CORE IMPACT Pro

Web Application Security Testing

TEST WEB APPLICATIONS AGAINST REAL-WORLD
DATA BREACH ATTEMPTS
P R O F E S S I O N A L
CORE IMPACT Pro offers the first and only automated capabilities for penetration testing web applications
and demonstrating the potential consequences of web-based attacks. With IMPACT Pro, you can safely
test web applications against actual data breach attempts on a frequent basis, without requiring advanced
IMPACT Pro’s web application security
technical skills. Leveraging the product’s Rapid Penetration Test (RPT) capabilities, you go beyond scanning testing capabilities enable you to:
to identify and interact with vulnerable web applications to expose backend data – just as an attacker could.
• identify weaknesses in web
IMPACT Pro is the only product to integrate web application penetration testing with network, endpoint applications, web servers and
and wireless testing. You can therefore confidently assess your organization’s ability to detect, prevent and associated databases
respond to real-world, multistaged information security threats.
• dynamically generate exploits that
Go beyond scanning to identify real threats and eliminate false positives can compromise security weaknesses

Mitigating web application vulnerabilities typically requires developers to rework code, so it’s critical for • demonstrate the potential
web application security testing to pinpoint actual threats and eliminate false positives. IMPACT Pro both consequences of a successful attack
identifies potential vulnerabilities and validates them against web application exploits. By revealing how
• gather information necessary for
and where a data breach could unfold and by exposing at-risk information assets, IMPACT Pro enables you to addressing security issues and
work with developers to confidently plan remediation efforts and avoid unnecessary code changes for both preventing data incidents
new and existing applications.
Successfully Testing Your
Replicate attacks that extend to backend network systems Custom Web Applications
Web applications don’t exist in a vacuum and are typically networked to other systems. Consequently, a
compromised web application can open the door to attacks on other network assets, compounding the Most web applications are custom-
built or highly specialized. Because
damage caused by the initial breach. With the addition of web application testing to its comprehensive
of the level of customization, testing
network, endpoint and wireless security testing capabilities, IMPACT Pro enables you to safely assess your applications for security vulnerabilities
security against attacks that cross all three vectors. For instance, IMPACT Pro can replicate an attack that requires the creation of unique exploits.
initially compromises a web server or end-user workstation and then tunnels to backend network systems.
Only IMPACT Pro allows you to test information security in the face of such complex attacks. CORE IMPACT Pro goes beyond web
application vulnerability scanning
by dynamically creating customized
THE WEB APPLICATION RAPID PENETRATION TEST exploits on-the-fly, which can safely
replicate data breach attempts against
CORE IMPACT Pro’s Web Application Rapid Penetration Test (RPT) reduces the time and technical skill both proprietary and out-of-the-box
required to effectively test the security of web applications. The RPT brings speed and efficiency to web apps.
the entire security testing process, allowing you to accurately and safely identify security weaknesses,
demonstrate the potential consequences of an attack, and garner information that can help you prevent Gaining Actionable Data for
actual data incidents. Web Application Risk Mitigation

Through its reporting capabilities,

Though a set of straightforward wizards, the RPT guides you through each step of the testing process:
IMPACT Pro provides security
professionals, web developers and
Information Gathering database administrators with critical
information for identifying security
During this phase, IMPACT Pro crawls through web pages and identifies URLs to test. You can specify: weaknesses, determining possible
fixes, and prioritizing remediation
• a domain or range of web pages to crawl • the browser type and version to use
efforts. IMPACT Pro maintains audit
• the link depth to crawl • any login information required to emulate an trails of all tests performed, servers and
• whether to follow links outside the specified site attack from a user with access to the web app databases accessed, and all actions
taken during testing. Like all IMPACT
IMPACT also conducts web application fingerprinting at this stage, enabling you to select and run Pro reports, web application test reports
known exploits for commercial off-the-shelf web applications, in addition to the product’s dynamically can be exported to HTML, PDF and
created exploits. other formats for further customization
and distribution.

