Thursday, October 25, 2018

Dynamic Application Security Testing (DAST)

  • DAST

Web Application Vulnerability Scanners are automated tools that scan web applications, normally from the outside, to look for security vulnerabilities such as Cross-site scripting, SQL Injection, Command Injection, Path Traversal and insecure server configuration. This category of tools is frequently referred to as Dynamic Application Security Testing (DAST) Tools.

Tools Listing
Acunetix WVS
AppTrana Basic
Arachni
AVDS
Burp Suite
Grabber
Grendel-Scan
GoLismero
ImmuniWeb
Nexpose
Nikto
Vega
Wapiti
WebCookies
Wikto
w3af
Zed Attack Proxy - OWASP ZAP

https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools


  • Dynamic Application Security Testing (DAST)

Dynamic application security testing (DAST) technologies are designed to detect conditions indicative of a security vulnerability in an application in its running state. Most DAST solutions test only the exposed HTTP and HTML interfaces of Web-enabled applications; however, some solutions are designed specifically for non-Web protocol and data malformation (for example, remote procedure call, Session Initiation Protocol [SIP] and so on).
http://www.gartner.com/it-glossary/dynamic-application-security-testing-dast/


  • Today’s organizations deploy a myriad of web applications, ranging from external-facing corporate websites to internal-facing portals.WhiteHat Sentinel Dynamic is a Software-as-a-Service platform for dynamic application security testing (DAST).

https://www.whitehatsec.com/products/dynamic-application-security-testing/

  • Application security can help organizations protect all kinds of applications (such as legacy, desktop, web, mobile, micro services) used by internal and external stakeholders including customers, business partners and employees

Why Application Security?
As validated by multiple studies, the majority of successful breaches target exploitable vulnerabilities residing in the application layer, indicating the need for enterprise IT departments to be extra vigilant about application security.Now, the software supply chain is much more complicated considering the outsourced development, the number of legacy applications, coupled with in-house development that takes advantage of 3rd party, open source and commercial, off-the-shelf software components.
Organizations need application security solutions that cover all of their applications, from those used internally to popular external apps used on customers’ mobile phones.
These solutions must cover the entire development stage and offer testing after an application is put into use to monitor for potential problems.

What is SAST?
Static Application Security Testing (SAST) scans the application source files, accurately identifies the root cause and helps remediate the underlying security flaws.
Developer Benefits of Static Application Security Testing:
Fully integrated with the Integrated Developer Environment (IDE)

What is DAST?
Dynamic Application Security Testing (DAST) simulates controlled attacks on a running web application or service to identify exploitable vulnerabilities in a running environment.
Benefits of Dynamic Application Security Testing:
    Provides a comprehensive view of application security by focusing on what’s exploitable and covering all components (server, custom code, open source, services)
Can be integrated into Dev, QA and Production to offer a continuous holistic view
Tests functional app, so unlike SAST, is not language constrained and runtime and environment-related issues can be discovered
https://www.microfocus.com/en-us/what-is/application-security

  • What is Dynamic Application Security Testing (DAST)?
Dynamic Application Security Testing (DAST) is the process of analyzing a web application through the front-end to find vulnerabilities through simulated attacks.This type of approach evaluates the application from the “outside in” by attacking an application like a malicious user would. 

Pros of DAST
    Independent of the application
    Immediately finds vulnerabilities that could be exploited
    Does not require access to the source code
Cons of DAST
    Does not find the exact location of a vulnerability in the code
    Security knowledge is needed to interpret reports
    Test can be time-consuming

There are many ways to test application security, including:
    Static Application Security Testing (SAST)
    Dynamic Application Security Testing (DAST)
    Mobile Application Security Testing (MAST)
    Interactive Application Security Testing (IAST)

Why is DAST Important?
Human error will inevitably play a part at some point in the Software Development Life Cycle (SDLC), and the sooner a vulnerability is caught during the SDLC, the cheaper it is to fix.
When DAST is included as part of the Continuous Integration/Continuous Development (CI/CD) pipeline, this is referred to as “Secure DevOps,” or “DevSecOps.”

