Researchers aim to smarten Web application security scanners

Michael S. Mimoso, Editorial Director

BOSTON -- Two application security experts are working on a way to improve the testing of Web applications by incorporating application data flow maps and other information typically used by software quality assurance testers.

Rafal Los and Matt Wood of Hewlett-Packard Co.'s Web Security Research Group presented a set of new testing processes Wednesday at SOURCE Boston 2010. They said the new processes they proposed are currently far too complicated to implement, but will eventually be incorporated in an automated tool.

"We're trying to take the human element and move it more into the scanners," Wood said.

For far too long, penetration testers hunting for vulnerabilities in Web applications have been losing ground.

Web application security scanners have improved the time to detect and identify the location of bugs in JavaScript, AJAX and other modern coding techniques, but more sophisticated applications result in far less of the attack surface being tested, Los said.

"Security analyst tools today aren't equipped properly to test highly complex applications," Los said. "The more complex Web apps get, the less effective automation becomes unless we do something. This is that something."

The two researchers developed what they call an execution-flow-based approach to application security testing. They use data from QA testers to fully map the Web application's attack surface to better understand how an application functions and more importantly, how data flows through it. Once security testers have the data, they could quickly drill down into a particular area and identify vulnerabilities that pose more risk, Los said.

"QA teams generally know the app; they test for known stuff that is supposed to be there," Los said. "They can tell you that they covered the entire application -- all the functionality."

The researchers call their processes a radical testing methodology in which data requirements and functional paths are used to create an execution-flow diagram that captures the key business logic of an application. The process results in function-based automated testing. The technique helps testers identify actions that change the application's document flow or actions that could change the state of the application. Indirect flows, that is, external data that can modify the document state, are also incorporated.

For example, in a payment page, "when a user selects American Express or Visa a QA guy will know the user's selection results in a different action within the application," Wood said. "The scanners are not going to know." Since a scanner can only identify errors in a small portion of the attack surface, feeding them application flow data could help "smarten" the scanner and improve the overall test.

Using flow-based threat analysis, pen testers can determine that two vulnerabilities in an area of an app that handles credit cards should take a higher priority than vulnerabilities in a product-viewing area. The processes could also help boost the credibility of security testers, the researchers said. Security teams are typically given an application to test in a very short time frame.
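The following is an added illustration of the methodology described above, not code from the HP researchers or from any scanner. It turns QA functional paths into an execution-flow graph, records which actions change application state, attaches an indirect flow (a promo-code feed that reaches checkout outside the click path), and then ranks scanner findings so that a flaw in the card-handling function outranks the same flaw in product viewing. The storefront paths, the data-sensitivity weights, the per-hop decay and the state-change multiplier are all constructed assumptions for this example.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sensitivity weights per data class (an assumption for this
# example; a real team would derive them from its own data classification).
DATA_WEIGHT = {"card_number": 10, "cvv": 10, "email": 3, "promo_code": 2, "product_id": 1}
HOP_DECAY = 0.5         # how much a flaw's influence attenuates per flow hop (assumed)
STATE_MULTIPLIER = 1.5  # extra weight for actions that change application state (assumed)


@dataclass
class Function:
    name: str
    data: Set[str] = field(default_factory=set)   # data elements this function handles
    changes_state: bool = False                   # e.g. writes an order, charges a card
    succ: Set[str] = field(default_factory=set)   # direct execution-flow edges


Step = Tuple[str, Set[str], bool]  # (function name, data handled, changes state)


def build_flow(qa_paths: Iterable[List[Step]],
               indirect_flows: Dict[str, Set[str]]) -> Dict[str, Function]:
    """Turn QA functional paths into an execution-flow graph.

    indirect_flows maps a function to external data that reaches it outside
    the user's click path (the methodology's 'indirect flows')."""
    graph: Dict[str, Function] = {}
    for path in qa_paths:
        prev = None
        for name, data, state in path:
            node = graph.setdefault(name, Function(name))
            node.data |= set(data)
            node.changes_state = node.changes_state or state
            if prev is not None:
                graph[prev].succ.add(name)
            prev = name
    for name, data in indirect_flows.items():
        graph.setdefault(name, Function(name)).data |= set(data)
    return graph


def state_changing_actions(graph: Dict[str, Function]) -> List[str]:
    """Actions QA marked as changing application state."""
    return sorted(n for n, f in graph.items() if f.changes_state)


def flow_sensitivity(graph: Dict[str, Function], start: str) -> float:
    """Highest data weight reachable from `start`, attenuated per hop (BFS)."""
    best, seen, queue = 0.0, {start}, deque([(start, 0)])
    while queue:
        name, dist = queue.popleft()
        node = graph[name]
        local = max((DATA_WEIGHT.get(d, 0) for d in node.data), default=0)
        best = max(best, local * HOP_DECAY ** dist)
        for nxt in node.succ:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return best


def prioritise(graph: Dict[str, Function], findings):
    """findings: (function, vulnerability label, scanner severity 1-10).
    Returns (score, function, label) sorted by flow-aware score, highest first."""
    scored = []
    for name, vuln, severity in findings:
        score = severity * flow_sensitivity(graph, name)
        if graph[name].changes_state:
            score *= STATE_MULTIPLIER
        scored.append((round(score, 2), name, vuln))
    return sorted(scored, reverse=True)


# Constructed QA functional paths for a small storefront (assumed, not real data)
QA_PATHS = [
    [("product_view", {"product_id"}, False),
     ("add_to_cart", {"product_id"}, True),
     ("checkout", {"email"}, False),
     ("pay", {"card_number", "cvv"}, True)],
    [("product_view", {"product_id"}, False),
     ("search", set(), False)],
]
INDIRECT_FLOWS = {"checkout": {"promo_code"}}  # promo codes arrive from a marketing feed

# Constructed scanner findings: the same two bug classes in two areas of the app
FINDINGS = [
    ("product_view", "reflected XSS", 6),
    ("pay", "SQL injection", 9),
    ("product_view", "SQL injection", 9),
    ("pay", "reflected XSS", 6),
]

GRAPH = build_flow(QA_PATHS, INDIRECT_FLOWS)

if __name__ == "__main__":
    print("state-changing actions:", state_changing_actions(GRAPH))
    for score, fn, vuln in prioritise(GRAPH, FINDINGS):
        print(f"{score:7.2f}  {fn:13s} {vuln}")
```

With these inputs the two findings in `pay` rank first because that function handles card data and changes state, while identical findings in `product_view` score low: card data is three hops away on the flow graph, so a flaw there has little direct influence on it. The weights and decay are deliberately simple; the point is that the ranking comes from the application's flow and data map, which the scanner alone does not know.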

"If you have 24 hours and 2.5 million lines to functionally test, how are you going to get that done?" Los asked.