Pivoting to Network
Security Testing
With IMPACT Pro, you can
replicate multistaged attacks
that target backend networks
after compromising web
application infrastructure.
Once a test exploit successfully
compromises a Microsoft SQL,
Oracle or DB2 server (via SQL
Injection), a web server (via PHP
RFI), or a browser (via XSS),
you can execute an IMPACT
OS Agent on the compromised
system. You can then leverage
the system as a beachhead from
which to run automated network
penetration tests against other
systems on the same network,
just as an actual attacker could.
See the IMPACT Pro Network
Security Testing data sheet for
more information.
Next Steps ...
CORE IMPACT Pro also
allows you to test the security
of your network systems,
endpoint systems and
wireless networks. Want to
learn more? Contact us today
to schedule a demonstration:
Phone: (617) 399-6980
Email: info@coresecurity.com
Headquarters
41 Farnsworth St.
Boston, MA 02210
Ph: (617) 399-6980
Fax: (617) 399-6987
www.coresecurity.com
Attack and Penetration
In addition to running packaged exploits for off-the-shelf web applications, IMPACT Pro can generate custom
Cross-Site Scripting (XSS), SQL Injection and Remote File Inclusion (RFI) attacks on-the-fly. For each, the product
first analyzes which pages identified during Information Gathering may be vulnerable. IMPACT Pro then dynamically
creates exploits to prove whether the vulnerabilities pose actual threats. These techniques are safe for production
servers since they don’t attempt to corrupt the web application.
Cross-Site Scripting
Cross-Site Scripting (XSS) threats take advantage of vulnerabilities in web applications and allow attackers to
interact with the browsers of web application users. IMPACT Pro not only identifies web page elements that allow
for URL-based, reflective XSS attacks, but it also allows the security tester to leverage those elements to demonstrate
how end-user browsers and data can be compromised. Using IMPACT Pro, you can replicate the actions an attacker
could take after a successful breach by interacting with vulnerable end-user systems.
• Alert Modules • Modify Page • User Prompt • Cookie Retriever
• Clipboard Grabber • Key Logger • Browser Fingerprinting • Install IMPACT OS Agent
SQL Injection
SQL Injection attacks inject SQL commands into web application databases through web forms, page parameters and
cookie fields. Through its vulnerability analysis capabilities, CORE IMPACT Pro safely identifies both traditional and
blind SQL injection vulnerabilities and then leverages the results to dynamically create and inject SQL queries in an
attempt to retrieve output from the SQL database.
Whenever a query successfully accesses the database, an IMPACT SQL Agent is created. Using the SQL Agent, you
can replicate the actions of an attacker through a variety of post-explotation capabilities for Microsoft SQL Server*,
MySQL**, Oracle and DB2, including:
• Read Files • View Open Ports
• Write Files • Scan Ports
• Get Database Version • Open SQL Console
• Get Database Logins • Detect Sensitive Data (payment card & social security numbers)
• Get Database Schema • Install IMPACT OS Agent (see sidebar)
*Additional MS SQL Server post-exploitation capabilities include Get Linked Servers and Enable xp_cmdshell Stored Procedure.
**MySQL post-exploitation capabilities are limited to Read Files, Write Files and Detect Sensitive Data.
Remote File Inclusion
To test web applications against Remote File Inclusion (RFI) attacks on PHP applications, IMPACT Pro dynamically
manipulates PHP templates in an attempt to retrieve commands from a remote web server. If successful, the
manipulation is recorded as an IMPACT RFI Agent. Using the Agent, you can interact with the targeted web
application to:
• Open a Command Shell - enables you to run OS commands on the web server
• Open a PHP Console - enables you to interact with the web application and server; provides access to
backend databases and programs associated with the web application
• Install IMPACT OS Agent (see sidebar)
Cleanup and Reporting
IMPACT Pro is self-contained and safe for production systems, since it does not install or run any code on
compromised web servers during testing. In the end, you gain actionable data about exploitable weaknesses,
exposed systems and data, and remediation options (see the “Gaining Actionable Data...” sidebar on page 1).
© 2009 Core Security Technologies and CORE IMPACT are trademarks of CORE SDI, Inc. All other brands and products are trademarks of their respective holders.