::Software Security Quality::
Testing Taxonomy &
Testing Tools Classification
OWASP
AppSec
DC
October 2005
Arian J. Evans, OWASP Tools Project
Random Security Title, FishNet Security
[email protected]
913.710.7085 [mobile]
Copyright © 2005 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License.
The OWASP Foundation
http://www.owasp.org/
OWASP AppSec DC \NIST 2005
::Software Security Quality::
Testing Taxonomy &
Testing Tools Classification
Subtitle: What is Software Security, how do
we evaluate it, and what do we use to
evaluate it?
OWASP AppSec DC 2005
2
--OR--
::Software Security Quality::
Why does every web-based
Document Management
Solution Suck so Badly?
OWASP AppSec DC 2005
3
Testing Taxonomy & Tools Project
This project, like many other OWASP projects (e.g.-WebScarab, .NET
Tools), is:
Performed mostly nights and weekends
A personal labor of love (or dislike of FUD)
Performed by a team of one
As objective and vendor-agnostic as possible
Owes thanks to FishNet for letting me use their lab and
encouraging vendors to participate
 Results are free and worth every penny
 So don’t complain too much about the results. 
 Emphasis has been on “web app scanners” since that’s where the
predominant market interest seems to lie right now.





OWASP AppSec DC 2005
4
Who
Arian J. Evans
Tester, Teacher, Researcher, Decoder
Application Security Services
FishNet Security
FishNet Security
Security Consulting Company focused only on Infosec
Work in AppSec Group
They pay me to test and help people fix things
(blah, blah)
OWASP AppSec DC 2005
5
Outline:
I.
II.
Introduction (done)
Chapter One: In the Beginning was FUD.
1)
2)
Problems
About the OWASP Testing Taxonomy & Tools Project
III. Chapter Two: What is Application Security?
1)
2)
IV.
V.
VI.
Distinctions
Definition
Chapter Three: Clarification and Goals
Chapter Four: Taxonomy of Testing
Chapter Five: Automation Tools
VII. Chapter Seven: Q&A (Shoot the Messenger)
OWASP AppSec DC 2005
6
Chapter One:
In the Beginning was the FUD
Problems with understanding
application security, vendor FUD,
appsec testing tools, and testing
techniques.
OWASP AppSec DC 2005
7
Webappsec Vendor Marketing Hype
I.
The Problem of Particulars
−
−
−
II.
XSS, XST, XDS, XDF, XBS: why particulars can hurt more
than they help (reference: Issues slide)
Selling managers/auditors bullet-point friendly products
Classification of Threat/Risk/Issue: Lack of distinction
between Category/Class/Particular—Does anyone take
formal logic classes anymore?
Immature Metrics
−
−
−
What is *really* being exploited? (This is not what the
OWASP Top-10 or WASC taxonomy addresses.)
*What* exploits result in real loss? (Not what the threads on
[email protected] are talking about.)
No reward in securing without demonstrable risk.
OWASP AppSec DC 2005
8
The Problems:
 Different ways to “test” applications for security quality.
 Different tools to “test” applications for security quality.
 No categorization of differences or metrics to measure
pluses and minuses of testing techniques/tools.
 No single source of information on what tools are
available for testing applications
 No independent source of information on testing tools
that are available.
 Some tool vendors do a terrible job of educating the
consumer on what they do and don’t do, and how they
relate to their competition.
OWASP AppSec DC 2005
9
The Problems:
Unclear and immature terminology
Few Taxonomies, Categorizations, Metrics and
Models on AppSec
No Business Rule/Risk Taxonomy
No mature Threat Models/Taxonomy
No accurate Attack Models/Taxonomy
Other Taxonomies needed
We need a Taxonomy of Taxonomies
OWASP AppSec DC 2005
10
This Presentation is About:
 The OWASP Tools Project Version 1.2 which aims to:
 Categorize the different ways to “test” an application
for security.
 Categorize the variety of tools that may be used “test”
applications for security.
 Provide basic insight into features and functionality of
“software security tools”.
 Offset the active dissemination of misinformation about
what tools can and cannot provide.
 I bit off more than I can chew here (why are there so
many tools out there for this this???)
OWASP AppSec DC 2005
11
This Project is Headed:
 The OWASP Tools Project Version 2.0 which aims to:
 Categorize & Classify tools that may be used “test” applications for
security.
 Work with groups like OWASP, WASC, NIST, and Mitre/CVE
 Evaluate the value of & possibly provide checklist charts of
features and functionality in specific versions of appsec tools.
 I have concerns about above because for example not all XSS
checks are equal, and the quality can and does change overnight
in current tools.
 In non-COTS software metrics tend to lack pragmatic value as
software continues to increase size, complexity, extensibility, and
develop emergent behaviors as disparate technologies are bolted
together and new software evolves.
OWASP AppSec DC 2005
12
Limited Information; Full-on Equivocation
I.
Things Commercial Tool Vendors like to say:
− Sanctum: “Oh, those are *network* scanners”
− Compuware: “the only ones in the world who do this”
− Cenzic: “We’ve automated webapp pen testing”
− Several: “Oh, no, that’s a CVE scanner. It doesn’t find
anything on our sample application which has “real”
vulnerabilities. See here, we’ll just install our sample
application we wrote right here and show you…”
− Tautology: The Scanner and Firewall Vendors
II.
Goings-on in the AppSec Industry:
− No Standards or Standards-bodies
− No Metrics
− No Watchdogs
− Vendors provide the vast bulk of “Factual Literature”
OWASP AppSec DC 2005
13
Chapter II: The Definition
What is Application Security?
OWASP AppSec DC 2005
14
Why and What is Application Security?:
Why do you care about AppSec
Testing Tools?
When will the tools be mature
enough that I just click “Scan”
and get my report?
OWASP AppSec DC 2005
15
Why do you care about AppSec Tools?
Because you lack expertise
Because you lack subject information.
Because you lack resources.
Because you lack time.
Because of the desire for automation.
Because of the need for reliable,
repeatable tests that produce accurate
quantifiable information about software
defects with security implications.
OWASP AppSec DC 2005
16
When can I click ‘Scan’?
Never.
There are things that we can automate and things
that we cannot automate.
There are issues that are easy to automate reliable
detection and issues that are not:
- business logic flaws
- workflow bypasses
- human eyeball parsable errors.
Terminology: Functional versus Technical Issues
OWASP AppSec DC 2005
17
Functional versus Technical Issues
There are two main types of application security issues:
I.
Technical Vulnerabilities
1) Lack of Input Validation, resulting in:
2) XSS
3) SQL Injection
4) Parameter Tampering, etc.
II.
Functional or Logical Vulnerabilities
1) Click two or more buttons at the same time results in
unexpected behavior.
2) Password change form disclosing detailed errors.
3) Session-idle deconstruction not consistent with Policies
4) Spend deposit before deposit funds are validated (B/L)
OWASP AppSec DC 2005
18
Functional versus Technical Issues
These two types of security issues must be tested differently:
I.
Technical Vulnerabilities
− Usually about Data Handling
− Dealing with Strong Typing, Encoding, and Validation
of Data that the application handles
− Can be tested fairly effectively by automated tools (at
least, in theory, as tools mature)
II.
Functional or Logical Vulnerabilities
− Deals with issues allowed by design, but not foreseen
by the designers (or understood to be a risk)
− Deals with eyeball issues—does the error message text
provide a brain-decipherable “secret message”?
OWASP AppSec DC 2005
19
Two Items to Reiterate
Restated:
I.
Automation Tools
− Testing: useful; use daily
− Protection: maybe useful, maybe not (is your issue
XSS? Do you know what your issues are?)
− Anecdote of client who solved 90% of their issues
even though they didn’t know what they were.
− Anecdote of WAF vendor who “successfully deployed in
under an hour” for the java applet communicating on
TCP/5000 with an encrypted binary protocol.
II.
Examples of Vendor Challenges
− Sanctum Support Issues: XSS vs. Phishing debate
− Other vendors “Phishing” “XSS” “blahfoo” feature FUD
OWASP AppSec DC 2005
20
What is “Application Security”?
I.
Things that Application Security is not:
− It is not a product
− It is not a firewall with “AI” (app intelligence)
− It is not a NIDS/NIPS with app signatures
− It is not any “perimeter access control”.
− It is not a “web app firewall” widget.
− For today and tomorrow’s web applications
the concept of a perimeter is dead.
OWASP AppSec DC 2005
21
What is “Application Security”?
II. Things that Application Security is not:
− It is not a process (it is possible, however
unlikely, to have secure applications with
or without a process)
− It is not “application hacking school” or
“secure coding school” for your developers
− It is not the BPPT (Big Production
Penetration Test) you have at the end of
your BUFD app lifecycle.
OWASP AppSec DC 2005
22
What is “Application Security”?
III. Things that Application Security IS:
− It is one possible emergent Quality of a
well designed application.
− It is about predictability, dependability,
reliability. (Business speak !=“security”)
− Rob’s Report must Run Right (bugs are not
difference of kind but difference of degree
and the issue is always the same)
OWASP AppSec DC 2005
23
How do we evaluate applications for Security?
First and most important application
security principle:
The Application Must Defend Itself
OWASP AppSec DC 2005
24
Presentation Outline Updated
I.
Introduction (done)
II. Chapter One: The Problem (done)
III. Chapter Two: The Definition (done)
IV. Chapter Three: The Clarification and Goals
V.
Chapter Four: Taxonomy of Testing
VI. Chapter Five: Tools Tools Tools of Automation
VII. Chapter Six: Q&A (Shoot the Messenger)
OWASP AppSec DC 2005
25
Chapter III
Clarification and Goals
OWASP AppSec DC 2005
26
The Categorization Basics:




