Blackbox Vs. Whitebox

Presentation Description: An overview of the differences between blackbox and whitebox

Comment (12 months ago): Nice presentation. Would like to download your presentation, which provides in-depth details. Regards, Maharaj

Added: September 18, 2008
Presentation Category: Science & Technology
Presentation Transcript

Slide 1: Web Application Scanners, Black Box vs. White Box
The OWASP Foundation, http://www.owasp.org
Adi Sharabani – Security Research Group Manager
Dr. Yinnon Haviv – Static Analysis Technical Leader
IBM Rational Application Security, {adish, yinnonh}
14/09/2008


Slide 2: Outline
Vulnerability example
Black Box scanners
White Box scanners
Technology comparison
Technical example (dealing with validation): White Box approach, Black Box approach
Summary


Slides 3 and 4: SQL Injection (title only)


Slide 5: SQL Injection
User input is embedded as-is in predefined SQL statements:

    query = "SELECT * from tUsers where userid='" + iUserID + "' AND password='" + iPassword + "'";

With iUserID = jsmith and iPassword = demo1234 the executed statement is:

    SELECT * from tUsers where userid='jsmith' AND password='demo1234'

Hacker supplies input that modifies the original SQL statement, for example iUserID = ' or 1=1 -- which yields:

    SELECT * from tUsers where userid='' or 1=1 --' AND password='bar'




Slide 7: Detecting SQL Injection (Black Box)
The scanner submits a single quote (') as the user ID (password shown as ******), so the application builds:

    SELECT * from tUsers where userid=''' AND password='foobar'

which is no longer valid SQL.


Slide 8: How BB Scanners Work
Stage 1: Crawling as an honest user. Pages discovered:
    http://mySite/
    http://mySite/login.jsp
    http://mySite/editProfile.jsp
    http://mySite/feedback.jsp
    http://mySite/logout.jsp




Slide 10: How BB Scanners Work
Stage 1: Crawling as an honest user
Stage 2: Testing by tampering requests




Slide 12: Detecting SQL Injection (White Box)
User can change executed SQL commands:

    // ...
    String username = request.getParameter("username");   // Source
    String password = request.getParameter("password");   // Source
    // ...
    String query = "SELECT * from tUsers where " +
                   "userid='" + username + "' " +
                   "AND password='" + password + "'";
    // ...
    ResultSet rs = stmt.executeQuery(query);              // Sink

Source – a method returning a tainted string
Sink – a potentially dangerous method


Slide 13: Detecting SQL Injection (White Box)
The same snippet reduced to the data flow the analyzer follows:

    String username = request.getParameter("username");   // source
    String query = "SELECT …" + username;                  // tainted string reaches the query
    ResultSet rs = stmt.executeQuery(query);               // sink


Slide 14: A Common Fix (not the best one)
Before:

    // ...
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    // ...
    String query = "SELECT * from tUsers where " +
                   "userid='" + username + "' " +
                   "AND password='" + password + "'";
    // ...
    ResultSet rs = stmt.executeQuery(query);

After:

    // ...
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    // ...
    String query = "SELECT * from tUsers where " +
                   "userid='" + Encode(username) + "' " +
                   "AND password='" + Encode(password) + "'";
    // ...
    ResultSet rs = stmt.executeQuery(query);

Sanitizer: a method returning a non-tainted string


Slide 15: How WB Scanners Work
The analysis is driven by three lists: Sources, Sinks and Sanitizers.
Many injection problems fit this model: SQLi, XSS, log forging, path traversal, remote code execution, …
Deciding exactly which flows reach a sink is an undecidable problem, so the analysis has to approximate.




Slide 17: BB vs. WB – Paradigm
Black Box: cleverly "guessing" behaviors that may introduce vulnerabilities.
White Box: examines infinite numbers of behaviors in a finite approach.


Slide 18: BB vs. WB – Perspective
Black Box: works as an attacker; HTTP awareness only; works on the big picture.
White Box: resembles code auditing; inspects the small details; hard to "connect the dots".


Slide 19: BB vs. WB – Prerequisite
Black Box: any deployed application; mainly used during the testing stage.
White Box: application code; mainly used in the development stage.


Slide 20: BB vs. WB – Development Effort
Black Box: oblivious to different languages; different communication protocols require attention.
White Box: different languages require support, and some frameworks too; oblivious to communication protocols.


Slide 21: BB vs. WB – Scope
Black Box: scans the entire system: servers (application, HTTP, DB, etc.), external interfaces, network and firewalls.
White Box: identifies issues regardless of configuration.


Slide 22: BB vs. WB – Time/Accuracy Tradeoffs
Black Box: crawling takes time; testing mutations takes (infinite) time.
White Box: a refined model consumes space, and time…; analyzing only "important" code and approximating the rest.




Slide 24: Handling Validation Code in WB

    // ...
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    if (username.matches("\\w*")) {
        String query = "SELECT * from tUsers where " +
                       "userid='" + username + "' " +
                       "AND password='" + password + "'";
        ResultSet rs = stmt.executeQuery(query);
    }

Reduced flow, now inside the guard:

    String username = request.getParameter("username");   // source
    String query = "SELECT …" + username;                  // only reached when username matches \w*
    ResultSet rs = stmt.executeQuery(query);               // sink

The regex check restricts username to word characters; a white-box scanner has to recognise such validation code as a guard, or it keeps reporting the flow.
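To make the source/sink/sanitizer model of slides 12 to 15 and the validator handling of slides 24 and 26 concrete, here is an added example (not the deck's or IBM's analyzer): a tiny taint analysis over a hand-written IR of the login snippet. The IR shape, the rule sets and the validator list are assumptions for this example; a length check is deliberately not a validator, since it says nothing about the string's content.

```python
# Added example (not the deck's or IBM's analyzer): a minimal source/sink/
# sanitizer taint analysis over a tiny IR, with recognised validators treated
# as guards. The IR shape, rule sets and validator list are assumptions.
SOURCES = {"request.getParameter"}   # methods returning a tainted string
SINKS = {"stmt.executeQuery"}        # potentially dangerous methods
SANITIZERS = {"Encode"}              # methods returning a non-tainted string
REGEX_GUARD = 'matches("\\\\w*")'    # slide 24: only word characters pass
LENGTH_GUARD = "length() > 5"        # slide 26: says nothing about content
VALIDATORS = {REGEX_GUARD}           # guards whose true branch proves safety

# IR: ("call", dst, fn, args) | ("concat", dst, parts) | ("if", cond, var, body)
def analyze(stmts, taint=None):
    """Return 'sink <- source' strings for each tainted value reaching a sink."""
    taint = dict(taint or {})        # variable -> set of source variables it carries
    findings = []
    for st in stmts:
        if st[0] == "call":
            _, dst, fn, args = st
            if fn in SOURCES:
                taint[dst] = {dst}
            elif fn in SANITIZERS:   # the sanitizer's result is clean
                taint.pop(dst, None)
            elif fn in SINKS:
                for a in args:
                    findings += sorted(f"{fn} <- {s}" for s in taint.get(a, ()))
        elif st[0] == "concat":      # taint flows through string concatenation
            _, dst, parts = st
            origins = set().union(*(taint.get(p, set()) for p in parts))
            if origins:
                taint[dst] = origins
            else:
                taint.pop(dst, None)
        elif st[0] == "if":          # a known validator clears only the tested variable
            _, cond, var, body = st
            inner = {k: v for k, v in taint.items() if k != var} if cond in VALIDATORS else taint
            findings += analyze(body, inner)
    return findings

def login_snippet(sanitize=False, guard=None):
    """Slides 12, 14, 24 and 26 as IR: optionally Encode() both inputs, or wrap
    query building and the sink in `if (username.<guard>) { ... }`."""
    prog = [("call", "username", "request.getParameter", ['"username"']),
            ("call", "password", "request.getParameter", ['"password"'])]
    if sanitize:
        prog += [("call", v, "Encode", [v]) for v in ("username", "password")]
    body = [("concat", "query", ["username", "password"]),
            ("call", "rs", "stmt.executeQuery", ["query"])]
    return prog + ([("if", guard, "username", body)] if guard else body)
```

Note that the regex guard on slide 24 only clears username; password still flows unguarded into the query, so the analysis keeps reporting it.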




Slide 26: Handling Validation Code in BB
The scanner again submits a single quote (') as the user ID (password shown as ******), but the application checks the length first:

    // ...
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    if (username.length() > 5) {
        String query = "SELECT * from tUsers where " +
                       "userid='" + username + "' " +
                       "AND password='" + password + "'";
        ResultSet rs = stmt.executeQuery(query);
    }

The one-character probe from slide 7 fails the length check, so the query is never built and the black-box scanner sees no evidence of the flaw, even though the concatenation is still exploitable by longer input.
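The black-box side of slides 7, 10 and 26, as an added example that is not the deck's scanner: a toy login handler with the slide's length check is probed the way a scanner would probe a request field, using a database error as the oracle, and a parameterized version (a fix the slides do not show) is probed for contrast. The in-memory table, the handlers and the probe strategy are constructed for this example.

```python
# Added example (not the deck's scanner): a black-box probe run against a toy
# login handler instead of a live site. The in-memory table, the handlers and
# the probe strategy are constructed for this example.
import sqlite3

db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE tUsers (userid TEXT, password TEXT)")
db.execute("INSERT INTO tUsers VALUES ('jsmith', 'demo1234')")   # constructed row

def login_concat(username, password):
    """Slide 26: string-built query behind a length check; the check is not a defense."""
    if len(username) > 5:
        query = ("SELECT * from tUsers where userid='" + username +
                 "' AND password='" + password + "'")
        return db.execute(query).fetchall()
    return []

def login_param(username, password):
    """Parameterized query (a fix the slides do not show, added for contrast):
    the input is bound as data and is never parsed as SQL."""
    return db.execute("SELECT * from tUsers where userid=? AND password=?",
                      (username, password)).fetchall()

def probe(handler, username):
    """Slide 7 oracle: a database error on a quote-bearing input signals SQLi."""
    try:
        handler(username, "foobar")
        return False
    except sqlite3.Error:
        return True

def scan(handler):
    """Slide 10, stage 2: tamper with the username field in two ways."""
    return {"naive": probe(handler, "'"),          # bare quote: stopped by the length check
            "padded": probe(handler, "aaaaaa'")}   # passes the check and reaches the query
```

Against login_concat the naive probe reports nothing while the padded one triggers the error; against login_param neither does, which is the difference between validation that hides a flaw and a fix that removes it.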


Slide 27: BB vs. WB – Accuracy Challenges
Black Box challenge: cover all attack vectors.
White Box challenge: eliminate non-exploitable issues.


Slide 28: Summary
Two approaches to web application scanning:
Black Box automates attacker actions.
White Box automates code auditing.
Challenges and issue coverage are different.


Slide 29: ?