Testing and Comparing Result Scanning Using Web Vulnerability Scanner

Size: px

Start display at page:

Download "Testing and Comparing Result Scanning Using Web Vulnerability Scanner"

Meghan McLaughlin
6 years ago
Views:

1 Copyright 2015 American Scientific Publishers Advanced Science Letters All rights reserved Vol., , 2015 Printed in the United States of America Testing and Comparing Result Scanning Using Web Vulnerability Scanner Albert Sagala 1,2,, Elni Manurung 2 1 Faculty of Informatics and Electrical, Del Institute of Technology, Indonesia 2 Cyber Security Research Centre, Del Institute of Technology, Indonesia Popularity of the web increases nowadays and it is used every day and it needs a high security. Web vulnerability scanner (WVS) is a tools that can make observation of a web that can help developers or pentester web to find vulnerabilities in web and fix the holes before the developer online the website. Application web testing is very important thing to identify successes, completeness, safety and quality of the application. In this paper, will be explained about testing in a few websites using different scanners in five websites and the result will be analyzed toward the relevance result on each scanner. Scanning results are useful to complete in testing. Keywords: website, developer, web vulnerability scanner. 1. INTRODUCTION Website is collection of pages of many kinds information provided in internet that can be accessed around the world over network connected to Internet that consist of text, images, sound, etc, so that it becomes media informations that very popular nowadays 1.Website is now widely used in some aspect like Education (Elearning, information system), Culture (the official website of tourism in a region), Business (e-commerce, e- banking), and so on 5. For example doing some transaction in e-banking should have excellent security so the transaction is done well without harming anyone. For the prevention of leakage of information that often occur, it requires a high level of security, so it is advisable for testing and one of way using vulnerability scanner. Scanning in itself is not a policy enforcement tool, but it does provide us with necessary information to ensure that we can keep out hosts safe from unknown attacks. The lack of any internal security data meant we had no way of knowing the risk we faced from internal attack. This is a problem faced by many companies RELATED WORK Vulnerability scanning is the art of using computer to look for weakness in the security of another computer. Using the vulnerability scanner, we can find and fix the weakness in systems before someone or attacker finds that there is a security weakness and decides to break in. Like a shop keeper making sure all the doors and windows are closed and locked before closing up for the evening so the money is safe 3. Before publishing the website in internet for public use, the best way is do testing in applications because when the web was developed, mistakes are made and have errors slip through and the developers do not realize the way they codes had been written is mistaken. So, the intruder or attacker can gain access our system easily that can steal data and something precious. Because that reason, we need do testing our system so we can prevent it. There are two main approaches to testing software applications for the presence of bugs and vulnerabilities 4,5 : - In white-box testing, the source code of applications is analyzed is an attempt to track down defective or vulnerable line of code. This operation is often integrated into the development process environment. Because this approach is focused on internal structure, code program and programming skills, white-box testing has not experienced widespread for finding security flaws in web applications. - In black-box testing, the source code is not examined directly but an approach for examining the functional application without knowing the internal structure web. Instead, special input test case are generated and sent to the application by manually or using black-box web vulnerability scanner 9. Then, the result returned by the 1 Adv. Sci. Lett. Vol. 4, No. 2, /2015/4/400/008 doi: /asl

