Why Johnny Can't Pentest (talk slides, University of Birmingham: tpc/isecsem/talks/sa.pdf)
TRANSCRIPT
-
Why Johnny Can’t Pentest:
An Analysis of Black-box Web Vulnerability Scanners
Adam Doupe , Marco Cova and Giovanni Vigna
Said Alriyami
-
Introduction
• Black-box web vulnerability scanner
• Point-and-click pentesting
• 11 black-box tools tested in the paper
• They fail to detect a significant number of vulnerabilities. Why?
-
OWASP Top 10 List 2010
• A1: Injection
• A2: Cross-Site Scripting (XSS)
• A3: Broken Authentication and Session Management
• A4: Insecure Direct Object References
• A5: Cross-Site Request Forgery (CSRF)
• A6: Security Misconfiguration
• A7: Insecure Cryptographic Storage
• A8: Failure to Restrict URL Access
• A9: Insufficient Transport Layer Protection
• A10: Unvalidated Redirects and Forwards
-
How to Test?
• XSS
• SQL Injection
• Code Injection
• Broken Access Controls
-
How does it work?
• Consisting of three main modules:
  1. Crawler Module
  2. Attacker Module
  3. Analysis Module
-
• URL
• Input points (GET parameters, form inputs, file uploads)
• Values used to attack a vulnerability
• Predefined values
• Detect vulnerabilities
• Feedback
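To make the three-module split concrete, here is an added example (not code from the slides or from the paper) of an attacker module and an analysis module working over input points that a crawler module would hand over. The target is a constructed in-process mock application with one reflected XSS flaw and one SQL error disclosure, so the script runs offline; the names MockApp-style function mock_app, InputPoint, Finding, PAYLOADS and the SQL error pattern are all assumptions made for this example.

```python
"""Added example: attacker + analysis modules of a black-box web scanner.
Not from the slides or the paper; the target is a constructed mock app."""
import html
import re
from dataclasses import dataclass


@dataclass
class InputPoint:
    """An input point the crawler module would have discovered (assumed shape)."""
    url: str
    method: str
    params: dict


@dataclass
class Finding:
    url: str
    param: str
    vuln: str
    payload: str


# Predefined attack values per vulnerability class (the scanner's built-in list).
MARKER = "zx7q"  # unique token so a reflection can be recognised in the response
PAYLOADS = {
    "reflected_xss": [f"<{MARKER}>"],
    "sql_injection": ["'"],
}
# Analysis-module signature: database error text leaking into the response.
SQL_ERROR_RE = re.compile(
    r"You have an error in your SQL syntax|SQLSTATE\[|syntax error at or near", re.I
)


def mock_app(url, method, params):
    """Constructed stand-in for the application under test (three handlers)."""
    if url == "/search":
        q = params.get("q", "")
        return 200, f"<html>Results for {q}</html>"  # reflects q unescaped
    if url == "/comment":
        text = params.get("text", "")
        return 200, f"<html>{html.escape(text)}</html>"  # output-encoded
    if url == "/pictures":
        pid = params.get("id", "0")
        if "'" in pid:
            return 500, "You have an error in your SQL syntax near ''' at line 1"
        return 200, "<html>picture</html>"
    return 404, "not found"


def analyse(vuln, payload, status, body):
    """Analysis module: decide from the response whether the attack succeeded."""
    if vuln == "reflected_xss":
        # Only an intact tag counts; an encoded reflection (&lt;zx7q&gt;) is
        # feedback that the application escaped the value.
        return payload in body
    if vuln == "sql_injection":
        return status >= 500 or bool(SQL_ERROR_RE.search(body))
    return False


def attack(point, send=mock_app):
    """Attacker module: substitute each predefined value into each parameter."""
    findings = []
    for name in point.params:
        for vuln, payloads in PAYLOADS.items():
            for payload in payloads:
                params = dict(point.params)
                params[name] = payload
                status, body = send(point.url, point.method, params)
                if analyse(vuln, payload, status, body):
                    findings.append(Finding(point.url, name, vuln, payload))
    return findings


def scan(points, send=mock_app):
    """Run the attacker module over every input point and collect findings."""
    return [f for p in points for f in attack(p, send)]


# Constructed input points, standing in for the crawler module's output.
INPUT_POINTS = [
    InputPoint("/search", "GET", {"q": "cat"}),
    InputPoint("/comment", "POST", {"text": "hello"}),
    InputPoint("/pictures", "GET", {"id": "1"}),
]

if __name__ == "__main__":
    for f in scan(INPUT_POINTS):
        print(f"{f.vuln:14} {f.url} param={f.param!r} payload={f.payload!r}")
```

The feedback loop the slide mentions is visible in `analyse`: the same marker payload yields a finding on `/search` but not on `/comment`, because the analysis module checks what came back rather than assuming the injection worked. Real scanners differ mainly in how rich the predefined value lists and the response signatures are, which is exactly where the paper finds them lacking.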
-
How can we test them?
• Applications that deliberately contain vulnerabilities
  • HacmeBank
  • WebGoat
• Applications designed to test scanners
  • SiteGenerator
• Older versions of open-source applications with known vulnerabilities
• Or?
-
Create your own
-
Design of WackoPicko
• Authentication
• Upload pictures
• Comment on pictures
• Purchase pictures
• Search
• Guestbook
• Admin area
-
Publicly Accessible Vulnerabilities
• Reflected XSS
• Stored XSS
• Session ID
• Weak password
• Reflected SQL Injection
• Command Line Injection
• File Inclusion
• Unauthorized File Exposure
• Reflected XSS Behind JavaScript
• Parameter Manipulation
-
Vulnerabilities Requiring Authentication
• Stored SQL Injection
• Multi-Step Stored XSS
• Forceful Browsing
• Logic Flaw
• Reflected XSS Behind Flash
-
Apps under test
-
Modes of Test
• INITIAL
• CONFIG
• MANUAL
-
Detection Results
-
True positives & False negatives
-
Running Time
74 Seconds (Burp)
6 Hours (N-Stalker)
-
Final Ranking
-
Crawling Challenges
• HTML Parsing
• Multi-Step Process
• Infinite Web Site
• Authentication
• Client-side Code
• Link Extraction
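Three of these challenges (HTML parsing, link extraction, and an infinite web site) can be shown in a small crawler module. The following is an added example, not code from the slides or the paper: the site is a constructed in-process mock whose calendar page links to the next month forever, and the crawler stops after a fixed number of URLs that share the same structure (path plus parameter names). The names mock_site, LinkExtractor, structural_key and crawl, and the limits, are assumptions made for this example.

```python
"""Added example: a crawler module facing HTML parsing, link extraction and
an infinite web site.  Not from the slides or the paper; mock site is
constructed for the example."""
from collections import deque
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urljoin, urlparse


class LinkExtractor(HTMLParser):
    """HTML parsing + link extraction: collects <a href>, <form action> and
    the input names inside each form (the form is an input point)."""

    def __init__(self):
        super().__init__()
        self.links, self.forms = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self.forms.append({
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").upper(),
                "inputs": [],
            })
        elif tag == "input" and self.forms and a.get("name"):
            self.forms[-1]["inputs"].append(a["name"])


def mock_site(url):
    """Constructed site: /calendar?month=N always links to month N+1."""
    p = urlparse(url)
    if p.path == "/":
        return ('<a href="/calendar?month=1">calendar</a>'
                '<a href="/about">about</a>'
                '<form action="/search" method="get"><input name="q"></form>')
    if p.path == "/calendar":
        month = int(dict(parse_qsl(p.query)).get("month", "1"))
        return f'<a href="/calendar?month={month + 1}">next</a>'
    if p.path == "/about":
        return "<p>about</p>"
    return ""


def structural_key(url):
    """URLs differing only in parameter values share a key, so
    /calendar?month=1 and /calendar?month=2 are one page structure."""
    p = urlparse(url)
    return (p.path, tuple(sorted(k for k, _ in parse_qsl(p.query))))


def crawl(start, fetch=mock_site, max_per_structure=3, max_pages=50):
    """Breadth-first crawl that stops following a page structure after
    max_per_structure distinct URLs of it, so an infinite site terminates.
    Returns (visited URLs in order, input points for the attacker module)."""
    seen, order, counts, points = set(), [], {}, {}
    queue = deque([start])
    while queue and len(order) < max_pages:
        url = queue.popleft()
        if url in seen:
            continue
        key = structural_key(url)
        if counts.get(key, 0) >= max_per_structure:
            continue  # infinite-site guard: enough samples of this structure
        counts[key] = counts.get(key, 0) + 1
        seen.add(url)
        order.append(url)
        p = urlparse(url)
        if p.query:  # GET parameters on a link are an input point too
            points[(p.path, "GET", key[1])] = None
        parser = LinkExtractor()
        parser.feed(fetch(url))
        for href in parser.links:
            queue.append(urljoin(url, href))
        for form in parser.forms:
            action = urlparse(urljoin(url, form["action"])).path
            points[(action, form["method"], tuple(sorted(form["inputs"])))] = None
    return order, list(points)


if __name__ == "__main__":
    visited, input_points = crawl("http://example.test/")
    print(len(visited), "pages visited")
    for point in input_points:
        print(point)
```

Without the structural limit the queue never empties on the calendar page, which is the infinite-web-site problem the slide names. The remaining challenges are not addressed here: a multi-step process needs the crawler to replay state across requests, authentication needs credentials or a recorded session, and client-side code needs a JavaScript engine rather than an HTML parser, which is why a parser-only crawler like this one misses links that only exist after script execution.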
-
WIVET results
-
DEMO