Web Application Testing with AppScan
Terry Labach
Source: ist.uwaterloo.ca/~tlabach/watitis/Web-app-scanning-with-appscan.pdf
![Page 2: Web Application Testing with AppScanist.uwaterloo.ca/~tlabach/watitis/Web-app-scanning-with-appscan.pdfOutline • The state of affairs • Risks and attacks • AppScan at UW •](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f45319634e45704ba33dc50/html5/thumbnails/2.jpg)
"If you spend more on coffee than on Web application security, you will be hacked. What's more, you deserve to be hacked."
- Richard Clarke, Former White House Advisor on Cyberterrorism and Cybersecurity
2010 | The Sky’s the Limit
![Page 3: Web Application Testing with AppScanist.uwaterloo.ca/~tlabach/watitis/Web-app-scanning-with-appscan.pdfOutline • The state of affairs • Risks and attacks • AppScan at UW •](https://reader033.fdocuments.us/reader033/viewer/2022050107/5f45319634e45704ba33dc50/html5/thumbnails/3.jpg)
Introduction
• What are the issues?
• How can UW support secure Web application development?
• How can involved parties work together?
Outline
• The state of affairs
• Risks and attacks
• AppScan at UW
• AppScan scanning example
• Software engineering for the web
• Questions
Web application security is no longer optional
• UW administration concerned about last IT audit
• IT professionalism now includes security
The old Web
"First we thought the PC was a calculator. Then we found out how to turn numbers into letters with ASCII -- and we thought it was a typewriter. Then we discovered graphics, and we thought it was a television. With the World Wide Web, we've realized it's a brochure."
- Douglas Adams
The new Web
The new Web
• Shopping mall, office, movie theatre, communications hub, self-marketing firm
• We are expected to make more services available on the web
• Financial, medical, personal information increasingly used in web transactions
• Clients interact with our internal systems
Risks on the new Web
Risks
• Theft of personal information
• Identity theft
• Financial losses
• Intellectual Property losses
• Damage to UW's reputation
• Legal requirements to notify breach victims
Vulnerabilities
• Technical
  • OS, server design flaws
• Logical
  • Application logic design flaws
  • Failing to account for malicious/incompetent users
Attacks
• Technical
  • XSS, SQL injection
• Logical
  • authorization errors
SQL injection
Cross-site scripting
Authentication and authorization errors
Why scan?
• Mimics the attack of the hacker
• No substitute for proper application development
Scanning methods
• Manual
• Automatic
Scanning methods
• Manual
  • Penetration (“pen”) testing
  • Requires human expert
  • Slow, error-prone
  • Can be insightful
Scanning methods
• Automatic
  • Faster
  • Complete list of tests
  • Not as perceptive as human tester
What scanning can do
• Black box scanning
• Works with any:
  • Language
  • Application server
  • Web server
What scanning can't do
• White box scanning (can't help with source code issues without additional software)
• Can't be integrated early in the development process
• Requires functional web site
IST Web application testing
AppScan
• IBM product
• Selected by IST in 2009 to provide testing services
• IST staff will scan your web application as part of your testing process
• No charge
Preparing your site for testing
• Test instance of application
• Be ready for disaster
• Backups of all code, data
• Allow access to scan server (firewall, .htaccess)
• Method to recreate the web site
The scanning process
• Explore
  • Spider traverses site and learns about structure
• Test
  • Attacks made on site
• Report findings
AppScan demonstration
• IBM provides sample web application to test
• Altoro Mutual
• http://demo.testfire.net
• User: jsmith
• Password: demo123
Running AppScan
• URL
• Scan wizard
• Login method
  • Recorded - go through process for scan
  • Prompt - record initial location, then enter as needed
  • Automatic - use entered name, password when required
  • None - when authentication not used (or ignored)
• Test policy
Running AppScan
• Complete scan
  • full auto scan
  • auto explore
  • manual explore (embedded browser)
    • allows limiting scan to part of site or ensuring it follows a set path
  • scan later (scheduled)
  • scan expert
    • does short scan to evaluate settings
    • may suggest configuration changes
Running AppScan
• Scan results
  • Views
  • Reports
    • Remediation
    • Regulatory
    • OWASP
    • Custom
Thoughts on software engineering for the web
• Basic SE principles still apply
• Development-Test-Production environments
• Use commercial solutions rather than coding your own where reasonable
• Application development must be planned and managed
Thoughts on software engineering for the web
• Add security from the beginning
• Publish only desired files
• Define what is good input and limit to that, rather than trying to strip out bad input.
• “good enough” isn't – the risks are too great
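The allowlist principle on this slide, as an added Python example that is not the deck's or AppScan's code: each field accepts only what is defined as good, and a strip-the-bad filter is shown beside it to illustrate why the slide prefers the allowlist. The field names and patterns are assumptions made for the example.

```python
import re

# Allowlist validation as the slide recommends: define what good input looks
# like for each field and accept nothing else. Field names and patterns are
# constructed for this example; a real form defines its own.
ALLOWED = {
    "username":   re.compile(r"[a-z][a-z0-9]{2,15}"),
    "student_id": re.compile(r"[0-9]{8}"),
    "amount":     re.compile(r"[0-9]{1,7}(\.[0-9]{2})?"),
}

def validate(field: str, value: str) -> bool:
    """True only if the entire value matches the field's allowlist pattern."""
    pattern = ALLOWED.get(field)
    if pattern is None:
        return False  # unknown field: reject rather than guess
    return pattern.fullmatch(value) is not None

def check_form(form: dict) -> dict:
    """Map each submitted field to its verdict; reject the request on any False."""
    return {field: validate(field, value) for field, value in form.items()}

def strip_bad(value: str) -> str:
    """The blocklist approach the slide warns against: delete a known-bad token.
    One pass removes the token, but the text around it can reassemble it."""
    return re.sub(r"(?i)<script>", "", value)

if __name__ == "__main__":
    print(check_form({"username": "jsmith", "student_id": "20201234"}))
    print(repr(strip_bad("<scr<script>ipt>")))  # stripping leaves "<script>"
```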
References
• IBM AppScan
  • http://www.ibm.com/software/awdtools/appscan/standard/
• OWASP
  • http://www.owasp.org
• IST IT Security team
  • http://ist.uwaterloo.ca/security/
• Quotation of the Day
  • http://quotationofthedaylist.blogspot.com/
Questions?