Software flaws with Security Implications
Category
Class
Particular
-Example-
1. Category (Coding Error)
2. Class (Output Encoding)
3. Particular (XSS (Cross-Site Scripting))
OWASP AppSec DC 2005
27
Are we trying to Categorize and Classify?
Clarification of Terms
Categorization of Issues
Abstract fixation from particulars
Needs: Category, Class, Particular
Needs Risk, Threat, Attack, Weakness,
Vulnerability
 Needs account for Severity, Attackability
(Ease), Prevalence, Priority





OWASP AppSec DC 2005
28
The Classification Basics:
Risk ((Loss|Impact) : Financial, Legal, Market)
Threat (Likelihood, Severity, Ease, Implication)
Attack (Exploit Vector)
Weakness (Fundamental Issue)
Vulnerability (Particular Issue/Flaw Instance)
OWASP AppSec DC 2005
29
The Classification Breakdown:
-Example One-
 Risk
 Financial Loss, Repudiation, Market Goodwill
 Threat
 Elevation of Privilege; Forged Transaction
 Attack (A: Spoofing of User Identity)
 A1 Session Fixation
 A1-2 Session Token\Cookie set a priori user authentication
 Weakness
 Insecure Authorization Mechanism; Insecure Session Handling
 Vulnerability
 Harvest Session Cookie on Login Form
OWASP AppSec DC 2005
30
The Classification Breakdown:
-Example Two Risk
 Financial Loss(???), Market Goodwill
 Threat
 Elevation of Privilege; Sensitive Information Disclosure
 Attack (A: Arbitrary Script Injection)
 A1 XSS/Cross-Site Scripting
 A1-2 Embedded/Persisted Malicious Javascript
 Weakness
 Insecure Output Encoding
 Vulnerability
 Support forum page allows embedded linking to external
javascript/flash/actionscript/etc.
OWASP AppSec DC 2005
31
Example Problems with Existing Threat Models:
Microsoft: STRIDE and DREAD
Spoofing of User Identity (Threat or Attack?)
Tampering with Data (Attack?)
Repudiation (Risk or Threat?)
Denial of Service (Threat or Attack?)
Elevation of Privilege (Threat)
STRIDE, DREAD and others mix of Threats,
Attacks, Vulnerabilities, disparate elements.
New TRIKE methodology shows promise.
OWASP AppSec DC 2005
32
More on Threat Modeling:
Threat Modeling is very important; I use it
extensively particularly in communicating to
business owners or stakeholders of an
application
For more see the OWASP Testing presentation
The OWASP Testing GUIDE
STRIDE & DREAD in MS Threat Modeling Book
TRIKE is a new Threat Modeling Whitepaper
Visit the Threats and Countermeasures Website
by Foundstone
OWASP AppSec DC 2005
33
How do we evaluate applications for Security?
First and most important application
security principle:
The Application Must Defend Itself
OWASP AppSec DC 2005
34
Conclusion to Chapter III
The previous material is presented to provide a common set of terms
and framework for understanding what we can and can’t do with
automated tools that discover software flaws with security
implications.
 Security is not a “feature” you implement in code
 Security is an emergent Quality of well-designed and well-built
software, much like speed and reliability
 Categorical difference between technical and functional issues and
how you discover them
 Tools tend to flag everything as “vulnerabilities”
 Tools really find a mix of threats, attacks, and vulnerabilities (XSS
is an attack, not a vulnerability)
 Tools tend not to indicate systemic weaknesses, like improper
output encoding techniques, which is what we really need to be
concerned with if our focus is *fixing* the application issues.
OWASP AppSec DC 2005
35
Chapter IV
Taxonomy of Testing
OWASP AppSec DC 2005
36
Taxonomy of Testing Categories
1.
2.
3.
4.
5.
6.
7.
8.
Vulnerability Scanning
Fault-Injection Testing (Blackboxing)
Fault-Injection Testing with Sandboxing
Binary Analysis
Source Code Analysis
Threat Modeling/Architectural Analysis
Rootkit and Trojan Analysis
(What about runtime analysis and
runtime patching?)
OWASP AppSec DC 2005
37
Taxonomy of Testing Categories
1. Vulnerability Scanning
 regex matches on version numbers.
2. Fault-Injection Testing (Blackboxing)
 Inject all possible faults and parse responses.
3. Fault-Injection Testing with Sandboxing
 Inject all possible faults and analyze data
storage, manipulation, and local entry and
exit points, and fuzz/fault-inject those points.
4. Binary Analysis
 Analyze static binary or perform runtime
analysis and look for breakpoints.
OWASP AppSec DC 2005
38
Taxonomy of Testing Categories
5.
Source Code Analysis

