Glass Box Testing: Thinking Inside the Box
Omri Weisman
Manager, Security Research Group
IBM Rational
Omri Weisman
Manager, Security Research Group
IBM Rational
9 years working on AppScan technologies, web application security, and static analysis
21 patents pending
2 published papers
Glass Box Testing
© 2011 IBM Corporation
IBM 100 YEARS
Agenda
Black box challenges
Glass box scanning
Architecture
Summary
Black Box Challenge – Hidden Logic
http://SITE/purchase?price=1337
http://SITE/purchase?price=TEST_PAYLOAD
Black Box Challenge – Non-reflected Injection
Black Box Challenge – Remediation
SQL injection found – where to fix it?
No clear indication for an SQL Injection.
Need to go deeper...
Finally got it!
Agenda
Black box challenges
Glass box scanning
Architecture
Summary
What is glass box?
VIDEO
What is Glass Box?
Using internal agents to guide application scanning
Main idea:
1. Position server-side agents
2. Collect valuable server-side information
3. Report back to black-box scanner
4. Use data to enhance scan ...
Game-changing enhancement of black-box scanning: accuracy, coverage, reporting
Information Available to Glass Box
Web app runtime activities
Application structure, environment,
technology, components
Configuration files
Source code information
Log files
File-system activities
Registry accesses
Network traffic
DB access
Things You Can Do With Glass Box
Coverage
Hidden parameters/backdoors
Non-reflected issues
File upload
Denial-of-service
Exploit generation
Consolidation
Correlation
Auto-configuration
False positives
Static analysis
Deal with non-standard validation
Main Challenges – Glass Box to the Rescue
Coverage challenge (hidden logic)
http://SITE/purchase?price=1337
http://SITE/purchase?price=1337&debug=TEST_PAYLOAD
Psst… You can use the “debug” param!
The debug parameter was uncovered and reported back
Hence, the Cross-Site Scripting is exposed!
Main Challenges – Glass Box to the Rescue (Cont.)
Detection of non-reflected issues
Runtime monitored sink
Glass Box instrumentation operates at runtime, at the code level
http://SITE/page?name=GB_FINGERPRINT
Fingerprint identified in SQL Injection sink!
Non-reflected security issue identified!
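The two mechanisms on the last two slides, hidden-parameter discovery and a runtime-monitored SQL sink, simulated in Python as an added example (not code from the slides or from AppScan). A constructed handler reads a "debug" parameter the scanner never sent and builds an SQL statement from "name" without echoing it; a hypothetical agent class hooks both the parameter reads and the sink and reports what the black-box side missed.

```python
import sqlite3

FINGERPRINT = "GB_FINGERPRINT"  # marker the scanner injects; the name is from the slides


class GlassBoxAgent:
    """Hypothetical server-side agent hooking parameter reads and the SQL sink."""

    def __init__(self):
        self.params_read = set()
        self.findings = []

    def read_param(self, request, name, default=None):
        # Hook on the framework's parameter getter: records every name the
        # application asks for, whether or not the scanner ever sent it.
        self.params_read.add(name)
        return request.get(name, default)

    def sql_sink(self, conn, query):
        # Hook in front of the real sink: the final SQL string carrying the
        # fingerprint proves scanner input reached the query unsanitized,
        # even though nothing is reflected in the HTTP response.
        if FINGERPRINT in query:
            self.findings.append({"type": "sql_injection", "query": query})
        return conn.execute(query)

    def report(self, params_sent_by_scanner):
        # Parameters the app reads but the scanner never discovered = hidden logic
        hidden = sorted(self.params_read - set(params_sent_by_scanner))
        return {"hidden_params": hidden, "issues": list(self.findings)}


def handle_page(agent, request, conn):
    """Constructed handler: non-reflected SQL injection plus a hidden 'debug' parameter."""
    name = agent.read_param(request, "name", "")
    agent.read_param(request, "debug")  # hidden: appears in no HTML form or link
    query = "INSERT INTO audit(name) VALUES ('%s')" % name  # deliberately unsafe sample
    agent.sql_sink(conn, query)
    return "OK"  # response never echoes 'name', so a black-box scanner sees nothing


def run_scan():
    """One scanner request carrying the fingerprint, then the agent's report."""
    agent = GlassBoxAgent()
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE audit(name TEXT)")
    scanner_request = {"name": FINGERPRINT}  # only the parameter the crawler could see
    handle_page(agent, scanner_request, conn)
    return agent.report(scanner_request)
```

The report lists "debug" as a parameter to re-explore and the sink hit as a non-reflected SQL injection, which is exactly what a response-only scanner cannot observe.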
Main Challenges – Glass Box to the Rescue (Cont.)
Limited security issue information
An SQL Injection issue, this time identified with the aid of glass box
Agenda
Black box challenges
Glass box scanning
Architecture
Summary
Architecture (diagram)
Black-box Scanner, containing the Glass box Engine, talks HTTP(S) to the Target Server
Target Server hosts the Target web app and the Glass box Component
Glass box Component: Agent(s), Agent Rules, Control & Reporting (a second HTTP(S) channel back to the scanner)
Glass Box Timeline (diagram, lanes for Scanner and Server)
1. Deploy Assistant
2. Explore Start: GET /, ..., GET /page?p=1, ...
3. Glass Box Magic
4. Glass Box Explore Enhance: "These are the params you missed ..." (New Param, Re-explore)
5. Test Started: GET /page?p=G'123B, ...
6. Glass Box Magic
7. Glass Box Test Enhance
8. Report Findings: "I've found these issues ..."
OWASP Top 10 - BB (black-box)
A1 Injection (SQL, ..)
A2 XSS
A3 Broken Auth.
A4 Insecure Object Reference
A5 CSRF
A6 Security Misconfig
A7 Insecure Crypto
A8 URL Restriction
A9 Insufficient Transport layer Protection
A10 Unvalidated Redirects & Forwards
OWASP Top 10 - GB (black-box + glass-box)
Same ten categories, A1 through A10
ONLY TECHNOLOGY to effectively find issues in ALL the categories of OWASP top 10
Agenda
Black box challenges
Glass box scanning
Architecture
Summary
Summary
Glass box is a new technology that is all about using internal agents to guide application scanning
Glass box significantly enhances every aspect of black box scanning: exploration, testing, exploitation, reporting
Glass box isn't just a feature-set... it is a new way of thinking, with nearly endless potential
Image: Meawpong3405 / FreeDigitalPhotos.net
Smarter security for a smarter planet