1 00:00:06,583 --> 00:00:07,865 - [Narrator] In the discovery phase 2 00:00:07,865 --> 00:00:09,911 of web application testing, 3 00:00:09,911 --> 00:00:13,411 we're lifting each page of the application 4 00:00:14,261 --> 00:00:17,439 to uncover all vulnerabilities. 5 00:00:17,439 --> 00:00:19,130 This phase can also be performed 6 00:00:19,130 --> 00:00:21,038 using different approaches. 7 00:00:21,038 --> 00:00:23,455 Again, we can do it manually. 8 00:00:24,579 --> 00:00:26,662 We can use an automated approach. 9 00:00:26,662 --> 00:00:31,043 Or a little of both, with a hybrid-type scan. 10 00:00:31,043 --> 00:00:34,440 We can do this using an automated tool, 11 00:00:34,440 --> 00:00:36,958 or manually by browsing each and every page 12 00:00:36,958 --> 00:00:39,322 of the site or application. 13 00:00:39,322 --> 00:00:41,643 An automated scanner will take the results 14 00:00:41,643 --> 00:00:45,810 of a web spider that was done in the mapping phase. 15 00:00:47,172 --> 00:00:49,673 It will then begin to probe those results 16 00:00:49,673 --> 00:00:52,756 to identify possible vulnerabilities. 17 00:00:53,971 --> 00:00:56,333 The scanner does this by correlating 18 00:00:56,333 --> 00:00:58,963 a database of known vulnerabilities 19 00:00:58,963 --> 00:01:03,063 against the context of the application that was mapped. 20 00:01:03,063 --> 00:01:05,652 From there, we'll produce a report 21 00:01:05,652 --> 00:01:09,483 on what it suspects could be vulnerable. 22 00:01:09,483 --> 00:01:13,201 Keep in mind that these results, many times, 23 00:01:13,201 --> 00:01:14,868 are false positives, 24 00:01:15,799 --> 00:01:18,529 and all need to be validated. 25 00:01:18,529 --> 00:01:20,068 At the very least, this type of tool 26 00:01:20,068 --> 00:01:23,318 will give you an idea of where to look. 27 00:01:25,059 --> 00:01:29,520 The manual discovery process is fairly self-explanatory. 
28 00:01:29,520 --> 00:01:31,769 It is literally the manual process 29 00:01:31,769 --> 00:01:36,619 of walking through each identified page of an application, 30 00:01:36,619 --> 00:01:40,462 and looking for possible vulnerabilities. 31 00:01:40,462 --> 00:01:43,230 There are a number of automated web scanning tools 32 00:01:43,230 --> 00:01:45,711 available these days. 33 00:01:45,711 --> 00:01:48,683 Each has its merits and its flaws. 34 00:01:48,683 --> 00:01:51,444 We won't get deep into the specific features 35 00:01:51,444 --> 00:01:53,904 of these in this module; 36 00:01:53,904 --> 00:01:56,465 however, I can tell you that the best approach 37 00:01:56,465 --> 00:01:59,632 to testing is using multiple scanners. 38 00:02:00,645 --> 00:02:02,916 The reason why is that one might find 39 00:02:02,916 --> 00:02:05,594 some things that others miss. 40 00:02:05,594 --> 00:02:08,177 So, by using multiple scanners, 41 00:02:09,475 --> 00:02:13,162 we can validate the results against each other. 42 00:02:13,162 --> 00:02:14,823 From an open source perspective, 43 00:02:14,823 --> 00:02:16,955 W3AF is a good option. 44 00:02:16,955 --> 00:02:19,465 However, it's hard to compare with 45 00:02:19,465 --> 00:02:22,245 the commercial scanners that are available today. 46 00:02:22,245 --> 00:02:24,755 Here in this slide, we have a few different ones 47 00:02:24,755 --> 00:02:27,135 that we can talk about. 48 00:02:27,135 --> 00:02:29,944 Burp Suite, of course, we already mentioned. 49 00:02:29,944 --> 00:02:32,025 Here in this slide, we show a few 50 00:02:32,025 --> 00:02:34,814 of the automated scanners that are available. 51 00:02:34,814 --> 00:02:38,185 Burp Suite, of course, is an interception proxy, 52 00:02:38,185 --> 00:02:41,845 but it also has automated scanning capabilities. 
53 00:02:41,845 --> 00:02:43,914 Although they aren't as comprehensive 54 00:02:43,914 --> 00:02:47,527 as the other scanners mentioned here, 55 00:02:47,527 --> 00:02:50,372 it does have that capability available. 56 00:02:50,372 --> 00:02:52,251 As for the other three, 57 00:02:52,251 --> 00:02:55,224 they're all similar in features. 58 00:02:55,224 --> 00:02:58,685 Of course, they have additional features in some cases 59 00:02:58,685 --> 00:03:02,852 that may work better for specific types of applications. 60 00:03:03,825 --> 00:03:07,908 Most automated scanners work in a similar way. 61 00:03:07,908 --> 00:03:10,798 You provide the scanner with a starting point, 62 00:03:10,798 --> 00:03:14,477 usually the homepage of the application. 63 00:03:14,477 --> 00:03:17,138 You can choose to provide credentials 64 00:03:17,138 --> 00:03:21,305 if authentication is required for the application. 65 00:03:22,227 --> 00:03:24,627 The scanner will crawl the application 66 00:03:24,627 --> 00:03:26,769 with the permissions it has, 67 00:03:26,769 --> 00:03:30,186 mapping out all edges of the application. 68 00:03:31,178 --> 00:03:33,916 From there, it will compare the results 69 00:03:33,916 --> 00:03:37,520 against its database of known vulnerabilities. 70 00:03:37,520 --> 00:03:40,968 It will report possible vulnerabilities 71 00:03:40,968 --> 00:03:42,968 based on what was found. 72 00:03:44,117 --> 00:03:48,284 Keep in mind that many of these will be false positives. 73 00:03:49,561 --> 00:03:51,754 So we need to validate. 74 00:03:51,754 --> 00:03:55,569 Some scanners will attempt to exploit the vulnerability, 75 00:03:55,569 --> 00:03:59,294 or give you the option of exploiting manually. 76 00:03:59,294 --> 00:04:02,893 The result will be a report detailing the application 77 00:04:02,893 --> 00:04:04,893 and what is recommended. 
78 00:04:06,644 --> 00:04:08,618 An automated vulnerability scanner 79 00:04:08,618 --> 00:04:10,668 is actually just an application 80 00:04:10,668 --> 00:04:14,878 that you would run on your attack or testing machine. 81 00:04:14,878 --> 00:04:17,278 What you would do is point the scanner 82 00:04:17,278 --> 00:04:20,290 at the web server that you're evaluating. 83 00:04:20,290 --> 00:04:22,599 With an automated vulnerability scanner, 84 00:04:22,599 --> 00:04:26,359 we need to provide some information to get it started. 85 00:04:26,359 --> 00:04:30,597 So, for instance, we would give it the base URL 86 00:04:30,597 --> 00:04:31,915 that we want it to start with. 87 00:04:31,915 --> 00:04:34,165 In this case, hackazon.net. 88 00:04:36,075 --> 00:04:38,365 We normally want it to start at the root, 89 00:04:38,365 --> 00:04:41,405 so that it can analyze the whole site. 90 00:04:41,405 --> 00:04:45,345 However, depending on the size of the site, 91 00:04:45,345 --> 00:04:48,084 we can also pare things down 92 00:04:48,084 --> 00:04:51,334 and test individual sections at a time. 93 00:04:53,773 --> 00:04:54,947 We also need to tell the scanner 94 00:04:54,947 --> 00:04:56,774 which port the application 95 00:04:56,774 --> 00:04:58,924 we want to test is listening on. 96 00:04:58,924 --> 00:05:02,341 Some websites respond on port 80 or 443, 97 00:05:06,194 --> 00:05:09,932 but others might respond on totally different ports. 98 00:05:09,932 --> 00:05:14,099 So, in this case, our web server is running on port 80. 99 00:05:15,736 --> 00:05:18,514 We might also need to provide the username and password 100 00:05:18,514 --> 00:05:21,105 to authenticate to the site. 101 00:05:21,105 --> 00:05:22,594 This is another piece of information 102 00:05:22,594 --> 00:05:26,184 that we would need to provide to the web scanner, 103 00:05:26,184 --> 00:05:27,854 so that it can authenticate 104 00:05:27,854 --> 00:05:30,815 and scan all of the pages. 
