Application security has evolved considerably over the last decade or so. Ten years ago, discovering SQL injections in applications was simpler than it is today: applications were more prone to vulnerabilities because there were fewer protections and less security awareness among developers.
That situation has changed radically. Developers are far more aware of and attentive to security, and security controls are applied throughout the Software Development Life Cycle (SDLC), making the end application relatively secure.
Although development processes have become safer, today's applications are no longer confined to the web. Modern applications expose services and Application Programming Interfaces (APIs) and have a mobile and cloud presence as well. This clearly increases both the complexity and the attack surface.
For an application security tester, it is vital to find all possible vulnerabilities in the entire application ecosystem.
We'll quickly run through the most common and most serious application vulnerabilities. The accepted standard reference for application vulnerabilities is OWASP, the Open Web Application Security Project. The latest Top 10 list for web application vulnerabilities was published in 2017. The vulnerabilities are as follows:
- Injection – This includes vulnerabilities that are exploited by sending untrusted input to an interpreter as part of a query or command. Specially crafted input tricks the interpreter into executing unintended commands or even granting unauthorized access to data. The most common type of injection is database injection. Other types include Operating System (OS) command injection, LDAP injection, etc.
- Broken Authentication – This includes vulnerabilities arising out of poor implementation of authentication and session management functions. Exploiting such vulnerabilities can give attackers access to passwords, credentials, session tokens, keys, etc.
- Sensitive Data Exposure – Many applications lack controls to protect sensitive user data such as personally identifiable information (PII), health data, or financial data, and attackers can steal it. A lack of data encryption at rest and in transit causes most of the vulnerabilities in this category.
- XML External Entities – This is a special type of vulnerability in which an attacker abuses external entity declarations within XML documents to launch several attacks, such as disclosing sensitive internal files, denial of service, remote code execution, etc.
- Broken Access Control – Even when a user is authenticated with valid credentials, they should not necessarily have access to every part of the application. Authorization defines what an authenticated user can access. Broken authorization lets an attacker view other users' accounts and sensitive files, or even modify other users' data.
- Security Misconfiguration – Security misconfiguration issues are most common in the underlying infrastructure, such as web servers. Insecure configurations, default credentials, unreferenced backup files, unwanted services, open cloud storage, missing security headers and cookie flags, and missing security patches all contribute to this category.
- Cross-Site Scripting – This is the classic web application vulnerability that has been on the OWASP list for a long time. It commonly occurs when an attacker is able to inject and execute a script through an application input field. The attack can be used to hijack user sessions by stealing cookies, to deface websites, etc. Common types of cross-site scripting are Persistent, Reflected, and DOM Based.
- Insecure Deserialization – Attackers can manipulate the object serialization and deserialization process to introduce malicious payloads resulting in code execution.
- Using Components with Known Vulnerabilities – It's very common for developers to import third-party code to avoid reinventing the wheel. However, the third-party code sometimes comes with inherent vulnerabilities. An example is using an OpenSSL library version that is vulnerable to the Heartbleed attack.
- Insufficient Logging and Monitoring – Quite often, applications lack the capability to log the events that would help in case of an incident. In the absence of audit logging and detection capabilities, attackers can simply continue to infiltrate undetected and without raising alarms.
While the OWASP Top 10 list is probably the first place to look for web application vulnerabilities, there are many potential vulnerabilities beyond it. The following are some strongly recommended references for a broader perspective on application security testing:
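The Injection and Cross-Site Scripting items above both describe untrusted input reaching an interpreter. The following is an added example (not code from the original article) that shows each flaw beside its fix: a login query built by string concatenation versus a parameterized one, and an HTML fragment rendered raw versus output-encoded. The database, user records and inputs are constructed sample data.

```python
import html
import sqlite3


def make_db():
    """Build a constructed in-memory users table (sample data, not from any real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return conn


def login_vulnerable(conn, username, password):
    # Untrusted input is spliced into the SQL text, so the interpreter (SQLite)
    # cannot distinguish data from query structure: this is the injection flaw.
    query = (f"SELECT username, role FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    # Parameterized query: the placeholders are bound as data and never parsed as SQL,
    # so a quote character in the input stays a quote character.
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def render_comment_vulnerable(comment):
    # Untrusted text placed directly into HTML: any markup in it is interpreted by the browser.
    return f"<p>{comment}</p>"


def render_comment_safe(comment):
    # Output encoding turns markup characters into entities so the browser displays them as text.
    return f"<p>{html.escape(comment)}</p>"


if __name__ == "__main__":
    conn = make_db()
    # Constructed input whose quote breaks out of the string literal in the concatenated query.
    tampered = ("alice' OR '1'='1", "anything")
    print(login_vulnerable(conn, *tampered))  # a row comes back: authentication bypassed
    print(login_safe(conn, *tampered))        # []: the input is compared as a literal string
    print(login_safe(conn, "alice", "s3cret"))  # [('alice', 'admin')]: legitimate login still works
    print(render_comment_safe("<script>alert(1)</script>"))  # markup rendered inert
```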
- OWASP Testing Guide – This guide is a very comprehensive resource covering many security test cases and a very handy reference guide.
- SANS Top 25 Programming Errors – Beyond the OWASP Top 10 list, SANS has published a list of the 25 most dangerous programming errors.
- OWASP API Top 10 – Application Programming Interfaces (APIs) are very commonly used these days and have some unique vulnerabilities. OWASP has published a special API Top 10 vulnerability list.
- OWASP Mobile Top 10 – Mobile applications have different sets of vulnerabilities, and some even vary based on the type of platform.
- OWASP IoT Top 10 – Today even household devices are getting smarter and more connected. Such Internet of Things (IoT) devices are prone to many vulnerabilities. OWASP has published an IoT Top 10 vulnerability list.
Why is Burp Suite needed?
Today the market for application security scanning and testing tools is developing rapidly. Countless tools are available, commercial as well as free, from various vendors, supporting different technologies and features. Most of these tools are geared toward automated scanning of software to discover vulnerabilities.
This is achieved either by triggering the scanner after spidering or crawling the target application, or by integrating the scanner directly into the DevOps pipeline.
While this is certainly a benefit and increases scanning efficiency with minimal manual intervention, there are certain vulnerabilities that can be better understood and exploited through manual testing.
Manual testing largely depends on two factors: the skills of the tester and the tool used for testing. A tool like Burp Suite goes a long way toward meeting the tooling requirements of manual testing.
It provides a powerful and flexible platform on which the security tester can efficiently discover and exploit potential vulnerabilities. Hence, for application security scanning and testing, the best approach is to combine automated and manual testing.
Burp Suite has excellent manual testing capabilities alongside an automated scanner, so it gives the tester the benefits of both manual testing and automated scanning.
Different Versions of Burp Suite
Like most of the other tools, Burp Suite comes in different forms. Different users might have different needs and one size may not fit all. Keeping in mind the varying needs of users, Burp Suite comes in three different versions.
- Burp Suite Community Edition – The Burp Suite Community Edition is the most basic version, which is free to download and use. It comes with a limited set of tools and features to get started with web application security testing. If you are completely new to application security and want to explore the basics, then the Burp Suite Community Edition is certainly a very good starting point. It does have the tools and features required for basic manual web application security testing, such as the interception proxy, tampering with and replaying requests using Repeater, encoding and decoding data, etc.
- Burp Suite Professional Edition – Once you have a very good understanding of web application security and you are regularly required to test applications as part of your profession, then the Burp Suite Professional Edition is definitely recommended. The Burp Suite Professional Edition comes with many advanced features that significantly improve your ability to find potential vulnerabilities in applications. This is the most suitable edition for individual professionals looking for excellent manual and automated security testing capabilities. Some of the advanced features include the following:
- Testing out-of-band vulnerabilities
- Advanced brute-force and fuzzing capabilities
- Quickly generating exploits for CSRF, Clickjacking, etc.
- Automated scanning for vulnerabilities
- Useful extensions to further enhance vulnerability detection capabilities
- Burp Suite Enterprise Edition – While the Burp Suite Community Edition and the Burp Suite Professional Edition are aimed at individual professionals, the Burp Suite Enterprise Edition is useful to organizations looking to integrate security scanning into software pipelines. It does not include the manual testing tools of the earlier editions. This edition is recommended for enterprises looking for a DevSecOps solution.
Main Features of Burp Suite
The Burp Suite Professional Edition comes with a wide range of features for manual penetration testing as well as for automated scanning. Some of the useful features include the following:
- Manual Penetration Testing – Intercept and tamper with requests (HTTP / HTTPS), manually test for out-of-band vulnerabilities, test web sockets, test token strength, and easily test clickjacking and Cross-Site Request Forgery (CSRF) vulnerabilities.
- Advanced Automated Attacks – Passive and active scanning to find potential vulnerabilities, and advanced capabilities to brute-force and fuzz inputs.
- Productivity – Detailed message analysis, efficient project options, tools to make code more readable, and easy and simple vulnerability reporting.
- Extensions – The Burp Suite application store (BApp Store) for installing extensions that significantly enhance the existing tool capabilities.
We'll go through the above features in more detail in coming articles.