300 likes | 595 Views
Web Application Scanners Black Box vs. White Box. BB. WB. Vs. Adi Sharabani – Security Research Group Manager Dr. Yinnon Haviv – Static Analysis Technical Leader IBM Rational Application Security {adish, yinnonh}. OWASP. 14/09/2008. The OWASP Foundation. http://www.owasp.org. Outline.
E N D
Web Application ScannersBlack Box vs. White Box BB WB Vs. Adi Sharabani – Security Research Group Manager Dr. Yinnon Haviv – Static Analysis Technical Leader IBM Rational Application Security {adish, yinnonh} OWASP 14/09/2008 The OWASP Foundation http://www.owasp.org
Outline • Vulnerability example • Black Box scanners • White Box scanners • Technology comparison • Technical example (dealing with validation) • White Box approach • Black Box approach • Summary
UserID UserID Username Username Password Password Name Name 1 1824 admin jsmith $#kaoeFor56 demo1234 Administrator John Smith SQL Injection User input is embedded as-is in predefined SQL statements: jsmith query = "SELECT * from tUsers where userid='" + + "' AND password='" + + "'"; demo1234 iUserID iPassword SELECT * from tUsers where userid=‘jsmith' AND password=‘demo1234' • Hacker supplies input that modifies the original SQL statement, for example: • iUserID = ' or 1=1 -- SELECT * from tUsers where userid=' ' AND password='bar' ' AND password='bar'
Outline • Vulnerability example • Black Box scanners • White Box scanners • Technology comparison • Technical example (dealing with validation) • White Box approach • Black Box approach • Summary
Detecting SQL Injection (Black Box) ‘ ****** SELECT * from tUsers where userid=‘’’ AND password=‘foobar’
How BB Scanners Work Stage 1: Crawling as an honest user http://mySite/ http://mySite/login.jsp http://mySite/feedback.jsp http://mySite/editProfile.jsp http://mySite/logout.jsp
How BB Scanners Work Stage 1: Crawling as an honest user http://mySite/ http://mySite/login.jsp http://mySite/feedback.jsp http://mySite/editProfile.jsp http://mySite/logout.jsp
How BB Scanners Work Stage 1: Crawling as an honest user Stage 2: Testing by tampering requests
Outline • Vulnerability example • Black Box scanners • White Box scanners • Technology comparison • Technical example (dealing with validation) • White Box approach • Black Box approach • Summary
Detecting SQL Injection (White Box) Source – a method returning tainted string // ... Stringusername = request.getParameter("username"); Stringpassword = request.getParameter("password"); // ... Stringquery = "SELECT * from tUsers where " + "userid='" +username + "' " + "AND password='" + password + "'"; // ... ResultSet rs = stmt.executeQuery(query); User can change executed SQL commands Sink - a potentially dangerous method
Detecting SQL Injection (White Box) String username = request.getParameter("username"); // ... Stringpassword = request.getParameter("password"); // ... "userid='" +username + "' " + "AND password='" + password + "'"; // ... Stringusername = request.getParameter("username"); Stringquery = "SELECT * from tUsers where " +' String query = "SELECT …" + username ResultSet rs = stmt.executeQuery(query); ResultSet rs = stmt.executeQuery(query);
A Common Fix (not the best one) // ... Stringusername = request.getParameter("username"); Stringpassword = request.getParameter("password"); // ... Stringquery = "SELECT * from tUsers where " + "userid='" +username + "' " + "AND password='" + password + "'"; // ... ResultSet rs = stmt.executeQuery(query); // ... Stringusername = request.getParameter("username"); Stringpassword = request.getParameter("password"); // ... Stringquery = "SELECT * from tUsers where " + "userid='" +Encode(username) + "' " + "AND password='" + Encode(password) + "'"; // ... ResultSet rs = stmt.executeQuery(query); Sanitizer: a method returning a non-tainted string
How WB Scanners Work Many injection problems: SQLi, XSS, LogForging, PathTraversal, Remote code execution … Sources: Sanitizers: Undecidable problem Sinks:
Outline • Vulnerability example • Black Box scanners • White Box scanners • Technology comparison • Technical example (dealing with validation) • White Box approach • Black Box approach • Summary
BB WB BB vs. WB – Paradigm Cleverly “guessing” behaviors that may introduce vulnerabilities Examines infinite numbers of behaviors in a finite approach
BB SQL Injection Found WB BB vs. WB - Perspective • Works as an attacker • HTTP awareness only • Works on the big picture • Resembles code auditing • Inspects the small details • Hard to “connect the dots”
BB WB Bank.war BB vs. WB – Prerequisite • Any deployed application • Mainly used during testing stage • Application code • Mainly used in development stage
BB WB BB vs. WB – Development Effort • Oblivious to different languages • Different communication protocols require attention • Different languages require support • Some frameworks too • Oblivious to communication protocols
BB WB BB vs. WB – Scope • Scans the entire system • Servers (Application, Http, DB, etc.) • External interfaces • Network, firewalls Identifies issues regardless of configuration
BB WB BB vs. WB – Time/Accuracy Tradeoffs • Crawling takes time • Testing mutations takes (infinite) time • Refined model consumes space • And time… • Analyzing only “important” code • Approximating the rest >> Summary
Outline • Vulnerability example • Black Box scanners • White Box scanners • Technology comparison • Technical example (dealing with validation) • White Box approach • Black Box approach • Summary
Handling Validation Code in WB String username = request.getParameter("username"); // ... Stringpassword = request.getParameter("password"); if (username.matches("\\w*")) { "userid='" +username + "' " + "AND password='" + password + "'"; } Stringusername = request.getParameter("username"); Stringquery = "SELECT * from tUsers where " +' String query = "SELECT …" + username ResultSet rs = stmt.executeQuery(query); ResultSet rs = stmt.executeQuery(query);
Outline • Vulnerability example • Black Box scanners • White Box scanners • Technology comparison • Technical example (dealing with validation) • White Box approach • Black Box approach • Summary
Login Failure We’re sorry but this username is not valid. Please insert a valid username and try again. Handling Validation Code in BB ‘ ****** // ... Stringusername = request.getParameter("username"); Stringpassword = request.getParameter("password"); if (username.length() > 5) { Stringquery = "SELECT * from tUsers where " +' "userid='" +username + "' " + "AND password='" + password + "'"; ResultSet rs = stmt.executeQuery(query); }
BB WB BB vs. WB – Accuracy Challenges • Challenge: • Cover all attack vectors • Challenge: • Eliminate non-exploitable issues
Summary • Two approaches to web application scanning • BB automates attacker actions • WB automates code auditing • Challenges and issue coverage are different Black Box White Box