
Glass Box Testing: Thinking Inside the Box

Glass Box Testing: Thinking Inside the Box. Omri Weisman, Manager, Security Research Group, IBM Rational. 9 years working on AppScan technologies, web application security, and static analysis; 21 patents pending; 2 published papers.


Presentation Transcript


  1. Glass Box Testing: Thinking Inside the Box. Omri Weisman, Manager, Security Research Group, IBM Rational

  2. Omri Weisman: Manager, Security Research Group, IBM Rational. 9 years working on AppScan technologies, web application security, and static analysis; 21 patents pending; 2 published papers

  3. IBM 100 YEARS

  4. Agenda • Black box challenges • Glass box scanning • Architecture • Summary

  5. Black Box Challenge – Hidden Logic. http://SITE/purchase?price=1337 vs. http://SITE/purchase?price=TEST_PAYLOAD

  6. Black Box Challenge – Non-reflected Injection

  7. Black Box Challenge – Remediation • SQL injection found – where to fix it?

  8. No clear indication for an SQL Injection. Need to go deeper...

  9. Finally got it!

  10. Agenda • Black box challenges • Glass box scanning • Architecture • Summary

  11. What is glass box? VIDEO

  12. What is Glass Box? Main idea: position server-side agents; collect valuable server-side information; report back to the black-box scanner; use the data to enhance the scan. A game-changing enhancement of black-box scanning: accuracy, coverage, reporting, … In short: using internal agents to guide application scanning

  13. Information Available to Glass Box: web app runtime activities; application structure, environment, technology, components; configuration files; source code information; log files; file-system activities; registry accesses; network traffic; DB access. (Image caption: I CAN SEE U)

  14. Things You Can Do With Glass Box: coverage (hidden parameters/backdoors); non-reflected issues; file upload; denial-of-service; exploit generation; consolidation; correlation; auto-configuration; false positives; static analysis; dealing with non-standard validation

  15. Main Challenges – Glass Box to the Rescue • Coverage challenge (hidden logic) • The debug parameter was uncovered and reported back • Hence, the Cross-Site Scripting is exposed! http://SITE/purchase?price=1337 → http://SITE/purchase?price=1337&debug=TEST_PAYLOAD (Agent: “Psst… You can use the ‘debug’ param!”)

  16. Main Challenges – Glass Box to the Rescue (Cont.) • Detection of non-reflected issues • Glass box instrumentation operates at runtime, at the code level • Non-reflected security issue identified! Runtime-monitored sink: http://SITE/page?name=GB_FINGERPRINT → “Fingerprint identified in SQL Injection sink!”

  17. Main Challenges – Glass Box to the Rescue (Cont.) • Limited security issue information • An SQL Injection issue, this time identified with the aid of glass box

  18. Agenda • Black box challenges • Glass box scanning • Architecture • Summary

  19. Architecture (diagram labels): Target Server, Target web app, Agent(s), Agent Rules; Black-box Scanner, Glass box Component, Glass box Engine, Control & Reporting; HTTP(S) connections between scanner and target

  20. Glass Box Timeline (diagram). Scanner side: Start, Deploy Assistant, Explore Start, New Param, Re-explore, Test Started, Report Findings, End. Server side: Glass Box Explore Enhance, Glass Box Test Enhance, Glass Box Magic. Sample requests: GET /, GET /page?p=1, …, GET /page?p=G’123B. Callouts from the agent: “These are the params you missed ...”, “I’ve found these issues ...”

  21. OWASP Top 10 – BB (black-box): A1 Injection (SQL, ..); A2 XSS; A3 Broken Auth.; A4 Insecure Object Reference; A5 CSRF; A6 Security Misconfig; A7 Insecure Crypto; A8 URL Restriction; A9 Insufficient Transport Layer Protection; A10 Unvalidated Redirects & Forwards

  22. OWASP Top 10 – GB (black-box + glass-box): A1 Injection (SQL, ..); A2 XSS; A3 Broken Auth.; A4 Insecure Object Reference; A5 CSRF; A6 Security Misconfig; A7 Insecure Crypto; A8 URL Restriction; A9 Insufficient Transport Layer Protection; A10 Unvalidated Redirects & Forwards. The ONLY TECHNOLOGY to effectively find issues in ALL the categories of the OWASP Top 10

  23. Agenda • Black box challenges • Glass box scanning • Architecture • Summary

  24. Summary • Glass box is a new technology that is all about using internal agents to guide application scanning • Glass box significantly enhances every aspect of black box scanning: exploration, testing, exploitation, reporting • Glass box isn’t just a feature-set... it is a new way of thinking, with nearly endless potential. Image: Meawpong3405 / FreeDigitalPhotos.net

  25. Smarter security for a smarter planet
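As an added illustration of the mechanism in slides 15, 16 and 20 (this is example code, not IBM's AppScan agent), a toy glass-box agent in Python with two server-side hooks: one on parameter access, which reports a `debug` parameter the scanner never sent, and one on the SQL sink, which reports when the scanner's `GB_FINGERPRINT` value reaches a query; a scanner loop then explores, learns the hidden parameter and re-tests. The target page, its parameters and the report structure are constructed; only the `debug` and `GB_FINGERPRINT` names come from the slides.

```python
from dataclasses import dataclass, field

FINGERPRINT = "GB_FINGERPRINT"   # marker the scanner embeds in test values (name from slide 16)


@dataclass
class AgentReport:
    hidden_params: set = field(default_factory=set)   # params the app read but the request lacked
    sink_hits: list = field(default_factory=list)     # fingerprint observed at a monitored sink


class GlassBoxAgent:
    """Server-side agent: two hooks the (constructed) target app is instrumented to call."""

    def __init__(self):
        self.report = AgentReport()
        self._req = {"url": "", "params": {}}

    def begin_request(self, url, params):
        self._req = {"url": url, "params": dict(params)}

    def get_param(self, name, default=None):
        # Hook 1: the app asked for a parameter the scanner never sent -> hidden logic
        if name not in self._req["params"]:
            self.report.hidden_params.add(name)
        return self._req["params"].get(name, default)

    def execute_sql(self, query):
        # Hook 2: monitored SQL sink; a fingerprint arriving here proves an unsanitised path
        if FINGERPRINT in query:
            self.report.sink_hits.append({"url": self._req["url"], "sink": "sql", "query": query})
        return "ok"   # constructed: no real database behind this sink


def purchase_handler(agent, url, params):
    """Constructed target page: reads an undocumented 'debug' param, builds SQL by
    concatenation, and echoes neither value, so a black-box scanner alone sees nothing."""
    agent.begin_request(url, params)
    price = agent.get_param("price", "0")
    agent.get_param("debug")   # hidden parameter, absent from every form and link
    agent.execute_sql("INSERT INTO orders(price) VALUES ('" + price + "')")
    return "Thanks for your order"


def run_scan():
    """Black-box scanner driving the slide-20 loop: explore, learn, re-explore, test."""
    agent = GlassBoxAgent()
    purchase_handler(agent, "/purchase", {"price": "1337"})      # explore with a normal request
    learned = set(agent.report.hidden_params)                    # agent: "you missed 'debug'"
    for name in {"price"} | learned:                             # test every parameter now known
        purchase_handler(agent, "/purchase", {"price": "1337", name: FINGERPRINT})
    return agent.report
```

The returned report shows both findings the slides describe: `debug` as a hidden parameter, and one SQL-sink hit for the fingerprinted `price` value even though the response never reflects it.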