How does DAST work?
A DAST scanner searches for vulnerabilities in a running application and then sends automated alerts if it finds flaws that allow for attacks like SQL injections, Cross-Site Scripting (XSS), and more. Since DAST tools are equipped to function in a dynamic environment, they can detect runtime flaws which SAST tools can’t identify.

What is the difference between SAST and DAST?
SAST, on the other hand, analyzes static environments, meaning the source code of an application. It looks at the application from the “inside out,” searching for vulnerabilities in the code.
To maximize the strength of your security posture, it’s a best practice to use both SAST and DAST. Having this unified taxonomy across testing methods enables you to have a complete view of vulnerabilities.

https://www.microfocus.com/en-us/what-is/dast

  • ZAPGETTINGSTARTEDGUIDE-2.7

Software security testing is the process of assessing and testing a system to discover security risks and vulnerabilities of the system and its data.
we defne assessments as the analysis and discovery of vulnerabilities without attempting to actually exploit those vulnerabilities.
At its core, ZAP is what is known as a “man-in-the-middle proxy.”
It stands between the tester’s browser and the web application so that it can intercept and inspect messages sent between browser and web application, modify the contents if needed, and then forward those packets on to the destination.
It can be used as a stand-alone application, and as a daemon process.
When you frst start ZAP, you will be asked if you want to persist the ZAP session. By default,ZAP sessions are always recorded to disk in a HSQLDB database with a default name and
location. If you do not persist the session, those fles are deleted when you exit ZAP If you choose to persist a session, the session information will be saved in the local database so you can access it later, and you will be able to provide custom names and locations for
saving the fles.

Expand Your Pentesting with ZAP
Any pages protected by a login page are not discoverable during a passive scan because, unless you’ve confgured ZAP’s authentication functionality, ZAP will not
handle the required authentication Any pages that are not fndable with ZAP’s default spider are not testable during a passive scan. ZAP does provide additional options for discovery and coverage outside
of passive scanning.

Quick Scan uses the traditional ZAP spider, which discovers links by examining the HTML in responses from the web application. This spider is fast, but it is not
always effective when exploring an AJAX web application that generates  links using JavaScript.

Spiders are a great way to explore your basic site, but they should be combined with manual exploration to be more effective.
Spiders, for example, will only enter basic default data into forms in your web application but a user can enter more relevant information which can, in
turn, expose more of the web application to ZAP.
This is especially true with things like
registration forms where a valid email address is required. The spider may enter a random string, which will cause an error. A user will be able to react to that error and supply a
correctly formatted string, which may cause more of the application to be exposed when the form is submitted and accepted.
Obscurity is not security, and hidden pages sometimes go live without warning or notice. So be as thorough as you can when exploring your site.

Passive scanning is good at fnding some vulnerabilities and as a way to get a feel for the basic security state of a web application and locate where more investigation may be warranted
Active scanning, however, att empts to fnd other vulnerabilities by using known attacks against the selected targets.

  • The OWASP Top Ten Proactive Controls 2016 is a list of security techniques that should be included in every software development project
Verify for Security Early and Often
Parameterize Queries
Encode Data
Validate All Inputs
Implement Identity and Authentication Controls
Implement Appropriate Access Controls
Protect Data
Implement Logging and Intrusion Detection
Leverage Security Frameworks and Libraries
Error and Exception Handling
https://www.owasp.org/index.php/OWASP_Proactive_Controls

  • OWASP OWTF
OWTF aims to make pen testing:
    Aligned with OWASP Testing Guide + PTES + NIST
https://www.owasp.org/index.php/OWASP_OWTF

  • Vega is a free and open source web security scanner and web security testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities
https://subgraph.com/vega/ 


