Glass Box Testing: Thinking Inside the Box
Omri Weisman, Manager, Security Research Group, IBM Rational
© 2011 IBM Corporation

About the speaker: 9 years working on AppScan technologies, web application security, and static analysis; 21 patents pending; 2 published papers.

Agenda
- Black box challenges
- Glass box scanning
- Architecture
- Summary
Black Box Challenge – Hidden Logic
The scanner only knows what the page exposes:
http://SITE/purchase?price=1337
http://SITE/purchase?price=TEST_PAYLOAD

Black Box Challenge – Non-reflected Injection

Black Box Challenge – Remediation
SQL injection found – where to fix it?

(Screenshots of manual investigation.) No clear indication for an SQL Injection. Need to go deeper... Finally got it!
Agenda: Glass box scanning

What is Glass Box? (video)

What is Glass Box? Main idea:
1. Position server-side agents
2. Collect valuable server-side information
3. Report back to the black-box scanner
4. Use the data to enhance the scan
A game-changing enhancement of black-box scanning: accuracy, coverage, reporting, ... Using internal agents to guide application scanning.

Information Available to Glass Box
- Web app runtime activities
- Application structure, environment, technology, components
- Configuration files
- Source code information
- Log files
- File-system activities
- Registry accesses
- Network traffic
- DB access

Things You Can Do With Glass Box
- Coverage: hidden parameters/backdoors
- Non-reflected issues
- File upload
- Denial-of-service
- Exploit generation
- Consolidation
- Correlation
- Auto-configuration
- False positives
- Static analysis
- Deal with non-standard validation

Main Challenges – Glass Box to the Rescue
Coverage challenge (hidden logic): the agent uncovers the debug parameter and reports it back ("Psst... you can use the 'debug' param!"), hence the Cross-Site Scripting is exposed:
http://SITE/purchase?price=1337
http://SITE/purchase?price=1337&debug=TEST_PAYLOAD

Main Challenges – Glass Box to the Rescue (Cont.)
Detection of non-reflected issues: glass box instrumentation operates at runtime, at the code level. The scanner sends http://SITE/page?name=GB_FINGERPRINT; the fingerprint is identified in the SQL Injection sink (a runtime-monitored sink), so the non-reflected security issue is identified.

Main Challenges – Glass Box to the Rescue (Cont.)
Limited security issue information: an SQL Injection issue, this time identified with the aid of glass box.
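A minimal version of the agent these slides describe, as an added example and not IBM's AppScan code: a monitored SQL sink spots the scanner's GB_FINGERPRINT value even when the response reflects nothing, and records the server-side function that called execute(), which is the "where to fix it" the remediation slide asks for; the wrapped request object also reports parameter names the code reads but the scanner never sent. The handler names, the Request and MonitoredCursor classes and the in-memory sqlite3 table are assumptions.

```python
import sqlite3
import traceback
FINGERPRINT = "GB_FINGERPRINT"  # marker value the scanner sends, as on the slides

class GlassBoxAgent:
    """Server-side agent: watches parameter reads and the SQL sink, reports back."""
    def __init__(self):
        self.findings, self.params_seen = [], set()
    def on_param_read(self, name):
        # Coverage: every parameter name the code asks for is reported back,
        # including ones the scanner never sent (the hidden "debug" switch).
        self.params_seen.add(name)
    def on_sql(self, statement):
        # Non-reflected detection: the fingerprint inside the statement text means
        # request data was concatenated into SQL, whatever the response shows.
        if FINGERPRINT in statement:
            caller = traceback.extract_stack(limit=3)[0]  # frame that called execute()
            self.findings.append({"sink": "sql", "function": caller.name,
                                  "file": caller.filename, "line": caller.lineno})

class MonitoredCursor:  # wraps sqlite3 cursor.execute() so the agent sees every statement
    def __init__(self, cursor, agent):
        self._cursor, self._agent = cursor, agent
    def execute(self, statement, params=()):
        self._agent.on_sql(statement)
        return self._cursor.execute(statement, params)

class Request:  # minimal request object; args is the parsed query string (constructed)
    def __init__(self, args, agent):
        self._args, self._agent = args, agent
    def get(self, name, default=None):
        self._agent.on_param_read(name)
        return self._args.get(name, default)

def handler_vulnerable(request, cursor):
    name = request.get("name", "")
    cursor.execute("SELECT 1 FROM users WHERE name = '" + name + "'")  # injection sink
    return "debug" if request.get("debug") else "ok"  # hidden parameter, never echoed

def handler_fixed(request, cursor):
    cursor.execute("SELECT 1 FROM users WHERE name = ?", (request.get("name", ""),))
    return "ok"

def scan(handler, args):
    # Send one scanner request through a handler and return what the agent saw.
    agent = GlassBoxAgent()
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    handler(Request(args, agent), MonitoredCursor(conn.cursor(), agent))
    return agent
```

Running scan(handler_vulnerable, {"name": FINGERPRINT}) yields one sink finding naming handler_vulnerable plus the unsent "debug" parameter; the parameterised handler yields no finding because the fingerprint never enters the statement text.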
Agenda: Architecture

Architecture
The black-box scanner talks to the target web app over HTTP(S). On the target server, the glass box component consists of agent(s) and agent rules; it exchanges control and reporting messages with the glass box engine inside the scanner.

Glass Box Timeline (scanner and server, start to end)
- Deploy assistant
- Explore starts: GET /, GET /page?p=1...
- Glass box magic
- Glass box explore enhance: "These are the params you missed..."
- New param found: re-explore
- Test started: GET /page?p=G'123B...
- Glass box test enhance: "I've found these issues..."
- Report findings

OWASP Top 10 – black-box vs. black-box + glass-box
- A1 Injection (SQL, ...)
- A2 XSS
- A3 Broken Auth.
- A4 Insecure Object Reference
- A5 CSRF
- A6 Security Misconfig
- A7 Insecure Crypto
- A8 URL Restriction
- A9 Insufficient Transport Layer Protection
- A10 Unvalidated Redirects & Forwards
Black-box + glass-box: the ONLY technology to effectively find issues in ALL the categories of the OWASP Top 10.

Agenda: Summary

Summary
- Glass box is a new technology that is all about using internal agents to guide application scanning.
- Glass box significantly enhances every aspect of black box scanning: exploration, testing, exploitation, reporting.
- Glass box isn't just a feature set... It is a new way of thinking, with nearly endless potential.