Mostly static signature matching, but some tools claim to walk
codepath, follow nested loops and other regression through
objects
6.
Threat Modeling/Architectural Analysis

Detailed, logical modeling. Time consuming, thorough; avoid
wasted man hours of broken feature-implementation up front.
Or find obvious design flaws quickly.
7.
Rootkit and Trojan Analysis

Why not? The NCUA/OCCU mandates it.
8.
What about runtime analysis and runtime patching? Another idea…
OWASP AppSec DC 2005
39
What Follows
The next series of slides is a short summary of common and well-known
applications that fall into these categories.
It is not intended to be comprehensive (later slides will be more
comprehensive).
It is not intended to indicate quality or imply any form of advocacy for
the listed software security tools.
If you are looking for product advocacy there are plenty of sales people
and “sales engineers” that can help you there. 
Most importantly: These tools are constantly evolving. Consider that the
data presented may already be outdated. Use as a guide only and
evaluate any selection you make Yourself, on Your Applications.
OWASP AppSec DC 2005
40
Vulnerability Scanning
1.
2.
3.
4.
5.
6.
7.
ISS Internet Security Scanner (the old basic VA tool)
eEye Retina (CGI Scanning?)
Qualys Qualysguard (XSS, limited SQLi)
NGS Typhon (claims full JS Parsing)
McAfee Foundscan (DNE for webapps)
nCircle IP360 (similar to Qualysguard)
Known-File Scanners e.g.-Whisker, Nikto,
Nessus+Nikto, Nstalker Nstealth
These tools do a regex version match (e.g. 12.8.1.0 diff vuln-database)
or simply match a filename (e.g. “login.asp”…Oh No!, not a Login!)
OWASP AppSec DC 2005
41
Fault Injection Testing
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
SPI Dynamics WebInspect 5.5
Watchfire AppScan 5.5
Acunetix WVS 2.x
Cenzic Hailstorm 2.6
NTO Spider x?
Compuware Devpartner x?
NGS Typhon x?
Parasoft Webking X?
SPIKE (while using binaries with attached debuggers to monitor
breakpoints like any traditional fuzzing)
Peach Fuzzer
These tools inject a fault into the application and in some cases evaluate
the response.
OWASP AppSec DC 2005
42
Fault Injection with Sandboxing
Sandboxing Tools:
• Security Innovation’s Holodeck
• Sysinternals filemon, regmon, procmon
• Any sandboxing malware-analysis tools
OWASP AppSec DC 2005
43
Binary Analysis
1.
2.
3.
4.
IDA Pro
@stake SmartRisk Analyzers
Fortify Application Risk Analyzer
Halvar Flake’s Sabre-Security projects
– BinNavi
– BinDiff
– BinAudit
5. WiSA
OWASP AppSec DC 2005
44
Source Code Analysis
1.
2.
3.
4.
5.
6.
7.
Compuware
Coverity
Fortify Software
Ounce Labs
Parasoft
Secure Software
Lots O’ Free & Open Source Stuff
OWASP AppSec DC 2005
45
Threat Modeling / Architectural Analysis
1.
2.
3.
4.
Microsoft Threat Modeling Tool
SecuriTree
PTA Technologies
TRIKE TM tool (to be released)
OWASP AppSec DC 2005
46
Rootkit/Trojan/Backdoor Analysis
Checking for Rootkits, Trojans, and Backdoors is another interesting issue
that is recommended in the “Secure Coding” pamphlet sold as a
book by O’Reilly, and recommended by the NCUA 2004-03 Guidance
letter “must review source code for backdoors, trojans, etc. etc.”
1. Rootkit and Binary analysis tools for
Backdoors & Trojans
OWASP AppSec DC 2005
47
Runtime Analysis and Patching
Tools that are designed to analyze behavior and code at runtime and
perform runtime limitation/security enforcement and/or “virtual”
patching of userspace coded and kernel code.
1. Immunix kernel & stack protection.
2. Some new virtual patching product for
Linux that I accidentally deleted the
info on and can’t find the emails of the
kind folks who contacted me originally.
OWASP AppSec DC 2005
48
Chapter V
Automation Tools
(or manual human eyeball supplicants)
YMMV
Key:
MA (Mature)
HP (Has Promise)
DNE (Did Not Evaluate)
RE (Refused Evaluation or ignored repeated requests)
TOY (Amusing little widget)
OWASP AppSec DC 2005
49
Vulnerability Scanning
1.
2.
3.
4.
5.
6.
7.
8.
9.
ISS Internet Security Scanner (???)
eEye Retina (CGI Scanning?)
Qualys Qualysguard (XSS, limited SQLI)
McAfee Foundstone Enterprise
nCircle IP360
Rapid 7 Nexus
NGS Typhon (full JS Parsing; XSS & SQLI)
Saint
Known-File Scanners e.g.-Whisker, Nikto,
Nessus+Nikto, Nstalker Nstealth
OWASP AppSec DC 2005
50
Commercial Fault Injection Test Tools
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
SPI Dynamics WebInspect (5.5, MA)
Sanctum now Watchfire AppScan (5.5 MA but may become a ‘dashboard’)
Cenzic Hailstorm (HP…ways to go, version 2.6 DNE)
