Through a hacker's eyes

Tools help you look for security holes

"Malicious hackers have escalated Web page defacements over the Internet" as a result of recent tensions with China, stated a recent alert from the National Infrastructure Protection Center. Despite the warning, several U.S. government sites were attacked.

And in March, the FBI warned of a ring of Eastern European hackers targeting U.S. Web sites using Microsoft Corp.'s Internet Information Server.

It seems no one is safe. The speed with which many Web applications are developed to keep up with the growing use of the Internet for business and governmental transactions makes them prime targets for attackers. Often, these applications are developed so quickly to meet deadlines that they are not coded properly or subjected to security tests.

Fortunately, several tools exist to help you test your Web applications for security holes so you can find and correct them before the bad guys get to them. SPI Dynamics Inc.'s WebInspect and Sanctum Inc.'s AppScan are two of the best tools available.

WebInspect 1.1

WebInspect employs what SPI Dynamics calls artificial intelligence-based technology to detect security vulnerabilities in Web applications. It crawls the application and probes each page, script and form it finds for the coding mistakes that cause security vulnerabilities. The results are sorted by priority and presented in report format for review and follow-up.

During the analysis phase, WebInspect performs a lot of detailed processing behind the scenes. It looks for known vulnerabilities anywhere on the system, not just in the default locations; follows all links through the application; truncates directory paths to see whether an attacker can obtain a directory listing; parses forms and submits data to them; parses JavaScript; and checks backup folders and files for potential vulnerabilities. Because WebInspect does not rely solely on attack signatures, it can also detect vulnerabilities specific to your own application, not just known flaws in off-the-shelf server software.
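The checks described above are simple enough to sketch. What follows is an added example written for this article, not SPI Dynamics' code: a small crawler that follows links and forms, harvests HTML comments, truncates directory paths to look for listings, probes for backup copies of each page, and flags any file that leaks a connection string. The target is a constructed in-memory site (the paths and content are made up for illustration) so the script runs offline; the fetch() stand-in is the only thing you would replace with a real HTTP client, and only against a site you are authorised to test.

```python
"""Added example (not SPI Dynamics' code): WebInspect-style checks against a
constructed in-memory site. Everything under SITE is hypothetical."""
import posixpath
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample site: path -> (HTTP status, body). Hypothetical content.
SITE = {
    "/": (200, """<html><body>
        <!-- TODO: remove /admin/old-login.asp before launch -->
        <a href="/products/list.asp">Products</a>
        <a href="/scripts/search.pl">Search</a>
        <form action="/login.asp" method="post">
          <input name="user"><input name="pass" type="password">
        </form></body></html>"""),
    "/products/list.asp": (200, "<html><a href='/'>Home</a></html>"),
    "/products/": (200, "<html><title>Index of /products</title>"
                        "<a href='list.asp'>list.asp</a></html>"),
    "/scripts/search.pl": (200, "<html><form action='/scripts/search.pl'>"
                                "<input name='q'></form></html>"),
    "/scripts/": (403, "Forbidden"),
    "/login.asp": (200, "<html>login</html>"),
    "/login.asp.bak": (200, '<% conn.Open "uid=sa;pwd=secret" %>'),  # leaked source
    "/admin/old-login.asp": (200, "<html>old</html>"),
}

LISTING_MARKERS = ("Index of", "[To Parent Directory]")   # Apache / IIS listings
BACKUP_SUFFIXES = (".bak", ".old", ".orig", "~")
SECRET_MARKERS = ("pwd=", "password=", "uid=")
PATH_RE = re.compile(r"/[\w./-]+")


def fetch(path):
    """Stand-in for an HTTP GET; swap for a real client to scan a live host."""
    return SITE.get(path, (404, "Not Found"))


class PageParser(HTMLParser):
    """Collects links, forms (action + input names) and HTML comments."""
    def __init__(self):
        super().__init__()
        self.links, self.forms, self.comments = [], [], []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": a.get("method", "get").lower(), "inputs": []}
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form["inputs"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None

    def handle_comment(self, data):
        self.comments.append(data.strip())


def crawl(start="/"):
    """Breadth-first walk over every link and form action reachable from start."""
    seen, queue, pages = set(), [start], {}
    while queue:
        path = queue.pop(0)
        if path in seen:
            continue
        seen.add(path)
        status, body = fetch(path)
        if status != 200:
            continue
        parser = PageParser()
        parser.feed(body)
        pages[path] = parser
        for href in parser.links + [f["action"] for f in parser.forms]:
            target = urlparse(urljoin(path, href)).path
            if target not in seen:
                queue.append(target)
    return pages


def find_directory_listings(paths):
    """Truncate each path one directory at a time and request the directory itself."""
    found = set()
    for path in paths:
        d = posixpath.dirname(path)
        while d and d != "/":
            status, body = fetch(d + "/")
            if status == 200 and any(m in body for m in LISTING_MARKERS):
                found.add(d + "/")
            d = posixpath.dirname(d)
    return sorted(found)


def find_backup_files(paths):
    """Editors and deploy scripts leave .bak/.old copies that serve as plain text."""
    return [p + s for p in paths for s in BACKUP_SUFFIXES if fetch(p + s)[0] == 200]


def find_comment_leaks(pages):
    """Paths mentioned in HTML comments: not linked, but still reachable."""
    return [(path, ref) for path, p in pages.items()
            for c in p.comments for ref in PATH_RE.findall(c)]


def find_credentials(paths):
    """Source that is served as text often carries connection strings."""
    return [p for p in paths
            if fetch(p)[0] == 200 and any(m in fetch(p)[1].lower() for m in SECRET_MARKERS)]


def scan(start="/"):
    pages = crawl(start)
    paths = sorted(pages)
    backups = find_backup_files(paths)
    comment_refs = find_comment_leaks(pages)
    return {
        "pages": paths,
        "forms": [(path, f["action"], f["inputs"]) for path, p in pages.items() for f in p.forms],
        "directory_listings": find_directory_listings(paths),
        "backup_files": backups,
        "comment_paths": comment_refs,
        "credential_leaks": find_credentials(backups + [ref for _, ref in comment_refs]),
    }


if __name__ == "__main__":
    for key, value in scan().items():
        print(f"{key}: {value}")
```

Against the constructed site the scan reports the /products/ listing, the /login.asp.bak copy (which also leaks a password), the unlinked /admin/old-login.asp path from a comment, and both forms with their parameter names; the forms list is exactly what an attack stage needs as its starting point.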

The installation process is quick and easy; we did not even have to reboot our system. The application is installed on a single system and can scan any application it can contact, as long as your license permits it. Because of its potential for malicious use, SPI Dynamics carefully controls the license associated with the scanner.

Once the scanner was up and running, we entered the address of the site we wanted to scan. About two minutes later, the results were available for review. WebInspect had identified the Web server we were running (Internet Information Server) along with known vulnerabilities that needed to be patched. It also alerted us to sample scripts and Web sites that contained vulnerabilities.

On the unknown vulnerability front, it found HTML comments containing links and directory paths that would give an attacker valuable information about the site's structure. The results also showed some Perl scripts and ASP pages that contained user ID and password combinations, along with other vulnerable code.

The final report is well organized and easy to read. Vulnerabilities are sorted by criticality. Each vulnerability is described, discussing what an attacker can do by exploiting the vulnerability. The report also provides information on how to correct your application and links to patches where applicable.

WebInspect is a fast, efficient tool to help analyze and audit your Web applications.

AppScan 2.0

AppScan was the first Web application vulnerability scanner, and it remains the most comprehensive. AppScan analyzes Web sites by using data gathered from the site, together with an extensive database of known exploits.

Unlike WebInspect, AppScan is a server that runs on its own hardware. The installation process completely overwrites the system hard drive, installing a Linux OS as well as the AppScan engine, so it must be given a dedicated machine. Users access AppScan through a Web browser.

AppScan uses a three-stage process to analyze a Web application. First, AppScan "crawls" the site. You can do this manually by visiting the site and using it like a regular user, or you can use the Automatic Crawler, which gathers information from your site about links, forms and more.

Once the crawl stage is complete, you provide information about your Web server and Web-related software. AppScan then analyzes the site to identify possible vulnerabilities. Using technology originally developed for Sanctum's AppShield product, AppScan identifies known and unknown vulnerabilities in the Web application. It then generates a list of potentially harmful links that are used during the next stage.

During the third, or attack, stage, AppScan uses the information gathered in the crawl and analysis stages to attack your site. The Automatic Attack Engine launches the attacks and records the results, including AppScan's estimation of each attack's success. A session report is automatically generated from these attacks and presented in an HTML report. You can also attack your site manually or modify the automatic attacks and launch them against your site again.

AppScan's key differentiator is its attack stage. Other Web application vulnerability scanners, such as WebInspect, only report areas that seem to be vulnerable, which can generate a number of false positives. AppScan's attack stage greatly decreases false positives by reporting only results that have a high probability of a successful attack. The trade-off is that the attack stage actually exercises the flaws it finds, so run it against a staging copy of the site, or against production only in an approved window with current backups in place.
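The difference between flagging and confirming is easiest to see side by side. The following is an added example written for this article, not Sanctum's code: a passive pass that lists every user-controlled parameter as a possible injection point, and an active pass that sends a probe to each parameter and keeps only those whose response shows the probe took effect. The target is a constructed in-memory application with three hypothetical endpoints (one reflects input unescaped, one returns a database error on a stray quote, one handles input safely); the endpoint list stands in for what a crawl stage would have produced.

```python
"""Added example (not Sanctum's code): passive flagging versus active
confirmation of injection points. The target application is constructed."""
import html
import re


# Constructed target: each handler takes the request parameters and returns a body.
def search_handler(params):
    # Vulnerable: echoes the query back without escaping (reflected XSS).
    return f"<h1>Results for {params.get('q', '')}</h1>"


def product_handler(params):
    # Vulnerable: a stray quote reaches the database and surfaces a driver error.
    pid = params.get("id", "1")
    if "'" in pid:
        return ("Microsoft OLE DB Provider for ODBC Drivers error '80040e14' "
                "Unclosed quotation mark before the character string")
    return f"<p>Product {html.escape(pid)}</p>"


def login_handler(params):
    # Safe: escapes output and never leaks an error.
    return f"<p>Welcome {html.escape(params.get('user', ''))}</p>"


# What the crawl stage would hand to the attack stage: path -> (handler, parameter names).
ENDPOINTS = {
    "/scripts/search.pl": (search_handler, ["q"]),
    "/products/show.asp": (product_handler, ["id"]),
    "/login.asp": (login_handler, ["user", "pass"]),
}


def request(path, params):
    """Stand-in for an HTTP request; swap for a real client to test a live host."""
    handler, _ = ENDPOINTS[path]
    return handler(params)


def passive_scan():
    """Signature-only view: every user-controllable parameter is a 'possible' finding."""
    return [(path, name, "possible injection")
            for path, (_, names) in ENDPOINTS.items() for name in names]


# (label, probe value, detector over the response body)
PROBES = [
    ("reflected XSS", "<zz1>", lambda body: "<zz1>" in body),
    ("SQL injection", "x'", lambda body: re.search(r"ODBC|SQL|syntax|quotation", body) is not None),
]


def active_scan():
    """Send each probe and keep a finding only if the probe, and not a benign
    value, triggers the detector. Comparing against a baseline filters out pages
    that happen to contain the marker words anyway."""
    confirmed = []
    for path, (_, names) in ENDPOINTS.items():
        for name in names:
            baseline = request(path, {name: "x"})
            for label, probe, detect in PROBES:
                if detect(request(path, {name: probe})) and not detect(baseline):
                    confirmed.append((path, name, label))
    return confirmed


if __name__ == "__main__":
    print("passive:", passive_scan())
    print("active:", active_scan())
```

On the constructed application the passive pass produces four findings and the active pass two (the reflected q parameter and the injectable id), which is the false-positive reduction the review credits to the attack stage. The same structure, with real probes and a real client, is also how you would re-run a single attack by hand after a fix.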

AppScan and WebInspect both have places in an organization. AppScan is best suited for very detailed application analysis, such as during a security audit. WebInspect is best suited for quick checkup scans on a weekly or monthly basis.

Andress is president and chief executive officer of ArcSec Technologies Inc., a security consulting and product review firm. She can be reached at mandy@arcsec.com.

WebInspect 1.1

Grade: A- SPI Dynamics Inc. www.spidynamics.com (404) 223-2442

Scanning up to 10 devices costs $1,000 per device; 10-50 devices costs $500 per device.

WebInspect is a quick, efficient application scanner that provides detailed information on the structure of Web applications.

AppScan 2.0

Grade: A Sanctum Inc. www.sanctuminc.com (408) 855-9500

Subscription-based pricing with volume discounts is available. For end users, pricing starts at $20,000 per user per year with unlimited audits for enterprise domains.

AppScan is a powerful vulnerability scanner that identifies known and unknown vulnerabilities.