2 Adv. Sci. Lett. 4, , 2011 RESEARCH ARTICLE application are analyzed for unexpected behavior that indicate errors or vulnerabilities. In practice, black-box testing scanners are used to discover security problems in web application. These tools operate by launching attack against an application and observing its response to these attacks. In this paper will using black-box testing approach with commercial and open source vulnerability scanner. The following are the four main parts that constitute the vulnerability assessment cycle (Katsicas, 2009) 6 : - Detect Conduct a vulnerability assessment and report findings to management; - Correct Advise the corrective actions that should be taken to resolve the findings and to maintain the continuity of business operations; - Prevent Set the preventive actions that should be followed to avoid any future threats against existing vulnerabilities; - Assess Risks - Present to management the risk-based assessment report that includes the possible business impact from the identified assessment results. Figure 1 illustrates the vulnerability assessment cycle process. 3. TESTING Assess Risks Detect Vulnerability Assessment Methodology Prevent Fig. 1. Vulnerability Assessment Cycle 6 Correct Scanning was done in five websites contained in the internet with active response using commercial and opensource WVS (Web Vulnerability Scanner) like Acunetix and Vega WVS. These websites are selected based on the number of users on website and the information contained in those websites because these websites are very popular in this country. Deliberately disguise the names of websites that are scanned in order not to harm the parties concerned. The selected sites are websites that frequently used and store various type of namely the informations published and highly confidential information. Name of the websites are Apple, Banana, Cherry, Orange and Guava. Before doing scanning, Figure 2 is a network topology that is used to perform scanning on the target server. Computer scanning is directly connected to Internet using the internet router supplied by one provider in this country so do not use LAN networking to perform scanning on the outside network. A. Commercial Web Scanner Fig. 2. Network Topology In this approach, if we using vulnerability scanner, there is three phases generally like 7 : - In configuration stage, identifying Uniform Resource Locator (URL) of application and setup parameters. - In crawling stage, produces a map of an internal structure of the web application. - In the scanning stage is to begin testing by simulating user input from user and clicking. During this test, all tests were executed and all response and request are stored and analyzed. After doing the scanning phase, the result can be stored for analysis purposes. Most scanner also show some generic informations related the vulnerabilities found, including how to avoid or correct them. Acunetix WVS is an analytical tools to perform web security audits. Acunetic WVS works consist of target specification, site crawling, and structure mapping and pattern analysis 7. - Target Identification: WVS checks targets with active web server. Information is collected regarding, technologies used, web server banner and responsiveness for appropriate filtering tests. - Site Crawling and Structure Mapping: The first, index file of web application will be fetched first, determined by URL. Received responses are parsed to client side scripts, get links, parameters, forms, input fields, and that builds a list of directories and files inside the web application. - Pattern Analysis is executed against the web application. In this scanning, there is configuration before starting scanning the website like we can choose scanning mode options as show on Table 1. In this scanning we use all of these modes according to our needs. Speed/Depth in tables below has stars to describe the speed/depth s value using that mode and the value of speed/depth had been defined by the developer of that scanner before. Table 1. Scanning Options 8 Mode Description Speed/Depth Quick Only first value ffrom every pparameter will be tested Scan speed has 5 stars Scan depth has 2 stars Heuristic WVS will try automatically determine which Scan speed has 3 stars Scan depth has 2

Mode Description Speed/Depth parameter require 3 stars complex testing Extensive All possible Scan speed has combination for 1 stars every parameter Scan depth has will be tested 5 stars when there

3 Mode Description Speed/Depth parameter require 3 stars complex testing Extensive All possible Scan speed has combination for 1 stars every parameter Scan depth has will be tested 5 stars when there are a lot parameter/combina tions, this mode will generate a lot HTTP requests Table 2 presents result scanning such as how its responsive, web banner server, operating system, web server and programming languages used. Not only using this scanner, we can find informations from the target, on Linux, we can use whatweb to identify informations from the website that can know the use of the web technologies like CMS, javascript libraries and so on. The operating system must be protected from attacks of attacker like denial of service attack, Trojan horses, login spoofing, launch of program with access rights, memory protection, and others attacks. For example for government s website, they usually hide the target information so the attacker will have difficulty in entering the system. Table 2. Target Information Apple Banana Cherry Orange Guava Responsive True True True True True Web Server Apache Apache Nginx banner /2.22 Apache / (FreeBS D) mod_ssl / Apache / CentOS Operating System Unix Unix Unix Unknown Unknown Web Server Apache Apache Apache Apache Apache 2.x Technologi es PHP - PHP PHP PHP In the chart below, Figure 3, The web scanner has features to categorized potential attack called Web Alerts into 4 levels such as High, Medium, Low and Information. In the web scanner, had been defined, it is low, medium, high or informational. Both penetration and attacker using this to attack/testing the system. Figure 3 explains the number of percentage potential attack in this scanner Apple Banana Cherry Durian Guava Fig. 3. Potential Distribution Charts Web Attacks (1) In high web alerts, potential attacks are SQL Injection, Cross site scripting attacks, DOM-based XSS, PHP allow_url_ropen enabled, Slow HTTP Denial of Service Attack, Host header attack, HTTP parameter pollution, script source disclosure, SVN repository found and so on. In medium web alerts, potential attacks are application error message, apache http only cookie disclosure, error message on page, PHP open_base dir is not set, PHPinfo page found, source code disclosure, user credentials are sent in clear text, HTML form without CSRF protection. In Low web alerts, potential attacks are clickjacking:x- Frame-Options header missing, login page password guessing attack, possible sensitive directories, possible virtual host found, set, slow response time, session cookie without HTTPOnlyflag, sensitive data not encrypted,trace method is enabled and so on. In informational web alerts, give informations to us about the websites like broken links, address found, default phpinfo page,postscript files, possible temporary file/directory, password type input with autocomplete enabled and possible server path disclosure. Figure 4 presents the vulnerability description about the attack, the affected items, the impact of this vulnerability and how to fix, detailed informations and web references which is advantages of this WVS. It helps penetration testing to enhance the security of this web. Potential attack can we retest again using this scanner by feature that served by that WVS. We can check one by one and sometimes, we will find false positive. It means the potential attacks are not valid. Fig. 4. Vulnerability Description WVS(1) In table 3. The tick signified that site detected the four criteria like network alert, port scanner, knowledge base, site structure and dot signifies, the WVS does not detect the four criterias. Table 3. Scan Thread Apple Banana Cherry Orange Guava Network Alert Port Scanner Knowledge Base Site Structure 3 Adv. Sci. Lett. Vol. 4, No. 2, /2015/4/400/008 doi: /asl

