Web application attacks are increasing in number and growing in sophistication. To support today's digital world and business processes, web applications, APIs and mobile apps are growing in number and scale. Cyber-attacks are increasing in the web layer in particular, because it presents an easy target for attackers. Vulnerabilities such as Command Injection, Server-Side Request Forgery, Cross-Site Scripting, and XML External Entities are some common examples.
Currently, there is no common industry standard for a web security payload template, nor an approach that the security community, researchers and companies can contribute to and rely on for testing web applications, APIs and mobile apps.
This project will build a single, standard open source application security repository and toolset, developed collaboratively. Although various open source and commercial web security scanners are available, this project can benefit a range of IT industries, including Singaporean industries such as MedTech, FinTech and GovTech. Start-ups and Small and Medium Enterprises (SMEs) in particular can use this readily available and validated open source tool to scan web apps for security vulnerabilities using a standard approach and with payloads kept up to date by the security community.
The team has designed the OAVL (Open Application Vulnerability Language) format, which captures all the essential information about an attack vector, and the ASAP tool, which allows target users (researchers and security analysts) to generate custom payloads by filling in the fields provided by the OAVL Translator, a form that converts all inputs into the standardized format. Contributed attack vectors are stored in the ASAP repository and become accessible to users after validation through an admin panel.
An assessment tool has also been developed, with which users can apply payloads from the repository to scan web applications for vulnerabilities and obtain a vulnerability assessment report. The tool includes a crawler that walks through all reachable web pages under the source URL being assessed.
To encourage contributions to the repository, an authentication system has also been implemented, allowing users to register with ASAP or to sign in with their Facebook or Google credentials. This feature could serve as the base for a future reward system in which users gain points based on their contributions.
As an open source collaboration project, ASAP will enable quicker assessment of web application vulnerabilities, since its repository of payloads expands through contributions from people around the world. These may include the most recent and complex threats, which can then be used to detect vulnerabilities in web applications. Additionally, when scanning for threats, users will learn which injection points of a web application are most vulnerable and most commonly targeted by cyberattacks. This understanding helps them fix the vulnerabilities, eventually leading to fewer cyberattacks and fewer compromises of sensitive data.