Ever since the Internet took off from its humble beginnings as a simple connection between the two networks of UCLA and Stanford for educational purposes, it has increasingly been used by the global population as a means of communication, commerce, charity and much more. The myriad ways of utilizing the Internet backbone all require software engineering of web-enabled applications (webapps). A new product from High-Tech Bridge SA called ImmuniWeb® performs webapp security assessments. If you’re like me, you’re probably thinking that this is just another webapp vulnerability scanner, but hang on! It provides an innovative hybrid approach along with some really creative additional modules for assessing security beyond just the webapp. Why would we need such a hybrid approach?
Critical systems are being moved to the Internet by every industry, each of which now requires diligence to ensure its own existence. Education uses the Internet to evolve learning platforms and make enrollment more efficient. The media industry uses the Internet for everything from personal blogs to content delivery of every type. Commercial industry utilizes it for everything from customer service to revenue collection; banking for everything from account management to funds transfer; communication for both voice and data. Government is using technology to… well, let’s not turn this into a political argument. Let’s just take a detailed look at this unique new offering and how it can help the security posture of your entire organization regardless of the industry to which you belong.
Before we dive into the details of this product, let’s take a quick look at the company behind it. High-Tech Bridge SA (HT Bridge) is a relatively young company, having started in 2007 with just a couple of employees. Today, they employ over 25 people and have a considerable client base including private companies, government agencies, and international organizations. The services offered by High-Tech Bridge include security auditing, security consulting, penetration testing, source code review, training, malware analysis, and cybercrime investigation. In 2012, Frost & Sullivan recognized High-Tech Bridge as one of the market leaders and best service providers in the ethical hacking industry. And in 2013, the Online Trust Alliance (OTA) used ImmuniWeb to score points in the ranking of nominees for the OTA 2013 Honor Roll. High-Tech Bridge has been earning some great accolades for their service offerings, and the ImmuniWeb product is no exception.
So what is ImmuniWeb? It’s a multi-faceted web security assessment SaaS product that includes a highly intuitive user portal, a web vulnerability scanner, and real people (called ‘auditors’) that all combine to provide a hybrid approach to identifying vulnerabilities within your web application and beyond. As a user of the product, the ImmuniWeb Portal is your interface for creating new projects, i.e. web applications to be assessed. You have the ability to schedule your projects, follow the project status, and create support tickets, among other tasks. The web scanner is a proprietary High-Tech Bridge tool used to perform the automated vulnerability scanning of the web application. So far, this probably sounds similar to most other cloud-based web application vulnerability scanners. Here’s where it starts to get different. In addition to the automated testing, High-Tech Bridge also assigns dedicated resources, called ImmuniWeb Auditors, to your projects. These experts, each having years of professional web security experience, perform manual penetration testing of the web application at the same time the automated scan is taking place. This allows High-Tech Bridge to validate findings and provide a zero false-positive guarantee for their report. Unlike other web vulnerability scanners that just spit out lots of information, each of these reports is custom tailored by your assigned auditor and includes POC code for each vulnerability along with the vulnerability details and remediation information you would expect. But wait! There’s more!
ImmuniWeb also includes some additional modules for protection beyond your web application. The Vulnerability Database Monitor (VDB) performs an extensive search for known vulnerabilities within commercial and open source content management systems. The SSL Certificate Monitor can identify weaknesses and misconfigurations in your SSL implementation. A Hacking Resources Monitor will scour the Internet underground and known hacking hangouts for any information about your website as a target for attacks or malicious activity. And the Phishing Monitor will alert you to registered domain names similar to yours that may be used in phishing attacks. All of this information is wrapped up and included in a single report to provide excellent value for managers, executives, and technical folks.
When we first log in to the ImmuniWeb portal, we see Customer Details and Control Panel links on the left-hand side. The main portion of the page presents the first step in creating a new project and asks for details such as target URL, hosting type, and authentication.
Fig. 1 – ImmuniWeb Control Panel
The next important step is validating your ownership or authorization to conduct the security testing of the target domain and that you agree with the Terms of Service to use the product. Important: ALWAYS obtain written and signed legal permission in an authorization letter before performing security testing.
Fig. 2 – Project Step 2 (Ownership Confirmation)
We can now schedule our assessment. All assessments will run up to, and intentionally no longer than, 12 hours. HT Bridge, through their extensive testing, has determined that they can identify all common vulnerabilities of an average SMB website within this timeframe. As of right now, while the product is still in beta, testing can only be scheduled Monday – Friday, up to 90 days in advance, and testing always begins at 0900 CET/CEST (GMT+1/+2). Additional schedule flexibility will be available in the future.
The ImmuniWeb FAQ page says that different timeframes are also possible upon request to Support.
Fig. 3 – Project Step 3 (Assessment Schedule)
Next we move onto summary and payment. The cost of an ImmuniWeb assessment is CHF 599 (or ~ $630 USD). In comparison to traditional web vulnerability scanner licensing, this cost is more than reasonable for what you are getting. Moreover, if we add 12 hours of manual penetration testing and 8 hours of human work on the report, the price becomes very competitive.
Fig. 4 – Project Step 4 (Payment)
Once we’ve verified the summary details are correct and submitted payment, our assessment is scheduled, and we are taken to the project status page. Here we can see the current stage of the project, when each piece of the assessment is started and completed, and download invoices and reports.
Fig. 5 – Project Details
Once we have submitted our project(s), it is just a matter of time waiting for the assessment date and project completion. Prior to starting the assessment, auditors will ensure that the target web application is live and accessible on the Internet. If it is not, the auditor assigned to your project will open a support ticket through their online system within the portal. You will be automatically notified via email of support ticket updates. The email will include the body of the trouble ticket, so you will be able to read the response directly in your email without having to first log in to the portal. It’s also worth noting here that the support personnel were quick to reply to my tickets or responses submitted during testing – getting back to me as quickly as ten minutes but commonly up to one hour.
Fig. 6 – Support Ticket Listing
Fig. 7 – Support Ticket Creation
Fig. 8 – Project Listing
Once the assessment has been completed, the auditor will send an email to notify you. At this point, you will be able to access and download the report. This report is available to you for a period of 60 days, after which it will be deleted and not recoverable. So make sure you download your report and keep it in a safe place.
ImmuniWeb in Action
We now know about the company and the product, and we’ve just seen a brief example of the ImmuniWeb interface. At this point, you’ve either seen enough or, more likely, you want to know how well this assessment performs. What good is a product review if it isn’t put to the test? Lucky for you, we’ve done just that.
As you can see in the screenshots above, we ran a few different assessments utilizing ImmuniWeb. These first few were targeted at some common web vulnerability frameworks used to test the capability of web application vulnerability scanners. This was an oversight on my part as I originally had the impression that I was testing a web vulnerability scanner – which, as we’ve seen, is not completely the case. We did allow one of these initial tests to complete, the OWASP ZAP WAVE which is part of the OWASP Broken Web Applications Project. I am pleased to say that ImmuniWeb had a 100% detection rate for that test application. All vulnerabilities were successfully identified and reported. Since this was a very controlled test within a lab environment, we decided to try this out on a live and established website to see the full power of the ImmuniWeb assessment including the additional modules.
For this test, we targeted the website belonging to the Cyber Security Forum Initiative (CSFI). After getting proper permission, the project creation steps above were followed and the assessment scheduled. Let’s take a look at what was found…
ImmuniWeb in the Real World
As with most reports, we are given a cover page with the date of the assessment and some additional details. The introduction provides a summary of the ImmuniWeb tool and the assessment framework used while performing the test. We’re then provided with an overview of findings and some nice graphs.
Fig. 9 – ImmuniWeb Report Cover
Fig. 10 – Assessment Overview
Fig. 11 – Vulnerability Statistics Charts
We can easily see that the results show zero critical or high risks, but that 9 medium-risk vulnerabilities were identified during the assessment, all of which are Cross-Site Scripting (XSS) vulnerabilities. For each identified vulnerability, we are shown a table that includes the technical findings and information about the vulnerability, POC code to exploit the vulnerability, and remediation suggestions.
Fig. 12 – Vulnerability Details
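The report’s XSS entries pair a reflected parameter with a remediation suggestion. The following is an added example written for this review, not code from ImmuniWeb or from the CSFI site: it models the class of finding (a user-supplied value echoed into a page) as a deliberately vulnerable renderer beside its hardened form, so the remediation the report recommends, contextual output encoding, is concrete. The function names, the sample probe string and the URL-scheme check are assumptions of this example.

```python
"""Reflected XSS: an unsafe HTML renderer beside its hardened form.

Added example for the review; not ImmuniWeb's or the target site's code.
Function names, the constructed probe string and the link-scheme rule
are assumptions of this example.
"""
import html
from urllib.parse import quote

# Constructed probe of the kind a scanner reflects back to prove injection.
# Used here only to show that the hardened renderer neutralises it.
SAMPLE_INPUT = "<script>alert(1)</script>"


def render_search_unsafe(query: str) -> str:
    """Vulnerable 'before' state: raw input concatenated into HTML."""
    return f"<p>Results for: {query}</p>"


def render_search_safe(query: str) -> str:
    """Hardened: HTML-escape for element content, so markup becomes text."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def render_link_safe(label: str, target: str) -> str:
    """Hardened attribute context: percent-encode the href value, escape
    the visible label, and only accept absolute http(s) URLs so that a
    value carrying another scheme cannot become an executable link."""
    if not target.lower().startswith(("http://", "https://")):
        raise ValueError("only absolute http(s) URLs are allowed in links")
    href = html.escape(quote(target, safe=":/?&=#"), quote=True)
    return f'<a href="{href}">{html.escape(label, quote=True)}</a>'


def looks_reflected_unescaped(page: str, probe: str) -> bool:
    """Regression check: does the probe come back byte-for-byte (unencoded)?
    True means the page still has the reflection defect."""
    return probe in page


if __name__ == "__main__":
    print(render_search_unsafe(SAMPLE_INPUT))  # still contains the raw probe
    print(render_search_safe(SAMPLE_INPUT))    # probe rendered as inert text
    print(render_link_safe("Home", "https://example.com/?q=<x>"))
```

The `looks_reflected_unescaped` check is the kind of assertion you can keep in a unit test after applying the remediation, so the fix does not regress when the template is edited later.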
For the additional modules included, ImmuniWeb came up with some interesting information. The CSFI website does not appear to be using a standard CMS and currently does not have an SSL certificate installed, so the Vulnerability Database Monitor and SSL Certificate Monitor came up empty. The Hacking Resources Monitor, on the other hand, came up with a few links, including a Twitter post highlighting one of the XSS vulnerabilities from someone known as “thadeus zu,” and a LulzSec mention on Pastebin. The Phishing Monitor also yielded some interesting results: registered domains that are similar to the target’s and could possibly be used for phishing attacks.
Fig. 13 – Vulnerability Database Monitor results
Fig. 14 – SSL Certificate Monitor results
Fig. 15 – Hacking Resources Monitor results
Fig. 16 – Phishing Monitor results
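The Phishing Monitor’s value is in flagging registrations that are close typographic or visual variants of your domain. The following is an added example written for this review, not High-Tech Bridge’s code: it shows the general detection logic behind such a monitor, scoring a constructed feed of newly registered domains against a protected domain using typo-variant generation, a brand-substring rule and edit distance. The feed, the homoglyph table, the thresholds and the single-label domain split are assumptions of this example.

```python
"""Look-alike domain detection, in the spirit of the Phishing Monitor.

Added example for the review, not ImmuniWeb's code. The feed below is
constructed; the homoglyph table, thresholds and the assumption that a
domain is one label plus a TLD are simplifications of this example.
"""
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample feed. A real deployment would read newly registered
# domains from a zone file or a registration feed.
NEW_REGISTRATIONS: List[str] = [
    "example.com", "exampel.com", "examp1e.com", "exarnple.com",
    "example-login.net", "unrelated.org", "examplle.com", "rnexample.com",
]

# Visually confusable substitutions (ASCII-only subset, an assumption).
HOMOGLYPHS: Dict[str, List[str]] = {
    "l": ["1", "i"], "i": ["1", "l"], "o": ["0"], "m": ["rn"], "e": ["3"],
}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; cheap enough to compute per candidate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def variants(label: str) -> Set[str]:
    """Typo variants of a label: omission, repetition, transposition and
    single homoglyph swaps. The protected label itself is excluded."""
    out: Set[str] = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])                 # omission
        out.add(label[:i] + ch * 2 + label[i + 1:])        # repetition
        if i + 1 < len(label):                             # transposition
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        for g in HOMOGLYPHS.get(ch, []):                   # homoglyph
            out.add(label[:i] + g + label[i + 1:])
    out.discard(label)
    return out


def split_domain(domain: str) -> Tuple[str, str]:
    """Assumes 'label.tld'; subdomains are out of scope for this example."""
    label, _, tld = domain.lower().partition(".")
    return label, tld


def classify(protected: str, candidate: str, max_distance: int = 2) -> Optional[str]:
    """Return a reason when candidate looks like protected, else None."""
    p_label, _ = split_domain(protected)
    c_label, _ = split_domain(candidate)
    if candidate.lower() == protected.lower():
        return None
    if c_label == p_label:
        return "same label, different TLD"
    if c_label in variants(p_label):
        return "typo/homoglyph variant"
    if p_label in c_label:
        return "brand embedded in label"
    distance = levenshtein(c_label, p_label)
    if distance <= max_distance:
        return f"edit distance {distance}"
    return None


def find_lookalikes(protected: str, feed: List[str], max_distance: int = 2) -> Dict[str, str]:
    """Map each suspicious registration in the feed to the reason it matched."""
    hits: Dict[str, str] = {}
    for domain in feed:
        reason = classify(protected, domain, max_distance)
        if reason:
            hits[domain] = reason
    return hits


if __name__ == "__main__":
    for domain, reason in find_lookalikes("example.com", NEW_REGISTRATIONS).items():
        print(f"{domain:20s} {reason}")
```

Each matched domain carries the rule that fired, which is what an analyst needs to triage the alert: a homoglyph hit deserves a different response (takedown request, mail-gateway block) than a brand-in-label hit that may be a legitimate partner or reseller.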
Not only are the additional monitors something not seen in other products, but all of the various components of the report are also presented together nicely in a format that is clear and easy to follow. This makes life easier, as it lends itself to communicating efficiently with everyone inside your organization involved in the project when deciding on remediation or acceptance of risk.
Overall, the ImmuniWeb product appears to be a strong contender in the web application security assessment space. It’s a good bang for the buck, and customers will definitely get a lot of value from the hybrid testing approach provided by the proprietary, automated scanning tool in addition to the manual penetration testing of the web security auditors. The reporting is very straightforward and easy to follow for non-technical higher-ups and technical geeks alike. Knowing that all findings have already been validated and no false-positives are included is a great bonus for someone on a compressed schedule.
When it comes to typical and standard web applications in the SMB space, this is certainly a product worth considering. I would recommend ImmuniWeb by High-Tech Bridge to managers or internal security personnel on a tight budget who need a good, quality web application assessment conducted. ImmuniWeb also makes for a cost-effective way to verify the findings of your own security assessments.
On the flip side, the ImmuniWeb product, in its current offering, doesn’t quite have the scalability for larger enterprise or very complex web applications. In my experience of testing larger web applications with various roles and many complexities involved, both time to test and test thoroughness increase significantly. The information on the ImmuniWeb website supports this by stating the product is primarily intended for the SMB space but also suggests that larger enterprises could use this solution as an efficient decision-making tool prior to conducting more robust tests. I fully agree and think that while this may not be an in-depth assessment for a large application, it will certainly provide a good baseline and value to the customer.
I hope you enjoyed the review and appreciate the utilization of both standard testing procedures as well as performing an assessment on a live site. Please keep in mind that although no flaws were found in the operation of the product itself, this is a beta offering. For more information or to contact High-Tech Bridge directly, please use the links provided within the review article itself. As always, feel free to use the forums connected to this article for any additional questions you might have or to share your thoughts.
Bill Varhol (MCSE+S, OSCP, OSWP, GPEN et al) is a 14-year veteran of the industry having worked for multiple organizations in varying sectors including Greenpath Debt Solutions (Non-profit/Finance), Defense Finance and Accounting Service (Government), KPMG (Consulting Firm), and his current role with AlixPartners (Consulting Firm). Since childhood, Bill has been building computers, poking around websites, troubleshooting problems, and enjoying every minute of it all. He realized his interest in computer security from the beginning and has successfully managed to make a professional career out of it. He regularly conducts vulnerability assessments, limited-to-full scope penetration tests, and provides InfoSec consulting services in his current role. He has also helped shape the ethical hacking landscape by being a board member of a certification organization for several years. Bill lives in Michigan with his family and enjoys spending time with his children when not busy breaking things.