police
- National Health Service UK
- Queensland Government
- US Geological Survey
- Saudi Food & Drug Authority

Notes (Acunetix Clients): Leading organizations worldwide choose Acunetix as their web scanner of choice, including the US Air Force, the US Army, Barclays Bank, Adidas, Levis, IBM, France Telecom and more. Acunetix is chosen because of its cutting-edge technology and industry leadership.

Military Customers
- US Army
- US Air Force
- The Pentagon
- Taiwan Ministry of National Defense
- Korean People’s Army Air Force
- Norwegian Armed Forces

IT & Telecom Customers
- British Telecom
- Samsung
- Panasonic
- T-Mobile
- Siemens
- Nokia
- France Telecom
- Fujitsu
- Telstra
- Turk Telecom
- Skype
- Telefonica

Financial Customers
- Credit Suisse
- PricewaterhouseCoopers
- HSBC
- Bank of China
- ING
- Deloitte
- American Express
- Deutsche Bank
- Barclays Bank

Educational Customers
- American Naval War College
- Penn State University
- Columbia University Medical Center
- Potsdam University
- The Hong Kong Polytechnic University
- The University of Adelaide
- The Ohio State University
- University of Reading
- Victoria University

Other Clients
- Danone
- CERN
- Adidas
- Air New Zealand
- Qatar Airways
- AXA
- Canon
- Betfair
- Travelex
- Nikon
- Carrefour
- Hilton
- Lonely Planet
- Avis
- Sony

Why Web Application Security?
- Hackers are concentrating on web applications
- Shopping carts and login pages are at risk
- Web apps are publicly available 24/7
- Web apps are often custom made and therefore less tested
- Firewalls/network level defenses provide no protection!
- You must audit your web applications!

Why Hackers Hack
- Gain access to sensitive data (credit card data)
- Run phishing sites
- Run botnets
- Distribute illegal content
- Improve ranking

The Cost of Being Hacked
- Loss of customer confidence and thus revenue
- Loss of ability to accept VISA, MC, AMEX and PayPal
- Significant website downtime
- Cost of rebuilding website and server
- Loss of customer data can result in court cases

Famous Website Hacks (www.acunetix.com/blog)
- 11th April 2011 - Barracuda Networks: SQL injection vulnerability despite web app firewall
- 27th March 2011 - MySQL.com: SQL injection attack
- 4th July 2010 - YouTube hacked: Cross-Site Scripting (XSS) vulnerability
- 6th February 2010 - Kaspersky: SQL injection vulnerability

Notes: Hackers are finding security holes in websites every day. Some of the hacks lead to site defacement, some lead to customers’ records being stolen, and others give hackers access to and control of hardware. It is also well known that custom made or in-house developed websites and web applications are more susceptible to attacks, since usually a lesser degree of testing is done compared to off-the-shelf software. Web servers are usually connected to big networks, as in a web server farm, or they are part of the DMZ in an enterprise network. If a website is hacked, the hacker is one step away from gaining access to the whole network, including other internal servers and other network attached devices and computers. This shows the importance of securing the website or web application itself and not just the network around it.

Why Choose Acunetix Web Vulnerability Scanner?
Key Features and Unique Selling Points

Industry Leading Crawler
- State-of-the-art crawler technology
- Client Script Analyzer (CSA)
- A good crawler reduces false positives
- Web 2.0, JavaScript, jQuery and Ajax supported with the CSA engine

Industry Leading Crawler (continued)
- Detection of custom 404 pages
- Able to traverse login areas using the login recorder
- Can handle CAPTCHA forms
- Supports single sign-on and security token mechanisms
- Understands the scope of a page and can act accordingly
- AcuSensor technology can also find unlinked files and can deal with URL rewriting rules
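The custom-404 detection the crawler slides mention works by first fingerprinting what the site returns for paths that cannot exist, then recognising that same "soft 404" page later so it is not scanned or reported as real content. The following is an added example of that technique, written for this transcript and not Acunetix's own code; the demo site (`demo_fetch`, `_PAGES`) and its pages are constructed here.

```python
import difflib
import random
import string
from dataclasses import dataclass
from typing import Callable


@dataclass
class Response:
    status: int
    body: str


def random_path(length: int = 16) -> str:
    """A path that is vanishingly unlikely to exist on the target."""
    return "/" + "".join(random.choices(string.ascii_lowercase, k=length))


def normalize(body: str, path: str) -> str:
    """Drop the requested path (custom error pages often echo it back) and
    collapse whitespace, so error pages for different paths compare equal."""
    if len(path) > 1:  # never strip a bare "/", it would eat every closing tag
        body = body.replace(path, "")
    return " ".join(body.split())


class NotFoundDetector:
    """Learns the site's 'page not found' fingerprint from a few random paths,
    then classifies later responses against it (status code plus body similarity)."""

    def __init__(self, fetch: Callable[[str], Response], samples: int = 2,
                 threshold: float = 0.9) -> None:
        self.threshold = threshold
        self.fingerprints: list[tuple[int, str]] = []
        for _ in range(samples):
            path = random_path()
            resp = fetch(path)
            self.fingerprints.append((resp.status, normalize(resp.body, path)))

    def is_not_found(self, path: str, resp: Response) -> bool:
        if resp.status == 404:
            return True  # a real 404 needs no heuristics
        text = normalize(resp.body, path)
        for status, fingerprint in self.fingerprints:
            if status != resp.status:
                continue
            ratio = difflib.SequenceMatcher(None, fingerprint, text).ratio()
            if ratio >= self.threshold:
                return True  # same status and near-identical body: a soft 404
        return False


# Constructed demo site: every unknown path gets HTTP 200 with a branded error page.
_PAGES = {
    "/": "<html><body><nav>Home Login</nav><h1>Welcome</h1><p>Our shop.</p></body></html>",
    "/login": ("<html><body><nav>Home Login</nav><h1>Sign in</h1>"
               "<form method='post'><input name='user'><input name='pass'>"
               "<button>Go</button></form></body></html>"),
}


def demo_fetch(path: str) -> Response:
    if path in _PAGES:
        return Response(200, _PAGES[path])
    return Response(200, ("<html><body><nav>Home Login</nav><h1>Page not found</h1>"
                          f"<p>Sorry, {path} does not exist on this server.</p>"
                          "</body></html>"))


def classify(paths: list[str]) -> dict[str, bool]:
    """Map each candidate path to whether the detector treats it as not found."""
    detector = NotFoundDetector(demo_fetch)
    return {p: detector.is_not_found(p, demo_fetch(p)) for p in paths}
```

Without this step a crawler would record every guessed path on such a site as a live page, and each one becomes a candidate for false positives.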

Acunetix AcuSensor Technology
- Combines black box scanning & source code analysis
- Analyzes code whilst it is executed!

Acunetix AcuSensor Technology (continued)
- Detection of more vulnerabilities
- Fewer false positives
- Finds configuration issues in the web server or runtime environment

AcuSensor Reports Advanced Debug Information
- Reports the SQL query vulnerable to SQL Injection, the POST variable and the stack trace
- Pinpoints the line of code with the security issue thanks to AcuSensor Technology

Notes: The amount of debug information AcuSensor Technology reports helps the developer understand and solve the issue much quicker. It also trains developers in writing more secure code. Once a SQL injection is found, AcuSensor reports the source file using the query, the vulnerable SQL query and the stack trace information to help troubleshoot and solve the issue. If a cross-site scripting vulnerability or directory traversal issue is found, AcuSensor Technology reports the vulnerable source file, the line number of the source code which leads to the vulnerability and all related variables and calls.

AcuSensor Reports Advanced Debug Information (screenshot)
Indicates where in your code the vulnerability is

Lower False Positives
- Includes advanced techniques to verify vulnerabilities
- Analyzes the response and fine-tunes the attack
- AcuSensor does not rely on application feedback only
- Analyzes what the app does during execution
- Results in significantly lower false positives
- Saves security officers and developers time!

Advanced SQL Injection
- Best in class SQL Injection detection
- Comparative review confirmed that Acunetix detected many more SQL Injection vulnerabilities than other scanners
- Can do Blind SQL Injection checking
- AcuSensor checks all SQL statements, including SQL INSERT

Notes: Acunetix SQL injection detection is best in class. Unlike anti-virus or network security scanning, it is important for a web application security scanner to be able to intelligently scan for SQL injection issues and try out security issues in an innovative manner. It should also be able to perform blind SQL injection security scanning. Cross-site scripting is another important area. It is important for customers to understand that web application security is unlike anti-virus: what matters is not how many security vulnerabilities the scanner can detect but how many variations of the leading security vulnerabilities, SQL injection and cross-site scripting, it can detect.
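The AcuSensor slides above describe pairing the black-box SQL injection probe with in-process visibility of the executed statement and the code location that issued it. This added example (not Acunetix code) illustrates that idea with a hypothetical `QuerySensor` built on sqlite3's trace callback, beside the deliberately vulnerable concatenated query and its parameterised fix; the users table and the `PROBE` string are constructed for the demo.

```python
import inspect
import sqlite3
from dataclasses import dataclass


@dataclass
class QueryRecord:
    sql: str        # statement as the database engine saw it
    function: str   # application function that issued it
    line: int       # line in this file where execute() was called


class QuerySensor:
    """Hypothetical in-process sensor (not AcuSensor itself): hooks the database
    driver and records every executed statement together with the application
    frame that issued it, so a finding can be tied to a query and a code location."""

    def __init__(self, conn: sqlite3.Connection) -> None:
        self.records: list[QueryRecord] = []
        conn.set_trace_callback(self._on_statement)

    def _on_statement(self, sql: str) -> None:
        # The trace callback runs inside execute(); the previous Python frame is
        # therefore the application code that issued the query.
        caller = inspect.currentframe().f_back
        self.records.append(QueryRecord(sql, caller.f_code.co_name, caller.f_lineno))

    def findings_for(self, function: str) -> list[QueryRecord]:
        return [r for r in self.records if r.function == function]


def make_db() -> sqlite3.Connection:
    """Constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Deliberately vulnerable: untrusted input is concatenated into the statement.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_fixed(conn: sqlite3.Connection, name: str) -> list:
    # Fixed form: a bound parameter can never alter the statement's structure.
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


PROBE = "' OR '1'='1"  # constructed scanner-style probe


def run_demo() -> tuple:
    """Run both lookups with the probe and return the sensor plus the row sets."""
    conn = make_db()
    sensor = QuerySensor(conn)
    vulnerable_rows = find_user_vulnerable(conn, PROBE)
    fixed_rows = find_user_fixed(conn, PROBE)
    return sensor, vulnerable_rows, fixed_rows


if __name__ == "__main__":
    sensor, vuln, fixed = run_demo()
    for rec in sensor.records:
        print(f"{rec.function}:{rec.line}  {rec.sql}")
    print("vulnerable returned", len(vuln), "rows; fixed returned", len(fixed))
```

The sensor's record for `find_user_vulnerable` shows the probe folded into the statement text and names the function and line that built it, which is the kind of detail a developer needs to locate and fix the concatenation rather than just the URL that triggered it.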

Advanced Cross-Site Scripting
- Detects more Cross-Site Scripting (XSS) vulnerabilities
- Analyzes whether characters are encoded or filtered
- Adapts analysis based on the application response
- Uses a heuristic approach that focuses on hacking methods
- Does not launch the fire-and-forget checks which other scanners do

User Friendly Interface
- All tools integrated in a single, easy to use GUI

Notes: Acunetix Web Vulnerability Scanner is built on cutting-edge technology that allows both automated and manual audits. With the automated scan, one can start scanning a website in a matter of seconds. It also saves time in the process of securing the website or web application. If you are a beginner in web security, the Acunetix WVS friendly wizard helps you get started. In addition, Acunetix WVS also includes a suite of manual tools for further manual testing. With its user friendly interface, Acunetix WVS makes web security easy for everyone. In a matter of seconds an inexperienced user can launch a scan and start securing his web application.

Easy Configuration, Little Tuning
- Custom 404 detection
- Automatic detection of technologies used (PHP, ASP etc.)
- Point-and-click configuration of authenticated areas
- Easily configure how to traverse CAPTCHAs
- Manually scan a page and submit it to the scanner for analysis

Advanced Penetration Testing Tools
Includes advanced penetration testing tools:
- HTTP Editor
- HTTP Sniffer
- HTTP Fuzzer
- Authentication Tester
- Blind SQL Injector

Notes: This suite of advanced penetration testing tools is available to help penetration testers and security experts facilitate the manual audit process that takes place while securing a web application or website. An automated scanner does not always cover all security tests of a target website or web application; it depends on many factors. Using this suite of tools, a penetration tester or security expert can run his own tests against the target and also automate some of the manual audit procedures, thus saving valuable time.
HTTP Editor: The HTTP Editor tool allows you to create, analyze and edit client HTTP requests and server responses.
HTTP Sniffer: The HTTP Sniffer tool is a proxy server which allows you to capture, edit and filter requests made between a web client (browser or other HTTP application) and a web server, or vice versa. This can also be used to crawl parts of a website or web application manually.
HTTP Fuzzer: Using the HTTP Fuzzer, a rule can be created to automatically replace a part of a URL with a number, character or any other type of generator. Only valid results will be reported. This makes it possible to quickly test 1000 queries while significantly reducing the amount of time and manual input.
Blind SQL Injector: Ideal for penetration testers, the Blind SQL Injector is an automated database data extraction tool. By importing SQL injections found when scanning a website into this tool, one can see what a serious impact an SQL injection can have on the website.
Authentication Tester: The Authentication Tester is a tool used to test the strength of passwords within HTTP or HTML forms authentication environments via a dictionary attack. This helps automate processing where human intervention cannot be faster.

Powerful Reporting
- For developers, managers or compliance
- Legal and Compliance reports: PCI, HIPAA, Sarbanes-Oxley
- Security Standards: OWASP Top 10, CWE/SANS Top 25, DISA, NIST, Web Application Security Consortium

Notes (The Reporter, detailed reporting): For every vulnerability reported, an extensive amount of detail is presented to the user to help him understand what the vulnerability is, its impact and what is leading to it. This also helps developers who are not familiar with web security to trace the vulnerability and fix it in the shortest time possible. Using AcuSensor technology, the report even states which line in the code is vulnerable or which SQL query is vulnerable to SQL injection, including the stack trace. From the selection of already available templates in the reporter, one can generate any of the following report styles:
- Detailed scan report: all scan details, including solution tips, are in the report
- Developer report: a report targeted at developers to help them fix issues in the website or web application quickly
- Executive report: a report targeted at executives, giving them a summary of the security status of their web application or website
- Compliance report: from these report templates one can generate PCI, OWASP, WASC, HIPAA and other compliance reports
- Scan comparison report: use this report to compare 2 scans of the same target
- Monthly vulnerabilities report: use this report to see vulnerability trends by month and vulnerability group
Reports can also be exported to other formats to share with colleagues, such as PDF, Word document, HTML and more. The reports can also be modified to add a company logo and to change the page setup (available in the Consultant version only).

Detailed Vulnerability Fixing Suggestions
Includes detailed vulnerability fixing suggestions:
- Detailed description
- Links to articles

Competitive Pricing (http://www.acunetix.com/ordering/pricing.htm)
- Competitively priced
- Starting from only €995
- Available in 5 editions:
  - Small Business Edition: 1 nominated website
  - Enterprise Edition: unlimited websites
  - Enterprise Edition x10 Instances: unlimited websites
  - Consultant Edition: unlimited websites
  - Consultant Edition x10 Instances: unlimited websites

Notes: Acunetix is very competitively priced compared to competing products; because the company is able to sell volume, it is able to sell licenses at approximately 60 percent of the cost of comparable solutions. Pricing starts from €995 / $1445. Acunetix is available in 3 versions: a Small Business version which scans one designated website, an Enterprise edition which can scan an unlimited number of sites, and a Consultant version which allows you to scan sites for customers. Additional pricing information at http://www.acunetix.com/ordering/pricing.htm

Thank You
- Acunetix Blog: http://www.acunetix.com/blog
- Acunetix Facebook Page: http://www.facebook.com/Acunetix
- List of Checks Run by Acunetix WVS: http://www.acunetix.com/support/vulnerability-checks.htm
- www.Acunetix.com

Notes: For more information and to download Acunetix, visit our website at acunetix.com. Thank you.