1 Confidential | Copyright © L & T Infotech Ltd. Approaches to Application Security – DSM Maheshan C N [email protected]

Approaches to Application Security – DSM

Maheshan C N

[email protected]


Agenda

1. Sample illustration of a SQL Injection
2. Different Approaches to Security Testing
3. Dynamic (Black Box) Vs Static (White Box) Vs Manual
4. Summary


Sample illustration of a SQL injection


SQL Injection


Username: jsmith

Password: *******

Normal login for JSMITH



Username = Apostrophe? The start of a SQL injection attack

Username: '

Password:


Syntax error in string query expression 'username = ''' and password = '''

Step 1 – We have an error


Step 2 – Try a more complete SQL statement

Username: ' or username like 's%' or ' --


Now we are Sam!


Approaches to Security Testing


Potential Security Defects: Dynamic, Static and Manual (DSM)

- Dynamic Analysis or Black Box Testing (BB)
- Static Analysis or White Box Testing or Code Review (WB)
- Manual Analysis


Static and Dynamic Analysis

Two types of security analysis: Static and Dynamic

• Static Analysis
  • Analyzes source code
  • Looks for security issues within the application source code
  • Users: "white-box", source code auditors, development teams

• Dynamic Analysis
  • Analyzes a running application
  • Looks for issues both within the application and around it
  • Web application scanners, run-time analyzers
  • Users: "black-box" penetration testing specialists


Dynamic (Black Box) Vs Static (White Box) Vs Manual


How Dynamic (Black Box) Testing Works?


SQL Injection

User input is embedded as-is in predefined SQL statements:

query = "SELECT * from tUsers where userid='" + iUserID + "' AND password='" + iPassword + "'";

With normal input (iUserID = jsmith, iPassword = demo1234) the statement becomes:

SELECT * from tUsers where userid='jsmith' AND password='demo1234'

Hacker supplies input that modifies the original SQL statement, for example: iUserID = ' or 1=1 --

SELECT * from tUsers where userid='' or 1=1 --' AND password='bar'

Sample tUsers table:

UserID   Username   Password      Name
1824     jsmith     demo1234      John Smith
         admin1     $#kaoeFor56   Administrator
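The login walkthrough (slides 5 to 10) and the concatenated query on this slide, carried through as an added example rather than code from the deck: a vulnerable login built by string concatenation next to its parameterised fix, run against an in-memory SQLite table. The table rows, the function names and the use of Python/sqlite3 are assumptions for illustration.

```python
import sqlite3

# Constructed sample data: the jsmith row mirrors the deck's tUsers table, the
# other rows are made up so that a "s%" match returns a user named Sam.
USERS = [
    (1824, "jsmith", "demo1234", "John Smith"),
    (1825, "admin1", "$#kaoeFor56", "Administrator"),
    (1826, "sam", "s3cret-pw", "Sam Taylor"),
]

def make_db():
    """In-memory tUsers table populated with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tUsers (userid INTEGER, username TEXT, "
                 "password TEXT, name TEXT)")
    conn.executemany("INSERT INTO tUsers VALUES (?, ?, ?, ?)", USERS)
    return conn

def login_vulnerable(conn, username, password):
    """The deck's pattern: user input concatenated straight into the SQL text,
    so quote characters in the input become part of the statement."""
    query = ("SELECT name FROM tUsers WHERE username='" + username
             + "' AND password='" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def login_safe(conn, username, password):
    """Parameterised query: values travel separately from the SQL text, so an
    apostrophe in the input is plain data and cannot alter the WHERE clause."""
    row = conn.execute(
        "SELECT name FROM tUsers WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None

def probe_error(conn, username):
    """Step 1 of the walkthrough: a lone apostrophe breaks the concatenated
    statement and the database error is returned to the caller."""
    try:
        login_vulnerable(conn, username, "")
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)

if __name__ == "__main__":
    db = make_db()
    print(probe_error(db, "'"))                                           # step 1: error
    print(login_vulnerable(db, "' or username like 's%' or ' --", "x"))  # -> Sam Taylor
    print(login_safe(db, "' or username like 's%' or ' --", "x"))        # -> None
```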


How BB Scanners Work

Stage 1: Crawling as an honest user

http://mySite/editProfile.jsp

http://mySite/

http://mySite/login.jsp

http://mySite/feedback.jsp

http://mySite/logout.jsp


Stage 1: Crawling as an honest user
Stage 2: Testing by tampering requests


How Static (White Box) Testing Works?


Detecting SQL Injection (White Box)

// ...
String username = request.getParameter("username");
String password = request.getParameter("password");
// ...
String query = "SELECT * from tUsers where "
             + "userid='" + username + "' "
             + "AND password='" + password + "'";
// ...
ResultSet rs = stmt.executeQuery(query);

User can change executed SQL commands

Source – a method returning a tainted string (request.getParameter)

Sink – a potentially dangerous method (stmt.executeQuery)


Detecting SQL Injection (White Box)

The scanner highlights the tainted flow through the same code:

String username = request.getParameter("username");   // source
String query = "SELECT …" + username;                  // tainted string propagates into the query
ResultSet rs = stmt.executeQuery(query);               // sink


How WB Scanners Work

Sources:

Sinks:

Sanitizers:

Many injection problems: SQLi, XSS, Log Forging, Path Traversal, Remote code execution

Undecidable problem
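Slides 21 to 23 describe the source/sink/sanitizer model but not the analysis itself. The following is an added example, not the deck's or any scanner vendor's code: a toy forward taint tracker in Python run over the servlet lines from slide 21. The tiny rule set, the escapeSql sanitizer name and the regular-expression "parser" are assumptions for illustration; a real engine works on a full AST and across methods.

```python
import re

# Hypothetical, deliberately tiny rule set; a real SAST engine ships thousands.
SOURCES = {"getParameter"}           # methods returning attacker-controlled strings
SINKS = {"executeQuery", "execute"}  # methods that run whatever SQL they are given
SANITIZERS = {"escapeSql"}           # assumed escaping helper that cleans a value
ASSIGN = re.compile(r"^(?:[\w<>\[\]]+\s+)?(\w+)\s*=\s*(.+);$")
CALL = re.compile(r"(?:\w+\.)?(\w+)\s*\(([^()]*)\)")
STRING = re.compile(r'"[^"]*"')

def identifiers(expr):
    # Identifiers in an expression, ignoring anything inside string literals.
    return set(re.findall(r"\b[A-Za-z_]\w*\b", STRING.sub('""', expr)))

def find_taint_flows(lines):
    """Forward taint tracking over straight-line Java-like statements.
    Returns (line, sink, variable) for every tainted value reaching a sink."""
    tainted = {}   # variable -> line number where its taint originated
    findings = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        calls = dict(CALL.findall(line))  # method name -> argument text
        for sink in sorted(SINKS.intersection(calls)):
            for var in sorted(identifiers(calls[sink]).intersection(tainted)):
                findings.append((lineno, sink, var))
        m = ASSIGN.match(line)
        if not m:
            continue
        var, rhs = m.groups()
        if SANITIZERS.intersection(calls):
            tainted.pop(var, None)      # a sanitizer breaks the flow
        elif SOURCES.intersection(calls) or identifiers(rhs).intersection(tainted):
            tainted[var] = lineno       # fresh taint from a source, or propagation
        else:
            tainted.pop(var, None)      # variable reassigned from clean data
    return findings

# Constructed sample; it reproduces the servlet snippet shown on slide 21.
VULNERABLE = [
    'String username = request.getParameter("username");',
    'String password = request.getParameter("password");',
    'String query = "SELECT * from tUsers where " + "userid=\'" + username'
    ' + "\' " + "AND password=\'" + password + "\'";',
    'ResultSet rs = stmt.executeQuery(query);',
]
```

Running find_taint_flows(VULNERABLE) reports the executeQuery sink on line 4 fed by the tainted query variable; the same code rewritten with a PreparedStatement and setString reports nothing, because the tainted value never reaches the SQL text.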


Pros and Cons of Black Box and White Box testing


Dynamic (Black) Vs Static (White)

Paradigm
  Dynamic (Black): Cleverly "guessing" behaviors that may introduce vulnerabilities
  Static (White): Examines infinite numbers of behaviors in a finite approach

Perspective
  Dynamic (Black): Works as an attacker; HTTP awareness only; Works on the big picture
  Static (White): Resembles code auditing; Inspects the small details; Hard to "connect the dots"

Pre-Requisite
  Dynamic (Black): Any deployed application; Mainly used during testing stage
  Static (White): Application code; Mainly used in development stage

Development Effort
  Dynamic (Black): Oblivious to different languages; Different communication protocols require attention
  Static (White): Different languages require support; Some frameworks too; Oblivious to communication protocols


Dynamic (Black) Vs Static (White) contd

Scope
  Dynamic (Black): Scans the entire system: Servers (Application, Http, DB, etc.); External interfaces; Network, firewalls
  Static (White): Identifies issues regardless of configuration

Time/Accuracy Tradeoffs
  Dynamic (Black): Crawling takes time; Testing mutations takes (infinite) time
  Static (White): Refined model consumes space and time…; Analyzing only "important" code; Approximating the rest

Accuracy Challenges
  Dynamic (Black): Challenge: Cover all attack vectors
  Static (White): Challenge: Eliminate non-exploitable issues


Manual Testing Pros and Cons

Pros
– Cheaper than automated solutions
– Can identify any form of issues (based on skill set!!!)

Cons
– Lack of security knowledge
– Time consuming
– Inconsistent


Potential Security Defects: Dynamic, Static and Manual (DSM)

Approaches on the diagram:
- Dynamic Analysis or Black Box Testing (BB)
- Static Analysis or White Box Testing or Code Review (WB)
- Manual Analysis

Defect classes placed on the diagram:
- Patch level issues
- Production Configuration Issues
- Exception Handling Design Issues
- Threading Issues
- Potential NULL Dereferences
- Some Authentication Issues
- Business Logic Issues
- Some authorization Issues
- Cross Site Scripting (XSS)
- Some Configuration Issues
- SQL Injection


Summary

White Box / static analysis covers 80% of your application-specific vulnerabilities

Black box / dynamic testing is really good for dynamic vulnerabilities and infrastructure-based issues

Manual testing would still be needed to resolve application logic and authorization-based vulnerabilities


Our Business Knowledge

Your Winning Edge

Thank you