
Finding and fixing security vulnerabilities

By Hernan Amaya – Java Developer at Santex

Security is one of the main pillars of the Information Technology industry. Imagine software without it: anyone could read privileged information anywhere, with potentially serious consequences. Everybody who owns software wants it to withstand cyber attacks, and developers try to design and implement software that is protected. Yet no matter what tools or knowledge are at our disposal, no one can be certain that a piece of software is 100% secure. That is why, once a certain software is stable, it is good practice to check whether it has any security vulnerabilities. Luckily, security vulnerability scanners make this practical today.

Our main goal is to show how to use several security scanners, and along the way to find and explain how to fix security vulnerabilities in a web application. Every tool shown here is automated and straightforward, and is used with its default configuration. We will scan demo.testfire.net, a deliberately vulnerable demo application that is published precisely so that commercial and free scanning tools can be tried against it. Keep in mind that running these scanners against a site you are not authorised to test is illegal in most jurisdictions, so use a target like this one or your own application. To conclude, we will highlight all the vulnerabilities found in this web application.

AppScan

IBM developed this commercial tool. It runs on Windows and has a trial version that allows you to scan the web application located at demo.testfire.net.

After installing and running the software in your local environment, select File -> New -> Regular Scan to open the wizard.


The wizard offers three exploration methods: the first option scans web applications, the second scans REST APIs and the third scans SOAP web services.

Leave the AppScan option selected and press the Next button.

[Screenshot: AppScan wizard, enter the URL]

Enter https://demo.testfire.net and click Next.

[Screenshot: AppScan wizard, select login method]

Leave the Recorded login option selected and click Next.

[Screenshot: AppScan wizard, select test policy]

Scroll down and select ‘Complete’ so that AppScan runs its full set of tests.

[Screenshot: AppScan wizard, final page]

Leave ‘Start a full automatic scan’ selected and press Finish. A pop-up will ask whether to save the project. Click ‘Yes’ to save it or ‘No’ to continue without saving. The scan will start; wait until it finishes. Along the way you may receive suggestions to change configuration options in order to improve the scan.

[Screenshot: AppScan scan expert recommendations]

Press ‘Apply Recommendations’ and wait for the new scan phases to finish.

[Screenshot: AppScan scan expert complete]

Click on ‘Issues’ to view the results of the analysis.

[Screenshot: AppScan results]

OpenVAS

This tool is Open Source and free. The scanner itself runs on Linux and is driven through a web interface (Greenbone Security Assistant), so you can operate it from a browser on any operating system. Unlike the other three tools in this article, OpenVAS is a network vulnerability scanner: it probes the host and its services (open ports, outdated software, weak TLS configuration) rather than crawling the application for flaws such as cross-site scripting, so expect a different kind of finding from it. After installing OpenVAS, follow these instructions:

[Screenshot: OpenVAS login page]

First, open the URL where the OpenVAS web interface is running and log in.

[Screenshot: OpenVAS main screen]

Click the purple icon and then select “Task Wizard.”

[Screenshot: OpenVAS task wizard]

Enter demo.testfire.net and press “Start Scan.”

[Screenshot: OpenVAS task in progress]

Wait for the task to complete. You can open the partial results at any time by clicking on the progress bar; once the task is complete, the full results are available.

[Screenshot: OpenVAS complete results]

Vega

Vega is a free, Open Source web security scanner and testing platform developed by Subgraph. It runs on Linux, macOS and Windows.

After you have installed Vega follow these instructions.

[Screenshot: Vega, starting the wizard]

Press Scan -> Start a New Scan. The wizard will start. Enter demo.testfire.net in the Scan Target URI and click Next.

[Screenshot: Vega wizard, select modules]

Leave the default modules and click Next. You can examine them and add the ones you consider to be necessary, but adding new modules will require more analysis time.

[Screenshot: Vega wizard, cookies and authentication identity]

Leave cookies and authentication identity blank and click Next. Note that, as with the other tools in this article, an unauthenticated scan only reaches the pages a visitor can see; to cover the pages behind the login you would supply a session cookie or an identity here.

[Screenshot: Vega wizard, parameters]

Leave the parameters that are already on the exclusion list, add any others you consider important to exclude, and click Finish.

[Screenshot: Vega, scanning process]

Wait until the scanning process ends. It shouldn’t take long.

[Screenshot: Vega, scanning results]

Zed Attack Proxy

Zed Attack Proxy (ZAP) is free and Open Source as well. It runs on several operating systems, including Linux, Windows and macOS. After installing it, follow these instructions.

[Screenshot: ZAP, start scan]

In the Quick Start tab, enter https://demo.testfire.net as the URL to attack and press Attack. ZAP will spider the site and then run its active scanner against what it found.

[Screenshot: ZAP scan results]

This is a summary of the results:

[Screenshot: table of vulnerability results from the different security scanners]
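The summary table above is a screenshot, but the same scanner-by-finding matrix can be built from the tools' exported reports, which also makes it easy to see which findings more than one tool corroborates (a cheap first filter for false positives). The script below is an added example and is not code from the original post or from any of the four tools. It parses ZAP's JSON report format (site[].alerts[].instances[]), takes the other scanners' findings as records mapped by hand because their export formats are not shown in this article, and merges everything by CWE id and URL path. The host app.example.test, the paths and every finding in the sample data are constructed for the example and do not describe any real site.

```python
"""Merge findings from several web scanners into one summary matrix (example code)."""
import json
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# ZAP's riskcode values (0-3) as they appear in its JSON and XML reports.
ZAP_RISK = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}


@dataclass(frozen=True)
class Finding:
    scanner: str  # tool that reported the issue
    cwe: str      # CWE id as a string, "" when the tool gave none
    path: str     # URL path only: scheme, host and query dropped so tools agree
    name: str     # the tool's own title for the issue
    risk: str     # normalised to Informational / Low / Medium / High


def normalise_path(url: str) -> str:
    """Reduce 'https://h/a.jsp?x=1' and 'http://h/a.jsp/' to the same key '/a.jsp'."""
    path = urlsplit(url).path
    return path.rstrip("/") or "/"


def parse_zap_report(text: str) -> list:
    """Read a ZAP JSON report: one Finding per alert instance."""
    report = json.loads(text)
    findings = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            risk = ZAP_RISK.get(str(alert.get("riskcode", "0")), "Informational")
            for inst in alert.get("instances", []):
                findings.append(Finding(
                    scanner="ZAP",
                    cwe=str(alert.get("cweid", "")),
                    path=normalise_path(inst.get("uri", "")),
                    name=alert.get("name", alert.get("alert", "")),
                    risk=risk,
                ))
    return findings


def merge(findings) -> dict:
    """Group findings from all tools by (CWE, path) -> {scanner: Finding}."""
    merged = defaultdict(dict)
    for f in findings:
        merged[(f.cwe, f.path)][f.scanner] = f
    return dict(merged)


def corroborated(merged, minimum=2) -> list:
    """Keys that at least `minimum` tools reported: worth triaging first."""
    return sorted(k for k, by in merged.items() if len(by) >= minimum)


def unique_to(merged, scanner) -> list:
    """Keys only one named tool reported: candidates for a manual check."""
    return sorted(k for k, by in merged.items() if set(by) == {scanner})


def summary_table(merged, scanners) -> str:
    """Render the scanner x finding matrix as plain text."""
    header = ["CWE", "Path"] + list(scanners)
    rows = [header]
    for (cwe, path), by in sorted(merged.items()):
        rows.append([cwe or "-", path] + ["x" if s in by else "" for s in scanners])
    widths = [max(len(r[i]) for r in rows) for i in range(len(header))]
    return "\n".join("  ".join(c.ljust(w) for c, w in zip(r, widths)) for r in rows)


# Constructed ZAP JSON report for a fictitious host (same shape as a real export).
SAMPLE_ZAP_JSON = json.dumps({
    "site": [{
        "@name": "https://app.example.test",
        "alerts": [
            {"name": "Cross Site Scripting (Reflected)", "riskcode": "3", "cweid": "79",
             "instances": [{"uri": "https://app.example.test/search.jsp?query=a",
                            "method": "GET", "param": "query"}]},
            {"name": "Content Security Policy (CSP) Header Not Set", "riskcode": "2",
             "cweid": "693",
             "instances": [{"uri": "https://app.example.test/", "method": "GET", "param": ""},
                           {"uri": "https://app.example.test/login.jsp", "method": "GET",
                            "param": ""}]},
        ],
    }],
})

# Findings from the other tools, mapped to Finding by hand (constructed sample data).
SAMPLE_OTHER = [
    Finding("Vega", "79", "/search.jsp", "Cross-Site Scripting", "High"),
    Finding("AppScan", "79", "/search.jsp", "Cross-Site Scripting", "High"),
    Finding("AppScan", "89", "/doLogin", "SQL Injection", "High"),
    Finding("OpenVAS", "", "/", "Deprecated TLS version enabled", "Medium"),
]


def build_summary() -> dict:
    """Merge the constructed ZAP report with the other tools' findings."""
    return merge(parse_zap_report(SAMPLE_ZAP_JSON) + SAMPLE_OTHER)


if __name__ == "__main__":
    merged = build_summary()
    print(summary_table(merged, ["AppScan", "OpenVAS", "Vega", "ZAP"]))
    print("corroborated by 2+ tools:", corroborated(merged))
    print("only ZAP:", unique_to(merged, "ZAP"))
```

Merging on (CWE, path) is deliberately coarse: tools name the same weakness differently, and the query string and scheme vary between runs, so a looser key is what lets the matrix line up. A finding that only one tool reports is not necessarily a false positive, but it is the first place to spend manual verification time.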

Conclusion

Security is crucial in software development. Having tools for finding vulnerabilities and suggesting how to fix them is a wonderful benefit.

In this analysis, we scanned demo.testfire.net using several tools. AppScan is a commercial tool that comes in a desktop version and a web application version. The technical difference between them is the way you interact with them, and that the web version delivers its results as a PDF file. The commercial difference is that with the web application you pay per scan, while with the desktop application you pay for a full year.

To sum up, of the four tools, IBM’s AppScan was the most thorough in our scan. However, several free, Open Source scanners are an excellent alternative, and combining OpenVAS, Vega and ZAP, each of which looks at the target from a different angle, can be powerful as well.