Adv. Sci. Lett. 4, 400 407, 2011 RESEARCH ARTICLE Knowing the structure of the site, we can know how the web was built, using CMS or certain framework. Here is the distribution of this websites.

4 Adv. Sci. Lett. 4, , 2011 RESEARCH ARTICLE Knowing the structure of the site, we can know how the web was built, using CMS or certain framework. Here is the distribution of this websites. Table 4 presents that network alert was found in Apple, Cherry and Guava s website like DNS cache snooping. DNS cache snooping is the process to see if a particular resource record is in the cache. Cache snooping can be used to determine the host, who the clients and users, can be used to view the software that is used for a host of resource record that contains the address of software update and other information that is userful to an attacker. Network Alerts DNS cache snooping Table 4. Network Alerts Found Apple Cherry Guava Table 5, there are websites that have open ports like http (80), http-proxy(8080), ftp (21), https(443) which is very dangerous for safety websites. The websites are Apple, Cherry and Guava. Table 5. Port Scanner Found Port Scanner Open Port 80/http Apple Cherry Guava Open Port 8080/http-proxy Apple - - Open Port 21/ftp - - Guava Open port 443/https - - Guava Table 6 presents that WVS have found knowledge base which is helps the developer or pentester to fix these. Table 6. Knowledge Base Found Knowledge Base List of extensions Apple Banana - Guava Top 10 response Apple Banana - Guava times List of clients Apple Banana - Guava scripts List of external hosts Apple Banana - Guava List of with - - Cherry Guava inputs List of Apple Banana - Guava addresses List of TCP ports - - Cherry Guava DNS server running - - Cherry Guava Whois lookup - - Cherry Guava FTP Server Running Guava In this web scanner, we can retest the potentials attack using features that served by WVS. In Figure 5 checking the potentials whether the potentials including false positive or not. Fig. 5. Retest The Potential Attack False positive in simple words is, we received reports about attacks but it was not valid attack because the attack itself is not valid. In figure below, we can see the false positive. The system directly strikes out the potential attack that not valid. There are many kinds of websites hide their database so the scanner is difficult to find out them but if we using heuristic or extensive scanning mode, we can find database in one directory of that web. Penetration tester or attacker will try or analyze the result of the result of WVS. One of them is backdoor which is found when check all result that given by the scanner in Figure 6. Fig. 6. Backdoor Found Backdoor is a mechanism that is implanted by attackers who managed to make compromise bypass existing computer security, so in the future, may be easier to access to the attacked computer without being noticed by the owner. So, if the attacker has found this backdoor who had been made another attacker before, this backdoor can be taken over to the next attacker. B. Open Source Web Vulnerability Scanner In this sub bab, we used web vulnerability scanner that is free open source which can be used in windows a Linux. Using this scanner was simple and does not require any particular configurations, we do not need to configure the type of scanning mode, just pick one or two modules supplied i.e. Injection Modules/Response Processing Modules. This open-source WVS also same with a commercial WVS, they had categorized types of potentially attacks be 4 levels like low, medium, high and informational items in figure Apple 10 5 Banana 0 Cherry Orange Guava Fig. 7. Potential Distribution Chart Web Attacks (2) In high web alerts, potential attacks are Session Cookie without secure flag, session cookie with put httponlyflag, Integer overflow, Possible Social Security number detected, Page fingerprint differential detected- 4

Possible XPath Injection, Possible social insurance number detected, shell injection, clear text password over HTTP, Bash Shellshock injection, MySQL Error Detected-Possible SQL Injection, SQL

In medium web alerts, potential attack are local file system paths found, possible XML Injection, Possible HTTP Put File Upload, Possible Code Disclosure, HTTP Trace Support Detected.

