IBM Rational AppScan will give hackers a worthy rebuff
Application testing is always difficult: time, resources and people able to do it all become problems that need to be solved. This is especially true of testing for vulnerability to hacker attacks, because not everyone knows what methods digital criminals use. To solve this problem, IBM created Rational AppScan, a program that automatically scans web applications for vulnerabilities and generates reports on the test results.
Curious statistics.
Like everything else, hacker activity is studied and counted. Moreover, the numbers sometimes turn out to differ from what professionals assume. For example, Gartner estimated that web applications are the targets of 75% of all attacks, and that two-thirds of all applications are vulnerable. In practice this means that if you do not have your own security specialist, you will be hacked whenever an attacker chooses, even if you use a firewall and check it regularly. The most popular attack tools turned out to be XSS and SQL injection, against which all server-level protection is useless: the attack is at the application level. Moreover, people have learned how to protect the server and spend money on it, but not on applications, which is where the 75% figure comes from. Plus, security testing is carried out at the end of the project,
How does it happen
Consider the two most popular techniques: XSS and SQL injection.
The essence of XSS (cross-site scripting) is to deliver JavaScript to the victim through the address bar. For example, an attacker sends an email styled on the corporate template of the bank the victim uses. Some of the words are rendered as a link, and the user is unlikely to pay attention to what follows the domain name in the address, if they look at the address at all.
The JavaScript then runs in the site's security context, because it was invoked from within the site. This means it can steal cookies, track every action in the browser from the moment the script starts, redirect the user to a fraudulent website, and even completely modify the content of the pages being viewed.
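To make the reflected-XSS path concrete, here is an added example (not code from the article or from IBM) of the one server-side mistake that lets a value from the address bar become script, next to the two controls that break the chain: escaping on output and marking the session cookie HttpOnly so that even a script that does run cannot read it. The URL, the `name` parameter and the `probe()` tag are constructed for the example.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Constructed link of the kind the article describes: the host is the bank's own,
# the tail after the domain carries a <script> tag (URL-encoded) in the "name" parameter.
CONSTRUCTED_URL = "https://bank.example/welcome?name=%3Cscript%3Eprobe()%3C%2Fscript%3E"


def name_from_url(url):
    """Pull the attacker-controlled 'name' parameter out of the address bar."""
    params = parse_qs(urlsplit(url).query)
    return params.get("name", [""])[0]


def render_vulnerable(name):
    # Reflects the parameter into the page verbatim: whatever the link carried is
    # parsed by the browser as markup, and a <script> tag runs in the site's origin.
    return f"<h1>Welcome, {name}!</h1>"


def render_hardened(name):
    # html.escape turns <, >, &, and quotes into entities, so the browser renders
    # the value as text and never executes it.
    return f"<h1>Welcome, {html.escape(name, quote=True)}!</h1>"


def session_cookie_header(value):
    # HttpOnly keeps the cookie out of document.cookie even if a script does run;
    # Secure binds it to HTTPS; SameSite limits cross-site sending.
    return f"Set-Cookie: session={value}; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    name = name_from_url(CONSTRUCTED_URL)
    print("vulnerable:", render_vulnerable(name))
    print("hardened:  ", render_hardened(name))
    print(session_cookie_header("constructed-session-id"))
```

The escaped output still shows the user exactly what was in the link, which is what a scanner looks for when it checks whether a probe value comes back unescaped.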
Not surprisingly, this is the most popular technique to date, but SQL injection is not far behind. The principle, as the name implies, is to send SQL commands along with the data the user enters. Very often a programmer, out of laziness or ignorance, neglects to validate the submitted data and inserts it directly into the generated SQL query in the form in which it arrived. If an attacker sends SQL commands there, they will be executed, because they go straight into the query that a low-quality program generates automatically.
The simplest example: the user clicks a link with a product's name, and the address bar carries the product's numeric ID. The script on the site substitutes this ID from the address bar directly into the query template and executes it. SQL is an open, widely used language, and it is easy to guess what the template looks like: SELECT * FROM products WHERE id = '...', where the number from the address bar replaces the ellipsis. It is enough to write an apostrophe first, so that id receives an empty value, and then continue with your own commands. The trick is simple but popular.
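The product lookup above, written both ways, as an added example (not code from the article or from IBM): the vulnerable version pastes the address-bar value into the `SELECT * FROM products WHERE id = '...'` template exactly as the text describes, and the hardened version binds it as a query parameter so the database only ever compares it as data. The in-memory SQLite table and its three rows are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed products table standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?)",
        [(1, "keyboard"), (2, "mouse"), (3, "monitor")],
    )
    return conn


def lookup_vulnerable(conn, id_from_url):
    # The article's template with the address-bar value pasted straight in.
    # An apostrophe in the value closes the quoted id early and the rest of
    # the value is parsed as SQL, not as data.
    query = f"SELECT * FROM products WHERE id = '{id_from_url}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, id_from_url):
    # Parameterised query: the statement is fixed at compile time and the value
    # travels separately, so quotes inside it can never change the query's structure.
    # SQLite applies the column's numeric affinity, so "2" still matches id 2.
    return conn.execute(
        "SELECT * FROM products WHERE id = ?", (id_from_url,)
    ).fetchall()


def lookup_validated(conn, id_from_url):
    # Belt and braces: the page only ever links numeric IDs, so reject anything else
    # before it reaches the database at all.
    if not id_from_url.isdigit():
        return []
    return lookup_safe(conn, int(id_from_url))


if __name__ == "__main__":
    conn = make_db()
    normal = "2"
    crafted = "' OR '1'='1"  # constructed: closes the quote, then appends a condition
    print("vulnerable, normal :", lookup_vulnerable(conn, normal))
    print("vulnerable, crafted:", lookup_vulnerable(conn, crafted))  # every row
    print("safe, normal       :", lookup_safe(conn, normal))
    print("safe, crafted      :", lookup_safe(conn, crafted))        # nothing
    print("validated, crafted :", lookup_validated(conn, crafted))   # nothing
```

The difference is structural, not cosmetic: no amount of filtering on the concatenated version is as reliable as never letting user data into the statement text.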
How does IBM Rational AppScan handle this?
IBM Rational AppScan takes a black-box approach to the application. First, it explores the web application and builds its own model of the site. From these results it determines attack vectors according to the selected testing policy. Then it starts sending various HTTP requests that match this policy and parses the HTTP responses.
What do we get as a result? A powerful and understandable tool that automatically scans and tests web applications, including web services and JavaScript, for common vulnerabilities and fixes them (including by giving a list of actions to close the discovered vulnerabilities when this cannot be done automatically). IBM Rational AppScan integrates with other testing tools and can share scheduling and reporting with them. In total, it provides more than 40 ready-made reports on compliance with security requirements.
A very important property of IBM Rational AppScan is that it does not require expensive security specialists on the team, because it provides very detailed reports and instructions. For example, each vulnerability comes with an accessible description of how it works and why it is dangerous, including video clips. In other words, the people at IBM took the educational component seriously.
And one can understand them: the higher the average level of computer literacy, the fewer problems for us IT staff. Knowledge is the most effective way to protect information. It is not just for a nice-sounding name that this application is called Rational.
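The explore-then-test loop described above, reduced to its skeleton as an added example (not AppScan's code or any IBM API): a crawler follows links and records each path with its parameter names (the site model), a policy maps each check to a probe value and a judge for the response, and the test stage sends the probes and collects findings. The target is a constructed in-memory "application" with one endpoint that reflects its parameter unescaped and one that breaks on a stray apostrophe; `target_app`, `XSS_MARKER` and the policy names are assumptions of the example.

```python
import re
from urllib.parse import urlsplit, parse_qs


def target_app(path, params):
    """Constructed stand-in for a web app: (path, params) -> (status, body). No network."""
    if path == "/":
        return 200, ('<a href="/product?id=1">Keyboard</a> '
                     '<a href="/search?q=mouse">Search</a> '
                     '<a href="/about">About</a>')
    if path == "/product":
        pid = params.get("id", "")
        if "'" in pid:  # simulates an unparameterised query choking on a quote
            return 500, "SQL error: unrecognized token near \"'\""
        if not pid.isdigit():
            return 404, "no such product"
        return 200, f"<h1>Product {pid}</h1>"
    if path == "/search":
        return 200, f"<p>Results for {params.get('q', '')}</p>"  # reflected, unescaped
    if path == "/about":
        return 200, "<p>About us</p>"
    return 404, "not found"


LINK_RE = re.compile(r'href="([^"]+)"')
SQL_ERROR_RE = re.compile(r"SQL (syntax )?error|unrecognized token|unterminated quoted string", re.I)
XSS_MARKER = "<scanprobe1>"  # inert tag: proves unescaped reflection without executing anything


def crawl(app, start="/"):
    """Explore stage: follow links from the start page, build {path: [param names]}."""
    seen, queue, model = set(), [start], {}
    while queue:
        parts = urlsplit(queue.pop(0))
        if parts.path in seen:
            continue
        seen.add(parts.path)
        params = {k: v[0] for k, v in parse_qs(parts.query).items()}
        model[parts.path] = sorted(params)
        _status, body = app(parts.path, params)
        queue.extend(LINK_RE.findall(body))
    return model


# Testing policy: check name -> (probe value, judge(status, body, probe) -> bool).
POLICY = {
    "sqli": ("'", lambda status, body, probe: status >= 500 or bool(SQL_ERROR_RE.search(body))),
    "xss": (XSS_MARKER, lambda status, body, probe: probe in body),
}


def scan(app, model, policy=POLICY):
    """Test stage: send each policy probe to every parameter and judge the responses."""
    findings = []
    for path, param_names in model.items():
        for name in param_names:
            for check, (probe, judge) in policy.items():
                status, body = app(path, {name: probe})
                if judge(status, body, probe):
                    findings.append((check, path, name))
    return sorted(findings)


if __name__ == "__main__":
    model = crawl(target_app)
    print("site model:", model)
    for check, path, name in scan(target_app, model):
        print(f"FINDING {check}: {path} parameter '{name}'")
```

A real scanner adds authentication, JavaScript-driven crawling, many more probes per check and response-diffing to cut false positives, but the division into a site model, a policy and a request/response judge is the same, and it is why the tool needs no source code to work.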