NT Objectives NTOSpider (HP, DNE new GUI version)
Acunetix Web Vulnerability Scanner 2 (TOY, no scheduling, state, form-fill, etc.)
Compuware DevPartner Fault Simulator (RE)
Whitehats Security (hosted application, ‘dashboard’ approach, think ‘Qualys’)
Fortify Pen Testing Team Tool (RE, unknown; secretive)
Burp Intruder (HP, nice fuzzer)
MaxPatrol 7 (strange phone-home to Russia traffic observed, stopped eval)
Syhunt Sandcat Scanner & Miner (evolving)
TrustSecurityConsulting HTTPExplorer (TOY, limited)
Ecyware BlueGreen Inspector (TOY, limited)
NGS Typhon (DNE, claims full parsing/testing capability)
Parasoft WebKing (DNE, positive references from credible sources)
Kavado Scando (dead, IP purchased, may show up again, CVE-type scanner)
AppSecInc AppDetective for Web Apps (dead, believed permanently)
@stake Web Proxy 2.0 (dead or suffocating at Symantec)
Sandsprite Web Sleuth (HP, but development End-of-Life?)
OWASP AppSec DC 2005
51
Commercial Fault Injection Test Tools
Data on FI Tools:
Data includes version number as many of these tools have new
features/improvements since time of testing:
 Tools tested from March to August of 2005
 Tools tested on sample applications like OWASP WebGoat
 Tools tested on multiple real-world applications
 Tools tested on same versions of applications
 Tools tested on “default” settings and also attempted to
customize tools as best possible to provide optimal use-case
scenario for final result data
 Many tools were configured with help from or onsite support
from the vendors, all installed on clean, new boxes, so should
represent the best the vendor could provide at that time.
 I have been guilty of RTFM errors before, but for this testing this
is why vendor configuration support was solicited.
OWASP AppSec DC 2005
52
Commercial Fault Injection Test Tools
SPI Dynamics WebInspect 5.5
Pros:
 Best manual testing tools of the FI market (Proxy, Cookie Tester)
 Excellent javascript parsing
 Most powerful tools for writing custom checks
 Best API integration with other QA tools
 Have removed a lot of the marketing crap that other tools still
report like detecting “31 Flavors of XSS” and
Cons:
 No ability to look under the hood on adaptive agents
 No ability to customize default checks (to protect “IP”)
 Come on guys, I can run a sniffer and see what you are doing
anyway
 Not the fastest
OWASP AppSec DC 2005
53
Commercial Fault Injection Test Tools
Watchfire AppScan 5.5
Pros:
 Fast on smaller applications
 Best XSS testing
 Most powerful right out of the box with no tweaking
 Excellent reporting
 New free manual testing toolkit; ‘PowerTools’
Cons:
 No ability to look under the hood or customize effectively
 Unnecessary XSS variants, and made-up vuln terminology
 Watchfire is a dashboard company and this is not a effective way
to evaluate/measure application security
 Limited ability to tweak to handle dynamic session affinity and
complex authentication variants
OWASP AppSec DC 2005
54
Commercial Fault Injection Test Tools
Cenzic Hailstorm 2.3
Pros:
 Allow you to get under the hood and customize everything.
 Most potential for automating complex custom checks.
 Nice drag-and-drop configuration in GUI.
 Definitely a contender to keep an eye on.
Cons:
 Custom checks simply didn’t work right
 Slowest tool tested
 No ability to configure operational/engine parameters like
threading, bandwidth, scope, etc.
 At time of testing was long on hype, highest priced, low on
delivery of results
OWASP AppSec DC 2005
55
Commercial Fault Injection Test Tools
NT Objectives NTOSpider
1.something CLI-only beta version
Pros:
 Fast. Wow, this thing is fast.
 Most effective XSS checks behind WI and AS.
 Only tool with effective automated session token testing.
 Auto-state detection and auto-login abilities.
 Small, lightweight, simple configuration.
Cons:
 No CVE-style checks.
 No ability to look under the hood or customize tests easily.
 Roughly half the accuracy of WI or AS on XSS and SQLi.
 No GUI at time of testing.
OWASP AppSec DC 2005
56
Commercial Fault Injection Test Tools
Acunetix WVS
Pros:
 Nice, pretty GUI
 Appears fast, but it doesn’t do much so I guess it’s easy to be
fast at that.
Cons:
 Limited authentication support
 No scripting or scheduling capabilities
 Utter lack of session/state handling
 No manual analysis tools
 False positive centric
 Marketing appears targeted at sub-100 IQ demographic
 Included due to massive advertising blitz recently
OWASP AppSec DC 2005
57
Commercial Fault Injection Test Tools
Compuware DevPartner Fault Simulator
