300 likes | 316 Views
Approaches to Application Security – DSM. Maheshan C N. Maheshan.Chemminiyan@lntinfotech.com. Agenda. Sample illustration of a SQL Injection Different Approaches to Security Testing Dynamic (Black Box) Vs Static (White Box) Vs Manual Summary. Sample illustration of a SQL injection.
E N D
Approaches to Application Security – DSM Maheshan C N Maheshan.Chemminiyan@lntinfotech.com
Agenda • Sample illustration of a SQL Injection • Different Approaches to Security Testing • Dynamic (Black Box) Vs Static (White Box) Vs Manual • Summary
Username: jsmith Password: ******* Normal login for JSMITH
Username: ‘ Password: Username = Apostrophe? The start of a SQL injection attack
Syntax error in string query expression ‘username = “’ and password = “’ Step 1 – We have an error
Step 2 – Try a more complete SQL statement Username:’ or username like ‘s%’ or ‘ --
Manual Analysis Static Analysis or White Box Testing Or Code Review BB Dynamic Analysis or Black Box Testing WB Dynamic, Static and Manual (DSM) Potential Security Defects
Static and Dynamic Analysis Two types of security analysis: Static and Dynamic • Dynamic Analysis • Analyzes a running application • Looks for issues both within the application and around it • Web application scanners, run-time analyzers • Users: “black-box” penetration testing specialists • Static Analysis • Analyzes source code • Looks for security issues within the application source code • Users: “white-box”, source code auditors, development teams
Dynamic (Black Box) Vs Static (White Box) Vs Manual
UserID UserID Username Username Password Password Name Name 1 1824 admin jsmith $#kaoeFor56 demo1234 Administrator John Smith SQL Injection User input is embedded as-is in predefined SQL statements: jsmith query = "SELECT * from tUsers where userid='" + + "' AND password='" + + "'"; demo1234 iUserID iPassword SELECT * from tUsers where userid=‘jsmith' AND password=‘demo1234' • Hacker supplies input that modifies the original SQL statement, for example: • iUserID = ' or 1=1 -- SELECT * from tUsers where userid=' ' AND password='bar' ' AND password='bar'
How BB Scanners Work Stage 1: Crawling as an honest user http://mySite/ http://mySite/login.jsp http://mySite/feedback.jsp http://mySite/editProfile.jsp http://mySite/logout.jsp
How BB Scanners Work Stage 1: Crawling as an honest user http://mySite/ http://mySite/login.jsp http://mySite/feedback.jsp http://mySite/editProfile.jsp http://mySite/logout.jsp
How BB Scanners Work Stage 1: Crawling as an honest user Stage 2: Testing by tampering requests
Detecting SQL Injection (White Box) Source – a method returning tainted string // ... Stringusername = request.getParameter("username"); Stringpassword = request.getParameter("password"); // ... Stringquery = "SELECT * from tUsers where " + "userid='" +username + "' " + "AND password='" + password + "'"; // ... ResultSet rs = stmt.executeQuery(query); User can change executed SQL commands Sink - a potentially dangerous method
Detecting SQL Injection (White Box) String username = request.getParameter("username"); // ... Stringpassword = request.getParameter("password"); // ... "userid='" +username + "' " + "AND password='" + password + "'"; // ... Stringusername = request.getParameter("username"); Stringquery = "SELECT * from tUsers where " +' String query = "SELECT …" + username ResultSet rs = stmt.executeQuery(query); ResultSet rs = stmt.executeQuery(query);
How WB Scanners Work Many injection problems: SQLi, XSS, LogForging, PathTraversal, Remote code execution … Sources: Sanitizers: Undecidable problem Sinks:
Pros and Cons of Black Box and White Box testing
Manual Testing Pros and Cons • Pros • Cheaper than Automated solutions • Can identify any form of issues (based on skill set!!!) • Cons • Lack of security knowledge • Time consuming • Inconsistent
Business Logic Issues Manual Analysis Some Authentication Issues Some authorization Issues Static Analysis or White Box Testing Or Code Review BB Dynamic Analysis or Black Box Testing Patch level issues Threading Issues Potential NULL Derefrences Production Configuration Issues WB Exception Handling Design Issues SQL Injection Some Configuration Issues Cross Site Scripting (XSS) Dynamic, Static and Manual (DSM) Potential Security Defects
Summary • White Box / static analysis covers 80% of your application specific vulnerabilities • Black box / dynamic testing is really good for dynamic Vulnerabilities and Infrastructure based issues • Manual testing would still be needed to resolve Application logic and authorization based vulnerabilities
Our Business Knowledge Your Winning Edge Thank you