Debugging Web Applications and Web Services
I think that I am getting addicted to this forum. You people really provide good, detailed information about the needful things (you all really rock). Now I am here to get some debugging notes about the applications and services that are related to the web. You must know that vulnerabilities in Web applications and Web services are a dangerous gateway into corporate IT. I read somewhere that web application scanners automate the troubleshooting of web applications and reduce the time for the bug search dramatically. Is this true? Also, I want to know how a web application scanner works. I am hoping that you people will continue to help me.
Re: Debugging Web Applications and Web Services
Whether online shopping, online banking or just a simple Internet search, interactive Web pages with forms and input fields are at the core of the Internet. Their platform-independent operation in a browser makes Web applications interesting for all business areas. But astonishingly, many Web applications have serious security flaws. These are all the more serious because internal company data can be spied on from anywhere in the world. The blame often lies with a tight schedule that leaves little time for debugging a new release of an application. But even well-informed and experienced programmers with no time pressure can make mistakes, which may have serious consequences; in the worst case, commands can be run on the underlying systems or confidential data read from the database. Basically, the sooner such vulnerabilities are recognized in the development phase, the easier they are to fix. To eliminate these shortcomings in time, two approaches are recommended. One is static (source code) analysis, which attempts, based on the produced code, to trace the flow of data and detect errors in logic and data processing. The other is the dynamic verification of an executable application, on which this review will center.
Re: Debugging Web Applications and Web Services
Dynamic verification, the classic "Web Audit", includes time-consuming manual tasks, but it can also be automated to some extent: Web application scanners support this, and with their help many vulnerabilities in an application can be detected efficiently. Unlike conventional network scanners such as "Nessus" or "Retina", which look for vulnerabilities at the operating system and service level, these special tools work on a higher level and interact with the application, like a browser, only over the HTTP(S) channel.
Re: Debugging Web Applications and Web Services
In general, a Web application scanner works in two consecutive steps: First, the structure and all pages of an application are scanned. For this the scanner must be capable of so-called crawling, following links to other pages even if they are dynamically generated, for example in the form of a JavaScript menu. In addition, the tool has to recognize when it runs in a cycle, that is, when it visits the same page again and again. For difficult cases, most products offer a manual mode for the crawl: the auditor can click through the application in a browser and so define which pages and areas will be reviewed by the scanner. The second step of the scanning process is the actual vulnerability scanning. Each page that the scanner captured during the crawl is examined individually and repeatedly. All form fields and parameters within the page are preset with specific attack patterns and then sent to the Web application in order to evaluate its response to the attack pattern. From the answer, for example using the HTTP status codes (e.g. "200 OK" or "500 Internal Server Error") or error messages in the HTML body, it can be recognized whether the application fell for the attack.
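To make the first step concrete, here is an added example (not code from this thread or from any product named in it) of the crawl and inventory phase: it walks a constructed in-memory site, skips pages it has already fetched so that fragment and query-string variants do not send it in a cycle, and records every query parameter and form field per page, which is exactly the input list the second step would later exercise. The site map, URLs and parameter names are all made up for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urldefrag, urljoin, urlsplit

# Constructed in-memory site (URL -> HTML); stands in for the HTTP GETs a real crawler issues.
SITE = {
    "http://shop.example/": '<a href="/catalog">Catalog</a><a href="/login.php">Login</a>'
                            '<a href="/old">Dead link</a>',
    "http://shop.example/catalog": '<a href="/">Home</a><a href="/catalog#top">Top</a>'
                                   '<a href="/item?id=7">Item 7</a><a href="/item?id=8">Item 8</a>',
    "http://shop.example/item": '<form action="/review" method="post"><input name="stars">'
                                '<textarea name="text"></textarea></form><a href="/catalog">Back</a>',
    "http://shop.example/login.php": '<form action="/login.php"><input name="user">'
                                     '<input name="pass" type="password"></form>',
}

class PageParser(HTMLParser):
    """Collects outgoing links and the input names of every form on one HTML page."""
    def __init__(self, base_url):
        super().__init__()
        self.base, self.links, self.forms, self._form = base_url, [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(urljoin(self.base, a["href"]))
        elif tag == "form":
            self._form = {"action": urljoin(self.base, a.get("action", "")),
                          "method": a.get("method", "get").upper(), "fields": []}
            self.forms.append(self._form)
        elif tag in ("input", "textarea", "select") and self._form and a.get("name"):
            self._form["fields"].append(a["name"])

def crawl(site, start):
    """Breadth-first crawl keyed on the URL without fragment or query, so '/catalog#top'
    and '/item?id=8' do not trigger a second fetch (the cycle detection the post describes)."""
    queue, inventory = [start], {}
    while queue:
        parts = urlsplit(urldefrag(queue.pop(0))[0])
        key = parts._replace(query="").geturl()
        entry = inventory.setdefault(key, {"params": set(), "forms": [], "fetched": False})
        entry["params"].update(parse_qs(parts.query, keep_blank_values=True))
        if entry["fetched"]:
            continue
        entry["fetched"] = True
        html = site.get(key)
        if html is None:           # dead link: keep the endpoint in the inventory, nothing to parse
            continue
        parser = PageParser(key)
        parser.feed(html)
        entry["forms"].extend(parser.forms)
        queue.extend(parser.links)
    return inventory
```

Running `crawl(SITE, "http://shop.example/")` fetches each of the five endpoints exactly once and reports, for instance, that `/item` takes a query parameter `id` and carries a POST form with the fields `stars` and `text`.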
Re: Debugging Web Applications and Web Services
With good products, not only Web applications but also Web services can be checked for vulnerabilities. The procedure is similar, but the first step, the crawl, is omitted, since the available functions can be inferred from the Web service definition, the WSDL file. Vulnerabilities in Web services, however, may have the same impact as in Web applications. In addition to an automated check, specialized service providers scan the complete Web application manually. This elaborate inspection is necessary because there are vulnerabilities that a scanner does not find or does not interpret correctly. In general, all parameters on each page are considered separately and, similar to the scanner, different attack patterns are tried. This step requires the greatest know-how across the whole Web audit. Basically, it takes experience and background knowledge to run an audit sensibly and with the best possible outcome. In this country, many companies promise help by offering testing of Web applications. Methods, tools and experience should be questioned in individual cases, because very few security companies are in fact specialists in this and bring the necessary know-how. But even without profound in-house knowledge, companies can sometimes achieve good results with a Web application scanner. Some products, such as the Acunetix Web Vulnerability Scanner, are easy to use and for little money provide better results than a false sense of security from the cheapest external provider.
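The post says that for Web services the crawl is replaced by reading the WSDL. As an added example (not from this thread or any of the products mentioned), the following reads a constructed WSDL 1.1 document with an embedded XML Schema and derives the same kind of inventory a crawler would produce for a Web application: each portType operation mapped to the names and types of its input parameters. The service, operation and parameter names are invented; the parser assumes a single target namespace and strips the `tns:` prefix from references.

```python
import xml.etree.ElementTree as ET

WSDL_NS = "{http://schemas.xmlsoap.org/wsdl/}"
XSD_NS = "{http://www.w3.org/2001/XMLSchema}"

# Constructed WSDL 1.1 document (document/literal style) with an embedded schema; not a real service.
SAMPLE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:tns="urn:example:orders"
    targetNamespace="urn:example:orders">
  <types><xs:schema targetNamespace="urn:example:orders">
    <xs:element name="GetOrder"><xs:complexType><xs:sequence>
      <xs:element name="orderId" type="xs:int"/><xs:element name="customer" type="xs:string"/>
    </xs:sequence></xs:complexType></xs:element>
    <xs:element name="CancelOrder"><xs:complexType><xs:sequence>
      <xs:element name="orderId" type="xs:int"/><xs:element name="reason" type="xs:string"/>
    </xs:sequence></xs:complexType></xs:element>
  </xs:schema></types>
  <message name="GetOrderIn"><part name="body" element="tns:GetOrder"/></message>
  <message name="CancelOrderIn"><part name="body" element="tns:CancelOrder"/></message>
  <portType name="OrderPort">
    <operation name="GetOrder"><input message="tns:GetOrderIn"/></operation>
    <operation name="CancelOrder"><input message="tns:CancelOrderIn"/></operation>
  </portType>
</definitions>"""

def local(qname):
    """'tns:GetOrder' -> 'GetOrder' (prefix stripped; assumes one target namespace)."""
    return qname.split(":")[-1]

def wsdl_inputs(wsdl_xml):
    """Map each portType operation to the (name, type) list of its input parameters."""
    root = ET.fromstring(wsdl_xml)
    # Schema elements with a complexType body: element name -> its child parameters
    elements = {}
    for el in root.iter(XSD_NS + "element"):
        if el.get("name") and el.find(XSD_NS + "complexType") is not None:
            elements[el.get("name")] = [(p.get("name"), p.get("type"))
                                        for p in el.iter(XSD_NS + "element") if p is not el]
    # Messages: message name -> schema elements referenced by its parts
    messages = {m.get("name"): [local(p.get("element")) for p in m.findall(WSDL_NS + "part")]
                for m in root.findall(WSDL_NS + "message")}
    inputs = {}
    for pt in root.findall(WSDL_NS + "portType"):
        for op in pt.findall(WSDL_NS + "operation"):
            msg = local(op.find(WSDL_NS + "input").get("message"))
            inputs[op.get("name")] = [param for e in messages[msg] for param in elements.get(e, [])]
    return inputs
```

`wsdl_inputs(SAMPLE_WSDL)` yields `GetOrder` with `orderId`/`customer` and `CancelOrder` with `orderId`/`reason`, i.e. the complete list of inputs a scanner or a manual auditor would have to consider without crawling anything.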
Re: Debugging Web Applications and Web Services
If you are considering buying a Web application scanner, however, you should evaluate the products carefully in advance, as all of them have strengths and weaknesses in dealing with specific techniques or session mechanisms. The two most popular tools on the market are "HP WebInspect" (formerly SPI Dynamics) and "IBM AppScan" (formerly Watchfire). Both offer not only many possible configurations and attack patterns but also practical tools for the manual review of detected vulnerabilities. An equally powerful product is "Cenzic Hailstorm", which, however, requires a certain amount of technical know-how due to its complexity.