Sunday, March 8, 2009

Building our own Web App Scanner - First Time

Hi all, I decided to create this blog mainly to share knowledge with, and get knowledge from, the community. I started developing my own Web Application Security Scanner tool 3 months ago. Basically, this new tool will try to be the Next Generation Web App Scanner.

I have been working with the main and best-known Web App scanners, and I think there is no tool nowadays that is able to cover the 3 most important roles in this kind of effort:

1. Business
2. Developers
3. Testers

Basically, I will be talking about WebInspect, Acunetix and Watchguard, which are the tools I know and the ones that inspired me to create my own.

Some tools focus on Business by delivering good security compliance reports; others focus on Testers by providing a good interface to reproduce vulnerabilities so that testers can weed out false positives; and, by the way, nobody takes care of developers. I think this last team needs to understand how to reproduce a vuln so that it can try to fix it, right? The problem is that these tools give you the URL and the injected parameter that found the bug, but what about the flow to follow to get to the POST request where the parameter is injected? I mean, maybe you need to authenticate and then click on the 5th checkbox, which displays a new window where you need to select the "Save" button to get to the vulnerable request.

What about scan coverage? These tools show the URLs they assessed and the bugs identified, but who can guarantee the whole application got tested?
I ask business: how do you know the scan is not missing some important sections or hidden transactions of your application?

But in order to know whether scan coverage was complete, business needs to:

Compare the 80 URLs of the app and the 1000 different POST/GET parameters, plus 4000 lines of JavaScript (AJAX), against the technical documentation of the Web App to try to identify any gap, right??
But this human effort is not doable.
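To make that coverage gap concrete, here is an added example (not code from the original post, nor from any of the scanners named above) that diffs a constructed scanner request log against constructed endpoint documentation and reports the untested URLs, the documented parameters the scan never sent, and requests to URLs the documentation does not mention. The log format, the endpoint names and the parameter names are all assumptions invented for the illustration.

```python
# Added example: compute scan coverage by comparing what a scanner actually
# exercised against what the application's documentation says exists.
# All endpoints, parameters and log lines below are constructed sample data.
from collections import defaultdict

# Constructed "technical documentation": endpoint -> documented parameters.
DOCUMENTED = {
    "/login": {"user", "pass"},
    "/account/save": {"id", "name", "email", "newsletter"},
    "/account/delete": {"id", "confirm"},
    "/search": {"q", "page"},
}

# Constructed scanner request log, one request per line: METHOD URL param,param
SCAN_LOG = """\
POST /login user,pass
GET /search q
POST /account/save id,name,email
GET /search q,page
GET /admin/export format
"""

def parse_scan_log(log):
    """Collect the set of parameters the scanner sent to each URL."""
    seen = defaultdict(set)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # skip blank or malformed lines
        url = parts[1]
        params = parts[2].split(",") if len(parts) > 2 else []
        seen[url].update(p for p in params if p)
    return seen

def coverage_report(documented, seen):
    """Return untested URLs, untested params per URL, undocumented URLs, and % coverage."""
    untested_urls = sorted(u for u in documented if u not in seen)
    missing_params = {}
    total = tested = 0
    for url, params in documented.items():
        total += len(params)
        hit = params & seen.get(url, set())
        tested += len(hit)
        if params - hit:
            missing_params[url] = sorted(params - hit)
    # Requests to URLs the documentation never mentions are a gap on the doc side.
    undocumented = sorted(u for u in seen if u not in documented)
    pct = round(100.0 * tested / total, 1) if total else 0.0
    return {"untested_urls": untested_urls, "missing_params": missing_params,
            "undocumented_urls": undocumented, "param_coverage_pct": pct}

if __name__ == "__main__":
    print(coverage_report(DOCUMENTED, parse_scan_log(SCAN_LOG)))
```

On the sample data the report flags /account/delete as never requested, the newsletter parameter of /account/save as never sent, and /admin/export as a URL missing from the documentation, with 70% of documented parameters exercised.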

Another question for business: these tools say "I am PCI Compliant" or "I am OWASP Top Ten Compliant", but... how can business validate that all Top Ten kinds of attacks are actually being sent to your app? Or how old are those attacks?

Technology supported by the tool.

Let's suppose business has its own implementation of AJAX. How do you know the web app scanner tool supports it, and if it doesn't, is the tool informing you that it was not able to test such "weird" transactions?

Vulnerabilities management

Ok, good, the tool found 50 confirmed vulnerabilities, so... what is next?? Is there an integrated interface to deal with these new bugs until the Dev Team gets them fixed?


These kinds of improvements are what I think will produce the Next Gen Web App Scanner.

In coming posts I will start talking about the new features I am integrating into my app, and I will share the problems I am facing, how I worked them out, and other technical stuff!!!