IBM Software Group
© 2007 IBM Corporation

Performing a Web Application Security Assessment
Slide 2: Coordinate the Time of the Audit
- Set up a time window with the application owner
- Inform your security team
- Inform Web Operations (WebOps)
Slide 3: Scanning Environment
An automated security scan could potentially affect your application:
- Overload the web and application servers
- Cause denial of service
- Insert junk data, e.g. post messages on a message board, send multiple e-mails, etc.

It is preferable to scan applications in pre-production. Scan applications in production with caution.
Slide 4: Get to Know the Site
Site Model
- What would be a good starting point?
- Are there links to more than one host?
- Are there parts of the site that should be excluded from the scan?
- Is execution of JavaScript used for application flow?
- Does your site contain FLASH?
- Are there pages that require special user input?

Authentication
- What type of authentication does your web application use?
- Does your system allow concurrent logins?
- Does your authentication system disable your user account after x number of invalid login attempts?
Slide 5: Configuring and Running a Scan – Quick Scan UI
- Makes creating a scan simpler
- Scan is based on a predefined template
- User typically specifies:
  - Starting URL
  - Login sequence
  - Pages to Scan (Manual Explore)
Slide 6: Creating a Scan Walkthrough
Slide 7: Creating a Scan – Specify Name and Template
- Specify Name
- Specify Template
- Click Create
Slide 8: Creating a Scan – Recording a Login Sequence
- Click Record
- Allows ASE to authenticate to the application
Slide 9: Creating a Scan – Recording a Login Sequence (cont.)
- ASE Browser
- Login to your app/site
- Click the Stop button or close the browser
Slide 10: Creating a Scan – Specifying a Starting URL
- Starting point of the scan
Slide 11: Creating a Scan – Manual Explore
- Browse the application manually
  - Click on links
  - Input data
- The easiest way to define scan scope
- Use when scanning specific pages or a functional path
Slide 12: Creating a Scan – Running the Scan
- Click Save and Run
Slide 13: Viewing Scan Progress
- Status Icon
- Click on Stats
Slide 14: Scan Statistics
Key counters:
- Elapsed time
- Pages found
- Pages scanned
- Security entities found
- Security entities tested
- Security issue variants
- Security tests sent

Link to Log is enabled if problems occurred.
Slide 15: Viewing Results
- Status must be Ready
- Click on scan name
Slide 16: Working with Reports
- Report Pack Summary
- Report list depends on template
- Key reports:
  - Security Issues
  - Remediation Tasks
  - Pages
  - Broken Links
- Click on report name to view
Slide 17: Working with Reports – Setting Up Your View
- Group
- Show
- Search
- Layout
Slide 18: Working with Reports – Viewing Issue Details
- Click on Issue number
Slide 19: Working with Reports – Advisory
Explanation of the vulnerability:
- WASC Threat Classification
- Security Risk
- Possible Cause
- Technical Description
- Products Affected
- References and Relevant Links
Slide 20: Working with Reports – Fix Recommendation
How do you fix the problem?
- General Description
- ASP .NET Fix Recommendation
- J2EE Fix Recommendation
- PHP Recommendation
Slide 21: Working with Reports – Request / Response
- Issue variants
- Difference (hyperlink)
- Reasoning (hyperlink)
- Test HTTP Traffic
- Original HTTP Traffic
Slide 22: Working with Reports – Issue Management
Marking issue status:
- In Progress
- Noise
- Fixed
- Passed
- Open
Slide 23: Reviewing Test Results – Steps
Note: Test results MUST be reviewed for false positives. Start with the high priority items.

1. Click on the Issue Number link
2. Read the Advisory
3. Review the Request / Response tab
   a) Look at the reasoning highlighted text in the Test HTTP response
   b) If you are not convinced that this is a vulnerability:
      1. Look at the difference
      2. Try to understand what the test is doing (go back to the advisory)
      3. Look at the test response
      4. Look at the original traffic – make sure it is valid (esp. was the page in session)
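The review steps above boil down to two checks a reviewer repeats for every finding: was the original request actually served as an in-session page (a login redirect or timeout page makes the whole variant meaningless), and what exactly differs between the original and the test response. The following Python script, an added example and not part of the IBM deck or of ASE, automates both checks offline on captured traffic. The `HttpResponse` class, the `LOGIN_PATH_HINTS`/`LOGIN_BODY_HINTS` markers and the sample responses are all assumptions constructed for the example; a real review would tune the markers to the application's own login page.

```python
"""Offline triage helper for a scanner's Request/Response tab.

Mirrors the slide's review steps: confirm the original traffic was an
in-session page, then show the difference between original and test
responses so the reviewer can compare it with the advisory's reasoning.
All sample traffic below is constructed for this example.
"""
import difflib
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class HttpResponse:
    """Minimal stand-in for a captured HTTP response (hypothetical type)."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


# Hypothetical markers of a lost or missing session; tune per application.
LOGIN_PATH_HINTS = ("/login", "/signin", "/logon")
LOGIN_BODY_HINTS = ("please log in", "session expired", "session has timed out")


def in_session(resp: HttpResponse) -> bool:
    """True if the response looks like an authenticated page, not a login bounce."""
    location = resp.headers.get("Location", "").lower()
    if resp.status in (301, 302, 303, 307) and any(h in location for h in LOGIN_PATH_HINTS):
        return False
    if resp.status in (401, 403):
        return False
    body = resp.body.lower()
    return not any(h in body for h in LOGIN_BODY_HINTS)


def response_diff(original: HttpResponse, test: HttpResponse) -> List[str]:
    """Only the added/removed body lines: what the 'Difference' link highlights."""
    return [
        line
        for line in difflib.unified_diff(
            original.body.splitlines(), test.body.splitlines(),
            fromfile="original", tofile="test", lineterm="", n=0)
        if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))
    ]


def triage(original: HttpResponse, test: HttpResponse) -> Dict[str, object]:
    """Summarise what must be checked before the issue is classified."""
    verdict: Dict[str, object] = {
        "original_in_session": in_session(original),
        "test_in_session": in_session(test),
        "changed_lines": response_diff(original, test),
    }
    if not verdict["original_in_session"]:
        # Step 4 of the slide: invalid original traffic invalidates the variant.
        verdict["note"] = "Original page was not in session; re-record the login and rescan before classifying"
    elif not verdict["changed_lines"]:
        verdict["note"] = "Test response identical to original; likely Noise"
    else:
        verdict["note"] = "Review changed lines against the advisory's reasoning"
    return verdict


# Constructed sample traffic (not captured from any real site).
ORIGINAL = HttpResponse(200, {"Content-Type": "text/html"},
                        "<html><body>\n<h1>Account summary</h1>\n<p>Balance: 100</p>\n</body></html>")
TEST = HttpResponse(200, {"Content-Type": "text/html"},
                    "<html><body>\n<h1>Account summary</h1>\n<p>An error occurred in the database layer</p>\n</body></html>")
LOGIN_BOUNCE = HttpResponse(302, {"Location": "/login.jsp?expired=1"}, "")

if __name__ == "__main__":
    for key, value in triage(ORIGINAL, TEST).items():
        print(f"{key}: {value}")
```

Running the script against `ORIGINAL` and `TEST` reports both pages in session and a single changed body line, which is the text to read alongside the advisory's reasoning; pairing `LOGIN_BOUNCE` with any test response produces the "not in session" note, the situation in which the variant should not be classified at all until the login sequence is re-recorded.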
Slide 24: Reviewing Test Results
- False Positives
- False Negatives
Slide 25: Lab: Setting up and Running a Scan
1. Create a scan for http://demo.testfire.net
2. Use Manual Explore test policy
3. Run the scan
4. View your reports
5. Set up your report view
6. Examine a vulnerability of each of the following types:
   a) XSS
   b) SQL Injection
   c) SQL Injection on the login page
7. Classify the issues
Slide 26: Advanced Scan Options Explained
- Servers and Domains / URL Normalization
- Dynamic Components
- Custom Error Pages
- Automatic Form Fill
- Connection Settings
- Network Connection
- Scheduling
- Log Settings