Web applications are popping up everywhere these days, and the growth of Web services will only expand that trend. When data must be accessed and easily shared, the standard solution is to develop a quick Web application that provides data access with a nice GUI – hence the proliferation.
What many developers do not realize is that the Web application may contain numerous security vulnerabilities that could easily lead to the destruction, modification, or public disclosure of data, not to mention embarrassing press coverage for a defaced Web site.
KaVaDo Inc.’s ScanDo Version 1.5 can test these Web applications for vulnerabilities of data stored in the back-end database. ScanDo analyses for common threats such as known security vulnerabilities in site components (Web server and application server), parameter tampering (hidden field manipulation), cookie poisoning, SQL injection, and buffer overflows.
ScanDo first scans the Web site to identify all pages, links, and forms. It can then run a security assessment on the identified site to find any potential problems. It’s a very unintrusive process that provides detailed security information.
Users can then opt to run an attack against the site. ScanDo uses information from the assessment phase to strike the Web application just as a malicious attacker would. This step is very intrusive and may cause the Web site to crash, so we don’t recommend running the attack against production sites.
Finally, ScanDo generates reports detailing the identified security threats in the Web application. The reports are easy to read, but should provide more details. For example, if the assessment identifies a known IIS (Internet Information Server) vulnerability, ScanDo only directs users to Microsoft Corp.’s security site. A link to the patch or detailed instructions for eliminating the vulnerability would be useful.
ScanDo provides the ability to export report data in XML or ADTG (Advanced Data TableGram) formats, allowing third-party applications to process the data. Many users may find this feature useful if they prefer specific reporting packages or have a centralized reporting facility. Users can also create custom reports using ScanDo’s data.
The customizable features allow users to provide form input data, custom HTTP headers, provide client certificates, and configure custom 404 pages and excluded content. ScanDo also supports custom scripts, so users can generate their own tests using VBScript. Users can also launch their own manual attacks that provide very detailed control over the process, for example, creating specific HTTP requests and attack parameters.
One of the better features of ScanDo is its modular design. The Update Wizard provides quick deployment of new security checks and could easily contain a new module to assess a new technology, such as SOAP (Simple Object Access Protocol). This modularity means that as Web applications start using new technologies, ScanDo can test their security – instead of requiring users to buy yet another product.
Licensing, however, is tricky. KaVaDo closely licenses ScanDo and the program will not function without a valid licence. Additionally, ScanDo is usually licensed for a specific domain; any links or pages ScanDo finds that are not in the licensed domain are ignored. Unlimited licences are available, though.
We installed ScanDo on a Windows 2000 Professional System (SP2). Installation is very simple using the typical Windows installer program. We scanned a test Web application we developed that runs on IIS and contained some well-known Web application security issues, such as hidden tags, IIS vulnerabilities, and no input validation.
We launched a comprehensive scan, the most detailed available. As the scan progressed, we could watch everything in the GUI as it occurred. The windows are very informative, showing the file tree of the site on the left, discovered links at the bottom, and the page that is being analysed to the right. ScanDo found all of our planted vulnerabilities, as well as a few buffer overflows we were not aware of. It also found all of the missing IIS patches on our Web server.
ScanDo is an excellent tool that should be used at all stages of Web application development and for periodic audits after the application is in production. A proactive approach to application security, starting with this kind of vulnerability scanning, can save a lot of time and money down the road.
THE BOTTOM LINE: DEPLOY
KaVaDo ScanDo 1.5
Business Case: Because Web applications can provide easy access to your network, they demand proper security precautions. ScanDo provides a comprehensive security assessment tool to make sure precautions are taken.
Technology Case: ScanDo’s easy-to-use interface and customizable features make it useful for any organization. Its modular design provides easy upgrades and support for new technologies, allowing it to grow with the Web application.
+ Modular, easy to update
+ Customizable testing and report generation
– Reports lacking enough detail
Cost: US$15,000 to US$25,000
Platform(s): Can be installed on systems running Windows NT, 2000, or XP
Company: KaVaDo; http://www.kavado.com
Mandy Andress ( [email protected]) covers security and networking for the Test Center.