SendToTestPositive
About Test Positive, Send-To-Test-Positive
The Test Positive AppScan Vulnerability Viewer and Analyzer was created by Paul Ionescu, an engineer on the Watchfire Technical Support team, to make it easier to analyze and examine the false positive text files that Watchfire customers send in through the "Report False Positive" functionality. The initial release was only a simple viewer that replicated the look and feel of the AppScan GUI components displayed for each issue under the Request\Response tab; with each build, however, new features such as response comparison and regular expression search were added, and the application quickly became indispensable.
Screenshot
How does it work?
There are three main ways in which you can use Test Positive.
This is the primary purpose for which the application was designed. False positive or false negative report text files can be rendered and validated with the help of the tool. The following screenshots compare the raw text of a false positive report for a Blind SQL Injection vulnerability displayed in Notepad with the same report loaded in Test Positive.
Test Positive is not limited to False Positive reports. The tool can be used to view any vulnerability outside AppScan. The most common use case is a security expert wanting to demonstrate a vulnerability to a developer who doesn't have AppScan installed. The auditor can simply click the Send to Test Positive menu item added by the Test Positive Extension, save the report in a convenient location, zip the Test Positive executable together with the report, and e-mail the package to the author of the vulnerable web application.
The Send to Test Positive Extension enhances the AppScan GUI with all the Test Positive features, making vulnerabilities easier to understand and validate. It also provides a convenient way, via the Save As link, to send false positive reports to Watchfire Technical Support for customers who do not have an e-mail client installed on the testing server.
Features
Here is a list of the features of Test Positive, with examples of how they can be put to use:
This feature allows Test Positive to separate the different test requests of complex attacks such as Blind SQL Injection or Inadequate Account Lockout. Take the Inadequate Account Lockout attack, for example. This attack is composed of 13 repeated test requests. First AppScan sends one request with the correct credentials, then it sends 11 requests using W0tchf1r instead of the correct password, and finally it sends the correct credentials one more time. It then compares the first and last requests against each other, and against the last request that used the W0tchf1r password, in order to establish whether the account was locked out after 11 unsuccessful attempts. Test Positive parses the test traffic and identifies and separates each of these requests, allowing the user to visualize each step AppScan performed in establishing this vulnerability.
Test Positive contains a convenient way to display messages to its users without disrupting their work: the Information Bar. If the message is too long simply hover your mouse over the yellow band and you can see the entire message in an informational balloon.
All test requests are automatically compared to the original request and the differences are highlighted in red, so one can easily see how AppScan mutated the request and performed the attack. Responses can also be compared against each other by clicking the compare link in the top right corner. After the comparison is complete, the Information Bar displays the similarity factor of the two responses. The Next Diff link allows the user to cycle through the identified differences.
Although highlighting the difference is a great help, sometimes the difference is URL encoded and hard to read. Using the URL Decoding feature available through the Test Positive context menu, the user can clear the encoded characters and easily understand what the payload actually means. The tool also contains a Base64 decoding function, should anyone want to see what is encoded in a Viewstate parameter, for example.
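As an added illustration (not Test Positive's own code), the following Python sketch does on a constructed sample report what the request-separation, comparison and decoding features above describe: it splits the report into its individual request/response messages, extracts the fragments AppScan mutated in each test request (what the viewer paints red) together with their URL-decoded form, computes a similarity factor between two responses with difflib, and Base64-decodes a __VIEWSTATE field. The "=== <label> ===" block markers, the sample traffic and the function names are assumptions; the page does not show the real report layout.

```python
import base64
import difflib
import re
from urllib.parse import unquote_plus
# Constructed sample report (the real file layout is not on the page); blocks begin with "=== <label> ===".
SAMPLE_REPORT = """\
=== Original Request ===
POST /login HTTP/1.1

user=alice&pass=secret&__VIEWSTATE=ZGVtbw%3D%3D
=== Original Response ===
HTTP/1.1 200 OK

<html>Welcome alice, you have 3 new messages</html>
=== Test Request 1 ===
POST /login HTTP/1.1

user=alice&pass=secret%27%20AND%20%271%27%3D%271&__VIEWSTATE=ZGVtbw%3D%3D
=== Test Response 1 ===
HTTP/1.1 200 OK

<html>Welcome alice, you have 3 new messages</html>
=== Test Request 2 ===
POST /login HTTP/1.1

user=alice&pass=secret%27%20AND%20%271%27%3D%272&__VIEWSTATE=ZGVtbw%3D%3D
=== Test Response 2 ===
HTTP/1.1 200 OK

<html>Login failed</html>
"""
def split_report(text):
    """Separate the report into {label: raw HTTP message}, in file order."""
    parts = re.split(r"^=== (.+?) ===\n", text, flags=re.M)
    return {parts[i]: parts[i + 1].rstrip("\n") for i in range(1, len(parts), 2)}

def mutated_fragments(original, test):
    """(raw, URL-decoded) fragments AppScan inserted or changed in a test request."""
    sm = difflib.SequenceMatcher(None, original, test, autojunk=False)
    return [(test[j1:j2], unquote_plus(test[j1:j2]))
            for tag, _, _, j1, j2 in sm.get_opcodes() if tag in ("insert", "replace")]

def similarity(resp_a, resp_b):
    """Similarity factor of two responses in 0.0..1.0 (identical = 1.0)."""
    return difflib.SequenceMatcher(None, resp_a, resp_b, autojunk=False).ratio()

def decode_viewstate(request):
    """Base64-decode the __VIEWSTATE form field of a request body (URL-decoded first)."""
    fields = dict(kv.split("=", 1) for kv in request.split("\n\n", 1)[1].split("&"))
    return base64.b64decode(unquote_plus(fields["__VIEWSTATE"])).decode()
```

In the sample, the true-condition test response is identical to the original (factor 1.0) while the false-condition one differs, which is the kind of comparison a Blind SQL Injection report relies on.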
Test Positive gives you the possibility to preview the test or original responses in Internet Explorer in order to better visualize the modifications caused by the attack.
The search feature allows the use of regular expressions. By default Test Positive will search the test response for the validation string, where available, and highlight it on file load.
AppScan Enterprise traffic information can also be imported into Test Positive.
Drag & drop a False Positive Report text file over the Test Positive icon in order to conveniently load that file into the tool.
Vulnerabilities can easily be sent to Test Positive from the Issue context menu using the Send to Test Positive menu item. This action exports the traffic information to a text file in the temporary folder and runs Test Positive with that file as an argument. This works provided that the Test Positive executable is located in the %userprofile%\Application Data\Watchfire\AppScan\Extensions\Send-to-Test-Positive folder and is named test_positive.exe. This is usually set up automatically for you when you install the extension.
Installation
Test Positive comes as a standalone executable. To work correctly it needs the .Net Framework 2.0, which is usually installed along with AppScan. The Test Positive extension is also very easy to install using AppScan > Tools > Extensions > Extensions Manager.
Building this eXtension
In order to build this eXtension, you will need Visual Studio 2005 installed on your machine, and then you should follow these steps:
That's it, the zipped file is now ready to be loaded into AppScan as an eXtension (Tools->Extensions->Extension Manager).