
Is Your Website Hackable?


carlosb

Presentation Transcript


  1. Acunetix Web Vulnerability Scanner V9
     Is Your Website Hackable? Check with Acunetix Web Vulnerability Scanner.

  2. Company Overview
     • Founded 2004
     • Pioneer in Web Application Security
     • Unique Technology - AcuSensor
     • OWASP Member
     • Award Winning Software
     • Fortune 500 Customers
     • License Holder of IBM Patent
     • Patent # 6,584,569

  3. WVS V9 in a nutshell - 1 of 2
     • FULL HTML5 support
     • Improved crawling capabilities, with particular attention to dynamic pages using AJAX, JavaScript and Single Page Applications
     • Improved support for Mobile friendly sites

  4. WVS V9 in a nutshell – 2 of 2
     • Detection of DOM based XSS
     • Detection of Blind XSS (unique to WVS)
     • Detection of new vulnerabilities
       • Server Side Request Forgery (SSRF)
       • XML External Entity (XXE)
       • Mail Header Injection
       • Host Header based attacks

  5. FULL HTML5 support
     • New HTML / Script evaluation engine
       • Same as the one used in Chrome / Safari
       • Used in 40% of the world’s internet browsing
     • Introduces FULL support for HTML5
       • 34% of Alexa’s Top 100 sites implemented in HTML5 in Sept 2011
       • HTML5 will eventually replace Flash
     • http://testhtml5.vulnweb.com

  6. Improved Crawling capabilities
     • Superior JavaScript evaluation
     • Increased support for AJAX sites and other JavaScript based web sites
     • Introduced support for Single Page Applications (https://en.wikipedia.org/wiki/Single-page_application)
     • You can only scan what has been crawled

  7. Improved support for Mobile Friendly sites – 1 of 2
     • 1 billion smartphones used worldwide (http://www.go-gulf.com/blog/smartphone/)
     • In Asia, Internet browsing from mobile increased threefold between 2011 and 2012 (http://gs.statcounter.com)
     • 2 versions of the same website – one for normal browsers, and another for mobiles, smartphones and tablets

  8. Improved support for Mobile Friendly sites – 2 of 2
     • WVS v9 detects mobile friendly sites at pre-crawl stage and gives the option to focus the scan on one version of the site
     • Our HTML / Script evaluation engine is the layout engine of choice for the default browsers in iPhone, Android, Blackberry and Amazon Kindle.

  9. Detection of DOM XSS – 1 of 2
     • 3 types of XSS – Stored, Reflected and DOM based
     • OWASP Top 10, 2013 classifies XSS as ‘Very Widespread’
     • Client scripts often process the Document Object Model (DOM)
     • DOM can sometimes be manipulated so as to introduce custom scripts in the DOM

  10. Detection of DOM XSS – 2 of 2
     • Different from Stored or Reflected XSS, since the payload is placed in the DOM (in the browser) and not on the page served by the web site
     • Advanced techniques do not send the payload to the server, making exploitation completely invisible to the website’s owner
     • Detection requires advanced interpretation of JavaScript
     • https://www.owasp.org/index.php/DOM_Based_XSS

  11. Detection of Blind XSS - 1 of 2
     • Blind XSS is a type of Stored XSS where the payload is injected from one web application and executed in another web application
     • Example:
       • Hacker injects XSS on website in support request form
       • XSS is executed when Support open the request from the Support portal

  12. Detection of Blind XSS - 2 of 2
     • Blind XSS detection requires AcuMonitor (Acunetix Vulnerability Verification Service (VVS)) to be enabled
     • How blind XSS works
       • Acunetix WVS probes an XSS-prone web form and tries to inject scripts in doing so.
       • Scripts are stored in the database, but never executed on the main web application.
       • After some time, the script is executed from the other web application, which makes a web request to AcuMonitor

  13. Detection of Blind XSS - 3 of 3
     [Diagram: Scan -> Web Site -> XSS stored in DB -> XSS loaded in backend webapp (Admin) -> Script informs VVS -> VVS informs admin by email]
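The two XSS classes described in slides 9-10 and 11-12, as an added example that is not code from the Acunetix deck: each sink is shown in its vulnerable form beside the fixed form, and a helper shows why a fragment-carried DOM XSS payload never reaches the server. The welcome page, the ticket store and all sample values are constructed for illustration.

```javascript
// Added example, not from the Acunetix deck. Pure functions return the HTML
// string a page would assign to innerHTML, so this runs under Node with no DOM.

// Escape text that is placed inside HTML element content.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// --- DOM based XSS (slides 9-10): the greeting comes from the URL fragment ---
// What the server sees: browsers never transmit the fragment, so the payload
// appears in no access log and no server-side filter can inspect it.
function requestLineSeenByServer(url) {
  const u = new URL(url);
  return `GET ${u.pathname}${u.search}`; // u.hash is deliberately absent
}
function fragmentName(url) {
  // The URL parser percent-encodes < > and space inside the fragment; a naive
  // page decodes them back before use, which is what makes the sink exploitable.
  return decodeURIComponent(new URL(url).hash.slice(1));
}
function greetingHtmlVulnerable(url) {
  return `<h1>Welcome ${fragmentName(url)}</h1>`;             // markup in the name runs
}
function greetingHtmlFixed(url) {
  return `<h1>Welcome ${escapeHtml(fragmentName(url))}</h1>`; // or set textContent instead
}

// --- Blind XSS (slides 11-12): stored by one application, rendered by another ---
const ticketDb = []; // stands in for the shared database (constructed)
function submitSupportTicket(subject, body) {
  // The public support form stores the text verbatim and never renders it,
  // so the main site shows no symptom at submission time.
  ticketDb.push({ subject, body });
  return ticketDb.length - 1;
}
function adminPortalRowVulnerable(id) {
  const t = ticketDb[id];
  return `<tr><td>${t.subject}</td><td>${t.body}</td></tr>`; // fires later, in a staff browser
}
function adminPortalRowFixed(id) {
  const t = ticketDb[id];
  return `<tr><td>${escapeHtml(t.subject)}</td><td>${escapeHtml(t.body)}</td></tr>`;
}
```

The fixed variants encode on output, which is the control that holds regardless of which application stored the text or how long it sat in the database.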

  14. Detection of New Vulnerabilities
     • Server Side Request Forgery (SSRF)
     • XML External Entity (XXE)
     • Mail Header Injection
     • Host Header based attacks

  15. Acunetix Blog: http://www.acunetix.com/blog
     Acunetix Facebook Page: http://www.facebook.com/Acunetix
     List of Checks Run by Acunetix WVS: http://www.acunetix.com/support/vulnerability-checks.htm
     Contact Us: sales@acunetix.com
     Tel EMEA, Asia: +44 330 202 0190 / Tel Americas: +1 888 593 5285
     www.Acunetix.com
