
WEB APPLICATION SECURITY ASSESSOR

Abstract
Web Application Security Assessor is security verification software which can be used to identify the security threats in a website or web application. The application runs as a proxy server, allowing the browser to connect to web servers via the WESA proxy. The application is divided into the following modules.
1. Proxy Server
2. Spider
3. Scan Policies
4. Request/Response Tracker
5. Session Management
6. Filter & Encoder
7. Security Vulnerability Assessment
Proxy Server
As part of this module, connection settings for a local proxy or a remote proxy have to be created. The module should allow connecting to a third-party proxy tool so that this application becomes an intermediate proxy, irrespective of any corporate proxy server.
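The two connection modes this module describes, a direct connection to the origin server and chaining through a corporate or third-party proxy, come down to how the browser's request is rewritten before it leaves the tool. The following Python example (added here for illustration; it is not code from the page or from the Java project it describes) takes a request exactly as a browser configured to use a proxy sends it (absolute-form request target), strips the proxy-only headers, and either converts it to origin-form for a direct connection or forwards it unchanged to the upstream proxy with Basic proxy credentials attached. The host names, the `ProxyConfig` class and the sample request are constructed for the example; NTLM proxy authentication, which the page also lists, is not covered.

```python
import base64
from urllib.parse import urlsplit

# Hop-by-hop headers meant for this proxy only; they are never forwarded.
PROXY_ONLY_HEADERS = {"proxy-connection", "proxy-authorization"}


class ProxyConfig:
    """Connection settings for the intermediate proxy (hypothetical class).

    upstream is None for a direct connection to the origin server, or a
    (host, port) tuple of the corporate/third-party proxy to chain through.
    """

    def __init__(self, upstream=None, upstream_user=None, upstream_password=None):
        self.upstream = upstream
        self.upstream_user = upstream_user
        self.upstream_password = upstream_password


def basic_token(user, password):
    """Credential for the Basic proxy-authentication scheme (NTLM not covered)."""
    return base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_request(raw):
    """Split a raw browser request into (method, target, version, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers, body


def rewrite_for_forwarding(raw, cfg):
    """Decide the next hop and build the request bytes to send there.

    Direct mode: the absolute-form target is converted to origin-form; a CONNECT
    only opens a tunnel, so no request bytes are produced for it.
    Chained mode: the request keeps its absolute form and goes to the upstream
    proxy, with Basic credentials added when the configuration has them.
    """
    method, target, version, headers, body = parse_request(raw)
    kept = [(n, v) for n, v in headers if n.lower() not in PROXY_ONLY_HEADERS]

    if cfg.upstream is None:
        if method == "CONNECT":
            host, _, port = target.rpartition(":")
            return (host, int(port)), b""
        parts = urlsplit(target)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        if not any(n.lower() == "host" for n, _ in kept):
            kept.insert(0, ("Host", parts.netloc))
        next_hop, request_line = (parts.hostname, port), f"{method} {path} {version}"
    else:
        next_hop, request_line = cfg.upstream, f"{method} {target} {version}"
        if cfg.upstream_user is not None:
            kept.append(("Proxy-Authorization",
                         "Basic " + basic_token(cfg.upstream_user, cfg.upstream_password)))

    head = "\r\n".join([request_line] + [f"{n}: {v}" for n, v in kept])
    return next_hop, head.encode("iso-8859-1") + b"\r\n\r\n" + body


# Constructed sample request, as a browser configured to use the proxy sends it.
SAMPLE_REQUEST = (b"GET http://app.example/login?x=1 HTTP/1.1\r\n"
                  b"Host: app.example\r\n"
                  b"Proxy-Connection: keep-alive\r\n\r\n")

if __name__ == "__main__":
    print(rewrite_for_forwarding(SAMPLE_REQUEST, ProxyConfig()))
    corp = ProxyConfig(("corp-proxy.example", 3128), "alice", "s3cret")
    print(rewrite_for_forwarding(SAMPLE_REQUEST, corp))
```

Dropping `Proxy-Authorization` before forwarding matters in both modes: credentials the browser sent for this proxy must not leak to the origin server or to the upstream proxy, which gets its own header built from the configuration.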
Spider
The Spider is a crawler program used to crawl the URLs specified in the website or web application; the crawled metadata can then be used for scanning for security vulnerabilities.
Scan Policies
Scan policies determine the different plug-ins to be made available for the purpose of scanning, such as the IIS File plug-in, Lotus Domino File plug-in, Private IP disclosure, Client Browser plug-in and Injections.
Request/Response Tracker
The Tracker is used to trap the request and response between the client browser and the web server.
Session Management
The module should facilitate session management, allowing the user to start a new session or open an existing session. It should also facilitate session tracking via cookies.
Filter/Encoder
The filtering module should provide filtering of requests and responses between the browser and the web server. Details include:
- Storing the GET and POST requests.
- Replacing request and response headers.
- Detecting insecure and malicious content, etc.
The encoder tool should allow encoding for the following:
- URL Encoding
- Base64 Encoding
- SHA-1 Hash
- MD5 Hash
Decoding for:
- URL Decode
- Base64 Decode
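The filter module and the encoder tool above fit together as a small filter chain plus a table of transformations. The Python example below is added for illustration and is not code from the page or from the Java project it describes: a `Filter` interface with request and response hooks, one filter that stores GET/POST requests, one that replaces a header, and one that flags insecure content (a `Set-Cookie` missing the `Secure` or `HttpOnly` attribute, a password form served over plain HTTP), followed by the URL, Base64, SHA-1 and MD5 encoders and the URL/Base64 decoders. The `Message` class, the filter names and the login exchange in `run_sample` are constructed for the example; only URL and Base64 have decoders because the two hashes are one-way.

```python
import base64
import hashlib
import re
from urllib.parse import quote, unquote


class Message:
    """One captured HTTP request or response (start line, headers, body)."""

    def __init__(self, start_line, headers, body=""):
        self.start_line = start_line   # "POST http://host/path HTTP/1.1" or "HTTP/1.1 200 OK"
        self.headers = headers         # list of (name, value) pairs, order preserved
        self.body = body

    def header(self, name):
        return [v for n, v in self.headers if n.lower() == name.lower()]


class Filter:
    """Hooks every filter may override; apply_filters calls them in chain order."""

    def on_request(self, req):
        return req

    def on_response(self, req, resp):
        return resp


class StoreRequests(Filter):
    """Keeps GET and POST requests so they can be reviewed or replayed later."""

    def __init__(self):
        self.stored = []

    def on_request(self, req):
        if req.start_line.split(" ", 1)[0] in ("GET", "POST"):
            self.stored.append(req)
        return req


class ReplaceHeader(Filter):
    """Rewrites one header's value on both requests and responses."""

    def __init__(self, name, value):
        self.name, self.value = name.lower(), value

    def on_request(self, msg):
        msg.headers = [(n, self.value if n.lower() == self.name else v) for n, v in msg.headers]
        return msg

    def on_response(self, req, resp):
        return self.on_request(resp)


class FlagInsecureContent(Filter):
    """Records (risk, description, evidence) for responses that weaken session security."""

    PASSWORD_FIELD = re.compile(r"<input[^>]*type=['\"]?password", re.I)

    def __init__(self):
        self.alerts = []

    def on_response(self, req, resp):
        scheme = req.start_line.split(" ")[1].split(":", 1)[0]   # "http" or "https"
        for cookie in resp.header("Set-Cookie"):
            attrs = {p.strip().split("=")[0].lower() for p in cookie.split(";")[1:]}
            if scheme == "https" and "secure" not in attrs:
                self.alerts.append(("Medium", "Set-Cookie without Secure flag", cookie))
            if "httponly" not in attrs:
                self.alerts.append(("Low", "Set-Cookie without HttpOnly flag", cookie))
        if scheme == "http" and self.PASSWORD_FIELD.search(resp.body):
            self.alerts.append(("High", "Password form served over plain HTTP", req.start_line))
        return resp


def apply_filters(filters, req, resp):
    """Run the request hooks, then the response hooks, in the order given."""
    for f in filters:
        req = f.on_request(req)
    for f in filters:
        resp = f.on_response(req, resp)
    return req, resp


# Encoder/decoder tool: the transformations listed above (hashes are one-way, so no decode).
ENCODERS = {
    "url": lambda s: quote(s, safe=""),
    "base64": lambda s: base64.b64encode(s.encode("utf-8")).decode("ascii"),
    "sha1": lambda s: hashlib.sha1(s.encode("utf-8")).hexdigest(),
    "md5": lambda s: hashlib.md5(s.encode("utf-8")).hexdigest(),
}
DECODERS = {"url": unquote, "base64": lambda s: base64.b64decode(s).decode("utf-8")}


def run_sample():
    """Constructed login exchange over plain HTTP (not real traffic)."""
    req = Message("POST http://app.example/login HTTP/1.1",
                  [("Host", "app.example"), ("User-Agent", "Mozilla/5.0")], "user=alice&pass=s3cret")
    resp = Message("HTTP/1.1 200 OK", [("Set-Cookie", "JSESSIONID=abc123; Path=/")],
                   '<form action="/login"><input type="password" name="pass"></form>')
    store, flagger = StoreRequests(), FlagInsecureContent()
    apply_filters([ReplaceHeader("User-Agent", "WESA-scan"), store, flagger], req, resp)
    return store, flagger
```

The cookie check parses the attribute names after the first `;` rather than searching the whole cookie string, so a cookie named `securetoken` does not pass as having the `Secure` attribute.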
Security Vulnerability Assessment
This module should identify the security threats present in a website or web application, based on the scan policies and the spider information. It should allow scanning multiple sites in a single instance. The generated report categorizes the security threats into High, Medium, and Low, along with suggestions for removing them. Alerts also have to be created.

Introduction:
Web Application Security Assessor is completely written in Java. Through its proxy nature, all HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified. Enable or disable the spider's POSTing of forms in the options panel to avoid generating unwanted traffic (enabled by default). Decrease the number of possible combinations crawled by the spider on forms with multiple SELECT/OPTIONS. This makes crawling less resource consuming and lowers the chance of affecting the application being scanned.
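The Spider module described earlier and the combination limit mentioned here can be shown together. The Python example below is added for illustration and is not code from the page or from the Java project it describes: an `html.parser`-based page parser collects links and forms, the crawler stays on the start host, and `form_submissions` enumerates the SELECT/OPTION values of each form as a cartesian product that is cut off at `max_combinations`, which is exactly the knob the paragraph above recommends turning down. The in-memory `SITE` dictionary stands in for HTTP fetches, and the host `app.example`, the pages and the placeholder value for free-text inputs are all constructed for the example.

```python
import itertools
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed in-memory site standing in for HTTP fetches (hypothetical host app.example).
SITE = {
    "http://app.example/": '<a href="/search">Search</a><a href="http://other.example/">Ext</a>',
    "http://app.example/search": (
        '<form action="/search" method="POST">'
        '<input type="text" name="q">'
        '<select name="sort"><option value="asc">A</option><option value="desc">D</option></select>'
        '<select name="per_page"><option value="10">10</option>'
        '<option value="50">50</option><option value="100">100</option></select>'
        '</form><a href="/about">About</a>'
    ),
    "http://app.example/about": "<p>About this site</p>",
}


class PageParser(HTMLParser):
    """Collects links and forms (with the values each SELECT offers) from one page."""

    def __init__(self):
        super().__init__()
        self.links, self.forms = [], []
        self._form = self._select = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = {"action": a.get("action") or "",
                          "method": (a.get("method") or "GET").upper(), "fields": {}}
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form["fields"][a["name"]] = [a.get("value") or ""]
        elif tag == "select" and self._form is not None and a.get("name"):
            self._select = a["name"]
            self._form["fields"][self._select] = []
        elif tag == "option" and self._select is not None:
            self._form["fields"][self._select].append(a.get("value") or "")

    def handle_endtag(self, tag):
        if tag == "select":
            self._select = None
        elif tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def form_submissions(form, max_combinations):
    """Enumerate field assignments for a form, cut off at max_combinations.

    Free-text inputs get one placeholder value; every SELECT contributes all of
    its OPTION values, so the cartesian product is what the cap keeps in check.
    """
    names = list(form["fields"])
    choices = [[v or "test" for v in form["fields"][n]] or ["test"] for n in names]
    return [dict(zip(names, combo))
            for combo in itertools.islice(itertools.product(*choices), max_combinations)]


def spider(start, fetch, max_combinations=4):
    """Breadth-first crawl limited to the start host.

    Returns the URLs discovered and the (url, method, data) form submissions a
    scanner can replay later. fetch(url) returns the page body or None.
    """
    host = urlsplit(start).netloc
    queue, seen, submissions = [start], set(), []
    while queue:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        body = fetch(url)
        if body is None:
            continue
        page = PageParser()
        page.feed(body)
        for href in page.links:
            target = urljoin(url, href).split("#")[0]
            if urlsplit(target).netloc == host and target not in seen:
                queue.append(target)
        for form in page.forms:
            action = urljoin(url, form["action"]) if form["action"] else url
            for data in form_submissions(form, max_combinations):
                submissions.append((action, form["method"], data))
    return seen, submissions
```

With the sample site, the search form has two SELECTs with 2 and 3 options, so six submissions are possible; the default cap of 4 drops the last two, which is the trade-off the paragraph above describes between coverage and load on the application being scanned.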
Purpose
Web Application Security Assessor can act as a MITM Proxy + Spider + Scanner plus anything else you want it to be. It's particularly useful for testing web applications and things such as insecure sessions.
Web Application Security Assessment is for people who need to evaluate the security of their web applications. It is free of charge and completely written in Java. Through Paros's proxy nature, all HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified.
Scope:
Proposed System features:
- Authentication support
  - support proxy authentication: Basic and NTLM support.
  - support individual server authentication.
- Session Saving
  - the site hierarchy and history can be restored from a session file.
  - better performance by use of an inline DB.
  - support testing of large sites, both in scanning and spidering.
- Better extensibility by supporting extensions and plugins
- Plugin Features
  - each plugin represents a test
  - support a knowledge base for sharing between plugins
  - support dependency check.
  - custom plugins can be created by inheriting from the different AbstractPlugin... classes.
- Spider:
  - URL crawling and form crawling. Forms will be filled with option values in limited combinations.
  - with configurable options.
  - support start/stop/resume
  - estimated % complete
- Scanner:
  - with configurable options
  - with multiple hosts/threads
  - support stopping individual hosts.
  - generated alerts can be viewed while scanning.
- Filters:
  - custom filters can be added by dropping them into the filter directory, using the Filter interface.
- New application logging support in the log directory.
- User Interface:
  - Click on a tab to maximize the working panel.
  - Support image viewing.
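The Plugin Features listed above (each plugin is a test, a shared knowledge base, a dependency check, custom plugins inheriting from an abstract plugin class) together with the scan policies and the High/Medium/Low report of the Security Vulnerability Assessment module form one small scanner core. The Python example below is added for illustration and is not code from the page or from the Java project it describes. `AbstractPlugin`, the three plugins, the `Scanner` and `report` are hypothetical names; the scan policy is simply the set of enabled plugin ids, the dependency check orders plugins after the ones they depend on and skips a plugin whose dependency is disabled, and `kb` is the knowledge base the banner plugin fills for the IIS-specific plugin to branch on. The captured responses in `SITE` are constructed.

```python
import re
from abc import ABC, abstractmethod


class Alert:
    """One finding; risk is "High", "Medium" or "Low" as in the report."""

    def __init__(self, risk, name, url, evidence, suggestion):
        self.risk, self.name, self.url = risk, name, url
        self.evidence, self.suggestion = evidence, suggestion


class AbstractPlugin(ABC):
    """Base class custom plugins inherit from; each plugin is one test."""

    plugin_id = ""
    depends_on = ()            # ids of plugins that must have run first

    @abstractmethod
    def scan(self, url, headers, body, kb):
        """Return a list of Alert for one captured response; kb is shared."""


class ServerBannerPlugin(AbstractPlugin):
    plugin_id = "server-banner"

    def scan(self, url, headers, body, kb):
        banner = headers.get("Server")
        if not banner:
            return []
        kb.setdefault("server", banner)      # shared knowledge other plugins branch on
        return [Alert("Low", "Server banner disclosed", url, banner,
                      "Remove the version string from the Server header")]


class PrivateIpDisclosurePlugin(AbstractPlugin):
    plugin_id = "private-ip"
    PRIVATE = re.compile(r"\b(?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b")

    def scan(self, url, headers, body, kb):
        return [Alert("Medium", "Private IP disclosure", url, ip,
                      "Strip internal addresses from responses")
                for ip in sorted(set(self.PRIVATE.findall(body)))]


class AspNetVersionPlugin(AbstractPlugin):
    """Hypothetical IIS-specific test: only meaningful once the banner is known."""
    plugin_id = "aspnet-version"
    depends_on = ("server-banner",)

    def scan(self, url, headers, body, kb):
        version = headers.get("X-AspNet-Version")
        if not kb.get("server", "").startswith("Microsoft-IIS") or not version:
            return []
        return [Alert("Low", "X-AspNet-Version header disclosed", url, version,
                      "Disable framework version headers")]


class Scanner:
    def __init__(self, plugins, policy, on_alert=None):
        self.plugins = {p.plugin_id: p for p in plugins}
        self.policy = set(policy)                # scan policy = enabled plugin ids
        self.on_alert = on_alert or (lambda alert: None)

    def ordered_plugins(self):
        """Dependency check: run plugins after their dependencies; skip a plugin
        whose dependency is disabled by the policy (or was itself skipped)."""
        ordered, skipped = [], []
        remaining = [pid for pid in self.plugins if pid in self.policy]
        while remaining:
            progress = False
            for pid in list(remaining):
                deps = self.plugins[pid].depends_on
                done = [p.plugin_id for p in ordered]
                if any(d not in self.policy or d in skipped for d in deps):
                    skipped.append(pid)
                elif all(d in done for d in deps):
                    ordered.append(self.plugins[pid])
                else:
                    continue
                remaining.remove(pid)
                progress = True
            if not progress:
                raise ValueError("circular plugin dependency: " + ", ".join(remaining))
        return ordered, skipped

    def scan(self, site):
        """site maps url -> (headers, body), as captured by the spider."""
        kb, alerts = {}, []
        ordered, skipped = self.ordered_plugins()
        for plugin in ordered:
            for url, (headers, body) in site.items():
                for alert in plugin.scan(url, headers, body, kb):
                    alerts.append(alert)
                    self.on_alert(alert)          # alert visible while scanning
        return alerts, skipped


def report(alerts):
    """Group findings by risk, the way the report does."""
    grouped = {"High": [], "Medium": [], "Low": []}
    for alert in alerts:
        grouped[alert.risk].append(alert)
    return grouped


PLUGINS = [ServerBannerPlugin(), PrivateIpDisclosurePlugin(), AspNetVersionPlugin()]

# Constructed sample of captured responses (hypothetical host; not real data).
SITE = {
    "http://app.example/": ({"Server": "Microsoft-IIS/6.0", "X-AspNet-Version": "2.0.50727"},
                            "<p>Welcome</p>"),
    "http://app.example/status": ({"Server": "Microsoft-IIS/6.0"},
                                  "backend pool: 192.168.10.5 and 10.0.0.12"),
}
```

Running the full policy against the sample yields two Medium and three Low findings; disabling `server-banner` in the policy makes the dependency check skip `aspnet-version` instead of letting it run without the knowledge it needs.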
Automated Process:
- Spider
- Scanner
- Trapping HTTP requests and responses
- Filter
- Session Saving
- Authentication support
- Plugin Features
Specification Requirements:
Hardware Requirements:
1. Pentium 4 with 233MHz or better
2. 256MB RAM minimum recommended
3. 800 x 600 resolution, 16 bit color (1024x768, 24 bit is recommended)
Software Requirements:
