
Web Application Scanners Black Box vs. White Box



Presentation Transcript


  1. Web Application Scanners: Black Box vs. White Box. Adi Sharabani – Security Research Group Manager; Dr. Yinnon Haviv – Static Analysis Technical Leader, IBM Rational Application Security {adish, yinnonh}. OWASP, 14/09/2008. The OWASP Foundation, http://www.owasp.org

  2. Outline • Vulnerability example • Black Box scanners • White Box scanners • Technology comparison • Technical example (dealing with validation) • White Box approach • Black Box approach • Summary

  3. SQL Injection

  4. SQL Injection

  5. SQL Injection

  UserID | Username | Password    | Name
  1      | admin    | $#kaoeFor56 | Administrator
  1824   | jsmith   | demo1234    | John Smith

  User input is embedded as-is in predefined SQL statements:

    query = "SELECT * from tUsers where userid='" + iUserID + "' AND password='" + iPassword + "'";

  With iUserID = jsmith and iPassword = demo1234 this becomes:

    SELECT * from tUsers where userid='jsmith' AND password='demo1234'

  • Hacker supplies input that modifies the original SQL statement, for example:
  • iUserID = ' or 1=1 --

    SELECT * from tUsers where userid='' or 1=1 --' AND password='bar'

  6. Outline • Vulnerability example • Black Box scanners • White Box scanners • Technology comparison • Technical example (dealing with validation) • White Box approach • Black Box approach • Summary

  7. Detecting SQL Injection (Black Box)
  The scanner submits a single quote (') as the username and ****** as the password; the application builds:

    SELECT * from tUsers where userid=''' AND password='foobar'

  8. How BB Scanners Work Stage 1: Crawling as an honest user http://mySite/ http://mySite/login.jsp http://mySite/feedback.jsp http://mySite/editProfile.jsp http://mySite/logout.jsp

  9. How BB Scanners Work Stage 1: Crawling as an honest user http://mySite/ http://mySite/login.jsp http://mySite/feedback.jsp http://mySite/editProfile.jsp http://mySite/logout.jsp

  10. How BB Scanners Work Stage 1: Crawling as an honest user Stage 2: Testing by tampering requests

  11. Outline • Vulnerability example • Black Box scanners • White Box scanners • Technology comparison • Technical example (dealing with validation) • White Box approach • Black Box approach • Summary

  12. Detecting SQL Injection (White Box)
  Source – a method returning a tainted string:

    // ...
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    // ...
    String query = "SELECT * from tUsers where " +
                   "userid='" + username + "' " +
                   "AND password='" + password + "'";
    // ...
    ResultSet rs = stmt.executeQuery(query);

  Sink – a potentially dangerous method. User can change executed SQL commands.

  13. Detecting SQL Injection (White Box)
  The analysis follows the tainted value from the source, through the string concatenation, to the sink:

    String username = request.getParameter("username");
    // ...
    String query = "SELECT …" + username;
    // ...
    ResultSet rs = stmt.executeQuery(query);

  14. A Common Fix (not the best one)
  Before:

    // ...
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    // ...
    String query = "SELECT * from tUsers where " +
                   "userid='" + username + "' " +
                   "AND password='" + password + "'";
    // ...
    ResultSet rs = stmt.executeQuery(query);

  After:

    // ...
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    // ...
    String query = "SELECT * from tUsers where " +
                   "userid='" + Encode(username) + "' " +
                   "AND password='" + Encode(password) + "'";
    // ...
    ResultSet rs = stmt.executeQuery(query);

  Sanitizer: a method returning a non-tainted string.
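As an added example (not from the slides), the three variants side by side in Python against a constructed in-memory SQLite copy of tUsers: the concatenated query of slide 5, the Encode() sanitizer of slide 14, and a parameterized query. The Encode() implementation (doubling single quotes) and the use of a username column in place of the slide's userid are assumptions.

```python
import sqlite3

# Constructed sample rows modelled on the slide's tUsers table (not real accounts).
ROWS = [("admin", "$#kaoeFor56", "Administrator"),
        ("jsmith", "demo1234", "John Smith")]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tUsers (username TEXT, password TEXT, name TEXT)")
    db.executemany("INSERT INTO tUsers VALUES (?, ?, ?)", ROWS)
    return db


def _names(cur):
    return sorted(row[0] for row in cur.fetchall())


def login_concat(db, user, pw):
    # Slide 5/12 pattern: user input is embedded as-is in the SQL text.
    query = ("SELECT name FROM tUsers WHERE username='" + user + "' "
             "AND password='" + pw + "'")
    return _names(db.execute(query))


def encode(s):
    # Assumed body of slide 14's Encode(): doubling a single quote keeps the
    # value inside the string literal. It works, but only for this one context.
    return s.replace("'", "''")


def login_encoded(db, user, pw):
    query = ("SELECT name FROM tUsers WHERE username='" + encode(user) + "' "
             "AND password='" + encode(pw) + "'")
    return _names(db.execute(query))


def login_param(db, user, pw):
    # Parameterized query: the input never becomes SQL text, so no sanitizer
    # is needed and no source-to-sink flow exists for a WB scanner to report.
    return _names(db.execute(
        "SELECT name FROM tUsers WHERE username=? AND password=?", (user, pw)))


if __name__ == "__main__":
    db = make_db()
    probe = "' or 1=1 --"                    # the payload shown on slide 5
    print(login_concat(db, probe, "bar"))    # ['Administrator', 'John Smith']
    print(login_encoded(db, probe, "bar"))   # []
    print(login_param(db, probe, "bar"))     # []
```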

  15. How WB Scanners Work
  Many injection problems: SQLi, XSS, LogForging, PathTraversal, Remote code execution …
  The analysis is expressed with three sets of methods:
  • Sources – methods returning tainted data
  • Sanitizers – methods returning non-tainted data
  • Sinks – potentially dangerous methods
  Deciding precisely which source values reach a sink without passing through a sanitizer is an undecidable problem, so the scanner approximates.

  16. Outline • Vulnerability example • Black Box scanners • White Box scanners • Technology comparison • Technical example (dealing with validation) • White Box approach • Black Box approach • Summary

  17. BB vs. WB – Paradigm
  BB: Cleverly “guessing” behaviors that may introduce vulnerabilities
  WB: Examines infinite numbers of behaviors in a finite approach

  18. BB vs. WB – Perspective
  BB (reports “SQL Injection Found”): • Works as an attacker • HTTP awareness only • Works on the big picture
  WB: • Resembles code auditing • Inspects the small details • Hard to “connect the dots”

  19. BB vs. WB – Prerequisite
  BB: • Any deployed application (e.g. Bank.war) • Mainly used during testing stage
  WB: • Application code • Mainly used in development stage

  20. BB vs. WB – Development Effort
  BB: • Oblivious to different languages • Different communication protocols require attention
  WB: • Different languages require support • Some frameworks too • Oblivious to communication protocols

  21. BB vs. WB – Scope
  BB: • Scans the entire system • Servers (Application, Http, DB, etc.) • External interfaces • Network, firewalls
  WB: • Identifies issues regardless of configuration

  22. BB vs. WB – Time/Accuracy Tradeoffs
  BB: • Crawling takes time • Testing mutations takes (infinite) time
  WB: • Refined model consumes space • And time… • Analyzing only “important” code • Approximating the rest

  23. Outline • Vulnerability example • Black Box scanners • White Box scanners • Technology comparison • Technical example (dealing with validation) • White Box approach • Black Box approach • Summary

  24. Handling Validation Code in WB

    String username = request.getParameter("username");
    // ...
    String password = request.getParameter("password");
    if (username.matches("\\w*")) {
        String query = "SELECT * from tUsers where " +
                       "userid='" + username + "' " +
                       "AND password='" + password + "'";
        ResultSet rs = stmt.executeQuery(query);
    }

  The source still flows to the sink (String query = "SELECT …" + username; ResultSet rs = stmt.executeQuery(query);), but only inside the branch where username has matched \w*. The scanner has to recognize that regular-expression check as validation, otherwise it reports a finding that cannot be exploited.

  25. Outline • Vulnerability example • Black Box scanners • White Box scanners • Technology comparison • Technical example (dealing with validation) • White Box approach • Black Box approach • Summary

  26. Handling Validation Code in BB
  The scanner submits ' as the username and ****** as the password and receives:
  Login Failure – “We’re sorry but this username is not valid. Please insert a valid username and try again.”

    // ...
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    if (username.length() > 5) {
        String query = "SELECT * from tUsers where " +
                       "userid='" + username + "' " +
                       "AND password='" + password + "'";
        ResultSet rs = stmt.executeQuery(query);
    }

  The length check rejects the one-character probe before the query is ever built, so the black-box test never reaches the vulnerable statement.
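An added example, not from the presentation, that models the source/sanitizer/sink reasoning of slides 12–15 at runtime in Python: a Tainted string type keeps its taint through concatenation, the regex check of slide 24 is treated as a sanitizer, and the length check of slide 26 is not. The scan() harness is hypothetical; a real WB scanner reasons statically over every path, whereas this runs one request at a time, which is exactly why the ' probe of slide 26 only ever sees the “invalid” branch.

```python
import re


class Tainted(str):
    """String that came from a source; the flag survives concatenation."""
    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        return Tainted(str.__add__(other, self))


class TaintedSink(Exception):
    """Raised when a tainted value reaches a sink: the finding a WB scanner reports."""


def get_parameter(request, name):
    # Source, modelled on request.getParameter() of slide 12 (request is a dict here).
    return Tainted(request[name])


def matches(value, pattern):
    # Slide 24's username.matches("\\w*"): a full match against a safe character
    # class is treated as a sanitizer, so the returned value carries no taint.
    return str(value) if re.fullmatch(pattern, value) else None


def execute_query(query):
    # Sink, modelled on stmt.executeQuery(); nothing is executed here.
    if isinstance(query, Tainted):
        raise TaintedSink(query)
    return "ok"


def login_validated(request):
    # Slide 24 (username only, to keep the example short).
    username = matches(get_parameter(request, "username"), r"\w*")
    if username is None:
        return "invalid"
    return execute_query("SELECT * from tUsers where userid='" + username + "'")


def login_length_checked(request):
    # Slide 26: a length check is not a sanitizer; the input reaches the sink tainted.
    username = get_parameter(request, "username")
    if len(username) > 5:
        return execute_query("SELECT * from tUsers where userid='" + username + "'")
    return "invalid"


def scan(handler, request):
    # Hypothetical harness: one concrete request, reported the way slide 18 phrases it.
    try:
        handler(request)
        return "clean"
    except TaintedSink:
        return "SQL Injection Found"
```

Run scan(login_length_checked, {"username": "'"}) and scan(login_length_checked, {"username": "jsmith"}) back to back: the first is the black-box view (the probe never reaches the sink), the second is the path a white-box scanner reports.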

  27. BB vs. WB – Accuracy Challenges
  BB: • Challenge: cover all attack vectors
  WB: • Challenge: eliminate non-exploitable issues

  28. Summary • Two approaches to web application scanning • BB automates attacker actions • WB automates code auditing • Challenges and issue coverage are different

  29. ?
