Vulnerability Scan Service
Application security is a crucial part of the continuous DevSecOps cycle. Unlike the OS and middleware, the security of your own applications must be ensured by you.
In other words, an "application vulnerability scanning" stage needs to be included in the development => testing => release cycle.
With AppSecOne, an application vulnerability scanning service, you can incorporate that stage today.
How AppSecOne Scans for Application Vulnerabilities
- AppSecOne uses a Chrome extension to obtain the HTML of the application's screens.
- Input patterns for vulnerability scanning are automatically generated from that HTML.
- The generated input patterns are applied to the actual application, and the HTML of each resulting screen is obtained.
- The application's result screens are displayed in AppSecOne for each input pattern applied.
- After a visual check of each result, an OK/NG judgment can be registered.
- When the application is updated, the check can be started automatically.
- The target vulnerabilities can be selected from the OWASP Top 10.
AppSecOne Vulnerability Scanning Execution Flow
Vulnerability items
- SQL Injection
- OS Command Injection
- LDAP Injection
- Mail Header Injection
- Format string attacks
- Cross Site Scripting
- Server Side Include Injection
- Custom Testing
Vulnerability testing with AppSecOne
The following are the steps of vulnerability testing with AppSecOne, using bWAPP as the target.
bWAPP, a buggy Web APPlication, is an open source web application with over 100 web vulnerabilities, built for practicing how to discover and prevent them.
Installing the Chrome Extensions
To perform vulnerability checks with AppSecOne, you will need to download the Chrome extensions we provide and install them in your Chrome browser.
Extension for AppDocOne - Design Document Management Service
Used to register current HTML information of your application to AppSecOne.
Extension for AppSecOne - Vulnerability Check Service
Used to perform automatic testing based on the registered HTML information.
Obtaining HTML information from the application screen
Let's obtain the HTML information of our target, bWAPP's SQL Injection (Search/GET) screen.
SQL injection (Search/GET) screen of bWAPP
This is one of the screens published by bWAPP that is vulnerable to SQL injection.
The "Search for a movie" input field can cause the application to behave in a problematic manner when malicious input is entered, in some cases displaying user names, email addresses, and passwords from the user table on the screen.
With the bWAPP "SQL Injection (Search/GET)" screen open in your browser, open the AppDocOne extension and click the Analyze page button to retrieve current HTML information.
When the page analysis is complete, the AppSecOne screen displays the results of the analysis, including the application's input fields and labels.
Execute the Vulnerability Check
Once you are satisfied that the HTML information has been obtained, return to the bWAPP screen, open the AppSecOne extension, and click on the Test Page button.
When the Test Page button is clicked, AppSecOne automatically sets the malicious input values in the target input fields on your behalf and clicks the Search button. bWAPP then returns its result screen, which AppSecOne captures.
The following screens are excerpts of the actual inputs AppSecOne applied and some of the results.
AppSecOne collects the result screen for each of these inputs.
AppSecOne input
Set 'a' or 1 = 1;-- as the input value and retrieve the HTML information output when the Search button is clicked.
Vulnerability from the results
All registered movies were displayed in the search results for 'a' or 1 = 1;--, even though the expected input value was a movie title.
If only the registered movie titles are displayed, no confidentiality is compromised and there is no immediate problem. However, the vulnerability is now exposed on this screen, and a malicious attacker who notices it will attempt further attacks.
AppSecOne input
Set "a" or 1 = 1;-- as the input value and obtain the HTML information output when the Search button is clicked.
Vulnerability from the results
The error message "No movies were found!" is displayed because no movies with titles matching the input text are registered.
The application is considered to work as expected.
AppSecOne input
Set ' and 1=2 union select 1,login,password,3,email,5,6 from users-- - and get the HTML information output when the Search button is clicked.
Vulnerability from the results
The screen should have displayed the title of the movie registered in the application and the year of release, but the login ID, password, and email address were displayed.
The password is displayed only as an encrypted string, but with a little time the plain-text password can be recovered.
Displaying Vulnerability Check Results
In this way, every screen the application outputs in response to malicious input is captured and listed in AppSecOne.
To review the result for each input, click the screen shown in the check results.
Because the result screen for this input value is problematic, click the Fail button to register it with AppSecOne as vulnerable.
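The OK/NG judgment above is made by eye. As an added example (not part of AppSecOne or bWAPP), here is a first-pass automated triage of the three result screens described on this page; the HTML fragments are constructed to mirror the bWAPP movie search results, and the column count and error patterns are assumptions for this demo.

```python
import re
from html.parser import HTMLParser
# Constructed result screens modelled on bWAPP's movie search (not captured from bWAPP
# or AppSecOne): the three outcomes described on this page, one per scanner input.
NO_RESULTS = "<h1>Search for a movie</h1><p>No movies were found!</p>"
ALL_MOVIES = ("<table><tr><th>Title</th><th>Release</th></tr>"
              "<tr><td>Iron Man</td><td>2008</td></tr>"
              "<tr><td>The Matrix</td><td>1999</td></tr>"
              "<tr><td>Inception</td><td>2010</td></tr></table>")
LEAKED_USERS = ("<table><tr><th>Title</th><th>Release</th></tr>"
                "<tr><td>alice</td><td>HASH-PLACEHOLDER-1</td><td>alice@example.test</td></tr>"
                "<tr><td>bob</td><td>HASH-PLACEHOLDER-2</td><td>bob@example.test</td></tr></table>")

class RowCollector(HTMLParser):
    """Collect the text of every <td> cell, grouped by <tr> row (header rows are skipped)."""
    def __init__(self):
        super().__init__()
        self.rows, self._row, self._in_td = [], None, False
    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row = []
        elif tag == "td":
            self._in_td = True
    def handle_endtag(self, tag):
        if tag == "td":
            self._in_td = False
        elif tag == "tr" and self._row:
            self.rows.append(self._row)
    def handle_data(self, data):
        if self._in_td and self._row is not None:
            self._row.append(data.strip())

EMAIL = re.compile(r"[^\s<>@]+@[^\s<>@]+\.[^\s<>@]+")
SQL_ERROR = re.compile(r"SQL syntax|mysql_|sqlite3\.|ORA-\d{5}|syntax error", re.I)

def judge(html, expected_columns=2):
    """Triage one result screen. The scanner's input is not a real title, so a correctly
    behaving search shows 'No movies were found!' and no data rows; anything else is NG."""
    if SQL_ERROR.search(html):
        return "NG", "database error message leaked to the response"
    parser = RowCollector()
    parser.feed(html)
    if not parser.rows:
        if "No movies were found!" in html:
            return "OK", "no rows returned"
        return "REVIEW", "no rows, but no not-found message either"
    if any(len(r) != expected_columns for r in parser.rows) or \
            any(EMAIL.search(c) for r in parser.rows for c in r):
        return "NG", "rows contain data from outside the movies table"
    return "NG", f"{len(parser.rows)} rows returned for a non-title input (filter bypassed)"
```

A "REVIEW" verdict is returned for screens the rules cannot classify, so that those still go to the manual OK/NG check described above.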
AppSecOne can also check for other vulnerabilities listed in the OWASP Top 10, the widely referenced list of the most critical web application security risks.
We are happy to provide an online demo of AppSecOne. Please send us a message via "Contact us".