EVALUATION OF WEB APPLICATION VULNERABILITY SCANNERS’ STRENGTHS AND LIMITATIONS USING CUSTOM WEB APPLICATION
By: Yuliana Martrosyan
Advisor: Dr. Levent Ertaul
Posted 16-Jul-2015


GOAL OF THE THESIS

How effective are WAVS (web application vulnerability scanners) at addressing security concerns in web applications?

Develop a custom test bed that implements the vulnerabilities found in web applications.

Assess the results to suggest areas that require research to improve the WAVS detection rate.

OWASP TOP 10 PROJECT

Scanners evaluated: ACUNETIX WVS, QUALYS WAS

Modeling User Behavior

Create Account
Update Account
Create Shopping Cart
Check Product Review
Add Product Review
Recover Password
Partners’ Newsletters
Subscribe to Mailing List

MusicStore implements 55 variations of OWASP Top 10 Vulnerabilities

First Order SQLI

    // Request parameters are concatenated straight into the query text (first-order SQLI)
    String query = "SELECT Password FROM v_UserPass"
        + " WHERE v_UserPass.EmailAddress = '" + emailAddress + "'"
        + " AND v_UserPass.Answer = '" + answer + "'";

First Order SQLI: results

Acunetix WVS: Missed all SQLI. Not all of the required fields were filled.

QualysGuard WAS: First-Order SQLI was detected.

Second Order SQLI

    // The stored answer is read back later and concatenated into the UPDATE (second-order SQLI)
    String query = "UPDATE v_UserPass SET "
        + "Password = ?"
        + ", Answer = " + "'" + answer + "' "
        + "WHERE EmailAddress = '" + emailAddress + "'";

Second Order SQLI: results

Both Acunetix WVS and QualysGuard WAS missed all Second Order SQLI.
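The two query-building patterns shown on the poster, transcribed into Python against an in-memory SQLite table so the vulnerable form and a parameterized form can be run side by side. This is an added example, not code from the MusicStore application: the name v_UserPass comes from the slides, but its columns, the sample record, the e-mail address and the function names are assumptions. The demo uses an ordinary recovery answer containing an apostrophe rather than an attack string. The same fragility that lets injected input change the statement makes a legitimate value break it, and in the second-order case the fault appears in the password-reset step rather than in the request that stored the value, which is why a scanner that only fuzzes the registration form does not observe it.

```python
import sqlite3


def make_db():
    # Constructed schema: the view name v_UserPass is from the slides; columns are assumed.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE v_UserPass ("
        "EmailAddress TEXT PRIMARY KEY, Password TEXT, Answer TEXT)"
    )
    return conn


def register(conn, email, password, answer):
    # Account creation stores the recovery answer through a bound parameter, so any
    # character the user typed (including a quote) lands in the table unchanged.
    conn.execute("INSERT INTO v_UserPass VALUES (?, ?, ?)", (email, password, answer))
    conn.commit()


def recover_password_vulnerable(conn, email, answer):
    # First-order pattern from the slide: request parameters are concatenated into
    # the SELECT, so the database parses user-supplied text as SQL.
    query = (
        "SELECT Password FROM v_UserPass WHERE v_UserPass.EmailAddress = '"
        + email + "' AND v_UserPass.Answer = '" + answer + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def recover_password_safe(conn, email, answer):
    # Hardened form: values travel as bound parameters and are never parsed as SQL.
    row = conn.execute(
        "SELECT Password FROM v_UserPass WHERE EmailAddress = ? AND Answer = ?",
        (email, answer),
    ).fetchone()
    return row[0] if row else None


def reset_password_vulnerable(conn, email, new_password):
    # Second-order pattern from the slide: the Answer read back from the table
    # (stored safely earlier) is concatenated into the UPDATE. The request that
    # triggers the fault carries no suspicious parameter at all.
    row = conn.execute(
        "SELECT Answer FROM v_UserPass WHERE EmailAddress = ?", (email,)
    ).fetchone()
    if row is None:
        return False
    query = (
        "UPDATE v_UserPass SET Password = ?, Answer = '" + row[0] + "' "
        "WHERE EmailAddress = '" + email + "'"
    )
    conn.execute(query, (new_password,))
    conn.commit()
    return True


def reset_password_safe(conn, email, new_password):
    # Hardened form: the stored answer never needs to be re-sent as SQL text.
    cur = conn.execute(
        "UPDATE v_UserPass SET Password = ? WHERE EmailAddress = ?",
        (new_password, email),
    )
    conn.commit()
    return cur.rowcount == 1


def run_demo():
    """Run each variant on a fresh table holding one constructed user whose answer is O'Brien."""
    results = {}
    cases = [
        ("first_order_vulnerable", recover_password_vulnerable, ("hs@hs.com", "O'Brien")),
        ("first_order_safe", recover_password_safe, ("hs@hs.com", "O'Brien")),
        ("second_order_vulnerable", reset_password_vulnerable, ("hs@hs.com", "newpw")),
        ("second_order_safe", reset_password_safe, ("hs@hs.com", "newpw")),
    ]
    for label, fn, args in cases:
        conn = make_db()
        register(conn, "hs@hs.com", "oldpw", "O'Brien")  # constructed sample record
        try:
            results[label] = fn(conn, *args)
        except sqlite3.Error as exc:
            # The concatenated statements fail to parse: the user's text became SQL.
            results[label] = "query_error: " + str(exc)
        conn.close()
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(label, "->", outcome)
```

Both concatenated variants raise a parse error on the apostrophe while both parameterized variants succeed; the second-order failure only appears when the reset step runs, which is the stage a crawl-and-fuzz scanner has to reach and re-check to notice it.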

Cross-Site Scripting (XSS)

Acunetix WVS: Missed Persistent XSS. Unable to find the payload.

QualysGuard WAS: Detected most Non-Persistent and Persistent XSS.

DOM XSS

Acunetix WVS: Detected all AJAX XSS and most Non-Persistent XSS.

QualysGuard WAS: Missed all AJAX vulnerabilities. Detected some other DOM vulnerabilities.

GET Request:

http://vulnerablewebapp.com/email/addToEmailList?firstName=%3CIFRAME%20src=javascript:alert(%27firstName%20XSS%27)%20/%3E&lastName=Simpson&emailAddress=hs@hs.com
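An added example (not code from the MusicStore application) that takes the GET request above, decodes its parameters, and renders them two ways: echoed unencoded, as the vulnerable mailing-list page does, and HTML-encoded. It also stores the record and renders a separate subscriber-list page, which is the persistent case Acunetix WVS missed, and includes the kind of re-fetch check a scanner needs to confirm that an injected tag actually survived into the markup. The subscriber list, the page layouts and all function names are assumptions; the request URL is the one on the poster.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# The GET request shown on the poster.
POSTER_REQUEST = (
    "http://vulnerablewebapp.com/email/addToEmailList"
    "?firstName=%3CIFRAME%20src=javascript:alert(%27firstName%20XSS%27)%20/%3E"
    "&lastName=Simpson&emailAddress=hs@hs.com"
)


def parse_request(url):
    """Decode the query string into a dict of single values (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def subscribe(subscribers, params):
    # Constructed stand-in for the mailing list: the submitting page stores the record,
    # and a different page (the subscriber list) renders it later.
    subscribers.append({"firstName": params["firstName"],
                        "lastName": params["lastName"],
                        "emailAddress": params["emailAddress"]})
    return len(subscribers)


def render_confirmation_vulnerable(params):
    # Non-persistent case: the request parameter is echoed into HTML unencoded.
    return "<p>Thanks, " + params["firstName"] + " " + params["lastName"] + "!</p>"


def render_confirmation_safe(params):
    # HTML-context output encoding; quote=True also encodes ' and " so the same
    # helper is safe inside attribute values.
    return "<p>Thanks, {} {}!</p>".format(
        html.escape(params["firstName"], quote=True),
        html.escape(params["lastName"], quote=True),
    )


def render_subscribers_vulnerable(subscribers):
    # Persistent case: stored names are rendered unencoded on a second page.
    return "<ul>" + "".join(
        "<li>%s %s</li>" % (s["firstName"], s["lastName"]) for s in subscribers
    ) + "</ul>"


def render_subscribers_safe(subscribers):
    return "<ul>" + "".join(
        "<li>%s %s</li>" % (html.escape(s["firstName"], quote=True),
                             html.escape(s["lastName"], quote=True))
        for s in subscribers
    ) + "</ul>"


def injected_tag_present(page_html, tag="iframe"):
    """Scanner-side verification on a re-fetched page: True only if a real <tag ...>
    element is in the markup. Encoded text such as '&lt;IFRAME' does not match,
    so output encoding counts as a fix rather than a missed finding."""
    return re.search(r"<\s*%s\b" % re.escape(tag), page_html, re.IGNORECASE) is not None


def run_demo():
    params = parse_request(POSTER_REQUEST)
    subscribers = []
    subscribe(subscribers, params)
    return {
        "reflected_vulnerable": injected_tag_present(render_confirmation_vulnerable(params)),
        "reflected_safe": injected_tag_present(render_confirmation_safe(params)),
        "stored_vulnerable": injected_tag_present(render_subscribers_vulnerable(subscribers)),
        "stored_safe": injected_tag_present(render_subscribers_safe(subscribers)),
    }


if __name__ == "__main__":
    for page, hit in run_demo().items():
        print(page, "->", "tag present" if hit else "clean")
```

The stored case is the instructive one: the request that carries the value and the page that renders it are different URLs, so a scanner that checks only the response to its own request reports nothing, which matches the "unable to find the payload" result on the poster.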

Broken Authentication and Session Management

Both scanners missed the Weak Password Recovery Model vulnerability.

Both scanners found the Brute Force attack vulnerability.

INSECURE DIRECT OBJECT REFERENCE

Both scanners detected it.

Cross Site Request Forgery (CSRF)

Most vulnerabilities were missed by both scanners due to an incomplete crawling phase.

QualysGuard WAS reported numerous duplicated CSRF findings marked as ‘clickjacking’ vulnerabilities.

SECURITY MISCONFIGURATION

QualysGuard detected a DoS attack possibility.

Data submission HTTP methods should be tested.

INSECURE CRYPTOGRAPHIC STORAGE AND INSUFFICIENT TRANSPORT LAYER PROTECTION

Non-Encrypted Storage
Displaying passwords while typing
No ‘secure’ and ‘HTTPOnly’ cookies
No SSL with Log In
No SSL with Confidential Info

Both scanners recommend setting the ‘secure’ flag on the application cookies.

Both scanners should test for insecure handling of confidential data.
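An added example, not code from either scanner or from MusicStore, showing the cookie finding above from both sides: a helper that emits a session cookie with the Secure and HttpOnly attributes set, and an audit function of the kind a scanner (or a deployment check) runs over Set-Cookie header values to report which of the two attributes is missing. The cookie name JSESSIONID and the sample header values are constructed.

```python
from http.cookies import SimpleCookie


def build_session_cookie(name, value, secure=True, httponly=True):
    """Return a Set-Cookie header value; the defaults give the hardened form."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    if secure:
        jar[name]["secure"] = True      # only sent over TLS
    if httponly:
        jar[name]["httponly"] = True    # not readable from script (limits XSS impact)
    return jar[name].OutputString()


def audit_set_cookie(header_value):
    """List the attributes missing from one Set-Cookie value, among Secure and HttpOnly.
    Attribute names are case-insensitive per RFC 6265, so the comparison lowercases."""
    attrs = {
        part.strip().split("=", 1)[0].lower()
        for part in header_value.split(";")[1:]
        if part.strip()
    }
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    return missing


def audit_response(headers):
    """Audit every Set-Cookie header in a list of (name, value) pairs.
    Returns {cookie_name: [missing attributes]} for cookies with a finding."""
    findings = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        missing = audit_set_cookie(value)
        if missing:
            findings[cookie_name] = missing
    return findings


# Constructed sample response headers: a session cookie set without either flag,
# a tracking cookie with only HttpOnly, and one emitted by the hardened helper.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/"),
    ("Set-Cookie", "lastProduct=42; Path=/; HttpOnly"),
    ("Set-Cookie", build_session_cookie("cart", "xyz789")),
]


if __name__ == "__main__":
    for cookie, missing in audit_response(SAMPLE_HEADERS).items():
        print(cookie, "missing:", ", ".join(missing))
```

The Secure attribute only has an effect once the login and confidential pages are served over TLS, which is the "No SSL with Log In" finding in the same list; setting the flag on a site that still accepts plain HTTP leaves the cookie unusable rather than protected.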

FAILURE TO RESTRICT URL ACCESS

Both scanners failed to detect the hidden link.

Advanced forced browsing should be performed.

UN-VALIDATED REDIRECT AND FORWARD

QualysGuard WAS found the flaw.

Acunetix WVS should spider the site to see if it generates any redirects.

DETECTED AND FALSE POSITIVES

(Two bar charts, one per scanner, QualysGuard WAS and Acunetix WVS, each with Detected and FP series; the y-axis scales are 0 to 100 and 0 to 250, and the bar values are not recoverable from the transcript.)

GROUP RESULTS

(Bar chart: Detection Rate, 0 to 100, per OWASP vulnerability group V1 through V10; the bar values are not recoverable from the transcript.)

PUBLICATIONS

L. Ertaul, Y. Martirosyan, "Implementation of a WEB Application for Evaluation of WEB Application Security Scanners", Proceedings of the 2012 International Conference on Security & Management (SAM’12), July, Las Vegas.

CONCLUSION

Improve crawling functionality.

Re-index the pages of the target application after the attack to detect the payload.

Check all possible attack vectors, then report the vulnerability and the reproduction steps.

Use WAVS as a group.

MUSICSTORE ARCHITECTURE

(Diagram: Client side with HTML and AJAX/JS sends a Request to the Server side, JSP and Java, which queries the SQL Database and returns the Response.)