Improving Web application security with automated attack toolkits

Improving Web application security with automated attack toolkits

While automated attack toolkits may pose the biggest threat to Web apps, is there a good way to use such toolkits within my enterprise for the purposes of pen testing? Or is it too risky to use such volatile tools?

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

Ask the expert!

Have questions about enterprise information security threats? Send them via email to our threats expert, Nick Lewis, who is standing by to provide answers. (All questions are anonymous.)

Yes, there are good ways to use automated attack toolkits within your enterprise. In fact, they can be used when improving Web application security; for example, during penetration testing.

You can also use automated attack toolkits to improve the IT staff’s security awareness by showing them how easy it is to compromise a system. There are significant caveats to using any security tool, but they can be used safely. To use an attack tool safely, you should understand what the tool is doing, how to limit any potential damage and how to recover from any potential damage.

Recovery could be restoring relevant systems and databases from backup, but this might be a significant effort. You can learn how to use an attack tool safely and limit damage by testing it in a non-production or test environment.  Some vendors and open source projects have test sites you can use for testing their tools. This testing could include monitoring all system and network access if that is the level of detail desired, but may not be necessary to understand the tool enough to use in a test environment. If you are not confident in your understanding of what the tool does, how to limit potential damage and how to recover from that damage, then you might not want to run the tool in a production environment.

One of the issues you might run into when running an automated Web attack toolkit that tests for SQL injection is that your database is filled with bad data from the tool testing multiple permutations to determine if the Web application is vulnerable. The attacks could also fill shared log files.

This was first published in November 2011

Back to top