By -

Vulnerability Management: False Positives, False Negatives, Technical, Logical Vulnerabilities and Human Error


 At edgescan, we have delivered thousands of assessments over the past years and one topic which is both a commonly known weakness but also a source of concern is Accuracy of assessment

 - The challenge being (human & technical);

  • Can the technology detect security weaknesses report accurate findings ?  
  • Can the technology avoid reporting issues that are not real? - "False Positives"
  • Can the technology miss critical issues and simply not report the weakness - "False Negatives"
  • In addition, once an issue is reported shall the human dismiss the issue as a "False positive" because they misunderstand or cannot reproduce the issue, resulting in a "False negative"


 The majority of commercial and open source vulnerability scanning tools can not provide reliable results and require significant human validation which can also fail (as above).

Simple Vectors:

Most tools can accurately discover simple vulnerabilities sending a tainted request and analyzing the response. If the response is one of a number of typical expected responses signifying a vulnerability it is marked by the scanner as a vulnerable issue. - This assumes the scanner actually gets to scan the vulnerable parameter by virtue of knowing it exists in the first place......

Crawling/Coverage Challenge:

A scanner discovers an applications layout by Crawling/Spidering the site looking for Href and Links to other pages and invocations of HTTP methods. - Many scanners don't crawl applications very well and don't map the entire site. The is more and more the case not we have heavily front-loaded JavaScript-driven web applications / One-Page apps. - Poor crawling results in less than optimal coverage. The results in parts of a web application not being tested properly, if at all and leading us into the territory of "False Negatives".

 Example issues:
CSRF Tokens Preventing CrawlingCross-Site-Request Forgery tokens need to be resent with every request. If the token is not valid the application may invalidate the session. Tokens can be embedded in the HTML and not automatically used by the scanner. This results in the scanner not crawling or testing the site adequately.

DOM Security Vulnerabilities:  Client-Side security issues which do not generate HTTP requests may go undiscovered due to tools only testing the application via sending and receiving HTTP requests. DOM (Document Object Model) vulnerabilities may go undiscovered as the tool does not process client side scripts.

Dynamically Generated RequestsContemporary applications may dynamically generate HTTP requests via JavaScript functions and tools which crawl applications to establish site maps may not detect such dynamic links and requests.

Recursive Links - Limiting Repetitive FunctionalityApplications with recursive links may result in 1000’s of unnecessary requests. An example of this could be a calendar control or search result function. This may result in 1000’s of extra requests being sent to the application with little value to be yielded.
Example:
/Item/5/view , /Item/6/view, /Item/7/view,..,..

Interpretation of results:
This challenge can be both as a result of human error or automation. Tools can misinterpret results by claiming there is a security issue when there is not (False Positive) or by not applying an appropriate request to detect a vulnerability (False negative). Humans can get it wrong also (as above).




Comments

Post a Comment

Popular posts from this blog

By -
Image
The HSE Data Breach and the State of Irish Cyber Security Many years ago, shortly after I founded the Irish chapter of OWASP ( http://www.owasp.org ) (in 2007??) we were delivering free application and software development classes to anyone who wanted them. It was a local low key affair but every class we delivered was "sold out". We have 60-80 folks mostly developers willing to spend 4-5 hours on learning the fundamentals of secure application development and testing. I suppose we felt cyber security was an important issue because that's what we did. At the time many folks in business felt cyber security was an overhead or a "tax" and did not give it much time. A few years later (late 2010) when the the foundation of the NCSC (National Cyber Security Centre) was announced, a few of us (local OWASP Ireland leaders) wrote a number of emails to the Irish government offering free cyber security training. As we were working for a non profit (501.3c) charity (OWA...
Read more

Edgescan and Huawei - Cybersecurity - Irish Times Article and Panel Discussion

By -
Image
I recently was interviewed by the Irish times on why is everything getting hacked and how can we change the game.... https://www.irishtimes.com/special-reports/cybersecurity-focus/criminals-have-an-inbuilt-advantage-in-the-great-cyber-arms-race-1.4651078  A recording of the Panel with Andy Purdy, CSO of Huawei North America. https://www.youtube.com/watch?v=cQJ1uSQ4IEk&t=33s Both are decent and worth a listen.
Read more

How Simple can it be.....XSS Prevention....

By -
Cross Site Scripting is sill a very common web vulnerability. Generally it is used to attack clients/users. It can be used for malware upload, botnet hooking, keylogging, a payload delivery system for clickjacking and CSRF attacks and much much more, all for 6 easy payments of $9.99...sorry got carried away there :) But is is easily preventable. You dont even have to know what XSS (type 0, type 1, type 2, DOM, Stored, Reflected) is to prevent it. One pretty simple way to prevent XSS is to use the OWASP ESAPI (Enterprise Security API). A very easy tool to use/invoke. It's also managed and attended to by Chris Schmidt ....A great guy... Regardless of what it does....if there was a mandate to use it on all redisplayed external input a site could become virtually XSS free!! (all for 6 easy payments of......). It's easy to deploy.... 1. Include in JSP (Java version) 2. Invoke in JSP 3. Job done!!! We include it by <%@ page import="org.owasp.esapi.ESAPI...
Read more