20080927 Saturday September 27, 2008

Custom Tests for Appscan

I knew this day would come. :) A reason to write your own tests because you want to test parameter tampering... :)

Custom tests are created from the Tools >> User Defined Tests menu.

Create a new test and specify:

    •  Test name
    •  Test advisory (impact, description, fix recommendation, etc.)
    •  Test severity level
    •  Test validation criteria (when is this test considered successful)

Posted by Gusius Gus in Security at 20080927 Comments[0]

Appscan Functions

Not only does AppScan run security scans on Web applications, it also scans Web Services applications. I've been evaluating the quality of testing on applications containing Flash and/or JavaScript. AppScan seems to be able to parse them to navigate the application properly. AppScan can also act as a SOAP client to test applications with custom values / data sets. This is an invaluable tool in itself.

In general, AppScan applies 3 basic steps to generate its reports:

    •  Surfing / Exploration - It acts as a front-end user traversing pages. It can send SOAP / RMI XML requests to emulate a web-service subscriber. During this part of its operation it logs any potential vulnerabilities it would want to test for. From what I can see it's primarily based upon sending invalid requests, then logging the error / warning responses from the application being tested.

    •  Analysis / Testing - The data collected from the Surfing / Exploration stage is used to conduct a series of tests via requests, and then validation rules are applied to the responses. It's not easy to work out what these validation rules are as yet. However, it is at this point that security risks are identified.

    •  Iterative Scanning - This step can be configured to repeat, using the data from the first two steps. The second step generates extra application tests which require further exploration.

The concept of templates in Appscan is effectively configuration data for the web application being tested. For example, this usually involves specifying where the WSDL is, etc.
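The three stages above (explore, test, iterate) and the four items a user-defined test needs from the earlier post (name, advisory, severity, validation criteria) can be modelled in a few dozen lines. The following is an added example, not code from the blog or from AppScan: the `mock_app` pages and their flaws, the `UserDefinedTest` shape, and the three constructed tests are all assumptions made for the illustration, and nothing touches the network. The point it shows that the post does not is how a "validation criterion" is just a predicate over (status, body), and how a link that only appears in a test-stage response is what drives the iterative round.

```python
import re
from dataclasses import dataclass
from typing import Callable
from urllib.parse import parse_qs, urlparse

def mock_app(path: str, params: dict[str, str]) -> tuple[int, str]:
    """Constructed in-memory stand-in for the application under test: pages and
    flaws are made up for the example, and nothing touches the network."""
    if path == "/":
        return 200, '<a href="/account?id=7">account</a> <a href="/admin">admin</a>'
    if path == "/admin":  # constructed: no access control at all
        return 200, "<h1>Admin Console</h1>"
    if path == "/account":
        if not params.get("id", "").isdigit():  # constructed: error page leaks a link
            return 500, 'ValueError: bad id. See <a href="/debug">debug log</a>'
        return 200, f"<h1>Account {params['id']}</h1>"
    if path == "/debug":  # constructed: only linked from the error page above
        return 200, "<pre>Traceback (most recent call last): ...</pre>"
    return 404, "not found"

@dataclass(frozen=True)
class Endpoint:
    path: str
    params: tuple[tuple[str, str], ...]  # sorted (name, value) pairs

@dataclass
class UserDefinedTest:
    """The items the post lists for a custom test, plus the request mutation
    applied before the validation rule is checked (assumed shape, not AppScan's)."""
    name: str
    severity: str
    advisory: str  # impact / description / fix recommendation
    mutate: Callable[[dict[str, str]], dict[str, str]]
    validate: Callable[[int, str], bool]  # when the test counts as successful

Finding = tuple[str, str, str]  # (test name, severity, endpoint path)
LINK_RE = re.compile(r"""href=["']([^"']+)["']""")

def links_in(body: str) -> set[Endpoint]:
    """Extract href targets from a response body as normalised Endpoints."""
    found = set()
    for href in LINK_RE.findall(body):
        url = urlparse(href)
        params = tuple(sorted((k, v[0]) for k, v in parse_qs(url.query).items()))
        found.add(Endpoint(url.path, params))
    return found

def explore(app, seeds: set[Endpoint]) -> set[Endpoint]:
    """Stage 1, exploration: follow links from the seeds until nothing new appears."""
    seen, queue = set(), list(seeds)
    while queue:
        ep = queue.pop()
        if ep in seen:
            continue
        seen.add(ep)
        _, body = app(ep.path, dict(ep.params))
        queue.extend(links_in(body) - seen)
    return seen

def run_tests(app, endpoints, tests) -> tuple[list[Finding], set[Endpoint]]:
    """Stage 2, testing: replay each endpoint with every test's mutation, apply
    the validation rule, and hand back links the responses reveal."""
    findings, revealed = [], set()
    for ep in endpoints:
        for t in tests:
            status, body = app(ep.path, t.mutate(dict(ep.params)))
            revealed |= links_in(body)
            if t.validate(status, body):
                findings.append((t.name, t.severity, ep.path))
    return findings, revealed - set(endpoints)

def scan(app, tests, max_rounds: int = 3) -> tuple[set[Endpoint], list[Finding]]:
    """Stage 3, iterative scanning: alternate explore and test while the test
    stage keeps turning up pages the crawl had not reached."""
    known, findings, seeds = set(), [], {Endpoint("/", ())}
    for _ in range(max_rounds):
        fresh = explore(app, seeds) - known
        if not fresh:
            break
        known |= fresh
        new_findings, seeds = run_tests(app, fresh, tests)
        findings.extend(new_findings)
    return known, findings

# Constructed user-defined tests in the shape the post describes.
TESTS = [
    UserDefinedTest("Parameter tampering: non-numeric value", "Medium",
                    "Server error on altered input; validate and reject it server-side.",
                    lambda p: {k: "abc" for k in p}, lambda status, body: status >= 500),
    UserDefinedTest("Unprotected administrative page", "High",
                    "Page served without authentication; enforce access control.",
                    lambda p: p, lambda status, body: status == 200
                    and re.search(r"admin console", body, re.I) is not None),
    UserDefinedTest("Stack trace disclosure", "Low",
                    "Debug output reachable in production; disable it.",
                    lambda p: p, lambda status, body: "Traceback" in body),
]

if __name__ == "__main__":
    known, findings = scan(mock_app, TESTS)
    print(f"explored {len(known)} endpoints", *sorted(findings), sep="\n")
```

Running it explores four endpoints and reports three findings. The `/debug` page is never linked from a normal page, so the first exploration round cannot see it; it only surfaces in the 500 response produced by the tampering test, which is exactly the "extra tests which require exploration" that the iterative step exists for. Swapping `mock_app` for a function that issues real requests to a system you own is the only change needed to point the same loop at something other than the constructed site.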

Posted by Gusius Gus in Security at 20080927 Comments[0]

20080925 Thursday September 25, 2008

Rational AppScan does what others can't...

Interesting product. IBM acquired it from Watchfire Corporation, a security and compliance testing software company based in Waltham, Massachusetts. It appears that AppScan provides Web application security testing and compliance management software and services that help clients evaluate, understand and resolve issues impacting their online businesses.

The product is very comprehensive in what it can provide:

    •  Established attacks and string-based manipulation of URLs to detect vulnerabilities with regard to session hijacking, login avoidance, and stray pages that don't have any security on them. This includes static AND dynamic testing.

    •  Port scanning for security holes like SQL injection

    •  A comprehensive report on all the exploits it found to work

    •  A recommendation on how to repair / patch these exploits.

Most products / suites of products on the market do not include a reporting tool that offers recommendations. I am usually skeptical of all-in-one products that claim to provide recommendations. AppScan seems to deliver what it promises.

Posted by Gusius Gus in Security at 20080925 Comments[0]

Securing Obscurity