Introduction to Web Application Penetration Testing (Rana Khalil)
Intro to web application penetration testing workshop I held in Atlanta as part of the AnitaBorg Cybersecurity Weekend on Aug. 19. The link for the event can be found here: https://community.anitab.org/event/atl-cybersecurity-day-two/
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b... (Rana Khalil)
This thesis compares the performance of six open-source web vulnerability scanners: Arachni, Burp Pro, Skipfish, Vega, Wapiti, and ZAP. The researcher evaluated the scanners using three benchmark applications and analyzed their crawling coverage, vulnerability detection accuracy, speed, and usability. The results showed that no scanner detected all vulnerabilities and they struggled with features like authentication, file uploads, and multi-step processes. ZAP and Burp Pro achieved the highest scores overall, while all scanners had room for improvement in fully automating the assessment of complex web applications.
This document discusses a comparative analysis of open-source web application vulnerability scanners. It describes Johnny, a developer tasked with developing secure software. Johnny initially believes vulnerability scanners can find all issues, but later pentests find many vulnerabilities the scanners missed. The document analyzes how six scanners perform on a sample application, finding they detect only 40% of vulnerabilities on average and struggle with tasks like authentication and multi-step processes. It concludes that scanners cannot replace a skilled pentester but can aid them if properly configured for the target application.
Web Application Penetration Testing - 101 (Andrea Hauser)
This document provides an overview of web application pentesting. It discusses preparations like setting up reporting and tools. The methodology involves reconnaissance, automated testing, and manual testing. Technical topics covered include the OWASP Top 10 vulnerabilities like injection, broken authentication, sensitive data exposure, and cross-site scripting. Examples are provided and recommendations on prevention. Tutorial resources like PortSwigger and OWASP Juice Shop are referenced.
Static Analysis Security Testing for Dummies... and You (Kevin Fealey)
Most enterprise application security teams have at least one Static Analysis Security Testing (SAST) tool in their tool-belt; but for many, the tool never leaves the belt. SAST tools have gotten a reputation for being slow, error-prone, and difficult to use; and out of the box, many of them are – but with a little more knowledge behind how these tools are designed, a SAST tool can be a valuable part of any security program.
In this talk, we’ll help you understand the strengths and weaknesses of SAST tools by illustrating how they trace your code for vulnerabilities. You’ll see out-of-the-box rules for commercial and open-source SAST tools, and learn how to write custom rules for the widely-used open source SAST tool, PMD. We’ll explain the value of customizing tools for your organization; and you’ll learn how to integrate SAST technologies into your existing build and deployment pipelines. Lastly, we’ll describe many of the common challenges organizations face when deploying a new security tool to security or development teams, as well as some helpful hints to resolve these issues.
The document discusses integrating security testing into the typical iterative development lifecycle through automated software tests at various stages, including unit tests, integration tests, and acceptance tests. It provides examples of using JUnit for unit testing and tools like Cactus, Selenium, and WATIR for integration and acceptance testing to validate valid/invalid inputs and test for vulnerabilities like SQL injection and cross-site scripting.
Outpost24 webinar - Demystifying Web Application Security with Attack Surface... (Outpost24)
Learn how to discover every web application you own and ascertain their risk levels through the hacker’s lens to gain a better understanding of the overall attack surface and locate the right path for remediation.
Evaluating Web App, Mobile App, and API Security - Matt Cohen (Inman News)
This document discusses evaluating web app, mobile app, and API security standards and tools. It provides an overview of the Open Web Application Security Project (OWASP) which publishes free, open-source security standards like the Application Security Verification Standard (ASVS). The document also discusses different types of software security testing like static analysis, dynamic analysis, code review, and penetration testing. It provides a demonstration of using the OWASP Zed Attack Proxy (ZAP) tool to conduct dynamic analysis and penetration testing of a web application.
RASP (Runtime Application Self-Protection) is a new concept aiming at revolutionizing application security. This presentation is envisioned as a guide for early adopters and technology evaluators.
What? Why? Who? How? Of Application Security Testing (TEST Huddle)
This document contains slides from a presentation on application security testing. It discusses what application security is, the growing threats from cyber attacks, and why application vulnerabilities are difficult to detect. It emphasizes that application security needs to be addressed throughout the entire software development lifecycle (SDLC) by security experts working together with developers. Key approaches mentioned include understanding common risks like injection flaws, creating testing procedures, applying defenses, and validating security requirements to get everyone involved in prioritizing application security.
[OPD 2019] AST Platform and the importance of multi-layered application secu... (OWASP)
This document discusses the importance of multi-layered application security testing and summarizes several application security testing techniques. It introduces static application security testing (SAST), interactive application security testing (IAST), software composition analysis (SCA), and dynamic application security testing (DAST). For each technique, it provides a brief description and highlights of their advantages and disadvantages. It emphasizes that using multiple techniques together can provide more comprehensive security testing than any single technique alone.
Slide deck on the security aspects of using Open Source Software. Focused on the Apache HTTP Server project, this deck discusses general topics like what Open Source software is, what the prevailing myths surrounding it are and how the open development process works to ensure the result is secure.
Beyond the Perimeter discusses how traditional security defenses like firewalls and endpoint protection have not scaled effectively as applications have evolved. 84% of attacks now target applications, yet 90% of apps have critical bugs and it takes an average of 138 days to fix an SQL injection vulnerability. New attacks are found frequently. Encoding untrusted input is complicated and does not provide visibility into attacks or support commercial applications. Regular expressions used in web application firewalls are difficult to maintain and prone to evasion. Language-theoretic security (LANGSEC) treats code and data as formal languages that can be parsed to accurately identify valid and malicious inputs at runtime without false positives or vulnerability to obfuscation. Prevoty provides content and database protection products.
Injecting Security into vulnerable web apps at Runtime (Ajin Abraham)
Web application security is not hard, but it’s easy to get it wrong, as writing secure code is not as easy as preaching it. So to overcome incidents happening from such unforeseen events, organisations tend to rely on Web Application Firewalls, or WAFs. Web Application Firewalls have been in the industry for a long time. Every one of them works either outside or around the web application and acts by intercepting the HTTP request coming to the web server, then takes a decision to allow or block the request based on traditional signature checks. They are never aware of what is happening inside the application: how the user input is getting interpreted, whether the application/server is under heavy load, whether the attacker is exfiltrating data by exploiting an SQLi that the WAF couldn’t detect, etc. The strength of a traditional WAF depends on manual or predefined rules/signatures. As a result, they have the limitation that they will get bypassed if a payload is not present in their signature list. When a zero day occurs, a WAF in most cases won’t be able to prevent an attack, as it doesn’t know the signature of the exploit yet.
In this talk I will share my research outcomes on implementing a runtime application patching algorithm on an insecurely coded application to make it secure against code injection vulnerabilities and other logical issues related to web applications. I will introduce the next-generation web application defending technology dubbed Runtime Application Self Protection (RASP), which works by understanding your application to defend against web attacks from inside the web application. RASP relies on runtime patching to inject security into web apps implicitly without introducing additional code changes. The root cause of all code injection vulnerabilities is that the language interpreter cannot distinguish between data and code. The proposed solution will detect code context breakout to effectively detect and prevent code injections with the help of runtime hooking and patching at the framework API or language API level. The research focuses mainly on detecting and preventing vulnerabilities like SQL Injection, Cross Site Scripting, Remote Command Execution, HTTP Verb Tampering, Header Injection, File Upload Bypass, Path Traversal, etc., and other application security challenges like Session Hijacking, Credential Stuffing, Layer 7 DDoS, etc. This research is carried out by implementing a RASP module in a vulnerable web application written in Python using the Tornado framework with an SQLite backend.
This presentation talks about the focus towards building security in the software development life cycle and covers details related to Reconnaissance, Scanning and Attack based test design and execution approach.
Qualys provides vulnerability management software and services, including internet-based vulnerability scanners and internal scanning appliances. They have also developed research projects focused on web application fingerprinting, malware detection, browser security checks, and a malware analysis portal. Qualys continues working to expand their services and research activities around new technologies to help customers identify, manage, and respond to vulnerabilities and security risks.
Open source software is widely used but faces security challenges as vulnerabilities have been found in widely used open source components. While most companies do not currently monitor open source code for security issues, the open source community is adapting to improve security. New approaches for security processes and tools are emerging and will provide increased choices for addressing open source security over time.
What Good is this Tool? A Guide to Choosing the Right Application Security Te... (Kevin Fealey)
Abstract:
Choosing the right Application Security Testing (AST) tool can be challenging for any security program, and after rolling it out, discovering the real security value it brings can be downright discouraging. No single tool can solve all of your security problems, but unfortunately, that is exactly how many of them are marketed. This is compounded by sales teams who convince executive leadership that security programs should be built around their tools, rather than fitting each tool within a well-planned security program. The primary takeaways from this talk are:
• An understanding of the real value of each type of AST tool (SAST, DAST, IAST);
• How to leverage your tools for better security visibility and process efficiency;
• Steps to find the right tool for your security program;
• Keys to finding the best stage of the SDLC to implement each tool type within your security program;
• How to integrate new tools with your existing DevOps or Agile environments and processes.
Additional Takeaways:
• Examine the strengths and limitations of SAST, DAST, and IAST tools
• Learn how to choose the right tools for your security program
• Discover how to seamlessly integrate your tools into existing DevOps and Agile environments and processes
• Provide security visibility to developers, managers, and executives by enhancing your existing technology
• Learn to use your tools to improve the efficiency of security tasks that are currently manual
The MITRE ATT&CK framework is a framework followed by threat hunters and threat analysts for threat modelling purposes, which can be used for adversary emulation and attack defense. Cybersecurity analysts widely use it for framing an attack through the tactics and techniques it catalogues.
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation (Derrick Hunter)
This document discusses the risks of using known vulnerable components in applications. It identifies threat agents as anyone who can send untrusted data, and lists possible attack vectors such as injection and broken access control. Examples are given of past vulnerabilities in Apache CXF and Spring that allowed remote code execution. It emphasizes that open source applications often contain vulnerable components that remain in use long after issues are discovered. Suggested prevention methods include keeping components up to date, monitoring for security issues, and adding security wrappers.
What You Need to Know About Web App Security Testing in 2018 (Ken DeSouza)
See the associated webinar via https://www.softwaretestpro.com/what-you-need-to-know-about-web-app-security-testing-in-2018/ (a YouTube link is available there).
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ] (raj upadhyay)
Zed Attack Proxy (ZAP) is a free and open source web application security tool that can be used to test for vulnerabilities during the development and testing phases. It includes features like an intercepting proxy, spidering to discover hidden links, both active and passive scanning to detect vulnerabilities, and reporting of results. ZAP allows users to intercept web traffic, modify requests and responses, scan sites for issues like XSS and SQLi, analyze results, and generate detailed vulnerability reports.
This document summarizes a webinar about SQL injection attacks. It discusses how SQL injection has remained the primary method of data theft from hacking. It provides statistics on the prevalence of SQL injection vulnerabilities and attacks. It then outlines the typical process attackers use, including using Google dorks to find vulnerable sites, scanning sites for vulnerabilities, and using automated tools like Havij and SQLmap to carry out attacks. The document concludes with recommendations for organizations on how to prevent SQL injection attacks, such as deploying web application firewalls, integrating vulnerability scanners, blocking known attacker systems, and fixing vulnerabilities.
Secure coding is the practice of developing computer software in a way that guards against the accidental introduction of security vulnerabilities. Defects, bugs and logic flaws are consistently the primary cause of commonly exploited software vulnerabilities. Through the analysis of thousands of reported vulnerabilities, security professionals have discovered that most vulnerabilities stem from a relatively small number of common software programming errors. By identifying the insecure coding practices that lead to these errors and educating developers on secure alternatives, organizations can take proactive steps to help significantly reduce or eliminate vulnerabilities in software before deployment.
Session by: Akash S Prakash
When performing security testing, I often sit in a room with other QA and software testers. During that time, it is likely I receive questions such as: "Roberto, are you hacking this? Are you breaking this again? What exactly are you testing?"
While talking to them I realise there is an information gap between us, especially when they share information which is essential for my testing and crucial to identify security vulnerabilities.
After a good number of security tests, I came to the conclusion that people in our industry do not realise that software testing and security testing have a lot to share.
This talk intends to reduce that information gap and provides an introduction to security software testing, methodologies, and most importantly offers some food for thought to stimulate synergy between security and software testers.
This document provides an overview of the OWASP Testing Guide for vulnerability assessment and penetration testing (VAPT). It defines key terms like vulnerability, threat, control, and vulnerability assessment. It explains the security principles of confidentiality, integrity, and availability (CIA). It then describes common sources of vulnerabilities and outlines various testing methodologies for information gathering, configuration management, identity and authentication, authorization, session management, input validation, error handling, cryptography, and client-side testing. It stresses the importance of customizing the testing plan for different application types and remembering best practices like following protocols, capturing accurate details of the tested systems, informing clients, and filtering false positives.
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-... (Rana Khalil)
The document summarizes a comparative analysis of six open-source black-box web application vulnerability scanners: Arachni, Burp Pro, Skipfish, Vega, Wapiti, and ZAP. The analysis evaluated the scanners' crawling coverage, vulnerability detection accuracy, speed, and usability when run in both point-and-shoot/default mode and trained/configured mode against three benchmark applications: WIVET, WAVSEP, and WackoPicko. The results showed that all scanners missed at least 50% of vulnerabilities in WackoPicko, with detection rates improving when run in trained mode. ZAP achieved the highest detection rates overall, while results varied by vulnerability category and
This document discusses Qualys' strategy and roadmap for its Web Application Scanning (WAS) product. It outlines Qualys' approach to web app security which includes detection, protection, monitoring/forensics, and remediation. It provides details on current and upcoming WAS features like integrated malware detection, attack proxy integration, and sitemap implementation. The document also discusses how organizations can leverage WAS and how it compares favorably to competitors in areas like scale, cost, and providing a complete picture of web app security risks.
RASP (Runtime Application Self-Protection) is a new concept aiming at revolutionizing application security. This presentation is a envisioned as a guide for early adopters and technology evaluators.
What? Why? Who? How? Of Application Security Testing TEST Huddle
This document contains slides from a presentation on application security testing. It discusses what application security is, the growing threats from cyber attacks, and why application vulnerabilities are difficult to detect. It emphasizes that application security needs to be addressed throughout the entire software development lifecycle (SDLC) by security experts working together with developers. Key approaches mentioned include understanding common risks like injection flaws, creating testing procedures, applying defenses, and validating security requirements to get everyone involved in prioritizing application security.
[OPD 2019] AST Platform and the importance of multi-layered application secu...OWASP
This document discusses the importance of multi-layered application security testing and summarizes several application security testing techniques. It introduces static application security testing (SAST), interactive application security testing (IAST), software composition analysis (SCA), and dynamic application security testing (DAST). For each technique, it provides a brief description and highlights of their advantages and disadvantages. It emphasizes that using multiple techniques together can provide more comprehensive security testing than any single technique alone.
Slide deck on the security aspects of using Open Source Software. Focused on the Apache HTTP Server project, this deck discusses general topics like what Open Source software is, what the prevailing myths surrounding it are and how the open development process works to ensure the result is secure.
Beyond the Perimeter discusses how traditional security defenses like firewalls and endpoint protection have not scaled effectively as applications have evolved. 84% of attacks now target applications, yet 90% of apps have critical bugs and it takes an average of 138 days to fix an SQL injection vulnerability. New attacks are found frequently. Encoding untrusted input is complicated and does not provide visibility into attacks or support commercial applications. Regular expressions used in web application firewalls are difficult to maintain and prone to evasion. Language-theoretic security (LANGSEC) treats code and data as formal languages that can be parsed to accurately identify valid and malicious inputs at runtime without false positives or vulnerability to obfuscation. Prevoty provides content and database protection products
Injecting Security into vulnerable web apps at RuntimeAjin Abraham
Web Application Security is not hard, but it’s easy to get it wrong as writing secure code is not easy as preaching. So to overcome incidents happening from such unforeseen events, organisations tend to rely on Web Application Firewalls or WAFs. Web Application Firewalls have been in the industry for a long time. Every one of them either work outside or around the web applications and act by intercepting the HTTP request coming to the web server, then take a decision to allow or block the request based on traditional signature checks. They are never aware of what is happening inside the application like how the user input is getting interpreted, Is the application/server under heavy load?, Is the attacker exfiltrating data by exploiting an SQLi that WAF couldn’t detect? etc. The strength of traditional WAF depends on manual or predefined rules/signature. As a result, they have the limitation that they will get bypassed if a payload is not present in their signature list. In the occurrence of a zero day, a WAF in most cases won’t be able to prevent an attack as they don’t know the signature of the exploit yet.
In this talk I will share my research outcomes on implementing a runtime application patching algorithm on an insecurely coded application to make it secure against code injection vulnerabilities and other logical issues related to web applications. I will introduce the next generation web application defending technology dubbed as Runtime Application Self Protection (RASP) that works by understanding your application to defend against web attacks by working inside the web application. RASP relies on Runtime Patching to inject security into web apps implicitly without introducing additional code changes. The root cause of all the code injection vulnerabilities is that the language interpreter cannot distinguish between data and code. The proposed solution will detect code context breakout to effectively detect and prevent code injections with the help of runtime hooking and patching at framework api or language api level. The research focuses mainly on detecting and preventing vulnerabilities like SQL Injection, Cross Site Scripting, Remote Command Execution, HTTP Verb Tampering, Header Injection, File Upload Bypass, Path Traversal etc and other application security challenges like Session Hijacking, Credential Stuffing and Layer 7 DDoS etc. This research is carried out by implementing a RASP module to a vulnerable web application written in python using tornado framework with sqlite backend.
This presentation talks about the focus towards building security in the software development life cycle and covers details related to Reconnaissance, Scanning and Attack based test design and execution approach.
Qualys provides vulnerability management software and services, including internet-based vulnerability scanners and internal scanning appliances. They have also developed research projects focused on web application fingerprinting, malware detection, browser security checks, and a malware analysis portal. Qualys continues working to expand their services and research activities around new technologies to help customers identify, manage, and respond to vulnerabilities and security risks.
Open source software is widely used but faces security challenges as vulnerabilities have been found in widely used open source components. While most companies do not currently monitor open source code for security issues, the open source community is adapting to improve security. New approaches for security processes and tools are emerging and will provide increased choices for addressing open source security over time.
What Good is this Tool? A Guide to Choosing the Right Application Security Te...Kevin Fealey
Abstract:
Choosing the right Application Security Testing (AST) tool can be challenging for any security program, and after rolling it out, discovering the real security value it brings can be downright discouraging. No single tool can solve all of all of your security problems, but unfortunately, that is exactly how many of them are marketed. This is compounded by sales teams who convince executive leadership that security programs should be built around their tools, rather than fitting each tool within a well-planned security program. The primary takeaways from this talk are:
• An understanding the real value of each type of AST tool (SAST, DAST, IAST);
• How to leverage your tools for better security visibility and process efficiency;
• Steps to find the right tool for your security program;
• Keys to finding the best stage of the SDLC to implement each tool type within your security program;
• How to integrate new tools with your existing DevOps or Agile environments and processes
Additional Takeaways:
• Examine the strengths and limitations of SAST, DAST, and IAST tools
• Learn how to choose the right tools for your security program
• Discover how to seamlessly integrate your tools into existing DevOps and Agile environments and processes
• Provide security visibility to developers, managers, and executives by enhancing your existing technology
• Learn to use your tools to improve the efficiency of security tasks that are currently manual
MITRE ATT&CK framework is about the framework that is followed by Threat Hunters, Threat Analysts for Threat Modelling purpose, which can be use for Adversary Emulation and Attack Defense. Cybersecurity Analyst widely use it for framing the attack through its various used Tactics and Techniques.
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation (Derrick Hunter)
This document discusses the risks of using known vulnerable components in applications. It identifies threat agents as anyone who can send untrusted data, and lists possible attack vectors such as injection and broken access control. Examples are given of past vulnerabilities in Apache CXF and Spring that allowed remote code execution. It emphasizes that open source applications often contain vulnerable components that remain in use long after issues are discovered. Suggested prevention methods include keeping components up to date, monitoring for security issues, and adding security wrappers.
What You Need to Know About Web App Security Testing in 2018 (Ken DeSouza)
See the associated webinar via https://www.softwaretestpro.com/what-you-need-to-know-about-web-app-security-testing-in-2018/ (there is a youtube link here)
Zed attack proxy [ What is ZAP (Zed Attack Proxy)? ] (raj upadhyay)
Zed Attack Proxy (ZAP) is a free and open source web application security tool that can be used to test for vulnerabilities during the development and testing phases. It includes features like an intercepting proxy, spidering to discover hidden links, both active and passive scanning to detect vulnerabilities, and reporting of results. ZAP allows users to intercept web traffic, modify requests and responses, scan sites for issues like XSS and SQLi, analyze results, and generate detailed vulnerability reports.
This document summarizes a webinar about SQL injection attacks. It discusses how SQL injection has remained the primary method of data theft from hacking. It provides statistics on the prevalence of SQL injection vulnerabilities and attacks. It then outlines the typical process attackers use, including using Google dorks to find vulnerable sites, scanning sites for vulnerabilities, and using automated tools like Havij and SQLmap to carry out attacks. The document concludes with recommendations for organizations on how to prevent SQL injection attacks, such as deploying web application firewalls, integrating vulnerability scanners, blocking known attacker systems, and fixing vulnerabilities.
Secure coding is the practice of developing computer software in a way that guards against the accidental introduction of security vulnerabilities. Defects, bugs and logic flaws are consistently the primary cause of commonly exploited software vulnerabilities. Through the analysis of thousands of reported vulnerabilities, security professionals have discovered that most vulnerabilities stem from a relatively small number of common software programming errors. By identifying the insecure coding practices that lead to these errors and educating developers on secure alternatives, organizations can take proactive steps to help significantly reduce or eliminate vulnerabilities in software before deployment.
Session by: Akash S Prakash
When performing security testing, I often sit in a room with other QA and software testers. During that time, it is likely I receive questions such as: "Roberto, are you hacking this? Are you breaking this again? What exactly are you testing?"
While talking to them I realise there is an information gap between us, especially when they share information which is essential for my testing and crucial to identify security vulnerabilities.
After a good number of security tests, I came to the conclusion that people in our industry do not realise that software testing and security testing have a lot to share.
This talk intends to reduce that information gap and provides an introduction to security software testing, methodologies, and most importantly offers some food for thought to stimulate synergy between security and software testers.
This document provides an overview of the OWASP Testing Guide for vulnerability assessment and penetration testing (VAPT). It defines key terms like vulnerability, threat, control, and vulnerability assessment. It explains the security principles of confidentiality, integrity, and availability (CIA). It then describes common sources of vulnerabilities and outlines various testing methodologies for information gathering, configuration management, identity and authentication, authorization, session management, input validation, error handling, cryptography, and client-side testing. It stresses the importance of customizing the testing plan for different application types and remembering best practices like following protocols, capturing accurate details of the tested systems, informing clients, and filtering false positives.
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-... (Rana Khalil)
The document summarizes a comparative analysis of six open-source black-box web application vulnerability scanners: Arachni, Burp Pro, Skipfish, Vega, Wapiti, and ZAP. The analysis evaluated the scanners' crawling coverage, vulnerability detection accuracy, speed, and usability when run in both point-and-shoot/default mode and trained/configured mode against three benchmark applications: WIVET, WAVSEP, and WackoPicko. The results showed that all scanners missed at least 50% of vulnerabilities in WackoPicko, with detection rates improving when run in trained mode. ZAP achieved the highest detection rates overall, while results varied by vulnerability category and
This document discusses Qualys' strategy and roadmap for its Web Application Scanning (WAS) product. It outlines Qualys' approach to web app security which includes detection, protection, monitoring/forensics, and remediation. It provides details on current and upcoming WAS features like integrated malware detection, attack proxy integration, and sitemap implementation. The document also discusses how organizations can leverage WAS and how it compares favorably to competitors in areas like scale, cost, and providing a complete picture of web app security risks.
Hacker Proof web app using Functional tests (Ankita Gupta)
This document discusses using functional test automation with the open source web application security scanner IronWasp to provide automated security testing of web applications. It outlines how Selenium test cases can be integrated with IronWasp to allow the scanner to crawl and test the full application workflow, providing security checks across all functional flows. This improves on traditional scanners by allowing testing of login screens, multi-page sequences, and ensuring the scanner has valid inputs to exercise all application features.
Why test automation is getting more difficult, and what can be done about it. These slides are from a presentation by Gordon McKeown, Group Director, Product Management at TestPlant, given at the Northern Lights conference in Manchester in April 2016.
Building Your Application Security Data Hub - OWASP AppSecUSA (Denim Group)
One of the reasons application security is so challenging to address is that it spans multiple teams within an organization. Development teams build software, security testing teams find vulnerabilities, security operations staff manage applications in production and IT audit organizations make sure that the resulting software meets compliance and governance requirements. In addition, each team has a different toolbox they use to meet their goals, ranging from scanning tools, defect trackers, Integrated Development Environments (IDEs), WAFs and GRC systems. Unfortunately, in most organizations the interactions between these teams are often strained and the flow of data between these disparate tools and systems is non-existent or tediously implemented manually.
In today’s presentation, we will demonstrate how leading organizations are breaking down these barriers between teams and better integrating their disparate tools to enable the flow of application security data between silos to accelerate and simplify their remediation efforts. At the same time, we will show how to collect the proper data to measure the performance and illustrate the improvement of the software security program. The challenges that need to be overcome to enable teams and tools to work seamlessly with one another will be enumerated individually. Team and tool interaction patterns will also be outlined that reduce the friction that will arise while addressing application security risks. Using open source products such as OWASP ZAP, ThreadFix, Bugzilla and Eclipse, a significant amount of time will also be spent demonstrating the kinds of interactions that need to be enabled between tools. This will provide attendees with practical examples on how to replicate a powerful, integrated Application Security program within their own organizations. In addition, how to gather program-wide metrics and regularly calculate measurements such as mean-time-to-fix will also be demonstrated to enable attendees to monitor and ensure the continuing health and performance of their Application Security program.
Practical White Hat Hacker Training - Vulnerability Detection (PRISMA CSI)
This presentation is part of Prisma CSI's Practical White Hat Hacker Training v1.
PRISMA CSI • Cyber Security and Intelligence www.prismacsi.com
This document may be shared or quoted, but may not be used for commercial purposes or modified. Detailed information is available at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode.
Neev uses a scrum based Agile Development methodology, a proven Extended Delivery Center model of engagement - all designed to ensure high quality, timely deliverables.
Tune in for the Ultimate WAF Torture Test: Bots Attack! (Distil Networks)
This webinar compares the bot detection and mitigation capabilities of Imperva, F5 Networks, and Distil Networks web application firewall (WAF) products. A testing scenario involving a fictional airline website is used to evaluate how each product handles different bots and attacks. Distil Networks is shown to be the most effective at blocking bots while allowing legitimate traffic. The webinar also provides best practices for optimizing a WAF for bot detection, such as profiling applications and limiting exposure. Attendees are offered a free trial and traffic analysis from Distil Networks.
A penetration test evaluates a system's security by simulating attacks. A web application penetration test focuses on a web application's security. The process involves actively analyzing the application for weaknesses, flaws, or vulnerabilities. Any issues found are reported to the owner along with impact assessments and mitigation proposals.
Ankita - Hacker Proof your app using Functional Tests (Ankita Gupta)
The document discusses integrating automated web security scanning with functional test automation. It describes using the open source IronWasp scanner to test web applications alongside Selenium test cases. The benefits are that test cases provide valid inputs to the scanner, following the correct site flow, making scanning more efficient and effective at finding security vulnerabilities. It demonstrates setting up the IronWasp library and routing test traffic through the scanner. Limitations and areas for improvement are also outlined.
Chidambaram Vetrivel delivered a session on "Universal Test Automation Framework" at ATAGTR2020
ATAGTR2020 was the 5th Edition of Global Testing Retreat.
Chidambaram has 10+ years of IT experience and has been working as an Automation Expert in designing, strategizing and architecting automation testing solutions.
The video recording of the session is now available on the following link: https://youtu.be/_akHHEgLlVU
To know more about #ATAGTR2020, please visit: https://gtr.agiletestingalliance.org/
In this presentation a brief justification for performance testing will be given, followed by some terminology and a short demo.
Links to some recommended solutions (trials/freemium) are provided in the comments, along with the two demo sessions:
TruClient Lite scripting demo
StormRunner Load simple performance test
The quality of the code shipped for a given product translates not only into its functional quality but also into its non-functional aspects, such as security. Many issues in code can be addressed well before they reach SCM.
Today's IT industry has grown vastly across multiple segments, serving many time-critical offerings. The need of the hour is a continuous stream of requirements with the expectation of continuous delivery. The challenge in Agile methodology is managing three stages, namely requirements gathering, development and testing, simultaneously. This has changed the traditional Waterfall model, where each segment was controlled independently, and a process called Continuous Integration or Automated Integration is evolving. In this program, we will discuss a virtual project with continuously changing requirements and define a Test Driven Development model using a combination of open source tools.
Functional Testing of RESTful Applications (Nenad Bozic)
This document discusses tools and techniques for functional testing of RESTful applications. It covers different levels of testing from unit to system level. It then describes using blackbox testing as a monitoring tool by generating test data, overcoming latency, and integrating with monitoring services. Graybox testing is discussed as a way to control external dependencies through mocking services. Finally, it recommends using Cucumber to develop business-focused test scenarios that are closer to documentation and easier to maintain.
- Hemachandra Srinivasamurthy has over 11 years of experience in IT security including web application security, vulnerability assessment, penetration testing, and performance engineering.
- He is a Certified Ethical Hacker (CEH) with expertise in ethical hacking and penetration testing.
- Currently working as a Penetration Tester at CapGemini with experience assessing vulnerabilities and conducting penetration tests of applications, networks, and systems.
This document describes Cerberus, an open source test automation tool developed by La Redoute. Cerberus allows centralized management of test cases across multiple technologies like web, mobile, and APIs. It supports features like a step library, test automation, execution reporting, and integration with other tools. The document also provides examples of how Cerberus is used at La Redoute for regression testing websites in multiple languages and environments. It maintains over 3,500 regression tests that execute twice daily. Cerberus can also be used for functional monitoring of websites by regularly executing test cases and monitoring performance metrics.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
CAKE: Sharing Slices of Confidential Data on Blockchain (Claudio Di Ciccio)
Presented at the CAiSE 2024 Forum, Intelligent Information Systems, June 6th, Limassol, Cyprus.
Synopsis: Cooperative information systems typically involve various entities in a collaborative process within a distributed environment. Blockchain technology offers a mechanism for automating such processes, even when only partial trust exists among participants. The data stored on the blockchain is replicated across all nodes in the network, ensuring accessibility to all participants. While this aspect facilitates traceability, integrity, and persistence, it poses challenges for adopting public blockchains in enterprise settings due to confidentiality issues. In this paper, we present a software tool named Control Access via Key Encryption (CAKE), designed to ensure data confidentiality in scenarios involving public blockchains. After outlining its core components and functionalities, we showcase the application of CAKE in the context of a real-world cyber-security project within the logistics domain.
Paper: https://doi.org/10.1007/978-3-031-61000-4_16
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/building-and-scaling-ai-applications-with-the-nx-ai-manager-a-presentation-from-network-optix/
Robin van Emden, Senior Director of Data Science at Network Optix, presents the “Building and Scaling AI Applications with the Nx AI Manager,” tutorial at the May 2024 Embedded Vision Summit.
In this presentation, van Emden covers the basics of scaling edge AI solutions using the Nx tool kit. He emphasizes the process of developing AI models and deploying them globally. He also showcases the conversion of AI models and the creation of effective edge AI pipelines, with a focus on pre-processing, model conversion, selecting the appropriate inference engine for the target hardware and post-processing.
van Emden shows how Nx can simplify the developer’s life and facilitate a rapid transition from concept to production-ready applications. He provides valuable insights into developing scalable and efficient edge AI solutions, with a strong focus on practical implementation.
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
Best 20 SEO Techniques To Improve Website Visibility In SERP (Pixlogix Infotech)
Boost your website's visibility with proven SEO techniques! Our latest blog dives into essential strategies to enhance your online presence, increase traffic, and rank higher on search engines. From keyword optimization to quality content creation, learn how to make your site stand out in the crowded digital landscape. Discover actionable tips and expert insights to elevate your SEO game.
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence (IndexBug)
Imagine a world where machines not only perform tasks but also learn, adapt, and make decisions. This is the promise of Artificial Intelligence (AI), a technology that's not just enhancing our lives but revolutionizing entire industries.
TrustArc Webinar - 2024 Global Privacy Survey (TrustArc)
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
GraphRAG for Life Science to increase LLM accuracy (Tomaz Bratanic)
GraphRAG for the life science domain, where you retrieve information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers.
HCL Notes and Domino License Cost Reduction in the World of DLAU (panagenda)
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU and licensing under the CCB and CCX model have been a hot topic for many in the HCL community since last year. As a Notes or Domino customer, you may be struggling with unexpectedly high user counts and license fees. You may be wondering how this new kind of licensing works and what benefit it brings you. Above all, you surely want to stay within your budget and save costs wherever possible. We understand that, and we want to help you with it!
We explain how to solve common configuration problems that can cause more users to be counted than necessary, and how to identify and remove superfluous or unused accounts to save money. There are also some approaches that can lead to unnecessary expense, for example when a person document is used instead of a mail-in for shared mailboxes. We show you such cases and their solutions. And of course we explain the new license model.
Join this webinar, in which HCL Ambassador Marc Thomas and guest speaker Franz Walder introduce you to this new world. It gives you the tools and know-how to keep an overview. You will be able to reduce your costs through an optimized Domino configuration and keep them low in the future.
These topics will be covered
- Reducing license costs by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to make the best use of it
- Tips for common problem areas, such as team mailboxes, functional/test users, etc.
- Practical examples and best practices to implement right away
UiPath Test Automation using UiPath Test Suite series, part 6 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx (SitimaJohn)
Ocean Lotus cyber threat actors represent a sophisticated, persistent, and politically motivated group that poses a significant risk to organizations and individuals in the Southeast Asian region. Their continuous evolution and adaptability underscore the need for robust cybersecurity measures and international cooperation to identify and mitigate the threats posed by such advanced persistent threat groups.
Things to Consider When Choosing a Website Developer for your Website | FODUU (FODUU)
Choosing the right website developer is crucial for your business. This article covers essential factors to consider, including experience, portfolio, technical skills, communication, pricing, reputation & reviews, cost and budget considerations and post-launch support. Make an informed decision to ensure your website meets your business goals.
HCL Notes and Domino License Cost Reduction in the World of DLAU (panagenda)
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able to lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
Driving Business Innovation: Latest Generative AI Advancements & Success Story (Safe Software)
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-box Web Application Vulnerability Scanners
1. Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-box Web Application Vulnerability Scanners
Rana Khalil, University of Ottawa
@rana__khalil
2. Who am I?
• Student at the University of Ottawa
• B.S. in Mathematics and Computer Science (2016)
• M.S. in Computer Science (2018)
• Supervisor: Dr. Carlisle Adams
• OSCP Certification (current)
• Previous work experience includes: software development, testing, ransomware research, teaching and penetration testing
5. Web Applications
• We use web applications for everything: banking, education, shopping, communication
• Over 3.9 billion users worldwide
• Over 1.8 billion websites online
• How much personal data do you have online?
• Name, SIN, addresses, phone numbers, emails
• Financial information
• Health information
6. Web Security
• State of web security today
  • Trustwave’s 2018 Global Security Report:
    • 100% of web applications displayed at least one vulnerability
    • Median number of 11 vulnerabilities per application
8. How to Secure a Web Application?
• A combination of techniques is used to secure web applications:
  • Static code analysis
  • Web application firewalls
  • Secure coding practices
  • Web application vulnerability scanners
10. WAVS
Web Application Vulnerability Scanners (WAVS) have three modules:
• Crawler: discovers the pages and input vectors of the application
• Attacker: sends payloads to the discovered input vectors
• Analysis: inspects the responses and reports findings (*XSS found*, *SQLi found*, *LFI found*, *RFI found*)
11. WAVS
Web application vulnerability scanners are largely used in two ways:
1. Point-and-Shoot (PaS) / Default
  • Scanner is given the root URL of the application
  • Default configuration remains unchanged
  • Minimal human interference
12. WAVS
Web application vulnerability scanners are largely used in two ways:
2. Trained / Configured
  • Change configuration (e.g. crawl depth)
  • Manually visit every page of the application while the scanner is in proxy mode
  • Request flow: Browser → Scanner (proxy) → Web Application
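The attacker and analysis modules from slide 10, and the difference the two usage modes of slides 11 and 12 make to them, as an added example. This is not code from the thesis or from any of the six scanners studied: the in-memory target (TARGET and its three handlers), the probe strings, the SQL-error pattern and the two entry-point lists are all constructed here. The crawler's output is modelled as a list of URLs: in PaS mode only what a link-following crawler reaches from the root, in trained mode additionally the page whose link is built by JavaScript and which the tester visited through the scanner's proxy.

```python
"""Attacker and analysis modules of a black-box scanner over an in-memory target.

Added example for slides 10 to 12; not code from the thesis or from any scanner
it evaluates. TARGET, its handlers, PROBES and the entry-point lists are constructed.
"""
import html
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


# --- Constructed target: each handler takes the parsed query and returns HTML.
def _search(q):
    term = q.get("q", [""])[0]
    return f"<h1>Results for {term}</h1>"  # reflected unencoded: reflected XSS


def _profile(q):
    uid = q.get("userid", [""])[0]
    if not uid.isdigit():  # an unbalanced quote surfaces a DB error: SQLi
        return "You have an error in your SQL syntax near '" + html.escape(uid) + "'"
    return f"<p>User #{html.escape(uid)}</p>"


def _comment(q):
    text = q.get("text", [""])[0]
    return f"<div class=comment>{text}</div>"  # linked only from JavaScript


TARGET = {"/search.php": _search, "/users/view.php": _profile, "/comment.php": _comment}


def fetch(url):
    """Stand-in for an HTTP GET against TARGET: returns (status, body)."""
    parts = urlsplit(url)
    handler = TARGET.get(parts.path)
    if handler is None:
        return 404, ""
    return 200, handler(parse_qs(parts.query, keep_blank_values=True))


# --- Attacker module: put each probe into each parameter of an entry point.
PROBES = {
    "xss": "<zzq>'\"",  # unlikely tag; if it comes back verbatim the HTML context is writable
    "sqli": "1'",       # unbalanced quote; a database error message gives it away
}


def attack(url):
    """Yield (kind, probe, param, path, status, body) for every probe/parameter pair."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    for name in params:
        for kind, probe in PROBES.items():
            mutated = dict(params)
            mutated[name] = [probe]
            probe_url = urlunsplit(parts._replace(query=urlencode(mutated, doseq=True)))
            status, body = fetch(probe_url)
            yield kind, probe, name, parts.path, status, body


# --- Analysis module: decide from the response alone whether the probe "worked".
SQL_ERROR = re.compile(r"error in your SQL syntax|ORA-\d{5}|SQLSTATE", re.I)


def analyse(kind, probe, body):
    if kind == "xss":
        return probe in body  # reflected without encoding
    if kind == "sqli":
        return bool(SQL_ERROR.search(body))
    return False


def scan(entry_points):
    """Run attacker + analysis over crawler output; returns sorted (kind, path, param)."""
    findings = set()
    for url in entry_points:
        for kind, probe, param, path, status, body in attack(url):
            if status == 200 and analyse(kind, probe, body):
                findings.add((kind, path, param))
    return sorted(findings)


# Crawler output modelled as URL lists (constructed). PaS: what a link-following
# crawler reaches from the root. Trained: plus the comment page the tester visited
# through the scanner's proxy, because its link is only built by JavaScript.
PAS_ENTRY_POINTS = ["/search.php?q=test", "/users/view.php?userid=1"]
TRAINED_ENTRY_POINTS = PAS_ENTRY_POINTS + ["/comment.php?text=hi"]

if __name__ == "__main__":
    for mode, entry_points in (("PaS", PAS_ENTRY_POINTS), ("Trained", TRAINED_ENTRY_POINTS)):
        print(mode, scan(entry_points))
```

The attacker and analysis modules are identical in both runs; the only thing trained mode changes is the set of input vectors they get to see, which is why the reflected XSS in the comment page appears only in the second result. The analysis oracle here is deliberately crude (verbatim reflection, a database error string), which is also the level at which most false positives and false negatives in the WAVSEP numbers later in the deck arise.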
13. Previous Work
• Suto’s case studies:
  • 2007 paper evaluated scanners in PaS mode
  • 2010 paper evaluated scanners in PaS and Trained modes
• Benchmark applications:
  • Web Input Vector Extractor Teaser (WIVET) created in 2009 by Tatli et al.
  • Web Application Vulnerability Scanner Evaluation Project (WAVSEP) created in 2010 by Chen
• Doupé et al.’s 2010 work on evaluating WAVS on the WackoPicko application
• Several other more recent studies evaluate scanners in PaS mode only
15. Research Goal
• Goal: Performing a comprehensive comparative analysis of the performance of six chosen scanners in two modes:
  • PaS / Default
  • Trained / Configured
• Methodology: Tool Selection → Benchmark Selection → Environment Setup → Feature & Metric Selection → Result Analysis
16. Tool Selection
• Chen’s evaluation
• Consultation with professional ethical hackers

Name       Version        License                      Price      Last Update*
Arachni    1.5.1-0.5.12   Arachni Public Source v1.0   N/A        2017-03-29
Burp Pro   1.7.35         Commercial                   $349/year  2018-08-29
Skipfish   2.10b          Apache v2.0                  N/A        2012-12-04
Vega       1.0            MIT                          N/A        2016-06-29
Wapiti     3.0.1          GNU GPL v2                   N/A        2018-05-11
ZAP        2.7.0          Apache v2.0                  N/A        2017-11-28
*Checked in August 2018
17. Benchmark Selection
• Benchmark applications:
  • WIVET – crawling challenges
  • WAVSEP – vulnerability classes
  • Intentionally vulnerable realistic web application, chosen on:
    • Type of vulnerabilities included in the application
    • Architecture of the application and the web technologies used
    • Ability of the application to withstand aggressive automated scans
  • Candidates taken from the OWASP Vulnerable Web Applications Directory (VWAD) project
  • Selected: WackoPicko
18. Benchmark Selection - WIVET
• Contains 56 test cases that utilize both Web 1.0 and Web 2.0 technologies
• Test cases include:
  • Standard anchor links
  • Links created dynamically using JavaScript
  • Multi-page forms
  • Links in comments
  • Links embedded in Flash objects
  • Links within AJAX requests
19. Benchmark Selection - WAVSEP
• Consists of a total of 1220 true positive (TP) test cases and 40 false positive (FP) test cases

Vulnerability Category   # of TP test cases   # of FP test cases
SQL Injection            138                  10
Reflected XSS            89                   7
Path Traversal / LFI     816                  8
RFI                      108                  6
Unvalidated Redirect     60                   9
DOM XSS                  4                    0
Passive                  5                    0
20. Benchmark Selection - WackoPicko
• Open-source intentionally vulnerable realistic web application
• Photo sharing and purchasing site
• Contains 16 vulnerabilities covering several of the OWASP Top 10
• Contains crawling challenges:
  • HTML parsing
  • Multi-step process
  • Infinite website
  • Authentication
  • Client-side code
22. Environment Setup 2/2
• Each scanner was run in two modes:
  • PaS / Default – default configuration setting
  • Trained / Configured
    1. Maximize crawling coverage – changing configuration
    2. Maximize crawling coverage – use of proxy
    3. Maximize attack strength
• WackoPicko test scans were further divided into two subcategories:
  • INITIAL – without authentication / publicly accessible
  • CONFIG – valid username/password combination
• In total, each scanner was run eight times
23. Feature and Metric Selection
• Crawling coverage
  • % of passed test cases on the WIVET application
  • Crawling challenges in the WackoPicko application
• Vulnerability detection accuracy
  • TP, FN and FP on the WAVSEP and WackoPicko applications
• Speed
  • Scan time on the WAVSEP and WackoPicko applications
• Reporting
  • Vulnerability detected
  • Vulnerability location
  • Exploit performed
• Usability
  • Efficiency
  • Product documentation
  • Community support
26. Vulnerability Detection Accuracy – FNs 1/4
Vulnerabilities in WackoPicko that were not detected by any scanners:
1. Weak authentication credentials
  • admin/admin
  • Reasons:
    • Scanners did not attempt to guess username/password, or
    • Scanners did attempt to guess username/password but failed
27. Vulnerability Detection Accuracy – FNs 2/4
Vulnerabilities in WackoPicko that were not detected by any scanners:
2. Parameter Manipulation
  • Sample user: WackoPicko/users/sample.php?userid=1
  • Real user: WackoPicko/users/sample.php?userid=2
  • Reasons:
    • Most scanners did not attempt to manipulate the userid field
    • Arachni manipulated the userid field but failed to enter a valid number
    • Skipfish successfully manipulated the userid field but did not report it as a vulnerability
28. Vulnerability Detection Accuracy – FNs 3/4
Vulnerabilities in WackoPicko that were not detected by any scanners:
3. Stored SQL Injection
4. Directory Traversal
5. Stored XSS
Reasons:
  • Crawling challenges – discussed later
  • Lack of detection for these types of vulnerabilities
29. Vulnerability Detection Accuracy – FNs 4/4
Vulnerabilities in WackoPicko that were not detected by any scanners:
6. Forceful Browsing
  • Access to a link that contains a high quality version of a picture without authentication
  • /WackoPicko/pictures/high_quality.php?key=highquality&picid=11
7. Logic Flaw
  • Coupon management functionality
Reasons:
  • Require understanding the business logic of the application
  • Application-specific vulnerabilities
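The two misses on slides 27 and 29 (parameter manipulation of userid, and forceful browsing of the high-quality picture) share a root cause: the attacker module can send the request, but the analysis module has no oracle that says the 200 it got back was unauthorized. The added example below shows what such an oracle has to look like. It is not code from the thesis; the in-memory application, its users, the session cookie, the purchase table and the "sample user" convention are all constructed stand-ins for the two WackoPicko URLs named on the slides. The IDOR check enumerates integers next to the observed id (the step Arachni got wrong) and reports any neighbour that returns a different 200 page; the forceful-browsing check replays a request that works with a session and flags it if the anonymous reply is byte-identical. Deciding whether a flagged id or resource is actually meant to be private is still application knowledge, which is the point of the slides.

```python
"""Two authorization checks that need an oracle a black-box scanner does not have.

Added example for slides 27 and 29; not code from the thesis. USERS, PURCHASED,
SESSIONS and the app() stand-in are constructed for this illustration.
"""
from urllib.parse import parse_qs, urlsplit

USERS = {1: ("sample", "sample@example.invalid"),   # the advertised sample profile
         2: ("alice", "alice@example.invalid")}      # a real user (constructed)
PURCHASED = {11: {2}}                                # picid -> user ids allowed to view
SESSIONS = {"sess-alice": 2}                         # cookie -> user id


def app(url, cookie=None):
    """(status, body) for a request. Both bugs from the slides are present on purpose."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    if parts.path == "/users/sample.php":
        # Parameter manipulation: userid is trusted, so any profile is shown.
        uid = q.get("userid", [""])[0]
        if not uid.isdigit() or int(uid) not in USERS:
            return 404, "no such user"
        name, email = USERS[int(uid)]
        return 200, f"profile of {name} <{email}>"
    if parts.path == "/pictures/high_quality.php":
        # Forceful browsing: only the static key is checked, never the session.
        picid = q.get("picid", [""])[0]
        key_ok = q.get("key", [""])[0] == "highquality"
        if not key_ok or not picid.isdigit() or int(picid) not in PURCHASED:
            return 403, "forbidden"
        return 200, f"HIGHQUALITY-BYTES-{picid}"
    return 404, "not found"


def idor_candidates(template, observed_id, cookie=None, spread=2):
    """Neighbouring integer ids whose page is a 200 that differs from the observed page.

    Values that are not valid ids only ever hit the 404 branch, which is why a tool
    that never tries plausible integers learns nothing; integers near the observed
    value are what a human tester tries first. Whether a hit is a vulnerability
    (is user 2's profile meant to be public?) is application knowledge.
    """
    _, reference = app(template.format(id=observed_id), cookie)
    hits = []
    for cand in range(max(observed_id - spread, 0), observed_id + spread + 1):
        if cand == observed_id:
            continue
        status, body = app(template.format(id=cand), cookie)
        if status == 200 and body != reference:
            hits.append(cand)
    return hits


def forceful_browsing(url, cookie):
    """True when a resource the session can fetch is served identically with no session."""
    with_session = app(url, cookie)
    anonymous = app(url, None)
    return with_session[0] == 200 and anonymous == with_session


if __name__ == "__main__":
    print("idor:", idor_candidates("/users/sample.php?userid={id}", 1))
    print("forceful browsing:",
          forceful_browsing("/pictures/high_quality.php?key=highquality&picid=11", "sess-alice"))
```

Note what forceful_browsing needs that a PaS scan cannot have: a valid session to compare against. Without the CONFIG credentials the scanner only ever sees the anonymous response and has nothing to diff it with, which matches the INITIAL/CONFIG split later in the deck.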
30. Vulnerability Detection Accuracy – TPs 1/4
WackoPicko Overall Scan Detection Results (% of the 16 vulnerabilities detected)

Mode      Arachni   Burp   Skipfish   Vega    Wapiti   ZAP
PaS       37.5      37.5   31.25      18.75   25       37.5
Trained   37.5      50     31.25      25      25       43.75

Key Observations:
• All scanners missed at least 50% of the vulnerabilities
• In PaS mode Burp, ZAP and Arachni achieved the same score
• Running the scanners in trained mode increased the overall detection
  • Vega – increase in attack vectors
  • ZAP & Burp – manually visiting the pages in proxy mode for Flash and dynamic JS technologies
31. Vulnerability Detection Accuracy – TPs 2/4
WackoPicko Detection Results. The simplest configuration that detected a vulnerability is listed.
Vulnerability classes: RXSS, Stored XSS, Reflected SQLi, Command line injection, File Inclusion, File Exposure, RXSS behind JS, RXSS behind Flash

Arachni    INITIAL ×6
Burp Pro   INITIAL ×7, CONFIG ×1
Skipfish   INITIAL ×5
Vega       INITIAL ×4
Wapiti     INITIAL ×4
ZAP        INITIAL ×6, CONFIG ×1
Legend: PaS / Trained (per entry)
• Reminder: INITIAL means w/o authentication credentials and CONFIG means w/ authentication
• Running the scanners in trained mode increased the overall detection
32. Vulnerability Detection Accuracy – TPs 3/4
WAVSEP Overall TP Detection (% of WAVSEP tests detected)

Mode      Arachni   Burp   Skipfish   Wapiti   Vega   ZAP
PaS       60.2      27.9   4.0        25.4     71.3   60.7
Trained   60.2      42.5   62.6       24.4     71.3   79.3

Key Observations:
• WAVSEP results were better than WackoPicko
  • The vulnerability categories in WAVSEP are the classic injection classes scanners are built to detect
  • Scanner developers integrate WAVSEP into their own SDLC, so scanners are tuned to its test cases
• ZAP achieved the highest score, followed by Vega and Skipfish
34. Crawling Challenges 1/6
Features that scanners found difficult to crawl in WackoPicko:
1. Uploading a file
  • No scanner was able to upload a picture in PaS mode
  • Burp and ZAP were able to in Trained mode
35. Crawling Challenges 2/6
Features that scanners found difficult to crawl in WackoPicko:
2. Authentication
  • All scanners except for Wapiti successfully created accounts
  • None of the scanners used the created accounts to authenticate

Scanner    # of Accounts
Arachni    202
Burp       113
Skipfish   364
Vega       117
Wapiti     0
ZAP        111
36. Crawling Challenges 3/6
Features that scanners found difficult to crawl in WackoPicko:
3. Multi-step processes
  • No scanner was able to complete the process in PaS mode
  • Burp and ZAP were able to in Trained mode
37. Crawling Challenges 4/6
Features that scanners found difficult to crawl in WackoPicko:
4. Infinite websites
  • All scanners recognized the infinite loop except Arachni
  • Example: the calendar page links to the next day with the date parameter advanced by 86400 seconds, so the chain of URLs never ends: /calendar.php?date=1541454543 → /calendar.php?date=1541540943 → /calendar.php?date=1541627343 → …
38. Crawling Challenges 5/6
Features that scanners found difficult to crawl in WackoPicko:
5. Client-side code
  • Flash applications
  • Dynamic JavaScript
  • Ajax requests

WIVET Results (% of WIVET tests passed)
Mode      Arachni   Burp   Skipfish   Wapiti   Vega   ZAP
PaS       94        50     50         50       16     42
Trained   94        50     50         50       16     78
39. Crawling Challenges 6/6
Features that scanners found difficult to crawl in WackoPicko:
6. State-awareness
  • All the scanners exploited the SQL injection vulnerability in the login form, however none discovered any of the vulnerabilities that require authentication
  • Vulnerabilities that require authentication were only discovered in Trained mode
    • Credentials given
    • Logout link excluded
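The infinite website of slide 37 and the state-awareness problem of slide 39 are both crawler-side decisions, so here is one added crawler that makes both: it caps how many URLs it visits per "signature" (path plus parameter names), so a calendar that always links to the next day is visited a bounded number of times, and in trained mode it carries the session cookie obtained from the given credentials and never follows the logout link that would destroy that session. This is not code from the thesis or from any of the scanners studied. The site() stand-in, its login form and credentials, the session cookie value, the /users/ area and the calendar page are constructed; the calendar mimics the WackoPicko pattern of advancing the date parameter by 86400 seconds per link.

```python
"""Stateful crawler with an infinite-site guard and a logout exclusion.

Added example for slides 37 and 39; not code from the thesis or any scanner it
evaluates. SITE, the credentials, SESSION_COOKIE and the pages are constructed.
"""
import re
from collections import deque
from urllib.parse import parse_qs, urlsplit

SESSION_COOKIE = "sess-1"            # constructed session value
LOGOUT_PATH = "/users/logout.php"
DAY = 86400
START = 1541454543                   # first calendar timestamp from the slide


def site(url, cookie=None):
    """Constructed target: returns (status, html). Pages under /users/ need the session."""
    p = urlsplit(url)
    q = parse_qs(p.query)
    if p.path == "/":
        return 200, ('<a href="/calendar.php?date=%d">calendar</a> '
                     '<a href="/users/login.php">login</a> '
                     '<a href="/users/home.php">home</a>' % START)
    if p.path == "/calendar.php":
        d = int(q.get("date", ["0"])[0])
        # Infinite website: every calendar page links to the next day.
        return 200, '<a href="/calendar.php?date=%d">next day</a>' % (d + DAY)
    if p.path == "/users/login.php":
        return 200, ('<form method="post" action="/users/login.php">'
                     '<input name="username"><input name="password"></form>')
    if p.path == LOGOUT_PATH:
        return 200, "logged out"       # a real app would also invalidate the session
    if p.path.startswith("/users/"):
        if cookie != SESSION_COOKIE:
            return 302, '<a href="/users/login.php">login</a>'
        return 200, ('<a href="/users/home.php">home</a> '
                     '<a href="/users/upload.php">upload</a> '
                     '<a href="%s">logout</a>' % LOGOUT_PATH)
    return 404, ""


def login(username, password):
    """Constructed login: the credentials given in trained mode yield the session cookie."""
    return SESSION_COOKIE if (username, password) == ("scanner", "s3cret") else None


HREF = re.compile(r'href="([^"]+)"')


def signature(url):
    """Path plus sorted parameter names: all /calendar.php?date=... URLs share one."""
    p = urlsplit(url)
    return p.path + "?" + ",".join(sorted(parse_qs(p.query)))


def crawl(start, cookie=None, per_signature=5):
    """Breadth-first crawl. Returns the set of visited URLs.

    Skips the logout link (state-awareness) and stops visiting a signature once
    per_signature URLs of it have been seen (infinite-site guard).
    """
    seen, queue, per_sig = set(), deque([start]), {}
    while queue:
        url = queue.popleft()
        if url in seen or urlsplit(url).path == LOGOUT_PATH:
            continue
        sig = signature(url)
        if per_sig.get(sig, 0) >= per_signature:
            continue
        per_sig[sig] = per_sig.get(sig, 0) + 1
        seen.add(url)
        status, body = site(url, cookie)
        if status != 200:
            continue
        queue.extend(HREF.findall(body))
    return seen


if __name__ == "__main__":
    print("PaS     :", sorted(crawl("/")))
    print("Trained :", sorted(crawl("/", cookie=login("scanner", "s3cret"))))
```

The per-signature cap is a blunt instrument: it also truncates legitimate paginated listings, so production crawlers combine it with content similarity. It is, however, exactly the kind of rule whose absence lets a crawler run forever on a calendar, and the logout exclusion is the kind of rule that only a human configuring the scan knows to add, which is why the authenticated vulnerabilities surfaced only in trained mode.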
42. Conclusion
• Scanners are far from being usable as PaS tools only
• Several classes of vulnerabilities were not detected
• Scanners had difficulty crawling through common web architectures and web technologies
• Different scanners have different strengths/weaknesses
• Open-source scanner performance is comparable to commercial scanner performance and in several cases better
43. Last Words…
To secure a web application you need to find and stop ALL attack vectors, whereas to break a web application you just need to exploit ONE attack vector.
Web application vulnerability scanners are trying to solve a VERY hard problem!