I will distinguish between three separate web application security scanners: OWASP Zed, w3af, and Ratproxy. Areas to be explored include ease of use, accuracy of findings, depth of information in the tool, reporting capability, and the effectiveness of any actionable information provided, along with any other pertinent criteria. This report will also compare the results, remediation advice, and reliability observed with each of the three programs.
All three web application security scanners offer templates for a wide variety of scan types. The first notable distinction between them is that Ratproxy requires the web browser to route all visited pages through its proxy, so only the pages actually visited are checked for vulnerabilities, whereas w3af and OWASP Zed perform scans and/or attacks against a specified URL or group of URLs. w3af seemed to be the least stable of the three, becoming almost unresponsive during a scan.

w3af has no capability to generate a report from its results, whether as HTML, PDF, or any other format. This is where OWASP Zed and Ratproxy excelled: their generated reports include severity level, description of the vulnerability, attack type, attack parameter, references, and solutions. Although w3af cannot create external HTML reports, its scan results still yielded a large amount of valuable information that was easy to act upon. w3af runs in both graphical and command-line modes and offers a predefined, results-driven process of fewer than five clicks in GUI mode, which I was able to reproduce without a hitch.

OWASP Zed's HTML report is massive compared to Ratproxy's and was easy to read, as the information is laid out in a very intuitive manner. Ratproxy's HTML report was much more convoluted, difficult to read, and provided far less information. Ratproxy's findings merely highlight areas of concern and are not indicative of an actual security flaw, which is probably why its HTML report was drastically smaller than OWASP Zed's. One could conclude that Ratproxy's approach would inherently lead to fewer false positives. Ratproxy is a lightweight alternative to the other two scanners and is driven from the command line. OWASP Zed is the most fully featured GUI tool of the three.
OWASP Zed's descriptions and solutions are the most insightful, and both OWASP Zed's and w3af's results provided enough depth of information to be acted upon easily.
I found OWASP Zed's and w3af's GUIs to be vastly more intuitive than Ratproxy's command-line interface, which requires more experience with the Linux command line. An audit run with Ratproxy returned the fewest results of the three scanners: five were "HIGH", two "MEDIUM", and the remainder "LOW". The most colossal report came from the open source OWASP Zed's default scan, which returned 9 high, 4,413 medium, 12,703 low, and 0 informational vulnerabilities. The open source w3af scanner offers the most extensible solution through its large library of available plugins. w3af and OWASP Zed are both cross-platform, with versions for Mac, Windows, and Linux; OWASP Zed runs in GUI mode, while w3af runs in both GUI and command-line mode on all platforms.
The depth of information available within OWASP Zed and w3af is vastly greater than that of Ratproxy. The included references are useful for devising remedial actions and security policy updates. Since every environment is different, tuning the scan profiles to the specific requirements of the web application being probed is critical to keeping the number of false positives to a minimum. The actionability of each scanner's output is commensurate with the quality of the solutions it provides, an area in which OWASP Zed and w3af excelled equally.
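As an added example (not code from this report or from any of the three projects), the script below turns a large ZAP-style report of the kind quoted above (thousands of medium and low findings) into the actionable view this section describes: it counts instances per risk level, collapses them into distinct alert types, and builds a remediation worklist that carries each alert's own solution and reference text. The report layout (site -> alerts -> instances, with riskcode, solution and reference fields) is modelled on the field names of ZAP's JSON report and is an assumption here; the sample report is constructed.

```python
# Added example, not from the original report or the ZAP project: triage a
# ZAP-style scan report by risk level and alert type. The layout (site -> alerts
# -> instances, with riskcode/solution/reference) is modelled on ZAP's JSON
# report field names and is an assumption here; the sample is constructed.
import json
from collections import Counter
SAMPLE_REPORT = json.dumps({"site": [{"@name": "http://example.test", "alerts": [
    {"name": "X-Content-Type-Options Header Missing", "riskcode": "1",
     "solution": "Send X-Content-Type-Options: nosniff on every response.",
     "reference": "https://example.test/ref/nosniff",
     "instances": [{"uri": "http://example.test/", "method": "GET", "param": ""},
                   {"uri": "http://example.test/login", "method": "GET", "param": ""},
                   {"uri": "http://example.test/about", "method": "GET", "param": ""}]},
    {"name": "SQL Injection", "riskcode": "3",
     "solution": "Use parameterised queries; never build SQL from request input.",
     "reference": "https://example.test/ref/sqli",
     "instances": [{"uri": "http://example.test/search", "method": "GET", "param": "q"}]},
]}]})

RISK_NAMES = {"0": "informational", "1": "low", "2": "medium", "3": "high"}

def load_alerts(report_json):
    # Flatten every site's alert list into one list of alert dicts.
    data = json.loads(report_json)
    return [a for site in data.get("site", []) for a in site.get("alerts", [])]

def risk_of(alert):
    return RISK_NAMES.get(str(alert.get("riskcode", "")), "unknown")

def count_by_risk(alerts):
    # Instance counts per risk level: the raw totals a 'massive' report quotes.
    counts = Counter()
    for a in alerts:
        counts[risk_of(a)] += len(a.get("instances", []))
    return dict(counts)

def count_by_type(alerts):
    # Collapse instances to alert types: (name, risk) -> affected locations.
    return {(a["name"], risk_of(a)): len(a.get("instances", [])) for a in alerts}

def remediation_worklist(alerts, min_risk=2):
    # One entry per alert type at or above min_risk (2 = medium), highest first.
    work = []
    for a in sorted(alerts, key=lambda x: -int(x.get("riskcode", 0))):
        if int(a.get("riskcode", 0)) < min_risk:
            continue
        where = sorted({(i["uri"], i.get("param", "")) for i in a.get("instances", [])})
        work.append({"name": a["name"], "risk": risk_of(a), "solution": a.get("solution", ""),
                     "reference": a.get("reference", ""), "where": where})
    return work
```

The same functions apply unchanged to a real report once its structure is confirmed against the version of ZAP in use.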
Web security scanning is a fundamental component of web application security and should be implemented by any organization seeking to improve its security posture. It is critical in today's web environment that organizations take a tougher position on securing their web applications. Used properly, web security scanners offer a detailed analysis of the potential vulnerabilities that may exist within a web application. All three scanners provided the same baseline of information, but their presentation, available scan options, quality of results, and reporting mechanisms differ vastly. Cost not being a consideration, I would choose OWASP Zed, which slightly edged out w3af due to w3af's lack of external reporting mechanisms, over the other two, as it seems to be the most fully featured web scanner with the most well-rounded and detailed reporting mechanisms, which is instrumental to security administrators in formulating remediation as well as new security policies and procedures.