QualysGuard InfoDay 2014 - WAS

www.rac.cz, Risk Analysis Consultants, V060420

QualysGuard InfoDay 2014
Introduction to the web application testing tool (WAS)

1. General introduction - Web application

Web application
• What is a web application
− A client-server application based mainly on HTTP/HTML
− Logic based mainly on a relational database (Oracle, MS SQL, MySQL) and a scripting language (PHP, ASP, .NET, Java)
− Every application is different and unique
− Vulnerabilities cannot be found by simply comparing against a vulnerability database

How does a web application work? Web Architecture
[Diagram: Client Browser (IE, FF, Safari, iCab etc.) <- HTTP/HTML -> Web Server -> Applications -> Database; Legacy Service (Merchant Services, etc.)]

Defining a Web Application
An Application is:
− A business function typically requiring a login
− Running unique code
− Typically supported by a single developer or team of developers

Live Demo: Demonstration of the user interface

2. General introduction - Testing principle

Scanning Flow
[Diagram: Web Application -> Scanning engine -> Auth. required? (yes: Auth Record) -> Crawl Scope -> Option Profile -> Crawl Phase -> Discovery scan: Finished / Vulnerability scan: Vulnerability Checks]

Scan Types
Discovery Scan
• Validate Scope settings
• Crawl and ensure right coverage
• Faster than Vulnerability Scan
Vulnerability Scan
• Should happen after at least one Discovery Scan
• Tests the web application for vulnerabilities

Discovery Phase - Links Crawled
This list may contain fewer links than the maximum threshold.
Maximum links to crawl includes:
• Links in this list
• Requests for the same link made as anonymous and authenticated user
• Requests made via HTML forms

Discovery Phase – Forms
What is a form? - Forms are used to pass data to a server**
** www.w3schools.com

3. Vulnerability types

Web Application Scanning: Introduction to Web Application Security

Web Application Scanning
WASC (www.webappsec.org) divides Web vulnerabilities into six categories
• Authentication
• Authorization
• Client-side Attacks
• Command Execution
• Information Disclosure
• Logical Attacks

What is (Stored) XSS?
Attacker enters script on page, and the server stores it.
Victim goes to view the page and the script is rendered in the victim's browser.
In the background, the script steals the victim's session cookie and sends it to the attacker (who then uses it to gain access to the application with the permissions of the user).

What is (Reflected) XSS?
[Diagram: Attacker -> Web site (no input or output validation) -> Victim]
1. Attacker can input text into form
2. Application reflects it back, rendering the script
3. Attacker crafts email (Phishing) containing script for vulnerable page (and form)
 - Script can pass cookie over to attacker
 - Script can redirect the credentials plugged in to Attacker's site.
4. Victim clicks on link, and vulnerability is exploited

How does WAS check for XSS?
WAS engine verifies XSS vulnerabilities using multiple injections and verifications.
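The three XSS slides above describe the problem (script stored or reflected without output validation), the consequence (session cookie readable by script) and the scanner's approach (inject, then verify). The following Python block is an added example, not code from the slides or from Qualys: it places a vulnerable renderer beside its hardened form, shows the HttpOnly cookie flag that limits the damage, and models the inject-and-verify step with a random canary. The page template, the comment text and the function names are constructed for the example; the canary check is a simplified model of what a scanner does, not the WAS engine's logic.

```python
import html
import secrets

# Constructed sample input: a comment one user submits, which the application
# stores and later renders to every visitor (the stored XSS scenario above).
STORED_COMMENT = 'Nice post! <script>alert("xss")</script>'

# Hypothetical page template; user-controlled text is inserted at {body}.
PAGE = '<html><body><h1>Comments</h1><div class="c">{body}</div></body></html>'


def render_unsafe(user_text: str) -> str:
    """Vulnerable: stored text is concatenated into the HTML as-is, so any
    <script> it contains runs in the visitor's browser."""
    return PAGE.format(body=user_text)


def render_safe(user_text: str) -> str:
    """Hardened: output encoding turns <, >, &, and quotes into entities, so
    the browser displays the text instead of parsing it as markup."""
    return PAGE.format(body=html.escape(user_text, quote=True))


def session_cookie_header(session_id: str) -> str:
    """Defence in depth: an HttpOnly cookie cannot be read via document.cookie,
    so even a script that does run cannot read the session identifier."""
    return f"Set-Cookie: session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


def reflects_unencoded(render, canary: str = "") -> bool:
    """Toy version of the injection-and-verification check a scanner performs
    (a simplified model, not Qualys' own engine): submit a unique marker wrapped
    in markup characters and verify whether the response contains it unencoded.
    A fresh random canary avoids false positives from text already on the page."""
    canary = canary or secrets.token_hex(4)
    probe = f"<q{canary}>"
    return probe in render(probe)


if __name__ == "__main__":
    print(render_unsafe(STORED_COMMENT))
    print(render_safe(STORED_COMMENT))
    print("unsafe renderer reflects markup:", reflects_unencoded(render_unsafe))
    print("safe renderer reflects markup:", reflects_unencoded(render_safe))
    print(session_cookie_header("example-session-id"))
```

Encoding at output time is what fixes both the stored and the reflected variant, because in both cases the defect is the same: user text reaches the HTML parser unchanged. The canary check finds that defect regardless of which page stored or echoed the text.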

What is SQLi?
Attacker sees a form on a web site.
Attacker sends an attack in the form of an SQL query in the form data (' OR 1=1 --).
The application sends the attacker's input to the database.
The database runs the query and sends those results back to the attacker.

How does WAS check for SQL Injection?
WAS engine verifies SQLi vulnerabilities using multiple injections and verifications.
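As an added example for the two SQLi slides above (not code from the presentation or from Qualys), the following Python block runs the slide's own payload, ' OR 1=1 --, against a login query built by string concatenation and against the same query with bound parameters, using an in-memory SQLite table constructed for the example. The looks_injectable function is a simplified model of the "multiple injections and verifications" a scanner performs: it compares the response to an always-true and an always-false injected condition. The table, user names and function names are assumptions of the example.

```python
import sqlite3

# Payload quoted on the slide: it closes the string literal, adds an
# always-true condition and comments out the rest of the statement.
SLIDE_PAYLOAD = "' OR 1=1 --"


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table standing in for the
    application's relational database. Passwords are stored in clear text only
    to keep the sample short; a real application stores password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str):
    """Vulnerable: form data is spliced into the SQL text, so the database
    parses attacker-supplied characters as part of the query."""
    sql = f"SELECT id, name FROM users WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(sql).fetchone()


def login_safe(conn: sqlite3.Connection, name: str, password: str):
    """Hardened: bound parameters keep the data out of the query grammar, so
    quotes and comment markers in the input are just characters to compare."""
    sql = "SELECT id, name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()


def looks_injectable(conn: sqlite3.Connection, login) -> bool:
    """Toy version of a scanner's inject-and-verify step (simplified model, not
    the WAS engine): send an always-true and an always-false condition. If the
    responses differ, the input reached the query grammar; a parameterised
    query answers both the same way."""
    true_case = login(conn, "' OR 1=1 --", "probe")
    false_case = login(conn, "' OR 1=2 --", "probe")
    return true_case != false_case


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login with payload:", login_vulnerable(db, SLIDE_PAYLOAD, "x"))
    print("parameterised login with payload:", login_safe(db, SLIDE_PAYLOAD, "x"))
    print("vulnerable looks injectable:", looks_injectable(db, login_vulnerable))
    print("parameterised looks injectable:", looks_injectable(db, login_safe))
```

With the concatenated query the WHERE clause becomes name = '' OR 1=1 --' AND password = 'x', so the first user row comes back without a valid password; with bound parameters the same input is compared literally against the name column and matches nothing.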

Introduction to the vulnerability management tool (VM)
4. Test configuration

Web application definition wizard

Authentication wizard

Form-based login - description
• Form-based login
− Used by most websites
− The login form is created by the developer, so the login variables differ from site to site
− Additional hidden parameters, e.g. cookies, are often used during login
− Determining the authentication type is not entirely trivial

Authentication - support for Selenium IDE
• For form-based login
• Simplifies authentication setup
• Since version 2.1

Authentication - support for client certificates

Crawling
• Precise specification of the testing target
− White list, Black List, Explicit URL, POST Data Black List
− Since version 2.3 – Selenium IDE support for defining access
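The crawling slide above lists the scope controls (white list, black list, explicit URL, POST data black list) and the earlier "Links Crawled" slide explains why the crawled-links list can be shorter than the maximum: the same link fetched anonymously and authenticated, and every form submission, all count against the threshold. The following Python block is an added example serving both slides; it is a hypothetical model, not the WAS implementation, and the site map, scope rules and statistics it produces are constructed for the example.

```python
import re
from collections import deque
from dataclasses import dataclass, field


@dataclass
class CrawlScope:
    """Scope controls named on the slide, as a hypothetical model (not the WAS
    implementation): explicit start URLs, white-list and black-list regexes over
    URLs, and a black list of regexes over POST bodies."""
    explicit_urls: set = field(default_factory=set)
    white_list: list = field(default_factory=list)        # empty list = no restriction
    black_list: list = field(default_factory=list)        # checked after the white list
    post_data_black_list: list = field(default_factory=list)

    def allows_url(self, url: str) -> bool:
        if url in self.explicit_urls:
            return True
        if self.white_list and not any(re.search(p, url) for p in self.white_list):
            return False
        return not any(re.search(p, url) for p in self.black_list)

    def allows_post(self, body: str) -> bool:
        return not any(re.search(p, body) for p in self.post_data_black_list)


# Constructed site map: url -> (outgoing links, forms as (action, POST body)).
SITE = {
    "https://app.example/": (
        ["https://app.example/login", "https://app.example/search",
         "https://cdn.example/lib.js", "https://app.example/logout"],
        [],
    ),
    "https://app.example/login": ([], [("https://app.example/login", "user=u&pass=p")]),
    "https://app.example/search": ([], [("https://app.example/search", "q=test")]),
    "https://app.example/logout": ([], []),
}

# Constructed scope: stay on app.example, never follow the logout link, and
# never replay a form body that carries a password field.
SCOPE = CrawlScope(
    explicit_urls={"https://app.example/"},
    white_list=[r"^https://app\.example/"],
    black_list=[r"/logout$"],
    post_data_black_list=[r"(^|&)pass="],
)


def crawl(site: dict, scope: CrawlScope, max_links: int, authenticated: bool = True) -> dict:
    """Breadth-first discovery crawl that charges every request against
    max_links: each in-scope link once anonymously and once authenticated,
    plus one request per submitted form. Returns the crawl statistics."""
    stats = {"links": [], "requests": 0, "forms_submitted": 0,
             "posts_blocked": 0, "out_of_scope": []}
    queue = deque(sorted(scope.explicit_urls))
    seen = set(queue)

    def budget_left() -> bool:
        return stats["requests"] < max_links

    while queue and budget_left():
        url = queue.popleft()
        stats["links"].append(url)
        links, forms = site.get(url, ([], []))
        # The same link is requested as anonymous and as authenticated user.
        for _ in range(2 if authenticated else 1):
            if not budget_left():
                return stats
            stats["requests"] += 1
        # Form submissions count too, unless the POST data black list blocks them.
        for _action, body in forms:
            if not scope.allows_post(body):
                stats["posts_blocked"] += 1
                continue
            if not budget_left():
                return stats
            stats["requests"] += 1
            stats["forms_submitted"] += 1
        for link in links:
            if link in seen:
                continue
            seen.add(link)
            if scope.allows_url(link):
                queue.append(link)
            else:
                stats["out_of_scope"].append(link)
    return stats


if __name__ == "__main__":
    print(crawl(SITE, SCOPE, max_links=7))
```

With a maximum of 7 the crawl reports only 3 links, because the three pages cost two requests each (anonymous plus authenticated) and the search form costs a seventh; the login form is never replayed because its body matches the POST data black list, and the CDN and logout links are reported as out of scope rather than fetched.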

Live Demo: Test configuration options

5. Scan + Reporting

Dashboard
[Screenshot: Dashboard with Catalog, Reports, View Scans and Summary views]

Scan Results
[Screenshot annotations:]
• Did Authentication Work? & What type was used?
• Build scan reports from here
• Find largest applications

Web Application Scanning
Reporting – Scan Report
• Choose from Scans (similar to Manual Data in VM)

Web Application Scanning
Reporting – Scorecard
• Statistics on all applications tagged in UI
• High-level
• Good starting point

Live Demo: Reports