Web application vulnerability scanners are a necessary evil when it comes to achieving a rough baseline or some minimum level of security. While they should never be used as the only testament of security for an application, they do provide a level of assurance above no security testing at all. For the security professional, they serve as another tool in the toolbox. All web application scanners are different and some require finer tuning then others. A common question with IBM's AppScan is, "How do you configure it to test only for privilege escalation issues?" In this post, we'll walk you through the steps!
Privilege escalation testing comes handy during authorization testing, when you're looking to tell if one user is authorized to access data or perform actions outside of their role.
PrerequisiteYou're first step is to run a post authentication scan with a higher privilege user. In this example, we'll use "FSTESTADMIN". Ideally you'll use a manual crawl so that maximum URL’s are covered.
ConfigurationOnce the post-authentication scan is complete, follow configure App Scan as follows:
- Open a new scan and go to "Scan Configuration"
- Go to Login Management and record the login with lower privilege user (Say "FSTESTUSER")
- Go to "Test" then "Privilege Escalation" and browse the scan file created previously (scan file for "FSTESTADMIN")
- Go to Test Policy, using (CTRL+A) select all tests and uncheck them
- In the find section type “escalation” and select all the privilege escalation checks
This usually creates lots of false positives as App Scan checks for URL’s in the higher privilege scan using the authentication credentials of a lower privilege user. Any URL/pages which are common to both the user will be reported as an issue (false positive in this case).