15

I'm a developer, not a security guru. My primary focus is ensuring that I'm not introducing security holes through bad programming. I understand how to code to protect against the OWASP Top 10, as well as other vulnerabilities, but I know enough to know that I don't know enough. I'd like to add some additional testing to our process to scan for vulnerabilities throughout the development process.

We already do threat modeling throughout the project, as well as code reviews on all code changes going into production.

Also, as a part of our release process, we have penetration tests ran against our sites in our staging environment before releasing to live, and also in live once it's released. However, I'm not confident that our penetration testing tools are adequate. Also, the penetration tests are costly, and can only be done every so often. I'd really like for our team to perform them throughout the entire development process. (It's a lot cheaper to fix holes early on than later on in the project.)

I'm aware of tools like Havij that are used by cybercriminals, and I'm aware of how easy they make attacking sites with vulnerabilities for even non-technical people. I'd love to be able to use the same tools to test our own web sited in our test, then staging, then production environment. (Why should the bad guys have all the good tools?) But I'm not willing to go to the "shady" sites or newsgroups do download the tools. I wouldn't even know where to look. Even if I did know where to look, our network Admins would never allow us to get those tools from an untrusted source.

Is there a legitimate, trusted place where such tools can be downloaded or purchased for such white-hat purposes? I'm perfectly willing to try to get upper management to pay for membership in white hat groups that might provide these tools, and even better, training, so I'm not necessarily looking for free. I'm just looking for legal and legitimate sources.

David Stratton
  • 2,646
  • 2
  • 20
  • 36

4 Answers4

15

I'd like to point you to open source tools that we use in pen-testing web applications:

  • Arachni, already mentioned in a previous answer.
  • w3af, one of the most famous free open source scanners. This one is written in python and have a consistent UI (GUI and CLI). The project is sponsored by Rapid7, owners of Metasploit and NeXpose
  • Skipfish, a fire and forget command line scanner which excels at crawling and forced browsing, produces fancy HTML reports
  • OWASP Zed Attack Proxy, the defacto open source web attack proxy. ZAP has an API and integrates code and features of other reference tools like JBroFuzz and DirBuster. It is more suited for semi-automated testing

The following open source tools can help exploiting SQL injection (SQLi) and Cross Site Scripting (XSS) vulnerabilities:

  • SQLmap: this CLI python tool is ideal to exploit SQL injection flaws, i.e. dump the database, execute SQL commands and even compromise the back-end database's Operating System. It is similar in purpose to Havij and often used in the wild by script kiddies to exploit vulnerable targets
  • BeEF: the perfect tool to demonstrate the risk of XSS flaws, its new shiny Ruby on Rails web interface allows you to leverage XSS vulnerabilities in order to command victim browsers

There are a lot of commercial tools in the web vulnerability scanning market with prices ranging from a couple hundreds dollars to tens of thousands of dollars. These can get you better results than open source ones and can combine features of open source scanning and exploitation tools. However, you'll always need that chair and blood penetration tester to try and break the logic of the application, something a tool, no matter how much it's worth, can never do.

Maciej Piechotka
  • 125
  • 5
lisa17
  • 1,958
  • 7
  • 21
  • 43
8

Good answer from Chris Frazier, although I wouldn't personally recommend the CEH. Perhaps I took the test way too long ago, but didn't feel it covers anything close to what a penetration tester or a security-aware developer actually needs.

Perhaps I'm going to give you a slightly unorthodox answer, but it sounds to me like you're already doing quite an amazing job, and the fact that you're still worried alone just shows how much security-awareness there is in your organization. That already puts you in far better position than many other applications I've come across, where security is usually an oversight.

That being said, you shouldn't just relax and think everything is safe (which I doubt you would anyway). There are always things you can do to improve your security. Chris Mentioned some of those. I would also recommend looking at tools that can help with static or dynamic code analysis. There are several commercial vendors in this space with fairly good reputation. Sadly, the open-source alternatives usually lag behind in this particular area.

If you are really serious about plugging in some automated tools, I would suggest having a look at Arachni. There are many web application scanners, but this is probably one of the few that is pretty much built from the ground-up with an API. This probably makes it a prime candidate to integrate with your development / release / continuous-integration process. It doesn't mean it's necessarily better or the only tool you should count on, but at least it should be easy (or easier) to integrate with.

