Confidential | Copyright © L & T Infotech Ltd.
Approaches to Application Security – DSM
Maheshan C
Agenda
1. Sample illustration of a SQL Injection
2. Different Approaches to Security Testing
3. Dynamic (Black Box) Vs Static (White Box) Vs Manual
4. Summary
Sample illustration of a SQL injection
SQL Injection
Username: jsmith
Password: *******
Normal login for JSMITH
Username = Apostrophe? The start of a SQL injection attack
Username: '
Password:
Syntax error in string query expression ‘username = “’ and password = “’
Step 1 – We have an error
Step 2 – Try a more complete SQL statement
Username: ' or username like 's%' or ' --
Now we are Sam!
Approaches to Security Testing
Potential Security Defects
Dynamic, Static and Manual (DSM)
- Dynamic Analysis or Black Box Testing (BB)
- Static Analysis or White Box Testing or Code Review (WB)
- Manual Analysis
Static and Dynamic Analysis
Two types of security analysis: Static and Dynamic

Static Analysis
- Analyzes source code
- Looks for security issues within the application source code
- Users: "white-box", source code auditors, development teams

Dynamic Analysis
- Analyzes a running application
- Looks for issues both within the application and around it
- Web application scanners, run-time analyzers
- Users: "black-box" penetration testing specialists
Dynamic (Black Box) Vs Static (White Box) Vs Manual
How Dynamic (Black Box) Testing Works
SQL Injection

User input is embedded as-is in predefined SQL statements:

query = "SELECT * from tUsers where userid='" + iUserID + "' AND password='" + iPassword + "'";

With normal input (iUserID = jsmith, iPassword = demo1234) the executed statement is:

SELECT * from tUsers where userid='jsmith' AND password='demo1234'

Hacker supplies input that modifies the original SQL statement, for example: iUserID = ' or 1=1 --

SELECT * from tUsers where userid='' or 1=1 --' AND password='bar'

Sample tUsers table from the slide:

UserID  Username  Password     Name
1824    jsmith    demo1234     John Smith
1       admin     $#kaoeFor56  Administrator
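The concatenated query from this slide, reproduced against an in-memory SQLite table, next to the parameterized form that does not have the defect. This is an added example, not code from the slides; the rows mirror the slide's sample data and are constructed, and the column names (Username, Password, Name) are assumed.

```python
import sqlite3

# Constructed sample rows mirroring the slide's tUsers table (not real accounts).
ROWS = [
    (1824, "jsmith", "demo1234", "John Smith"),
    (1, "admin", "$#kaoeFor56", "Administrator"),
]


def make_db():
    """Build an in-memory tUsers table populated with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tUsers (UserID INTEGER, Username TEXT, "
                "Password TEXT, Name TEXT)")
    con.executemany("INSERT INTO tUsers VALUES (?, ?, ?, ?)", ROWS)
    return con


def login_concat(con, i_user_id, i_password):
    """Vulnerable form from the slide: input is embedded as-is in the SQL text."""
    query = ("SELECT Name FROM tUsers WHERE Username='" + i_user_id
             + "' AND Password='" + i_password + "'")
    return [name for (name,) in con.execute(query)]


def login_param(con, i_user_id, i_password):
    """Hardened form: placeholders keep the input as data, never as SQL syntax."""
    query = "SELECT Name FROM tUsers WHERE Username=? AND Password=?"
    return [name for (name,) in con.execute(query, (i_user_id, i_password))]


def leaked_error(con, i_user_id):
    """Step 1 from the slides: a lone apostrophe makes the concatenated form fail
    with a database syntax error, which is the signal a scanner looks for.
    Returns the error text, or None when the statement ran."""
    try:
        login_concat(con, i_user_id, "")
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


if __name__ == "__main__":
    db = make_db()
    print(login_concat(db, "jsmith", "demo1234"))   # normal login: John Smith
    print(leaked_error(db, "'"))                    # Step 1: syntax error leaks
    print(login_concat(db, "' or 1=1 --", "bar"))   # Step 2: every row matches
    print(login_param(db, "' or 1=1 --", "bar"))    # hardened form: no match
```

The same apostrophe that breaks login_concat is just an ordinary character to login_param, which is why parameterized statements, not input filtering, are the fix for this defect class.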
How BB Scanners Work
Stage 1: Crawling as an honest user
http://mySite/editProfile.jsp
http://mySite/
http://mySite/login.jsp
http://mySite/feedback.jsp
http://mySite/logout.jsp
How BB Scanners Work
Stage 1: Crawling as an honest user
Stage 2: Testing by tampering requests
How Static (White Box) Testing Works
Detecting SQL Injection (White Box)

// ...
String username = request.getParameter("username");   // Source - a method returning a tainted string
String password = request.getParameter("password");   // Source - a method returning a tainted string
// ...
String query = "SELECT * from tUsers where " + "userid='" + username + "' " + "AND password='" + password + "'";   // tainted strings flow into the query text
// ...
ResultSet rs = stmt.executeQuery(query);   // Sink - a potentially dangerous method

User can change the executed SQL commands: the tainted strings reach the sink with no sanitizer on the path.
How WB Scanners Work
- Sources: methods returning tainted strings
- Sinks: potentially dangerous methods
- Sanitizers: methods whose output is treated as clean
- Many injection problems: SQLi, XSS, LogForging, PathTraversal, Remote code execution, …
- Undecidable problem
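The source/sink/sanitizer idea behind a white-box scanner, as a toy forward taint analysis over the login snippet from the previous slides. This is an added example, not a scanner from the deck or any product; the statement tuples, the method lists and the escapeSql sanitizer name are assumptions, and real tools also have to handle branches, loops and calls, which is where the approximation the slides mention comes in.

```python
# Hypothetical scanner configuration: which methods are sources, sinks and
# sanitizers. Names match the slide's Java snippet; escapeSql is assumed.
SOURCES = {"request.getParameter"}     # return attacker-controlled (tainted) strings
SINKS = {"stmt.executeQuery"}          # dangerous when handed tainted data
SANITIZERS = {"escapeSql"}             # their result is treated as clean

# Straight-line code modelled as (target, op, args): target is the variable
# assigned, op the called method or "concat", args the variables read.
VULNERABLE = [
    ("username", "request.getParameter", []),
    ("password", "request.getParameter", []),
    ("query", "concat", ["username", "password"]),
    ("rs", "stmt.executeQuery", ["query"]),
]

# Same flow, but both inputs pass through the configured sanitizer first.
SANITIZED = [
    ("username", "request.getParameter", []),
    ("password", "request.getParameter", []),
    ("u", "escapeSql", ["username"]),
    ("p", "escapeSql", ["password"]),
    ("query", "concat", ["u", "p"]),
    ("rs", "stmt.executeQuery", ["query"]),
]


def analyze(stmts):
    """Forward taint propagation over one straight-line method.
    origin maps a tainted variable to (source, path of variables so far).
    Returns one finding per tainted argument reaching a sink: (sink, source, path)."""
    origin = {}
    findings = []
    for target, op, args in stmts:
        if op in SINKS:
            for a in args:
                if a in origin:
                    findings.append((op, origin[a][0], origin[a][1] + [a]))
        elif op in SOURCES:
            origin[target] = (op, [])
        elif op in SANITIZERS:
            origin.pop(target, None)       # sanitized value is considered clean
        else:
            tainted = [a for a in args if a in origin]
            if tainted:                    # any tainted operand taints the result
                src, path = origin[tainted[0]]
                origin[target] = (src, path + [tainted[0]])
            else:
                origin.pop(target, None)
    return findings
```

Note that a sanitizer list only tells the analysis what to treat as clean; for SQL the real fix remains a parameterized statement, and a configured-but-wrong sanitizer is one way such tools produce false negatives.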
Pros and Cons of Black Box and White Box testing
Dynamic (Black) Vs Static (White)

Feature: Paradigm
- Dynamic (Black): Cleverly "guessing" behaviors that may introduce vulnerabilities
- Static (White): Examines infinite numbers of behaviors in a finite approach

Feature: Perspective
- Dynamic (Black): Works as an attacker; HTTP awareness only; works on the big picture
- Static (White): Resembles code auditing; inspects the small details; hard to "connect the dots"

Feature: Pre-Requisite
- Dynamic (Black): Any deployed application; mainly used during the testing stage
- Static (White): Application code; mainly used in the development stage

Feature: Development Effort
- Dynamic (Black): Oblivious to different languages; different communication protocols require attention
- Static (White): Different languages require support, some frameworks too; oblivious to communication protocols
Dynamic (Black) Vs Static (White) contd

Feature: Scope
- Dynamic (Black): Scans the entire system: servers (Application, Http, DB, etc.), external interfaces, network, firewalls
- Static (White): Identifies issues regardless of configuration

Feature: Time/Accuracy Tradeoffs
- Dynamic (Black): Crawling takes time; testing mutations takes (infinite) time
- Static (White): Refined model consumes space and time; analyzing only "important" code; approximating the rest

Feature: Accuracy Challenges
- Dynamic (Black): Challenge: cover all attack vectors
- Static (White): Challenge: eliminate non-exploitable issues
Manual Testing Pros and Cons
Pros
– Cheaper than automated solutions
– Can identify any form of issues (based on skill set!!!)

Cons
– Lack of security knowledge
– Time consuming
– Inconsistent
Potential Security Defects
Dynamic, Static and Manual (DSM)

The three approaches:
- Dynamic Analysis or Black Box Testing (BB)
- Static Analysis or White Box Testing or Code Review (WB)
- Manual Analysis

Defect classes placed in the diagram (each sits under one or more of the three approaches):
- Patch level issues
- Production Configuration Issues
- Exception Handling Design Issues
- Threading Issues
- Potential NULL Dereferences
- Some Authentication Issues
- Business Logic Issues
- Some Authorization Issues
- Cross Site Scripting (XSS)
- Some Configuration Issues
- SQL Injection
Summary
White Box / static analysis covers 80% of your application-specific vulnerabilities
Black Box / dynamic testing is really good for dynamic vulnerabilities and infrastructure-based issues
Manual testing would still be needed to resolve application-logic and authorization-based vulnerabilities
Thank you