AppSec USA 2017

Web Application Vulnerability Scanners are becoming increasingly automated and are facing more difficulties as web technologies change and evolve.

 

As is evident from the October 2015 “Talk-Talk hack”, where a 16-Year-old boy performed an easily exploitable SQL Injection attack which resulted in TalkTalk losing £60 million and where 157,000 customers had their detailsstolen, The effects of having insecure Web Applications can be utterly disastrous.

Web Application Scanning tools are used by Penetration Testers and Security folk alike in order to help identify vulnerabilities in a given web app. They come in many different forms and some cost a significant sum.



Scanners attempt to identify dangerous vulnerabilities like Cross Site Scripting (XSS) and SQL Injection among many others and these tools must be constantly improved and enhanced in order to keep up with the latest maliciou sattacker techniques but also contemporary development frameworks.

 

For example, architectural changes and improvements issues such as Anti-CSRF tokens, recursive links and JS dynamically generated URLS have a massive impact on a scanners ability to effectively identify, crawl, scan and analyse a target web application for vulnerabilities.  

 

This presentation addresses the problems that current web application scanners face in dealing with both traditional and contemporary web architectures and technologies. It suggests improvements and identifies pitfalls of using automation without applying intelligence and a contextual view of the target being assessed.