Escape From the Black Box Brian Chess Fortify Software Countering the faults of typical web scanners through bytecode injection.

Slides:



Advertisements
Similar presentations
Chapter 6 Server-side Programming: Java Servlets
Advertisements

AP Computer Science Anthony Keen. Computer 101 What happens when you turn a computer on? –BIOS tries to start a system loader –A system loader tries to.
SecuBat: An Automated Web Vulnerability Detection Framework
Making the System Operational
Connecting to Databases. relational databases tables and relations accessed using SQL database -specific functionality –transaction processing commit.
13 Copyright © 2005, Oracle. All rights reserved. Monitoring and Improving Performance.
Test process essentials Riitta Viitamäki,
Dream Report: Advanced Manual Data Entry
Closing the Gap: Analyzing the Limitations of Web Application Vulnerability Scanners David Shelly Randy Marchany Joseph Tront Virginia Polytechnic Institute.
© 2008 Security Compass inc. 1 Firefox Plug-ins for Application Penetration Testing Exploit-Me.
DB Relay An Introduction. INSPIRATION Database access is WAY TOO HARD The crux.
Chapter 5 Loops Liang, Introduction to Java Programming, Tenth Edition, (c) 2015 Pearson Education, Inc. All rights reserved.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Towards a Standard Interface for Runtime Inspection in AOP Environments OOPSLA Workshop on Tool for AOSD, Seattle, November 2002 Katharina Mehner and Awais.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
© 2008 All Right Reserved Fortify Software Inc. Hybrid 2.0 – In search of the holy grail… A Talk for OWASP BeNeLux by Roger Thornton Founder/CTO Fortify.
Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.
Fuzzing Dan Fleck CS 469: Security Engineering Sources:
NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu Ostrava-Poruba.
ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.
Input Validation For Free Text Fields Project Members: Hagar Offer &Ran Mor Academic Advisor: Dr Gera Weiss Technical Advisors: Raffi Lipkin & Nadav Attias.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
Static Code Analysis and Governance Effectively Using Source Code Scanners.
Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
23 October 2002Emmanuel Ormancey1 Spam Filtering at CERN Emmanuel Ormancey - 23 October 2002.
Introducing LAMP: Linux, Apache, MySQL and PHP Track 2 Workshop PacNOG 7 July 1, 2010 Pago Pago, American Samoa.
1 Joe Meehean. 2 Testing is the process of executing a program with the intent of finding errors. -Glenford Myers.
Glass Box Testing: Thinking Inside the Box Omri Weisman Manager, Security Research Group IBM Rational.
Web Security Programming I Building Security in from the Start Except where otherwise noted all portions of this work are Copyright (c) 2007 Google and.
Software Quality Assurance Lecture #8 By: Faraz Ahmed.
CSCI 6962: Server-side Design and Programming JDBC Database Programming.
Approaches to Application Security – DSM
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
A Security Review Process for Existing Software Applications
Introduction Telerik Software Academy Software Quality Assurance.
AMNESIA: Analysis and Monitoring for NEutralizing SQL- Injection Attacks Published by Wiliam Halfond and Alessandro Orso Presented by El Shibani Omar CS691.
Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.
Web Application Security Testing Automation.. Copyright © 2008 Deloitte Touche Tohmatsu. All rights reserved.1 What types of automated testing are there?
Attacking Applications: SQL Injection & Buffer Overflows.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.
Web Application Security ECE ECE Internetwork Security What is a Web Application? An application generally comprised of a collection of scripts.
Watching Software Run Brian ChessNov 18, Success is foreseeing failure. – Henry Petroski.
SIGITE 2008: Oct Integrating Web Application Security into the IT Curriculum James Walden Northern Kentucky University.
 Chapter 14 – Security Engineering 1 Chapter 12 Dependability and Security Specification 1.
Analysis of SQL injection prevention using a filtering proxy server By: David Rowe Supervisor: Barry Irwin.
Beyond negative security Signatures are not always enough Or Katz Trustwave ot.com/
October 3, 2008IMI Security Symposium Application Security through a Hacker’s Eyes James Walden Northern Kentucky University
SQL INJECTIONS Presented By: Eloy Viteri. What is SQL Injection An SQL injection attack is executed when a web page allows users to enter text into a.
Finding Security Vulnerabilities in Java Applications with Static Analysis Reviewed by Roy Ford.
Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection.
Server-side Programming The combination of –HTML –JavaScript –DOM is sometimes referred to as Dynamic HTML (DHTML) Web pages that include scripting are.
Connecting to MySQL using Java By:. – Required to use Java.sql so that we can use Connection and Queries using strings. – Javax.swing.* needed for components.
Secure Authentication. SQL Injection Many web developers are unaware of how SQL queries can be tampered with SQL queries are able to circumvent access.
By Collin Donaldson. Hacking is only legal under the following circumstances: 1.You hack (penetration test) a device/network you own. 2.You gain explicit,
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
M M Waseem Iqbal.  Cause: Unverified/unsanitized user input  Effect: the application runs unintended SQL code.  Attack is particularly effective if.
SQL INJECTION Diwakar Kumar Dinkar M.Tech, CS&E Roll Diwakar Kumar Dinkar M.Tech, CS&E Roll
Web Application Vulnerabilities, Detection Mechanisms, and Defenses
SQL Injection.
SQL Injection Attacks Many web servers have backing databases
^ About the.
A Security Review Process for Existing Software Applications
Penetration Test Debrief
HTML Level II (CyberAdvantage)
Lecture 2 - SQL Injection
OWASP Application Security Verification Standard
Lecture 34: Testing II April 24, 2017 Selenium testing script 7/7/2019
Presentation transcript:

