Dynamic Application Security Testing

(Redirected from Web Application Security Scanner)
Jump to navigation Jump to search

A Dynamic Application Security Testing (DAST) tool is a program which communicates with a web application through the web front-end in order to identify potential security vulnerabilities in the web application and architectural weaknesses.[1] It performs a black-box test. Unlike Static Application Security Testing tools, DAST tools do not have access to the source code and therefore detect vulnerabilities by actually performing attacks.

DAST tools allow sophisticated scans, detecting vulnerabilities with minimal user interactions once configured with host name, crawling parameters and authentication credentials. These tools will attempt to detect vulnerabilities in query strings, headers, fragments, verbs (GET/POST/PUT) and DOM injection.

Customers benefit from the convenience of these applications, while tacitly taking on risk that private information stored in web applications will be compromised through hacker attacks and insider leaks. According to the Privacy Rights Clearinghouse, more than 18 million customer records have been compromised in 2012 due to insufficient security controls on corporate data and web applications.[2]

Overview

DAST tools facilitate the automated review of a web application with the expressed purpose of discovering security vulnerabilities, and are required to comply with various regulatory requirements. Web application scanners can look for a wide variety of vulnerabilities, such as input/output validation: (e.g. cross-site scripting and SQL injection), specific application problems and server configuration mistakes.

In a copyrighted report published in March 2012 by security vendor Cenzic, the most common application vulnerabilities in recently tested applications include:[3]

Vulnerability statistics reports covering occurrences and breaches related to such vulnerabilities from Verizon and edgescan are available here [4] [5]

37% Cross Site Scripting
16% SQL Injection
5% Path Disclosure
5% Denial of Service
4% Code Execution
4% Memory corruption
4% Cross Site Request Forgery
3% Information Disclosure
3% Arbitrary File
2% Local File Inclusion
1% Remote File Include
1% Buffer overflow
15% Other (PHP Injection, Javascript Injection, etc.)

Commercial and open-source scanners

Commercial scanners are a category of web-assessment tools which need to be bought with a specific price (usually quite high). Some scanners include some free features but most need to be bought for full access to the tool's power.

And open-source scanners are another class which are free in nature. They are the best of the category since their source code is open and the user gets to know what is happening unlike commercial scanners.

Security researcher Shay Chen has previously compiled a exhaustive list of both commercial and open-source web application security scanners.[6] The list also highlights how each of the scanners performed during his benchmarking tests against the WAVSEP.

The WAVSEP platform is publicly available and can be used to evaluate the various aspects of web application scanners: technology support, performance, accuracy, coverage and result consistency.[7]

Listing of Vulnerability Scanners

Here is a list of vulnerability Scanners currently available in the market. [8]

Name Owner License Platform
w3af w3af.org Open Source (GPL v2.0) Linux and Mac
TIDoS Framework Infected Drake Open Source (GPL v3.0) Linux
Vega Subgraph Commercial / Free (Limited Capability) Windows, Linux, Mac
Probe.ly Probe.ly Commercial / Free (Limited Capability) SaaS
Netsparker MavitunaSecurity Commercial Windows, SaaS
Grabber Romain Gaucher Open Source Python 2.4, BeautifulSoup and PyXML
GamaScan GamaSec Commercial Windows
AppSpider Rapid7 Commercial Windows
AppScan IBM Commercial Windows
Acunetix WVS Acunetix Commercial / Free (Limited Capability) Windows, SaaS
DefenseCode Web Security Scanner DefenseCode Commercial / Free Windows

DAST Strengths

These tools can detect vulnerabilities of the finalized release candidate versions prior to shipping. Scanners simulate a malicious user by attacking and probing, identifying results which are not part of the expected result set.

As a dynamic testing tool, web scanners are not language dependent. A web application scanner is able to scan engine-driven web applications. Attackers use the same tools, so if the tools can find a vulnerability, so can attackers.

DAST Weaknesses

While scanning with a DAST tool, data may be overwritten or malicious payloads injected into the subject site. Sites should be scanned in a production like, but non-production environment to ensure accurate results while protecting the data in the production environment.

Because the tool is implementing a dynamic testing method, it cannot cover 100% of the source code of the application and then, the application itself. The penetration tester should look at the coverage of the web application or of its attack surface to know if the tool was configured correctly or was able to understand the web application.

The tool cannot implement all variants of attacks for a given vulnerability. So the tools generally have a predefined list of attacks and do not generate the attack payloads depending on the tested web application. Some tools are also quite limited in their understanding of the behavior of applications with dynamic content such as JavaScript and Flash.

A report from 2012 found that the top application technologies overlooked by most Web application scanners includes JSON (such as jQuery), REST, and Google WebToolkit in AJAX applications, Flash Remoting (AMF) and HTML5, as well as mobile apps and Web Services using JSON and REST. XML-RPC and SOAP technologies used in Web services, and complex workflows such as shopping cart, and XSRF/CSRF tokens were also listed.[9]

References

  1. ^ Web Application Security Scanner Evaluation Criteria version 1.0, WASC, 2009
  2. ^ "Chronology of Data Breaches". Privacy Rights Clearinghouse. 9 July 2012. Retrieved 9 July 2012.
  3. ^ "2012 Trends Report: Application Security Risks". Cenzic, Inc. 11 March 2012. Retrieved 9 July 2012.
  4. ^ "Verizon DBiR" (PDF). Verizon Enterprise. 2018.
  5. ^ "2018 edgescan Vulnerability Stats report" (PDF). www.edgescan.com. edgescan. 2018.
  6. ^ Comparison of Cloud & On-Premises Web Application Security Scanning Solutions. SecToolMarket.com Retrieved 2017-03-17
  7. ^ WAVSEP Platform Retrieved 2017-03-17
  8. ^ "Category:Vulnerability Scanning Tools - OWASP". www.owasp.org. Retrieved 2018-08-08.
  9. ^ Web Application Scanners Challenged By Modern Web Technologies. SecurityWeek.Com (2012-10-25). Retrieved on 2014-06-10.

External links