Tag Archives: NTOSpider


SSL Poodle Check Added to NTOSpider

This week’s “big hack” everyone is yapping about is the POODLE flaw in Secure Socket Layer (SSL 3.0). The hack is a bad one, when the attacker can get man-in-the-middle to set it up, but the need for MitM does limit the scope of this exploit.

Adding the check for POODLE’s downgrade flag to our NTOSpider scanner was trivial as we already perform SSL Strength Analysis, but the real challenge is how to score this. Quite frankly just allowing SSL 3.0 is inherently bad, and POODLE just makes it worse. I can see an argument for making it high risk to have SSL 3.0 enabled, but then does POODLE make it “Super-High”?

As with my recent post about the 8 lessons learned from Shellshock, I encourage caution with this weekly hype cycle for each new “big hack.” It’s reminiscent of “The Boy Who Cried Wolf” – we’ll see how that will turn out for us.


NTOSpider 6.4 Now Available!

We are excited to announce a host of enhancements to NTOSpider that will further assist you in testing more of your applications in less time. Our mission is and has always been to create the most automated and accurate assessment possible even on the most modern applications. And, in this release, we further expand NTOSpider’s ability to effectively test modern web and mobile applications.

The following are some of the highlights of NTOSpider 6.4:

  • Web service authentication to further automate testing of web services and mobile applications.
  • Automatic update tool to enable users to automatically download new versions of NTOSpider.
  • Crawler improvements to further expand coverage of Web 2.0 applications and improved performance on very large sites.
  • Added and improved attack modules to include additional vulnerabilities in automated coverage, including Shellshock or BASH Bug.
  • Improved UI features including user defined attack policies and macro debugging.

New and Enhanced Features

  • Web Service Authentication – Expanded ability to test web services with the ability to handle the authentication and session management solutions used by many web services. Including: comprehensive OAuth, HMAC, integrated NONCE support and user defined solutions.
  • Improved Web 2.0/3.0 and HTML5 crawling – Improved automated crawling of heavy Javascript (AJAX) web sites and popular frameworks such as jQuery.
  • Enhanced performance – Performance improvements include increased scan speed and reduced memory consumption especially for very large sites.
  • Auto-updater – NTOSpider finally has a configurable automatic update mechanism that enables users to choose between three options that give the user flexibility and control over upgrades.
  • User Defined Attack Policy – Simplifies selections of attacks.
  • Macro debugger – UI feature to help user replay and debug MACRO recordings.
  • Attack modules – The following attack modules have been added or improved.
    • Shellshock (aka The BASH Bug)
    • CORS (Cross-Origin Resource Sharing)
    • XPath Injections
    • LDAP Injection
    • XML External Entity
    • Server Side Include (SSI) Injection
    • Expression Language Injection
    • ASP.NET ViewState Validation

For complete details review the release notes.

For more information or to request a free trial of NTOSpider visit: www.ntobjectives.com/security-software/ntospider-application-security-scanner/

Response to WAF/IDS/IPS Effectiveness Report

For those of you who know me as well as Dan, you know that we have spoken quite often on our podcast (Information Security Place Podcast) about the effectiveness of today’s current technologies used by Web Aware Firewalls (WAFs) and Intrusion Detection/Prevention Solutions (IDS/IPS).  I’m rarely one to say “I told you so”, but Larry Suto’s latest report on the effectiveness of these technologies, does  kind of do that for me.

For more information about the study:

In the WAF effectiveness report, Larry illustrates the need to properly train a WAF solution on the application it is protecting to gain effective or consistent protection from the app.  According to the report, it took an average of 3.5 hours by a WAF savy technician to train or tune the WAF solution to get an effective level of protection for the test application.  As noted in the report, this is significantly more time spent, than the average organization spends on their production WAF installations.

One issue to note, is that many WAF solutions are leveraged to protect more than one application once they are in production, so can it be safe to say that an organization should plan to spend 2-3.5 hours per application they plan to place behind a WAF to gain that consistent level of protection for all their applications? It could be a safe assumption since many applications are not identical or leverage completely different technologies.

