Finding and fixing security vulnerabilities

By Hernan Amaya – Java Developer at Santex

One of the main pillars of the Information Technology industry is security. Can you imagine what software would be like without security? Everyone could access privileged information everywhere, causing potentially precarious situations. It’s obvious that everybody who owns software wants to be secure against cyber attacks. Developers are always concerned about designing and implementing software that is protected. Yet, no matter what tools or knowledge are at our disposal, no one can be certain that his or her development is 100% secure. That is why once a certain software is stable, it is good to determine whether or not it has any security vulnerabilities. Luckily, nowadays it is possible to use security vulnerability scanners for this purpose.

Our main goal is to share how to use different security scanners. We will find and explain how to fix security vulnerabilities in a web application. Every tool exposed is automatic and straightforward and uses default configurations. We will scan demo.testfire.net. This web application is available for commercial use and free tools. To conclude, we will highlight all the vulnerabilities found in this web application.

AppScan

IBM developed this commercial tool. It runs on Windows and has a trial version that allows you to  scan the web application located at demo.testfire.net.

After installing and running the software in your local environment, select the following options: File -> New -> Regular Scan for accessing the wizard.

AppScan offers three possible exploration methods. The first option is for scanning web applications. The second option is for REST APIs. The third option is for SOAP web services.

Leave AppScan option selected and press the Next button.

Enter https://demo.testfire.net and click Next.

Leave the recorded option selected and click Next.

Scroll and select ‘Complete’ to let AppScan do an integral scan.

Leave ‘Start a full automatic scan’ selected and press Finish. A pop-up will appear asking whether to save the project or not. Click ‘Yes’ to save it or ‘No’ to continue without saving it. The scan will start. Wait until it finishes. You may receive suggestions to change configuration options for improving the scan.

Press ‘Apply Recommendations’ and wait for the new scan phases to finish.

Click on ‘Issues’ to view the results of the analysis.

Open VAS

This tool is Open Source and free. Several operating systems such as Windows and Linux support it. After installing Open VAS follow these instructions:

First, access to the URL where Open VAS is running.

Click the purple icon and then select “Task Wizard”.

Enter demo.testfire.net and press “Start Scan”.

Wait for the task to complete. You can access the results by clicking on the progress bar whenever you want. When it is complete, you will be able to see all the results.

Vega

Vega is a free and Open Source web security scanner. It is a web security testing platform   to test web applications. It runs on Linux and Windows.

After you have installed Vega follow these instructions.

Press Scan -> Start a New Scan. The wizard will start. Enter demo.testfire.net in the Scan Target URI and click Next.

Leave the default modules and click Next. You can examine them and add the ones you consider to be necessary, but adding new modules will require more analysis time.

Leave cookies and authentication identity blank and click Next.

Leave the parameters that are already on the exclusion list. Add the ones you consider important to exclude. Click Finish.

Wait until the scanning process ends. It shouldn’t take long.

Zed Attack Proxy

This tool is free and Open Source as well. It runs on several Operating Systems such as Linux and Windows. After installing it, follow these instructions.

In Quick Start enter https://demo.testfire.net and press start.

This is a summary of the results:

 

 

Conclusion

Security is crucial in software development. Having tools for finding vulnerabilities and suggesting how to fix them is a wonderful benefit.

In this analysis, we scanned demo.testfire.net using several tools. AppScan is a commercial tool that has a desktop and web application version. The technical difference between them is the way you interact with them, and that the latter one’s result is a PDF file. The commercial difference is that with the web application, you are able to pay for each individual scan, while with the desktop application, you have to pay for an entire year.

To sum up, we have discovered that nowadays the most powerful security scanner available is IBM’s AppScan. However, using several free, Open Source scanners is an excellent alternative. Consequently, combining scanners such as Open VAS, Vega and ZAP can be powerful as well.

Leave a reply