Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

5/15/2013
01:45 AM
50%
50%

Web Application Testing Using Real-World Attacks

Using exploits to test Web applications can be an enlightening way to test for vulnerabilities, but there are downsides as well

Vulnerability management and scanning systems typically combine a number of techniques to assess the risk faced by a business' information technology, from scanning files and evaluating the current patch level to launching attacks and testing for practical vulnerabilities.

While assessing patch level tends to be the most reliable way to check for vulnerable code, there are times when real-world exploits are needed. In cases where the patch has not been correctly applied, or when there is no patch, the best way to check for the vulnerability is to actually probe the application. Custom Web applications, for example, will generally not be able to be assessed using a patch-level check, says Ross Barrett, senior manager for security engineering at Rapid7, a vulnerability management firm.

"If a company has in-house Web apps, that is where you are going to get a lot of value out of that approach," he says. "The real-world attacks can be replayed and give you results."

Using actual exploits to test for vulnerabilities is an old technique that turns a vulnerability scan into an automated penetration test rather than a catalog of the system's patch level. Exploitation, however, can result in system instability, a danger that causes many companies to be wary of active probes of their networks or Internet applications, says Lamar Bailey, director of security research for risk-management firm nCircle, now owned by Tripwire.

"It's tricky to use real exploits because you have to neuter them," Bailey says. "We got a lot of pushback from customers -- they would not run a lot of the tests -- because they did not want production servers to go down."

[Fear of business disruption and downtime often leaves enterprises hesitant to scan the critical applications that hackers are most likely to target in their quest for exploitable vulnerabilities. See Too Scared To Scan.]

Moreover, exploits are not 100 percent reliable, he says. With current anti-exploitation techniques -- such as address layout randomization and data-execution protection -- success in forcing exploit writers to track complex system states tends not to be a given, Bailey says.

"The fact that you could not get into the box does not mean that the box is not vulnerable," he says.

Web applications are a good match for exploit-based scanning because applications that continually deal with the Internet tend to be more robust, Bailey says. In addition, many of the types of attacks that threaten Web applications, such as cross-site scripting and SQL injection, are at low risk of causing downtime.

"As long as you don't crash anything and you tell the company what changes you made, many of them will let you use active techniques against a Web application," Bailey says. Using actual attack intelligence can help direct vulnerability testing as well. By looking at incoming attacks, security teams can replicate them and discover whether the business' systems are vulnerable to exploits. By automating the exploitation process, a company can turn attack research into defense, says Jason Schmitt, director of product management for Hewlett-Packard's Fortify business unit.

"The automation is about capturing the security-research expertise to give our customers a current perspective on the types of threats out there," he says.

The reverse works as well, Rapid7's Barrett says.

"There is a lot of noise to filter through," he says. "So tying the attack traffic into your vulnerability situation can tell you what you are actually vulnerable to, and that's hugely valuable."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Barry Shteiman
50%
50%
Barry Shteiman,
User Rank: Apprentice
5/15/2013 | 5:55:48 PM
re: Web Application Testing Using Real-World Attacks
A good portion of the larger enterprises and the government agencies of the world, have staging and production-like sites that allow them to test for things like system load and version control, that is where testing of this kind might be effective if performed under a monitored environment.

Having security controls in staging environments is key to large scale release management making sure that the controls put in place are effectively doing what they are meant to.
AccessServices
50%
50%
AccessServices,
User Rank: Apprentice
5/16/2013 | 1:32:45 PM
re: Web Application Testing Using Real-World Attacks
I agree with Barry if the company has a good SDLC. One could also use copies of production virtual servers to create a test environment with a sample database if the company did not send everything through QA.
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32615
PUBLISHED: 2021-05-13
Piwigo 11.4.0 allows admin/user_list_backend.php order[0][dir] SQL Injection.
CVE-2021-33026
PUBLISHED: 2021-05-13
The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the ca...
CVE-2021-31876
PUBLISHED: 2021-05-13
Bitcoin Core 0.12.0 through 0.21.1 does not properly implement the replacement policy specified in BIP125, which makes it easier for attackers to trigger a loss of funds, or a denial of service attack against downstream projects such as Lightning network nodes. An unconfirmed child transaction with ...
CVE-2019-10062
PUBLISHED: 2021-05-13
The HTMLSanitizer class in html-sanitizer.ts in all released versions of the Aurelia framework 1.x repository is vulnerable to XSS. The sanitizer only attempts to filter SCRIPT elements, which makes it feasible for remote attackers to conduct XSS attacks via (for example) JavaScript code in an attri...
CVE-2020-23995
PUBLISHED: 2021-05-13
An information disclosure vulnerability in ILIAS before 5.3.19, 5.4.12 and 6.0 allows remote authenticated attackers to get the upload data path via a workspace upload.