Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-box Web Vulnerability Scanners

Khalil, Rana Fouad

19 December 2018

Black-box web application vulnerability scanners are automated tools that are used to crawl a web application to look for vulnerabilities. These tools are often used in one of two ways. In the first approach, scanners are used as Point-and-Shoot tools where a scanner is only given the root URL of an application and asked to scan the site. Whereas, in the second approach, scanners are first configured to maximize the crawling coverage and vulnerability detection accuracy. Although the performance of leading commercial scanners has been thoroughly studied, very little research has been done to evaluate open-source scanners. This paper presents a feature and performance evaluation of five open-source scanners. We analyze the crawling coverage, vulnerability detection accuracy, scanning speed, report- ing and usability features. The scanners are tested against two well known benchmarks: WIVET and WAVSEP. Additionally, the scanners are tested against a realistic web application called WackoPicko. The chosen benchmarks are composed of a wide range of vulnerabilities and crawling challenges. Each scanner is tested in two modes: default and configured. Lastly, the scanners are compared with the state of the art commercial scanner Burp Suite Professional. Our results show that being able to properly crawl a web application is a critical task in detecting vulnerabilities. Unfortunately, the majority of the scanners evaluated had difficulty crawling through common web technologies such as dynamically generated JavaScript content and Flash applications. We also identified several classes of vulnerabilities that are not being detected by the scanners. Furthermore, our results show that scanners displayed considerable improvement when run in configured mode.

web application

vulnerability scanners

penetration testing

web security

Analyse de vulnérabilités et évaluation de systèmes de détection d'intrusions pour les applications Web. / Web applications vulnerability analysis and intrusion detection systems assessment

Akrout, Rim

18 October 2012

Avec le développement croissant d’Internet, les applications Web sont devenues de plus en plus vulnérables et exposées à des attaques malveillantes pouvant porter atteinte à des propriétés essentielles telles que la confidentialité, l’intégrité ou la disponibilité des systèmes d’information. Pour faire face à ces malveillances, il est nécessaire de développer des mécanismes de protection et de test (pare-feu, système de détection d’intrusion, scanner Web, etc.) qui soient efficaces. La question qui se pose est comment évaluer l’efficacité de tels mécanismes et quels moyens peut-on mettre en oeuvre pour analyser leur capacité à détecter correctement des attaques contre les applications web.Dans cette thèse nous proposons une nouvelle méthode, basée sur des techniques de clustering de pages Web, qui permet d’identifier les vulnérabilités à partir de l’analyse selon une approche boîte noire de l’application cible. Chaque vulnérabilité identifiée est réellement exploitée ce qui permet de s’assurer que la vulnérabilité identifiée ne correspond pas à un faux positif. L’approche proposée permet également de mettre en évidence différents scénarios d’attaque potentiels incluant l’exploitation de plusieurs vulnérabilités successives en tenant compte explicitement des dépendances entre les vulnérabilités.Nous nous sommes intéressés plus particulièrement aux vulnérabilités de type injection de code, par exemple les injections SQL. Cette méthode s’est concrétisée par la mise en oeuvre d’un nouveau scanner de vulnérabilités et a été validée expérimentalement sur plusieurs exemples d’applications vulnérables. Nous avons aussi développé une plateforme expérimentale intégrant le nouveau scanner de vulnérabilités, qui est destinée à évaluer l’efficacité de systèmes de détection d’intrusions pour des applications Web dans un contexte qui soit représentatif des menaces auxquelles ces applications seront confrontées en opération. Cette plateforme intègre plusieurs outils qui ont été conçus pour automatiser le plus possible les campagnes d’évaluation. Cette plateforme a été utilisée en particulier pour évaluer deux techniques de détection d’intrusions développées par nos partenaires dans le cadre d’un projet de coopération financé par l’ANR, le projet DALI. / With the increasing development of Internet, Web applications have become increasingly vulnerable and exposed to malicious attacks that could affect essential properties such as confidentiality, integrity or availability of information systems. To cope with these threats, it is necessary to develop efficient security protection mechanisms and testing techniques (firewall, intrusion detection system,Web scanner, etc..). The question that arises is how to evaluate the effectiveness of such mechanisms and what means can be implemented to analyze their ability to correctly detect attacks against Webapplications.This thesis presents a new methodology, based on web pages clustering, that is aimed at identifying the vulnerabilities of a Web application following a black box analysis of the target application. Each identified vulnerability is actually exploited to ensure that the identified vulnerability does not correspond to a false positive. The proposed approach can also highlight different potential attack scenarios including the exploitation of several successive vulnerabilities, taking into account explicitly the dependencies between these vulnerabilities. We have focused in particular on code injection vulnerabilities, such asSQL injections. The proposed method led to the development of a new Web vulnerability scanner and has been validated experimentally based on various vulnerable applications.We have also developed an experimental platform integrating the new web vulnerability scanner, that is aimed at assessing the effectiveness of Web applications intrusion detection systems, in a context that is representative of the threats that such applications face in operation. This platform integrates several tools that are designed to automate as much as possible the evaluation campaigns. It has been used in particular to evaluate the effectiveness of two intrusion detection techniques that have been developed by our partners of the collaborative project DALI, funded by the ANR, the French National Research Agency

Système de détection d’intrusions

Scanner Web

Application Web

Attaque et vulnérabilités

Évaluation

Web vulnerability scanners

Web applications

Web attacks

Vulnerabilities

Evaluation

Ntrusion detection System

005

Deception strategies for web application security: application-layer approaches and a testing platform

Izagirre, Mikel

January 2017

The popularity of the internet has made the use of web applications ubiquitous and essential to the daily lives of people, businesses and governments. Web servers and web applications are commonly used to handle tasks and data that can be critical and highly valuable, making them a very attractive target for attackers and a vector for successful attacks that are aimed at the application layer. Existing misuse and anomaly-based detection and prevention techniques fail to cope with the volume and sophistication of new attacks that are continuously appearing, which suggests that there is a need to provide new additional layers of protection. This work aims to design a new layer of defense based on deception that is employed in the context of web application-layer traffic with the purpose of detecting and preventing attacks. The proposed design is composed of five deception strategies: Deceptive Comments, Deceptive Request Parameters, Deceptive Session Cookies, Deceptive Status Codes and Deceptive JavaScript. The strategies were implemented as a software artifact and their performance evaluated in a testing environment using a custom test script, the OWASP ZAP penetration testing tool and two vulnerable web applications. Deceptive Parameter strategy obtained the best security performance results, followed by Deceptive Comments and Deceptive Status Codes. Deceptive Cookies and Deceptive JavaScript got the poorest security performance results since OWASP ZAP was unable to detect and use deceptive elements generated by these strategies. Operational performance results showed that the deception artifact could successfully be implemented and integrated with existing web applications without changing their source code and adding a low operational overhead.

deception

computer deception

cyberdeception

intrusion detection

intrusion deception

security

cybersecurity

web

web applications

HTTP

penetration testing

security testing

honeypots

honeytokens

decoy

active defense

attacks

web vulnerability scanners

OWASP ZAP

BodgeIt

WAVSEP

Computer Systems

Datorsystem