
© 2004 by WhiteHat Security, Inc. http://www.whitehatsec.com

Jeremiah Grossman (CEO)
WhiteHat Security, Inc.

Challenges of Automated Web Application Scanning
"Why automated scanning only solves half the problem."
Blackhat Windows 2004
Seattle, WA


Speaker Bio
Jeremiah Grossman (Chief Executive Officer)

Founded WhiteHat Security in 2001

Former Yahoo! Information Security Officer

Primary developer of WhiteHat Arsenal, Web Server Fingerprinter, CIS Apache Benchmark Tool, and platform for Sentinel

Performed over 300 web application security assessments


Topics of conversation
Web application security landscape

Top 5 myths of web site security

Tools only solve half the problem

6 ways to improve web application security

Mission: Develop a process for securing web sites


Web Security is about Layer 7

Layer 1-6 security solutions are ineffective for web security


Web Security Hacks in the News

Guess
200,000 credit card numbers compromised

SQL Injection permitted a properly-crafted URL to have direct access to the customer database. FTC Settlement prohibits the company from misrepresenting the security of personal information collected from or about consumers.

Howard Beales - FTC's Bureau of Consumer Protection
"Consumers have every right to expect that a business that says it's keeping personal information secure is doing exactly that"


Web Security Hacks in the News

Victoria’s Secret
Fined $50,000 by the FTC

Customer order information accessible by changing a number in the URL. Must implement security reforms outlined by the Federal Trade Commission.

Eliot Spitzer - New York State Attorney General
"A business that obtains consumers' personal information has a legal duty to ensure that the use and handling of that data complies in all respects"

Also hacked: Travelocity, RIAA, FTD.com, Creditcards.com, Tower Records, CDUniverse


Attractive Targets

The Gartner Group
“97% of the over 300 Web sites audited were found vulnerable to web application attack.”

“75% of the cyber attacks today are at the application level.”

Delivering data that’s valuable

Credit card numbers
Bank account information
Personal and private information
Medical history


More business applications are moving to the web.

FTC Privacy Issues

Sarbanes-Oxley

Graham-Leach-Bliley

HIPAA

The Feds are getting restless


Who’s in charge?


Top 5 myths of web site security

I am secure because...

We use 128-Bit SSL

Firewalls protect the web site

ISS/Eeye/Nessus shows no issues

My application scanner found no issues

We have annual security assessments


Encrypted in between

SSL only protects traffic passing between the web site and the client

[Diagram: Users and Hackers both reach the web site over SSL]


Opening 80 and 443

[Diagram: Firewall (Port 443 Open), IDS, SSL, Hackers]


A scanner for every day of the week


How web application scanners scan

Network Security Scanning:

“Identifying known vulnerabilities in known code.”

Web Application Security:

“Identifying known classes of vulnerabilities in unknown code.”


Today’s best practices fall short

[Timeline: 1 week assessed, 51 weeks insecure; weekly code pushes]

One time assessments are the norm
Web sites change frequently
Cost prohibitive to perform more than once
Scanning tools only solve half the problem
Scanners only handle technical vulnerabilities
Current products are not robust


Tools, the incomplete solution


2.5 Years of R&D
WhiteHat’s Team

Performed security assessments on over 1,000 web sites. Spent the last two years developing Sentinel, our web application scanning technology. Sentinel required an incredible R&D effort to overcome unforeseen challenges.

Challenges of Automated Scanning

Remote Scanning, Automated Login, Infinite Web Sites, Rate-of-Change, Strange URL Structure, Client-Side Scripting, Anti-Automation, Multi-Page Sequence, Authentication System Auditing, and Non-Standard Errors to name but a few.


Two kinds of issues

Scanners are unable to identify flaws in business logic.

The most devastating attacks are found by people.


Technical vulnerability

String of code or repeatable pattern that a computer can be programmed to recognize.

If I put a single quote there and get an ODBC error then there is a SQL Injection vulnerability.


Logical flaws
“At step 3 of the wire transfer process, change the account parameter to point to the account you wish to transfer funds from. Continue changing the parameter on the next 2 steps of the transfer process.”

A scanner is unable to determine context of good or bad


Humans vs. Scanners
Humans, as well as automated scanners, are best suited for identifying different types of security issues.

Scanners can be expected to be very thorough in the testing process, but are only able to identify “technical” vulnerabilities.

These automated scanners will not uncover multi-page sequence problems that often occur in complex web applications.

A human possesses the ability to analyze a large set of circumstances and determine if a weakness in a process exists.


Automating vulnerability discovery
Halting Problem

The halting problem is a decision problem which can be informally stated as follows:

“Given a description of an algorithm and a description of its initial arguments, determine whether the algorithm, when executed with these arguments, ever halts.”

Undecidable Problem

“Not all problems can be solved. An undecidable problem is one that cannot be solved by any algorithm, even given unbounded time and memory.”


State-of-the-Art

Technical vs. Logical: 50/50


Starting from zero

No access to source code

No access to binaries

No preexisting knowledge about the software distribution or architecture

There is nothing known!

Remote black box scanning


Automated Login
Most authentication systems are set up differently.

If a valid session is not maintained, the scan is invalid because full application functionality cannot be exercised.

The web application scanner must be able to generically login to a web application on demand.


Infinite web sites

@ 2 HTTP requests per second = 2.9 days to crawl

Dynamic Web Sites:
Rate of addition
Rate of decay
Database of items
500,000+ links
Dynamic URL creation

Many web sites are enormous and crawling the entire site in a reasonable amount of time is impossible. Must compile an accurate structural map.


Model the web site structure
Condense the amount of links we need to crawl and create a complete application structural map of the web site.

Locate all web applications and all unique parameter name instances


Detecting Logout
Logout can occur by:

Clicking logout links, timing out, application errors, session expiration, etc, etc, etc, …

A scanner will at some point become logged out. How does the scanner know when that happens?


Detecting an Invalid Session
We designed a system that performs preliminary tests on the web application to learn the login/logout nuances.
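One way the "preliminary tests" of the last three slides can work, as an added example that is not Sentinel's code: the scanner fetches one canary page while logged in and while logged out, keeps a fingerprint of each state, and re-checks that fingerprint during the scan so a silent logout (here a 200 OK that bounces to the login form) is noticed and repaired. The fake application, the credentials and the fingerprint features are all constructed assumptions.

```python
# Added example (not from the WhiteHat slides): learning and re-checking
# session validity. HTTP is simulated by FakeApp so the block runs offline.
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    final_url: str   # URL after any redirects
    body: str


class FakeApp:
    """Constructed stand-in for a site with cookie-style sessions. Note the
    non-standard logout behaviour: no 401/302, just a 200 with a login form."""
    def __init__(self):
        self.valid = set()

    def login(self, user, password):
        if password != "correct horse":          # constructed credential
            return None
        token = f"sess-{user}"
        self.valid.add(token)
        return token

    def expire(self, token):                     # timeout, app error, ...
        self.valid.discard(token)

    def get(self, url, token=None):
        if token in self.valid:
            return Response(200, url, "<h1>Account</h1>Welcome back "
                                      "<a href='/logout'>Log out</a>")
        return Response(200, "/login?next=" + url,
                        "<form action='/login'>Please sign in</form>")


class SessionMonitor:
    """Learns what one canary URL looks like logged in vs. logged out."""
    def __init__(self, app, canary):
        self.app, self.canary, self.token = app, canary, None
        self.in_sig = self.out_sig = None

    def _signature(self, resp):
        # Features that usually differ between the two states (assumption):
        # status, whether we stayed on the canary URL, login/logout markers.
        body = resp.body.lower()
        return (resp.status, resp.final_url == self.canary,
                "log out" in body or "logout" in body,
                "sign in" in body or "login" in body)

    def learn(self, user, password):
        self.token = self.app.login(user, password)
        if self.token is None:
            raise RuntimeError("login failed: scan would be invalid")
        self.in_sig = self._signature(self.app.get(self.canary, self.token))
        self.out_sig = self._signature(self.app.get(self.canary, None))
        if self.in_sig == self.out_sig:
            raise RuntimeError("states indistinguishable: pick another canary")

    def session_valid(self):
        return self._signature(self.app.get(self.canary, self.token)) == self.in_sig

    def fetch(self, url, user, password):
        """Scan-time fetch; re-login first if the session has dropped.
        Returns (re_logged_in, response)."""
        if not self.session_valid():
            self.learn(user, password)
            return True, self.app.get(url, self.token)
        return False, self.app.get(url, self.token)
```

The canary check costs one extra request per page, which is the price of knowing every scan result was produced with a valid session.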


Multi-Page Sequence
Web sites will commonly have multi-page business processes utilizing HTML forms. The user must properly perform certain steps through the process to move on.

Application flow is VERY difficult to traverse and map automatically by a web application scanner. The scanner has no context to decide what to put into a form field or whether the answer it receives is either good or bad.


Rate-of-Change
Web applications are constantly changing. Normally there are one or more new revisions a year with incremental updates.

Every new line of code potentially introduces new security issues.

Rate of change negatively affects the ability to complete a scan and maintain login state.


Map the URL structure
The normal web application URL structure has a “?” delimiting the file name from the parameters. However, developers have realized that many web spiders will not index dynamic data so they have opted for some non-standard URL trickery.

The goal is to identify:
Web application filename
Web application parameter names and values

Even if:
There is no question mark
No “&” and uses strange delimiters.
Strange file extension (like .html)


Normal URL Structure

Normal:

/articles/03/08/19/1748206.shtml?tid=109&tid=111&tid=126

/news?hl=en&edition=us&q=a&btnG=Search+News

/shopping/category.asp?categoryID=11

/weeknight_survival.asp?wday=3&ww=this

Inject into the name value pairs


Strange URL Structure

Strange, where is the injection point?

/gp/browse.html/10217298046144934?node=1036592

/exec/obidos/ASIN/B00009J5VW/ref=e_hp_cb_3_1/12-1729804-6144934

/srs7/sid=030803095821064050032/g=home/search/detail/base_pid/271134/

/catindex/computers.html?ssPageName=MOPS5:HEC03

/exec/obidos/subst/home/home.html/102-17298046144934

/shop/enter.asp?category=2378467~2378483


Client Side Scripting
Dynamic Link Menus
Sometimes web sites will have menus and style-sheets which create hyperlinks on the fly. In these cases, web crawlers have an extremely difficult time traversing the site since the links are not yet built or parse-able.

HTML Encryption
Some web sites will have their HTML encrypted and then decrypted by JavaScript when read into the browser.


Authentication System Auditing
Many web application authentication systems are inherently weak. Many are susceptible to session hi-jacking, session replay, etc.

Cookie: T=user=100 or Cookie: T=user=101

or
Cookie: S=UID=ae5fad5ad6a8asd6as9

Even if the scanner does twiddle the bits, how does the scanner know when something works or does not work, or what's good or what's bad? How does a scanner know when it accesses another user's bank account?

“Scanner is not able to generically determine context of good or bad”


Non-Standard Not-Found
Not Found does not always mean, “Not Found”.

Not everyone is RFC compliant
Universal Error Catching
Error strings are different


Standard Responses
Web application scanning will become harder in the future as more systems are configured by default to suppress error messages.


Error Response Messages
Application Errors:

SQL Injections

Cross-Site Scripting

Command Injection

Removing response messages helps prevent exploitation. However, it prevents scanners from finding the vulnerabilities. Lots of false positives.
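The response classifier behind a "technical" check as the earlier slide describes it (single quote in, database error out), together with the two ways the last three slides say that signal gets lost: a Not Found page that is not a 404, and an error message that has been suppressed. This is an added example, not a product's signature database; the responses are constructed and the signature list is deliberately short.

```python
# Added example (not from the WhiteHat slides): classifying one probe response.
import re

# Error fragments a scanner can be programmed to recognise (slide 19).
SQL_ERROR_SIGNATURES = [
    re.compile(r"ODBC .*Drivers? error", re.I),
    re.compile(r"You have an error in your SQL syntax", re.I),
    re.compile(r"unclosed quotation mark", re.I),
]
# Phrases a 200 OK page may carry when the site catches every error itself
# and never sends a real 404 (slide 37).
SOFT_404_PHRASES = re.compile(r"page (not found|cannot be found)|no such page", re.I)


def is_not_found(status, body):
    """Not Found does not always mean 'Not Found': accept the RFC status code
    or a 200 whose body says so."""
    return status == 404 or (status == 200 and bool(SOFT_404_PHRASES.search(body)))


def classify(baseline, probe):
    """baseline: (status, body) for the parameter's normal value;
    probe: (status, body) for the same request with a single quote appended.
    Returns 'vulnerable', 'inconclusive', 'no-signal' or 'not-found'."""
    b_status, b_body = baseline
    p_status, p_body = probe
    if is_not_found(p_status, p_body):
        return "not-found"          # the parameter never reached application code
    if any(sig.search(p_body) for sig in SQL_ERROR_SIGNATURES):
        return "vulnerable"         # repeatable pattern: the scanner's strong case
    if p_status != b_status or p_body != b_body:
        # Something changed but there is no error text. With messages
        # suppressed (slide 38) this is all a scanner ever sees, and only a
        # person can decide whether it is good or bad (slide 39: false positives).
        return "inconclusive"
    return "no-signal"


# Constructed sample responses for one parameter under three server setups.
VERBOSE = ((200, "<h1>Item 11</h1>"),
           (500, "Microsoft OLE DB Provider for ODBC Drivers error '80040e14'"))
SUPPRESSED = ((200, "<h1>Item 11</h1>"),
              (200, "<h1>Sorry, an error occurred. Please try again.</h1>"))
SOFT_404 = ((200, "<h1>Item 11</h1>"),
            (200, "<h1>Page not found</h1>"))

if __name__ == "__main__":
    for name, pair in (("verbose", VERBOSE), ("suppressed", SUPPRESSED),
                       ("soft-404", SOFT_404)):
        print(name, "->", classify(*pair))
```

An 'inconclusive' verdict is the correct output for a hardened server, not a scanner defect: it marks the request for the human half of the process rather than reporting a finding the evidence does not support.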


Anti-Automation
If a computer is not supposed to automate the process, then how can a scanner?


Lessons learned?

We all have security issues in our web sites

One-time security assessments are not enough

Continuous security review by qualified personnel

Scanners help, but not a complete solution


Process: Combined Approach

People
Evaluate results
Assess business logic

Technology
Continuous scanning
Thorough scan
Augments people


6 ways to improve web security

Experienced web security staff must perform assessments at least once a quarter.

Automated vulnerability scans should be performed at least twice a month or as application change demands.

The security scanner should cover all technical security issues, be able to support large web sites, maintain a logged-in state, yield a low volume of false positives, and remain current.

Application developers must consider security from thebeginning.

Involve security staff early in the development process.

Stay patched and configure properly.


Thank You - Questions?

Jeremiah [email protected]

http://www.whitehatsec.com