Fuzz testing tools, such as ImmuniWeb Self-Fuzzer (a free real-time fuzzer extension for the Firefox browser), can analyse many possible data entry combinations in a short period of time. That process is similar to brute forcing password combinations and cannot compare to an intelligent attack. Attackers can put more logic into their attacks after reconnaissance, that is, after collecting information about the target. They can easily learn about the profiles of the target company's users and significantly reduce the scope of the attack. Their data searches will resemble those of legitimate users.
Such interaction with web applications can hardly be identified as potentially malicious. It would not be detected by log analyzers or application firewalls. What remains for attackers is to find a vulnerability such as a buffer overflow in the web content management system or the underlying database, and that would open the doors to the crown jewel: corporate information.
Automated web application scanning is very useful for an initial information security assessment. There are many scanning tools on the market, and some are even free, including OWASP Zed Attack Proxy (ZAP). It is simple to use, but web application security experience is required in order to produce meaningful results. Self-Fuzzer and ZAP are important tools within my web application security toolbox. I use them regularly to perform the initial phase of a corporate web application security assessment. This phase helps prioritize web applications in terms of potential vulnerabilities and their criticality. It results in defining the scope for further, more in-depth security assessments and in allocating the security budget for preventive, detective and security monitoring activities.
Like all automated scanners, ZAP cannot detect logical vulnerabilities. OWASP recommends performing manual penetration tests to find all types of vulnerabilities. Manual penetration testing is time consuming and requires specific skills; consequently it is an expensive consultancy service. It is therefore quite unlikely that my favorite sushi chef would authorize penetration testing to assess the security of his website. However, there is a solution even for a small e-commerce site like his. Personally, I was unaware of a hybrid approach to web application security assessment until 2013, when High-Tech Bridge, one of our penetration testing providers, offered to test ImmuniWeb. ImmuniWeb is an on-demand web application security assessment solution that combines automated scanning with manual web application penetration testing at an affordable price. Moreover, ImmuniWeb can be used to assess websites hosted with Cloud Service Providers, as it does not perform any dangerous security checks and does not affect the performance of the web server or network equipment.
For large companies with hundreds of web applications, such a hybrid assessment helps when expanding the scope of assessment to cover even applications estimated at medium or lower risk. CISOs finally have a solution that combines the strength of technology with human skills and intelligence to more accurately assess the potential for exploitation of application vulnerabilities.