5 Possible XPath Injection, Possible social insurance number detected, shell injection, clear text password over HTTP, Bash Shellshock injection, MySQL Error Detected-Possible SQL Injection, SQL Injection, Crosssite Scripting, Page Fingerprinting differential detectedpossible. In medium web alerts, potential attack are local file system paths found, possible XML Injection, Possible HTTP Put File Upload, Possible Code Disclosure, HTTP Trace Support Detected. Support Detected/Apache/2.2.21/FreeBSD mod_ssl/ OpenSSL/0.9.8q, Possible XML Injection. In Low web alerts, potential attack are address found, form password field with autocomplete enabled (wp-login) and internal address found. In opensource WVS also has detail informations about the potential attack. In this web scanner, we only can check the potentials one by one manually without having to retest it. Fig. 8. Detail Information s Web Attack In figure 9 presents the vulnerability s example have been found the high critical alert. When the security hole is not treated quickly and properly, then attacker can easily disrupt the system and can be detrimental to some of parties. Fig. 9. Vulnerability Found Using Opensource WVS 4. EXPERIMENTAL RESULT Figure 3 and Figure 7 presents the potential attacks in commercial and open source web vulnerability. - In high potential attack, there is contrast difference like on orange website, using WVS 1 there is no high potential attack but in other WVS, there are a number of very high potential attack. - In medium, the distribution is almost same (which distinguishes the number of potential attacks). - In low, in first WVS, there are a number of low attacks but in the second WVS, the number of low attacks is lower than first. - In informational, orange s website contain the highest informations. With this result information, the developer or pentester of that web expected to find further information about a potential attack information that is found in a scanner which is a preventive step against the web is built. 5. CONCLUSION In this paper we evaluate and compare some websites using two different vulnerability scanners that can help us to keep maintain our system well. In the result, there are difference result in each scanner, because web vulnerability scanner has official standard in conduction vulnerability scanning on websites, has its advantages and disadvantages. We can use both of them, commercial/free or opensource depends to needs. Both are needed to complete the scanning for developer/pentester to improve security on the website before publishing to the public. REFERENCES [1] [2] SANS Institute InfoSec Reading Room:Implementing vulnerability scanning in a large organization [3] SANS Institute InfoSec Reading Room: Vulnerabilitis &;Vulnerability scanning [4] Kals, S. Kirda, E. Kruegel, C., and Jovanovic, N. Secubat: A Web Vulnerability Scanner. In Proceedings of the 15th International Conference On World Wide Web (2006). [5] Foncesa, J., Vierira, M., Madeira, H.,. Testing and comparing web vulnerability scanning tools for SQL injection and XSS attacks. In 13th IEEE International Symposium on Pasific Rim Dependable Computing Conference (PRDC 2007, Melbourne Victoria, Australia, December 2007 [6] SANS Institute.Auditing using Vulnerability tools to identify today s threats Business Performance.Global Information Assurance Certification Paper, November [7] Bairwa, S., Mewara, B., Gajrani, J., Vulnerability Scanners:A Proactive Approach to Assess Web Application Security. In International Journal On Computational Sciences &Application (IJCSA) Vol.4, No.4, No.1, February 2014 [8] Acunetix.Acunetix Web Vulnerability Scanner.. [9] A.Doupe, M. Cova and G.Vigna. Why Johnny Can t Pentest:An Analysis of Black-box Web Vulnerability Scanners. In C.Kreibich, M.Jahne (Eds.) Proceedings of the 7th International conference on Detection of Intrusions and Malware, and Vulnerability Assessment-DIMVA Adv. Sci. Lett. Vol. 4, No. 2, /2015/4/400/008 doi: /asl

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition Chapter 3 Investigating Web Attacks Objectives After completing this chapter, you should be able to: Recognize the indications