Presentation is loading. Please wait.

Presentation is loading. Please wait.

Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection.

Published byLesley Harrell Modified over 8 years ago

Similar presentations

Presentation on theme: "Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection."— Presentation transcript:

1 Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection

2 Agenda Problems With Black Box Testing Approaches To Finding Security Issues 4 Problems With Black Box Testing Solution:WhiteBox Testing With ByteCode Injection The Solution Demo Of Solution Building The Solution Q&A

3 Current Practice

4 How Do You Find Security Issues? Looking at architectural / design documents Looking at the source code Static Analysis Looking at a running application Dynamic Analysis

5 Current Practice Static Analysis Analysis Of Source Code and Configuration Files Manual Source Code Reviews Automated Tools Commercial Static Analysis Tools  Fortify Software  Klocwork  Ounce Labs

6 Current Practice Dynamic Analysis Testing & Analysis Of Running Application Find Input; Fuzz Input Analyze Response Manual Web Scanning Automated Web Scanning Cenzic SPIDynamics (HP) Watchfire (IBM) Paros (Open Source)

7 Current Practice Some People Use Automated Web Scanners Because They Can Be… Easy To Run Fast To Run (sometimes) “Someone Told Me To”

8 Dynamic Analysis Demo

9 Web Scanner Review Good Found Real Vulnerabilities Was Easy To Run “Did I Do A Good Job?”

10 Question 1: How Thorough Was My Test? Do You Know How Much Of Your Application Was Tested?

11 Question 1: How Thorough Was My Test? How Much Of The Application Do You Think You Tested?

12 Truth About Thoroughness We ran a Very Well Known Commercial Product Scanner on the following Open Source Apps: ApplicationEMMA Code Coverage ToolWeb Source HacmeBooks34% classes 12% blocks 14% lines 30.5% JCVS Web45% classes 19% blocks 22% lines 31.2% Java PetStore 270% classes 20% blocks 23% lines 18%

13 Web Scanner Review Good Found Real Vulnerabilities Was Easy To Run Bad 1. How Thorough Was My Test? No Way To Tell, And Actual Coverage Is Often Low 2. 3. 4.

14 Question 2: Did I Find All Vulnerabilities? 3 Ways To Fail 1. Didn’t Test 2. Tested – But Couldn’t Conclude 3. Can’t Test

15 1. Didn’t Test If The Web Scanner Didn’t Even Reach That Area, It Cannot Test! Question 2: Did I Find All Vulnerabilities? Tested Vulnerabilities Not Found Untested Vulnerabilities Found Application

16 Question 2: Did I Find All Vulnerabilities? 2. Tested, But Couldn’t Conclude Blind SQL Injection Vulnerabilities That Did Not Return With A Known Signature

17 Question 2: Did I Find All Vulnerabilities? 2. Tested, But Couldn’t Conclude Certain Classes Of Vulnerabilities Sometimes Can Be Detected Through HTTP Response SQL Injection Command Injection LDAP Injection

18 public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { ServletOutputStream out = res.getOutputStream(); String user = req.getParameter("user"); if(user != null) { try { String[] args = { "/bin/sh", "-c", "finger " + user }; Process p = Runtime.getRuntime().exec(args); BufferedReader fingdata = new BufferedReader(new InputStreamReader(p.getInputStream())); String line; while((line = fingdata.readLine()) != null) out.println(line); p.waitFor(); } catch(Exception e) { throw new ServletException(e); } } else { out.println("specify a user"); } …

19 public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { ServletOutputStream out = res.getOutputStream(); String user = req.getParameter("user"); if(user != null) { try { String[] args = { "/bin/sh", "-c", “sendMail.sh " + user }; Process p = Runtime.getRuntime().exec(args); p.waitFor(); } catch(Exception e) { e.printStackTrace(System.err); } out.println(“Thank you note was sent”); } else { out.println("specify a user"); } …

20 Question 2: Did I Find All Vulnerabilities? 3. Can’t Test Some Vulnerabilities Have No Manifestation In Http Response Application Log File Client I hope they’re not logging my CC# into plaintext log file cc num “Your order will be processed in 2 days” HTTP Response

21

22 Web Scanner Review Good Found Real Vulnerabilities Was Easy To Run Bad 1. How Thorough Was My Test? No Way To Tell, And Actual Coverage Is Often Low 2. Did I Find All My Vulnerabilities? Didn’t Test, Tested But Couldn’t Conclude, Can’t Test 3. 4.

