Hack maliciously to boost your software's security


Kevin Beaver, CISSP
05.28.2009




Everyone claims to know the "right way" to go about testing the security of Web applications. "Perform an external scan," the auditors recommend. "Just use our vulnerability scanner," the vendors proclaim. "Do a peer review of the source code," the quality assurance (QA) analysts declare. And then there are the government, industry regulatory, and standards bodies who believe they know what it takes to secure an app. Regardless, it's their way or the highway. Ha!

All else being equal, unrelenting, almost aggressive testing that mimics a malicious attacker is the best way to uncover Web security holes. In this tip, we'll cover why you must literally go through your Web systems and throw everything you possibly can at them. It will get you started on using malicious manipulation to boost security. In forthcoming tips, I'll show how to do malicious hacking in various software development and testing scenarios.

There's a lot of information available on uncovering Web application flaws, but no obvious place to start. So how can you, the security admin, developer or IT manager, filter through the noise and distill exactly what needs to be done to find the Web flaws that count? Let me be clear: it's simple. There is no one best way to go about it. As lawyers and consultants like to say, "it all depends." It depends on the type of business you're in and the regulations you fall under. It also depends on what type of Web presence you have and how sensitive information is processed, stored or otherwise passed through your system. It depends on how much management supports your efforts and, frankly, how much money you have to spend.

Every organization and every Web application is different. Ironically, this is one of the things that management misunderstands the most. Web security testing is not a black-and-white science. It's just as much an art, and one that requires good tools, creativity and a confident security assessor.

Picking the single most important thing for uncovering the obvious and not-so-obvious Web vulnerabilities is pretty easy, and I'll get to it in a moment. Part of the job still requires Web vulnerability scanners such as WebInspect, Acunetix WVS and N-Stalker. No matter how good you are with Web apps and security, there's no replacing the volume and variety of requests that tools like these can throw at an application. They can mimic attack traffic at a scale no human possibly could.

Don't let me steer you in the wrong direction, though. Based on my experience testing Web applications over the years, the ability to poke, prod and control an application the way an attacker with ill-gotten gains in mind would is the key to making things happen. It's required if you're going to find the flaws that really matter. At the heart of this is manipulation, which is often a matter of just the right poking and prodding to see how far the application trusts you and what it spits back. This rarely requires special "hax0r skillz". It's merely a matter of understanding how Web applications work and thinking of creative ways to throw just the right jabs to force them into submission.

Many, many times I've tested Web applications with automated scanners, only to realize I wasn't even halfway home. Beyond the scanning phase, I've seen situations such as creative URL manipulation, weak passwords or sensitive files stored in download folders turn two- to three-day Web security "reviews" into week-plus analyses bordering on data breach situations. All because of some basic hacking, meaning manipulation, of these applications that would've gone undiscovered otherwise.
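The "creative URL manipulation" mentioned above is the kind of flaw a scanner tends to miss because every response it gets back is well-formed: the application simply trusts the object identifier in the query string. The following is an added example, not code from the original tip or from any of the scanners named in it. It is a constructed, in-memory stand-in for a /invoice?id=N endpoint (the invoice data, the user names and the function names are all assumptions made for the illustration) so that it runs offline. The vulnerable handler and its hardened form sit side by side, and a small probe does the manual "change the id and see what comes back" step in a loop. In a real engagement the same loop would drive an HTTP client against the target with a low-privilege session cookie.

```python
"""Parameter-tampering (insecure direct object reference) probe against a
constructed, in-memory web handler.

The 'application' is a plain Python function that mimics a /invoice?id=N
endpoint, so everything here runs offline. Status codes and bodies are
returned as a (status, body) tuple instead of over HTTP.
"""
from urllib.parse import urlparse, parse_qs

# Constructed data: three customers' invoices, keyed by invoice id.
INVOICES = {
    1001: {"owner": "alice", "total": "$120.00"},
    1002: {"owner": "bob",   "total": "$9,875.00"},
    1003: {"owner": "carol", "total": "$42.10"},
}


def _invoice_id_from(url):
    """Pull the integer id out of the query string; None if absent/garbage."""
    qs = parse_qs(urlparse(url).query)
    try:
        return int(qs.get("id", [""])[0])
    except ValueError:
        return None


def vulnerable_app(url, session_user):
    """Looks up the invoice by the id in the URL and trusts that the
    authenticated caller only asks for their own. Every response is valid,
    so a scanner fuzzing for XSS or SQL injection sees nothing wrong."""
    inv_id = _invoice_id_from(url)
    if inv_id is None:
        return 400, "bad id"
    inv = INVOICES.get(inv_id)
    if inv is None:
        return 404, "not found"
    return 200, f"Invoice {inv_id} for {inv['owner']}: {inv['total']}"


def hardened_app(url, session_user):
    """Same endpoint, but the lookup is scoped to the authenticated user.
    A guessed id that belongs to someone else yields 404 rather than 403,
    so the probe cannot even confirm that the id exists."""
    inv_id = _invoice_id_from(url)
    if inv_id is None:
        return 400, "bad id"
    inv = INVOICES.get(inv_id)
    if inv is None or inv["owner"] != session_user:
        return 404, "not found"
    return 200, f"Invoice {inv_id} for {inv['owner']}: {inv['total']}"


def probe_idor(app, session_user, known_id, spread=5):
    """The manual-manipulation step, automated: starting from an id the
    tester legitimately owns, walk the neighbouring ids and record every
    200 whose body names a different owner. Returns the leaked ids."""
    leaked = []
    for candidate in range(known_id - spread, known_id + spread + 1):
        status, body = app(f"/invoice?id={candidate}", session_user)
        if status == 200 and f"for {session_user}:" not in body:
            leaked.append(candidate)
    return leaked


if __name__ == "__main__":
    # alice legitimately owns 1001; see what else she can read.
    print("vulnerable:", probe_idor(vulnerable_app, "alice", 1001))
    print("hardened:  ", probe_idor(hardened_app, "alice", 1001))
```

The probe starts from an id the tester already owns and walks outward, which is exactly what a curious user does in a browser address bar; the only difference is that the loop keeps notes. The hardening is the ownership check inside the lookup, not input validation: the id was already a well-formed integer in the vulnerable version.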

I can't stress enough the value of in-depth ethical hacking of your Web applications. There's no replacement for manual manipulation: just you and your Web browser. Get past the one-scan-fits-all mindset. It's dangerous, and it'll come back to bite you if you rely on just the basics to get by.


About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic, LLC. He has over 20 years experience in the industry and specializes in performing independent information security assessments revolving around compliance and information risk management. Kevin has authored/co-authored seven books on information security including the ethical hacking books, Hacking for Dummies and Hacking Wireless Networks for Dummies (Wiley). He's also the creator of the Security On Wheels IT security audio books.


Copyright 2006 - 2009, TechTarget