Through a hacker's eyes
Tools help you look for security holes
"Malicious hackers have escalated Web page defacements over the Internet"
as a result of recent tensions with China, stated a recent alert from the
National Infrastructure Protection Center. Despite the warning, several
U.S. government sites were attacked.
And in March, the FBI warned of a ring of Eastern European hackers targeting
U.S. Web sites using Microsoft Corp.'s Internet Information Server.
It seems no one is safe. The speed with which many Web applications
are developed to keep up with the growing use of the Internet for business
and governmental transactions makes them prime targets for attackers. Often,
these applications are developed so quickly to meet deadlines that they
are not coded properly or subjected to security tests.
Fortunately, several tools exist to help you test your Web applications
for security holes so you can find and correct them before the bad guys
get to them. SPI Dynamics Inc.'s WebInspect and Sanctum Inc.'s AppScan
are the best tools available.
WebInspect 1.1
WebInspect employs artificial intelligence-based technology to detect
security vulnerabilities in Web applications. It scans the application and
evaluates each line of application logic for programming that causes security
vulnerabilities. The results are sorted by priority and presented in report
format for review and follow-up.
During the analysis phase, WebInspect performs a lot of detailed processing
behind the scenes. It looks for known vulnerabilities anywhere on the system,
not just the default location; follows all links through applications; truncates
directory paths to see if an attacker can obtain a directory listing; parses
forms and submits data to the forms; parses JavaScript; and checks backup
folders for potential vulnerabilities. Because WebInspect does not rely
completely on attack signatures, it can detect unknown vulnerabilities in
your application.
The installation process is quick and easy; we did not even have to
reboot our system. The application is installed on a single system and can
scan any application it can contact, as long as your license permits it.
Because of its potential for malicious use, SPI Dynamics carefully controls
the license associated with the scanner.
Once the scanner was up and running, we entered the address of the site
we wanted to scan. About two minutes later, the results were available for
review. WebInspect had identified the Web server we were running (Internet
Information Server) along with known vulnerabilities that needed to be patched.
It also alerted us to sample scripts and Web sites that contained vulnerabilities.
On the unknown vulnerability front, it found commented lines containing
links or directory paths that could give an attacker valuable information.
The results also showed some Perl scripts and ASP pages that contained
user ID and password combinations and other vulnerable code.
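The two checks described above, parsing forms and flagging HTML comments that expose links or directory paths, are simple to reproduce against pages you own. The script below is an added example written for this article, not code from WebInspect or SPI Dynamics; it runs offline over a constructed sample page and reports leaky comments and the forms (with any hidden fields) an audit tool would need to exercise.

```python
import re
from html.parser import HTMLParser

# Constructed sample standing in for one of your own crawled pages.
SAMPLE_HTML = """
<html><body>
<!-- TODO: remove before launch; admin console at /admin/console.asp -->
<!-- legacy backup kept in /backup/orders.pl.bak -->
<!-- page footer -->
<form action="/cgi-bin/login.pl" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="hidden" name="debug" value="1">
</form>
<a href="/reports/index.asp">Reports</a>
</body></html>
"""

# A comment that mentions a URL or a path is the kind the review says
# the scanner flagged as valuable information to an attacker.
PATH_RE = re.compile(r"(https?://\S+|/[\w./-]+)")


class LeakAuditParser(HTMLParser):
    """Collects HTML comments and form definitions from one page."""

    def __init__(self):
        super().__init__()
        self.comments = []
        self.forms = []        # each: {"action", "method", "fields"}
        self._form = None      # form currently being parsed, if any

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": a.get("method", "get").lower(),
                          "fields": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["fields"].append((a.get("name", ""), a.get("type", "text")))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def audit_page(html):
    """Return (leaky_comments, forms, hidden_fields) for one page."""
    p = LeakAuditParser()
    p.feed(html)
    leaky = [c for c in p.comments if PATH_RE.search(c)]
    hidden = [(f["action"], name) for f in p.forms
              for name, typ in f["fields"] if typ == "hidden"]
    return leaky, p.forms, hidden
```

Feed it the HTML of each page your crawl retrieves; anything in the first list should be removed from production markup, and each form in the second list is an input point that deserves its own test data.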
The final report is well organized and easy to read. Vulnerabilities
are sorted by criticality. Each vulnerability is described, along with what
an attacker could do by exploiting it. The report also provides
information on how to correct your application and links to patches where
applicable.
WebInspect is a fast, efficient tool to help analyze and audit your
Web applications.
AppScan 2.0
AppScan was the first Web application vulnerability scanner, and it
remains the most comprehensive. AppScan analyzes Web sites by using data
gathered from the site, together with an extensive database of known exploits.
Unlike WebInspect, AppScan is a server that runs on its own hardware.
The installation process completely overwrites the system hard drive, installing
a Linux OS as well as the AppScan engine. Users access AppScan through
a Web browser.
AppScan uses a three-stage process to analyze a Web application. First,
it "crawls" the site. You can do this manually by visiting the site and
using it like a regular user, or you can use the Automatic Crawler, which
gathers information from your site about links, forms and more.
Once the crawl stage is complete, you provide information about your
Web server and Web-related software. AppScan then analyzes the site to identify
possible vulnerabilities. Using technology originally developed for Sanctum's
AppShield product, AppScan identifies known and unknown vulnerabilities
in the Web application. It then generates a list of potentially harmful
links that are used during the next stage.
During the third, or attack, stage, AppScan uses the information gathered
in the crawl and analysis stages to attack your site. The Automatic Attack
Engine launches the attacks and records the results, including AppScan's
estimation of each attack's success. A session report is automatically generated
from these attacks and presented in an HTML report. You can also attack
your site manually or modify the automatic attacks and launch them against
your site again.
AppScan's key differentiator is its attack stage. Other Web application
vulnerability scanners, such as WebInspect, only report areas that seem
to be vulnerable. These can generate a number of false positives. AppScan's
attack stage greatly decreases false positives by reporting only results
that have a high probability of a successful attack.
AppScan and WebInspect both have places in an organization. AppScan
is best suited for very detailed application analysis, such as during a
security audit. WebInspect is best suited for quick checkup scans on a weekly
or monthly basis.
Andress is president and chief executive officer of ArcSec Technologies
Inc., a security consulting and product review firm. She can be reached
at mandy@arcsec.com.