Integrate business logic to get the most out of DAST
Why business logic complicates the life of (some) scanners
Today’s web applications are nothing like the static websites of yore – the code your browser loads and manipulates all the time is constantly changing in response to user interactions and the business logic of the app itself. Any modern web vulnerability scanner worth its salt has a built-in browser engine and is able to simulate user interactions, allowing it to automatically perform exploration and testing, even on highly dynamic pages.
Things get complicated when an application includes elements or sections that are only loaded in specific cases that depend on the underlying business logic. For example, a sales application might guide the user through a different sequence of approval pages depending on the value of the transaction. Without knowing this (or the ranges of values used in this specific company), an automated DAST tool has no way of telling that different values will cause the browser to navigate to a different sequence of pages with different elements and parameters to test for vulnerabilities. To scan all of these potential attack surfaces, you need a way to guide the scanner.
To access any useful functionality of the app in the first place, users and scanners must go through a company-specific authentication process. While DAST solutions like Invicti support most common authentication methods out of the box, many companies use custom authentication flows that follow their unique business logic. Again, you need a way to show the scanner how to connect securely, reliably, and according to business logic – and that’s where Invicti’s advanced features can save you a lot of time and frustration.
The Dangers of Ignoring Business Logic in Application Security Testing
Before getting into the technical details, is it really important that you think about business logic when planning your security tests? Well, regardless of actual business logic vulnerabilities (see sidebar below), following business flows through the application is crucial to maximizing coverage by identifying and testing any attack points that might appear in different use cases. If your vulnerability scanner (or penetration tester, for that matter) isn’t crawling and testing every page and element a potential attacker could access, you can’t say you’ve done everything possible to secure the application – and you put the whole company at risk.
To clarify, this article is not about business logic vulnerabilities, but about ways to incorporate business logic to explore applications and then scan them for technical vulnerabilities. Business logic vulnerabilities are a completely separate class of security issues that result from faulty business logic, not security flaws in the application itself.
Leading the way with the Business Logic Recorder
To provide an easy way to show the crawler and scanner which forms and pages are only loaded after a specific sequence of operations, Invicti Enterprise includes the Business Logic Recorder (BLR). Using BLR, you can record any number of interaction sequences which are then replayed by the Invicti crawler to ensure that subsequent tests also cover logic-dependent test targets. The BLR lets you not only record flows but also edit them, including the ability to rearrange operations and specify request timeouts, all in a convenient, fully integrated visual tool.
Broadly speaking, there are two types of business flows for which you can use the Business Logic Recorder. First, it’s common for sites to have multi-step forms that display different fields and skip or add steps depending on the values you select along the way. For example, when ordering from an online store, the shipping options available will most likely vary depending on your selections. The site may load different fields and page components depending on your region and delivery method, so to load, explore and test all possible controls, you can record multiple input sequences with the BLR.
Other times you may have parts of an application that are only accessible when specific business logic constraints are met. Continuing with the online store example, many fields in the checkout process are likely to perform validation, for example checking for valid postal codes or existing mailing addresses. A scanner can only load and test the last page of the checkout process if it provides valid values at each step. Again, preparing appropriate input sequences in the BLR can help guide the scanner through each part of the application in minutes. To learn more, visit our Business Logic Recorder support page.
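The following added example (not Invicti's code and not part of the original post) models the value-dependent approval flow and the validation-gated checkout described above as a small routing function, then measures which pages and parameters a set of input sequences actually reaches. All page names, thresholds and parameters are hypothetical.

```python
# Constructed model of a value-dependent flow; page names, thresholds and
# parameters are hypothetical, not taken from any real application.
PAGES = {
    "order":            {"amount", "postcode"},
    "confirm":          {"notes"},
    "manager_approval": {"approver_id", "justification"},
    "finance_approval": {"cost_centre", "budget_code"},
    "done":             set(),
}

def next_page(page, form):
    """Server-side routing: the business logic an external scanner cannot see."""
    if page == "order":
        if not form.get("postcode", "").isdigit():
            return None                      # validation failed, flow stops here
        amount = float(form.get("amount", 0))
        if amount >= 10_000:
            return "finance_approval"
        if amount >= 1_000:
            return "manager_approval"
        return "confirm"
    if page == "finance_approval":
        return "manager_approval"
    if page in ("manager_approval", "confirm"):
        return "done"
    return None

def walk(form):
    """Replay one input sequence and return the pages it reaches, in order."""
    seen, page = [], "order"
    while page is not None and page not in seen:
        seen.append(page)
        page = next_page(page, form)
    return seen

def coverage(sequences):
    """Return (pages reached, parameters exposed for testing, pages missed)."""
    reached = {p for form in sequences for p in walk(form)}
    params = set().union(*(PAGES[p] for p in reached))
    return reached, params, set(PAGES) - reached

# A crawler filling forms with generic values versus recorded sequences that
# pick one valid value per business range (both sets are constructed samples).
GENERIC = [{"amount": "1", "postcode": "test"}]
RECORDED = [{"amount": a, "postcode": "12345"} for a in ("50", "2500", "25000")]

if __name__ == "__main__":
    for name, seqs in (("generic", GENERIC), ("recorded", RECORDED)):
        reached, params, missed = coverage(seqs)
        print(f"{name}: {len(params)} params, missed pages: {sorted(missed)}")
```

The missed-pages set is the useful output: any page listed there carries parameters that no scan will test until a sequence reaching it is recorded.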
Configuring Authentication with the Custom Script Editor
Authentication for automated scans can be cumbersome to set up and troubleshoot. Especially with less advanced solutions that don’t provide instant feedback, your only indication of authentication issues might be that scans fail, return no results, or only work on certain pages. To save you hours of frustration, Invicti Enterprise comes with an interactive visual editor for setting up custom authentication flows. In the custom script editor, you interact with a simulated copy of your login forms to enter company-specific values and correctly navigate pages for multi-page forms.
Having a dedicated authentication flow editor not only saves you time and effort, but (most importantly) ensures that all sections of your site or application are tested for vulnerabilities. To learn more, see our Custom Script Editor blog post and Custom Authentication Scripts support page.
Besides the built-in tools for recording business logic, you also have the option of using Invicti Standard in internal proxy mode and browsing to the URLs you want to test. You can do this manually in a browser or by playing a sequence of macros from Selenium or a similar testing tool. All links captured in proxy mode will be added to the scan list and tested for vulnerabilities.
To learn more, see our proxy mining support page.
Deeper analysis reduces risk and saves you money
Automated DAST has become an essential part of any application security program, but as with anything in security, there’s a world of difference between checking the box and getting real improvements. The best modern solutions routinely debunk the myths about what DAST supposedly cannot do – and with Invicti, exploring custom business logic flows with enterprise-grade authentication is now a reality. By maximizing test coverage, you not only improve security, but you also get more value from your entire AppSec program.
Having an accurate scanner that can handle many security tests that previously required manual work means you can speed up and automate these processes to improve security while saving a lot of time and money on manual penetration testing. This is especially useful for automating the tedium of clicking through every possible business flow, as it frees up your teams to focus on more valuable and interesting tasks that really need their expertise and intuition.
So if you haven’t tested all parts of your web applications due to lack of resources, now is the time to start – and Invicti already comes with all the tools you need to do this automatically.
The post Integrate business logic to get the most out of DAST appeared first on Invicti.
*** This is a syndicated blog from Invicti’s Security Bloggers Network written by Zbigniew Banach. Read the original post at: https://www.invicti.com/blog/docs-and-faqs/incorporate-business-logic-get-the-best-out-of-dast/