App Scanning Helps Secure Weak Spots

Strong security means closing every possible entry point for system crackers, and the weak links for many organizations are custom-built Web applications. Two just-released updates to application vulnerability scanners from Sanctum Inc. and SPI Dynamics Inc. will help developers trying to build secure applications.

Custom application security is a new area in the security field because it's difficult to build generic software packages that can effectively test home-grown applications. Because every Web application is different, these scanners have to crawl the site and use dynamic probing algorithms to determine how to attack it. Even then, the scanners have to do a lot of repetitive guessing to look for errors and, as a result, are no substitute for a skilled human audit or regular penetration tests.

eWeek Labs tested late beta code of AppScan; final code is expected to ship by the end of this month. WebInspect 2.0 started shipping last month, and we tested final code.

We found that these applications are very similar: Both parsed Web applications to determine HTML form parameters and then submitted the forms with permutations of parameter values such as nulls, quotes, browser script code and SQL commands. Web applications that don't filter out these inputs will likely break in some way, and such a bug can sometimes also be a security hole. Both also scan for known Web and application server vulnerabilities.

AppScan breaks its scanning phase into separate categories, and each category of attacks is scanned in parallel. WebInspect, in contrast, does its scanning serially.

The types of probes most useful to custom Web application designers are those that do various forms of parameter and cookie data manipulation to try to find places where developers missed adding necessary input checks.
For example, the packages will pass in file references as hidden parameter values in the hope that the parameter is used to hold a file name that the Web application will display. They modify parameters to include characters such as a pipe symbol or ampersand that can cause Web applications to run operating system commands, or they add SQL strings to text input values, which, if not filtered out, can allow an attacker to retrieve database data. Both packages also check for cross-site scripting attacks by passing input with embedded script code to applications and seeing if the script code is displayed on the following page.

There's also a lot of simple guessing involved. Both packages check for a long list of files and directories that might be present and accessible to the outside world. If developers leave source files with .bak or .old extensions or other leftover bits such as file transfer logs, they'll be detected this way.

AppScan runs on Windows 2000 servers and costs $15,000 plus a variable annual maintenance fee. This cost covers scanning of all the domain names and IP addresses owned by the purchaser. WebInspect runs on Windows 98, NT or 2000 and will be more expensive than AppScan for most sites: $4,995 per physical server scanned.

Caution Warranted

Although AppScan's and WebInspect's thoroughness will uncover hard-to-find bugs, their aggressive scanning can also cause application server or Web server crashes. As a result, we suggest testing applications only in nonproduction environments. We didn't experience any crashes in our tests, but officials at both companies said it was a possibility. In addition, because of the invalid input tests these applications run on every Web form they find, garbage data can get stored in an application's database during testing.

AppScan has a few versions under its belt, but this release has been heavily reworked.
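The probe classes described above (file references in parameters, pipe and ampersand characters, SQL strings, embedded script code, and guessing at .bak or .old files) also leave a recognisable trace in Web server access logs, which is a useful way to confirm that a scan ran only against the intended nonproduction host and to spot the same probing when it is not yours. The following is an added example, not code from the review or from either vendor; the log lines, hosts, paths and parameter values are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Common Log Format lines (hosts, paths and parameters are made up)
# showing the probe classes the review describes: leftover-file guessing, script
# injection, file references, SQL fragments and shell metacharacters.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2002:10:00:01 -0400] "GET /index.html HTTP/1.0" 200 1024
10.0.0.5 - - [01/Jul/2002:10:00:02 -0400] "GET /login.asp.bak HTTP/1.0" 404 210
10.0.0.5 - - [01/Jul/2002:10:00:03 -0400] "GET /search.asp?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.0" 200 900
10.0.0.5 - - [01/Jul/2002:10:00:04 -0400] "GET /view.asp?file=../../win.ini HTTP/1.0" 200 300
10.0.0.5 - - [01/Jul/2002:10:00:05 -0400] "GET /user.asp?id=1%27+OR+%271%27%3D%271 HTTP/1.0" 500 120
10.0.0.5 - - [01/Jul/2002:10:00:06 -0400] "GET /ping.asp?host=localhost%7Cdir HTTP/1.0" 200 450
10.0.0.7 - - [01/Jul/2002:10:00:07 -0400] "GET /products.asp?id=42 HTTP/1.0" 200 2048
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
LEFTOVER_EXT = (".bak", ".old")  # the leftover-file extensions the review names

def classify_param(value):
    """Return the probe classes a single URL-decoded parameter value matches."""
    hits, low = [], value.lower()
    if "<script" in low:
        hits.append("script-injection")
    if "../" in value or "..\\" in value:
        hits.append("file-reference")
    if any(c in value for c in "|&;"):
        hits.append("shell-metachar")
    if "'" in value or re.search(r"\b(union|select)\b", low):
        hits.append("sql-fragment")
    return hits

def scan_log(text):
    """Map each client IP to the set of probe classes seen in its requests."""
    findings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a log line we understand; skip rather than guess
        url = urlsplit(m.group("target"))
        classes = set()
        if url.path.lower().endswith(LEFTOVER_EXT):
            classes.add("leftover-file-guess")
        for _, val in parse_qsl(url.query, keep_blank_values=True):
            classes.update(classify_param(val))
        if classes:
            findings.setdefault(m.group("ip"), set()).update(classes)
    return findings
```

A host that triggers several classes in quick succession is almost certainly a scanner rather than a user typing odd input, which is the signal to check that it is your own scheduled run against a nonproduction system.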
The previous version of AppScan, 2.5, required a dedicated PC because it installed a customized version of the Debian Project's Debian GNU/Linux as its run-time engine. AppScan 3.0 is a Windows application and has a completely new user interface that we found more usable than the 2.5 version. The interface provides clear, step-by-step guidance through site tests and has dynamic filtering controls that let us quickly switch among different sections of a test result.

AppScan is much faster at scanning than WebInspect. A full AppScan security test of one of our sites finished in 6 minutes vs. an hour for WebInspect and delivered similar results.

However, WebInspect has a few advantages that users wanting more control will value. With WebInspect, for example, we could write our own tests using VBScript. (A script editor with method name completion and debugging is also included.) Custom tests in AppScan, in contrast, were limited to three types of simple tests. WebInspect also provides regular expression-based search (and search and replace) features for HTTP request and response data.

In tests, WebInspect stood out for the quality and comprehensiveness of its vulnerability descriptions (see screen, above), which were, by and large, more detailed and had more background information than those in AppScan.

Both packages include information on how to fix or work around found vulnerabilities, although neither had any system for tracking whether these fixes were applied. What we'd like to see is a way of comparing scans so that administrators can verify that identified problems have been fixed.
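Neither product tracks whether a reported problem was actually fixed, and the comparison the review asks for is straightforward to build on top of exported findings. The following is an added example, not code from the review or from either product; the Finding fields, the idea of keying a finding on page, input and check type, and the intranet.example results are all assumptions made up for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    url: str
    parameter: str   # form field or cookie the probe manipulated; "" for server-level checks
    check: str       # the scanner's vulnerability class
    severity: str

def finding_id(f):
    # Identity used for comparison: same page, same input, same check. Severity
    # and description text are left out so a re-rated finding still matches.
    return (f.url.lower().rstrip("/"), f.parameter.lower(), f.check.lower())

def compare_scans(baseline, rescan):
    """Split a rescan against an earlier baseline into fixed, new and persisting findings."""
    before = {finding_id(f): f for f in baseline}
    after = {finding_id(f): f for f in rescan}
    return {
        "fixed": sorted((before[k] for k in before.keys() - after.keys()), key=finding_id),
        "new": sorted((after[k] for k in after.keys() - before.keys()), key=finding_id),
        "persisting": sorted((after[k] for k in before.keys() & after.keys()), key=finding_id),
    }

def unresolved(report, claimed_fixed):
    """Findings developers marked as fixed that the rescan still reports."""
    still_open = {finding_id(f) for f in report["persisting"]}
    return [f for f in claimed_fixed if finding_id(f) in still_open]

# Constructed scan results for a made-up intranet site (not real scanner output).
BASELINE = [
    Finding("http://intranet.example/login.asp", "user", "SQL injection", "high"),
    Finding("http://intranet.example/search.asp", "q", "cross-site scripting", "medium"),
    Finding("http://intranet.example/view.asp", "file", "file disclosure", "high"),
    Finding("http://intranet.example/login.asp.bak", "", "backup file exposed", "low"),
]
RESCAN = [
    Finding("http://intranet.example/search.asp", "q", "cross-site scripting", "medium"),
    Finding("http://intranet.example/view.asp", "file", "file disclosure", "high"),
    Finding("http://intranet.example/admin/export.asp", "fmt", "command execution", "high"),
]

if __name__ == "__main__":
    report = compare_scans(BASELINE, RESCAN)
    for bucket, items in report.items():
        print(bucket, [(f.url, f.parameter, f.check) for f in items])
```

The "new" bucket matters as much as "fixed": a rescan after a release catches regressions that a simple count of open findings would hide.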
However, Sanctum's AppScan 3.0 and SPI Dynamics' WebInspect 2.0 are good additions to a corporation's security tool kit. Both perform thousands of checks and will be sure to catch the security mistakes that creep into Web server configurations or large custom applications. Organizations with outward-facing Web applications developed internally should consider using this type of tool.