
Approaches to Application Security – DSM

Date post: 08-Feb-2016
Approaches to Application Security – DSM. Maheshan C N. [email protected]. Agenda. Sample illustration of a SQL Injection Different Approaches to Security Testing Dynamic (Black Box) Vs Static (White Box) Vs Manual Summary. Sample illustration of a SQL injection. - PowerPoint PPT Presentation
Transcript
Page 1: Approaches to Application Security – DSM

Confidential | Copyright © L & T Infotech Ltd.

Approaches to Application Security – DSM

Maheshan C N, [email protected]

Page 2: Approaches to Application Security – DSM

Agenda

1. Sample illustration of a SQL Injection
2. Different Approaches to Security Testing
3. Dynamic (Black Box) Vs Static (White Box) Vs Manual
4. Summary

Page 3: Approaches to Application Security – DSM

Sample illustration of a SQL injection

Page 4: Approaches to Application Security – DSM

SQL Injection

Page 5: Approaches to Application Security – DSM

Username: jsmith

Password: *******

Normal login for JSMITH

Page 6: Approaches to Application Security – DSM

Normal login for JSMITH

Page 7: Approaches to Application Security – DSM

Username = Apostrophe? The start of a SQL injection attack

Username: '

Password:

Page 8: Approaches to Application Security – DSM

Syntax error in string query expression 'username = "' and password = "'

Step 1 – We have an error

Page 9: Approaches to Application Security – DSM

Step 2 – Try a more complete SQL statement

Username: ' or username like 's%' or ' --

Page 10: Approaches to Application Security – DSM

Now we are Sam!

Page 11: Approaches to Application Security – DSM

Approaches to Security Testing

Page 12: Approaches to Application Security – DSM

Potential Security Defects

Dynamic, Static and Manual (DSM)

Dynamic Analysis or Black Box Testing (BB)
Static Analysis or White Box Testing or Code Review (WB)
Manual Analysis

Page 13: Approaches to Application Security – DSM

Static and Dynamic Analysis

Two types of security analysis: Static and Dynamic

• Static Analysis
  - Analyzes source code
  - Looks for security issues within the application source code
  - Users: "white-box", source code auditors, development teams

• Dynamic Analysis
  - Analyzes a running application
  - Looks for issues both within the application and around it
  - Web application scanners, run-time analyzers
  - Users: "black-box" penetration testing specialists

Page 14: Approaches to Application Security – DSM

Dynamic (Black Box) Vs Static (White Box) Vs Manual

Page 15: Approaches to Application Security – DSM

How Does Dynamic (Black Box) Testing Work?

Page 16: Approaches to Application Security – DSM

SQL Injection

User input is embedded as-is in predefined SQL statements:

query = "SELECT * from tUsers where userid='" + iUserID + "' AND password='" + iPassword + "'";

Sample tUsers table shown on the slide:

Name           Password      Username   UserID
Administrator  $#kaoeFor56   admin      1
John Smith     demo1234      jsmith     1824

With iUserID = jsmith and iPassword = demo1234 the executed statement is:

SELECT * from tUsers where userid='jsmith' AND password='demo1234'

Hacker supplies input that modifies the original SQL statement, for example: iUserID = ' or 1=1 --

SELECT * from tUsers where userid='' or 1=1 --' AND password='bar'
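Added example (not from the slides): the slide's concatenated query beside a parameterized one, run against an in-memory SQLite copy of tUsers. The table is simplified to userid/password/name (the numeric UserID column is dropped) so that the slide's query text, which compares userid with the username, runs unchanged.

```python
import sqlite3

# Constructed rows modelled on the slide's tUsers table.
ROWS = [
    ("admin", "$#kaoeFor56", "Administrator"),
    ("jsmith", "demo1234", "John Smith"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tUsers (userid TEXT, password TEXT, name TEXT)")
    conn.executemany("INSERT INTO tUsers VALUES (?, ?, ?)", ROWS)
    return conn

def build_concat_query(user_id, password):
    # The slide's construction: input pasted straight into the SQL text.
    return ("SELECT * from tUsers where userid='" + user_id
            + "' AND password='" + password + "'")

def login_concat(conn, user_id, password):
    # Vulnerable: whatever the input does to the SQL grammar, the DB executes.
    return conn.execute(build_concat_query(user_id, password)).fetchall()

def login_param(conn, user_id, password):
    # Hardened: the statement text is fixed and values are bound by the driver,
    # so a quote or comment sequence in the input is only data to compare.
    query = "SELECT * from tUsers where userid=? AND password=?"
    return conn.execute(query, (user_id, password)).fetchall()

def concat_raises(conn, user_id, password):
    # Slide 8's "Step 1 - We have an error": a lone apostrophe breaks the parse.
    try:
        login_concat(conn, user_id, password)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    print(login_concat(db, "jsmith", "demo1234"))   # one row: John Smith
    print(login_concat(db, "' or 1=1 --", "bar"))   # every row: the slide's bypass
    print(login_param(db, "' or 1=1 --", "bar"))    # []: the input is just a literal
```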

Page 17: Approaches to Application Security – DSM

How BB Scanners Work

Stage 1: Crawling as an honest user

http://mySite/editProfile.jsp

http://mySite/

http://mySite/login.jsp

http://mySite/feedback.jsp

http://mySite/logout.jsp

Page 19: Approaches to Application Security – DSM

How BB Scanners Work

Stage 1: Crawling as an honest user
Stage 2: Testing by tampering requests

Page 20: Approaches to Application Security – DSM

How Does Static (White Box) Testing Work?

Page 21: Approaches to Application Security – DSM

// ...
String username = request.getParameter("username");
String password = request.getParameter("password");

// ...
String query = "SELECT * from tUsers where " +
               "userid='" + username + "' " +
               "AND password='" + password + "'";

// ...
ResultSet rs = stmt.executeQuery(query);

Detecting SQL Injection (White Box)

User can change executed SQL commands

Sink - a potentially dangerous method

Source - a method returning a tainted string

Page 22: Approaches to Application Security – DSM

Source:      String username = request.getParameter("username");
             String password = request.getParameter("password");

Propagation: String query = "SELECT * from tUsers where " +
                            "userid='" + username + "' " +
                            "AND password='" + password + "'";

Sink:        ResultSet rs = stmt.executeQuery(query);

Detecting SQL Injection (White Box)

Page 23: Approaches to Application Security – DSM

How WB Scanners Work

Sources:

Sinks:

Sanitizers:

Many injection problems: SQLi, XSS, LogForging, PathTraversal, Remote code execution

Undecidable problem
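Added example (not part of the slides, and not any vendor's scanner): a toy source/sink/sanitizer taint analysis in the spirit of slides 21 and 23, run over the slide's Java snippet one statement per line. The sanitizer name escapeSql is an assumption chosen to show how a sanitizer clears taint in the model; the analysis is straight-line and flow-insensitive, which is the kind of approximation the "undecidable problem" note refers to.

```python
import re

# Constructed input: the slide's vulnerable snippet, one statement per line.
VULNERABLE = [
    'String username = request.getParameter("username");',
    'String password = request.getParameter("password");',
    'String query = "SELECT * from tUsers where " + "userid=\'" + username '
    '+ "\' " + "AND password=\'" + password + "\'";',
    'ResultSet rs = stmt.executeQuery(query);',
]
# Same flow with an assumed sanitizer call placed between source and sink.
SANITIZED = [
    'String username = request.getParameter("username");',
    'String safeUser = escapeSql(username);',
    'String query = "SELECT * from tUsers where userid=\'" + safeUser + "\'";',
    'ResultSet rs = stmt.executeQuery(query);',
]

SOURCES = ("request.getParameter",)        # methods returning tainted strings
SINKS = ("executeQuery", "executeUpdate")  # potentially dangerous methods
SANITIZERS = ("escapeSql",)                # assumed name; a call clears taint

ASSIGN = re.compile(r'^(?:[\w<>\[\]]+\s+)?(\w+)\s*=\s*(.+);$')
STRING = re.compile(r'"(?:[^"\\]|\\.)*"')   # string literals, blanked before scanning
IDENT = re.compile(r'\b[A-Za-z_]\w*\b')

def find_taint_flows(lines):
    """Return (line_no, sink, variable) for each tainted value that reaches a sink."""
    tainted, findings = set(), []
    for n, raw in enumerate(lines, 1):
        code = STRING.sub('""', raw.strip())   # identifiers inside literals are not variables
        for sink in SINKS:                     # check sink arguments before updating taint
            m = re.search(r'\b' + sink + r'\((.*?)\)', code)
            if m:
                for var in IDENT.findall(m.group(1)):
                    if var in tainted:
                        findings.append((n, sink, var))
        m = ASSIGN.match(code)
        if not m:
            continue
        lhs, rhs = m.group(1), m.group(2)
        if any(s in rhs for s in SOURCES):
            tainted.add(lhs)                   # source: value is attacker-controlled
        elif any(s in rhs for s in SANITIZERS):
            tainted.discard(lhs)               # sanitizer: taint stops here
        elif any(v in tainted for v in IDENT.findall(rhs)):
            tainted.add(lhs)                   # concatenation propagates taint
        else:
            tainted.discard(lhs)               # reassigned from clean values
    return findings
```

find_taint_flows(VULNERABLE) reports the executeQuery call on line 4 with the tainted variable query; the sanitized variant reports nothing.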

Page 24: Approaches to Application Security – DSM

Pros and Cons of Black Box and White Box testing

Page 25: Approaches to Application Security – DSM

Dynamic (Black) Vs Static (White)

Feature: Paradigm
  Dynamic (Black): Cleverly "guessing" behaviors that may introduce vulnerabilities
  Static (White): Examines infinite numbers of behaviors in a finite approach

Feature: Perspective
  Dynamic (Black): Works as an attacker; HTTP awareness only; Works on the big picture
  Static (White): Resembles code auditing; Inspects the small details; Hard to "connect the dots"

Feature: Pre-Requisite
  Dynamic (Black): Any deployed application; Mainly used during testing stage
  Static (White): Application code; Mainly used in development stage

Feature: Development Effort
  Dynamic (Black): Oblivious to different languages; Different communication protocols require attention
  Static (White): Different languages require support; Some frameworks too; Oblivious to communication protocols

Page 26: Approaches to Application Security – DSM

Dynamic (Black) Vs Static (White) contd

Feature: Scope
  Dynamic (Black): Scans the entire system: Servers (Application, Http, DB, etc.); External interfaces; Network, firewalls
  Static (White): Identifies issues regardless of configuration

Feature: Time/Accuracy Tradeoffs
  Dynamic (Black): Crawling takes time; Testing mutations takes (infinite) time
  Static (White): Refined model consumes space and time; Analyzing only "important" code; Approximating the rest

Feature: Accuracy Challenges
  Dynamic (Black): Challenge: Cover all attack vectors
  Static (White): Challenge: Eliminate non-exploitable issues

Page 27: Approaches to Application Security – DSM

Manual Testing Pros and Cons

Pros
  - Cheaper than Automated solutions
  - Can identify any form of issues (based on skill set!!!)

Cons
  - Lack of security knowledge
  - Time consuming
  - Inconsistent

Page 28: Approaches to Application Security – DSM

Potential Security Defects

Dynamic, Static and Manual (DSM)

Dynamic Analysis or Black Box Testing (BB)
Static Analysis or White Box Testing or Code Review (WB)
Manual Analysis

Defect classes placed on the diagram:
- Patch level issues
- Production Configuration Issues
- Exception Handling Design Issues
- Threading Issues
- Potential NULL Dereferences
- Some Authentication Issues
- Business Logic Issues
- Some authorization Issues
- Cross Site Scripting (XSS)
- Some Configuration Issues
- SQL Injection

Page 29: Approaches to Application Security – DSM

Summary

White Box / static analysis covers 80% of your application-specific vulnerabilities

Black box / dynamic testing is really good for dynamic vulnerabilities and infrastructure-based issues

Manual testing would still be needed to resolve application logic and authorization-based vulnerabilities

Page 30: Approaches to Application Security – DSM

Our Business Knowledge

Your Winning Edge

Thank you
