Web Application Security Testing for Complex Workflows. Not so Complex Anymore.

Conducting web application security testing for complex workflows can be a real pain. In order to find vulnerabilities, valid test data must be passed through exactly as the workflow prescribes. Most web application security testing scanners aren’t up for the job, so security testers must supplement their scans with manual testing.

If your organization has just a couple of applications that aren’t changing, then manual testing may not be a big deal, but that’s rarely the case. Many large organizations have hundreds or thousands of web applications. Testing all of them manually is expensive and time consuming, and requires resources that your organization simply doesn’t have.

We understand, and have enhanced NTOSpider to address this pain point. Today, we announced that NTOSpider is now the first web application security testing scanner capable of understanding complex workflow sequences and their expected results, which enables it to automatically create the relevant session states and find web application vulnerabilities. Bottom line: with NTOSpider, security teams can automate the security testing of complex workflows, saving a tremendous amount of time and finding more vulnerabilities sooner!

To see why the update matters, it helps to understand how traditional scanners fail on complex workflows. Most web application security testing scanners run an assessment in two phases: a crawl phase and then an attack phase. During the crawl, the scanner maps the application’s attack surface: the pages it can reach and the inputs on each page. In the attack phase it then fires payloads at those inputs one at a time, in whatever order it discovered them, with no notion of the sequence in which a real user would visit the pages.

Application Workflows

For most web application functionality that approach works: each input can be attacked on its own, in any order. Complex workflows are the exception. To reach the vulnerable code, valid test data must pass through the prescribed steps, in order, so attacking the steps at random is not effective. When a scanner attacks the shipping page without first adding items to the cart, for example, the application rejects the request with an error because the cart is empty, and the attack payload never reaches the code under test. The scanner sees only an error response, has no way to tell that its payload was never processed, and misses vulnerabilities as a result.

Testing the workflow in order is one piece of the equation; it is just as important to test the workflow to completion. Scanners, like attackers, submit many kinds of attacks, and SQL injection is one of them: instead of an actual last name, the attacker or scanner enters a malicious SQL fragment in the ‘last name’ field of the billing form. The application does not query the database at that point. It holds the billing data in temporary storage (typically the user’s session) until the order is confirmed, and only then writes it to the database, which is the first point at which the injected SQL executes and the scanner can observe the result. A scanner that stops after the billing step, or never reaches the confirmation step, therefore never sees the vulnerability in the ‘last name’ field. Complex workflows that are not tested in their entirety leave such vulnerabilities undetected.
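The two failure modes above, order and completeness, are easiest to see with a toy model. The following is an added example written for this post, not NTOSpider code or any NT OBJECTives code: a constructed four-step checkout (cart, shipping, billing, confirm) backed by an in-memory SQLite database, in which the billing form parks the last name in the session and the confirmation step splices it into an INSERT. Three hypothetical scanner strategies then attack it with a single-quote probe. All class, function and field names are assumptions made for the illustration.

```python
import sqlite3

PROBE = "O'Brien"  # a single-quote probe; a scanner's simplest SQL injection check


class CheckoutApp:
    """Constructed toy of the checkout workflow described in the post:
    add_to_cart -> shipping -> billing -> confirm.
    Billing data is parked in the session and only reaches the database
    when the order is confirmed."""

    def __init__(self, parameterized=False):
        self.parameterized = parameterized
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE orders (last_name TEXT, item TEXT)")
        self.session = {}

    def add_to_cart(self, item):
        self.session["cart"] = item
        return 200, "added"

    def shipping(self, address):
        if "cart" not in self.session:
            # Out-of-order request: rejected before any payload is processed.
            return 400, "error: cart is empty"
        self.session["address"] = address
        return 200, "ok"

    def billing(self, last_name):
        if "address" not in self.session:
            return 400, "error: shipping step not done"
        # Held in temporary storage; no SQL is executed at this step.
        self.session["last_name"] = last_name
        return 200, "ok"

    def confirm(self):
        if "last_name" not in self.session:
            return 400, "error: billing step not done"
        try:
            if self.parameterized:
                # Hardened form: bound parameters, the probe is just data.
                self.db.execute("INSERT INTO orders VALUES (?, ?)",
                                (self.session["last_name"], self.session["cart"]))
            else:
                # Deliberately vulnerable: the stored last name is spliced into SQL.
                self.db.execute("INSERT INTO orders VALUES ('%s', '%s')"
                                % (self.session["last_name"], self.session["cart"]))
            self.session.clear()
            return 200, "order placed"
        except sqlite3.Error as exc:
            # The unbalanced quote surfaces only here, at the end of the workflow.
            return 500, "database error: %s" % exc


def saw_db_error(responses):
    """Detection rule: any 500 carrying a database error marks a finding."""
    return any(status == 500 and "database error" in body for status, body in responses)


def scan_out_of_order(app):
    """Crawl-then-attack style: hit the billing page with the probe on its own."""
    return saw_db_error([app.billing(PROBE)])


def scan_in_order_incomplete(app):
    """Replays the steps in order but stops at billing, never confirming."""
    return saw_db_error([app.add_to_cart("book"), app.shipping("1 Main St"),
                         app.billing(PROBE)])


def scan_full_workflow(app):
    """Replays every step in order through confirm, where the SQL is executed."""
    return saw_db_error([app.add_to_cart("book"), app.shipping("1 Main St"),
                         app.billing(PROBE), app.confirm()])


if __name__ == "__main__":
    for name, scan in [("out of order", scan_out_of_order),
                       ("in order, incomplete", scan_in_order_incomplete),
                       ("full workflow", scan_full_workflow)]:
        print("%-22s vulnerable app: %s   parameterized app: %s"
              % (name, scan(CheckoutApp()), scan(CheckoutApp(parameterized=True))))
```

Only the third strategy reports a finding against the vulnerable application, and the same strategy reports nothing against the parameterized variant, which is the behaviour a workflow-aware scanner needs: the probe has to be accepted at the billing step and then carried, by the scanner finishing the sequence, to the confirmation step where it is finally used.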

For these reasons, most web application security testing scanners cannot effectively attack complex workflows both in the prescribed order and in their entirety. A scanner has to be architected to handle both: order, so that payloads are accepted rather than rejected by a half-finished workflow, and completeness, so that a payload parked in session state is carried through to the step where it is finally used. NTOSpider understands and respects application workflows so that attack payloads are delivered into the application code where the scanner can discover vulnerabilities.

It can be costly and difficult to accurately test all complex workflows in today’s applications. NTOSpider gives you the ability to find vulnerabilities automatically, with more accuracy and in less time.

This new release of NTOSpider holds just one of many innovations that we are working on when it comes to automating web application security testing.

We understand how difficult and frustrating running a web application security testing program can be. Stay tuned! Our roadmap has many exciting advancements in store. We are committed to continued innovation and advancements that you won’t see anywhere else!

About Dan Kuykendall
Dan Kuykendall is the founder and co-CEO at the premier application security solutions provider NT OBJECTives, Inc. Throughout his career, Dan has helped develop advanced dynamic application security testing software, a fundamental aspect to NT OBJECTives’ reputation as a leader in comprehensive web application scanning. Dan has also worked for McAfee’s Foundstone and Fortis, where he founded the U.S. Information Security team.