23 Question 3: Are All The Results Reported True? No Method Is Perfect Under What Circumstances Do Web Scanners Report False Positives? Matching Signature On A Valid Page Matching Behavior On A Valid Page

24 Question 3: Are All The Results Reported True? Matching Signature On A Valid Page

25 Question 3: Are All The Results Reported True? Matching Behavior On A Valid Page “To determine if the application is vulnerable to SQL injection, try injecting an extra true condition into the WHERE clause… and if this query also returns the same …, then the application is susceptible to SQL injection” (from paper on Blind SQL Injection) E.g. http://www.server.com/getCC.jsp?id=5 select ccnum from table where id=‘5’ http://www.server.com/getCC.jsp?id=5’ AND ‘1’=‘1 select ccnum from table where id=‘5’ AND ‘1’=‘1’

26 Question 3: Are All The Results Reported True? E.g. http://www.server.com/getCC.jsp?id=5 select ccnum from table where id=‘5’ Response:  “No match found” (No one with id “5”) http://www.server.com/getCC.jsp?id=5’ AND ‘1’=‘1 select ccnum from table where id=‘5\’ AND \‘1\’=\‘1’ Response  “No match found” (No one with id “5’ AND ‘1’=‘1”)  All single quotes were escaped. According To The Algorithm (“inject a true clause and look for same response”), This Is SQL Injection Vulnerability!

27 Web Scanner Review Good Found Real Vulnerabilities Was Easy To Run Bad 1. How Thorough Was My Test? No Way To Tell, And Actual Coverage Is Often Low 2. Did I Find All My Vulnerabilities? Didn’t Test, Tested But Couldn’t Conclude, Can’t Test 3. Are All The Results Reported True (False Positives)? Susceptible To False Signature & Behavior Matching 4.

28 Question 4: How Do I Fix The Problem? Security Issues Must Be Fixed In Source Code Information Given By Web Scanners URL Parameter General Vulnerability Description HTTP Request/Response Ummm … what line of code?

29 Question 4: How Do I Fix The Problem? Incomplete Vulnerability Report -> Bad Fixes Report: Injecting “AAAAA…..AAAAA” Caused Application To Crash Solution By Developers: …. if (input.equals(“AAAAA…..AAAAA”)) return; …..

30 Web Scanner Review Good Found Real Vulnerabilities Was Easy To Run Bad 1. How Thorough Was My Test? No Way To Tell, And Actual Coverage Is Often Low 2. Did I Find All My Vulnerabilities? Didn’t Test, Tested But Couldn’t Conclude, Can’t Test 3. Are All The Results Reported True (False Positives)? Susceptible To Signature & Behavior Matching 4. How Do I Fix The Problem? No Source Code / Root Cause Information

31 Attacking The Problems White Box Testing With Bytecode Injection

32 Agenda Problems With Black Box Testing Approaches To Finding Security Issues 4 Problems With Black Box Testing Solution:WhiteBox Testing With ByteCode Injection The Solution Building The Solution Q&A

33 Review… Web Scanner Web App Application Server HTTP Database File System Other Apps and Proposal Verify Results Verify Results Verify Results Verify Results Watch Result

34 How Will Monitors Solve The Problems? 1. How Thorough Was My Test? 2. Did I Find All My Vulnerabilities? 3. Are All The Results Reported True? 4. How Do I Fix The Problem? 1. Monitors Inside Will Tell Which Parts Were Hit 2. Monitors Inside Detects More Vulnerabilities 3. Very Low False Positive By Looking At Source Of Vulnerabilities 4. Monitors Inside Can Give Root Cause Information

35 How To Build The Solution 1. How Do You Inject The Monitors Inside The Application? 2. Where Do You Inject The Monitors Inside The Application? 3. What Should The Monitors Do Inside The Application?

36 How Do You Inject The Monitors? Problem: How Do You Put The Monitors Into The Application? Assumption: You Do Not Have Source Code, Only Deployed Java /.NET Application Solution: Bytecode Weaving AspectJ for Java AspectDNG for.NET

37 How Does Bytecode Weaving Work? Original.class AspectJ New.class New Code & Location Spec. Similar process for.NET

38 How Does Bytecode Weaving Work? List getStuff(String id) { List list = new ArrayList(); try { String sql = “select stuff from mytable where id=‘” + id + “’”; JDBCstmt.executeQuery(sql); } catch (Exception ex) { log.log(ex); } return list; } List getStuff(String id) { List list = new ArrayList(); try { String sql = “select stuff from mytable where id=‘” + id + “’”; MyLibrary.doCheck(sql); JDBCstmt.executeQuery(sql); } catch (Exception ex) { log.log(ex); } return list; } Before “executeQuery()” Call “MyLibrary.doCheck()”

39 Bytecode Injection Demo

40 Applying Byte-Code Injection To Enhance Security Testing 1. How Do You Inject The Monitors Inside The Application? 2. Where Do You Inject The Monitors Inside The Application? 3. What Should The Monitors Do Inside The Application?

41 Where Do You Inject The Monitors? 1. All Web Inputs (Web Scan Should Hit Them All) request.getParameter, form.getBean 2. All Inputs (Not All Inputs Are Web) socket.getInputStream.read 3. All “Sinks” (All Security Critical Functions) Statement.executeQuery(String) – SQL Injection JNDI.lookup(String) – LDAP Injection (FileOutputStream|FileWriter).write(byte[]) …

42 Applying Byte-Code Injection To Enhance Security Testing 1. How Do You Inject The Monitors Inside The Application? 2. Where Do You Inject The Monitors Inside The Application? 3. What Should The Monitors Do Inside The Application?