  • Arachni is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of modern web applications
http://www.arachni-scanner.com/ 


  • w3af is a Web Application Attack and Audit Framework. The project’s goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities.W3af is known as most powerful and flexible tool for finding web application’s vulnerability. It’s easy to use feature made it popular among the security professionals like ethical hackers. W3af contains many web assessment and exploitation plugins as well.

http://w3af.org/


  • Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers, and version specific problems on over 270 servers .Nikto is sponsored by Netsparker, a false positive free web application security scanner.

https://cirt.net/Nikto2


  • Burp Suite is an integrated platform for performing security testing of web applications
    https://portswigger.net/burp/


    •  Spider - This can be used for automatically crawling an application, to discover its content and functionality.    Scanner - This is used to automatically scan HTTP requests to find security vulnerabilities.

        Intruder - This allows you to perform customized automated attacks, to carry out all kinds of testing tasks.
        Repeater - This is used to manually modify and reissue individual HTTP requests over and over.
        Sequencer - This is used to analyze the quality of randomness in an application's session tokens.
        Decoder - This lets you transform bits of application data using common encoding and decoding schemes.
        Comparer - This is used to perform a visual comparison of bits of application data to find interesting differences.


    https://portswigger.net/burp/help/suite_gettingstarted


    • Firefox - Go to the Firefox menu, click on Options, click on Advanced, go to the Network tab, and click on the Settings button in the Connection section. Select the "Manual proxy configuration" radio button. Enter your Burp Proxy listener address in the "HTTP proxy" field (by default, 127.0.0.1). Enter your Burp Proxy listener port in the "Port" field (by default, 8080). Make sure the "Use this proxy server for all protocols" box is checked. Delete anything that appears in the "No proxy for" field. Then click "OK" to close all of the options dialogs.

    https://portswigger.net/burp/help/suite_gettingstarted#browser

    The intercept feature will intercept ALL traffic sent from the browser, additional extensions such as FoxyProxy can be used to specify which URLs and IPs are blacklisted/whitelisted and therefore bypass the Burp intercept.


    http://www.primalsecurity.net/0x2-exploit-tutorial-web-hacking-with-burp-suite/
    • Two ways to go about this are static application security testing (SAST) and dynamic application security testing (DAST). These application security testing methodologies are used to find the security vulnerabilities that make your organization’s applications susceptible to attack.The two methodologies approach applications very differently. They are most effective at different phases of the software development life cycle (SDLC) and find different types of vulnerabilities. For example, SAST detects critical vulnerabilities such as cross-site scripting (XSS), SQL injection, and buffer overflow earlier in the SDLC. DAST, on the other hand, uses an outside-in penetration testing approach to identify security vulnerabilities while web applications are running.
    https://www.cigital.com/blog/sast-vs-dast
    • SAST vs DAST 




    • SAST, DAST, IAST, and RASP: Pros, cons and how to choose


    Some organizations need to focus on their developers, adding static application security testing (SAST) to the development cycle to catch potential flaws early
    Other organizations may want to prove their need by using dynamic application security testing (DAST) or penetration testing to show how vulnerable their applications are.
    there's interactive application security testing (IAST), which uses agents and additional software libraries to collect data from running applications that can then reveal vulnerabilities.
    Companies that want to “virtually patch” their applications can lock down their portfolios using some form of application firewall or a newer technology, such as runtime application self-protection (RASP), a form of IAST.