Pros:
 Built with the Developer in mind
 IDE integration
 Integrates with Source-Code analysis
 May be one to keep an eye on but looks like not intended to be
“best of breed” solution.
Cons:
 Vendor has no clue about competitive landscape.
 Vendor appears to have limited security knowledge.
 Did Webex eval only.
 Got tool but not license key; vendor promised follow up
repeatedly but never did.
 Vendor to provide data for the OWASP Tools project but never
followed through in providing this.
OWASP AppSec DC 2005
58
Commercial Fault Injection Test Tools
WhiteHat Security (the Seattle Company)
Hosted FI Tool; think Qualys of WebAppSec
Pros:
 DNE (Did Not Evaluate)
 Some smart people building this
 Hosting approach nice for repeated testing/change management
 Cost effective
Cons:
 No replacement for manual testing
 DNE
OWASP AppSec DC 2005
59
Commercial Fault Injection Test Tools
NGS Typhon
Pros:
 DNE for Web Application Checks
 Experience with NGS tools is that they are very fast, fairly
accurate, lack ability to customize/configure much through the
GUI and have terrible reporting. 
 Will include in next release of this project.
Cons:
 DNE.
OWASP AppSec DC 2005
60
Commercial Fault Injection Test Tools
Parasoft WebKing
Pros:
 DNE
 Have heard has is less mature but some nice features
 Will include in next version of project
Cons:
 DNE
OWASP AppSec DC 2005
61
Commercial Fault Injection Test Tools
SandSprite Web Sleuth
Pros:
 Inexpensive
 Simple easy-to-use Windows GUI
 Nice code markup and views
 Custom scripts for crawling, cookie testing, etc.
Cons:
 Geared towards all manual testing
 No default pre-built checks
 Doesn’t appear under active development
OWASP AppSec DC 2005
62
Commercial Fault Injection Test Tools
OWASP WebScarab v.20051012 
Pros:
 Many advanced testing features geared towards experienced
application security professionals.
 Free & Open Source.
 Session Token entropy analysis.
 Static string fuzzer.
 User-extensible with custom agents.
 Web Services testing interface for complex types
Cons:
 Non-intuitive, complex interface.
 No “scan” or pre-built checks like CVE issues.
 Tends to hang and need restarted.
 No vulnerability reporting mechanism or management style
reporting a’la Watchfire.
OWASP AppSec DC 2005
63
Fault Injection Test Tools Anecdotes
 Similar to diet fads
 My Book “Body of Anecdotal Evidence:
Portion-sized Marketing” out soon
 That was a “Body for Life” joke for you not
from the US
 Again, there is no book for those of you that
asked me after the presentation.
 YMMV
 Anecdotes are subjective
 Anecdotes are not logically valid proofs
 Repeat Disclaimer: YMMV
OWASP AppSec DC 2005
64
Fault Injection Tool Experiences
The following metrics were gathered from realworld assessments performed by myself
along with up to four other testers.
These were commercial assessments on a mix
of COTS software and custom applications
developed by clients ranging from Fortune
100 to smaller ISVs that authorized
benchmarking of these tools during the
course of software security assessment.
OWASP AppSec DC 2005
65
Fault Injection Tool Experiences
Application #1:
 150+ pages, Complex workflow
 Dynamically built javascript menu/functions
 Application contained 1 trivial XSS, 1 Workflow Bypass (WFB),
1 Brute Force (BF)
 The tools in this test were run with default configurations;
essentially clicked ‘scan’ as many people unfortunately use
these tools in RealLife™.
WebInspect 5.0: 147 pages, no XSS, WFB, BF
AppScan 5.5: 38 pages, 1 XSS, no WFB, BF
Acunetix 2: 6 pages, no valid positive results
NTO Spider: 80+ pages, no XSS, WFB, BF
Paros 2.something: 0 (zero) (loop)
Cenzic Hailstorm: Couldn’t get working
(The security defects detected in the applications were discovered during the course of manual analysis)
OWASP AppSec DC 2005
66
Fault Injection Tool Experiences
Application #2:
 30+ templates, Dynamically generated content
 15k+ actual pages, Long forms, simple workflow
 32 XSS from URL parameters to multi-form <--!-->
 Weak Session Handling; Auto-scripting attacks (“Session
Riding” or “Web Trojans”)
 Tests run as ‘scan’ with minimal tweaking
WebInspect 5.0: 31 XSS, no SH or SR issues
AppScan 5.5: 18k+ pages, slowed to 1 rec/6 seconds
Acunetix 2: No Results (couldn’t automate effectively)
NTO Spider: 18 XSS, weak SH, no SR, fast! (CLI version)
Hailstorm 2.2: 3 days, 4 people, Cenzic onsite, nothing
Paros 3.0.2: 18 pages, no results, would hang on audit
OWASP AppSec DC 2005
67
Fault Injection Tool Experiences
Application #3:

