Approaches to Application Security – DSM Maheshan C N Maheshan.Chemminiyan@lntinfotech.com

Agenda Sample illustration of a SQL Injection Different Approaches to Security Testing Dynamic (Black Box) Vs Static (White Box) Vs Manual Summary

Sample illustration of a SQL injection

SQL Injection

Normal login for JSMITH Username: jsmith Password: *******

Normal login for JSMITH

Username = Apostrophe? The start of a SQL injection attack Password:

Step 1 – We have an error Syntax error in string query expression ‘username = “’ and password = “’

Step 2 – Try a more complete SQL statement Username:’ or username like ‘s%’ or ‘ --

Now we are Sam!

Approaches to Security Testing

Dynamic, Static and Manual (DSM) Potential Security Defects Manual Analysis Static Analysis or White Box Testing Or Code Review WB BB Dynamic Analysis or Black Box Testing

Static and Dynamic Analysis Two types of security analysis: Static and Dynamic Dynamic Analysis Analyzes a running application Looks for issues both within the application and around it Web application scanners, run-time analyzers Users: “black-box” penetration testing specialists Static Analysis Analyzes source code Looks for security issues within the application source code Users: “white-box”, source code auditors, development teams

Dynamic (Black Box) Vs Static (White Box) Manual

How Dynamic (Black Box) Testing Works?

SQL Injection User input is embedded as-is in predefined SQL statements: jsmith demo1234 query = "SELECT * from tUsers where userid='" + + "' AND password='" + + "'"; iUserID iPassword John Smith demo1234 jsmith 1824 Name Password Username UserID SELECT * from tUsers where userid=‘jsmith' AND password=‘demo1234' Hacker supplies input that modifies the original SQL statement, for example: iUserID = ' or 1=1 -- Administrator $#kaoeFor56 admin 1 Name Password Username UserID SELECT * from tUsers where userid=' ' AND password='bar' ' AND password='bar'

Stage 1: Crawling as an honest user How BB Scanners Work Stage 1: Crawling as an honest user http://mySite/ http://mySite/login.jsp http://mySite/feedback.jsp http://mySite/editProfile.jsp http://mySite/logout.jsp

Stage 1: Crawling as an honest user How BB Scanners Work Stage 1: Crawling as an honest user http://mySite/ http://mySite/login.jsp http://mySite/feedback.jsp http://mySite/editProfile.jsp http://mySite/logout.jsp

How BB Scanners Work Stage 1: Crawling as an honest user Stage 2: Testing by tampering requests

How Static (White Box) Testing Works?

Detecting SQL Injection (White Box) Source – a method returning tainted string // ... Stringusername = request.getParameter("username"); Stringpassword = request.getParameter("password"); Stringquery = "SELECT * from tUsers where " + "userid='" +username + "' " + "AND password='" + password + "'"; ResultSet rs = stmt.executeQuery(query); User can change executed SQL commands Sink - a potentially dangerous method

Detecting SQL Injection (White Box) String username = request.getParameter("username"); // ... Stringpassword = request.getParameter("password"); "userid='" +username + "' " + "AND password='" + password + "'"; Stringusername = request.getParameter("username"); Stringquery = "SELECT * from tUsers where " +' String query = "SELECT …" + username ResultSet rs = stmt.executeQuery(query); ResultSet rs = stmt.executeQuery(query);

How WB Scanners Work Many injection problems: Sources: SQLi, XSS, LogForging, PathTraversal, Remote code execution … Sources: Sanitizers: Undecidable problem Sinks:

Pros and Cons of Black Box and White Box testing

Dynamic (Black) Vs Static (White) Feature Dynamic (Black) Static(White) Paradigm Cleverly “guessing” behaviors that may introduce vulnerabilities Examines infinite numbers of behaviors in a finite approach Perspective Works as an attacker HTTP awareness only Works on the big picture Resembles code auditing Inspects the small details Hard to “connect the dots” Pre-Requisite Any deployed application Mainly used during testing stage Application code Mainly used in development stage Development Effort Oblivious to different languages Different communication protocols require attention Different languages require support Some frameworks too Oblivious to communication protocols

Dynamic (Black) Vs Static (White) contd Feature Dynamic (Black) Static(White) Scope Scans the entire system Servers (Application, Http, DB, etc.) External interfaces Network, firewalls Identifies issues regardless of configuration Time/Accuracy Tradeoffs Crawling takes time Testing mutations takes (infinite) time Refined model consumes space and time… Analyzing only “important” code Approximating the rest Accuracy Challenges Challenge: Cover all attack vectors Eliminate non-exploitable issues

Manual Testing Pros and Cons Cheaper than Automated solutions Can identify any form of issues (based on skill set!!!) Cons Lack of security knowledge Time consuming Inconsistent

Dynamic, Static and Manual (DSM) Potential Security Defects Some Authentication Issues Business Logic Issues Some authorization Issues Manual Analysis Static Analysis or White Box Testing Or Code Review WB Dynamic Analysis or Black Box Testing BB Exception Handling Design Issues Threading Issues Potential NULL Derefrences Patch level issues Production Configuration Issues Cross Site Scripting (XSS) Some Configuration Issues SQL Injection

Summary White Box / static analysis covers 80% of your application specific vulnerabilities Black box / dynamic testing is really good for dynamic Vulnerabilities and Infrastructure based issues Manual testing would still be needed to resolve Application logic and authorization based vulnerabilities

Our Business Knowledge Thank you Our Business Knowledge Your Winning Edge