    IAST, including RASP: Protect code against exploits and known bugs
    a new approach—known as interactive application security testing (IAST), or “glass-box” testing—promises to catch attacks that the other approaches miss
    IAST runs as an agent, allowing you to collect and analyze event data from running applications.

    https://learn.techbeacon.com/units/sast-dast-iast-rasp-pros-cons-how-choose



    • Fiddler
    Use Fiddler for security testing your web applications -- decrypt HTTPS traffic, and display and modify requests using a man-in-the-middle decryption technique. Configure Fiddler to decrypt all traffic, or only specific sessions.
    http://www.telerik.com/fiddler

    • paros
    A Java-based web proxy for assessing web application vulnerability. It supports editing/viewing HTTP/HTTPS messages on-the-fly to change items such as cookies and form fields. It includes a web traffic recorder, web spider, hash calculator, and a scanner for testing common web application attacks such as SQL injection and cross-site scripting
    http://sectools.org/tool/paros/
    • Odysseus
    Odysseus is a proxy server, which acts as a man-in-the-middle during an HTTP session. A typical HTTP proxy will relay packets to and from a client browser and a web server. Odysseus will intercept an HTTP session’s data in either direction and give the user the ability to alter the data before transmission.
    http://www.darknet.org.uk/2007/02/odysseus-win32-proxy-telemachus-http-transaction-analysis/

    • Charles is an HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet.

    https://www.charlesproxy.com/
    • Application Security Automation
    Glue is a framework for running a series of tools. Generally, it is intended as a backbone for automating a security analysis pipeline of tools.
    https://github.com/OWASP/glue

    • OWASP Glue Tool Project
    The purpose of the project is to make it easy to integrate security tools (like static or dynamic analysis) into the CI/CD pipeline.
    https://www.owasp.org/index.php/OWASP_Glue_Tool_Project

    • What is BeEF?

    BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.
    including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser
    https://beefproject.com/

    • OWASP Application Security Verification Standard Project

    The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.
    https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project



    • Free for Open Source Application Security Tools

    the following lists of automated vulnerability detection tools that are free for open source projects
        Static Application Security Testing (SAST) Tools
        Dynamic Application Security Testing (DAST) Tools - (Primarily for web apps)
        Interactive Application Security Testing (IAST) Tools - (Primarily for web apps and web APIs)
        Keeping Open Source libraries up-to-date (to avoid Using Components with Known Vulnerabilities (OWASP Top 10-2017 A9))
        Static Code Quality Tools
    • https://www.owasp.org/index.php/Free_for_Open_Source_Application_Security_Tools
    • Software Assurance Maturity Model

    The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization
    https://www.opensamm.org/

    Overview of Burp Suite

    DAST (Dynamic Application Security Testing) / Penetration Testing Tool
    Integrated platform for performing security testing of web apps
    Developed to provide comprehensive solution for web app security checks.Functionality includes proxy server, scanner, intruder, spidering, a repeater, a decoder,comparer, an extender, and sequence

    Desired an automated approach to running Burp Suitesecurity scanning
    Manual security scanning is time consuming (bottleneck) due to applicationdiscovery/ crawling process

    Used Automated UI tests for application discovery
    Used protractor (selenium) UI automated tests to act as the event based trigger forapplication discovery while using Burp Proxy to intercept all Requests/Response
    Used Jenkins (Cl/CD) to run the automated UI test

    Burp Suite Professional (v.1.7.34) with 'Burp-REST-API
    Automated the spidering, proxy, intercepts request/response from UI tests, thenkicks off security scan, then generates Burp security scan report

    Development Frivironment
    Angular/NodeJS Web application
    Protractor/Jasmine — Automated UI tool
    Jenkins Cl/CD pipeline
    Burp Suite Faternal API

    Using multiple approach to testing applications
    Manual Penetration Testing
    DAST (Web App Scanning Tools)
    Burp
    Accunetix
    Netsparker
    SAST (DevSecOps Tools)
    Checkmarx
    Fortify
    SonarQube
    https://www.osti.gov/servlets/purl/1639985

    Static Application Security Testing (SAST) / Source code analysis / Static code analysis

    • SAST

    Source code analysis tools, also referred to as Static Application Security Testing (SAST) Tools, are designed to analyze source code and/or compiled versions of code to help find security flaws.
    Some tools are starting to move into the IDE. For the types of problems that can be detected during the software development phase itself, this is a powerful phase within the development life cycle to employ such tools, as it provides immediate feedback to the developer on issues they might be introducing into the code during code development itself.

