News

The Complex World of Web Application Security Testing – Part Two by Nithiya Subramanian and Shruthi Jagadeesh

In the second of this two-part blog, Triad consultants Nithiya Subramanian and Shruthi Jagadeesh run through the four tools that they used to test the digital service that Triad developed for the Department for Transport (DfT).

If you’ve read part one of this blog, then you’ll know that we researched and tested a variety of web security tools to assess the digital service that Triad developed for the Department for Transport (DfT). We also did our best to break down the complex world of web security testing to explain some of the key phrases and testing methods that we think you should know.

In part two, we walk you through the four tools that fit our criteria, and we explain the pros and cons of each, before highlighting the web security tool that we think did the best job for us.

Let’s begin, shall we?

Web Application Security tool analysis

We selected the following web security tools to test the digital service against our criteria (see part one of this blog):

  1. ZAP (Zed Attack Proxy)
  2. BURP SUITE
  3. VEGA
  4. WAPITI
  1. ZAP

Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool maintained under the Open Worldwide Application Security Project (OWASP) umbrella. ZAP is designed specifically for testing web applications and is both flexible and extensible.

ZAP is an ideal proxy between the client’s web browser and your server. This tool can be used to monitor all communications and intercept malicious attempts. It provides a REST-based API that can be used to integrate it with your technology stack easily.

https://www.zaproxy.org/

Pros:

  • ZAP could identify more vulnerabilities in our live digital service compared to other tools we have used, and it also provides sufficient details to understand the issue and references for fixing them.
  • Easy to install (using a multi-platform installer builder).
  • Automated scanning – ZAP could crawl the web application with its spider and passively scan each page it finds. Then ZAP uses an active scanner to attack all the discovered pages, functionality, and parameters. The resultant report provided details of all requests & responses for each of the calls made and all the vulnerabilities with references to fix them.
  • Manual scanning – ZAP’s Manual scanning found more vulnerabilities compared to automated scanning.
  • Customizable parameters to ensure flexible scan policy administration.
  • Traditional and AJAX web crawlers scan every page of the web application.
  • The solution is constantly evolving with active development. The Heads-Up Display (HUD) is a new feature added recently that provides capabilities right in the browser. It is great for people new to web security and experienced testers alike.

Cons:

  • The product does not allow users to customize the report based on their needs. For example, suppose the user needs to test only the vulnerability of SQL injection and not any other category or vulnerabilities. In that case, it is better to provide end users with a way to choose the subject they want to audit and the severity of the vulnerability.
  • ZAP’s integration with cloud-based CI/CD pipelines could be better. ‘Aggressive scan’ does not have a time limit and does perform ‘attacks’ for a long time. Not ideally suited for CI but is a useful tool for release-gates.

Report:

  1. BURP SUITE

Burp Suite is an integrated platform/graphical tool for performing security testing of web applications. It supports the entire testing process, from initial mapping and analysis of an application’s attack surface, to finding and exploiting security vulnerabilities.

Burp Suite is installed by default in Kali Linux. The tool is written in Java and developed by PortSwigger Web Security. In addition to basic functionality, such as proxy server, scanner and intruder, the tool also contains more advanced options such as a spider, a repeater, a decoder, a comparer, an extender, and a sequencer.

https://portswigger.net/burp

Pros:

  • The tool offers a variety of customization options that allow users to tailor it to their specific needs. It offers a wide range of features and functionalities that can help users conduct comprehensive security testing of web applications.
  • It is possible to carry out manual security tests of web applications and mobile applications using this tool. The advantage is that you can also securely test the vulnerabilities related to the business logic of these apps.
  • It uses a local proxy, so it allows you to intercept the traffic of the applications to find vulnerabilities.
  • It also allows you to manipulate the attribute fields of intercepted traffic to find any flaws inside applications.
  • Burp tool can be automated using Selenium.
  • Reports can be downloaded in HTML / XML format.
  • Reports have detailed information on the issue found and remedies.

