Web Application Scanners Black Box vs. White Box - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Web Application Scanners: Black Box vs. White Box
Adi Sharabani, Security Research Group Manager
Dr. Yinnon Haviv, Static Analysis Technical Leader
IBM Rational Application Security
adish, yinnonh
OWASP
14/09/2008
The OWASP Foundation
http://www.owasp.org
2
Outline
  • Vulnerability example
  • Black Box scanners
  • White Box scanners
  • Technology comparison
  • Technical example (dealing with validation)
  • White Box approach
  • Black Box approach
  • Summary

5
SQL Injection
  • User input is embedded as-is in predefined SQL statements:

    query = "SELECT * from tUsers where userid='" + iUserID + "' AND password='" + iPassword + "'"

    With iUserID = jsmith and iPassword = demo1234 the executed statement is:

    SELECT * from tUsers where userid='jsmith' AND password='demo1234'

  • Hacker supplies input that modifies the original SQL statement, for example:

    iUserID = ' or 1=1 --

    SELECT * from tUsers where userid='' or 1=1 --' AND password='bar'

    The quote closes the userid literal, or 1=1 makes the condition always true, and -- comments out the rest of the statement, including the password check.
7
Detecting SQL Injection (Black Box)
The scanner has no view of the code: it submits test values through the login form and looks for an injection symptom in the response (for example a database error). For a probe in the user id field with password foobar, the statement the server builds is:

SELECT * from tUsers where userid='' AND password='foobar'
8
How BB Scanners Work
  • Stage 1: Crawling as an honest user

http://mySite/
http://mySite/login.jsp
http://mySite/feedback.jsp
http://mySite/editProfile.jsp
http://mySite/logout.jsp
10
How BB Scanners Work
  • Stage 1: Crawling as an honest user
  • Stage 2: Testing by tampering requests (each crawled request is re-sent with mutated parameters and the response is checked for signs of a vulnerability)

12
Detecting SQL Injection (White Box)
Source: a method returning a tainted string (here request.getParameter)

    // ...
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    // ...
    String query = "SELECT * from tUsers where " +
                   "userid='" + username + "' " +
                   "AND password='" + password + "'";
    // ...
    ResultSet rs = stmt.executeQuery(query);

User can change the executed SQL commands.
Sink: a potentially dangerous method (here stmt.executeQuery)
13
Detecting SQL Injection (White Box)
The analysis follows the tainted value from source to sink: username and password are tainted because they are returned by request.getParameter; query is tainted because it is built by concatenating them with constant SQL text; stmt.executeQuery(query) therefore receives tainted data and is reported as SQL injection.
14
A Common Fix (not the best one)
Before:

    // ...
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    // ...
    String query = "SELECT * from tUsers where " +
                   "userid='" + username + "' " +
                   "AND password='" + password + "'";
    // ...
    ResultSet rs = stmt.executeQuery(query);

After:

    // ...
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    // ...
    String query = "SELECT * from tUsers where " +
                   "userid='" + Encode(username) + "' " +
                   "AND password='" + Encode(password) + "'";
    // ...
    ResultSet rs = stmt.executeQuery(query);

Sanitizer: a method returning a non-tainted string (here Encode). Once a value has passed through a recognized sanitizer the analysis stops tracking it. The fix is "not the best one" because an escaping routine is only correct for the SQL context it was written for; a parameterized statement, which keeps user data out of the SQL text altogether, is the preferred fix.
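To make the SQL injection slide (5) and the "common fix" slide (14) concrete, here is an added example that is not part of the presentation: it runs the string-built query, the Encode() fix and a parameterized statement against an in-memory SQLite table with constructed sample rows. The body of Encode() is an assumption (the slide does not show it), so a quote-doubling escaper stands in for it. The last function goes beyond the slide to show why escaping is "not the best one": in an unquoted numeric context the same Encode() has nothing to escape and the injected condition passes straight through.

```python
import sqlite3

# Constructed sample data, not from the presentation.
USERS = [(1, "jsmith", "demo1234"), (2, "admin", "s3cret!")]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tUsers (id INTEGER, userid TEXT, password TEXT)")
    con.executemany("INSERT INTO tUsers VALUES (?, ?, ?)", USERS)
    return con


def build_query(userid, password):
    """The slide's pattern: untrusted input pasted straight into the SQL text."""
    return ("SELECT * from tUsers where userid='" + userid
            + "' AND password='" + password + "'")


def login_concat(con, userid, password):
    """Vulnerable: executes the string-built statement and returns matching rows."""
    return con.execute(build_query(userid, password)).fetchall()


def encode(value):
    """Stand-in for the slide's Encode() (assumed body): double every single
    quote so the input cannot terminate the string literal it is placed in."""
    return value.replace("'", "''")


def login_encoded(con, userid, password):
    """The 'common fix': every input passes through the sanitizer first."""
    return con.execute(build_query(encode(userid), encode(password))).fetchall()


def login_param(con, userid, password):
    """Parameterized statement: the SQL text is fixed, values travel separately."""
    sql = "SELECT * from tUsers where userid=? AND password=?"
    return con.execute(sql, (userid, password)).fetchall()


def find_by_id_encoded(con, user_id):
    """Why escaping is not the best fix: in an unquoted numeric context the
    sanitizer finds no quote to double and the injected condition goes through."""
    return con.execute("SELECT * from tUsers where id=" + encode(user_id)).fetchall()


def demo():
    con = make_db()
    attack = "' or 1=1 --"          # the slide's iUserID payload
    return {
        "honest_concat": login_concat(con, "jsmith", "demo1234"),
        "attack_concat": login_concat(con, attack, "bar"),       # every row returned
        "attack_encoded": login_encoded(con, attack, "bar"),     # no rows
        "attack_param": login_param(con, attack, "bar"),         # no rows
        "numeric_encoded": find_by_id_encoded(con, "1 or 1=1"),  # every row again
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:16s} -> {len(rows)} row(s): {rows}")
```

The numeric case is the one a white-box rule set must be careful about: Encode() is registered as a sanitizer, so a scanner that trusts the sanitizer list unconditionally will stop tracking the value even though the sink is still exploitable; parameterization removes that dependency on the rule set.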
15
How WB Scanners Work
  • Many injection problems fit the same model: SQLi, XSS, log forging, path traversal, remote code execution
  • Sources: methods returning tainted (attacker-controlled) data
  • Sanitizers: methods returning non-tainted data
  • Sinks: methods where tainted data is dangerous
  • Deciding precisely which source values can reach which sinks is an undecidable problem, so the analysis has to approximate
17
BB vs. WB - Paradigm
  • Black Box: cleverly guessing behaviors that may introduce vulnerabilities
  • White Box: examines an infinite number of behaviors in a finite approach
18
BB vs. WB - Perspective
  • Black Box
    • Works as an attacker
    • HTTP awareness only
    • Works on the big picture
  • White Box
    • Resembles code auditing
    • Inspects the small details
    • Hard to connect the dots

19
BB vs. WB - Prerequisite
  • Black Box
    • Any deployed application
    • Mainly used during the testing stage
  • White Box
    • Application code
    • Mainly used during the development stage

20
BB vs. WB - Development Effort
  • Black Box
    • Oblivious to the application's programming language
    • Different communication protocols require attention
  • White Box
    • Different languages require support, and some frameworks too
    • Oblivious to communication protocols

21
BB vs. WB - Scope
  • Black Box
    • Scans the entire system as deployed
    • Servers (application, HTTP, DB, etc.)
    • External interfaces
    • Network, firewalls
  • White Box
    • Identifies issues regardless of configuration (a flaw in the code is reported whether or not the deployed environment currently exposes it)
22
BB vs. WB - Time/Accuracy Tradeoffs
  • Black Box
    • Crawling takes time
    • Testing mutations takes (potentially infinite) time
  • White Box
    • A refined model consumes space, and time
    • Analyzing only the important code, approximating the rest

24
Handling Validation Code in WB

    String username = request.getParameter("username");
    // ...
    String password = request.getParameter("password");
    if (username.matches("\\w+")) {
        String query = "SELECT * from tUsers where " +
                       "userid='" + username + "' " +
                       "AND password='" + password + "'";
        ResultSet rs = stmt.executeQuery(query);
    }

The regular-expression check is validation, not a sanitizer call: the value itself is unchanged, and it is only safe inside the branch where the test succeeded. A WB scanner has to recognize such guards (condition-dependent cleaning of a variable) or it reports a false positive on the username flow. Note that password is still concatenated without any check, so this query remains injectable through the password field, and a correct analysis still reports the sink.
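An added example, not from the presentation, of the source/sanitizer/sink model of slide 15 together with the guard handling of slide 24: a small taint tracker over Python transliterations of the slides' Java snippets. The rule tables are this example's assumptions: request.getParameter is the source, stmt.executeQuery the sink, encode the sanitizer, and re.fullmatch a validator whose success proves its second argument clean. The four sample programs are constructed; the last two go beyond the slide to check that validating only username still leaves password flowing into the sink, and that validating both clears the finding.

```python
import ast
import textwrap

# Rule tables. A real engine ships thousands of these per language and framework;
# the names below are this example's assumptions, chosen to match the slides.
SOURCES = {"request.getParameter"}     # return attacker-controlled data
SANITIZERS = {"encode"}                # return data treated as clean
SINKS = {"stmt.executeQuery"}          # dangerous when handed tainted data
VALIDATORS = {"re.fullmatch"}          # a true result proves the 2nd argument clean


def call_name(call):
    """Dotted name of the callee ('request.getParameter'), or None if not simple."""
    f = call.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f.value.id + "." + f.attr
    return None


def is_tainted(expr, tainted):
    """Does this expression carry source data that no sanitizer has cleaned?"""
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.Call):
        name = call_name(expr)
        if name in SOURCES:
            return True
        if name in SANITIZERS:
            return False
    # Concatenation, unknown calls, anything else: taint flows through from any child.
    return any(is_tainted(child, tainted) for child in ast.iter_child_nodes(expr))


def validated_names(test):
    """Variables proven clean when an if-test holds; handles 'a and b'."""
    if isinstance(test, ast.BoolOp) and isinstance(test.op, ast.And):
        return set().union(*(validated_names(v) for v in test.values))
    if isinstance(test, ast.Call) and call_name(test) in VALIDATORS:
        arg = test.args[1]
        if isinstance(arg, ast.Name):
            return {arg.id}
    return set()


def analyze(stmts, tainted, findings):
    for st in stmts:
        if isinstance(st, ast.If):
            # Inside the guarded branch the validated variables are clean; the
            # else branch sees the original state. (A full engine would merge
            # the two states afterwards; this toy does not.)
            analyze(st.body, tainted - validated_names(st.test), findings)
            analyze(st.orelse, set(tainted), findings)
            continue
        for node in ast.walk(st):
            if isinstance(node, ast.Call) and call_name(node) in SINKS:
                bad = sorted({n.id for a in node.args for n in ast.walk(a)
                              if isinstance(n, ast.Name) and n.id in tainted})
                if bad:
                    findings.append((st.lineno, call_name(node), bad))
        if isinstance(st, ast.Assign) and isinstance(st.targets[0], ast.Name):
            if is_tainted(st.value, tainted):
                tainted.add(st.targets[0].id)
            else:
                tainted.discard(st.targets[0].id)


def scan(src):
    """Return [(line, sink, [tainted variables reaching it]), ...]."""
    findings = []
    analyze(ast.parse(textwrap.dedent(src).strip()).body, set(), findings)
    return findings


# Constructed Python transliterations of the slides' Java snippets.
VULNERABLE = r"""
username = request.getParameter("username")
password = request.getParameter("password")
query = "SELECT * from tUsers where userid='" + username + "' AND password='" + password + "'"
rs = stmt.executeQuery(query)
"""
ENCODED = (VULNERABLE.replace("+ username +", "+ encode(username) +")
                     .replace("+ password +", "+ encode(password) +"))
VALIDATED_USERNAME_ONLY = r"""
username = request.getParameter("username")
password = request.getParameter("password")
if re.fullmatch(r"\w+", username):
    query = "SELECT * from tUsers where userid='" + username + "' AND password='" + password + "'"
    rs = stmt.executeQuery(query)
"""
VALIDATED_BOTH = VALIDATED_USERNAME_ONLY.replace(
    r'username):', r'username) and re.fullmatch(r"\w+", password):')

if __name__ == "__main__":
    for label, program in [("vulnerable", VULNERABLE), ("encoded", ENCODED),
                           ("username validated", VALIDATED_USERNAME_ONLY),
                           ("both validated", VALIDATED_BOTH)]:
        print(f"{label:20s} {scan(program)}")
```

The validator rule is the part that makes slide 24 work: without VALIDATORS the tracker would still flag the username flow inside the if-branch, which is exactly the false positive the slide warns about; with it, the remaining finding is the genuine one through password.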
26
Handling Validation Code in BB

    // ...
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    if (username.length() > 5) {
        String query = "SELECT * from tUsers where " +
                       "userid='" + username + "' " +
                       "AND password='" + password + "'";
        ResultSet rs = stmt.executeQuery(query);
    }

A BB scanner cannot see the length check. A short probe such as a lone single quote never reaches the query, so the scanner observes nothing and would miss the flaw; it has to vary its payloads (for example by prepending a plausible-looking value) until one passes the application's validation and reaches the sink.
27
BB vs. WB - Accuracy Challenges
  • Black Box challenge: cover all attack vectors (the risk is a false negative: an exploitable flaw that no payload happened to trigger)
  • White Box challenge: eliminate non-exploitable issues (the risk is a false positive: a flow the tool cannot prove safe but that attacker data never actually reaches)

28
Summary
  • Two approaches to web application scanning
  • Black Box automates attacker actions
  • White Box automates code auditing
  • Challenges and issue coverage are different

29
?