Untangling Web app security
- 03 September, 2003 11:37
With the increased use of Web applications, businesses have had to peel back a layer of their perimeter defences and give public network traffic access to internal applications. The result is a rise in application-layer security problems, and a greater need to audit and thoroughly check publicly facing code for potential vulnerabilities. Unfortunately, security expertise is in short supply.
WebInspect 3.0 from SPI Dynamics aims to fill that gap by automating the tasks necessary to perform security audits. WebInspect is a remote assessment tool, meaning that it performs its audits solely by means of the same HTTP calls to which an attacker would have access. Administrators can add custom checks to find problems that are specific to a particular application.
Setting WebInspect apart from similar tools available on the Internet is SecureBase, a database of more than 3600 known security vulnerabilities and misconfiguration problems. This database is the heart of the WebInspect audit process. SecureBase is continually updated with new vulnerabilities. The tool updates its local copy of the database over the Internet as needed.
Overall, WebInspect gives organisations a simple, useful tool for building and operating secure Web services. The tool is easy to use and provides valuable feedback on Web-based system security. The information it presents on potential security problems is detailed, revealing not only which vulnerabilities exist but also how they work and how to protect against them.
Cataloguing the site
Beginners need to remember, however, that the tool needs to be tuned against the system it’s inspecting so that the information it returns is targeted and accurate. Setting up WebInspect is simple with the installation wizard. Running the tool entails just selecting the Scan Wizard and entering the URL of the system to be tested.
The tool works in two phases: it first catalogues the site by crawling it, then tests each discovered page and input for the vulnerabilities in its database, choosing which tests to run on the basis of the site’s structure. For small sites, this happens fairly quickly, but large sites can take many hours to assess.
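The two-phase model described above, catalogue then test, reduced to a few dozen lines. This is an added illustration, not code from WebInspect or SPI Dynamics: the target site (the host `target.example`, its four handlers and the `fetch` function) is constructed so the scan runs offline, and only one check is implemented (a marker sent in every discovered parameter and looked for, unencoded, in the reply) where the real product runs a database of them. The `delay` argument is the throttle a scanner needs before it is pointed at a production system.

```python
"""Two-phase web scan: catalogue first, then test what the catalogue found."""
import html
import time
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urljoin, urlparse, urlsplit

BASE = "http://target.example/"          # hypothetical host

# --- constructed target site: handlers stand in for an HTTP server ----------
def _index(params):
    return ('<html><a href="/about.html">About</a>'
            '<form action="/search" method="get"><input name="q"></form>'
            '<a href="/lookup?id=1">Lookup</a></html>')

def _about(params):
    return '<html>About us. <a href="/">Home</a></html>'

def _search(params):                      # reflects q without encoding (the bug)
    return "<html>Results for %s</html>" % params.get("q", [""])[0]

def _lookup(params):                      # reflects id HTML-encoded (safe)
    return "<html>Record %s</html>" % html.escape(params.get("id", [""])[0])

SITE = {"/": _index, "/about.html": _about, "/search": _search, "/lookup": _lookup}

def fetch(url):
    """Simulated HTTP GET: returns (status, body) from the dict above."""
    parts = urlsplit(url)
    handler = SITE.get(parts.path or "/")
    if handler is None:
        return 404, "<html>Not found</html>"
    return 200, handler(parse_qs(parts.query))

# --- phase 1: catalogue the site ---------------------------------------------
class _LinkForm(HTMLParser):
    """Collects hrefs and (form action, input names) pairs from one page."""
    def __init__(self):
        super().__init__()
        self.links, self.forms, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = (a.get("action", ""), [])
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form[1].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None

def crawl(start, delay=0.0, limit=500):
    """Walk same-host links and forms; return {path: set(parameter names)}."""
    host = urlparse(start).netloc
    catalogue, queue, seen = {}, [start], set()
    while queue and len(seen) < limit:
        url = queue.pop(0)
        path = urlsplit(url).path or "/"
        if path in seen:
            continue
        seen.add(path)
        time.sleep(delay)                 # throttle: the "aggressiveness" knob
        status, body = fetch(url)
        if status != 200:
            continue
        params = catalogue.setdefault(path, set())
        params.update(parse_qs(urlsplit(url).query))   # names seen in query strings
        page = _LinkForm()
        page.feed(body)
        for href in page.links:
            target = urljoin(url, href)
            if urlparse(target).netloc == host:
                queue.append(target)
        for action, names in page.forms:             # names seen in form inputs
            target = urljoin(url, action)
            if urlparse(target).netloc == host:
                catalogue.setdefault(urlsplit(target).path, set()).update(names)
                queue.append(target)
    return catalogue

# --- phase 2: test every input the catalogue found ---------------------------
MARKER = "wi<\"'>probe"                  # benign marker carrying HTML/attribute metacharacters

def check_reflection(catalogue, base=BASE, delay=0.0):
    """Send the marker in each parameter; report where it comes back unencoded."""
    findings = []
    for path, names in sorted(catalogue.items()):
        for name in sorted(names):
            time.sleep(delay)
            status, body = fetch(urljoin(base, path) + "?" + urlencode({name: MARKER}))
            if status == 200 and MARKER in body:
                findings.append((path, name))
    return findings

def scan(base=BASE, delay=0.0):
    catalogue = crawl(base, delay)
    return catalogue, check_reflection(catalogue, base, delay)

if __name__ == "__main__":
    cat, found = scan()
    for p, names in sorted(cat.items()):
        print(p, sorted(names))
    print("reflected unencoded:", found)
```

Only `/search` is reported: `/lookup` reflects its parameter too, but HTML-encoded, which is exactly the distinction a check has to make to avoid the false positives discussed later in the review. The reflection check is deliberately narrow; a check database is what turns this skeleton into an audit.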
The user interface is intuitive and easy to use. As a security scan progresses, the three panes show important information WebInspect is finding. The Site pane displays the results of the scan, building an explorer tree of the Web site. The Summary pane displays alerts on the vulnerabilities that WebInspect has found so far, along with general information about the Web site. The Information pane displays details on whatever is selected in the Site or Summary pane.
When an alert is selected, the Information pane provides a detailed description of the vulnerability, how it is exploited, and known fixes. Other panels in the Information pane allow the HTTP request and response to be explored, as well as showing a browser window with the result of the test request.
Once the scan is done, WebInspect produces several PDF reports ranging from detailed to executive summaries. A detailed report lists each suspect vulnerability in the system, along with in-depth information on how the attack works and how to guard against it. The reports can be customised with specific logos and other cover-page information.
When people discuss Web services security, most of the discussion quickly turns to encryption and authentication. Most never stop to think that the biggest threat to security is the Web service itself. Many Web services expose the API of a legacy application, one that was never designed to run on anything but a trusted network.
To address this issue, another option in the Scan Wizard takes the URL of a WSDL file and tests the Web service described therein for security problems. WebInspect reads the WSDL file and performs a number of automatic audits, such as assessments of input and output parameters, the effects of malformed data, and common SOAP attacks, including some that allow arbitrary command execution.
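What a WSDL-driven audit does mechanically, as an added example rather than SPI Dynamics' code: read the operations and typed parameters out of the WSDL, build a SOAP request per operation, substitute malformed data into one parameter at a time, and inspect each reply. The WSDL for the `GetOrder` operation, the `fake_service` endpoint and its leaked `NumberFormatException` are all constructed for the example; the endpoint imitates the legacy-backend habit of returning raw exception text in a SOAP Fault, which is the kind of finding a scanner can detect without any knowledge of the application behind the service.

```python
"""WSDL-driven SOAP probe: enumerate operations, send malformed data, read faults."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

WSDL_NS = "{http://schemas.xmlsoap.org/wsdl/}"
SOAP_ENV = "{http://schemas.xmlsoap.org/soap/envelope/}"

# Constructed WSDL for a hypothetical RPC-style orders service.
WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:tns="urn:orders" targetNamespace="urn:orders">
  <message name="GetOrderRequest">
    <part name="orderId" type="xsd:int"/>
    <part name="customer" type="xsd:string"/>
  </message>
  <message name="GetOrderResponse"><part name="status" type="xsd:string"/></message>
  <portType name="OrdersPort">
    <operation name="GetOrder">
      <input message="tns:GetOrderRequest"/>
      <output message="tns:GetOrderResponse"/>
    </operation>
  </portType>
</definitions>"""

def parse_wsdl(text):
    """Return (target namespace, [(operation, [(param, xsd type), ...]), ...])."""
    root = ET.fromstring(text)
    messages = {
        m.get("name"): [(p.get("name"), p.get("type").split(":")[-1])
                        for p in m.findall(WSDL_NS + "part")]
        for m in root.findall(WSDL_NS + "message")
    }
    ops = []
    for op in root.findall(WSDL_NS + "portType/" + WSDL_NS + "operation"):
        msg = op.find(WSDL_NS + "input").get("message").split(":")[-1]
        ops.append((op.get("name"), messages[msg]))
    return root.get("targetNamespace"), ops

def build_envelope(ns, op, values):
    """SOAP 1.1 envelope calling `op` with the given parameter values."""
    env = ET.Element(SOAP_ENV + "Envelope")
    call = ET.SubElement(ET.SubElement(env, SOAP_ENV + "Body"), "{%s}%s" % (ns, op))
    for name, value in values.items():
        ET.SubElement(call, name).text = value      # ET escapes XML metacharacters
    return ET.tostring(env, encoding="unicode")

BASELINE = {"int": "1", "string": "alice"}          # well-formed value per type
PROBES = {                                          # malformed data per type
    "int": ["0", "-1", "2147483648", "abc"],         # boundaries, then type confusion
    "string": ["A" * 8192, "wi<\"'>probe"],          # oversized, then metacharacters
}
# Signatures of a reply that leaks internals: an exception name or a Java stack frame.
VERBOSE_ERROR = re.compile(r"\w+Exception\b|\bat [\w.$]+\([\w$]+\.java:\d+\)")

def audit(wsdl_text, send):
    """Probe every parameter of every operation; `send` posts an envelope and
    returns the reply.  Returns [(operation, parameter, probe)] that disclosed detail."""
    ns, ops = parse_wsdl(wsdl_text)
    findings = []
    for op, params in ops:
        for name, xsd_type in params:
            for probe in PROBES.get(xsd_type, []):
                values = {n: BASELINE.get(t, "") for n, t in params}
                values[name] = probe                # one malformed field per request
                if VERBOSE_ERROR.search(send(build_envelope(ns, op, values))):
                    findings.append((op, name, probe))
    return findings

# --- constructed endpoint standing in for the real service ------------------
def _fault(detail):
    return ("<Envelope><Body><Fault><faultcode>Server</faultcode><faultstring>%s"
            "</faultstring></Fault></Body></Envelope>" % escape(detail))

def fake_service(envelope_xml):
    call = ET.fromstring(envelope_xml).find(SOAP_ENV + "Body")[0]
    params = {child.tag: child.text or "" for child in call}
    if len(params.get("customer", "")) > 4096:
        return _fault("request rejected")           # handled cleanly: nothing leaks
    try:
        order_id = int(params.get("orderId", ""))
    except ValueError as exc:                       # legacy habit: exception text to the client
        return _fault("java.lang.NumberFormatException: %s\n\tat "
                      "com.example.orders.OrderDao.load(OrderDao.java:42)" % exc)
    return ("<Envelope><Body><GetOrderResponse><status>order %d ok</status>"
            "</GetOrderResponse></Body></Envelope>" % order_id)

if __name__ == "__main__":
    for finding in audit(WSDL, fake_service):
        print("verbose error disclosure:", finding)
```

The oversized `customer` value is rejected without a finding because the endpoint fails cleanly; the non-numeric `orderId` is reported because the fault string carries a class name and a source line. To point this at a real service, replace `fake_service` with a function that POSTs the envelope over HTTP with a `SOAPAction` header and returns the body; the WSDL parsing and probe generation stay the same.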
WebInspect is aimed at four audiences. The first line of defence is the developers themselves. By customising WebInspect and training developers in its use, a security expert can provide the development staff with a tool for testing their applications for security vulnerabilities.
The second audience is the quality assurance team, which can use WebInspect to test a preproduction application before it is rolled out.
Accuracy requires expertise
The third audience is the operations group, which can use WebInspect in scheduled security audits of production code. The tool provides some specific features for use as an operational audit tool, including the capability of running autonomously and of scaling back the tests’ aggressiveness to prevent overwhelming the system being audited.
The final audience is security auditors who are called upon to verify the security of the company’s networks and IT systems. Security auditors often overlook important problems because they lack a developer’s knowledge of the application. A tool such as WebInspect catalogues the components and layout of the Web application, giving the security auditor a peek under the covers.
As it should, WebInspect reports security vulnerabilities that might be present even when it can’t determine conclusively that they exist. An up-to-date vulnerability database such as SecureBase helps reduce the number of these false positives, but it can’t eliminate them altogether, so every reported finding still needs to be confirmed by someone who understands the application. WebInspect is not a replacement for a real understanding of Web application security. Even so, as a tool for codifying and applying that knowledge, WebInspect provides real value to the overworked security expert who needs to spread the responsibility for Web application security to development, testing and operations staff. Companies interested in securing their Web applications should require the use of WebInspect in their development activities and consider periodic audits of their production servers as well.
I loaded WebInspect on an IBM ThinkPad laptop (with an Intel Pentium III processor and 256MB of RAM) running Windows XP. I had to update XP to Service Pack 1 for WebInspect to run. The key file, which is delivered separately, is dropped into the program’s main directory. The program requires little additional configuration to get started.
Getting started with WebInspect is easy: After installing it, I selected the Scan Wizard and inputted the URL of the Web site that I wanted the program to inspect. There are some options, but the defaults work well. From there, the scan progresses automatically; it can be controlled using VCR-like controls for pausing, stopping, and replaying the scan.
I tested WebInspect against a large system that SPI Dynamics maintains for that purpose and ran scans against several Web sites that I maintain. Be warned: The tool can be quite aggressive, and shouldn’t be used against production systems without throttling it back and running pilot tests. I also ran it against a test SOAP service that I deployed for this review.
The standard licence key contains the name of the person to whom it is licensed and a range of IP addresses on which the product can be run. SPI Dynamics uses these to restrict the usability of the product in case it should get into the wild.