Web application security scanner
A web application security scanner is a program which communicates with a web application through the web front-end in order to identify potential security vulnerabilities in the web application and architectural weaknesses.[1] It performs a black-box test. Unlike source code scanners, web application scanners don't have access to the source code and therefore detect vulnerabilities by actually performing attacks. Web applications have been highly popular since 2000 because they allow users to have an interactive experience on the Internet. Rather than just view static web pages, users are able to create personal accounts, add content, query databases and complete transactions. In the process of providing an interactive experience web applications frequently collect, store and use sensitive personal data to deliver their service. Customers benefit from the convenience of these applications, while tacitly taking on risk that private information stored in web applications will be compromised through hacker attacks, insider leaks etc. According to the Privacy Rights Clearinghouse, more than 18 million customer records have been compromised in 2012 due to insufficient security controls on corporate data and web applications.[2]
Overview
A web application security scanner facilitates the automated review of a web application with the expressed purpose of discovering security vulnerabilities, and are required to comply with various regulatory requirements. Web application scanners can look for a wide variety of vulnerabilities, including:
- Input/Output validation: (Cross-site scripting, SQL Injection, etc.)
- Specific application problems
- Server configuration mistakes/errors/version
In a copyrighted report published in March 2012 by security vendor Cenzic, the most common application vulnerabilities in recently tested applications include:[3]
37% Cross Site Scripting 16% SQL Injection 5% Path Disclosure 5% Denial of Service 4% Code Execution 4% Memory corruption 4% Cross Site Request Forgery 3% Information Disclosure 3% Arbitrary File 2% Local File Inclusion 1% Remote File Include 1% Buffer overflow 15% Other (PHP Injection, Javascript Injection, etc.)
Web applications security scanners typically rely on fully automated scanning, however a 'hybrid' approach, pioneered by High-Tech Bridge,[4] is emerging which aims to address the issue of false-positive reporting by having humans involved in the assessment process.
Commercial and open-source scanners
Tom's IT Pro has provided short reviews of a number of Web Application Security Scanners[5] and an older (but no longer maintained) list of free and commercially available scanners is available at the Web Application Security Consortium.[6]
Sectool Market provides a more up to date comparison of the cost and features of both open source and commercial scanners.[7]
Strengths and weaknesses
As with all testing tools, web application security scanners are not perfect, and have strengths and weaknesses.
Weaknesses and limitations
- Free tools are usually not updated with the latest language-specific security flaws contained in recently updated languages; while this might be a minority of vulnerability the competent attackers are expected to try those attacks --- especially if they can learn which language the target website uses.
- It's usually not possible to know how good a specific security scanner is if you don't have some security know-how yourself; and small business owners are hard to convince to run at least 5 free tools if the first found nothing.
- Attackers could theoretically test their attacks against popular scanning tools in order to find holes in websites made by people who use security scanners excessively (they could for example be a typo away from what the free tools scan for), for purpose of making spam sending botnets. As such at least all the free tools are weak against the competent and broad-targeting attackers.
- Botnets and other attacks where the attackers can update the malware on the remaining nonpatched computers are extremely hard to clear off some networks used by a large amount of undisciplined users; such as some university networks who don't teach computers at all.
- Because the tool is implementing a dynamic testing method, it cannot cover 100% of the source code of the application and then, the application itself. The penetration tester should look at the coverage of the web application or of its attack surface to know if the tool was configured correctly or was able to understand the web application.
- It is really hard for a tool to find logical flaws such as the use of weak cryptographic functions, information leakage, etc.
- Even for technical flaws, if the web application doesn't provide enough clues, the tool cannot catch them.
- The tool cannot implement all variants of attacks for a given vulnerability. So the tools generally have a predefined list of attacks and do not generate the attack payloads depending on the tested web application.
- The tools are usually limited in their understanding of the behavior of applications with dynamic content such as JavaScript, Flash, etc.
- These tools don't test for social engineering holes that are plainly obvious to competent attackers.
- A recent report found that the top application technologies overlooked by most Web application scanners includes JSON (such as JQuery), REST, and Google WebTookit in AJAX applications, Flash Remoting (AMF) and HTML5, as well as mobile apps and Web Services using JSON and REST. XML-RPC and SOAP technologies used in Web services, and complex workflows such as shopping cart, and XSRF/CSRF tokens were also listed.[8]
Strengths
- These tools can detect vulnerabilities of the finalized release candidates before shipping.
- Scanners simulate a malicious user by attacking and probing, and seeing what results are not part of the expected result set.
- As a dynamic testing tool, web scanners are not language dependent. A web application scanner is able to scan JAVA/JSP, PHP or any other engine driven web application.
- Attackers use the same tools, so if the tools can find a vulnerability, so can attackers.
List of Scanners
Notes
- ↑ Web Application Security Scanner Evaluation Criteria version 1.0, WASC, 2009
- ↑ "Chronology of Data Breaches". Privacy Rights Clearinghouse. 9 July 2012. Retrieved 9 July 2012.
- ↑ "2012 Trends Report: Application Security Risks". Cenzic, Inc. 11 March 2012. Retrieved 9 July 2012.
- ↑ Polic, Viktor. "Glow in the dark – how CISOs can find their way through the darkness of the web". CSO magazine. Retrieved 9 May 2014.
- ↑ Sullivan, Dan. "2014 Cloud-Based Vulnerability Scanning Tools Compared". Tom's IT Pro. p. 2. Retrieved 15 April 2014.
- ↑ Shura, Brian. "Web Application Security Scanner List". Web Application Security Consortium.
- ↑ http://www.sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-unified-list.html
- ↑ Web Application Scanners Challenged By Modern Web Technologies. SecurityWeek.Com (2012-10-25). Retrieved on 2014-06-10.
External links
- Web Application Security Scanner Evaluation Criteria from the Web Application Security Consortium (WASC)
- Web Application Vulnerability Scanners, a wiki operated by the NIST
- Challenges faced by automated web application security assessment from Robert Auger
- The WASC security scanner list
- List of Web-based Application Scanners, Mosaic Security Research
- Identifying Web Applications from Fabian Mihailowitsch
- Web vulnerability scanner