One element of the report I really think Larry does an effective job at illustrating is the lack of effectiveness that a traditional IDS/IPS brings to the table.  Since these technologies are not designed to specifically look for your application’s vulnerabilities they require custom rulesets to be created to be effective at protecting your applications.

As announced earlier last month, NT OBJECTives released NTODefend to assist organizations in creating those custom rule sets for both WAF and IDS/IPS solutions. In the report, Larry was able to illustrate the effectiveness of NTODefend at creating custom rulesets that are unique to each of your organizations applications. In both instances, the rules created by NTODefend provided a substantial improvement for all of the platforms that can currently leverage our technology. Note, in some instances the IDS/IPS solutions actually became just as effective if not more effective than some of the WAF solutions, after applying our rules.

All in all, the report goes to show that even with these technologies in place, organizations are still required to perform ongoing testing to find vulnerabilities and then train their WAF or IDS/IPS solutions to protect their applications. Thankfully, at NT OBJECTives we have solutions to help you do just that… NTOSpider and NTODefend.

Is your WAF effective? Independent research study

There has been a lot of discussion, articles and analyst reports about WAF’s over the years (some listed below). The truth is that WAF’s aren’t perfect, but I believe that they are an essential part of a comprehensive application security defense strategy. The WAF technology has been maturing and improving over the last few years. There is even more good news in a just-released in-depth study, by Larry Suto, security consultant, where he tested six WAF’s and two IPS’s for their effectiveness at blocking application vulnerabilities.

Two of the most interesting findings in the report are:

  • A properly tuned IPS can be as or more effective than WAF solutions at blocking security vulnerabilities. After seeing the results of this study, the IPS vendors have agreed that their devices can, in concert with NTOSpider/NTODefend be counted as a WAF for PCI compliance purposes.
  • Automatically generated filters from dynamic application security tools (DAST) can improve vulnerability blocking effectiveness by as much as 39% for a WAF and as much as 66% on an IPS.
Why are WAF’s Essential?
For me, the bottom line is that we can’t ignore the fact that there are known vulnerabilities in production applications. Ideally, these would all be fixed in the source code, but the reality is that they can’t always be fixed immediately, they might take months to fix or they might not be able to be fixed at all in the foreseeable future. In these instances, a WAF is very practical solution as a temporary patch for the vulnerability. I mean, if someones sitting out there in public with no pants, someone please hand them a towel!
The other painful truth about WAF’s is that they take time to train and configure. Most security teams are short on time and short on resources. The people on the front lines whom I speak with tell me they would love to be able to better train their WAF’s more quickly. Here’s the good news
  • With about 3.5 hours of expert tuning, most WAF’s can perform fairly well.
  • When you add DAST generated custom filters, both WAF’s and IPS’s are excellent at blocking vulnerabilities
  • One of the things, that makes NTODefend unique is the ability to confirm that the filters are blocking unwanted traffic and allowing desired traffic. During his study, Larry was able to play with this false positive detection functionality in NTODefend. He was pleased to see that it does in fact shows if the WAF/IPS is blocking good traffic – pardon the promotion :-)
As you would expect, a handful of other vendors (including NT OBJECTives)  provided tools for Larry to use to complete the report. Anyone who has every tried to do a study knows that it takes a lot of work, and Larry does not receive any payment from any vendor to complete these studies. No study is perfect, but given his finite amount available time and resources, I believe Larry tried to implement the fairest study he could.
For more information about the study:
Good articles that discuss the use of WAF’s & IPS’s

“Perfect-Fit” Virtual Patching for WAF/IPS with NTODefend

Recently NT OBJECTives announced NTODefend and its ability to generate “perfect-fit” custom patches for WAF & IPS. This marketing term “perfect-fit” has been the cause of some questions. People are wondering how our “perfect-fit” rules differ from what other DAST vendors are doing, as well as solutions like ThreadFix (aka Vulnerability Manager) from Denim Group. Those who know me, know that I don’t like when vendors overstate their capabilities, and I make sure NTO does not do this either, so I think this term deserves some explanation.