43 What Should The Monitors Do? 1. Report Whether The Monitor Was Hit 2. Analyze The Content Of the Call For Security Issues 3. Report Code-Level Information About Where The Monitor Got Triggered

44 aspect SQLInjection { pointcut sqlExec(String sql):call(ResultSet Statement.executeQuery(String)) && args(sql); before(String sql) : sqlExec(sql) { checkInjection(sql, thisJoinPoint); } void checkInjection(String sql, JoinPoint thisJoinPoint){ System.out.println("HIT:" + thisJoinPoint.getSourceLocation().getFileName() + thisJoinPoint.getSourceLocation().getLine()); if (count(sql, '\'')%2 == 1) { System.out.println("*** SQL Injection detected. SQL statement being executed as follows: “ + sql); } ….. What Should The Monitors Do? 1) Report whether API was hit or not 2) Analyze The Content Of The API Call 3) Report Code-Level Information

45 Proof Of Concept Running The Custom Solution

46 With Additional Work on UI

47 Coverage

48 With Additional Work on UI

49 Security Issues Detail

50 Security Issues Detail – SQL Injection

51 Security Issue Detail – Privacy Violation

52 Conclusions – Web Scanners Good Easy To Use Finding Smoking Gun Bad Lack Of Coverage Information False Negative False Positive Lack Of Code-Level / Root Cause Information

53 Conclusions – White Box Testing Bytecode Injection Requires Access To Running Application In Exchange … Gain Coverage Information Find More Vulnerabilities, More Accurately Determine Root Cause Information

54 Conclusions – Use Your Advantage AttackerDefender Time Attempts Security Knowledge Access To Application

55 Thank You Questions? Email: eklein@fortify.com

Download ppt "Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection."

Similar presentations

Chapter 6 Server-side Programming: Java Servlets

Chapter 6 Server-side Programming: Java Servlets
Escape From the Black Box Brian Chess Fortify Software Countering the faults of typical web scanners through bytecode injection.

Escape From the Black Box Brian Chess Fortify Software Countering the faults of typical web scanners through bytecode injection.
Exception Handling. Background In a perfect world, users would never enter data in the wrong form, files they choose to open would always exist, and code.

Exception Handling. Background In a perfect world, users would never enter data in the wrong form, files they choose to open would always exist, and code.
© 2008 All Right Reserved Fortify Software Inc. Hybrid 2.0 – In search of the holy grail… A Talk for OWASP BeNeLux by Roger Thornton Founder/CTO Fortify.

© 2008 All Right Reserved Fortify Software Inc. Hybrid 2.0 – In search of the holy grail… A Talk for OWASP BeNeLux by Roger Thornton Founder/CTO Fortify.
Slides prepared by Rose Williams, Binghamton University ICS201 Exception Handling University of Hail College of Computer Science and Engineering Department.

Slides prepared by Rose Williams, Binghamton University ICS201 Exception Handling University of Hail College of Computer Science and Engineering Department.
Introduction The concept of “SQL Injection”

Introduction The concept of “SQL Injection”
Fuzzing Dan Fleck CS 469: Security Engineering Sources:

Fuzzing Dan Fleck CS 469: Security Engineering Sources:
Input Validation For Free Text Fields Project Members: Hagar Offer &Ran Mor Academic Advisor: Dr Gera Weiss Technical Advisors: Raffi Lipkin & Nadav Attias.

Input Validation For Free Text Fields Project Members: Hagar Offer &Ran Mor Academic Advisor: Dr Gera Weiss Technical Advisors: Raffi Lipkin & Nadav Attias.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.

Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
1 Joe Meehean. 2 Testing is the process of executing a program with the intent of finding errors. -Glenford Myers.

1 Joe Meehean. 2 Testing is the process of executing a program with the intent of finding errors. -Glenford Myers.
Test Design Techniques

Test Design Techniques
Glass Box Testing: Thinking Inside the Box Omri Weisman Manager, Security Research Group IBM Rational.

Glass Box Testing: Thinking Inside the Box Omri Weisman Manager, Security Research Group IBM Rational.
Web Security Programming I Building Security in from the Start Except where otherwise noted all portions of this work are Copyright (c) 2007 Google and.

Web Security Programming I Building Security in from the Start Except where otherwise noted all portions of this work are Copyright (c) 2007 Google and.
Testing Tools. Categories of testing tools Black box testing, or functional testing Testing performed via GUI. The tool helps in emulating end-user actions.

Testing Tools. Categories of testing tools Black box testing, or functional testing Testing performed via GUI. The tool helps in emulating end-user actions.
Software Quality Assurance Lecture #8 By: Faraz Ahmed.

Software Quality Assurance Lecture #8 By: Faraz Ahmed.
CSCI 6962: Server-side Design and Programming JDBC Database Programming.

CSCI 6962: Server-side Design and Programming JDBC Database Programming.
Approaches to Application Security – DSM

Approaches to Application Security – DSM
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

Similar presentations

Ads by Google