Audit Your Web Applications with AVA

AVA exposes vulnerabilities like a magnifying glass finding flaws

Hosting a web application is an excellent way to expose useful services to the public, but it comes at a cost: vulnerabilities in your web apps could allow attackers to access important systems, endangering your customers and your business.

The Indeed Security team developed Another Vulnerability Auditor (AVA) to address this problem. By using AVA to automate application scans, we can continuously monitor production and QA systems for potential vulnerabilities. And, because we have released it as an open source tool, you can use it to monitor your applications as well.

How does it work?

AVA scans a set of application endpoints, defined in HTTP Archive (HAR) format. The HAR file catalogs the URL, headers, cookies, and POST data for HTTP requests. AVA uses this information to model endpoints and scan them using a combination of auditors and checks.

Auditors

Auditors determine the HTTP elements that AVA audits. These include URLs, headers, cookies, and POST data.

Type What does it audit?
Cookie Individual cookies in the Cookie request header
Header Most request headers
JSON JSON data in the request body
Multipart Multipart form data in the request body
Parameter Parameters in the URL query string and request body
Response Aspects of a response (passive audit)
Text Plain text data in the request body
URL Request URL

Checks

Checks determine the types of security vulnerabilities AVA checks. These include cross-site scripting, open redirects, SQL injection, and shell injection.

Type What does it check for?
Code injection Code injection in Python’s pickle and eval statements
Header injection Header injection in responses
Open redirect Open redirects to arbitrary URLs
Path traversal Path traversal on the local filesystem
Shell injection Shell injection in Bash statements
SQL injection SQL injection in database queries
Cross-site scripting HTML and JavaScript injection in responses
XML external entity XML external entities in XML documents
Personally Identifiable Information (PII) Email addresses, credit cards, and Social Security numbers

How can I use it?

We designed AVA for use within automated systems. We automate AVA with Docker Swarm and Jenkins. However, you can use AVA anywhere Python can be installed.

Use in Docker Swarm

Indeed’s Security team uses Docker Swarm to automate AVA and scan public-facing applications daily. This allows us to identify vulnerabilities shortly after they are introduced. The pipeline has three components:

  • Enricher combines data from sources, such as WES, into endpoint definitions
  • Scheduler maintains a schedule and configuration
  • Vulnerability manager stores reports and displays vulnerability information

The process is as follows:

  1. The scheduler contacts the enricher and requests endpoint definitions for the current application.
  2. The enricher returns these definitions in HAR format.
  3. The scheduler pushes the HAR data and configuration settings to AVA.
  4. AVA runs the configured scan against the application and generates a report.
  5. AVA sends the report to the vulnerability manager for storage.

Diagram showing how AVA finds vulnerabilities with Docker Swarm

Use in Jenkins

We also use AVA in Jenkins to examine systems in our QA environment. This allows us to identify vulnerabilities before they reach production. The pipeline has two components: functional tests and AVA. The functional tests are a collection of Selenium-based test cases for verifying release candidates in QA.

The process is as follows:

  1. Functional tests run against the application.
  2. A proxy collects traffic from the tests and exports it as HAR files.
  3. AVA scans the application using the exported HAR files.
  4. AVA provides a report documenting the results of the scan.

Diagram showing how AVA finds vulnerabilities with Jenkins

How can I get AVA?

We’ve made AVA available and open source on Git. Download it, try it out, and reach out to us on GitHub or Twitter if you need any help. You can open an issue on the GitHub repository, or hit us up on Twitter.


Cross-posted on Medium.

Tweet about this on TwitterShare on FacebookShare on LinkedInShare on Google+Share on RedditEmail this to someone

@IndeedEng Presents: The Art and Science of Product Metrics in San Francisco and Seattle

Indeed Engineering is hosting talks on the art and science of product metrics in San Francisco and Seattle during the month of August.

Ketan Gangatirkar, VP of Engineering for Indeed’s Job Seeker products, will discuss choosing metrics that work, because every story of metrics gone wrong is really a story of badly chosen metrics. Attendees will leave this talk with a greater understanding of data science and concrete strategies for using data to improve their processes and products.

This talk aims to help product managers, tech leads, managers, and data scientists become better at their work. You’ll gain insights and knowledge if you’re in one of these roles or aspiring to be—or you’re just curious.

This is an extended edition of the talk presented at O’Reilly Strata, London.

San Francisco

This talk was held on Wednesday, August 1, 2018

Seattle

This talk was held on Wednesday, August 29, 2018

Tweet about this on TwitterShare on FacebookShare on LinkedInShare on Google+Share on RedditEmail this to someone

Open Source At Indeed: Sponsoring Webpack

Indeed is proud to announce our sponsorship of webpack. Like many other companies, Indeed uses webpack to help deliver a high-quality user experience. Because webpack is so important to our development process, we’re joining our industry peers in supporting and sponsoring the development of this critical open source technology.

Rebecca Murphey, Front-End Engineering Lead at Indeed, notes that “Webpack has been such a key tool in my team’s work to modernize and optimize the front-end development experience at Indeed. I’m so proud that we’re able to give a little bit back to a tool and a community that has provided so much value for us.”  

Sean Larkin, from the webpack core team, says, “We are extremely proud and humbled by Indeed’s decision to sponsor webpack. When you sponsor a project, you are not only becoming a stakeholder, but also an investor in your own infrastructure that you rely on every day. It makes a statement that says: ‘We love open source and want to hire people who know and love webpack.’ We look forward to our new partnership with Indeed and are excited to have tight feedback between their team, and help solve problems that not only create lasting value for Indeed, but the open source ecosystem as a whole.”

As Indeed continues to take a more active role in the open source community, we will seek out additional partnerships, sponsorships, and memberships.

Recently, Indeed joined the Cloud Native Computing Foundation and now sponsors:


For updates on Indeed’s open source projects, visit our open source site. If you’re interested in open source roles at Indeed, visit our hiring page.

Tweet about this on TwitterShare on FacebookShare on LinkedInShare on Google+Share on RedditEmail this to someone