105 00:05:30,815 --> 00:05:33,186 For our test site, hackazon.net, 106 00:05:33,186 --> 00:05:36,184 we won't provide authentication. 107 00:05:36,184 --> 00:05:37,494 Now, once we've given the scanner 108 00:05:37,494 --> 00:05:40,753 all of the information we need to start, 109 00:05:40,753 --> 00:05:43,285 we'll kick off the scan. 110 00:05:43,285 --> 00:05:46,686 From here, what the web scanner is going to do 111 00:05:46,686 --> 00:05:48,815 is start by crawling the website 112 00:05:48,815 --> 00:05:51,674 to map out the application. 113 00:05:51,674 --> 00:05:53,284 So, essentially, what it's doing 114 00:05:53,284 --> 00:05:57,451 is it's going to keep sending requests to the web server, 115 00:06:00,814 --> 00:06:04,897 and as the web server responds to those requests, 116 00:06:06,306 --> 00:06:10,473 the application is going to record all of the responses. 117 00:06:11,802 --> 00:06:16,011 From there, it's going to analyze the responses 118 00:06:16,011 --> 00:06:18,511 to determine where there may be vulnerabilities 119 00:06:18,511 --> 00:06:20,064 in the site. 120 00:06:20,064 --> 00:06:22,633 It does this based on a database 121 00:06:22,633 --> 00:06:26,312 of known vulnerabilities that it has. 122 00:06:26,312 --> 00:06:29,785 So, the next step that the scanner will take 123 00:06:29,785 --> 00:06:32,514 is to send attacks at those vulnerabilities 124 00:06:32,514 --> 00:06:34,597 to try and validate them. 125 00:06:35,621 --> 00:06:38,121 Again, based on the responses, 126 00:06:39,703 --> 00:06:42,673 the web scanner will record the responses 127 00:06:42,673 --> 00:06:46,163 into its database for later reporting. 128 00:06:46,163 --> 00:06:48,102 And of course, last but not least, 129 00:06:48,102 --> 00:06:51,683 the web scanner will report what it's found. 
130 00:06:51,683 --> 00:06:54,001 Normally the form of the report 131 00:06:54,001 --> 00:06:57,764 is of high, medium, and low categorization, 132 00:06:57,764 --> 00:07:01,330 but depending on the actual web scanner, 133 00:07:01,330 --> 00:07:02,663 that may differ. 134 00:07:04,791 --> 00:07:06,493 In this demo, we will show 135 00:07:06,493 --> 00:07:11,146 the Netsparker automated web vulnerability scanner. 136 00:07:11,146 --> 00:07:13,186 As we mentioned in previous slides, 137 00:07:13,186 --> 00:07:15,697 there are many commercial scanners available. 138 00:07:15,697 --> 00:07:17,377 They're all very similar, so we won't 139 00:07:17,377 --> 00:07:20,956 go into the details of how to use Netsparker. 140 00:07:20,956 --> 00:07:22,537 Our goal here is to give you an idea 141 00:07:22,537 --> 00:07:25,077 of how automated scanners work, 142 00:07:25,077 --> 00:07:26,806 so let's jump into it. 143 00:07:26,806 --> 00:07:30,376 First we start up our web scanner tool, 144 00:07:30,376 --> 00:07:33,054 in this case Netsparker. 145 00:07:33,054 --> 00:07:35,417 This specific one runs on Windows. 146 00:07:35,417 --> 00:07:38,917 There are others that run on multiple operating systems. 147 00:07:38,917 --> 00:07:42,436 The first thing the scanner needs, is a target. 148 00:07:42,436 --> 00:07:46,603 To do this, we click on the Start New Scan button. 149 00:07:47,827 --> 00:07:51,994 Here we type in our target, which is hackazon.net. 150 00:07:53,814 --> 00:07:57,246 All scanners have a way to set specific options 151 00:07:57,246 --> 00:07:58,329 for the scan. 152 00:07:59,196 --> 00:08:03,363 For instance, if we click on the Scan Policy Editor button, 153 00:08:04,734 --> 00:08:08,043 we can see all the different options. 154 00:08:08,043 --> 00:08:10,676 We can choose to scan for specific defects, 155 00:08:10,676 --> 00:08:12,593 or scan for everything. 156 00:08:14,108 --> 00:08:18,137 For this scan, we'll take the default security checks. 
157 00:08:18,137 --> 00:08:22,875 Another important configuration option is authentication. 158 00:08:22,875 --> 00:08:24,936 If your site requires authentication 159 00:08:24,936 --> 00:08:27,018 to view any of the pages, then 160 00:08:27,018 --> 00:08:31,185 you want to run the scan with specific credentials. 161 00:08:32,297 --> 00:08:35,587 Most sites have different levels of authorization, 162 00:08:35,587 --> 00:08:39,296 for instance, user or admin type roles. 163 00:08:39,296 --> 00:08:42,075 For testing this, you want to run a scanner 164 00:08:42,075 --> 00:08:43,874 as an administrator, 165 00:08:43,874 --> 00:08:46,915 then run it again as a normal user. 166 00:08:46,915 --> 00:08:49,556 Then compare the results. 167 00:08:49,556 --> 00:08:53,723 For hackazon.net, we will just run a non-credentialed scan. 168 00:08:54,788 --> 00:08:57,625 If we click on the arrow next to Start Scan, 169 00:08:57,625 --> 00:09:00,107 we see there are a few different options. 170 00:09:00,107 --> 00:09:02,157 We can, of course, Start the Scan. 171 00:09:02,157 --> 00:09:06,804 This would crawl the site and attack at the same time. 172 00:09:06,804 --> 00:09:08,814 We can select Crawl and Wait, 173 00:09:08,814 --> 00:09:11,876 meaning the scanner will just map out the site for us. 174 00:09:11,876 --> 00:09:14,377 It won't perform any attacks. 175 00:09:14,377 --> 00:09:16,455 We can also do a manual crawl. 176 00:09:16,455 --> 00:09:19,797 This is like using an interception proxy. 177 00:09:19,797 --> 00:09:22,935 We would use our browser to crawl the site manually, 178 00:09:22,935 --> 00:09:25,554 telling the scanner where to look. 179 00:09:25,554 --> 00:09:27,547 We can also tell the scanner to attack 180 00:09:27,547 --> 00:09:31,464 an imported list of links from another crawler. 181 00:09:33,086 --> 00:09:34,494 Those are all typical options 182 00:09:34,494 --> 00:09:36,954 that are in most automated scanners. 
