Integrating Web Application Penetration Testing into Your

Vulnerability Management Program

Rich MogullSecurosis, L.L.C.

ecurosis.com

Top Threats

ClientsideWeb Applications

ecurosis.com

Why Web Applications Are Such a Problem

• Rapid development with limited QA

• Eternal beta cycles

• Un(security)trained developers

• New vulnerability classes

• Insecure browsers

• Inherent insecurity of web model

ecurosis.com

Major Webapp AttacksBreaking Trust Relationships

Cross Site Scripting

Cross Site Request Forgery

SQL InjectionBrowser Server

ecurosis.com

Cross Site Scripting

2) Malicious script stored

Stored

1

2) User follows to

trusted site

3) Malicious script injected

by site

Reflected

1) Malicious URL

23

Victim VictimAttacker Attacker

ecurosis.com

Cross Site Request Forgery

Script/link to submit

transaction to trusted site

Malicious transactions

Session 1

Authenticates

Session 2 StealthSession

ecurosis.com

SQL Injection

SQL Statement

Statement: “SELECT * FROM users WHERE name = '" + uName + "‘ AND password =

‘” + upass + “’;”

admin‘--

Attack Input

SELECT * FROM users WHERE name = ‘admin’-- "‘ AND password = ‘” + upass

+ “’;”

Executed Statement

ecurosis.com

Accidental/Directory Traversal

+ Or - “/” =

ecurosis.com

How we used to manage web applications

ecurosis.com

Vulnerability Management

ecurosis.com

Web Application Security Program Overview

ecurosis.com

Application Security Lifecycle

ecurosis.com

Development Phases

ecurosis.com

Integration

Pla$ormvulns

ecurosis.com

Integration

Pla$ormvulns

ecurosis.com

Limitations of static analysis/scanning

• Can’t catch everything

• No validation

• No exploitability/Impact

• Miss logic flaws

• Fire and forget

• The bad guys don’t use them

ecurosis.com

Best Practices for Web App Pen Testing

• Begun testing in the development process.

• Use a combination of tools and manual process.

• Include traditional pen testing of the underlying platform.

• Perform periodic testing post-deployment, especially as new exploits appear.

ecurosis.com

Adapting your program for the long term

• Understand the different requirements of web application vulnerability management.

• Establish web application configuration standards and begin enforcement during development.

• Include code and vulnerability scanning, but you cannot skip penetration testing.

ecurosis.com

Integrating Web Application Penetration Testing into Your

Vulnerability Management Program

Rich MogullSecurosis, L.L.C.

http://securosis.comrmogull@securosis.com