April 28, 2016

Last Updated on January 15, 2024

Pivot Point Security is always looking to enhance its web application vulnerability assessment practice in line with both client demands and new developments across both threats and countermeasures.
For example, we recently began using a top-rated open-source web application scanner called Arachni. We chose Arachni because competitive reviews of web application testing tools consistently rated it very high on both coverage and the reduction of false positives.
This makes Arachni an ideal counterpart going forward to our front-line commercial scanner (AppSpider by Rapid7)—especially as a “second opinion” for application penetration testing clients who want periodic rescans of critical applications and/or need a remediation scan after addressing known vulnerabilities.
We’ve also recently rolled out a powerful new weapon in our web application security testing arsenal. For years now we’ve relied on the attack proxy in the Professional edition of Burp Suite. But the latest Burp Suite release offers something even better. It’s called Burp Collaborator, and it gives us an edge in detecting issues like blind cross-site scripting (XSS), server-side request forgery, asynchronous code injection and similar emerging attack vectors.
What’s great about Burp Collaborator is that it gets around some inherent limitations in most security testing scenarios:

  • Situations where a successful injection test has no detectable effect on the application; e.g., a “blind” SQL injection into an asynchronous logging function.
  • Attacks involving stored data; e.g., stored SQL injections (also called stored procedure attacks) where data is injected into a database and later read back and concatenated into an SQL query.
  • Attacks involving interactions with external systems (e.g., server-side request forgery or remote file include).

What Burp Collaborator basically does for us is provide a URL pointing at a private server that we control and on which the Collaborator runs. That server then listens for any requests for the URL we injected. This setup offers distinct security advantages over tools that rely on public third-party servers.
A further benefit is that our private server can spot not only web access attempts, but also DNS lookups against the private server’s domain. Thus, even if code injected into a vulnerable application can’t contact an external server but can still do a DNS lookup, we can still see that there was a positive injection that otherwise would’ve been invisible.
For example, say our application vulnerability assessment successfully injects a cross-site scripting exploit that isn’t triggered until an administrator looks at the application’s log three days after the test. When the attack reaches out to the Burp Suite Collaborator server, we’ll get an alert.
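As an added illustration (not Pivot Point Security's or PortSwigger's code), here is the correlation step the paragraphs above describe: each injection point gets its own unique subdomain of a callback domain we control, and any later DNS or HTTP interaction recorded by that server is traced back to the injection point that produced it, with DNS-only hits reported separately as the blocked-egress case. The callback domain `oob.example` and the one-line-per-interaction log format are assumptions made for this example.

```python
import re
import secrets

# Assumed placeholder for the private callback domain we control (not a real Collaborator domain).
CALLBACK_DOMAIN = "oob.example"

def new_token(injection_point):
    """Return (token, url) for one test. Each injection point gets a unique
    subdomain, so a DNS lookup or HTTP request seen days later can still be
    attributed to the exact parameter that was tested."""
    token = secrets.token_hex(8)
    return token, f"http://{token}.{CALLBACK_DOMAIN}/"

# Assumed interaction log format: "<dns|http> <queried-name-or-host> <source-ip>" per line.
LOG_LINE = re.compile(r"^(dns|http)\s+(\S+)\s+(\S+)$")

def correlate(registry, log_lines):
    """registry maps token -> injection point. Returns, per injection point,
    how many DNS and HTTP interactions the callback server logged for it."""
    hits = {point: {"dns": 0, "http": 0} for point in registry.values()}
    suffix = CALLBACK_DOMAIN.split(".")
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unrelated or malformed log line
        kind, host, _source_ip = m.groups()
        labels = host.lower().rstrip(".").split(".")
        # only names under our callback domain are ours; anything else is noise
        if len(labels) <= len(suffix) or labels[-len(suffix):] != suffix:
            continue
        # the token is the label directly left of the callback domain; deeper
        # labels (e.g. a resolver prefixing its own) are tolerated
        token = labels[-len(suffix) - 1]
        if token in registry:
            hits[registry[token]][kind] += 1
    return hits

def classify(counts):
    """Summarise one injection point. A DNS lookup with no HTTP request is the
    case where the target could resolve our name but not reach our server."""
    if counts["http"]:
        return "confirmed (HTTP callback)"
    if counts["dns"]:
        return "confirmed (DNS lookup only; outbound HTTP likely blocked)"
    return "no interaction yet"

if __name__ == "__main__":
    tok, url = new_token("search form, parameter q")
    print(f"inject {url} and watch the callback log for token {tok}")
```

Because tokens are attributed by name rather than by time, the same registry can be re-checked against the log after the three-day delay described above.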
Overall, we’re seeing a growing demand for application vulnerability assessment, probably because more businesses want to proactively ensure that their websites and shopping carts are secure before they become a target. To find out how our expertise in security and compliance can give you effective testing, thorough reporting and peace of mind, contact Pivot Point Security.