Glass Box Testing: Thinking Inside the Box Omri Weisman Manager, Security Research Group IBM Rational.
Speaker: Omri Weisman, Manager, Security Research Group, IBM Rational
© 2011 IBM Corporation

Slide 2: About the speaker
- 9 years working on AppScan technologies, web application security, and static analysis
- 21 patents pending
- 2 published papers

Slide 3: IBM 100 years (image slide)

Slide 5: Agenda
- Black box challenges
- Glass box scanning
- Architecture
- Summary

Slide 6: Black Box Challenge – Hidden Logic
- http://SITE/purchase?price=1337
- http://SITE/purchase?price=TEST_PAYLOAD

Slide 7: Black Box Challenge – Non-reflected Injection

Slide 8: Black Box Challenge – Remediation
- SQL injection found – where to fix it?

Slides 9-10: (screenshots, no slide text)

Slide 11: No clear indication for an SQL Injection. Need to go deeper...

Slide 12: Finally got it!

Slide 13: Agenda (Glass box scanning)

Slide 14: What is glass box? (VIDEO)

Slide 15: What is Glass Box?
Using internal agents to guide application scanning. Main idea:
1. Position server-side agents
2. Collect valuable server-side information
3. Report back to black-box scanner
4. Use data to enhance scan …
Game-changing enhancement of black-box scanning: accuracy, coverage, reporting.

Slide 16: Information Available to Glass Box
- Web app runtime activities
- Application structure, environment, technology, components
- Configuration files
- Source code information
- Log files
- File-system activities
- Registry accesses
- Network traffic
- DB access

Slide 17: Things You Can Do With Glass Box
- Coverage
- Hidden parameters/backdoors
- Non-reflected issues
- File upload
- Denial-of-service
- Exploit generation
- Consolidation
- Correlation
- Auto-configuration
- False positives
- Static analysis
- Deal with non-standard validation

Slide 18: Main Challenges – Glass Box to the Rescue
Coverage challenge (hidden logic):
- http://SITE/purchase?price=1337
- http://SITE/purchase?price=1337&debug=TEST_PAYLOAD
Agent: "Psst… You can use the “debug” param!"
The debug parameter was uncovered and reported back. Hence, the Cross-Site Scripting is exposed!

Slide 19: Main Challenges – Glass Box to the Rescue (Cont.)
Detection of non-reflected issues: runtime monitored sink. Glass Box instrumentation operates at runtime, at the code level.
- http://SITE/page?name=GB_FINGERPRINT
Fingerprint identified in SQL Injection sink! Non-reflected security issue identified!

Slide 20: Main Challenges – Glass Box to the Rescue (Cont.)
Limited security issue information: an SQL Injection issue, this time identified with the aid of glass box.

Slide 21: Agenda (Architecture)

Slide 22: Architecture
- Black-box Scanner, containing the Glass box Engine
- Target Server, running the Target web app and the Glass box Component with its Agent(s) and Agent Rules
- HTTP(S) between the scanner and the target web app
- HTTP(S) Control & Reporting between the glass box engine and the glass box component

Slide 23: Glass Box Timeline (Scanner / Server)
1. Deploy Assistant
2. Explore Start
3. GET / … GET /page?p=1 …
4. Glass Box Explore Enhance ("Glass Box Magic"): "These are the params you missed ..." – New Param – Re-explore
5. Test Started
6. GET /page?p=G’123B …
7. Glass Box Test Enhance ("Glass Box Magic")
8. Report Findings: "I’ve found these issues ..."

Slide 24: OWASP Top 10 - BB (black-box)
- A1 Injection (SQL, ..)
- A2 XSS
- A3 Broken Auth.
- A4 Insecure Object Reference
- A5 CSRF
- A6 Security Misconfig
- A7 Insecure Crypto
- A8 URL Restriction
- A9 Insufficient Transport Layer Protection
- A10 Unvalidated Redirects & Forwards

Slide 25: OWASP Top 10 - GB (black-box + glass-box)
Same ten categories; claim: the ONLY TECHNOLOGY to effectively find issues in ALL the categories of the OWASP Top 10.

Slide 26: Agenda (Summary)

Slide 27: Summary
- Glass box is a new technology that is all about using internal agents to guide application scanning
- Glass box significantly enhances every aspect of black box scanning: exploration, testing, exploitation, reporting
- Glass box isn’t just a feature-set... it is a new way of thinking, with nearly endless potential
Image: Meawpong3405 / FreeDigitalPhotos.net

Slide 28: Smarter security for a smarter planet
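The two glass-box mechanisms from slides 18 and 19, hidden-parameter discovery and a runtime-monitored SQL sink that recognises the scanner's fingerprint, as an added Python sketch that is not part of the deck or of AppScan; the agent class, the two request handlers and the users table are constructed for illustration.

```python
import sqlite3
import sys
# Scanner's test token (name from the slides); harmless text only the agent must recognise.
FINGERPRINT = "GB_FINGERPRINT"

class GlassBoxAgent:
    def __init__(self, fingerprint):
        self.fingerprint = fingerprint
        self.params_sent = set()  # names the scanner actually sent
        self.params_read = set()  # names the application asked for
        self.carrier = None       # parameter whose value last held the fingerprint
        self.findings = []        # what gets reported back to the scanner

    def read_param(self, query, name, default=""):
        self.params_sent.update(query)
        self.params_read.add(name)
        value = query.get(name, default)
        if self.fingerprint in value:
            self.carrier = name
        return value

    def sql_sink(self, conn, sql):
        if self.fingerprint in sql:  # fingerprint reached the sink: report it,
            self.findings.append({   # naming the calling function as the fix location
                "sink": "SQL Injection", "param": self.carrier,
                "location": sys._getframe(1).f_code.co_name})
        return conn.execute(sql).fetchall()

    def hidden_params(self):  # read by the app but never sent by the scanner
        return sorted(self.params_read - self.params_sent)

# Constructed target app shaped like the slides' /purchase and /page examples.
def purchase_handler(agent, conn, query):
    price = agent.read_param(query, "price", "0")
    debug = agent.read_param(query, "debug")  # hidden logic the scanner never guessed
    return f"price={price}" + (f"<pre>{debug}</pre>" if debug else "")

def page_handler(agent, conn, query):
    name = agent.read_param(query, "name")
    # String-built query is the monitored sink; nothing from it is echoed.
    agent.sql_sink(conn, f"SELECT id FROM users WHERE name = '{name}'")
    return "ok"

def simulate_scan():
    agent = GlassBoxAgent(FINGERPRINT)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    purchase_handler(agent, conn, {"price": "1337"})         # explore phase
    body = page_handler(agent, conn, {"name": FINGERPRINT})  # test phase
    return agent.hidden_params(), FINGERPRINT in body, agent.findings
```

The response body never contains the fingerprint, so a black-box scanner alone sees nothing, while the agent reports both the missed `debug` parameter and the sink reached in `page_handler`.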