Escape From the Black Box Brian Chess Fortify Software Countering the faults of typical web scanners through bytecode injection

Agenda Problems With Black Box Testing Approaches To Finding Security Issues 4 Problems With Black Box Testing Solution: White Box Testing Bytecode Injection Demo

Black Box Testing Today

How Do You Find Security Issues? Looking at architectural / design documents Looking at the source code Static Analysis Looking at a running application Dynamic Analysis

Static Analysis Analysis Of Source Code and Configuration Files Manual Source Code Reviews Automated Tools Commercial Static Analysis Tools Coverity Fortify Software Klocwork Ounce Labs

Dynamic Analysis Testing & Analysis Of Running Application Find Input Fuzz Input Analyze Response Commercial Web Scanners Cenzic SPIDynamics Watchfire...

Most People Use Web Scanners Because… Easy To Run Fast To Run “Someone Told Me To”

But... “Did I Do A Good Job?”

Q1: How Thorough Was My Test? Do You Know How Much Of Your Application Was Tested?

Q1: How Thorough Was My Test? How Much Of The Application Do You Think You Tested?

Truth About Thoroughness We ran a “Version 7.0 Scanner” on the following: ApplicationEMMA Code Coverage ToolWeb Source HacmeBooks34% classes 12% blocks 14% lines 30.5% JCVS Web45% classes 19% blocks 22% lines 31.2% Java PetStore 270% classes 20% blocks 23% lines 18%

Web Scanner Review Good Found Real Vulnerabilities Was Easy To Run Bad How Thorough Was My Test? No Way To Tell, And Actual Coverage Is Often Low

Q2: Did I Find All Vulnerabilities? 3 Ways To Fail Didn’t Test Tested – But Couldn’t Conclude Can’t Test

Q2: Did I Find All Vulnerabilities? 1. Didn’t Test If The Web Scanner Didn’t Even Reach That Area, It Cannot Test! Application Tested Vulnerabilities Not Found Untested Vulnerabilities Found

Q2: Did I Find All Vulnerabilities? 2. Tested, But Couldn’t Conclude Blind SQL Injection Vulnerabilities That Did Not Return With A Known Signature

Q2: Did I Find All Vulnerabilities? 2. Tested, But Couldn’t Conclude Certain Classes Of Vulnerabilities Sometimes Can Be Detected Through HTTP Response SQL Injection Command Injection LDAP Injection

Q2: Did I Find All Vulnerabilities? 3. Can’t Test Some Vulnerabilities Have No Manifestation In Http Response Application Log File Client I hope they’re not logging my CC# into plaintext log file cc num “Your order will be processed in 2 days” HTTP Response

Web Scanner Review Good Found Real Vulnerabilities Was Easy To Run Bad How Thorough Was My Test? No Way To Tell, And Actual Coverage Is Often Low Did I Find All My Vulnerabilities? Didn’t Test, Tested But Couldn’t Conclude, Can’t Test

Q3: Are The Results Reported True? No Method Is Perfect Under What Circumstances Do Web Scanners Report False Positives? Matching Signature On A Valid Page Matching Behavior On A Valid Page

Matching Signature On A Valid Page Q3: Are The Results Reported True?

Matching Behavior On A Valid Page “To determine if the application is vulnerable to SQL injection, try injecting an extra true condition into the WHERE clause… and if this query also returns the same …, then the application is susceptible to SQL injection” (from paper on Blind SQL Injection) E.g. select ccnum from table where id=‘5’ AND ‘1’=‘1 select ccnum from table where id=‘5’ AND ‘1’=‘1’

Q3: Are The Results Reported True? E.g. select ccnum from table where id=‘5’ Response:  “No match found” (No one with id “5”) AND ‘1’=‘1 select ccnum from table where id=‘5\’ AND \‘1\’=\‘1’ Response  “No match found” (No one with id “5’ AND ‘1’=‘1”)  All single quotes were escaped. According To The Algorithm (“inject a true clause and look for same response”), This Is SQL Injection Vulnerability!

