We have used Acunetix Web Vulnerability Scanner (Free 14-Day Trial) to test our Spring MVC and HDIV example application, available on GitHub, running HDIV version 2.1.8 (branch: rules).

Hdiv & Acunetix

Here is the video that summarizes this process:

What is Acunetix Web Vulnerability Scanner?

According to Acunetix:

“Acunetix Web Vulnerability Scanner is an automated web application security testing tool that audits your web applications by checking for vulnerabilities like SQL Injection, Cross site scripting, and other exploitable vulnerabilities.”

Acunetix’s security levels

Acunetix categorizes their vulnerabilities according to four severity levels:

  • High Risk Alert Level 3 – “Vulnerabilities categorized as the most dangerous, which put the scan target at maximum risk for hacking and data theft.”
  • Medium Risk Alert Level 2 – “Vulnerabilities caused by server misconfiguration and site-coding flaws, which facilitate server disruption and intrusion.”
  • Low Risk Alert Level 1 – “Vulnerabilities derived from lack of encryption of data traffic or directory path disclosures.”
  • Informational Alert – “These are items which have been discovered during a scan and which are deemed to be of interest, e.g. the possible disclosure of an internal IP address or email address, or matching a search string found in the Google Hacking Database, or information on a service that has been discovered during the scan.”

As the video shows, HDIV covers the ‘High Risk Alert Level 3’ category by default; the remaining severity levels are outside HDIV’s scope.

Results

As described in the video, HDIV protects against the attacks performed by Acunetix Web Vulnerability Scanner, preventing the exploitation of application-level web risks such as:

  • OWASP A1 – SQL Injection
  • OWASP A3 – Cross-Site Scripting (XSS)
  • OWASP A8 – Cross-Site Request Forgery (CSRF)

It is important to note that Acunetix Web Vulnerability Scanner does not detect OWASP A4 – Insecure Direct Object Reference (Parameter Tampering). This is normal with all kinds of vulnerability scanners because in many cases, this category of vulnerability requires human intelligence to identify it.
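To make the A4 point concrete, here is an added Spring MVC example that is not part of the HDIV sample application or of HDIV itself: a controller with an Insecure Direct Object Reference, the hardened version of the same handler, and a binding allow-list that closes the "extra parameters" gap discussed in the comments. `Invoice`, `InvoiceRepository`, the `/invoices` URLs and the form field names are all assumed for illustration.

```java
package example.web; // hypothetical package

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;

// Assumed domain type: an invoice and the username of its owner.
class Invoice {
    final long id;
    final String owner;
    Invoice(long id, String owner) { this.id = id; this.owner = owner; }
}

// Assumed repository. findByIdAndOwner returns null when the row exists
// but belongs to someone else, which is exactly the case an IDOR abuses.
interface InvoiceRepository {
    Invoice findById(long id);
    Invoice findByIdAndOwner(long id, String owner);
}

@Controller
public class InvoiceController {

    private final InvoiceRepository invoices;

    public InvoiceController(InvoiceRepository invoices) {
        this.invoices = invoices;
    }

    // Vulnerable (OWASP A4): the id is taken from the URL and trusted.
    // An automated scanner gets HTTP 200 for /invoices/1 and /invoices/2
    // alike; nothing in the response tells it that the second invoice
    // belongs to another customer, which is why this class of bug is
    // usually found by a human reviewer rather than a scanner.
    @RequestMapping("/invoices/{id}")
    public String showVulnerable(@PathVariable long id, Model model) {
        model.addAttribute("invoice", invoices.findById(id));
        return "invoice";
    }

    // Hardened: the lookup is scoped to the authenticated user, so a
    // tampered id can only resolve to the caller's own records. Any other
    // id is rejected as an access violation instead of leaking data.
    @RequestMapping("/my/invoices/{id}")
    public String showHardened(@PathVariable long id, Model model) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        Invoice invoice = invoices.findByIdAndOwner(id, auth.getName());
        if (invoice == null) {
            throw new AccessDeniedException("invoice " + id + " is not owned by the caller");
        }
        model.addAttribute("invoice", invoice);
        return "invoice";
    }

    // Binding allow-list: only the listed request parameters may populate
    // the "invoiceForm" model attribute. A client that appends a field the
    // form never exposed (for example a "paid" flag) has it silently dropped
    // instead of bound. setAllowedFields is standard Spring WebDataBinder API.
    @InitBinder("invoiceForm")
    public void restrictBinding(WebDataBinder binder) {
        binder.setAllowedFields("customerNote", "dueDate");
    }
}
```

The ownership check has to be repeated in every handler that takes an identifier, and the allow-list in every binder; forgetting one of them is the "easy to forget some validations" failure mode that a framework-level control such as HDIV is meant to catch.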

2 Comments

  • Great article on how a web vulnerability scanner such as Acunetix can be used in conjunction with web vulnerability mitigation applications such as HDIV.

    Both techniques are important. However, better not over-rely on vulnerability mitigation applications, since it is somewhat dangerous to hide vulnerabilities, especially ones that are known. Ideally vulnerabilities that are detected by the scanners are addressed. Since this might take some time, the web application can be protected using mitigation apps. Mitigation apps are also useful to protect the web app between scans.

  • Thanks for your comment Nicholas!

    We agree with your advice to solve detected vulnerabilities, of course. In our opinion HDIV is a complementary security layer that protects the applications without programmers’ intervention, but in all cases it is advisable to use development best practices during the development and solve detected vulnerabilities.

    Anyway you shouldn’t overlook the fact that some kinds of vulnerabilities are very difficult to solve even though they are detected. For instance, SQL Injection vulnerabilities and XSS are very easy to solve once they are detected. Other kinds of vulnerabilities such as OWASP A4, or binding issues (not allowed extra parameters), are very difficult to solve by hand because it requires a lot of coding work and it’s very easy to forget some validations. In addition to that, some of these risks are not detected by security scanners, so you don’t know about them.

    Also many known vulnerabilities (for instance see CVE-2012-1833, CVE-2006-1546) are based on the manipulation of the original data flow between the client and the server, and the protection offered by HDIV does not allow the exploitation of this kind of attacks, even when they are not yet known.

    So in our opinion, the best approach is the combination of different security techniques together (development best practices, security scanners, HDIV, updated software) in order to implement a layered security strategy, and HDIV should be activated all the time.