    Strengths
        Scales well -- can be run on lots of software, and can be run repeatedly (as with nightly builds or continuous integration)
        Useful for things that such tools can automatically find with high confidence, such as buffer overflows, SQL Injection Flaws, and so forth
        Output is good for developers -- highlights the precise source files, line numbers, and even subsections of lines that are affected

    Weaknesses
        Many types of security vulnerabilities are very difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc. The current state of the art only allows such tools to automatically find a relatively small percentage of application security flaws. However, tools of this type are getting better.
        High numbers of false positives.
        Frequently can't find configuration issues, since they are not represented in the code.
        Difficult to 'prove' that an identified security issue is an actual vulnerability.
        Many of these tools have difficulty analyzing code that can't be compiled. Analysts frequently can't compile code because they don't have the right libraries, all the compilation instructions, all the code, etc.

    Important Selection Criteria
    How accurate is it? False Positive/False Negative rates?
        Does the tool have an OWASP Benchmark score?

    Open Source or Free Tools Of This Type
    ...

    https://www.owasp.org/index.php/Source_Code_Analysis_Tools

    • static application security testing (SAST)
    WhiteHat Sentinel Source is our static application security testing (SAST) product. It is used for scanning source code of the most commonly-used programming languages, identifying vulnerabilities, and providing actionable vulnerability reports, as well as offering Software Composition Analysis and ready-to-implement code fixes for certain vulnerabilities. Scanning of binary files for certain languages is also available.WhiteHat offers three tiers of Static Application Security testing (SAST) products to help secure all stages of the DevOpsSec lifecycle.
    https://www.whitehatsec.com/products/static-application-security-testing


    • The OWASP SonarQube project aims to provide open source SAST using the existing open source solutions. SonarQube is one of the world’s most popular continuous code quality tools and it's actively used by many developers and companies.

    This project aims to enable more security functionalities to SonarQube and use it as an SAST.
    https://www.owasp.org/index.php/OWASP_SonarQube_Project
    • SonarQube

    SonarQube provides the capability to not only show health of an application but also to highlight issues newly introduced

    https://www.sonarqube.org/

    • OWASP Orizon is a source code security scanner designed to spot vulnerabilities in J2EE web applications, Android code and generally speaking in Java written source code. 

    https://www.owasp.org/index.php/Category:OWASP_Orizon_Project


    • The OWASP Lapse Project is LAPSE+: The Security Scanner for Java EE Applications. OWASP LAPSE Project is an initiative to make available to developers and auditors a tool for detecting vulnerabilities in Java EE Applications.

    https://www.owasp.org/index.php/OWASP_LAPSE_Project


    • OWASP WAP - Web Application Protection Project

    WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives.
    https://www.owasp.org/index.php/OWASP_WAP-Web_Application_Protection


    • The O2 platform represents a new paradigm for how to perform, document and distribute Web Application security reviews. O2 is designed to Automate Security Consultants Knowledge and Workflows and to Allow non-security experts to access and consume Security Knowledge. 

    https://www.owasp.org/index.php/OWASP_O2_Platform


    • Coverity Scan Static Analysis
    Find and fix defects in your Java, C/C++, C#, JavaScript, Ruby, or Python open source project for free
    https://scan.coverity.com/

    • OWASP Dependency-Check

    Dependency-Check is a utility that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities.
    Currently, Java and .NET are supported; additional experimental support has been added for Ruby, Node.js, Python, and limited support for C/C++ build systems (autoconf and cmake).
    The tool can be part of a solution to the OWASP Top 10 2017 A9-Using Components with Known Vulnerabilities previously known as OWASP Top 10 2013 A9-Using Components with Known Vulnerabilities.
    https://www.owasp.org/index.php/OWASP_Dependency_Check