Copyright © 2019 for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0)

Recommended Practices for the Analysis of Web Application Vulnerabilities

Vitali V. Varenitca, Certification Department, NPO Echelon, JTC, Moscow, Russia, www@cnpo.ru
Alexey S. Markov, Information Security Department, Bauman Moscow State Technical University, Moscow, Russia, a.markov@bmstu.ru
Vladislav V. Savchenko, Certification Department, NPO Echelon, JTC, Moscow, Russia, mail@cnpo.ru

Abstract. The paper is dedicated to the information security of web applications. It discusses the main classes of web application vulnerabilities and the related regulatory documents. An original procedure for the analysis of web application vulnerabilities is suggested, and its conformity with modern standards is demonstrated. The paper highlights some issues of concern associated with the analysis of vulnerabilities and the identification of existing web application vulnerabilities, and suggests a few ways to solve them. The effectiveness and efficiency of the technique have been confirmed by the vulnerability statistics collected in the course of software certification for compliance with information security requirements.

Keywords – assessment of web application security, vulnerability assessment, vulnerability analysis technique.

I. INTRODUCTION

Timely identification of vulnerabilities is one of the most crucial tasks of web application testing [1-6]. The importance of this problem is attributed to a number of reasons, the key ones being [7-15]:
— Existing vulnerabilities imply poor security of the data processed by web applications.
— It is difficult to identify various classes of web application vulnerabilities using static analyzers.
— The constantly growing complexity of modern web applications, the number of problems they solve and their level of integration with other software and hardware make a complete analysis of the software code infeasible within the limited resources allocated for testing.
— Certain classes of web application vulnerabilities cannot be identified using automation tools alone, without a comprehensive vulnerability analysis.
— Regular vulnerability analysis helps minimize the risks associated with eventual intrusion and violation of the integrity, availability and confidentiality of the data processed by the web application.

Here, existing vulnerabilities mean web application vulnerabilities that are confirmed by the developer or for which an exploitation scenario exists [16, 17].

We have analyzed the information available in open information sources (OIS) in order to identify the causes of web application vulnerabilities and vulnerability exploits. To date, the Open Web Application Security Project (OWASP) is one of the most comprehensive open information sources. OWASP regularly publishes information on existing web application attack techniques as well as a rating of attacks based on their implementation complexity, frequency and criticality. The Vulners (https://vulners.com/), CVE (https://cve.mitre.org/) and NIST (https://www.nist.gov) databases and the data bank of security threats of the Federal Service for Technical and Export Control of Russia (https://bdu.fstec.ru) can also be useful.

II. METHODOLOGICAL APPROACH TO WEB APPLICATION VULNERABILITY ANALYSIS

To make web application vulnerability analysis more effective, a vulnerability analysis technique that draws on the information available in open sources has been developed.

At first, the developer's software documents, including the source code, need to be obtained. In addition to the software documents, the expert can obtain the set of tests the developer carries out during the routine analysis of the product vulnerabilities, and other types of tests. The developer can also provide a test bench to enable familiarization with the product and ad hoc testing.

At this stage, the expert should study the public information sources to improve his/her awareness of the goals and tasks the tested product solves, the product purpose and its main functional features. The information should be sought in the following publicly available sources:
- OWASP Foundation – the free and open software security community (https://www.owasp.org).
- The software developer's website.
- Other sources that contain information about the tested software or about similar software.

The search for information to expand the initial data should be based on the following criteria:
- Product name and version.
- Names of similar software.
- Names of products whose architecture is similar to that of the tested product.
- The expert's assumptions about the technologies used in the tested product, based on the expert's experience and qualification.

The next stage is ad hoc testing of the product. The expert shall use a bench with the product installed and configured as required by the documents. To complete this step, the expert can:
- Use the bench prepared by the developer for ad hoc testing.
- Install and configure the product as required by the documents on his/her own.
- Use the product installed as part of an existing information system.

During this step, the expert shall:
- Examine the product.
- Test the product, trying to disrupt the software operation or make it stop as soon as possible.
- Define the list of tools the expert plans to use to identify defects in the code or product configuration.

A product can be tested by:
- Changing the configuration of the product and of the tools the product interacts with during operation.
- Using different variations of input data.
- Making the product process data known to be incorrect.
- Making intentional attempts to put the product out of operation.
- Studying the responses to specially formulated requests to the product.

At the end of ad hoc testing, the following shall be documented:
- Potential weaknesses of the software which, in the expert's opinion, may be evidence of defects in the software code.
- Names of potentially vulnerable technologies used to implement functional features of the product.
- The list of potentially unsafe product configurations.

III. CONFIGURATION OF THE SOFTWARE OPERATIONAL ENVIRONMENTS

The expert shall then carry out exploratory testing, of which the ad hoc testing is a part, using the steps listed below.

The expert shall prepare for the exploratory testing by obtaining a bench with the product installed and configured as required by the documents; where necessary, the expert shall install and configure the product on his/her own. The bench shall allow all types of product research in all operation modes defined in the documents or in the tests required by the customer. When preparing the test bench, the expert shall perform the following steps:
- Software installation and configuration in compliance with the operating documentation.
- Development and implementation of the security measures required for the software research.

Preparation of the test bench shall include the deployment and configuration of all operational environments in which the product can operate according to the operating documentation or which are specified by the customer, and the identification of the tools required to perform the tests. The operational environments shall be installed, configured and adjusted in compliance with the relevant operating documentation. In case of any conflict between the requirements specified in the environment documents and the requirements for the environments in the software documents, the expert shall use the requirements defined in the environment documents and record the conflict. The expert shall analyze the conflict during the analysis of the product configuration in the further steps of this technique.

The expert shall analyze the available product documents and open information sources to obtain complete information about the product, namely:
- Identification characteristics of the tested product.
- Identification characteristics of the software forming the environment in which the tested product operates.
- Identification characteristics of the borrowed (third-party) software.
- Identification characteristics of the technologies used in the tested product.

After the identification characteristics are defined, the expert shall analyze the documents for the tested product and perform a direct analysis of the product in order to define the set of product input interfaces, to understand how these interfaces process the data, and to identify any additional potential vulnerabilities of the product. During this step, the expert shall use expert analysis, documentation analysis and automated tools to identify the input interfaces of the tested product through which the product can be influenced. The analysis shall result in a set of entry points the expert can use to produce a direct impact on the product.

After all input interfaces of the product have been identified, the researcher shall get an idea of the structure and type of data that can be sent to each identified interface. Then the expert shall define the input interfaces that affect the operation of the product security mechanisms.

After identifying the input interfaces of the product, the expert shall analyze the open sources for information on existing vulnerabilities of the product, its operational environment or the technologies used to design the product, and document the findings. To complete this step, the expert shall use the identification characteristics determined previously. The expert shall search for known (confirmed) vulnerabilities of the product using the following publicly available information sources:
- Data bank of security threats of the Federal Service for Technical and Export Control of Russia (http://bdu.fstec.ru);
- Common Vulnerabilities and Exposures (CVE) (https://cve.mitre.org/);
- Vulners (https://vulners.com);
- National Vulnerability Database (NVD) (https://nvd.nist.gov/vuln/search);
- OWASP Foundation – the free and open software security community (https://www.owasp.org);
- Websites of the product developer and manufacturer and of the developers of borrowed components;
- Other open information sources.

Based on the analysis of the open sources, the expert shall supplement the previously identified potential weaknesses of the product.
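The search for known vulnerabilities described above is driven by the identification characteristics collected earlier: the tested product, its environment software and its borrowed components, each with a version. The following is an added example, not code from the paper or from any of the databases it lists. It shows how an inventory of such characteristics can be matched against vulnerability records that carry an affected version range in the shape of NVD's CPE match fields (versionStartIncluding, versionEndIncluding, versionEndExcluding). All vendor and product names, versions and record identifiers (EX-0001 and so on) are constructed for illustration and do not refer to real products or real vulnerabilities. The check a practitioner wants here is that versions are compared component-wise as numbers: a plain string comparison ranks 1.9.3 after 1.10 and would silently drop a matching record.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.4.10-beta' -> (2, 4, 10). Non-numeric suffixes are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", v.strip())
    return tuple(int(p) for p in m.group(0).split(".")) if m else (0,)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1. Components are compared as integers and missing
    trailing components count as zero (2.4 == 2.4.0). A string comparison
    would rank '1.9.3' above '1.10' and hide a vulnerable version."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


@dataclass(frozen=True)
class Component:
    """One set of identification characteristics: the tested product itself,
    a piece of its operational environment, or a borrowed component."""
    role: str
    vendor: str
    product: str
    version: str


@dataclass(frozen=True)
class VulnRecord:
    """A known-vulnerability record in the shape of an NVD CPE match entry:
    vendor/product plus an affected version range (None = unbounded)."""
    ident: str
    vendor: str
    product: str
    version_start_including: Optional[str] = None
    version_end_including: Optional[str] = None
    version_end_excluding: Optional[str] = None

    def affects(self, c: Component) -> bool:
        if (self.vendor, self.product) != (c.vendor, c.product):
            return False
        if self.version_start_including and compare_versions(c.version, self.version_start_including) < 0:
            return False
        if self.version_end_including and compare_versions(c.version, self.version_end_including) > 0:
            return False
        if self.version_end_excluding and compare_versions(c.version, self.version_end_excluding) >= 0:
            return False
        return True


def find_known_vulnerabilities(inventory: List[Component], records: List[VulnRecord]) -> Dict[str, List[str]]:
    """Map each inventory entry to the sorted identifiers of the records affecting it."""
    return {
        f"{c.role}: {c.vendor}/{c.product} {c.version}": sorted(r.ident for r in records if r.affects(c))
        for c in inventory
    }


# Constructed inventory: hypothetical vendor and product names, not real software.
INVENTORY = [
    Component("tested product", "acme", "webportal", "3.2.0"),
    Component("environment", "exampleorg", "httpd", "2.4.10"),
    Component("borrowed component", "exampleorg", "templating", "1.9.3"),
]

# Constructed records with made-up identifiers; only the field layout follows NVD.
RECORDS = [
    VulnRecord("EX-0001", "exampleorg", "httpd", version_start_including="2.4.0", version_end_excluding="2.4.12"),
    VulnRecord("EX-0002", "exampleorg", "httpd", version_start_including="2.2.0", version_end_including="2.2.31"),
    VulnRecord("EX-0003", "exampleorg", "templating", version_end_excluding="1.10"),
    VulnRecord("EX-0004", "exampleorg", "templating", version_start_including="1.9.0", version_end_including="1.9.2"),
    VulnRecord("EX-0005", "acme", "webportal", version_end_excluding="3.0"),
]

if __name__ == "__main__":
    for component, ids in find_known_vulnerabilities(INVENTORY, RECORDS).items():
        print(component, "->", ids or "no known vulnerabilities")
```

The borrowed templating component at 1.9.3 is matched by EX-0003 (affected below 1.10) only because the comparison is numeric; it is correctly not matched by EX-0004, whose inclusive upper bound is 1.9.2. The matches found this way are candidates for the "known (confirmed) vulnerabilities" list and still have to be verified against the product's actual build and configuration.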
Having identified the potential vulnerabilities described in the open information sources, the expert shall study the product documents to define the list of potentially unsafe product configurations. At this step, the expert shall read the documents for the tested product to identify all possible ways of reconfiguring the software and to define those configurations which can compromise the integrity, availability and confidentiality of information. At the end of this step, the expert shall correct the findings obtained earlier during the study of the product documents and in the course of ad hoc testing: the information about unsafe configurations of the tested product shall be supplemented with the potentially dangerous configurations defined during this step, and the potentially dangerous configurations for which the documents describe how to neutralize the resulting threats shall be removed.

Identification of unsafe configurations shall be followed by a static analysis of the product code to identify potential vulnerabilities in the tested software code. At this step, the expert shall use static analysis tools to support an expert assessment of the product source code. The number of false positives can be minimized by using static analyzers based on symbolic execution and other state-of-the-art false positive minimization methods. The expert shall treat the findings which the automated analysis tools cannot definitely classify as false as potential vulnerabilities of the product code and document them as an attachment to the vulnerability analysis certificate. The expert shall expand the information on the potential product weaknesses identified earlier with the information obtained during this step.

After the static analysis [3, 6, 18], the expert shall scan the tested product using a network security scanner. The expert shall use the scanner findings to identify vulnerable components of the tested product, unsafe configurations and other types of errors. During this step, the expert shall use network scanning tools to assess the configured product in its real operating mode. If any potential configuration vulnerabilities or potentially unsafe components are identified, the expert shall correct the previous results.

On completion of the product analysis with a network scanner [14, 18], the expert shall assess the security mechanisms of the tested product for correct operation. The expert shall examine the security mechanisms of the software under study, assess the correctness of their operation and make attempts to disrupt the claimed logic of the security mechanisms. If the expert can disrupt the normal operation of the product security mechanisms, or identify potential defects of the program using any of the methods, the expert shall add these findings to the identified potential weaknesses of the product.

The exploratory testing shall result in a list of potential weaknesses of the product. Dynamic code analysis and fuzzing shall be performed with respect to the potential software weaknesses identified. At the end of the completed analysis, the expert shall obtain [4, 5]:
- The list of errors in the product operation.
- Fragments of data that lead to errors in the product operation.
- Sample scenarios of work with the product components whose execution causes product behavior different from that described in the product documents.

The expert shall develop penetration tests based on the data obtained during the exploratory testing, dynamic analysis and fuzzing, and carry out the penetration test [19, 20].
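The ad hoc testing methods in Section II (variations of input data, data known to be incorrect, specially formulated requests) and the three results of dynamic analysis and fuzzing listed above can be produced by a small mutation harness over one input interface. The following is an added example and not code from the paper: handle_request is a constructed stand-in for a tested web application's paging interface, with constructed "documentation" (user is required, page and per_page are positive integers, the returned offset and limit are never negative) and three deliberately planted defects; the function names, the seed request and the mutation set are this example's own. The harness derives deterministic variations from one valid request, keeps the shortest input fragment per distinct error (the list of errors together with the data fragments that cause them) and records results that contradict the documented behaviour (the scenarios whose outcome differs from the documents).

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


def handle_request(query: str) -> dict:
    """Constructed stand-in for the tested product's paging interface. Its
    (constructed) documentation: 'user' is required, 'page' and 'per_page'
    are positive integers, and offset and limit are never negative."""
    params = {}
    for pair in query.split("&"):
        key, value = pair.split("=")        # planted defect: 'a' or 'a=b=c' raise ValueError
        params[key] = value
    page = int(params.get("page", "1"))     # planted defect: non-numeric raises, negatives pass
    per_page = int(params.get("per_page", "20"))
    return {"user": params["user"],         # planted defect: KeyError when 'user' is absent
            "offset": (page - 1) * per_page, "limit": per_page}


def variations(seed: str) -> List[str]:
    """Deterministic variations of one valid request: the empty request and,
    for every field, the field dropped, its value removed, a duplicated '=',
    and known-incorrect values (non-numeric, negative, oversized, NUL byte)."""
    pairs = seed.split("&")
    cases = [""]
    for i, pair in enumerate(pairs):
        key, _, value = pair.partition("=")
        before, after = pairs[:i], pairs[i + 1:]
        for replacement in (None, key, f"{key}={value}=extra", f"{key}=abc",
                            f"{key}=-1", f"{key}={'9' * 40}", f"{key}={value}\x00"):
            middle = [] if replacement is None else [replacement]
            cases.append("&".join(before + middle + after))
    return cases


@dataclass
class FuzzReport:
    errors: Dict[str, str] = field(default_factory=dict)             # error signature -> shortest input
    deviations: List[Tuple[str, dict]] = field(default_factory=list)  # (input, undocumented result)


def error_signature(exc: Exception) -> str:
    """Collapse the input data echoed in the message so each defect is counted once."""
    message = re.sub(r"'[^']*'", "'<data>'", str(exc))
    return f"{type(exc).__name__}: {message}"


def matches_documentation(result: dict) -> bool:
    """The only documented invariants of the constructed interface."""
    return result["offset"] >= 0 and result["limit"] > 0


def fuzz(handler: Callable[[str], dict], seeds: List[str]) -> FuzzReport:
    """Run every variation; keep the shortest input per distinct error and
    every result that contradicts the documented behaviour."""
    report = FuzzReport()
    for seed in seeds:
        for case in variations(seed):
            try:
                result = handler(case)
            except Exception as exc:        # the product failing is the finding, not a harness bug
                sig = error_signature(exc)
                if sig not in report.errors or len(case) < len(report.errors[sig]):
                    report.errors[sig] = case
                continue
            if not matches_documentation(result):
                report.deviations.append((case, result))
    return report


SEEDS = ["user=alice&page=2&per_page=10"]   # constructed valid request

if __name__ == "__main__":
    report = fuzz(handle_request, SEEDS)
    for sig, fragment in report.errors.items():
        print(f"{sig}\n    triggered by {fragment!r}")
    for case, result in report.deviations:
        print(f"undocumented result {result} for {case!r}")
```

Against the constructed handler the harness finds four distinct errors (two unpacking failures in the parameter parser, the integer conversion failure and the missing-user KeyError) and two documented-behaviour violations (negative page and negative per_page both yield a negative offset or limit). Each entry pairs a failure with the shortest input that reproduces it, which is the form in which the finding is passed on to the penetration test development step.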
IV. CONCLUSIONS

The paper suggests a general technique and recommendations for the identification of web application vulnerabilities. The technique has an applied scientific nature, as it was formulated based on the findings of information security certification tests of software systems performed over many years.

Using this technique turns the web application security assessment into a problem-oriented process, which enables a more complete check of web resources in a very short time. The technique complies with the state-of-the-art web application security assessment standards.

The available statistical data confirm the reliability, effectiveness and efficiency of the suggested technique [21].

REFERENCES

[1] Gaskova D., Massel A. Intelligent System for Risk Identification of Cybersecurity Violations in Energy Facility. In: Proceedings of the 2018 3rd Russian-Pacific Conference on Computer Technology and Applications (Vladivostok, Russia, August 18-25, 2018), RPC, IEEE, 2018, pp. 1-5. DOI: 10.1109/RPC.2018.8482229.
[2] Kharzhevskaya A., Lomako A., Petrenko S. Representing Programs with Similarity Invariants for Monitoring Tampering with Calculations. Voprosy kiberbezopasnosti [Cybersecurity issues]. 2017. No 2 (20). P. 9-20. DOI: 10.21681/2311-3456-2017-2-9-20.
[3] Markov A.S., Fadin A.A., Tsirlov V.L. Multilevel Metamodel for Heuristic Search of Vulnerabilities in the Software Source Code. International Journal of Control Theory and Applications, 2016, vol. 9, No 30, pp. 313-320.
[4] Pechenkin A.I., Lavrova D.S. Modeling the search for vulnerabilities via the fuzzing method using an automation representation of network protocols. Automatic Control and Computer Sciences, 2015, 49 (8), pp. 826-833. DOI: 10.3103/S0146411615080325.
[5] Reber G., Malmquist K., Shcherbakov A. Mapping the Application Security Terrain. Voprosy kiberbezopasnosti [Cybersecurity issues]. 2014. N 1 (2). P. 36-39. DOI: 10.21681/2311-3456-2014-2-36-39.
[6] Zegzhda P., Zegzhda D., Pavlenko E., Dremov A. Detecting Android application malicious behaviors based on the analysis of control flows and data flows. ACM International Conference Proceeding Series, 2017, pp. 280-286. DOI: 10.1145/3136825.3140583.
[7] Barabanov A.V., Markov A.S., Tsirlov V.L. Information Security Controls Against Cross-Site Request Forgery Attacks on Software Application of Automated Systems. Journal of Physics: Conference Series. 2018. V. 1015. P. 042034. DOI: 10.1088/1742-6596/1015/4/04203
[8] Calzavara S., Focardi R., Nemec M., Rabitti A., Squarcina M. Postcards from the Post-HTTP World: Amplification of HTTPS Vulnerabilities in the Web Ecosystem. In: 2019 IEEE Symposium on Security and Privacy (SP), IEEE, 2019, 8995551. DOI: 10.1109/SP.2019.00053.
[9] Calzavara S., Focardi R., Squarcina M., Tempesta M. Surviving the Web: A Journey into Web Session Security. ACM Comput. Surv., 2017, vol. 50, no. 1, pp. 1-34. DOI: 10.1145/3038923.
[10] Nirmal K., Janet B., Kumar R. Web Application Vulnerabilities - The Hacker's Treasure. In: 2018 International Conference on Inventive Research in Computing Applications (ICIRCA), IEEE, 2018, 18358073. DOI: 10.1109/ICIRCA.2018.8597221.
[11] Petrenko A.S., Petrenko S.A., Makoveichuk K.A., Chetyrbok P.V. Protection Model of PCS of Subway from Attacks Type «Wanna cry», «Petya» and «Bad rabbit» IoT. In: Proceedings of the 2018 IEEE Conference of Russian Young Researchers in Electrical and Electronic Engineering (ElConRus 2018). IEEE, 2018, pp. 945-949. DOI: 10.1109/EIConRus.2018.8317245.
[12] Priya R. L., Lifna C. S., Dhanamma J., Anooja J. Rational Unified Treatment for Web application Vulnerability Assessment. In: 2014 International Conference on Circuits, Systems, Communication and Information Technology Applications (CSCITA), IEEE, 2014, 14395120. DOI: 10.1109/CSCITA.2014.6839283.
[13] Rafique S., Humayun M., Gul Z., Abbas A., Javed H. Systematic Review of Web Application Security Vulnerabilities Detection Methods. Journal of Computer and Communications, 2015, V. 3, No 9, pp. 28-40. DOI: 10.4236/jcc.2015.39004.
[14] Wang B., Liu L., Li F., Zhang J., Chen T., Zou Z. Research on Web Application Security Vulnerability Scanning Technology. In: 2019 IEEE 4th Advanced Information Technology, Electronic and Automation Control Conference (IAEAC), IEEE, 2019, 19359942. DOI: 10.1109/IAEAC47372.2019.8997964.
[15] Yadav D., Gupta D., Singh D., Kumar D., Sharma U. Vulnerabilities and Security of Web Applications. In: 2018 4th International Conference on Computing Communication and Automation (ICCCA), IEEE, 2018, 18868543. DOI: 10.1109/CCAA.2018.8777558.
[16] Barabanov A.V., Markov A.S., Tsirlov V.L. Methodological Framework for Analysis and Synthesis of a Set of Secure Software Development Controls. Journal of Theoretical and Applied Information Technology, 2016, vol. 88, No 1, pp. 77-88.
[17] Howard M., Lipner S. The Security Development Lifecycle: A Process for Developing Demonstrably More Secure Software. Microsoft Press, 2006. 352 p.
[18] Dorofeev A.V., Markov A.S., Rautkin Y.V. Ethical Hacking Training. In: CEUR Workshop Proceedings, 2019, Vol-2522, pp. 47-56.
[19] Markov A., Barabanov A., Tsirlov V. Models for Testing Modifiable Systems. In: Probabilistic Modeling in System Engineering, ed. A. Kostogryzov. IntechOpen, 2018, Chapter 7, pp. 147-168. DOI: 10.5772/intechopen.75126.
[20] Poltavtseva M.A., Pechenkin A.I. Intelligent data analysis in decision support systems for penetration tests. Automatic Control and Computer Sciences, 2017, 51 (8), pp. 985-991. DOI: 10.3103/S014641161708017X.
[21] Barabanov A.V., Markov A.S., Tsirlov V.L. Statistics of Software Vulnerability Detection in Certification Testing. Journal of Physics: Conference Series. 2018. V. 1015. P. 042033. DOI: 10.1088/1742-6596/1015/4/042033.