Through a hacker's eyes

Tools help you look for security holes

"Malicious hackers have escalated Web page defacements over the Internet" as a result of recent tensions with China, stated a recent alert from the National Infrastructure Protection Center. Despite the warning, several U.S. government sites were attacked.

And in March, the FBI warned of a ring of Eastern European hackers targeting U.S. Web sites using Microsoft Corp.'s Internet Information Server.

It seems no one is safe. The speed with which many Web applications are developed to keep up with the growing use of the Internet for business and governmental transactions makes them prime targets for attackers. Often, these applications are developed so quickly to meet deadlines that they are not coded properly or subjected to security tests.

Fortunately, several tools exist to help you test your Web applications for security holes so you can find and correct them before the bad guys get to them. SPI Dynamics Inc.'s WebInspect and Sanctum Inc.'s AppScan are the best tools available.

WebInspect 1.1

WebInspect employs artificial intelligence-based technology to detect security vulnerabilities in Web applications. It scans the application and evaluates each line of application logic for programming that causes security vulnerabilities. The results are sorted by priority and presented in report format for review and follow-up.

During the analysis phase, WebInspect performs a lot of detailed processing behind the scenes. It looks for known vulnerabilities anywhere on the system, not just the default location; follows all links through applications; truncates directory paths to see if an attacker can obtain a directory listing; parses forms and submits data to the forms; parses JavaScript; and checks backup folders for potential vulnerabilities. Because WebInspect does not rely completely on attack signatures, it can detect unknown vulnerabilities in your application.
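The directory-path truncation check described above is easy to reproduce as a self-audit of your own site. The following is an added example, not code from the article or from SPI Dynamics: for each URL a crawl discovered, it walks up the directory path and flags any parent directory whose response looks like an auto-generated index page. The URLs, the response bodies and the `fetch` callable are all constructed stand-ins so the script runs offline; against a live server you would replace `sample_fetch` with a real HTTP GET.

```python
"""Self-audit helper: for each crawled URL, walk up its directory path and
flag parents that answer with an automatic directory listing.
All URLs and response bodies below are constructed for this example."""
import re
from urllib.parse import urlsplit, urlunsplit

# Markers emitted by common web servers' automatic index pages.
LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of /", re.I),               # Apache mod_autoindex
    re.compile(r"\[To Parent Directory\]", re.I),            # IIS directory browsing
    re.compile(r"<title>\s*Directory listing for /", re.I),  # python -m http.server
)


def parent_paths(url: str) -> list[str]:
    """Return every ancestor directory of a URL, deepest first, with the
    query string and fragment stripped."""
    parts = urlsplit(url)
    segments = parts.path.split("/")[1:-1]  # drop leading '' and the final leaf
    ancestors = []
    for depth in range(len(segments), -1, -1):
        path = "/" + "/".join(segments[:depth])
        if not path.endswith("/"):
            path += "/"
        ancestors.append(urlunsplit((parts.scheme, parts.netloc, path, "", "")))
    return ancestors


def looks_like_directory_listing(body: str) -> bool:
    """True if the response body carries one of the known index-page markers."""
    return any(marker.search(body) for marker in LISTING_MARKERS)


def find_exposed_listings(urls, fetch):
    """fetch(url) -> (status, body). Returns the sorted list of parent
    directories that answer 200 with a directory listing."""
    exposed = set()
    checked = set()
    for url in urls:
        for parent in parent_paths(url):
            if parent in checked:
                continue
            checked.add(parent)
            status, body = fetch(parent)
            if status == 200 and looks_like_directory_listing(body):
                exposed.add(parent)
    return sorted(exposed)


# Constructed responses standing in for a real server (hypothetical host).
SAMPLE_RESPONSES = {
    "https://example.test/": (200, "<html><title>Welcome</title><body>Home</body></html>"),
    "https://example.test/app/": (403, "<html><title>403 Forbidden</title></html>"),
    "https://example.test/app/images/": (
        200,
        "<html><head><title>example.test - /app/images/</title></head>"
        "<body><pre><a href=\"/app/\">[To Parent Directory]</a><br>"
        "logo.gif<br>banner.gif</pre></body></html>",
    ),
    "https://example.test/backup/": (
        200,
        "<html><head><title>Index of /backup</title></head>"
        "<body><h1>Index of /backup</h1><a href=\"site.tar\">site.tar</a></body></html>",
    ),
}


def sample_fetch(url):
    """Offline stand-in for an HTTP GET; unknown paths answer 404."""
    return SAMPLE_RESPONSES.get(url, (404, "Not Found"))


# URLs a crawl might have discovered (constructed).
CRAWLED_URLS = [
    "https://example.test/app/images/logo.gif?v=2",
    "https://example.test/backup/site.tar",
    "https://example.test/index.html",
]

if __name__ == "__main__":
    for directory in find_exposed_listings(CRAWLED_URLS, sample_fetch):
        print("directory listing exposed:", directory)
```

Each parent directory is requested once even when many crawled URLs share it, and a 403 (as for `/app/` above) is treated as correctly locked down; only a 200 whose body matches an index-page marker is reported. The markers are heuristics, so an exposed listing served by an unusual template can still slip through.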

The installation process is quick and easy; we did not even have to reboot our system. The application is installed on a single system and can scan any application it can contact, as long as your license permits it. Because of its potential for malicious use, SPI Dynamics carefully controls the license associated with the scanner.

Once the scanner was up and running, we entered the address of the site we wanted to scan. About two minutes later, the results were available for review. WebInspect had identified the Web server we were running (Internet Information Server) along with known vulnerabilities that needed to be patched. It also alerted us to sample scripts and Web sites that contained vulnerabilities.

On the unknown vulnerability front, it found commented lines that contained links or directory paths showing they could contain valuable information to an attacker. The results also showed some Perl scripts and ASP pages that contained user ID and password combinations and vulnerable code.
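The two findings in this paragraph, comments that leak links or paths and scripts that carry hard-coded user ID and password pairs, are the kind of thing you can also catch in your own source tree before a scanner or an attacker does. The following is an added example, not code from the article or from either vendor: one function pulls HTML comments and reports those that mention a URL, a path or a script filename, and a second scans server-side source for assignment-style credentials (Perl variables, ASP connection strings) and reports them with the value masked. The sample HTML, ASP and Perl fragments are constructed for the example, and the host and filenames in them are hypothetical.

```python
"""Source-leak check: report HTML comments that reveal links or file paths,
and hard-coded user/password pairs in server-side scripts.
All inputs below are constructed samples, not real site content."""
import re

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)

# A comment is worth a look if it mentions a URL, a path, or a script/backup filename.
PATH_HINT_RE = re.compile(
    r"(https?://\S+|/[\w./-]+|\b[\w-]+\.(?:asp|pl|cgi|php|bak|old|inc|txt)\b)", re.I
)

# Assignment-style credentials: $user = "x", password = 'y', or User ID=z;Password=w
# inside a connection string. Keys are matched case-insensitively.
CRED_RE = re.compile(
    r"""\$?\b(user\s?(?:name|id)?|uid|pass(?:word|wd)?|pwd)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^;\s"']+))""",
    re.I,
)


def leaky_comments(html: str):
    """Return (line, hint, comment_text) for each comment that mentions a link or path."""
    findings = []
    for m in COMMENT_RE.finditer(html):
        text = " ".join(m.group(1).split())  # collapse whitespace for the report
        hint = PATH_HINT_RE.search(text)
        if hint:
            line = html.count("\n", 0, m.start()) + 1
            findings.append((line, hint.group(0), text))
    return findings


def hardcoded_credentials(source: str):
    """Return (line, key, masked_value) for each credential assignment found.
    The value is masked to its first character so reports can be shared safely."""
    findings = []
    for m in CRED_RE.finditer(source):
        value = next(v for v in m.groups()[1:] if v is not None)
        key = re.sub(r"\s", "", m.group(1)).lower()
        line = source.count("\n", 0, m.start()) + 1
        findings.append((line, key, value[:1] + "***"))
    return findings


# Constructed samples (hypothetical filenames and host).
SAMPLE_HTML = (
    "<html><head><title>Orders</title></head>\n"
    "<body>\n"
    "<!-- TODO: remove before launch, admin console at /admin/console.asp -->\n"
    "<h1>Orders</h1>\n"
    "<!-- layout tweaked per marketing request -->\n"
    "<!-- previous version kept at backup/orders_old.pl -->\n"
    "</body></html>\n"
)

SAMPLE_ASP = (
    "<%\n"
    "Dim conn\n"
    "Set conn = Server.CreateObject(\"ADODB.Connection\")\n"
    "conn.Open \"Provider=SQLOLEDB;Data Source=db1;User ID=webapp;Password=Summ3r2001\"\n"
    "%>\n"
)

SAMPLE_PERL = (
    "#!/usr/bin/perl\n"
    "use DBI;\n"
    "my $user = \"reports\";\n"
    "my $password = 'r3ports!';\n"
    "my $dbh = DBI->connect('dbi:mysql:orders', $user, $password);\n"
)

if __name__ == "__main__":
    for line, hint, text in leaky_comments(SAMPLE_HTML):
        print(f"orders.html:{line}: comment mentions {hint!r}: {text!r}")
    for name, src in (("orders.asp", SAMPLE_ASP), ("report.pl", SAMPLE_PERL)):
        for line, key, masked in hardcoded_credentials(src):
            print(f"{name}:{line}: hard-coded {key} = {masked}")
```

Run over a checkout of the site rather than over live responses, so that server-side source (which a browser never sees) is covered too; the comment check only needs the rendered HTML. Both regexes err toward reporting, so expect to triage a few harmless hits such as documentation comments that name a public URL.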

The final report is well organized and easy to read. Vulnerabilities are sorted by criticality. Each vulnerability is described, discussing what an attacker can do by exploiting the vulnerability. The report also provides information on how to correct your application and links to patches where applicable.

WebInspect is a fast, efficient tool to help analyze and audit your Web applications.

AppScan 2.0

AppScan was the first Web application vulnerability scanner, and it remains the most comprehensive. AppScan analyzes Web sites by using data gathered from the site, together with an extensive database of known exploits.

Unlike WebInspect, AppScan is a server that runs on its own hardware. The installation process completely overwrites the system hard drive, installing a Linux OS as well as the AppScan engine. Users access AppScan through a Web browser.

AppScan uses a three-stage process to analyze a Web application. First, it "crawls" the site. You can do this manually by visiting the site and using it like a regular user, or you can use the Automatic Crawler, which gathers information from your site about links, forms and more.

Once the crawl stage is complete, you provide information about your Web server and Web-related software. AppScan then analyzes the site to identify possible vulnerabilities. Using technology originally developed for Sanctum's AppShield product, AppScan identifies known and unknown vulnerabilities in the Web application. It then generates a list of potentially harmful links that are used during the next stage.

During the third, or attack, stage, AppScan uses the information gathered in the crawl and analysis stages to attack your site. The Automatic Attack Engine launches the attacks and records the results, including AppScan's estimation of each attack's success. A session report is automatically generated from these attacks and presented in an HTML report. You can also attack your site manually or modify the automatic attacks and launch them against your site again.

AppScan's key differentiator is its attack stage. Other Web application vulnerability scanners, such as WebInspect, only report areas that seem to be vulnerable. These can generate a number of false positives. AppScan's attack stage greatly decreases false positives by reporting only results that have a high probability of a successful attack.

AppScan and WebInspect both have places in an organization. AppScan is best suited for very detailed application analysis, such as during a security audit. WebInspect is best suited for quick checkup scans on a weekly or monthly basis.

Andress is president and chief executive officer of ArcSec Technologies Inc., a security consulting and product review firm. She can be reached at mandy@arcsec.com.