The other solutions that are able to generate virtual patches work from pre-defined templates based on categories of attacks, such as SQL Injection, Cross-Site Scripting, OS Injection. So if a given input is vulnerable to SQL Injection, then the SQL Injection template will be used to generate a virtual patch for the vulnerable input.

NT Objectives’ approach differs in that NTODefend is able to generate rules based on deeper intelligence about the input. This extra information comes from two key features in NTOSpider:

  1. NTOSpider‘s input population technology works to determine the intended legitimate data. For example, the input population technology will determine if the input only accepts numbers, or is intended for a phone number, email address, street address, etc.
  2. NTOSpider’s attacking engines detail specifics about the attacks that worked, with information such as usable characters and escape sequences.

By leveraging details about the attacks, NTODefend can generate more specific and aggressive rules to function as counter-measures to the attacks that the input was vulnerable to. This can include making rules that only allow numerical values, or maybe blocking single quotes but not double quotes, or allowing parenthesis but not dashes. NTODefend can also decide which canned filters to include to make sure the input is well protected.

The key point is that each rule is generated custom to the input AND custom to the ways it can be exploited.

After installing the virtual patches into the solution, NTODefend provides the ability to re-test all the inputs with both attack traffic and good traffic (modifiable database included with each data type NTOSpider can detect). It then generates a report to show which of the good request and bad requests got blocked. This provides users with the ability to quickly understand how effective the virtual patches were and hopefully alerts them to any virtual patches that could be blocking good traffic.

We do not claim that these generated virtual patches will always be 100% accurate to all situations, but we are confident that they will be useful and that we provide solutions for users to quickly deal with discovered vulnerabilities.

I welcome discussion and questions on this topic.

NT OBJECTives announces NTODefend, automatic WAF & IPS rule generation

Do your WAF and IPS rules fit like a custom suit or an off the rack one?

Announcing NTODefend

NT OBJECTives is excited to announce the general availability of NTODefend, a software solution that enables enterprise security teams to quickly, easily and automatically create “perfect-fit” custom rules to patch Web Application Firewalls (WAF) or Intrusion Prevention System (IPS) against web application vulnerabilities discovered in automated NTOSpider scans.

Read the full NTODefend press release.
Visit NTODefend’s web page for additional details.

NTODefend goes beyond standard, one-size-fits-all WAF rule generation to create stronger customized rules, while also allowing for rule modification. It combines NTOSpider’s knowledge of the application functionality with an understanding of specific vulnerabilities to be the first tool to create “perfect-fit” custom rules that effectively block bad traffic while letting the good traffic flow through. With these rules, NTODefend also tunes an IPS to behave like a WAF.

A comprehensive application security approach addresses the entire software development lifecycle, from development through production. Security teams use two primary kinds of tools to help them identify, patch and resolve application security issues in production applications, dynamic application testing products and web application firewalls (WAF). The ideal production solution includes a dynamic application testing tool that understands your WAF so the two can share information to automatically patch vulnerabilities that haven’t yet been fixed in the source code.

NTODefend Product Features

  • Automated Custom Rule Generation for WAF/IPS Quickly and easily generate custom rules, and if needed modify these rules, to patch vulnerabilities on WAF/IPS, using the results from NTOSpider scans.
  • Vulnerability Report Selection – Quickly select which vulnerabilities to patch and automatically generate the highly targeted filters for the user’s particular WAF/IPS solution.
  • Re-scan Ability to Confirm Effectiveness – NTODefend enables security teams to conduct a quick re-scan applications to confirm the trained WAF/IPS effectiveness. Now, teams can quickly confirm that target vulnerabilities are patched and that good traffic can continue to flow through as expected, eliminating the risk of false positives & false negatives and dramatically reducing QA time.
Visit NTODefend’s web page for additional details.