[ITAS.VN]Black-Box Automated Web Vulnerability Scanner Limitations


  • Automated Web Application Black-box Scanner Limitations

    ITAS Corporation

  • Who we are? ITAS Corporation

    Office: 459A Nguyen Kiem St., Ward 9, Phu Nhuan District, HCMC. Tel: +84-8-38931952 Hotline: 0934589779 Email: info@itas.vn www.itas.vn

    www.itas.vn

  • What we do?

    - Penetration Testing
    - Web Application Security
      - Web Application Penetration Testing
      - Source Code Audit
    - Computer Forensics
    - Security Training

  • Automated Web Vulnerability Scanner: Overview

    Automated black-box web vulnerability scanners:
    - An automated external web security scanner is a tool for finding flaws in a web application from the outside, without access to its source code. These tools are usually designed for point-and-click pentesting: pick a target and press scan.
    - An automated external scanner can test a website almost entirely on its own, from entering the target to producing the results, with little or no human involvement.
    - These scanners can produce reports in many formats and levels of detail, which makes them convenient for security professionals assessing the security of a website.

  • Automated Web Vulnerability Scanner: Overview

    Automated external web scanners have become very popular and widely used because they are largely independent of the web application's technology, easy to use, and highly automated.

    Today the number of automated web scanners keeps growing, and they have become an indispensable tool for security professionals as well as ...... hackers.

    Automated external web scanners can detect many of the flaws listed in the Common Vulnerabilities and Exposures (CVE) database. Automated web scanning has also become a mandatory component of several security standards, such as the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act.

  • Automated Web Vulnerability Scanner: Overview

    Some highly rated automated scanners:

    Commercial tools:
    - WebInspect by HP
    - Rational AppScan by IBM
    - Acunetix WVS by Acunetix
    - Hailstorm by Cenzic
    - NTOSpider by NT OBJECTives
    - ...

    Free or low-cost tools:
    - W3af - http://w3af.sourceforge.net/
    - Burp Suite - http://portswigger.net/
    - Wapiti - http://wapiti.sourceforge.net/
    - WebScarab - webscarab.sourceforge.net/
    - Paros - http://www.parosproxy.org/
    - ...

    Some tools are offered as a scanning service (SaaS - Software as a Service):
    - McAfee by McAfee
    - AVDS by BeyondSecurity
    - Hacker Shield by HackerShield
    - .....................

  • Automated Web Vulnerability Scanner: Overview

    Although automated external security scanners detect many security flaws, if such a tool finds no weakness in an application, is the application really secure? Can these automated web scanners replace security professionals doing security testing?

    Understanding the limits of the tools is essential for security companies and security professionals, so that the gaps the tools leave can be filled with knowledge and experience on security projects.

  • Automated Web Vulnerability Scanner: Overview

    Within their capabilities, the ITAS experts want to focus on how these tools operate, from crawling (data collection), input selection and response analysis through to report generation, in order to analyse the tools' limitations.

    The focus will be on:
    - The components of a web application.
    - What automated external security scanners are.
    - The limitations of automated external scanners.
    - Mapping those limitations to the OWASP Top 10 2010.

  • Generic Web Application System

  • Web Application: Overview

    The components of a web application are extremely diverse:
    - Platform: Apache, IIS, Sun One
    - Client: JavaScript, VB, ActionScript
    - AJAX/JSON user experience
    - Server: C#, VB, PHP, Java, ColdFusion, Perl, Ruby
    - Web services: SOAP, WSDL, UDDI
    - Database: Oracle, MySQL, MS SQL, Postgres
    - LDAP: AD, Novell, Sun

    And many more.

  • Automated Web Vulnerability Scanner: Overview

    How do automated external scanners work?
    - An automated scanner first crawls the web application's inputs to determine the site's structure, including the list of links and their associated parameters. It then uses its built-in database to generate the matching test payloads and sends them to the web application automatically. Finally, the analysis component records and analyses the application's HTTP responses, looking for responses that resemble predefined error patterns, and from that decides whether the application is vulnerable.

    [Figure: the Web Application Scanner sends Requests to the Web Application and inspects the Responses; the test cases come from a database of Weaknesses & Vulnerabilities (labelled "SRD Test Cases").]

  • Automated Web Vulnerability Scanner: Illustrated

    An automated scanner can be divided into four separate parts:
    - A crawler module: collects the application's input data (links, forms, parameters)
    - An attacker module: performs the attacks
    - An analysis module: records and analyses the responses
    - A report generator module: produces the report

    [Figure: Crawl Module -> Attack Module -> Analysis Module -> Report Module]

  • Automated Web Vulnerability Scanner: Illustrated

    Crawler module:
    - Its job is to collect the entire structure of the web application and the elements that belong to that structure, including:
      + The application's set of URLs, including followed links and redirects.
      + The elements associated with those URLs: their content, input forms, file uploads, fixed parameters and their values, and the request methods used (POST, GET, ...).
    - From what it has collected, the crawler then works out the application's input points and passes them to the attack module.
    - This is the most important part of an automated scanner: its output determines which parts of the web application get tested at all. Anything the crawler does not reach is never attacked.

  • Automated Web Vulnerability Scanner: Illustrated

    Attacker module:
    - The attacker module takes the input points found by the crawler. For each input point it generates sets of test payloads matching the attack types in its built-in database and sends them to the web application.
      Example: for an XSS test the attacker generates payloads containing JavaScript as the input; for a SQL injection test it generates payloads that are meaningful strings in the SQL language.
    - These inputs are usually prepared in advance from the SQL, XSS, ... cheat sheets maintained by each scanner vendor.
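    The four-module pipeline described in the slides above (crawler, attacker, analysis, report), as an added example written for this page rather than code from ITAS or from any of the scanners listed earlier. Everything in it is constructed for the illustration: FakeApp is an in-memory stand-in for a web application so the scan runs offline (a real scanner sends HTTP requests to a live target), and PAYLOADS and SQL_ERRORS are a tiny stand-in for a vendor's cheat-sheet database and error-signature list. The constructed target echoes one parameter unescaped (reflected XSS) and leaks a database error for another (SQL injection hint).

```python
"""Miniature black-box scanner: crawler -> attacker -> analysis -> report.
Added example, not ITAS's code. FakeApp, PAYLOADS and SQL_ERRORS are all
constructed for this illustration; a real scanner speaks HTTP to a live target."""
import re
from urllib.parse import parse_qs, urlencode, urljoin, urlparse, urlunparse


class FakeApp:
    """Constructed target: maps a URL to (status, body) as an HTTP GET would."""
    def get(self, url):
        u = urlparse(url)
        qs = {k: v[0] for k, v in parse_qs(u.query).items()}
        if u.path == "/":
            return 200, ('<a href="/search?q=test">search</a> '
                         '<a href="/item?id=1">item</a> <a href="/about">about</a>')
        if u.path == "/search":   # echoes q unescaped: reflected XSS
            return 200, f"<p>Results for {qs.get('q', '')}</p>"
        if u.path == "/item":     # non-numeric id leaks a DB error: SQL injection
            if not qs.get("id", "").isdigit():
                return 500, "You have an error in your SQL syntax; check the manual"
            return 200, f"<p>Item {qs['id']}</p>"
        return (200, "<p>About us</p>") if u.path == "/about" else (404, "Not found")


HREF = re.compile(r'href="([^"]+)"')  # toy link extraction; real crawlers parse HTML, forms, JS


def crawl(app, start="http://target/", limit=50):
    """Crawler module: breadth-first walk of the site; returns the input points
    (URL, sorted parameter names) that the attacker module will target."""
    seen, queue, entry_points = set(), [start], []
    while queue and len(seen) < limit:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        status, body = app.get(url)
        if status != 200:
            continue
        queue += [urljoin(url, href) for href in HREF.findall(body)]
        params = parse_qs(urlparse(url).query)
        if params:
            entry_points.append((url, sorted(params)))
    return entry_points


# Constructed stand-ins for the vendor's payload database and error signatures.
PAYLOADS = {"xss": ["<script>alert(1)</script>", '"><svg/onload=alert(1)>'],
            "sqli": ["'", "1 OR 1=1--"]}
SQL_ERRORS = [re.compile(p, re.I) for p in
              (r"error in your SQL syntax", r"unclosed quotation mark", r"ORA-\d{5}")]


def mutate(url, param, value):
    """Rebuild the URL with one parameter replaced by the payload."""
    u = urlparse(url)
    qs = {k: v[0] for k, v in parse_qs(u.query).items()}
    qs[param] = value
    return urlunparse(u._replace(query=urlencode(qs)))


def attack(app, entry_points):
    """Attacker module: send every payload into every parameter, keep the responses."""
    results = []
    for url, params in entry_points:
        for param in params:
            for kind, payloads in PAYLOADS.items():
                for payload in payloads:
                    status, body = app.get(mutate(url, param, payload))
                    results.append((kind, url, param, payload, status, body))
    return results


def analyse(results):
    """Analysis module: XSS = payload echoed back verbatim; SQLi = known DB error string."""
    findings = {}
    for kind, url, param, payload, status, body in results:
        key = (kind, url, param)
        if key in findings:
            continue  # one finding per parameter; first evidence wins
        sql_hits = [m.group(0) for m in (s.search(body) for s in SQL_ERRORS) if m]
        if kind == "xss" and payload in body:
            evidence = payload
        elif kind == "sqli" and sql_hits:
            evidence = sql_hits[0]
        else:
            continue
        findings[key] = {"type": kind, "url": url, "param": param, "evidence": evidence}
    return list(findings.values())


def report(findings):
    """Report module: one line per finding."""
    lines = [f"{len(findings)} finding(s)"]
    lines += [f"[{f['type'].upper()}] {f['url']} param={f['param']} evidence={f['evidence']!r}"
              for f in findings]
    return "\n".join(lines)


def scan(app, start="http://target/"):
    return analyse(attack(app, crawl(app, start)))


if __name__ == "__main__":
    print(report(scan(FakeApp())))
```

    Running it reports two findings: reflected XSS in the q parameter of /search and a SQL error triggered through the id parameter of /item. The structure makes the dependency the crawler slide describes concrete: attack() only ever sees what crawl() returned, so any input point the crawler misses (here, anything not reachable through an href link, such as a form or a JavaScript-built URL) is never tested, and analyse() reduces "vulnerable" to a string match on the response, which is exactly the kind of decision that a human tester has to verify.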