Otherwise, always try to expand your knowledge, read more, check out the questions and tools mentioned here, and try to make sure your entire team is aware of those security issues. I would also recommend spending time with your penetration testers when they do come in to do a scan. There are always some new tricks you can pick up this way.

Yoav Aner
  • 5,299
  • 3
  • 24
  • 37
  • Accepting this answer because even though it's not exactly what I asked Arachni looks like a nice tool to add to our arsenal. Thank you!!! – David Stratton Apr 04 '12 at 02:24
  • Thanks. Don't overlook the code analysis tools, they could potentially discover more than many web-based scanners. Good pointers from @D.W. about the SDLC. I assumed you are aware of those since you mentioned doing threat modelling already. – Yoav Aner Apr 04 '12 at 07:56
  • Links are updated to these: https://github.com/Arachni/arachni and http://www.arachni-scanner.com/ – Yannis Dran Sep 26 '16 at 11:01
8

No. You should not use tools like Zeus or Havij, or other black-hat tools, to assess the security of your site. Zeus isn't designed for vulnerability assessment; they're designed for placing a backdoor once you're in. In general, my experience is that the black-hats don't have better vulnerability assessment tools than white-hat penetration testing and vulnerability assessment services. Moreover, it is dangerous to use software written by the blackhat community; you may find yourself with a self-inflicted Trojan.

Instead, if you'd like to look at how your organization can do more, I'd start researching how you can integrate security into the software development lifecycle. Microsoft has some great resources on this.

D.W.
  • 98,420
  • 30
  • 267
  • 572
  • Microsoft does, indeed, provide excellent resources. We use several of the tools that Microsoft provides, and our development life-cycle is patterned off their SDLC. We are constantly adding refinements, but in essence, we took their recommendations, those of OWASP, and use what we can feasibly use with our small team and limited budget. From what I understand of Havij, however, it is designed specifically to root out potential SQL Injection flaws. Our goal is to find the flaws that our existing tools, code reviews, and penetration tests may miss. But thank you for your response. – David Stratton Apr 04 '12 at 02:07
  • At any rate, the reason I'm interested is that using real tools to attempt to infect/exploit our test/staging environment is exactly the type of testing we want to add to our existing arsenal. I think Zeus was a bad example, but Havij, which lets you plug in a website url and then does all the hard work for you is exactly the type of testing we want to perform on our test environment, where it can do no harm, before publishing code changes to our live environment. We'd much rather try to break our test environment, where no real customer data is at risk. – David Stratton Apr 04 '12 at 02:16
  • @DavidStratton, I think the question you should ask is: What are the best tools for penetration testing and vulnerability assessment? There's a *lot* on that question on this site. But don't glamorize tools used by the bad guys; they're not somehow magically better. Instead, you should be judging pentesting tools on their own merits. – D.W. Apr 04 '12 at 02:41
  • Fair point. Thank you, again, and it's too bad I could only accept one answer. I truly appreciated your advice on improving the development lifecycle, and your point about a self-inflicted Trojan is spot-on. Thank you again! – David Stratton Apr 04 '12 at 03:34
7

I think your a little confused over some of the tools, for example Zeus is a trojan and not used for general website pen testing.

But regardless, there is no magic toolkit you can use for web site assessment. Because of the dynamic nature of web development it really does take a human presence to analyze and find most vulnerabilities. Relying solely on a set of tools will set you up for failure. These tools are often out of date and not complex enough for your requirements.

Sure, I could download/create a program that scans for a specific web vulnerability and run it against 1000's of sites hoping for a hit, but for targeted attacks you need to keep the human factor involved.

That being said I think your best bet would be to start with some training courses in the security world. For example the CEH certification covers web application hacking at a high level and included with the course is a huge toolkit of exploit tools.

I still say your best bet is using a trained penetration tester that can identify and communicate the vulnerabilities effectively. This way your devs will learn from their mistakes and everyone wins.

Chris Frazier
  • 795
  • 5
  • 6
  • Thank you for the response. As I said, I wouldn't be relying solely on these tools. I view them as an additional layer of testing on top of what we're already doing. I agree a trained penetration tester would be best. Convincing management of the need for one on top of the other pen testing we're doing with a third party is a bit of a challenge, however. I also realize that these aren't pen test tools. My goal is to see how our web apps stand up against real attack tools that are being used in the wild as opposed to the tools we already have. +1 for a good response. – David Stratton Apr 03 '12 at 17:48