N-Stalker Web Security Scanner Review

N-Stalker ReviewIn my quest for better and smarter security tools I came across N-Stalker Web Security Scanner. There is a free download available but, since I don’t like testing evaluation versions, I needed to find a way to evaluate the full blown Enterprise edition. I knocked on the door and both Thiago Zaninotti and Sabrina Martins from N-Stalker were very kind and granted me an 8 IP license of N-Stalker Enterprise Edition.  So this review was born out of my curiosity and an open minded vendor 🙂


The test bed consisted of Badstore.net free web application which includes the Apache web server, a Perl CGI (Common Gateway Interface) application, and a full MySQL implementation.
It is a full-featured application that uses standard coding methods and, inevitably, the most common web security vulnerabilities.

Having everything installed, I fired N-Stalker up and started the assessment.
I was expecting some sort of scan assistant / wizard and indeed, the wizard popped up .Choosing the most suitable security scan profile it’s not easy and it’s interesting to see how N-Stalker decided to split the assessment tasks.


N-Stalker approach is based on integrating security into SDLC (System Development Life Cycle) which is defined as the scope of activities associated with a system, encompassing the system’s initiation, development and acquisition, implementation, operation and maintenance, and ultimately its disposal that instigates another system initiation.

If you’ve been involved into information systems development (even developing a small web application), you know that the sooner you include security checks in the system the better. One penny spent in the early stages of design & coding can save hundreds of man hours later. NIST covers this issue very good in their Security Considerations in the Information System Development Life Cycle (PDF).

N-Stalker took the same approach when defining the scanning tasks and this can be summed up in this table:

SDLC Activities N-Stalker Scanning Policy
Initiation Phase  
Development / Aquisition Phase Development & QA 
Implementation Phase Infrastructure & Deploy
Operation / Maintenance Phase Audit & Pen-Test
Disposal Phase  

 
Scanning Policy #1 Development &QA
I chose this option and I got 3 policies to choose from:

  • Custom Designs Errors Only
  • Common OWASP Top10 Check
  • Information Exposure Analysis (Confidentiality Check Only)

 I went for Common OWASP Top10 check and the scan started right away. 18 minutes later I was informed that the scan ended and I opened the N-Stalker Report Manager to check the results.

The executive report (PDF) would make any project manager happy (or rather unhappy 🙂  38 Vulnerabilities sorted by vulnerability classes :
Policy Name: Common OWASP Top10 Check
Policy Type: Development & QA Assessment

  • Type of vulnerabilities
  • Web Server Exposure: 3
  • Custom Design Errors: 25
  • Web Signature Attacks: 0
  • Confidentiality Exposure: 5
  • Cookie Exposure: 4
  • File & Directory Exposure: 1
  • Custom Content Inspection: 0

However, the technical detailed report (PDF)  gave all the details about vulnerabilities and, very important, remediation suggestion for each vulnerability.

I would use this scanning profile while the application is still under development because it focuses more on the application itself than the hosting platform, OS, etc. We all know that testing environments (web server, application server) are not the top security priority when code is pouring in every day.

Once the development phase is over ( or at least when the project manager decides to freeze the code base:) you do care about the whole application environment and this is the moment I would use the second scanning profile of N-Stalker :

Scanning Policy #2 Infrastructure / Deploy
The testing procedure is similar to #1 but the results are different :
 
The executive report (PDF)  presented 11 vulnerabilities sorted on vulnerability types :
Policy Name: Complete Web Server Pen-test
Policy Type: Deploy & Infrastructure Assessment
Type of vulnerabilities

  • Web Server Exposure: 7
  • Custom Design Errors: 0
  • Web Signature Attacks: 0
  • Confidentiality Exposure: 0
  • Cookie Exposure: 0
  • File & Directory Exposure: 2
  • Custom Content Inspection: 0

The detailed technical report (PDF) presents remediation suggestions because, in order to pass the user acceptance tests, the application server admins must fix any single vulnerability.  Let’s just hope that the application developers have a good change management and versioning system in place which will prevent other bugs to creep in after the code freeze!

And the big day comes and the application is released and everybody is concerned only about Champaign overflows in their glasses (yeah, I wish). Now the application moves into the maintenance phase of the SDLC. This also means undergoing periodic security audits which everybody loves / hates to experience or to endure.

Lucky for the security staff, N-Stalker has a 3rd Scanning Policy: Audit & Pen-Test: This policy combines all the security checks from the previous two policies. You get the most complete security scan and you have a consistent report to present to the auditor.
 
The executive report (PDF) presents the 42 vulnerabilities sorted by vulnerability type:
Complete Pen-test Assessment
Policy Type: Audit & Pen-Test Assessment
Type of vulnerabilities

  • Web Server Exposure: 7
  • Custom Design Errors: 26
  • Web Signature Attacks: 0
  • Confidentiality Exposure: 3
  • Cookie Exposure: 2
  • File & Directory Exposure: 2
  • Custom Content Inspection: 0

The technical report (PDF) as always gives details and remediation suggestions about every vulnerability which was found. Of course one can create new security scanning policies either form scratch or by modifying an existing one. N-Stalker offers the possibility to create new security checks in an intuitive way. You just need to know what you want to check and a helpful wizard assists you completing this task.

At any moment of the scan you can pause it and resume it later which I found very helpful because as a security auditor you might run out of time during the maintenance window assigned by the operations department and it’s nice to know that you can resume the scanning at a later time.

Because every coin has two sides, I will present two things I found missing in N-Stalker.

1. Lack of additional tools.
During my web application assessments I rarely rely on automated scanners alone. There are many times when I prefer to manually continue the attack starting where the scanner left it. And for that you need tools such as encoders, fuzzers, custom proxies, cookie crunchers etc. I would love to see this tool collection in N-Stalker.

2. No support for Web Services. Web 2.0 is here to stay and many applications are built on web service powered consumer / provider architecture.

As a wrap-up of my review, I would like to point out that N-Stalker is a great tool for every day’s security tests. It’s packed with lots of features which will make your job easier. For instance it can go beyond the login screen of an application thanks to its smart authentication procedure which supports pre-recorded username/password pairs as well as digital certificates.

The SDLC integration will definitely prove beneficial on the long term, should you decide to use it, because you can tailor your security checks according to the development phase of the project. And this saves money and time.

At some point you will need to dynamically alter a cookie / form parameter / request header, etc in a way that it looks harmless to the application syntax validation but it’s devastating for the application layer.You can manage to record specific attack scenarios and have it played automatically. You can create manual URL scripts through manual policy configuration or wizard-based policy configuration.

However, the web app penetration tester must continue alone from where N-Stalker stops. I don’t think that there will ever be a tool to replace the long hours of manual labor during a web application penetration test. For instance, you can check the badstore.net complete (well.. almost complete) list of vulnerabilities here (PDF). Many of these vulnerabilities have been discovered by hand.

Sometimes your arsenal resumes to a browser, a proxy and your own brain. But it sure would have helped to do an N-Stalker scan first 🙂

I would like to thank Thiago and Sabrina for the opportunity to test N-Stalker Enterprise Edition. You can download an N-Stalker evaluation version for free and I encourage you to do this and test it for yourself.

Or find a way to get the Enterprise edition for free like I did 🙂



Thank you for reading this post. You can now Leave A Comment (0) or Leave A Trackback. Print This Post Print This Post


Subscribe without commenting


Leave a Reply

Note: Any comments are permitted only because the site owner is letting you post, and any comments will be removed for any reason at the absolute discretion of the site owner.

CommentLuv badge