Why Johnny Can't Pentest: An Analysis of Black-box Web Vulnerability Scanners. Adam Doupé, Marco Cova and Giovanni Vigna. Said Alriyami


TRANSCRIPT

  • Why Johnny Can't Pentest: An Analysis of Black-box Web Vulnerability Scanners

    Adam Doupé, Marco Cova and Giovanni Vigna

    Said Alriyami

  • Introduction

    •  Black-box web vulnerability scanner
    •  Point-and-click pentesting
    •  11 black-box tools tested in the paper
    •  They fail to detect a significant number of vulnerabilities. Why?

  • OWASP Top 10 List 2010

    •  A1: Injection
    •  A2: Cross-Site Scripting (XSS)
    •  A3: Broken Authentication and Session Management
    •  A4: Insecure Direct Object References
    •  A5: Cross-Site Request Forgery (CSRF)
    •  A6: Security Misconfiguration
    •  A7: Insecure Cryptographic Storage
    •  A8: Failure to Restrict URL Access
    •  A9: Insufficient Transport Layer Protection
    •  A10: Unvalidated Redirects and Forwards

  • How to Test?

    •  XSS
    •  SQL Injection
    •  Code Injection
    •  Broken Access Controls

  • How does it work?

    •  Consisting of three main modules:
       1.  Crawler Module
       2.  Attacker Module
       3.  Analysis Module
    •  URL
    •  Input points (GET, Input, Upload file)
    •  Values to attack vulnerability
    •  Predefined values
    •  Detect vulnerabilities
    •  Feedback
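The three-module pipeline above (crawler finds URLs and input points, attacker resends predefined values, analysis inspects the response) can be shown end to end in a few dozen lines. The following is an added example, not code from the paper, the talk or any of the eleven scanners: it runs against a constructed in-memory toy application (`toy_app`, an assumption standing in for a real HTTP server) so it needs no network. The crawler bounds how many URLs it visits per path, which is the usual defence against the "infinite web site" crawling challenge mentioned later in the talk; the analysis module flags an input only when its harmless probe marker comes back verbatim, and treats an HTML-escaped echo as correctly handled.

```python
"""Toy black-box scanner: crawler -> attacker -> analysis (added example)."""
import html
import re
from collections import deque
from urllib.parse import parse_qs, urlencode, urljoin, urlparse

HREF_RE = re.compile(r'href="([^"]+)"')
PROBE = "<zzprobe>"  # harmless marker; we only check whether it survives unescaped


def toy_app(url):
    """Constructed stand-in for a web application; returns the HTML for `url`."""
    parts = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if parts.path == "/":
        return ('<a href="/search?q=cats">search</a> '
                '<a href="/echo?msg=hi">echo</a> '
                '<a href="/next?n=1">next</a>')
    if parts.path == "/search":
        # Output is HTML-escaped: reflected input is neutralised.
        return f"<p>Results for {html.escape(params.get('q', ''))}</p>"
    if parts.path == "/echo":
        # Output is NOT escaped: input is reflected verbatim (the defect to find).
        return f"<p>You said: {params.get('msg', '')}</p>"
    if parts.path == "/next":
        # Every page links to the next one: an "infinite" web site.
        n = params.get("n", "1")
        n = int(n) if n.isdigit() else 1
        return f'<a href="/next?n={n + 1}">page {n + 1}</a>'
    return "<p>404</p>"


def crawl(app, start="/", max_per_path=3, max_pages=50):
    """Crawler module: breadth-first over extracted links.

    Returns (input_points, pages_visited) where input_points maps each path
    to the set of GET parameter names seen on it. Visits per path and total
    pages are capped so an endlessly linking site cannot trap the crawler.
    """
    input_points = {}
    seen_urls = set()
    per_path = {}
    queue = deque([start])
    while queue and len(seen_urls) < max_pages:
        url = queue.popleft()
        if url in seen_urls:
            continue
        parts = urlparse(url)
        if per_path.get(parts.path, 0) >= max_per_path:
            continue  # bound for the infinite-site case
        seen_urls.add(url)
        per_path[parts.path] = per_path.get(parts.path, 0) + 1
        input_points.setdefault(parts.path, set()).update(parse_qs(parts.query))
        for link in HREF_RE.findall(app(url)):
            queue.append(urljoin(url, link))
    return input_points, len(seen_urls)


def attack(app, input_points):
    """Attacker module: resend each discovered input with the predefined probe."""
    responses = []
    for path, params in input_points.items():
        for name in sorted(params):
            url = f"{path}?{urlencode({name: PROBE})}"
            responses.append((path, name, app(url)))
    return responses


def analyze(responses):
    """Analysis module: report inputs whose probe was reflected without escaping."""
    findings = []
    for path, name, body in responses:
        if PROBE in body:          # verbatim reflection
            findings.append((path, name))
        # html.escape(PROBE) in body would mean the app encoded it: not a finding
    return findings


def scan(app, start="/"):
    """Run the whole pipeline and return (path, parameter) findings."""
    input_points, _ = crawl(app, start)
    return analyze(attack(app, input_points))


if __name__ == "__main__":
    print(scan(toy_app))  # expected: [('/echo', 'msg')]
```

The crawler stops after three `/next` pages even though the site links forever, and the only finding is the unescaped `msg` parameter on `/echo`; the escaped `q` parameter on `/search` is correctly left alone. Real scanners differ mainly in how much richer each module is (form and JavaScript handling in the crawler, payload libraries in the attacker, response-diffing heuristics in the analysis), which is exactly where the paper's failures are found.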

  • How can we test them?

    •  Applications that deliberately contain vulnerabilities
       •  HacmeBank
       •  WebGoat
    •  Application designed to test it
       •  SiteGenerator
    •  Older version of an open-source application that has known vulnerabilities
    •  Or?

  • Create your own

  • Design of WackoPicko

    •  Authentication
    •  Upload Pictures
    •  Comment On Pictures
    •  Purchase Pictures
    •  Search
    •  Guestbook
    •  Admin Area

  • Publicly Accessible Vulnerabilities

    •  Reflected XSS
    •  Stored XSS
    •  Session ID
    •  Weak password
    •  Reflected SQL Injection
    •  Command Line Injection
    •  File Inclusion
    •  Unauthorized File Exposure
    •  Reflected XSS Behind JavaScript
    •  Parameter Manipulation

  • Vulnerabilities Requiring Authentication

    •  Stored SQL Injection
    •  Multi-Step Stored XSS
    •  Forceful Browsing
    •  Logic Flaw
    •  Reflected XSS Behind Flash

  • Apps under test

  • Modes of Test

    •  INITIAL

    •  CONFIG

    •  MANUAL

  • Detection Results

  • True positives & False negatives

  • Running Time

    •  74 seconds (Burp)
    •  6 hours (N-Stalker)

  • Final Ranking

  • Crawling Challenges

    •  HTML Parsing
    •  Multi-Step Process
    •  Infinite Web Site
    •  Authentication
    •  Client-side Code
    •  Link Extraction

  • WIVET results

  • DEMO