Page 1
Glass Box Testing: Thinking Inside the Box
Omri Weisman
Manager, Security Research Group
IBM Rational
Page 2
Glass Box Testing © 2011 IBM Corporation
Omri Weisman
Manager, Security Research Group
IBM Rational
9 years working on AppScan technologies, web application security, and static analysis
21 patents pending
2 published papers
Page 3
IBM 100 YEARS
Page 4
Page 5
Agenda
Black box challenges
Glass box scanning
Architecture
Summary
Page 6
Black Box Challenge – Hidden Logic
http://SITE/purchase?price=1337
http://SITE/purchase?price=TEST_PAYLOAD
Page 7
Black Box Challenge – Non-reflected Injection
Page 8
Black Box Challenge – Remediation
SQL injection found – where to fix it?
Page 9
Page 10
Page 11
No clear indication for an SQL Injection. Need to go deeper...
Page 12
Finally got it!
Page 13
Agenda
Black box challenges
Glass box scanning
Architecture
Summary
Page 14
What is glass box?
VIDEO
Page 15
What is Glass Box?
Main idea:
1. Position server-side agents
2. Collect valuable server-side information
3. Report back to black-box scanner
4. Use data to enhance scan
Game-changing enhancement of black-box scanning
accuracy
coverage
reporting
…
Using internal agents to guide application scanning
Page 16
Information Available to Glass Box
Web app runtime activities
Application structure, environment, technology, components
Configuration files
Source code information
Log files
File-system activities
Registry accesses
Network traffic
DB access
Page 17
Things You Can Do With Glass Box
Coverage
Hidden parameters/backdoors
Non-reflected issues
File upload
Denial-of-service
Exploit generation
Consolidation
Correlation
Auto-configuration
False positives
Static analysis
Deal with non-standard validation
Page 18
Main Challenges – Glass Box to the Rescue
Coverage challenge (hidden logic)
The debug parameter was uncovered and reported back. Hence, the Cross-Site Scripting is exposed!
Psst… You can use the “debug” param!
http://SITE/purchase?price=1337
http://SITE/purchase?price=1337&debug=TEST_PAYLOAD
Page 19
Main Challenges – Glass Box to the Rescue (Cont.)
Detection of non-reflected issues
Glass Box instrumentation operates at runtime, at the code level
Non-reflected security issue identified!
Fingerprint identified in SQL Injection sink!
http://SITE/page?name=GB_FINGERPRINT
Runtime monitored sink
Page 20
Main Challenges – Glass Box to the Rescue (Cont.)
Limited security issue information
An SQL Injection issue, this time identified with the aid of glass box
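The three "Glass Box to the Rescue" slides above (the hidden debug parameter, the scanner fingerprint reaching a SQL sink, and the sink location that black box alone cannot report) condensed into one runnable toy. This is an added example, not IBM's or AppScan's code: the web app (`purchase`, `page`), the `Request`/`Cursor` classes, the `Agent` and its hooks are all constructed for illustration. A real agent hooks the application server's parameter API and the database driver through bytecode instrumentation; here the hooks are plain Python wrappers. The scanner side is simulated by two requests, the explore request from the slide and a test request carrying `GB_FINGERPRINT`.

```python
# Toy glass-box agent: added example, not IBM/AppScan code. The app, the agent
# and the hook mechanism (method wrapping instead of bytecode instrumentation)
# are assumptions made for this illustration.
import inspect
from urllib.parse import parse_qs, urlsplit

FINGERPRINT = "GB_FINGERPRINT"  # marker the scanner embeds in its test payloads


# ---------------------------------------------------------------- toy web app
class Request:
    def __init__(self, url):
        self.url = url
        q = parse_qs(urlsplit(url).query, keep_blank_values=True)
        self.params = {k: v[0] for k, v in q.items()}

    def get_param(self, name, default=""):
        return self.params.get(name, default)


class Cursor:
    """Stand-in for a DB cursor; execute() is the SQL sink the agent monitors."""
    def __init__(self):
        self.executed = []

    def execute(self, sql):
        self.executed.append(sql)


def purchase(req, cur):
    # Hidden logic: a 'debug' parameter that no link or form ever advertises,
    # so a black-box crawl never learns its name.
    if req.get_param("debug"):
        return "debug: " + req.get_param("debug")   # reflected without encoding
    cur.execute("SELECT price FROM items WHERE id = 1")
    return "price=" + req.get_param("price")


def page(req, cur):
    # Non-reflected injection: the input reaches SQL but never the response,
    # so the black-box scanner sees only "thanks" whatever it sends.
    cur.execute("INSERT INTO visits(name) VALUES ('" + req.get_param("name") + "')")
    return "thanks"


ROUTES = {"/purchase": purchase, "/page": page}


# -------------------------------------------------------------- glass-box agent
class Agent:
    def __init__(self):
        self.findings = []      # what gets reported back to the scanner
        self._sent = set()      # parameter names the scanner actually sent
        self._read = set()      # parameter names the application code asked for
        self._url = None

    def install(self):
        agent = self
        orig_get, orig_exec = Request.get_param, Cursor.execute

        def hooked_get_param(req, name, default=""):
            agent._read.add(name)               # observe every parameter lookup
            return orig_get(req, name, default)

        def hooked_execute(cur, sql):
            if FINGERPRINT in sql:              # the test payload reached a SQL sink
                caller = inspect.stack()[1]     # where in the code the sink is
                agent.findings.append({
                    "type": "sqli-sink", "url": agent._url,
                    "sink": f"{caller.function}:{caller.lineno}", "sql": sql})
            return orig_exec(cur, sql)

        Request.get_param, Cursor.execute = hooked_get_param, hooked_execute

    def begin_request(self, url):
        self._url = url
        self._sent = set(parse_qs(urlsplit(url).query, keep_blank_values=True))
        self._read = set()

    def end_request(self):
        # "These are the params you missed": read by the code, never sent by the scanner
        for name in sorted(self._read - self._sent):
            self.findings.append({"type": "hidden-param", "url": self._url, "param": name})


# ----------------------------------------------------------- simulated scanner
def handle(agent, url):
    """One HTTP round-trip; the agent brackets the handler like a server filter."""
    agent.begin_request(url)
    req, cur = Request(url), Cursor()
    body = ROUTES[urlsplit(url).path](req, cur)
    agent.end_request()
    return body


def run_scan():
    """Explore request from the slide, then one test request; returns the findings."""
    agent = Agent()
    agent.install()
    explore = handle(agent, "http://SITE/purchase?price=1337")
    test = handle(agent, f"http://SITE/page?name={FINGERPRINT}")
    return explore, test, agent.findings


if __name__ == "__main__":
    for finding in run_scan()[2]:
        print(finding)
```

The explore request returns only `price=1337`, yet the agent reports `debug` as a parameter the code read but the scanner never sent; the test request returns a bare `thanks`, yet the agent reports the fingerprint inside the `INSERT` statement together with the function and line of the sink, which is the remediation information the "where to fix it?" slide asks for.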
Page 21
Agenda
Black box challenges
Glass box scanning
Architecture
Summary
Page 22
Architecture
Diagram elements:
- Black-box Scanner, with a Glass box Component made up of the Glass box Engine and Control & Reporting
- Target Server running the Target web app, with server-side Agent(s) driven by Rules
- HTTP(S) traffic between the scanner and the target web app
Page 23
Glass Box Timeline
Two lanes, Scanner and Server, from Start to End:
1. Deploy Assistant
2. Explore Start (Scanner: GET / ; GET /page?p=1 ; ...)
3. Glass Box Magic
4. Glass Box Explore Enhance (Server: "These are the params you missed ...")
5. New Param Re-explore
6. Test Started (Scanner: GET /page?p=G'123B ; ...)
7. Glass Box Test Enhance (Server: "I've found these issues ...")
8. Report Findings
Page 24
OWASP Top 10 - BB
A1 Injection (SQL, ..)
A2 XSS
A3 Broken Auth.
A4 Insecure Object Reference
A5 CSRF
A6 Security Misconfig
A7 Insecure Crypto
A8 URL Restriction
A9 Insufficient Transport Layer Protection
A10 Unvalidated Redirects & Forwards
Coverage: black-box
Page 25
OWASP Top 10 - GB
A1 Injection (SQL, ..)
A2 XSS
A3 Broken Auth.
A4 Insecure Object Reference
A5 CSRF
A6 Security Misconfig
A7 Insecure Crypto
A8 URL Restriction
A9 Insufficient Transport Layer Protection
A10 Unvalidated Redirects & Forwards
Coverage: black-box + glass-box
ONLY TECHNOLOGY to effectively find issues in ALL the categories of OWASP top 10
Page 26
Agenda
Black box challenges
Glass box scanning
Architecture
Summary
Page 27
Summary
Glass box is a new technology, that is all about using internal agents to guide application scanning
Glass box significantly enhances every aspect of black box scanning: Exploration, testing, exploitation, reporting
Glass box isn’t just a feature-set... It is a new way of thinking
With nearly endless potential
Image: Meawpong3405 / FreeDigitalPhotos.net
Page 28
Smarter security for a smarter planet