Improving Test Coverage of Standalone Vulnerability Scanner when Scanning HTTP API
Uusikorpi, Taneli (2018)
Automation Engineering
Faculty of Engineering Sciences
This publication is copyrighted. You may download, display and print it for your own personal use. Commercial use is prohibited.
Date of acceptance
2018-05-09
Permanent address of the publication:
https://urn.fi/URN:NBN:fi:tty-201804091466
Abstract
Information security and security testing are important for software companies: even if a company's own information has never been compromised, a single piece of bad news about badly implemented security can cause irreparable damage to market value and future sales. Standalone vulnerability scanners make it easy to implement security testing, but their real effectiveness, and how they actually work, remain in the dark if the security tester does not know enough about penetration testing, the technologies used in the software, and the methods used to reveal vulnerabilities.
The Finnish software company M-Files has developed M-Files Web Service, a REST-like HTTP API used for communication between its document management system and client applications on web and mobile platforms. The goal of my master's thesis was to study web application security testing and to understand the functionality, limitations and technical challenges of standalone vulnerability scanners for web applications. In addition, solutions were suggested and implemented that improve the results when M-Files Web Service is scanned with a standalone vulnerability scanner. The reconnaissance phase was improved by creating an application that retrieves information about every method of M-Files Web Service directly from the source code and uses this information to send valid requests to the scanner. The attack surface is therefore always up to date, and shortcomings caused by inadequate documentation or environment are overcome. This component improved testing coverage by 125 percent compared to the previous manual solution. The second component created was a proof-of-concept (POC) extension to OWASP ZAP that improves active scanning by ensuring that the environment is in the best state to reveal vulnerabilities: it executes pre-steps before every attack request sent by OWASP ZAP. The solution required modifications to the core source code of OWASP ZAP, but it was shown that the suggestion could work and produce better results. Some issues caused by the customization of OWASP ZAP were left unsolved, so this component is not yet ready for production.
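As an added illustration of the first component (seeding the scanner with one valid request per API method and then measuring how much of the method inventory the scanner's request history actually reached), the following example code is not from the thesis or from M-Files: the endpoint inventory, base URL and parameter values are constructed, and a real implementation would extract the inventory from the API source code as the thesis describes.

```python
import json
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class ApiMethod:
    verb: str
    path: str                                   # template, e.g. /REST/objects/{type}/{id}
    path_params: Dict[str, str] = field(default_factory=dict)  # values that make the request valid
    body: Optional[dict] = None

# Constructed inventory of a hypothetical document-management REST API (not M-Files' real API).
BASE_URL = "http://api.example.test"
INVENTORY = [
    ApiMethod("GET", "/REST/session"),
    ApiMethod("POST", "/REST/session", body={"Username": "tester", "Password": "<placeholder>"}),
    ApiMethod("GET", "/REST/objects/{type}/{id}", {"type": "0", "id": "1"}),
    ApiMethod("PUT", "/REST/objects/{type}/{id}/title", {"type": "0", "id": "1"}, {"Value": "renamed"}),
    ApiMethod("DELETE", "/REST/objects/{type}/{id}", {"type": "0", "id": "1"}),
]

Request = Tuple[str, str, Dict[str, str], Optional[str]]   # verb, url, headers, body

def build_seed_requests(base_url: str, inventory: List[ApiMethod]) -> List[Request]:
    """One concrete, valid request per inventoried method, ready to replay through the
    scanner's proxy so that every method lands in the scanner's history."""
    seeds = []
    for m in inventory:
        url = base_url + m.path.format(**m.path_params)
        headers = {"Accept": "application/json"}
        body = None
        if m.body is not None:
            headers["Content-Type"] = "application/json"
            body = json.dumps(m.body)
        seeds.append((m.verb, url, headers, body))
    return seeds

def _template_regex(base_url: str, template: str) -> "re.Pattern[str]":
    # Each {param} segment matches exactly one path segment; everything else is literal.
    parts = [r"[^/?]+" if p.startswith("{") and p.endswith("}") else re.escape(p)
             for p in template.split("/")]
    return re.compile("^" + re.escape(base_url) + "/".join(parts) + r"(\?.*)?$")

def coverage_from_history(base_url, inventory, history: List[Tuple[str, str]]):
    """Map the scanner's (verb, url) history back to inventory templates.
    Returns (fraction of methods reached, list of methods the scanner never saw)."""
    missed = [(m.verb, m.path) for m in inventory
              if not any(v == m.verb and _template_regex(base_url, m.path).match(u)
                         for v, u in history)]
    return 1 - len(missed) / len(inventory), missed

def relative_improvement(before: float, after: float) -> float:
    """Relative coverage gain of the automated seeding over the manual baseline."""
    return (after - before) / before
```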