Glass Box Testing: Thinking Inside the Box Omri Weisman Manager, Security Research Group IBM Rational


Page 1: Glass Box Testing: Thinking Inside the Box Omri Weisman Manager, Security Research Group IBM Rational

Glass Box Testing: Thinking Inside the Box

Omri Weisman

Manager, Security Research Group

IBM Rational

Page 2:

Glass Box Testing2© 2011 IBM Corporation

Omri Weisman

Manager, Security Research Group

IBM Rational

9 years working on AppScan technologies, web application security, and static analysis

21 patents pending

2 published papers

Page 3:

IBM 100 YEARS


Page 5:

Agenda

Black box challenges

Glass box scanning

Architecture

Summary

Page 6:

Black Box Challenge – Hidden Logic

http://SITE/purchase?price=1337

http://SITE/purchase?price=TEST_PAYLOAD

Page 7:

Black Box Challenge – Non-reflected Injection

Page 8:

Black Box Challenge – Remediation

SQL injection found – where to fix it?


Page 11:

No clear indication of an SQL Injection. Need to go deeper...

Page 12:

Finally got it!

Page 13:

Agenda

Black box challenges

Glass box scanning

Architecture

Summary

Page 14:

What is glass box?

VIDEO

Page 15:

What is Glass Box?

Main idea:

1. Position server-side agents

2. Collect valuable server-side information

3. Report back to black-box scanner

4. Use data to enhance scan

Game-changing enhancement of black-box scanning: accuracy, coverage, reporting

Using internal agents to guide application scanning

Page 16:

Information Available to Glass Box

Web app runtime activities

Application structure, environment, technology, components

Configuration files

Source code information

Log files

File-system activities

Registry accesses

Network traffic

DB access

Page 17:

Things You Can Do With Glass Box

Coverage

Hidden parameters/backdoors

Non-reflected issues

File upload

Denial-of-service

Exploit generation

Consolidation

Correlation

Auto-configuration

False positives

Static analysis

Deal with non-standard validation

Page 18:

Main Challenges – Glass Box to the Rescue

Coverage challenge (hidden logic)

The agent uncovered the debug parameter and reported it back to the scanner; hence the Cross-Site Scripting is exposed!

Psst… You can use the “debug” param!

http://SITE/purchase?price=1337

http://SITE/purchase?price=1337&debug=TEST_PAYLOAD
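The coverage gain on this slide, worked through as an added example in Python (this is not code from the deck or from AppScan; a real agent would hook the framework's parameter accessor rather than a hand-written Request class). The handler `purchase`, its hidden `debug` branch and the URLs are hypothetical. The hook records every parameter name the application asks for, the scanner diffs that against what it sent, and only then can it test `debug`:

```python
# Added example (not AppScan's agent): a toy "glass box" hook that records
# which request parameters the server-side code actually reads, so the scanner
# learns about parameters its crawl never saw (hidden logic such as 'debug').
import html
from urllib.parse import parse_qs, urlsplit


class Request:
    """Minimal request object; get_parameter() is the instrumentation point.
    A real agent would hook the framework's parameter accessor instead."""

    def __init__(self, url):
        self.params = parse_qs(urlsplit(url).query, keep_blank_values=True)
        self.accessed = []  # every parameter name the application asked for

    def get_parameter(self, name):
        self.accessed.append(name)  # agent hook: record the name, even if absent
        values = self.params.get(name)
        return values[0] if values else None


def purchase(request):
    """Hypothetical handler. The 'debug' branch is hidden logic: nothing in the
    crawlable pages links to it, so a black-box scan never sends it."""
    price = request.get_parameter("price") or "0"
    body = f"<p>Charging {html.escape(price)}</p>"
    debug = request.get_parameter("debug")
    if debug is not None:
        body += f"<pre>{debug}</pre>"  # reflected unescaped: XSS reachable only via 'debug'
    return body


def hidden_parameters(url, handler=purchase):
    """Send one request through the instrumented app and return the names the
    code read but the scanner did not send."""
    req = Request(url)
    handler(req)
    return sorted(set(req.accessed) - set(req.params))


def scan_black_box(base_url, payload, handler=purchase):
    """Baseline: only the parameter seen during crawling ('price') gets tested."""
    url = f"{base_url}?price={payload}"
    return [("price", url)] if payload in handler(Request(url)) else []


def scan_with_glass_box(base_url, payload, handler=purchase):
    """Explore once, ask the agent which parameters were missed, then test each
    of them with the payload. Returns (parameter, url) for unescaped reflections."""
    findings = []
    explore_url = f"{base_url}?price=1337"
    for name in hidden_parameters(explore_url, handler):
        test_url = f"{explore_url}&{name}={payload}"
        if payload in handler(Request(test_url)):
            findings.append((name, test_url))
    return findings


if __name__ == "__main__":
    xss = "<script>alert(1)</script>"
    print("black box:", scan_black_box("http://SITE/purchase", xss))
    print("glass box:", scan_with_glass_box("http://SITE/purchase", xss))
```

The black-box pass finds nothing because `price` is escaped; the glass-box pass learns `debug` from the hook and finds the reflection. Note the hook records the name even when the parameter is absent from the request, which is exactly the case that matters: a parameter that is only ever read, never sent, is invisible to crawling.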

Page 19:

Main Challenges – Glass Box to the Rescue (Cont.)

Detection of non-reflected issues

Glass Box instrumentation operates at runtime, at the code level

Runtime monitored sink

http://SITE/page?name=GB_FINGERPRINT

Fingerprint identified in SQL Injection sink!

Non-reflected security issue identified!

Page 20:

Main Challenges – Glass Box to the Rescue (Cont.)

Limited security issue information

An SQL Injection issue, this time identified with the aid of glass box
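The non-reflected detection of page 19 and the remediation detail of this slide, worked through as one added Python example (not code from the deck or from AppScan, which instruments the real database driver; here a wrapper around a DB-API cursor stands in for the sink hook). The handlers `log_visit_vulnerable` and `log_visit_safe`, the table and the marker value are hypothetical. Both handlers answer a fixed "OK", so a black-box scanner sees identical responses; the sink monitor sees the fingerprint in the query text and records which function built it:

```python
# Added example (not AppScan's agent): a runtime monitor on the SQL sink that
# looks for a scanner-supplied fingerprint in the query text. The injection is
# non-reflected (the handlers return a fixed "OK"), so the response alone
# cannot reveal it; the sink hit, with the calling function, can.
import sqlite3
import traceback

FINGERPRINT = "GB_FINGERPRINT"  # assumed marker; a scanner would make it unique per request


class SinkMonitor:
    """Wraps a DB-API cursor. A real agent would instrument the database
    driver the same way: inspect the statement text right before execution."""

    def __init__(self, cursor):
        self._cursor = cursor
        self.hits = []

    def execute(self, sql, params=()):
        # Only the SQL text counts: a fingerprint passed as a bound parameter
        # never becomes part of the statement, so it is not a finding.
        if FINGERPRINT in sql:
            caller = traceback.extract_stack(limit=2)[0]  # frame that called execute()
            self.hits.append({"sql": sql, "function": caller.name, "line": caller.lineno})
        return self._cursor.execute(sql, params)

    def __getattr__(self, item):  # delegate everything else to the real cursor
        return getattr(self._cursor, item)


def log_visit_vulnerable(cur, name):
    """Hypothetical handler: builds the INSERT by concatenation (injectable)."""
    cur.execute("INSERT INTO visits VALUES ('" + name + "')")
    return "OK"


def log_visit_safe(cur, name):
    """Same handler with a bound parameter: the fingerprint never reaches the SQL text."""
    cur.execute("INSERT INTO visits VALUES (?)", (name,))
    return "OK"


def glass_box_test(handler):
    """Scanner side: send the fingerprint as the 'name' value, then read back
    what the agent observed at the sink. Returns (response, sink_hits)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visits (name TEXT)")
    monitor = SinkMonitor(conn.cursor())
    response = handler(monitor, FINGERPRINT)
    return response, monitor.hits


if __name__ == "__main__":
    for handler in (log_visit_vulnerable, log_visit_safe):
        response, hits = glass_box_test(handler)
        print(handler.__name__, "->", response, hits)
```

Two points a practitioner should take from this. First, the fingerprint is deliberately benign text: its job is to attribute a sink hit to a specific request and parameter, not to break the query, so the application keeps behaving normally while being tested. Second, checking the statement text rather than the bound parameters is what keeps the safe handler from producing a false positive, and the recorded caller is the "where to fix it" answer that the black-box report on page 8 could not give.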

Page 21:

Agenda

Black box challenges

Glass box scanning

Architecture

Summary

Page 22:

Architecture

Architecture diagram, components and channels:

Black-box Scanner: sends HTTP(S) traffic to the Target web app; contains the Glass box Component with the Glass box Engine

Target Server: hosts the Target web app and the Agent(s), which are driven by Rules

Control & Reporting: channel between the Glass box Component on the scanner side and the Agent(s) on the Target Server

Page 23:

Glass Box Timeline

Two lanes, Scanner and Server, from Start to End:

1. Deploy Assistant (scanner deploys the agent on the server)

2. Explore Start (scanner: GET /, GET /page?p=1, ...)

3. Glass Box Magic (agent observes the application while it is being explored)

4. Glass Box Explore Enhance (agent to scanner: "These are the params you missed ...")

5. New Param Re-explore (scanner explores again with the reported parameters)

6. Test Started (scanner: GET /page?p=G'123B, ...)

7. Glass Box Test Enhance (agent to scanner: "I've found these issues ...")

8. Report Findings

Page 24:

OWASP Top 10 - BB

A1 Injection (SQL, ..)

A2 XSS

A3 Broken Auth.

A4 Insecure Object Reference

A5 CSRF

A6 Security Misconfig

A7 Insecure Crypto

A8 URL Restriction

A9 Insufficient Transport Layer Protection

A10 Unvalidated Redirects & Forwards

Coverage: black-box

Page 25:

OWASP Top 10 - GB

A1 Injection (SQL, ..)

A2 XSS

A3 Broken Auth.

A4 Insecure Object Reference

A5 CSRF

A6 Security Misconfig

A7 Insecure Crypto

A8 URL Restriction

A9 Insufficient Transport Layer Protection

A10 Unvalidated Redirects & Forwards

Coverage: black-box + glass-box

Only technology to effectively find issues in all the categories of the OWASP Top 10

Page 26:

Agenda

Black box challenges

Glass box scanning

Architecture

Summary

Page 27:

Summary

Glass box is a new technology that uses internal agents to guide application scanning

Glass box significantly enhances every aspect of black box scanning: exploration, testing, exploitation, reporting

Glass box isn't just a feature set... It is a new way of thinking, with nearly endless potential

Image: Meawpong3405 / FreeDigitalPhotos.net

Page 28:

Smarter security for a smarter planet