Cons:

  • Does not describe how to test different vulnerabilities, which can be challenging if you are a new user of this tool.
  • The community edition provides a limited number of features compared to the professional edition. Since many researchers use the community edition for security testing, they should provide more features that would be helpful.
  • Setup for proxies is cumbersome and took some time to get set up. There is a lot to be done outside of Burp itself for this to work.
  • User interface and Feature explaining in tutorials is not user-friendly.
  • Free edition is limited to 15 minutes of scanning.

Report:

 

  1. VEGA

Vega is a free and open-source web security scanner and web security testing platform to test the security of web applications.

Pros:

  • Vega can help you find and validate SQL Injection, cross-site scripting, inadvertently disclosed sensitive information and other vulnerabilities.
  • Vega includes an automated scanner for quick tests and an intercepting proxy for tactical inspection.
  • GUI Based.
  • Multi-platform. Vega is written in Java and runs on Linux, OS X, and Windows.
  • Vega detection modules are written in JavaScript. It is easy to create new attack modules using the rich API exposed by Vega.
  • Using target scan we can add multiple URL paths to scan.
  • Scan Info on the app has detailed information about the issue.

Cons:

  • User Interface is not user-friendly.
  • Vega is not able to find all the vulnerabilities compared to ZAP or BURP Suite.
  • Downloading report option is not available.

https://subgraph.com/vega/

Report:

  1. WAPITI

Wapiti allows you to audit the security of your websites or web applications. It performs “black box” scans (it does not study the source code) of the web application by crawling the webpages of the deployed web app, looking for scripts and forms where it can inject data.

Pros:

  • Wapiti acts like a fuzzer and injects payloads to see if a script is vulnerable. Wapiti could detect vulnerabilities, such as file-handling errors, database injection, cross-site scripting, LDAP injection and CRLF injection.
  • Wapiti is easy to use. It utilises open source. The user does not have to be an expert in security testing.

Cons:

  • Wapiti is not able to find all the vulnerabilities compared to ZAP or BURP
  • Installation in Windows platform is a challenge and we could not get it working (this has been reported by other users in their community forum )

https://wapiti-scanner.github.io/

Sample Report:

Final Thoughts on the Web Application Security tools we tested

Wapiti is a command-based tool. We didn’t find it user-friendly. It is not supported in a Windows environment, and it has no support for automation. Wapiti also detects fewer vulnerabilities compared to Zap and Burp.

We also found Vega to be not particularly user-friendly, with the reporting feature inefficient. Vega also detected fewer vulnerabilities compared to Zap and Burp.

Burp Suite is a popular commercial web application pen testing tool. It provides a free (closed source) Community edition and a paid Professional edition. We found the tool easy to use, with great reporting features.

ZAP provides most of the features available in both the Professional and Community editions of Burp Suite. ZAP isn’t intended to be a Burp Suite clone; it has a unique way of working. So, don’t expect the ZAP and Burp Suite features to be the same. We found that in some cases Burp Suite provided more options, whereas ZAP exceeded Burp Suite’s capabilities in other areas.

Our users claimed ZAP to be reporting false positives which might be a downside for the tool, but still with a proper analysis of the report this could be mitigated. In fact, we would suggest that a proper analysis of the output is needed for any tool.

With our experience using each tool against our digital service, ZAP was able to find a superset of those found by BURP Suite. The test reports produced by ZAP have enough information for the developers to understand and fix the problem which is an added advantage. We have also shared and discussed the test results from ZAP & BURP Suite with the Development team, and they agreed the vulnerabilities found by ZAP were valid and without any false positives.

Whilst ZAP and BURP Suite both integrate well with the Selenium web driver for security test automation, ZAP also provides its own automation framework and can be integrated and used within CI\CD pipelines without needing to rely on Selenium.

ZAP is open-source and is a prominent tool in the market, sets high standards and is user friendly. The ZAP community is continually active, and they have plans to further improve the system to bring in more features and benefits.

We hope that you have found our blog of two halves useful. If you are interested in security testing or have a question for the Triad Automation test team, please get in touch.

 

Recent Posts

A day in my life, by Sreeparna Goswami

Read news story

Dual-Track Agile – when everyone is a researcher, by Dan Moore and Lucille Harvey

Read news story