Glass Box Testing: Thinking Inside the Box Omri Weisman Manager, Security Research Group IBM Rational.

Glass Box Testing 2 © 2011 IBM Corporation
Omri Weisman
- Manager, Security Research Group, IBM Rational
- 9 years working on AppScan technologies, web application security, and static analysis
- 21 patents pending
- 2 published papers

IBM 100 years


Agenda
- Black box challenges
- Glass box scanning
- Architecture
- Summary

Black Box Challenge – Hidden Logic

Black Box Challenge – Non-reflected Injection

Black Box Challenge – Remediation
- SQL injection found – where to fix it?


No clear indication of an SQL injection in the response. Need to go deeper...

Finally got it!

Agenda – next section: Glass box scanning

What is glass box? (video)

What is Glass Box?
Main idea:
1. Position server-side agents
2. Collect valuable server-side information
3. Report back to the black-box scanner
4. Use the data to enhance the scan
A game-changing enhancement of black-box scanning: accuracy, coverage, reporting, ...
Using internal agents to guide application scanning.

Information Available to Glass Box
- Web app runtime activities
- Application structure, environment, technology, components
- Configuration files
- Source code information
- Log files
- File-system activities
- Registry accesses
- Network traffic
- DB access

Things You Can Do With Glass Box
- Coverage
- Hidden parameters/backdoors
- Non-reflected issues
- File upload
- Denial-of-service
- Exploit generation
- Consolidation
- Correlation
- Auto-configuration
- False positives
- Static analysis
- Deal with non-standard validation

Main Challenges – Glass Box to the Rescue
- Coverage challenge (hidden logic)
- The "debug" parameter, read by the code but present in no form or link, was uncovered by the agent and reported back to the scanner
- Hence the cross-site scripting behind it is exposed!
(Agent callout: Psst... You can use the "debug" param!)

Main Challenges – Glass Box to the Rescue (cont.)
- Detection of non-reflected issues
- Glass box instrumentation operates at runtime, at the code level
- Non-reflected security issue identified: the scanner's payload fingerprint was seen at the SQL injection sink (a runtime-monitored sink), even though nothing was reflected in the response

Main Challenges – Glass Box to the Rescue (cont.)
- Limited security issue information
- The same SQL injection issue, this time identified with the aid of glass box: the report carries the server-side location of the sink, so the developer knows where to fix it
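The three "to the rescue" slides above, and the four-step main idea (position agents, collect, report back, enhance the scan), can be shown end to end in a few dozen lines. The following is an added example written for this page; it is not IBM's or AppScan's code, and every name in it (GlassBoxAgent, FINGERPRINT, Params, MonitoredCursor, handle_request, run_scan) is an assumption. A toy agent instruments a simulated endpoint backed by an in-memory SQLite database: it records which parameters the code reads (hidden-logic discovery), watches the SQL sink for the scanner's fingerprint (non-reflected injection), and captures the application frame that called the sink (remediation). The scan driver then runs the deck's explore, re-explore, test, report sequence against a deliberately vulnerable handler and against its fixed twin.

```python
import html
import sqlite3
import traceback

# Hypothetical scanner fingerprint, modelled on the deck's "GET /page?p=G'123B..." probe.
FINGERPRINT = "G'123B"


class GlassBoxAgent:
    """Toy server-side agent: records which parameters the app reads and
    watches the SQL sink for the scanner's fingerprint."""
    INSTRUMENTATION = {"execute", "on_sql_sink", "_app_frame"}

    def __init__(self):
        self.sent = set()        # parameters the scanner actually sent
        self.accessed = set()    # parameters the application asked for
        self.findings = []

    def begin_request(self, params):
        self.sent, self.accessed = set(params), set()

    def on_param_access(self, name):
        self.accessed.add(name)

    def hidden_params(self):
        # Read by the code but never sent: hidden logic a crawler cannot see.
        return sorted(self.accessed - self.sent)

    def on_sql_sink(self, sql):
        # Fingerprint inside the SQL *text* (bound parameters are not inspected,
        # so a parameterized query is not flagged) means the payload reached
        # the sink unescaped, whether or not the HTTP response reflects it.
        if FINGERPRINT in sql:
            loc = self._app_frame()
            self.findings.append({
                "type": "SQL Injection", "sink": "sqlite3.Cursor.execute",
                "file": loc.filename, "line": loc.lineno,
                "function": loc.name, "sql": sql,
            })

    def _app_frame(self):
        # Walk up past the instrumentation to the application code that called
        # the sink: this is the "where to fix it" a black box cannot report.
        for fr in reversed(traceback.extract_stack()):
            if fr.name not in self.INSTRUMENTATION:
                return fr


AGENT = GlassBoxAgent()


class Params:
    """Request parameters as the application sees them; every lookup is reported."""
    def __init__(self, raw):
        self._raw = dict(raw)

    def get(self, name, default=None):
        AGENT.on_param_access(name)
        return self._raw.get(name, default)


class MonitoredCursor(sqlite3.Cursor):
    """Instrumented SQL sink."""
    def execute(self, sql, parameters=()):
        AGENT.on_sql_sink(sql)
        return super().execute(sql, parameters)


class MonitoredConnection(sqlite3.Connection):
    def cursor(self, factory=MonitoredCursor):
        return super().cursor(factory=factory)


def make_db():
    db = sqlite3.connect(":memory:", factory=MonitoredConnection)
    db.execute("CREATE TABLE audit(name TEXT)")
    return db


def handle_request(params, db):
    """Simulated endpoint, deliberately vulnerable: a 'debug' branch no form
    links to, and a parameter concatenated into SQL that is never reflected."""
    user = params.get("user", "")
    if params.get("debug") == "1":                        # hidden logic
        return "<p>debug user=" + user + "</p>"           # reflected XSS, only via debug
    try:
        db.cursor().execute("INSERT INTO audit(name) VALUES ('" + user + "')")  # sink
        db.commit()
    except sqlite3.Error:
        pass                                              # error swallowed: client sees "OK"
    return "OK"


def handle_request_fixed(params, db):
    """Same endpoint with the two fixes: output encoding and a bound parameter."""
    user = params.get("user", "")
    if params.get("debug") == "1":
        return "<p>debug user=" + html.escape(user) + "</p>"
    db.cursor().execute("INSERT INTO audit(name) VALUES (?)", (user,))
    db.commit()
    return "OK"


def serve(handler, db, params):
    """One HTTP round trip; the agent's report travels back beside the response."""
    AGENT.begin_request(params)
    body = handler(Params(params), db)
    return body, {"hidden": AGENT.hidden_params(), "findings": list(AGENT.findings)}


def run_scan(handler):
    """The deck's timeline: explore, learn the missed params, re-explore, test, report."""
    db, report = make_db(), {}
    AGENT.findings.clear()
    _, gb = serve(handler, db, {"user": "alice"})               # explore what is visible
    report["hidden_params"] = gb["hidden"]                       # "params you missed"
    extra = {p: "1" for p in gb["hidden"]}
    body, _ = serve(handler, db, {"user": "<x>", **extra})       # re-explore with them
    report["xss_reflected"] = "<x>" in body                      # classic black-box check
    body, gb = serve(handler, db, {"user": FINGERPRINT})         # SQLi probe
    report["black_box_response"] = body                          # all the black box sees
    report["sqli"] = gb["findings"]                              # the agent saw the sink
    return report


if __name__ == "__main__":
    for h in (handle_request, handle_request_fixed):
        print(h.__name__, run_scan(h))
```

Two details matter in practice. The sink hook inspects only the SQL text, so the fixed handler's bound parameter carrying the same fingerprint produces no finding; an agent that scanned bound values too would turn every parameterized query into a false positive. And the agent reports the frame above the instrumentation rather than the raw stack, which is what turns "SQL injection found" into a file and line a developer can act on.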

Agenda – next section: Architecture

Architecture (diagram)
- Black-box scanner, containing a glass box engine, talks HTTP(S) to the target web app
- Target server hosts the target web app and a glass box component: agent(s) driven by agent rules
- Control & reporting channel between the scanner's glass box engine and the glass box component on the target server

Glass Box Timeline (scanner/server exchange, start to end)
- Scanner → Server: Deploy Assistant
- Scanner → Server: Explore Start (GET /, GET /page?p=1 ...)
- Server: Glass Box Magic; Glass Box Explore Enhance → Scanner: "These are the params you missed"
- Scanner: New Param Re-explore
- Scanner → Server: Test Started (GET /page?p=G'123B ...)
- Server: Glass Box Test Enhance → Scanner: "I've found these issues..."
- Scanner: Report Findings

OWASP Top 10 – black box coverage
- A1 Injection (SQL, ...)
- A2 XSS
- A3 Broken Auth.
- A4 Insecure Object Reference
- A5 CSRF
- A6 Security Misconfig
- A7 Insecure Crypto
- A8 URL Restriction
- A9 Insufficient Transport Layer Protection
- A10 Unvalidated Redirects & Forwards
Legend: black-box

OWASP Top 10 – black box + glass box coverage
- A1 Injection (SQL, ...)
- A2 XSS
- A3 Broken Auth.
- A4 Insecure Object Reference
- A5 CSRF
- A6 Security Misconfig
- A7 Insecure Crypto
- A8 URL Restriction
- A9 Insufficient Transport Layer Protection
- A10 Unvalidated Redirects & Forwards
Legend: black-box + glass-box
Claim on the slide: the ONLY TECHNOLOGY to effectively find issues in ALL the categories of the OWASP Top 10

Agenda – next section: Summary

Summary
- Glass box is a new technology that is all about using internal agents to guide application scanning
- Glass box significantly enhances every aspect of black box scanning: exploration, testing, exploitation, reporting
- Glass box isn't just a feature set; it is a new way of thinking, with nearly endless potential
Image: Meawpong3405 / FreeDigitalPhotos.net

Smarter security for a smarter planet