Glass Box Testing: Thinking Inside the Box
Omri Weisman, Manager, Security Research Group, IBM Rational

Omri Weisman
• Manager, Security Research Group, IBM Rational
• 9 years working on AppScan technologies, web application security, and static analysis
• 21 patents pending
• 2 published papers
Agenda
• Black box challenges
• Glass box scanning
• Architecture
• Summary
Black Box Challenge – Hidden Logic
• http://SITE/purchase?price=1337
• http://SITE/purchase?price=TEST_PAYLOAD
Black Box Challenge – Remediation
• SQL injection found – where to fix it?
• No clear indication for an SQL Injection. Need to go deeper...
Agenda
• Black box challenges
• Glass box scanning
• Architecture
• Summary
What is Glass Box? (video)
What is Glass Box?
• Main idea:
  • Position server-side agents
  • Collect valuable server-side information
  • Report back to black-box scanner
  • Use data to enhance scan
• Game-changing enhancement of black-box scanning: accuracy, coverage, reporting, …
• Using internal agents to guide application scanning
Information Available to Glass Box
• Web app runtime activities
• Application structure, environment, technology, components
• Configuration files
• Source code information
• Log files
• File-system activities
• Registry accesses
• Network traffic
• DB access
Things You Can Do With Glass Box
• Coverage
• Hidden parameters/backdoors
• Non-reflected issues
• File upload
• Denial-of-service
• Exploit generation
• Consolidation
• Correlation
• Auto-configuration
• False positives
• Static analysis
• Deal with non-standard validation
Main Challenges – Glass Box to the Rescue
• Coverage challenge (hidden logic)
• The debug parameter was uncovered and reported back
• Hence, the Cross-Site Scripting is exposed!
• http://SITE/purchase?price=1337
• http://SITE/purchase?price=1337&debug=TEST_PAYLOAD
• Agent callout: “Psst… You can use the ‘debug’ param!”
Main Challenges – Glass Box to the Rescue (Cont.)
• Detection of non-reflected issues
• Glass Box instrumentation operates at runtime, at the code level
• Non-reflected security issue identified!
• http://SITE/page?name=GB_FINGERPRINT
• Runtime monitored sink: fingerprint identified in SQL Injection sink!
Main Challenges – Glass Box to the Rescue (Cont.)
• Limited security issue information
• An SQL Injection issue, this time identified with the aid of glass box
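The two mechanisms on the preceding slides (a server-side agent reporting a parameter the scanner never sent, and a scanner fingerprint recognised inside a monitored SQL sink even though the response never reflects it) can be shown end to end in a small simulation. This is an added example written for this page, not AppScan code or any IBM implementation: the agent class, the `purchase` handler, the parameter names `price` and `debug`, and the marker string `GB_FINGERPRINT` (borrowed from the slide, the rest constructed) are all assumptions. The black-box scanner only looks at responses; the glass-box scan additionally consults the agent after every request, and the agent's sink record carries the query text that reached the sink, which is the extra remediation detail the last slide asks for.

```python
"""Constructed glass-box agent simulation (added example, not the project's code)."""

FINGERPRINT = "GB_FINGERPRINT"   # marker the scanner embeds in its test payloads (assumed name)


class GlassBoxAgent:
    """Server-side agent: hooks the app's parameter reads and a monitored SQL
    sink, and keeps what it saw so the scanner can ask for it after a request."""

    def __init__(self):
        self.hidden_params = set()   # names read by app code but absent from the request
        self.sink_hits = []          # (sink, argument) pairs where a fingerprint reached a sink
        self._current = {}

    def begin_request(self, params):
        self._current = dict(params)

    def read_param(self, name, default=""):
        # Hook on the parameter API: a read of a name the scanner never sent
        # reveals hidden logic (for example an undocumented debug flag).
        if name not in self._current:
            self.hidden_params.add(name)
        return self._current.get(name, default)

    def sql_execute(self, query):
        # Monitored sink: the fingerprint arriving here proves the parameter
        # reaches SQL, even when nothing about it is echoed in the response.
        if FINGERPRINT in query:
            self.sink_hits.append(("sql", query))
        return []   # no real database in this constructed example


def purchase(agent, params):
    """Constructed target handler: 'price' flows into SQL without being echoed,
    'debug' is an undocumented parameter that is echoed into the page."""
    agent.begin_request(params)
    price = agent.read_param("price", "0")
    debug = agent.read_param("debug")
    agent.sql_execute(f"SELECT * FROM items WHERE price = {price}")
    body = "<h1>Thanks for your purchase</h1>"
    if debug:
        body += f"<pre>debug={debug}</pre>"   # reflected output: XSS once debug is known
    return body


def black_box_only(handler):
    """Classic scan: reflection check on the one parameter it knows about.
    The agent instance is only there because the handler routes its sink
    through it; a black-box scanner never reads what the agent observed."""
    findings = []
    body = handler(GlassBoxAgent(), {"price": FINGERPRINT})
    if FINGERPRINT in body:
        findings.append(("price", "xss"))
    return findings   # [] : neither the hidden 'debug' nor the SQL sink is visible


def glass_box_scan(handler):
    """Agent-assisted scan: explore, learn hidden parameters from the agent,
    test every parameter, and consult the agent's sink hits after each test."""
    agent = GlassBoxAgent()
    handler(agent, {"price": "1337"})                 # explore with a benign request
    params = {"price"} | set(agent.hidden_params)     # agent: "you missed 'debug'"
    findings = []
    for name in sorted(params):
        agent.sink_hits.clear()
        request = {"price": "1337"}
        request[name] = FINGERPRINT                   # test one parameter at a time
        body = handler(agent, request)
        if FINGERPRINT in body:                       # reflected: the scanner sees it itself
            findings.append((name, "xss"))
        for sink, _query in agent.sink_hits:          # non-reflected: only the agent sees it
            findings.append((name, f"{sink}_injection"))
    return sorted(agent.hidden_params), findings


if __name__ == "__main__":
    print("black box only :", black_box_only(purchase))
    print("with glass box :", glass_box_scan(purchase))
```

Running the module prints an empty finding list for the black-box-only scan and, for the assisted scan, the hidden parameter `debug` plus two findings: a reflected XSS on `debug` and a SQL injection on `price` that only the sink hook could attribute.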
Agenda
• Black box challenges
• Glass box scanning
• Architecture
• Summary
Architecture
• Black-box Scanner: Glass box Engine, Control & Reporting
• Target Server: Target web app, Agent(s), Rules, Glass box Component
• Black-box Scanner ↔ Target web app: HTTP(S)
• Glass box Engine ↔ Agent(s): HTTP(S)
Glass Box Timeline
• Scanner: Start → Deploy Assistant → Explore Start → GET /, GET /page?p=1 ... → New Param / Re-explore → Test Started → GET /page?p=G’123B ... → Report Findings → End
• Server (agent) during explore: “These are the params you missed ...”
• Server (agent) during test: “I’ve found these issues ...”
• Phases: Glass Box Explore Enhance, Glass Box Test Enhance, Glass Box Magic
OWASP Top 10 – BB (black-box)
• A1 Injection (SQL, ..)
• A2 XSS
• A3 Broken Auth.
• A4 Insecure Object Reference
• A5 CSRF
• A6 Security Misconfig
• A7 Insecure Crypto
• A8 URL Restriction
• A9 Insufficient Transport Layer Protection
• A10 Unvalidated Redirects & Forwards

OWASP Top 10 – GB (black-box + glass-box)
• A1 Injection (SQL, ..)
• A2 XSS
• A3 Broken Auth.
• A4 Insecure Object Reference
• A5 CSRF
• A6 Security Misconfig
• A7 Insecure Crypto
• A8 URL Restriction
• A9 Insufficient Transport Layer Protection
• A10 Unvalidated Redirects & Forwards
• ONLY TECHNOLOGY to effectively find issues in ALL the categories of OWASP top 10
Agenda
• Black box challenges
• Glass box scanning
• Architecture
• Summary
Summary
• Glass box is a new technology that is all about using internal agents to guide application scanning
• Glass box significantly enhances every aspect of black box scanning:
  • Exploration, testing, exploitation, reporting
• Glass box isn’t just a feature-set...
• It is a new way of thinking
• With nearly endless potential
Image: Meawpong3405 / FreeDigitalPhotos.net