Web Scanner Review Good Found Real Vulnerabilities Was Easy To Run Bad 1. How Thorough Was My Test? No Way To Tell, And Actual Coverage Is Often Low 2. Did I Find All My Vulnerabilities? Didn’t Test, Tested But Couldn’t Conclude, Can’t Test 3. Are All The Results Reported True? Susceptible To False Signature & Behavior Matching

Q4: How Do I Fix The Problem? Security Issues Must Be Fixed In Source Code Information Given URL Parameter General Vulnerability Description HTTP Request/Response But Where In My Source Code Should I Look?

Question 4: How Do I Fix The Problem? Incomplete Vulnerability Report -> Bad Fixes Report: Injecting “AAAAA…..AAAAA” Caused Application To Crash Solution By Developers: …. if (input.equals(“AAAAA…..AAAAA”)) return; …..

Web Scanner Review Good Found Real Vulnerabilities Was Easy To Run Bad 1. How Thorough Was My Test? No Way To Tell, And Actual Coverage Is Often Low 2. Did I Find All My Vulnerabilities? Didn’t Test, Tested But Couldn’t Conclude, Can’t Test 3. Are All The Results Reported True? Susceptible To Signature & Behavior Matching 4. How Do I Fix The Problem? No Source Code / Root Cause Information

Attacking The Problems White Box Testing With Bytecode Injection

Review… Web Scanner Web Application Application Server HTTP Database File System Other Apps and Proposal Verify Results Verify Results Verify Results Verify Results Watch Result

How Will Monitors Solve The Problems? How Thorough Was My Test? Did I Find All My Vulnerabilities? Are All The Results Reported True? How Do I Fix The Problem? Monitors Inside Will Tell Which Parts Was Hit Monitors Inside Detects More Vulnerabilities Very Low False Positive By Looking At Source Of Vulnerabilities Monitors Inside Can Give Root Cause Information

How To Build The Solution How Do You Inject The Monitors Inside The Application? Where Do You Inject The Monitors Inside The Application? What Should The Monitors Do Inside The Application?

How Do You Inject The Monitors? Problem: How Do You Put The Monitors Into The Application? Assumption: You Do Not Have Source Code, Only Deployed Java /.NET Application Solution: Bytecode Weaving AspectJ for Java AspectDNG for.NET

How Does Bytecode Weaving Work? Original.class AspectJ New.class New Code & Location Spec. Similar process for.NET

How Does Bytecode Weaving Work? List getStuff(String id) { List list = new ArrayList(); try { String sql = “select stuff from mytable where id=‘” + id + “’”; JDBCstmt.executeQuery(sql); } catch (Exception ex) { log.log(ex); } return list; } List getStuff(String id) { List list = new ArrayList(); try { String sql = “select stuff from mytable where id=‘” + id + “’”; MyLibrary.doCheck(sql); JDBCstmt.executeQuery(sql); } catch (Exception ex) { log.log(ex); } return list; } Before “executeQuery()” Call “MyLibrary.doCheck()”

Applying Byte-Code Injection To Enhance Security Testing How Do You Inject The Monitors Inside The Application? Where Do You Inject The Monitors Inside The Application? What Should The Monitors Do Inside The Application?

Where Do You Inject The Monitors? All Web Inputs (My Web Scan Should Hit All Of Them) request.getParameter, form.getBean All Inputs (Not All Inputs Are Web) socket.getInputStream.read All “Sinks” (All Security Critical Functions) Statement.executeQuery(String) (FileOutputStream|FileWriter).write(byte[]) …

What Should The Monitors Do? Report Whether The Monitor Was Hit Analyze The Content Of the Call For Security Issues Report Code-Level Information About Where The Monitor Got Triggered

aspect SQLInjection { pointcut sqlExec(String sql):call(ResultSet Statement.executeQuery(String)) && args(sql); before(String sql) : sqlExec(sql) { checkInjection(sql, thisJoinPoint); } void checkInjection(String sql, JoinPoint thisJoinPoint){ System.out.println("HIT:" + thisJoinPoint.getSourceLocation().getFileName() + thisJoinPoint.getSourceLocation().getLine()); if (count(sql, '\'')%2 == 1) { System.out.println("*** SQL Injection detected. SQL statement being executed as follows: “ + sql); } ….. What Should The Monitors Do? 1) Report whether API was hit or not 2) Analyze The Content Of The API Call 3) Report Code-Level Information

Conclusions – Web Scanners Good Easy To Use Finding Smoking Gun Bad Lack Of Coverage Information False Negatives False Positives Lack Of Code-Level / Root Cause Information

Conclusions – White Box Testing Bytecode Injection Require Access To Running Application In Exchange … Gain Coverage Information Find More Vulnerabilities, More Accurately Determine Root Cause Information

Conclusions – Use Your Advantage AttackerDefender Time Attempts Security Knowledge Access To Application

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.