100’s of pages/forms

Strong UI, Input Validation, Output Encoding

Web Server packages XML POST string

Passes to routing servlet for authorization

Function Servlet name/route in Hidden FF

Create XML String and POST directly to DST servlet

XML Abstraction Layer has no authentication/authorization

ASMQ does not have crypto enabled; auth is function group code

Point of this example is that there are holes you could drive a Mac Truck through
and every FI Scanner failed to detect them. Some things require humans.
WebInspect 5.5: Nothing
AppScan 5.5: Nothing; WF PowerTools Proxy: failed
Acunetix 2: PHP issue, some other issues, false positives (200 codes)
NTO Spider: Nothing (CLI version); no proxy
Paros 3.0.2: Nothing; Proxy-mode: failed
Proxies: SPI Proxy (only proxy to handle various cert-auth)
OWASP AppSec DC 2005
68
Fault Injection Tool Experiences
Application #4:
 AAWBDMS (Another Awful Web-Based DMS)
 XSS, Parameter Tampering, etc. (everything you can imagine
controlled in client-side hidden form-field parameters)
 URL Parameters passed directly to compiled C code (DLLs, EXEs)
running as Domain Admin with traditional buffer overflows.
 Dual-Factor Authentication
 Authentication Two-step Workflow
 First page UserID & PRNG Token number in HTML Form
 Second Page identical UserID and Password in HTML Form
 All responses 200; everything returns one of two login forms
Every darn tool: NADT
NADT: Not a Darn Thing
Nobody could handle dual-auth with custom error pages identical to
the login pages.
OWASP AppSec DC 2005
69
Fault Injection Tool Experiences
XSS attacks should be fully automated, but as of yet are not. We find XSS in
almost every application we test that is not found by any automated tool;
some are trivially devastating. Examples:






Form
Form
Form
Tools
value expects email address ([email protected])
value validated by sloppy regex; Output not encoded
error returns no data unless you bypass regex filter
submit the following types of checks:





<script>alert(‘somethingclever’);<script>
<script>alert(‘somethingclever’);<script>[email protected]
[email protected]<script>alert(‘somethingclever’);<script>
some replace ‘silly’ and ‘com’ with <script>alert();<script> check
some add escape characters like ‘>, ‘>>, ‘), and so on



encoding attack strings (reference OWASP Guide 2.0.1 or RSnake’s XSS page)
partial encoding of attack string elements
using specific HTML tags like body elements and background
Actual XSS by silly@<script>alert()<script>.com
Other attack vectors tools fail include
OWASP AppSec DC 2005
70
Open Source or Freeware Fault Injection Test Tools
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
WebScarab (DNE current version, re: HTTPush, Exodus)
Paros Proxy (HP)
Watchfire PowerTools (HP, free, proxy nice GUI, rest so-so)
Burp Spider (HP, free)
Burp Proxy (HP, free)
Snark HTTP Proxy & Tabby Tunnel (DNE)
Peach Fuzzer (HP, free, Python fuzzer)
SPIKE Proxy (Horrible interface, free, limited fuzzing)
SPIKE Fuzzer (dev EOL? Dave pointing people at Peach)
Achilles Proxy (TOY, first Windows proxy, free, old)
Odysseus Proxy (some cool features, GUI needs work)
Webstretch Proxy (DNE)
Absinthe 1.1 (formerly SQLSqueal) (HP, free)
Sensepost E-Or, Wikto (Google hacking utility), other
webappsec and pen testing tools
(everything Sensepost is working on is worth looking at)
OWASP AppSec DC 2005
71
Open Source or Freeware Fault Injection Test Tools
And your Basic Web Browsers…don’t forget them:
15.
16.
17.
Internet Explorer + HTMLBar DLL extension (buggy)
Firefox + LiveHTTP Headers, Tamper Data, Developer Tools,
and many, many, more useful extensions….however,
keep in mind Firefox encoding is often different, more
restrictive, sometimes more secure than IE so if the
application client population includes/is predominantly
IE MAKE SURE you test encoding/format in IE as well.
Foundstone Free Tools:

SiteDigger (Google Hacking Utility)

