Blackbox vs. Whitebox (uploaded by orysegal)
Added: September 18, 2008. Views: 3739. Category: Science & Tech. License: All Rights Reserved.
Presentation Description: An overview of the differences between blackbox and whitebox application security scanning technologies.

Comments
- manishgangwani (5 months ago): Hi, very nice, really hats off to you. Please, I want this; can you mail me on manishgangwani123@gmail.com...
- imthekinnng (6 months ago): download
- shanth.kadur (9 months ago): Please make it available to download...
- GDEV.007 (11 months ago): Give a link at gokuldev1000@gmail.com
- madhusiva (14 months ago): Nice presentation. Would like to download.

Presentation Transcript

Slide 1: Web Application Scanners – Black Box vs. White Box
The OWASP Foundation, http://www.owasp.org
Adi Sharabani – Security Research Group Manager
Dr. Yinnon Haviv – Static Analysis Technical Leader
IBM Rational Application Security, {adish, yinnonh}
14/09/2008
Slide 2: Outline
- Vulnerability example
- Black Box scanners
- White Box scanners
- Technology comparison
- Technical example (dealing with validation)
  - White Box approach
  - Black Box approach
- Summary

Slide 3: SQL Injection (title)

Slide 4: SQL Injection (title)

Slide 5: SQL Injection
User input is embedded as-is in predefined SQL statements:

    query = "SELECT * from tUsers where userid='" + iUserID + "' AND password='" + iPassword + "'";

With iUserID = jsmith and iPassword = demo1234 the executed statement is:

    SELECT * from tUsers where userid='jsmith' AND password='demo1234'

Hacker supplies input that modifies the original SQL statement, for example:

    iUserID = ' or 1=1 --

which turns the statement into:

    SELECT * from tUsers where userid='' or 1=1 --' AND password='bar'

Slide 6: Outline (repeated; section: Black Box scanners)

Slide 7: Detecting SQL Injection (Black Box)
The scanner submits a single quote (') as the user id and a dummy password (******). The unbalanced quote makes the server build a malformed statement, which is how the scanner detects the injection point:

    SELECT * from tUsers where userid=''' AND password='foobar'

Slide 8: How BB Scanners Work
Stage 1: Crawling as an honest user. Crawled pages:
- http://mySite/
- http://mySite/login.jsp
- http://mySite/editProfile.jsp
- http://mySite/feedback.jsp
- http://mySite/logout.jsp

Slide 9: How BB Scanners Work (same crawling diagram as slide 8)

Slide 10: How BB Scanners Work
Stage 1: Crawling as an honest user
Stage 2: Testing by tampering requests

Slide 11: Outline (repeated; section: White Box scanners)

Slide 12: Detecting SQL Injection (White Box)

    // ...
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    // ...
    String query = "SELECT * from tUsers where " +
                   "userid='" + username + "' " +
                   "AND password='" + password + "'";
    // ...
    ResultSet rs = stmt.executeQuery(query);

User can change executed SQL commands.
Source – a method returning a tainted string.
Sink – a potentially dangerous method.

Slide 13: Detecting SQL Injection (White Box)
Animation of the slide 12 code, reducing it to the data flow the scanner follows from source to sink:

    String username = request.getParameter("username");   // source: tainted string
    String query = "SELECT …" + username;                  // taint propagates through concatenation
    ResultSet rs = stmt.executeQuery(query);               // sink: tainted query executed

Slide 14: A Common Fix (not the best one)
Before:

    // ...
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    // ...
    String query = "SELECT * from tUsers where " +
                   "userid='" + username + "' " +
                   "AND password='" + password + "'";
    // ...
    ResultSet rs = stmt.executeQuery(query);

After:

    // ...
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    // ...
    String query = "SELECT * from tUsers where " +
                   "userid='" + Encode(username) + "' " +
                   "AND password='" + Encode(password) + "'";
    // ...
    ResultSet rs = stmt.executeQuery(query);

Sanitizer: a method returning a non-tainted string.

Slide 15: How WB Scanners Work
The analysis is configured with three sets: Sources, Sinks and Sanitizers.
Many injection problems fit this model: SQLi, XSS, LogForging, PathTraversal, Remote code execution …
Deciding precisely whether tainted data reaches a sink is an undecidable problem.

Slide 16: Outline (repeated; section: Technology comparison)

Slide 17: BB vs. WB – Paradigm
- BB: Cleverly "guessing" behaviors that may introduce vulnerabilities
- WB: Examines infinite numbers of behaviors in a finite approach

Slide 18: BB vs. WB – Perspective
- BB: Works as an attacker; HTTP awareness only; Works on the big picture
- WB: Resembles code auditing; Inspects the small details; Hard to "connect the dots"

Slide 19: BB vs. WB – Prerequisite
- BB: Any deployed application; Mainly used during testing stage
- WB: Application code; Mainly used in development stage

Slide 20: BB vs. WB – Development Effort
- BB: Oblivious to different languages; Different communication protocols require attention
- WB: Different languages require support (some frameworks too); Oblivious to communication protocols

Slide 21: BB vs. WB – Scope
- BB: Scans the entire system: servers (Application, Http, DB, etc.), external interfaces, network, firewalls
- WB: Identifies issues regardless of configuration

Slide 22: BB vs. WB – Time/Accuracy Tradeoffs
- BB: Crawling takes time; Testing mutations takes (infinite) time
- WB: A refined model consumes space, and time…; Analyzing only "important" code and approximating the rest

Slide 23: Outline (repeated; section: Technical example, White Box approach)

Slide 24: Handling Validation Code in WB

    // ...
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    if (username.matches("\\w*")) {
        String query = "SELECT * from tUsers where " +
                       "userid='" + username + "' " +
                       "AND password='" + password + "'";
        ResultSet rs = stmt.executeQuery(query);
    }

The flow from the source request.getParameter("username") through "SELECT …" + username to the sink stmt.executeQuery(query) now passes a regex check. The WB scanner has to decide whether that check counts as a sanitizer for username; if it does not recognize validation code, it reports a non-exploitable issue.

Slide 25: Outline (repeated; section: Technical example, Black Box approach)

Slide 26: Handling Validation Code in BB
The scanner again sends ' as the user id and ****** as the password, but the code only builds the query for inputs longer than five characters:

    // ...
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    if (username.length() > 5) {
        String query = "SELECT * from tUsers where " +
                       "userid='" + username + "' " +
                       "AND password='" + password + "'";
        ResultSet rs = stmt.executeQuery(query);
    }

A one-character probe never reaches the query, so the BB scanner sees no error and misses the injection unless its test vectors also satisfy the validation.

Slide 27: BB vs. WB – Accuracy Challenges
- BB challenge: Cover all attack vectors
- WB challenge: Eliminate non-exploitable issues

Slide 28: Summary
- Two approaches to web application scanning
- BB automates attacker actions
- WB automates code auditing
- Challenges and issue coverage are different

Slide 29: ?
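The source/sink/sanitizer tracking of slides 12 to 15 and the validation case of slide 24, as an added toy taint analysis (not the authors' scanner): programs are constructed (dest, op, args) tuples standing in for the slides' Java, the login query is reduced to the username parameter as on slide 13, and the SAFE_GUARD heuristic that accepts a regex as validation is an assumption of this example.

```python
import re

# Constructed mini-IR: each statement is (dest, op, args). Names mirror the slides.
SOURCES = {"request.getParameter"}   # methods returning tainted strings
SINKS = {"stmt.executeQuery"}        # potentially dangerous methods
SANITIZERS = {"Encode"}              # methods returning non-tainted strings
# Assumption of this toy: a regex guard counts as validation only if it admits
# word characters alone, so quotes and comment markers cannot pass it.
SAFE_GUARD = re.compile(r"^\\w[*+]$")

def analyze(program):
    """Return (sink, variable) pairs where tainted data reaches a sink."""
    tainted, findings = set(), []
    for dest, op, args in program:
        if op in SOURCES:
            tainted.add(dest)
        elif op in SANITIZERS:
            tainted.discard(dest)                 # sanitizer output is clean
        elif op == "guard":                       # if (var.matches(regex)) { ... }
            var, regex = args
            if SAFE_GUARD.match(regex):
                tainted.discard(var)              # validation recognized
        elif op == "concat":                      # dest = a + b + ...
            if any(a in tainted for a in args):
                tainted.add(dest)
            else:
                tainted.discard(dest)
        elif op in SINKS:
            findings += [(op, a) for a in args if a in tainted]
    return findings

def login_program(fix=None):
    """Slide 13's login query; fix is None, "encode", or a guard regex string."""
    prog = [("username", "request.getParameter", ['"username"'])]
    user = "username"
    if fix == "encode":                           # slide 14's common fix
        prog.append(("username_enc", "Encode", ["username"]))
        user = "username_enc"
    elif fix:                                     # slide 24's validation code
        prog.append((None, "guard", ["username", fix]))
    prog.append(("query", "concat",
                 ['"SELECT * from tUsers where userid=\'"', user, '"\'"']))
    prog.append(("rs", "stmt.executeQuery", ["query"]))
    return prog

if __name__ == "__main__":
    for name, fix in [("vulnerable", None), ("encoded", "encode"),
                      ("guarded \\w*", "\\w*"), ("guarded .*", ".*")]:
        print(name, analyze(login_program(fix)))
```

The weak guard `.*` still yields a finding, which is the slide 24 point: the scanner must judge what a validation check actually rules out, not merely that one exists.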