|S N E A K P R E V I E W|
AppScan Flags Security Problems in Web Applications
October 16, 2000
By Jeff Forristal
As Internet-based business becomes more commonplace, we're seeing huge growth in the number of available e-commerce solutions, many of which are custom-coded. Programming an application is easy, but making it secure is difficult. So how do you analyze your custom Web application for security holes?
It requires a software package such as Sanctum's (formerly Perfecto Technologies) AppScan, which is part of an emerging generation of security tools that take a proactive approach to finding security holes in Web applications. Unlike today's vulnerability scanners, which look only for known problems, AppScan will analyze your Web site or application and attempt to identify some of the more common programming mistakes and security concerns. These include application tampering (changing the price of a purchased item), cookie poisoning, third-party misconfigurations, known Web vulnerabilities and buffer overflows. It does this by monitoring sample Web sessions (via a specialized proxy server) and remotely scanning your Web site.
In my testing, in our partner lab at Neohapsis in Chicago, the AppScan installation was clean and fast thanks to Sanctum's "appliance" approach, which required me merely to boot off the product CD-ROM. Installation loads a copy of Debian Linux and all necessary AppScan components (including Web and database servers), and automatically configures the system for use. From this point, you do not even need to log into the system; you simply access the included Web interface.
Before the product can be deployed, you need to install a license--a somewhat cumbersome process that requires properly aligning the correct combination of hardware MAC address, user ID and target Web domains. However, once you have successfully negotiated all the parameters of the licensing and user IDs, you're left with a sleek, efficient product interface. The next step is to log in under the appropriate user ID; from there you can begin setting up the information necessary to scan your particular Web site. Once this task is complete, you enter what Sanctum has named the "Crawling" phase. You simply surf your site as a normal user would, while AppScan reviews and monitors your actions, compiles reports and watches for possible problems. In this manner, you can walk through complex transactions, such as logging into your site and placing orders. However, this step can be arduous and time-consuming if your site requires long streams of user interaction.
Once you're done navigating the site, you should return to the administrative interface and tell AppScan to analyze the surf results. The product will compile everything it observed and start to determine possible areas of vulnerability. Unfortunately, at this point, AppScan does nothing more than generate a list of derivative links (quite possibly a large number of them) for you to investigate by hand. A human eye with application-development knowledge is required to watch how the Web server and/or Web application responds to each mutated link. If the application or server does something unexpected (such as letting you make purchases at reduced costs or returning source code), you can flag that mutation as a problem area. While the interface makes it easy to catalog and verify these links, the process is time-consuming.
You need to be fairly proficient in the workings of HTTP and Web applications to understand many of AppScan's recommendations and to use the product's advanced features (such as Manual Hacking mode, which lets you construct custom HTTP requests). The final reports include only the problem areas you manually identified and flagged earlier, with the addition of a few URLs pointing to more information and/or fixes. They also indicate if AppScan's sister product, AppShield, is capable of defending against each type of vulnerability. AppShield is a Web proxy that acts as a "security defense shield" you place in front of your Web server. There isn't an option to autogenerate basic reports, which is a capability I would have liked to have seen.
The types of problems AppScan helps identify generally are more geared to application engineers and of less concern to network engineers. While AppScan's interface is outstanding and its framework is solid, only HTTP-savvy techies will be able to make the most of the product. To Sanctum's credit, however, AppScan's fresh approach to Web security is much needed, and a little maturation time could yield some worthwhile enhancements. Version 1.0 boasts ideas and a framework that hint at a significant future addition to any Web-enabled company's arsenal of security tools.
Just as we were going to press with this review, Sanctum released version 1.5 of AppScan. The company says the latest version does add support for SSL (Secure Sockets Layer) encryption, but it does not address any of the concerns here. According to Sanctum, AppScan 1.5 can work with any site using SSL encryption technology and requires no additional user modification.
Jeff Forristal is a senior security consultant for Neohapsis in Chicago. Send your comments on this article to him at firstname.lastname@example.org.