SSLDigger

Probably others I haven’t looked at yet

SiteGenerator (coming soon, may be useful for testing
Fault-Injection tools for javascript parsing, etc.)
OWASP AppSec DC 2005
72
Fault Injection with Sandboxing
Sandboxing Tools (Commercial & Free):
1. Security Innovation’s Holodeck (HP)
2. Sysinternals filemon, regmon, procmon
can be combined with VMWare
3. Any sandboxing malware-analysis tools
available from various forensics sites
and possibly from the AV vendors.
OWASP AppSec DC 2005
73
Binary Analysis
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
IDA Pro + scripts from Halvar & iDefense
Grammatech CodeSonar
Paradyn Project (claims superiority to IDA Pro when C++ variables present in object)
FX Dumbug
@Stake SmartRisk Analyzers (gone/dead)
Fortify Application Risk Analyzer (marketing freebie)
WiSA (Wisconsin Safety Analyzer)
SABRE BinDiff (IDA Pro extension)
SABRE BinNavi (Graphical flowgraphs, playback of codepaths, Win/Linux debuggers)
SABRE BinAudit (Full Binary Analysis; beta project; Halvar restarted this again)
Secure Software CodeAssure Auditor (Binary Analysis)
Brute Force Binary Checker (http://bfbtester.sourceforge.org)
OWASP AppSec DC 2005
74
Commercial Source Code Analysis
1.
2.
3.
4.
Compuware DevPartner SecurityChecker .NET Languages
Coverity SWAT C/C++
Escher Technologies Eschertech
Fortify Software Suite (analysis, workbench, metrics & trending
console, customization module, won’t show me anything)
C/C++,Java,JSP,HTML,Java bytecode,(PL/SQL),C#,VB.NET,MSIL, …
5. Gimple PC and Flexe-Lint C/C++ (we use, simple, cheap, functional)
6. Grammatech CodeSurfer C/C++
7. Ounce Labs Prexis C/C++, JSP, Java (nice, rough UI, recursion abilities?)
8. Parasoft JTest Java (? NE)
9.
Reasoning SecurityInspect “Service”
10. Secure Software CodeAssure Workbench C/C++, Java
11. Security-Assessments CodeScan ? (April 01 05) won’t give specifics
12.
13.
Note if you are in sales: My name is not Ariel, Arial, Adrian, Aruin, etc
WiSA
C/C++
OWASP AppSec DC 2005
75
Open Source, Free, or Bundled Source Code Analysis
1.
2.
OWASP .NET (Reference Dinis Cruz presentations on OWASP
website about OWASP .NET tools)
Foundstone .NET Tools (same story as above; DNE but
heard these were coming out soon)
The Next Slide has All The Other Stuff
OWASP AppSec DC 2005
76
Open Source, Free, or Bundled Source Code Analysis
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
Bunch http://serg.cs.drexel.edu/bunch
Cigital ITS4 (no longer supported) C/C++
CQual http://www.cs.berkeley.edu/~jfoster/cqual
David Wagner’s BOON C http://www.cs.berkeley.edu/~daw/boon/
David Wheeler’s Flawfinder C/C++ www.dwheeler.com
Reference/Credit David Wheeler’s Page
Microsoft PREFix (full codepath execution, recursion), C families
Microsoft PREFast (stripped down PREfix) only static signatures for
performance reasons, shipping with Visual Team Studio 2005, C families
Microsoft FXCop (even more limited signature tool) C/C++ only
MOPS http://www.cs.berkeley.edu/~daw/mops
PScan http://www.striker.ottawa.on.ca/~aland/pscan
RAT C/C++, Java, Perl, Python, whatever other random signatures
written
ShareFuzz
SPLINT http://splint.org/
OWASP AppSec DC 2005
77
Threat Modeling / Architectural Analysis
1. Microsoft Threat Modeling Tool
(non-intuitive for beginners)
2. SecuriTree
(clunky Java tool, not appsec focused)
3. PTA Technologies
(DNE, have had several references)
4. TRIKE Threat-Modeling Tool
(DNE, in development stage, unsure release
date, but idea has promise)
Need more tools here!
OWASP AppSec DC 2005
78
Rootkit/Trojan/Backdoor Analysis
Checking for Rootkits, Trojans, and Backdoors is another interesting issue
that is recommended in the “Secure Coding” pamphlet sold as a
book by O’Reilly, and recommended by the NCUA 2004-03 Guidance
letter “must review source code for backdoors, trojans, etc. etc.”
1. Rootkit and Binary analysis tools for
Backdoors & Trojans
rootkits.org and rootkit.nl + many Forensic
Distributions have these tools
OWASP AppSec DC 2005
79
Recommended Motto for Vendors
Ne Supra Crepidum
Suter Judicaret
OWASP AppSec DC 2005
80
Chapter 6
Shoot the Messenger
(he may duck and run)
OWASP AppSec DC 2005
81
Arian J. Evans
Does Application Security Stuff
FishNet Security
913.710.7085 [mobile]
[email protected]
OWASP Tools Project
OWASP Chapter Leader, Kansas City
Feel free to contact me with questions
Vendor updates, corrections, confusions, or complaints welcome
Email me repeatedly if I miss your first one
OWASP AppSec DC 2005
82
Descargar

OWASP AppSec 2004 Presentation