Conducting web application security testing for complex workflows can be a real pain. In order to find vulnerabilities, valid test data must be passed through exactly as the workflow prescribes. Most web application security testing scanners aren't up for the job, so security testers must supplement their scans with manual testing.
If your organization has just a couple applications that aren't changing, then manual testing may not be a big deal, but that's rarely the case. Many large organizations have hundreds or thousands of web applications. Manually security testing all of them can be expensive and time consuming – requiring resources that your organization simply doesn't have.
We've enhanced AppSpider to address this pain point. AppSpider is the first web application security testing scanner capable of understanding complex workflow sequences and the expected results, which enable it to automatically create relevant session states and find web application vulnerabilities. Bottom line: With AppSpider, security teams can automate the security testing of complex workflows – saving a tremendous amount of time and finding more vulnerabilities sooner.
In order to understand the significance of AppSpider's update, it helps to understand how traditional scanners fail to test complex workflows. Most web application security testing scanners are built to conduct an assessment in two phases: a crawl phase and then an attack phase. During the crawl phase, the scanner gathers information about the application's attack vectors. The scanner develops an understanding of the application's landscape, including the pages and inputs on each page. Scanners then use the information gathered by the crawl to randomly attack page.
It's best to attack most web application functionality randomly. However, this isn't the case for complex workflows. In order to find vulnerabilities, valid test data must pass, in order, through the prescribed workflow. Attacking workflows at random isn't effective. When the web application security testing scanner attempts to attack the shipping page without adding items to the cart, for example, the application generates an error without accepting the scanner's attack, because there are no items in the cart. Unfortunately, the scanner is unaware of the error and misses vulnerabilities as a result.
Security testing the workflow in order is one important piece of the equation, but it's also critical to test the entire workflow. Scanners, like hackers, submit various kinds of attacks. One kind of attack is SQL injection. In a SQL injection attack, the hacker or scanner enters a malicious SQL statement as an attack through the last name field instead of entering an actual last name. So, in this example, the malicious attack is entered through the ‘last name' field on the billing form. The application then holds that data in temporary storage until the user confirms the order. It is not until the order is confirmed, that the information is sent to the database (SQL server) and the SQL vulnerability could be detected by the scanner. So, if complex workflows aren't tested in their entirety vulnerabilities won't be found, in this case, a vulnerability in the ‘last name' field wouldn't be found.
For these reasons, most web application security testing scanners are unable to effectively attack complex application workflows in their entirety and in the prescribed application workflow. Scanners need to be architected in a way that they can handle both kinds of security testing for complex workflows where both order and completeness are critical. AppSpider understands and respects application workflows so that attack payloads are delivered into the application code where the scanner can discover vulnerabilities.
It can be costly and difficult to accurately test all complex workflows in today's applications. AppSpider gives you the ability to find vulnerabilities automatically, with more accuracy and in less time. This release of AppSpider holds just one of many innovations that we are working on when it comes to automating web application security testing.
We understand how difficult and frustrating running a web application security testing program can be, so do stay tuned—we are committed to continued innovation and advancements to make these products even more effective for you.