RESEARCH ARTICLE

Adv. Sci. Lett., 1936-6612, 2015

Copyright © 2015 American Scientific Publishers All rights reserved Printed in the United States of America

Advanced Science Letters Vol. ,1936-6612, 2015

Testing and Comparing Result Scanning Using Web Vulnerability Scanner

Albert Sagala (1,2), Elni Manurung (2)

(1) Faculty of Informatics and Electrical, Del Institute of Technology, Indonesia; (2) Cyber Security Research Centre, Del Institute of Technology, Indonesia

The popularity of the web keeps growing, it is used every day, and it needs a high level of security. A web vulnerability scanner (WVS) is a tool that examines a website and helps developers or web penetration testers find vulnerabilities and fix the holes before the developer puts the website online. Testing a web application is essential to establish its success, completeness, safety and quality. This paper describes the testing of five websites with different scanners and analyses how relevant the results of each scanner are. The scan results are useful for making the testing complete. Keywords: website, developer, web vulnerability scanner.

1. INTRODUCTION

A website is a collection of pages holding many kinds of information, provided on the internet and reachable from anywhere in the world over a network connected to the Internet; it consists of text, images, sound and so on, which has made it a very popular information medium [1]. Websites are now widely used in many areas, such as education (e-learning, information systems), culture (the official tourism website of a region), business (e-commerce, e-banking) and so on [5]. A transaction in e-banking, for example, must have excellent security so that it completes without harming anyone. To prevent the leakage of information that so often occurs, a high level of security is required, so testing is advisable, and one way to test is with a vulnerability scanner. Scanning in itself is not a policy enforcement tool, but it does provide the information needed to keep our hosts safe from unknown attacks. The lack of any internal security data meant we had no way of knowing the risk we faced from internal attack. This is a problem faced by many companies [2].

2. RELATED WORK

Vulnerability scanning is the art of using a computer to look for weaknesses in the security of another computer. Using a vulnerability scanner, we can find and fix the weaknesses in our systems before someone, an attacker, finds the weakness and decides to break in.


Like a shopkeeper making sure all the doors and windows are closed and locked before closing up for the evening so the money is safe [3]. Before publishing a website on the internet for public use, the best course is to test the application, because mistakes are made while the web application is developed, errors slip through, and the developers do not realise that the way their code was written is wrong. An intruder or attacker can then easily gain access to our system and steal data or other valuables. For that reason we need to test our system so that we can prevent this. There are two main approaches to testing software applications for the presence of bugs and vulnerabilities [4,5]:
- In white-box testing, the source code of the application is analysed in an attempt to track down defective or vulnerable lines of code. This operation is often integrated into the development environment. Because this approach focuses on internal structure, program code and programming skill, white-box testing has not seen widespread use for finding security flaws in web applications.
- In black-box testing, the source code is not examined directly; instead the application is examined functionally, without knowledge of its internal structure. Special test inputs are generated and sent to the application, either manually or with a black-box web vulnerability scanner [9]. The results returned by the application are then analysed for unexpected behaviour that indicates errors or vulnerabilities.

In practice, black-box scanners are used to discover security problems in web applications. These tools operate by launching attacks against an application and observing its responses. This paper uses the black-box approach with a commercial and an open-source vulnerability scanner. The following are the four main parts that constitute the vulnerability assessment cycle (Katsicas, 2009) [6]:
- Detect: conduct a vulnerability assessment and report the findings to management;
- Correct: advise the corrective actions that should be taken to resolve the findings and to maintain the continuity of business operations;
- Prevent: set the preventive actions that should be followed to avoid any future threats against existing vulnerabilities;
- Assess Risks: present to management the risk-based assessment report, including the possible business impact of the identified assessment results.

Figure 1 illustrates the vulnerability assessment cycle.

Fig. 1. Vulnerability Assessment Cycle [6] (cycle diagram, "Vulnerability Assessment Methodology", with the stages Detect, Correct, Prevent and Assess Risks)

Adv. Sci. Lett. 4, 400–407, 2011, doi:10.1166/asl.2011.1261

3. TESTING

Scanning was carried out on five live websites on the internet, using a commercial and an open-source WVS (Web Vulnerability Scanner), namely Acunetix and Vega. The websites were selected by their number of users and by the information they hold, because they are very popular in this country. The names of the scanned websites are deliberately disguised so as not to harm the parties concerned. The selected sites are frequently used and store various types of information, both published and highly confidential. The websites are called Apple, Banana, Cherry, Orange and Guava. Figure 2 shows the network topology used to perform the scans on the target servers. The scanning computer is connected directly to the Internet through an internet router supplied by one provider in this country, so no LAN is used to scan the external network.

Fig. 2. Network Topology

A. Commercial Web Scanner

In this approach, when using a vulnerability scanner there are generally three phases [7]:
- In the configuration stage, the Uniform Resource Locator (URL) of the application is identified and the parameters are set up.
- In the crawling stage, a map of the internal structure of the web application is produced.
- In the scanning stage, testing begins by simulating user input and clicks. During this test all checks are executed, and every request and response is stored and analysed.

After the scanning phase, the results can be stored for analysis. Most scanners also show generic information about the vulnerabilities found, including how to avoid or correct them. Acunetix WVS is an analytical tool for performing web security audits. Its operation consists of target identification, site crawling and structure mapping, and pattern analysis [7]:
- Target identification: WVS checks that the target has an active web server. Information is collected about the technologies used, the web server banner and responsiveness, so that the tests can be filtered appropriately.
- Site crawling and structure mapping: the index file of the web application, determined by the URL, is fetched first. The responses received are parsed for client-side scripts, links, parameters, forms and input fields, which builds a list of the directories and files inside the web application.
- Pattern analysis is then executed against the web application.

Before scanning starts there is some configuration, such as choosing the scanning mode, as shown in Table 1. In these scans we used all of these modes according to our needs. The Speed/Depth column uses stars to describe the speed and depth of each mode; the star values were defined by the developer of the scanner.

Table 1. Scanning Options [8]
- Quick. Description: only the first value from every parameter will be tested. Speed/Depth: scan speed has 5 stars, scan depth has 2 stars.
- Heuristic. Description: WVS will try to automatically determine which parameters require complex testing. Speed/Depth: scan speed has 3 stars, scan depth has 3 stars.
- Extensive. Description: all possible combinations for every parameter will be tested; when there are a lot of parameters/combinations, this mode will generate a lot of HTTP requests. Speed/Depth: scan speed has 1 star, scan depth has 5 stars.

Table 2 presents scan results such as whether the target is responsive, the web server banner, the operating system, the web server and the programming language used. This scanner is not the only source of such information: on Linux, whatweb can be used to identify the technologies a website uses, such as its CMS, JavaScript libraries and so on. The operating system must be protected against attacks such as denial of service, Trojan horses, login spoofing, launching programs with elevated access rights, memory-protection violations and others. Government websites, for example, usually hide this target information so that an attacker has more difficulty getting into the system.

Table 2. Target Information
- Responsive: Apple True; Banana True; Cherry True; Orange True; Guava True.
- Web server banner: Apple Apache/2.22; Banana Apache/2.2.21 (FreeBSD) mod_ssl/; Cherry Apache/2.2.15 (CentOS); Orange Apache; Guava Nginx.
- Operating system: Apple Unix; Banana Unix; Cherry Unix; Orange Unknown; Guava Unknown.
- Web server: Apple Apache; Banana Apache 2.x; Cherry Apache; Orange Apache; Guava Apache.
- Technologies: PHP (listed for four of the five sites; the extracted table does not show which site has no entry).
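As an added illustration (not code from the paper, from Acunetix or from whatweb), the following Python derives the Table 2 fields from a site's HTTP response headers and lists every version a banner leaks, which is what a hardened site should suppress. The header sets are constructed, modelled on the banners in Table 2, and the OS hint table is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample header sets, modelled on the banners Table 2 reports.
# They are not captured from any of the paper's sites.
SAMPLE_HEADERS: Dict[str, Dict[str, str]] = {
    "Banana": {"Server": "Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q",
               "X-Powered-By": "PHP/5.3.8"},
    "Cherry": {"Server": "Apache/2.2.15 (CentOS)", "X-Powered-By": "PHP/5.3.3"},
    "Orange": {"Server": "Apache"},                # product only, no version
    "Guava": {"Server": "nginx"},
    "Hardened": {},                                # banner suppressed entirely
}

# Assumed hints: substrings in the parenthesised part of a banner that reveal the OS.
OS_HINTS = {"freebsd": "Unix", "centos": "Unix", "debian": "Unix", "ubuntu": "Unix",
            "unix": "Unix", "win32": "Windows", "win64": "Windows"}


@dataclass
class TargetInfo:
    web_server: str
    version: Optional[str]
    operating_system: str
    technologies: List[str] = field(default_factory=list)
    disclosures: List[str] = field(default_factory=list)  # what a hardened site hides


def fingerprint(headers: Dict[str, str]) -> TargetInfo:
    """Derive the Table 2 fields from response headers and list every version leak."""
    h = {k.lower(): v for k, v in headers.items()}
    server = h.get("server", "")
    # Product name, optionally followed by "/version", e.g. "Apache/2.2.21".
    m = re.match(r"([A-Za-z][\w-]*)(?:/([\d.]+))?", server)
    web_server = m.group(1) if m else "Unknown"
    version = m.group(2) if m else None
    os_name = "Unknown"
    for token in re.findall(r"\(([^)]*)\)", server):
        for hint, name in OS_HINTS.items():
            if hint in token.lower():
                os_name = name
    info = TargetInfo(web_server, version, os_name)
    if version:
        info.disclosures.append(f"Server discloses {web_server} version {version}")
    # Module banners such as mod_ssl/2.2.21 or OpenSSL/0.9.8q leak further versions.
    for mod, ver in re.findall(r"(mod_\w+|OpenSSL)/([\w.]+)", server):
        info.disclosures.append(f"Server discloses {mod} version {ver}")
    powered = h.get("x-powered-by")
    if powered:
        info.technologies.append(powered.split("/")[0])
        if "/" in powered:
            info.disclosures.append(f"X-Powered-By discloses {powered}")
    return info


def target_table(samples: Dict[str, Dict[str, str]]) -> Dict[str, TargetInfo]:
    """Build a Table 2 style summary for every sample site."""
    return {name: fingerprint(hdrs) for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, info in target_table(SAMPLE_HEADERS).items():
        print(f"{name}: {info.web_server} {info.version or ''} on {info.operating_system}, "
              f"{', '.join(info.technologies) or '-'}; leaks: {len(info.disclosures)}")
```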

The web scanner categorises potential attacks, called Web Alerts, into four levels: High, Medium, Low and Informational. The level of each alert, low, medium, high or informational, is defined by the scanner. Both penetration testers and attackers use this to test or attack a system. Figure 3 shows the percentage distribution of potential attacks found by this scanner.

Fig. 3. Potential Distribution Charts Web Attacks (1) (bar chart, y-axis 0 to 8, one group per site: Apple, Banana, Cherry, Durian, Guava)

- In the high web alerts, the potential attacks are SQL injection, cross-site scripting, DOM-based XSS, PHP allow_url_fopen enabled, slow HTTP denial of service attack, Host header attack, HTTP parameter pollution, script source disclosure, SVN repository found and so on.
- In the medium web alerts, the potential attacks are application error message, Apache httpOnly cookie disclosure, error message on page, PHP open_basedir is not set, phpinfo page found, source code disclosure, user credentials are sent in clear text, and HTML form without CSRF protection.
- In the low web alerts, the potential attacks are clickjacking: X-Frame-Options header missing, login page password-guessing attack, possible sensitive directories, possible virtual host found, slow response time, session cookie without HttpOnly flag, sensitive data not encrypted, TRACE method is enabled and so on.
- The informational web alerts give us information about the website such as broken links, email addresses found, default phpinfo page, PostScript files, possible temporary files/directories, password-type input with autocomplete enabled and possible server path disclosure.

Figure 4 presents the vulnerability description: the attack, the affected items, the impact of the vulnerability, how to fix it, detailed information and web references, which is an advantage of this WVS. It helps the penetration tester improve the security of the web. A potential attack can be retested with this scanner, using a feature the WVS provides. We can check them one by one, and sometimes we find a false positive, meaning the potential attack is not valid.

Fig. 4. Vulnerability Description WVS (1)

In Table 3, a tick signifies that the site was detected under the four criteria, network alert, port scanner, knowledge base and site structure, and a dot signifies that the WVS did not detect that criterion.

Table 3. Scan Thread (rows: Apple, Banana, Cherry, Orange, Guava; columns: Network Alert, Port Scanner, Knowledge Base, Site Structure; the tick/dot cells are not recoverable from the extracted layout, see Tables 4 to 6 for the items found)

Knowing the structure of the site, we can tell how the web was built, whether with a CMS or a certain framework. The distribution across the websites is as follows. Table 4 shows that a network alert, DNS cache snooping, was found on the Apple, Cherry and Guava websites. DNS cache snooping is the process of checking whether a particular resource record is in a resolver's cache. Cache snooping can be used to determine which hosts the clients and users have visited, to see which software a host uses from resource records holding the addresses of software-update servers, and to gather other information that is useful to an attacker.
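As an added illustration (not code from the paper or from either scanner), the following Python reproduces several of the low and medium checks listed above over a constructed login-page response, and shows the same page after the fixes a pentester would recommend, so the checks come back empty. The session cookie names and CSRF field names it looks for are assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample: one login-page response that exhibits several of the
# alerts listed above. It is not traffic captured from any of the paper's sites.
WEAK_HEADERS: List[Tuple[str, str]] = [
    ("Server", "Apache/2.2.21 (FreeBSD)"),
    ("Set-Cookie", "PHPSESSID=constructed0123abc; path=/"),      # no HttpOnly, no Secure
    ("Set-Cookie", "theme=dark; path=/; HttpOnly"),              # not a session cookie
    ("Allow", "GET, POST, OPTIONS, TRACE"),                      # TRACE enabled
]
WEAK_BODY = """<html><body>
<form action="http://login.example.invalid/auth" method="post">
  <input type="text" name="user"><input type="password" name="pass">
</form></body></html>"""

# The same page after the fixes: cookie flags, X-Frame-Options, no TRACE,
# HTTPS form action, CSRF token and autocomplete disabled on the password field.
HARDENED_HEADERS: List[Tuple[str, str]] = [
    ("Server", "Apache"),
    ("Set-Cookie", "PHPSESSID=constructed0123abc; path=/; HttpOnly; Secure"),
    ("X-Frame-Options", "DENY"),
    ("Allow", "GET, POST"),
]
HARDENED_BODY = """<html><body>
<form action="https://login.example.invalid/auth" method="post">
  <input type="hidden" name="csrf_token" value="constructed-token">
  <input type="text" name="user"><input type="password" name="pass" autocomplete="off">
</form></body></html>"""

SESSION_COOKIES = ("phpsessid", "jsessionid", "asp.net_sessionid", "sessionid")  # assumed


def check_response(headers: List[Tuple[str, str]], body: str, over_https: bool) -> List[str]:
    """Return scanner-style alerts (severity: title) for one HTTP response."""
    alerts: List[str] = []
    names = {k.lower() for k, _ in headers}
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        name, _, rest = v.partition("=")
        attrs = {a.strip().lower() for a in rest.split(";")[1:]}   # drop the value
        if name.strip().lower() in SESSION_COOKIES:
            if "httponly" not in attrs:
                alerts.append(f"Low: session cookie {name} without HttpOnly flag")
            if over_https and "secure" not in attrs:
                alerts.append(f"High: session cookie {name} without Secure flag")
    if "x-frame-options" not in names and "content-security-policy" not in names:
        alerts.append("Low: clickjacking: X-Frame-Options header missing")
    allow = next((v for k, v in headers if k.lower() == "allow"), "")
    if "trace" in allow.lower():
        alerts.append("Low: TRACE method is enabled")
    for form in re.findall(r"<form[^>]*>.*?</form>", body, re.S | re.I):
        action = re.search(r'action="([^"]*)"', form, re.I)
        has_password = re.search(r'type="password"', form, re.I) is not None
        if has_password and action and action.group(1).lower().startswith("http://"):
            alerts.append("Medium: user credentials are sent in clear text")
        if has_password and not re.search(r'name="(csrf|_token|nonce)', form, re.I):
            alerts.append("Medium: HTML form without CSRF protection")
        for tag in re.findall(r"<input[^>]*>", form, re.I):
            if 'type="password"' in tag.lower() and 'autocomplete="off"' not in tag.lower():
                alerts.append("Informational: password type input with autocomplete enabled")
    return alerts


if __name__ == "__main__":
    print("\n".join(check_response(WEAK_HEADERS, WEAK_BODY, over_https=False)))
```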

Table 4. Network Alerts Found
- DNS cache snooping: Apple, Cherry, Guava.

A false positive, in simple words, is a report of an attack that is not valid, because the attack itself does not work. In the figure below we can see the false positive: the system strikes out the potential attack that is not valid. Many websites hide their database so that the scanner has difficulty finding it, but with the heuristic or extensive scanning mode the database can be found in one directory of the web. A penetration tester or attacker will analyse the results of the WVS. One of the findings, a backdoor, was found when checking all the results given by the scanner, as shown in Figure 6.

Table 5 shows the websites that have open ports such as http (80), http-proxy (8080), ftp (21) and https (443), which is dangerous for the safety of the websites. These websites are Apple, Cherry and Guava.

Table 5. Port Scanner Found
- Open Port 80/http: Apple, Cherry, Guava.
- Open Port 8080/http-proxy: Apple, Guava.
- Open Port 21/ftp: Guava.
- Open port 443/https: the cells of this column are not recoverable from the extracted layout.

Fig. 6. Backdoor Found

A backdoor is a mechanism implanted by an attacker who has managed to compromise a computer, bypassing its existing security, so that in future the attacked computer can be accessed more easily without the owner noticing. So if one attacker finds a backdoor that another attacker made earlier, the backdoor can be taken over by the next attacker.

Table 6 shows the knowledge base found by the WVS, which helps the developer or pentester fix the issues.

Table 6. Knowledge Base Found
- List of extensions
- Top 10 response times
- List of client scripts
- List of external hosts
- List of files with inputs
- List of email addresses
- List of TCP ports
- DNS server running
- Whois lookup
- FTP server running
(the per-website columns of this table are not recoverable from the extracted layout)

With this web scanner, we can retest the potential attacks using a feature the WVS provides. Figure 5 shows the check of whether each potential attack is a false positive or not.

Fig. 5. Retest The Potential Attack (bar chart, y-axis 0 to 15, one bar per site: Apple, Banana, Cherry, Orange, Guava)

B. Open Source Web Vulnerability Scanner

In this subsection we used a free, open-source web vulnerability scanner that runs on Windows and Linux. Using this scanner was simple and needed no particular configuration: there is no scanning mode to configure, we just pick one or two of the supplied modules, i.e. injection modules or response-processing modules. Like the commercial WVS, this open-source WVS categorises the types of potential attack into four levels, low, medium, high and informational, as shown in Figure 7.

Fig. 7. Potential Distribution Chart Web Attacks (2)

- In the high web alerts, the potential attacks are session cookie without Secure flag, session cookie without HttpOnly flag, integer overflow, possible social security number detected, page fingerprint differential detected, possible XPath injection, possible social insurance number detected, shell injection, clear-text password over HTTP, Bash "Shellshock" injection, MySQL error detected (possible SQL injection), SQL injection, cross-site scripting and page fingerprinting differential detected (possible).
- In the medium web alerts, the potential attacks are local file system paths found, possible XML injection, possible HTTP PUT file upload, possible code disclosure, HTTP TRACE support detected (Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q) and possible XML injection.
- In the low web alerts, the potential attacks are email address found, form password field with autocomplete enabled (wp-login) and internal address found.

The open-source WVS also has detailed information about each potential attack. With this web scanner we can only check the potential attacks one by one, manually, without being able to retest them.

4. EXPERIMENTAL RESULT

Figures 3 and 7 present the potential attacks found by the commercial and the open-source web vulnerability scanner.
- In the high potential attacks there is a sharp contrast: on the Orange website, WVS 1 reports no high potential attack, while the other WVS reports a number of very high potential attacks.
- In the medium level the distribution is almost the same; what differs is the number of potential attacks.
- In the low level, the first WVS reports a number of low attacks, but the second WVS reports fewer than the first.
- In the informational level, the Orange website contains the most information.

With this information, the developer or pentester of the web is expected to follow up on the potential attacks found by a scanner, as a preventive step for the web being built.

5. CONCLUSION

In this paper we evaluated and compared some websites using two different vulnerability scanners, which can help us keep our systems well maintained. The results differ between the scanners, because each web vulnerability scanner follows its own standard for conducting vulnerability scans on websites, with its own advantages and disadvantages. We can use either of them, commercial or open-source, depending on our needs. Both are needed to complete the scanning so that the developer/pentester can improve the security of the website before publishing it to the public.

Fig. 8. Detail Information's Web Attack

Figure 9 presents an example of a vulnerability found with a high critical alert. When a security hole is not treated quickly and properly, an attacker can easily disrupt the system, to the detriment of some of the parties.

Fig. 9. Vulnerability Found Using Opensource WVS

REFERENCES
[1] http://www.proweb.co.id/articles/web_design/website_adalah.html
[2] SANS Institute InfoSec Reading Room: Implementing vulnerability scanning in a large organization.
[3] SANS Institute InfoSec Reading Room: Vulnerabilities & Vulnerability scanning.
[4] Kals, S., Kirda, E., Kruegel, C., and Jovanovic, N. SecuBat: A Web Vulnerability Scanner. In Proceedings of the 15th International Conference on World Wide Web (2006).
[5] Fonseca, J., Vieira, M., Madeira, H. Testing and comparing web vulnerability scanning tools for SQL injection and XSS attacks. In 13th IEEE International Symposium on Pacific Rim Dependable Computing (PRDC 2007), Melbourne, Victoria, Australia, December 2007.
[6] SANS Institute. Auditing using Vulnerability tools to identify today's threats Business Performance. Global Information Assurance Certification Paper, November 2014.
[7] Bairwa, S., Mewara, B., Gajrani, J. Vulnerability Scanners: A Proactive Approach to Assess Web Application Security. International Journal on Computational Sciences & Applications (IJCSA), Vol. 4, No. 4, No. 1, February 2014.
[8] Acunetix. Acunetix Web Vulnerability Scanner. http://www.acunetix.com
[9] Doupé, A., Cova, M. and Vigna, G. Why Johnny Can't Pentest: An Analysis of Black-box Web Vulnerability Scanners. In C. Kreibich, M. Jahnke (Eds.), Proceedings of the 7th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2010).
