Glass Box Testing: Thinking Inside the Box Omri Weisman Manager, Security Research Group IBM Rational.

Presentation transcript:

1 Glass Box Testing: Thinking Inside the Box. Omri Weisman, Manager, Security Research Group, IBM Rational

2 Glass Box Testing 2 © 2011 IBM Corporation
Omri Weisman, Manager, Security Research Group, IBM Rational
- 9 years working on AppScan technologies, web application security, and static analysis
- 21 patents pending
- 2 published papers

3 IBM 100 YEARS

4 [image-only slide]

5 Agenda
- Black box challenges
- Glass box scanning
- Architecture
- Summary

6 Black Box Challenge – Hidden Logic
http://SITE/purchase?price=1337
http://SITE/purchase?price=TEST_PAYLOAD

7 Black Box Challenge – Non-reflected Injection

8 Black Box Challenge – Remediation
- SQL injection found – where to fix it?

9 [image-only slide]

10 [image-only slide]

11 No clear indication of an SQL Injection. Need to go deeper...

12 Finally got it!

13 Agenda
- Black box challenges
- Glass box scanning
- Architecture
- Summary

14 What is glass box? [video]

15 What is Glass Box?
Main idea:
1. Position server-side agents
2. Collect valuable server-side information
3. Report back to the black-box scanner
4. Use the data to enhance the scan
- Game-changing enhancement of black-box scanning: accuracy, coverage, reporting, ...
- Using internal agents to guide application scanning

16 Information Available to Glass Box
- Web app runtime activities
- Application structure, environment, technology, components
- Configuration files
- Source code information
- Log files
- File-system activities
- Registry accesses
- Network traffic
- DB access

17 Things You Can Do With Glass Box
- Coverage
- Hidden parameters/backdoors
- Non-reflected issues
- File upload
- Denial-of-service
- Exploit generation
- Consolidation
- Correlation
- Auto-configuration
- False positives
- Static analysis
- Deal with non-standard validation

18 Main Challenges – Glass Box to the Rescue
- Coverage challenge (hidden logic)
- The debug parameter was uncovered and reported back
- Hence, the Cross-Site Scripting is exposed!
Psst... You can use the "debug" param!
http://SITE/purchase?price=1337
http://SITE/purchase?price=1337&debug=TEST_PAYLOAD

19 Main Challenges – Glass Box to the Rescue (Cont.)
- Detection of non-reflected issues
- Glass Box instrumentation operates at runtime, at the code level
- Non-reflected security issue identified! Fingerprint identified in SQL Injection sink!
http://SITE/page?name=GB_FINGERPRINT
Runtime monitored sink

20 Main Challenges – Glass Box to the Rescue (Cont.)
- Limited security issue information
- An SQL Injection issue, this time identified with the aid of glass box

21 Agenda
- Black box challenges
- Glass box scanning
- Architecture
- Summary

22 Architecture
[diagram: Black-box Scanner <- HTTP(S) -> Target web app on the Target Server; Glass box Component with Agent(s) and Agent Rules inside the target; Control & Reporting channel between the Glass box Engine in the scanner and the agents]

23 Glass Box Timeline
[diagram: Scanner and Server lanes, from Start to End]
1. Deploy Assistant
2. Explore (GET /, GET /page?p=1...)
3. Start Glass Box Magic
4. Glass Box Explore Enhance ("These are the params you missed...")
5. New Param Re-explore
6. Test Started (GET /page?p=G'123B...)
7. Glass Box Test Enhance ("I've found these issues...")
8. Report Findings
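The loop sketched on slides 15 to 23 (hidden parameter reported back, fingerprint seen in a non-reflected SQL sink, findings attributed to the code location that needs fixing), as an added example that is not IBM's or AppScan's code: a constructed target app with a hidden "debug" parameter and a database sink whose input never appears in the response, an in-process agent that records which parameters the app reads and which instrumented sinks receive the scanner's fingerprint, and a scanner that explores, learns the missed parameter from the agent, re-explores and then tests. The fingerprint string, the hook names (read_param, check_sink, db_execute, html_write) and the app itself are all assumptions made here for illustration.

```python
"""Toy glass-box scan: a server-side agent guiding a black-box scanner.
Everything here (app, agent, scanner, fingerprint) is constructed for the
example; none of it is the product's own code."""
import inspect
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

FINGERPRINT = "GB_FINGERPRINT"  # marker the scanner embeds in test payloads (assumed)


@dataclass
class Finding:
    kind: str        # e.g. "SQL Injection"
    param: str       # request parameter whose value reached the sink
    sink: str        # monitored sink function that received the fingerprint
    location: str    # app function and line that called the sink: where to fix it
    reflected: bool  # did the payload also come back in the HTTP response?


@dataclass
class Agent:
    """Server-side agent: hooks parameter reads and security-relevant sinks."""
    params_read: set = field(default_factory=set)
    findings: list = field(default_factory=list)
    _current: dict = field(default_factory=dict)
    _start: int = 0

    def begin_request(self, query):
        self._current = dict(query)
        self._start = len(self.findings)

    def read_param(self, name):
        # Every parameter the app asks for is recorded, even ones no page links to.
        self.params_read.add(name)
        return self._current.get(name, "")

    def check_sink(self, kind, sink, value):
        """Called from an instrumented sink; attributes a fingerprint hit to the
        parameter carrying it and to the app code that invoked the sink."""
        if FINGERPRINT not in value:
            return
        caller = inspect.stack()[2]  # [0] here, [1] sink wrapper, [2] app code
        for name, val in self._current.items():
            if FINGERPRINT in val and val in value:
                self.findings.append(Finding(kind, name, sink,
                                             f"{caller.function}:{caller.lineno}", False))

    def end_request(self, response):
        # Mark which of this request's findings a pure black-box scan could also see.
        for f in self.findings[self._start:]:
            f.reflected = FINGERPRINT in response


def db_execute(agent, sql):
    """Monitored SQL sink; the real database call is stubbed out."""
    agent.check_sink("SQL Injection", "db_execute", sql)


def html_write(agent, fragment):
    """Monitored HTML output sink."""
    agent.check_sink("Cross-Site Scripting", "html_write", fragment)
    return fragment


def target_app(agent, query):
    """Constructed target: a visible 'name' param and a hidden 'debug' param."""
    agent.begin_request(query)
    name = agent.read_param("name")
    debug = agent.read_param("debug")  # hidden logic: never advertised in any page
    db_execute(agent, f"SELECT * FROM users WHERE name = '{name}'")  # non-reflected sink
    body = html_write(agent, "<p>ok</p>")
    if debug:
        body += html_write(agent, f"<pre>{debug}</pre>")  # echoed without encoding
    agent.end_request(body)
    return body


def glass_box_scan(agent, seed_url):
    """Timeline from the slides: explore, learn missed params from the agent,
    re-explore with them, test every param with a fingerprinted payload, report."""
    query = {k: v[0] for k, v in parse_qs(urlparse(seed_url).query).items()}
    target_app(agent, query)                   # 1. black-box explore
    missed = agent.params_read - set(query)    # 2. "these are the params you missed"
    for p in missed:                           # 3. re-explore with the new params
        query[p] = "1"
    for p in sorted(query):                    # 4. test each param, one at a time
        target_app(agent, dict(query, **{p: f"{FINGERPRINT}_{p}"}))
    return missed, agent.findings              # 5. "I've found these issues"


if __name__ == "__main__":
    missed, findings = glass_box_scan(Agent(), "http://SITE/page?name=alice")
    print("params the black-box explore missed:", missed)
    for f in findings:
        print(f"{f.kind} via '{f.param}' at {f.location} (reflected={f.reflected})")
```

Run with no arguments. The SQL Injection finding carries reflected=False, which is exactly the case a response-only scanner cannot see, and the Cross-Site Scripting finding exists only because the agent disclosed the "debug" parameter; the location field is what slide 8 asks for, the place in the code to fix.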

24 OWASP Top 10 – BB
A1 Injection (SQL, ...)
A2 XSS
A3 Broken Auth.
A4 Insecure Object Reference
A5 CSRF
A6 Security Misconfig
A7 Insecure Crypto
A8 URL Restriction
A9 Insufficient Transport Layer Protection
A10 Unvalidated Redirects & Forwards
[legend: black-box]

25 OWASP Top 10 – GB
A1 Injection (SQL, ...)
A2 XSS
A3 Broken Auth.
A4 Insecure Object Reference
A5 CSRF
A6 Security Misconfig
A7 Insecure Crypto
A8 URL Restriction
A9 Insufficient Transport Layer Protection
A10 Unvalidated Redirects & Forwards
[legend: black-box + glass-box]
ONLY TECHNOLOGY to effectively find issues in ALL the categories of the OWASP Top 10

26 Agenda
- Black box challenges
- Glass box scanning
- Architecture
- Summary

27 Summary
- Glass box is a new technology that is all about using internal agents to guide application scanning
- Glass box significantly enhances every aspect of black box scanning: exploration, testing, exploitation, reporting
- Glass box isn't just a feature-set... it is a new way of thinking, with nearly endless potential
Image: Meawpong3405 / FreeDigitalPhotos.net

28 Smarter security for a smarter planet

