Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Researchers Launch Tool To Close The Development-Testing Gap

Current vulnerability scanning tools aren't keeping pace with Web app development technology, Black Hat speakers say

Today's vulnerability scanners and other bug-finding tools are not keeping up with the fast pace of Web application development, and this growing gap is creating opportunities for attacker, according to a group of security researchers who will discuss the problem at the Black Hat USA conference in Las Vegas this week.

Click here for more of Dark Reading's Black Hat articles.

"We're shedding light on some areas where applications themselves -- and the technologies used in them -- have kind of moved on," says Nathan Hamiel, one of the speakers. "But the tools used to test and identify vulnerabilities in those applications haven't really moved on yet.

"When something new [in app development] comes out, developers want to use it, they want to integrate it, they want to be first to develop with it," Hamiel observes. "And testing tools kind of lag behind on that front."

According to Hamiel and his fellow researchers -- Justin Engler, Seth Law, and Greg Fleischer, all of them consultants for FishNet Security -- most automated tools today offer only a limited scope of testing. The speakers will assert that believe that applications and testing data need to be analyzed by people -- not tools -- to find the broadest range of impactful vulnerabilities.

"At the end of the day, tools don't find vulnerabilities. People do," Hamiel says. "[Tools] point a knowledgeable person in the right direction to identify whether or not a vulnerability exists. That's lost in translation when people are spending a lot of money on these testing tools."

Others industry experts agree.

"From login mechanism flaws, certain input validation and session management weaknesses, weak passwords and even gotchas in application logic -- there's just too much for the typical tools to uncover," Kevin Beaver, owner of the security consultancy Principle Logic, wrote recently on the topic. "Ditto with mobile devices and other complexities associated with network infrastructures."

Security testing resources are stretched so thin that organizations can only do so much manual testing, which is why semi-automated testing has become popular, the speakers say. But such automation becomes more difficult as people try to leverage the tools in unorthodox ways or write custom scripts to help them do better application inspection.

"We're pointing out common areas for problems, such as the injection of randomized data. For cross-site request forgeries, people have begun using random tokens to protect against that. Sometimes, those random tokens are generated on a per-page basis," Hamiel says. "You might be running a test case and maybe only the first request you send is valid. Every other request that you send is invalid. Those are problems that crop up that need to be identified and handled."

Hamiel and his fellow researchers hope to contribute to the collective testing effort by offering a free tool that they say will help address some of the limitations of current fuzzing tools. "We didn't want to write an inspection proxy, and we didn't want to write it in Java. If you look at a lot of current tools -- especially open-source tools and even some commercial tools -- that's kind of the approach they take," Fleischer says. "As a user of that type of tool, you still need to use a Web browser, walk through that application, and do all this heavy-lifting work -- especially with modern Web applications that are very focused on AJAX and other sorts of rich-client technology."

Fleischer says he and his cohorts decided to use Python and to embed the Web browser into the tool.

"[This] can give us better introspection into the overall cage and how data is transferred between the tool and the application and back," he says. "That's where a lot of the time and effort was focused."

Most importantly, says Fleischer, the tool was designed to speed up the analysis of testing output generated by custom scripts. This is critical in that sweet spot of semi-automation, where organizations need to test for particular circumstances but want to do it through custom scripts. The output from those scripts can be difficult to analyze and requires manual analysis or the development of a custom analyzer, he says.

"With our tool, we put the output in this common format, import it into our analysis, then run analysis on it," he explains. "It takes those outputs and starts from there, so it gives you kind of a leg up instead of having to write your own custom analyzers every time you write a custom script. If you target a specific import format, then you can leverage all the work that we've done to build an intelligent analysis."

The FishNet foursome will demo their new tool at Black Hat Arsenal the day before their session and also at their presentation on Thursday. They will release source code immediately following the session, and they plan to release installable packages for Mac and Windows after the show.

Have a comment on this story? Please click "Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
How to Identify Cobalt Strike on Your Network
Zohar Buber, Security Analyst,  11/18/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: A GONG is as good as a cyber attack.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-11-24
Matrix Synapse before 1.20.0 erroneously permits non-standard NaN, Infinity, and -Infinity JSON values in fields of m.room.member events, allowing remote attackers to execute a denial of service attack against the federation and common Matrix clients. If such a malformed event is accepted into the r...
PUBLISHED: 2020-11-24
HashiCorp Nomad and Nomad Enterprise 0.9.0 up to 0.12.7 client Docker file sandbox feature may be subverted when not explicitly disabled or when using a volume mount type. Fixed in 0.12.8, 0.11.7, and 0.10.8.
PUBLISHED: 2020-11-24
In Ortus TestBox 2.4.0 through 4.1.0, unvalidated query string parameters to test-browser/index.cfm allow directory traversal.
PUBLISHED: 2020-11-24
In Ortus TestBox 2.4.0 through 4.1.0, unvalidated query string parameters passed to system/runners/HTMLRunner.cfm allow an attacker to write an arbitrary CFM file (within the application's context) containing attacker-defined CFML tags, leading to Remote Code Execution.
PUBLISHED: 2020-11-24
Gitea 0.9.99 through 1.12.x before 1.12.6 does not prevent a git protocol path that specifies a TCP port number and also contains newlines (with URL encoding) in ParseRemoteAddr in modules/auth/repo_form.go.