Syhunt Presentation 2011

SYHUNT Web Application Security Assessment Provider


Syhunt Sandcat Web Application Security Scanner Presentation

Transcript of Syhunt Presentation 2011

Page 1: Syhunt Presentation 2011

SYHUNT Web Application Security Assessment Provider

Page 2: Syhunt Presentation 2011

Sandcat Assessment Suite: What is Sandcat?

- Sandcat is a hybrid multilanguage web application security assessment suite
- A software suite that simulates web-based attacks
- Proactively guards an organization's Web infrastructure against web application security threats
  - Finds the vulnerabilities before the hackers

Page 3: Syhunt Presentation 2011

Sandcat Assessment Suite: Evolution

- Initially an evasion-capable web server scanner
  - With CGI/directory brute force scanning and a very extensive database of checks (2001-2003)
- Added spidering & injection capabilities
  - Became a remote web app sec scanner (2004)
- Added source code scanning capabilities (2008)

Page 4: Syhunt Presentation 2011

Sandcat Assessment Suite: How It Works

- Scans live websites for multiple classes of vulnerabilities - an external pen-test
  - This is the hacker's perspective (aka blackbox)
- Scans the application's source locally for the same multiple classes of vulnerabilities - an internal code review (aka whitebox)
- When it combines both approaches, you have what is called a hybrid analysis (or greybox)
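To make the three perspectives concrete, here is an added example (not Syhunt's code, and no claim about how Sandcat implements its own checks): a line-based white-box check over a constructed PHP fragment that follows request parameters into SQL sinks and echo statements, followed by a grey-box step that correlates those source findings with a constructed list of remote findings on vulnerability kind, parameter and HTTP method. PHP_SOURCE, REMOTE_FINDINGS, the sink and sanitizer lists and the URL paths are all assumptions made for the illustration.

```python
import re
from dataclasses import dataclass

# Constructed PHP fragment used as the white-box input (an assumption,
# not code from the presentation or from any real application).
PHP_SOURCE = """<?php
$id = $_GET['id'];
$q = "SELECT * FROM users WHERE id = " . $id;
$res = mysql_query($q);
$name = mysql_real_escape_string($_POST['name']);
mysql_query("INSERT INTO log (name) VALUES ('$name')");
echo "Hello " . $_GET['user'];
"""

# Constructed black-box results for the same application, standing in
# for what an external (remote) scan of the live site would report.
REMOTE_FINDINGS = [
    {"kind": "sqli", "url": "/user.php", "param": "id", "method": "GET"},
    {"kind": "xss", "url": "/search.php", "param": "q", "method": "GET"},
]

SUPERGLOBAL = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\['(\w+)'\]")
ASSIGNMENT = re.compile(r"\s*\$(\w+)\s*=")
SQL_SINKS = ("mysql_query", "mysqli_query", "pg_query")
SANITIZERS = ("mysql_real_escape_string", "intval", "htmlspecialchars")


@dataclass(frozen=True)
class Finding:
    kind: str    # "sqli" or "xss"
    param: str   # request parameter that reaches the sink
    method: str  # HTTP method the parameter arrives with
    line: int    # source line of the sink


def uses(var, line):
    return re.search(r"\$" + re.escape(var) + r"\b", line) is not None


def scan_source(src):
    """White-box check: follow request parameters through simple
    assignments and report them at a SQL sink or echo unless a known
    sanitizer wrapped them. Deliberately line-based; a real source
    scanner parses the language instead."""
    tainted = {}   # PHP variable name -> (param, method)
    findings = []

    def report(kind, param, method, lineno):
        f = Finding(kind, param, method, lineno)
        if f not in findings:
            findings.append(f)

    for lineno, line in enumerate(src.splitlines(), 1):
        direct = SUPERGLOBAL.search(line)
        assign = ASSIGNMENT.match(line)
        sanitized = any(s in line for s in SANITIZERS)
        # 1. Sinks on this line, judged against taint known before it.
        is_sql_sink = any(s in line for s in SQL_SINKS)
        is_echo = line.lstrip().startswith("echo")
        if is_sql_sink or is_echo:
            kind = "sqli" if is_sql_sink else "xss"
            for var, (param, method) in tainted.items():
                if uses(var, line):
                    report(kind, param, method, lineno)
            if direct and not sanitized:
                report(kind, direct.group(2), direct.group(1), lineno)
        # 2. Taint introduced or propagated by an unsanitized assignment.
        if assign and not sanitized:
            target = assign.group(1)
            if direct:
                tainted[target] = (direct.group(2), direct.group(1))
            else:
                for var, info in list(tainted.items()):
                    if var != target and uses(var, line):
                        tainted[target] = info
    return findings


def hybrid_correlate(source_findings, remote_findings):
    """Grey-box step (this example's own way of combining both views):
    a remote finding matching a source finding on kind, parameter and
    method is confirmed and annotated with the source line; unmatched
    findings from either side are kept rather than dropped."""
    confirmed, remote_only, matched = [], [], set()
    for r in remote_findings:
        key = (r["kind"], r["param"], r["method"])
        hit = next((s for s in source_findings
                    if (s.kind, s.param, s.method) == key), None)
        if hit:
            confirmed.append({**r, "source_line": hit.line})
            matched.add(hit)
        else:
            remote_only.append(r)
    source_only = [s for s in source_findings if s not in matched]
    return {"confirmed": confirmed, "remote_only": remote_only,
            "source_only": source_only}


if __name__ == "__main__":
    result = hybrid_correlate(scan_source(PHP_SOURCE), REMOTE_FINDINGS)
    for bucket, items in result.items():
        print(bucket, items)
```

On the constructed input the SQL injection on `id` is reported by both views and comes out confirmed with its source line, the remote-only XSS on `q` stays a black-box result to be reviewed, and the echo of `user` on line 7 is a source-only finding that a remote test never exercised. Keeping the three buckets apart is what makes the hybrid result more useful than either list on its own.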

Page 5: Syhunt Presentation 2011

Sandcat Assessment Suite: Sandcat's hybrid multilanguage web application security scanning capabilities

[Diagram: an Internal Source Scanner and an External Remote Scanner, both used to scan any web app; the remote side is an HTML5-aware spider with JavaScript emulation]

Page 6: Syhunt Presentation 2011

Features: Core Functionality

- Concurrency/Scan Queue Support (Multithreads)
- Deep Crawling (Spidering)
  - Maps the entire web site structure (all links, forms, XHR requests and other entry points)
- Multiple Versions (Windows Only)
  - GUI (Graphical User Interface)
  - CLI (Command-Line Interface)
  - Web-Interface (Apache-Based)
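As an added illustration of what "mapping the entry points" means in practice (example code, not Sandcat's own spider), the following parses one constructed page and collects the three kinds of entry point the slide lists: links (kept in scope by host), forms with their input names, and XHR endpoints found as literal `XMLHttpRequest.open` calls in inline scripts. SAMPLE_HTML and the base URL `http://www.example.test/` are assumptions; a real spider would fetch each in-scope link and repeat the step.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed page used as crawler input (an assumption, not a real site).
SAMPLE_HTML = """
<html><body>
<a href="/about.html">About</a>
<a href="http://other.example/x">External</a>
<form action="/login.php" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<script>
  var xhr = new XMLHttpRequest();
  xhr.open("GET", "/api/items?page=1");
  xhr.send();
</script>
</body></html>
"""

# XMLHttpRequest.open(method, url) calls with literal string arguments.
XHR_CALL = re.compile(r"""\.open\(\s*["'](\w+)["']\s*,\s*["']([^"']+)["']""")


class EntryPointParser(HTMLParser):
    """Collects links, forms (with input names) and XHR endpoints found in
    inline scripts, resolving every URL against the page URL and keeping
    links on other hosts apart so the crawl stays in scope."""

    def __init__(self, base):
        super().__init__()
        self.base = base
        self.host = urlparse(base).netloc
        self.links, self.external, self.forms, self.xhr = [], [], [], []
        self._form = None
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            url = urljoin(self.base, a["href"])
            bucket = self.links if urlparse(url).netloc == self.host else self.external
            bucket.append(url)
        elif tag == "form":
            self._form = {"action": urljoin(self.base, a.get("action", "")),
                          "method": a.get("method", "get").upper(), "inputs": []}
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form["inputs"].append(a["name"])
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here as text; pick out literal XHR targets.
        if self._in_script:
            for method, url in XHR_CALL.findall(data):
                self.xhr.append({"method": method.upper(),
                                 "url": urljoin(self.base, url)})


def map_entry_points(html, base_url):
    """One crawl step: every entry point a scanner would later test."""
    p = EntryPointParser(base_url)
    p.feed(html)
    p.close()
    return {"links": p.links, "external": p.external,
            "forms": p.forms, "xhr": p.xhr}


if __name__ == "__main__":
    for kind, items in map_entry_points(SAMPLE_HTML, "http://www.example.test/").items():
        print(kind, items)
```

The form's input names and the XHR URL are the interesting output: they are the parameters a later injection check would exercise, and the XHR endpoint would never appear in a crawl that only followed anchor tags.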

Page 7: Syhunt Presentation 2011

Sandcat Assessment Suite: Core Functionality

- Report Generation
  - Multiple formats and templates
  - Compliance - OWASP Top 10, PHP Top 5, CWE/SANS Top 25, Payment Card Industry (PCI), etc.
  - Also includes:
    - OSVDB references
    - CVE & CWE references
    - Charts

Page 8: Syhunt Presentation 2011
Page 9: Syhunt Presentation 2011

Vulnerability Coverage: Sandcat Database

- Over 460 remote web application security checks in over 24 categories of web attacks
  - XSS, SQL Injection, File Inclusion, Command Execution, etc.
- OWASP's Top Ten Most Critical Web Application Security Vulnerabilities & PHP Top 5 Vulnerabilities

Page 10: Syhunt Presentation 2011

Vulnerability Coverage: Sandcat Database

- Over 561 source checks, covering several types of web attacks:
  - SQL Injection
    - Both remote and source checks tailored to cover MySQL, Oracle, PostgreSQL, Microsoft Access, Microsoft SQL Server, SQLite, Firebird, Sybase...
  - Cross-Site Scripting (XSS), Arbitrary File Manipulation, Command Execution, File Inclusion (Local & Remote) and more.

Page 11: Syhunt Presentation 2011

Vulnerability Coverage: Sandcat Database

- 29K (29 thousand) web vulnerabilities researched since 2003 affecting specific web applications/servers.
- Examples:
  - StatPressCN Plugin for Wordpress wp-admin/admin.php Multiple Parameter XSS (CVE-2011-0641)
  - PHPCMS 2008 data.php where_time Parameter SQL Injection (CVE-2011-0645)

Page 12: Syhunt Presentation 2011

Additional Components: Other Sandcat Components

- Sandcat Log Analyzer
  - Scans HTTP logs (created by web servers) for intrusion attempts
- Sandcat Apache/PHP Hardener
  - Scans Apache and PHP configuration files for weak security settings
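The two components on this slide are simple enough to show end to end. The added example below is not Syhunt's code and does not reproduce either component's rule set; it runs a signature pass over constructed Apache combined-format log lines (URL-decoding the request first, so encoded payloads are not missed) and then checks constructed php.ini and httpd.conf fragments for a handful of well-known weak settings, reporting the recommended value next to each. The log lines, the signature list, the config fragments and the check tables are all assumptions.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Aug/2011:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Aug/2011:10:01:09 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 301 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Aug/2011:10:01:15 +0000] "GET /user.php?id=1%27%20OR%201%3D1-- HTTP/1.1" 500 0 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Aug/2011:10:02:00 +0000] "GET /download.php?file=../../../../etc/passwd HTTP/1.1" 404 220 "-" "curl/7.21"
10.0.0.5 - - [12/Aug/2011:10:02:30 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$')

# Signatures applied to the URL-decoded request line; first match wins.
SIGNATURES = {
    "xss": re.compile(r"<script|javascript:|onerror\s*=", re.I),
    "sqli": re.compile(r"'\s*or\s+1\s*=\s*1|union\s+select|--\s*$", re.I),
    "path_traversal": re.compile(r"\.\./|/etc/passwd", re.I),
}


def analyze_log(text):
    """Log-analyzer pass: parse each line, decode the request and record
    which signature matched, with client IP and the status the server
    returned (a 500 after a SQL payload is worth a closer look)."""
    hits = []
    for raw in text.splitlines():
        m = LOG_LINE.match(raw)
        if not m:
            continue  # malformed line: skip rather than guess
        decoded = unquote(m.group("path"))
        for name, sig in SIGNATURES.items():
            if sig.search(decoded):
                hits.append({"ip": m.group("ip"), "kind": name, "path": decoded,
                             "status": int(m.group("status"))})
                break
    return hits


# Constructed php.ini and httpd.conf fragments containing weak settings.
SAMPLE_PHP_INI = """\
display_errors = On
allow_url_include = On
expose_php = On
register_globals = Off
"""
SAMPLE_HTTPD_CONF = """\
ServerTokens Full
ServerSignature On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
"""

# (setting, weak value, recommended value)
PHP_CHECKS = [("display_errors", "On", "Off"), ("allow_url_include", "On", "Off"),
              ("expose_php", "On", "Off"), ("register_globals", "On", "Off")]
APACHE_CHECKS = [("ServerTokens", "Full", "Prod"), ("ServerSignature", "On", "Off")]


def check_php_ini(text):
    """Hardener pass over php.ini: 'key = value' lines, ';' comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" in line:
            k, v = (p.strip() for p in line.split("=", 1))
            settings[k.lower()] = v
    return [{"file": "php.ini", "setting": key, "value": bad, "recommended": good}
            for key, bad, good in PHP_CHECKS
            if settings.get(key, "").lower() == bad.lower()]


def check_httpd_conf(text):
    """Hardener pass over httpd.conf: 'Directive value' lines, '#' comments."""
    weak = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        for directive, bad, good in APACHE_CHECKS:
            if parts[0].lower() == directive.lower() and parts[1:2] == [bad]:
                weak.append({"file": "httpd.conf", "setting": directive,
                             "value": bad, "recommended": good})
        if parts[0].lower() == "options" and "indexes" in (p.lower() for p in parts[1:]):
            weak.append({"file": "httpd.conf", "setting": "Options", "value": "Indexes",
                         "recommended": "drop Indexes (directory listing)"})
    return weak


if __name__ == "__main__":
    for item in analyze_log(SAMPLE_LOG) + check_php_ini(SAMPLE_PHP_INI) + check_httpd_conf(SAMPLE_HTTPD_CONF):
        print(item)
```

Decoding before matching is the step most home-grown log greps skip; the second sample line would not match `<script` in its raw form. On the configuration side, `register_globals` is present but already Off, so it is correctly not reported, which is the behaviour you want from a hardener that will be run repeatedly after fixes.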

Page 13: Syhunt Presentation 2011

WAVSEP 2011 Comparison: WAVSEP Comparison

- Independent web application scanner accuracy tests produced every year by Shay Chen (OWASP Israel), an application security consultant
- The most comprehensive ever made (a total of 60 tools were included this year, including the leading commercial tools)
- What did we find out?

Page 14: Syhunt Presentation 2011

WAVSEP 2011 Comparison: Sandcat Accuracy Tests (August 2011)

- We have the best XSS vulnerability detection rate in the market
  - #1 when the Free Edition of Sandcat is compared with other free and open source tools
  - #2 when Sandcat Pro is compared to other commercial tools such as IBM AppScan, HP WebInspect and others
    - Sandcat Pro, AppScan and ParosPro top the WAVSEP benchmark charts with 100 percent or near-100 percent XSS detection rates

Page 15: Syhunt Presentation 2011
Page 16: Syhunt Presentation 2011

WAVSEP 2011 Comparison: Sandcat Accuracy Tests (August 2011)

- SQL Injection (SQLi)
  - Sandcat also scored a 100 percent error-based SQL Injection detection rate
    - Sandcat excelled at identifying an additional large set of 80 error-based SQL Injection vulnerabilities (detected 100% of the vulnerabilities, both GET-based and POST-based)
    - Sandcat's SQL Injection checks cover several types of databases

Page 17: Syhunt Presentation 2011

WAVSEP 2011 Comparison: Sandcat Accuracy Tests (August 2011)

- Sandcat scored a 100 percent detection rate running at half its capabilities
  - Sandcat's white-box (source code) scanning capabilities were not covered in the tests.

Page 18: Syhunt Presentation 2011

Additional Highlights: Standards & Additional Info

- Sandcat makes the list of CVE-compatible products and services maintained by the Mitre Corporation, which created the standard.
- Invited this year by the U.S. NIST (National Institute of Standards and Technology) to participate in the Static Analysis Tool Exposition (SATE)
  - SATE's goal: advance research in the field of static analysis tools

Page 19: Syhunt Presentation 2011

Additional Highlights: Standards & Additional Info

- Used by the U.S. Department of Defense
- Listed and covered in the Information Assurance Tools Report published this year (2011) by the U.S. Department of Defense's IATAC (Information Assurance Technology Analysis Center), alongside leading tools

Page 20: Syhunt Presentation 2011

Customers: Where they come from

- From over 26 countries. Mainly from the United States, United Kingdom and Canada
- From different markets and industries
  - Consulting, Education/Government, Finance, Banking, and Insurance, High Technology & Software, Hospitality, Travel & Tourism, Telecommunications, etc.

Page 21: Syhunt Presentation 2011

Customers: Where they come from (Government & Military)

- NASA, US NOAA, US DoE (Department of Energy) and others
- US Navy, UK's Royal Air Force
- Intelligence Agencies
  - CSE (Canada's intelligence agency)
  - CISEN (Mexico's intelligence agency)

Page 22: Syhunt Presentation 2011

The End: Thank You

More Info: www.syhunt.com
Twitter: @syhunt
Email: [email protected]