183 00:09:36,954 --> 00:09:39,704 So, let's kick that scan off now. 184 00:09:40,937 --> 00:09:42,693 While the scan is running, 185 00:09:42,693 --> 00:09:45,397 we can see the results come in. 186 00:09:45,397 --> 00:09:48,286 Depending on the size of the site, 187 00:09:48,286 --> 00:09:51,537 the scan could take from minutes to days. 188 00:09:51,537 --> 00:09:53,846 So, for the purpose of this demo, 189 00:09:53,846 --> 00:09:56,957 what we'll do is pause the recording 190 00:09:56,957 --> 00:09:59,457 and skip to the finished scan. 191 00:10:00,725 --> 00:10:03,466 Now let's take a look at the results. 192 00:10:03,466 --> 00:10:05,086 Netsparker does a great job 193 00:10:05,086 --> 00:10:08,627 of showing us clearly how many defects it found, 194 00:10:08,627 --> 00:10:10,615 and the severity. 195 00:10:10,615 --> 00:10:12,932 The scanners really just give you an indication 196 00:10:12,932 --> 00:10:15,801 of where there might be an issue. 197 00:10:15,801 --> 00:10:18,352 It's up to you to validate them. 198 00:10:18,352 --> 00:10:20,051 Some scanners give you the ability 199 00:10:20,051 --> 00:10:24,092 to do the validation inside the application. 200 00:10:24,092 --> 00:10:25,232 So let's take a look at the results 201 00:10:25,232 --> 00:10:27,065 of this specific scan. 202 00:10:28,239 --> 00:10:30,792 One of the first ones we see here, on the left, 203 00:10:30,792 --> 00:10:34,222 is an outdated version of Apache. 204 00:10:34,222 --> 00:10:36,312 If we click on it, we can get the details 205 00:10:36,312 --> 00:10:40,139 of any vulnerabilities that may apply. 206 00:10:40,139 --> 00:10:41,924 This one is easy to validate. 207 00:10:41,924 --> 00:10:43,415 We just need to verify that 208 00:10:43,415 --> 00:10:46,065 the version of Apache is correct. 209 00:10:46,065 --> 00:10:48,846 We can actually look back at our results 210 00:10:48,846 --> 00:10:52,763 from the Nikto scan to see that it matches up. 
211 00:10:54,525 --> 00:10:57,735 Let's take a look at another vulnerability that was found. 212 00:10:57,735 --> 00:11:01,574 This one is suspected cross-site request forgery. 213 00:11:01,574 --> 00:11:04,803 If we click on the Request and Response tab, 214 00:11:04,803 --> 00:11:08,204 we can see that there is a field highlighted. 215 00:11:08,204 --> 00:11:09,882 This is the field where the scanner suspects 216 00:11:09,882 --> 00:11:13,382 there might be cross-site request forgery. 217 00:11:14,617 --> 00:11:17,484 From here, I would normally take this request 218 00:11:17,484 --> 00:11:20,134 and replicate it in Burp Suite 219 00:11:20,134 --> 00:11:23,774 to validate that it really is CSRF. 220 00:11:23,774 --> 00:11:25,396 The main use for automated scanners 221 00:11:25,396 --> 00:11:30,142 is to identify the areas where we should look deeper. 222 00:11:30,142 --> 00:11:34,024 It usually catches the low-hanging fruit as well, 223 00:11:34,024 --> 00:11:38,191 like basic authentication, outdated versions, etc. 224 00:11:39,097 --> 00:11:41,564 Most of your work will be sifting through 225 00:11:41,564 --> 00:11:44,413 the results of the scans. 226 00:11:44,413 --> 00:11:48,704 You can also export the results into a report format. 227 00:11:48,704 --> 00:11:50,074 This is another feature that 228 00:11:50,074 --> 00:11:52,824 is common to automated scanners.