Web application security: manual penetration testing or automated scanning

INTRODUCTION

More than 90% of web applications have security flaws, and more than 70% of attacks travel over the HTTP/HTTPS protocols. Organizations therefore need to protect their web applications with more than network-level tools alone. The share of attacks arriving on ports 80 and 443 is very large for a simple reason: these ports are, in effect, the front door for online communication and have to stay open.

Today's web applications are more complex than ever, and they exchange and store large amounts of sensitive data, including personal, financial and medical information. Customers not only expect this information to be protected; they demand it. The open question is how a web application should be evaluated: by manual application testing or by automated tools and systems. Security starts at the design stage, by modeling the security risks an application introduces and the countermeasures that must be added. It has to be treated like any other important component of the application, analyzed and reviewed at every step of the application lifecycle. Vulnerabilities in web applications can be found in several ways:

Automated

  1. Scanning tools
  2. Static analysis

Manual

  1. Penetration testing
  2. Code review

The main purpose of this article is to compare two of these vulnerability detection methods: automated scanning and manual penetration testing.

HISTORY

Manual security penetration testing is a long-standing method. Developers have always checked their applications for vulnerabilities and problems over the lifetime of the application. As attacks have become more sophisticated and applications more complex, a class of specialists has emerged whose explicit goal is to find and exploit such security issues. These people are known as penetration testers. Automated testing of web applications appeared in 1992. At that time the web was still quite sparse, and web browsers were only just able to handle the complexity of dynamic applications. The main goal of these tools is to automate the process of crawling a web application and testing it for the errors that lead to vulnerabilities.

TYPES OF VULNERABILITIES

In general, most web application vulnerabilities fall into one of two categories: technical and logical. Technical vulnerabilities are the well-known classes such as Cross-Site Scripting (XSS), injection flaws and buffer overflows. Logical vulnerabilities are harder to classify. They relate to the application's own business logic, so no predefined pattern for them exists in advance. For example, in early 2002 an attacker deliberately used a logical vulnerability in Microsoft Hotmail to bypass the verification of personal information required for a password reset, so that a user's password could be reset simply by guessing the answer to that user's secret question.

TECHNICAL VULNERABILITIES

Testing for technical vulnerabilities must be both methodical and comprehensive, and that is what automated tools and systems are built for. Consider the Microsoft Hotmail registration form. It contains approximately 30 form fields, some visible and some hidden. Every one of those fields is a potential entry point for Cross-Site Scripting, injection flaws, buffer overflows or improper error handling. More than 70 different techniques exist just for probing Cross-Site Scripting, so testing this single registration form thoroughly requires more than 2,000 individual tests (30 fields multiplied by 70 or more payloads). Tools that crawl, analyze and test a web application are far better suited to this volume of work than a person testing by hand. However, scanning tools cannot detect 100% of technical vulnerabilities, and there is no reason to expect that they will in the near future. Scanners still run into particular problems with:

- URLs generated on the client side

- JavaScript functions

- Application logout (the scanner logs itself out by following the logout link)

- Session-based interactions that require a user to follow a specific sequence of links

- Automated form submission with data the application will accept

- Passwords

- 'Infinite' websites, where session IDs embedded in URLs make every page look new
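As an added example (not code from the original article), the following Python script shows what the scanner side of that workload looks like: it enumerates every field of a form, hidden fields included, builds the field-by-payload test matrix, and submits each probe to a simulated server handler that happens to reflect one hidden field without escaping. The form, the payload list and both server handlers are constructed for this illustration; a real scanner would send the probes over HTTP and carry many more payload variants.

```python
"""Enumerate a form's fields, build the scanner's test matrix and check
each probe for unescaped reflection. Everything here (form, payloads,
server handlers) is constructed for illustration, not taken from a real site."""
import html
from html.parser import HTMLParser

# Constructed sample registration form: visible and hidden fields.
SAMPLE_FORM = """
<form action="/register" method="post">
  <input type="text" name="first_name">
  <input type="text" name="last_name">
  <input type="email" name="email">
  <input type="hidden" name="country" value="US">
  <input type="hidden" name="csrf_token" value="abc123">
  <select name="secret_question"><option>pet</option></select>
  <textarea name="comment"></textarea>
</form>
"""

# A handful of XSS probes; a real scanner carries 70 or more variants.
XSS_PAYLOADS = [
    "<script>alert(1)</script>",
    '"><script>alert(1)</script>',
    "'><img src=x onerror=alert(1)>",
    "<svg/onload=alert(1)>",
]

# Page template the simulated server renders after a submission.
TEMPLATE = "<p>Welcome {first_name} from {country}</p><!-- {comment} -->"


class FormFieldParser(HTMLParser):
    """Collects (name, type) for every input, select and textarea."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag in ("input", "select", "textarea"):
            a = dict(attrs)
            if a.get("name"):
                # hidden inputs are fields too: the server still reads them
                self.fields.append((a["name"], a.get("type", tag)))


def enumerate_fields(form_html):
    parser = FormFieldParser()
    parser.feed(form_html)
    return parser.fields


def build_test_matrix(fields, payloads):
    """One request per (field, payload) pair. For the 30-field form in the
    text and 70 or more XSS payloads this alone exceeds 2,000 requests."""
    return [(name, payload) for name, _ in fields for payload in payloads]


def vulnerable_handler(params):
    """Simulated server that escapes visible input but trusts the hidden
    'country' field and echoes it raw: a reflected XSS in a hidden field."""
    safe = {k: html.escape(v) for k, v in params.items()}
    safe["country"] = params.get("country", "")  # the bug: no escaping
    return TEMPLATE.format(**safe)


def fixed_handler(params):
    """Same page with every field escaped before rendering."""
    return TEMPLATE.format(**{k: html.escape(v) for k, v in params.items()})


def scan(form_html, payloads, handler):
    """Submit each probe with benign values in the other fields and report
    any field whose payload comes back unchanged (unescaped reflection)."""
    fields = enumerate_fields(form_html)
    findings = []
    for name, payload in build_test_matrix(fields, payloads):
        params = {field: "test" for field, _ in fields}
        params[name] = payload
        if payload in handler(params):
            findings.append((name, payload))
    return fields, findings


if __name__ == "__main__":
    fields, findings = scan(SAMPLE_FORM, XSS_PAYLOADS, vulnerable_handler)
    print(f"{len(fields)} fields, {len(build_test_matrix(fields, XSS_PAYLOADS))} tests")
    for name, payload in findings:
        print(f"reflected XSS in field {name!r} with payload {payload!r}")
```

Two things are worth noticing when running it. The only vulnerable field is the hidden one, which a tester working from the rendered page alone would never type into, and the test count grows multiplicatively: swapping in the 30 fields and 70 payloads from the text gives 2,100 requests for one form, which is the workload argument for automation.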

Automated web application security tools continue to improve, and the contest between manual and automated methods comes down to two points that need to be made clear. First, automated assessment removes uncertainty: its coverage is consistent and repeatable. Manual testing for technical vulnerabilities, by contrast, goes from impractical to impossible as the size and scope of an application grow. In many organizations there is simply not enough time, effort and money to assess thousands of existing web applications by hand. Second, a person working through thousands or millions of potential technical vulnerabilities is error-prone and cannot be relied on for complete coverage. IDC researchers put it this way: 'The problem is time and cost. Manual work is time consuming and costly. But if you have really good people, it will be very safe; if not, they will just look at the code every day. With scanning software, you can make these tasks faster and cheaper, and can cover many geographic territories.'

LOGICAL VULNERABILITIES

Logical vulnerabilities are found by understanding how an application works and then looking for weaknesses in that design. Where automated tools and routine test techniques get no further with a web application, the tester has to understand how the application works and the business process underneath it. That understanding lets a manual penetration tester break the business logic and expose security vulnerabilities. For example, an application may direct the user from point A to point B and then to point C, with a security check performed at point B. Manual examination at point A may show that it is perfectly possible to go directly from point A to point C, bypassing the check at point B altogether.
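The A to B to C flow described above, as an added example that is not part of the original article: a three-step password reset where step C (set a new password) is only supposed to be reachable after the secret-question check at step B. The vulnerable version relies on the page sequence alone, so a tester who requests C straight after A resets the password. The hardened version records the outcome of B in the server-side session and makes C verify it. The step names, the account data, the session dictionary and the "redirect:" return values are constructed for this illustration.

```python
"""Password-reset flow A -> B -> C. Step C must only be reachable after the
secret-question check at B. All handlers and data are constructed for this
illustration; a real application would keep the session on the server and
send the user HTTP redirects instead of returning strings."""

# Constructed account data: user -> (expected secret answer, password)
ACCOUNTS = {"alice": {"answer": "rover", "password": "old-pw"}}


class VulnerableReset:
    """Assumes nobody reaches C without passing B, because the UI only
    links A -> B -> C. The check at B is never recorded server-side."""

    def step_a(self, session, username):
        if username not in ACCOUNTS:
            return "redirect:A"
        session["user"] = username          # A: identify the account
        return "redirect:B"

    def step_b(self, session, answer):
        user = session.get("user")
        if user is None:
            return "redirect:A"
        if answer != ACCOUNTS[user]["answer"]:
            return "redirect:B"             # wrong answer, try again
        return "redirect:C"                 # only the page sequence "proves" B

    def step_c(self, session, new_password):
        user = session.get("user")
        if user is None:
            return "redirect:A"
        ACCOUNTS[user]["password"] = new_password   # no check that B passed
        return "reset"


class HardenedReset(VulnerableReset):
    """Same flow, but B's outcome is stored in the server-side session and
    C refuses to act without it. The flag is single-use and bound to the user."""

    def step_b(self, session, answer):
        result = super().step_b(session, answer)
        if result == "redirect:C":
            session["verified_user"] = session["user"]
        return result

    def step_c(self, session, new_password):
        user = session.get("user")
        if user is None or session.pop("verified_user", None) != user:
            return "redirect:B"             # B was skipped or failed: send back
        ACCOUNTS[user]["password"] = new_password
        return "reset"


def skip_step_b(flow, username="alice"):
    """What a manual tester tries: request C directly after A."""
    session = {}
    flow.step_a(session, username)
    return flow.step_c(session, "attacker-pw")


def legitimate_path(flow, username="alice", answer="rover"):
    """The intended A -> B -> C sequence with the correct secret answer."""
    session = {}
    flow.step_a(session, username)
    flow.step_b(session, answer)
    return flow.step_c(session, "new-pw")


if __name__ == "__main__":
    print("vulnerable, skipping B:", skip_step_b(VulnerableReset()))
    print("hardened, skipping B:  ", skip_step_b(HardenedReset()))
    print("hardened, full path:   ", legitimate_path(HardenedReset()))
```

The design point is that the check at B has to leave a server-side trace that C consumes; a redirect chain or client-side navigation is not evidence of anything. Popping the flag in C also means a verified session cannot be replayed to reset the password twice.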

STATISTICS

A recent analysis of 100 websites produced the following statistics:

- In 36% of the websites, manual testing found fewer vulnerabilities than the automated method.

- In 17%, manual testing found vulnerabilities where automated scanning found none at all.

- In 46%, the findings of the manual testers and the automated scanning tools complemented each other.

Statistics can mislead, and the 80/20 rule does not apply here: finding 80% of the vulnerabilities is not enough if the one serious hole is among those missed.

CONCLUSION

This article has looked at the various methods used to find vulnerabilities in web application security. Both manual testing and automated tools can be used to find vulnerabilities in applications. Automated tools have their limitations, but used correctly they let organizations find a wide range of vulnerabilities while saving money and time. Manual testing is then used to extend those results to logical vulnerabilities. From there, each organization can decide on the mix of automated scanning and manual testing that delivers the most secure web application.

Van Linh