Approaches to Application Security – DSM
![Page 1: Approaches to Application Security – DSM](https://reader036.vdocuments.mx/reader036/viewer/2022062323/56815be4550346895dc9d618/html5/thumbnails/1.jpg)
1Confidential | Copyright © L & T Infotech Ltd.
Approaches to Application Security – DSM
Maheshan C N ([email protected])
Agenda
1. Sample illustration of a SQL Injection
2. Different Approaches to Security Testing
3. Dynamic (Black Box) Vs Static (White Box) Vs Manual
4. Summary
Sample illustration of a SQL injection
SQL Injection
Username: jsmith
Password: *******
Normal login for JSMITH
Username = Apostrophe? The start of a SQL injection attack
Username: '
Password:
Syntax error in string query expression 'username = "' and password = "'
Step 1 – We have an error
Step 2 – Try a more complete SQL statement
Username: ' or username like 's%' or ' --
Now we are Sam!
Approaches to Security Testing
Potential Security Defects: Dynamic, Static and Manual (DSM) (diagram)
- Dynamic Analysis or Black Box Testing (BB)
- Static Analysis or White Box Testing, or Code Review (WB)
- Manual Analysis
Static and Dynamic Analysis
Two types of security analysis: Static and Dynamic
- Static Analysis
  - Analyzes source code
  - Looks for security issues within the application source code
  - Users: "white-box", source code auditors, development teams
- Dynamic Analysis
  - Analyzes a running application
  - Looks for issues both within the application and around it
  - Web application scanners, run-time analyzers
  - Users: "black-box" penetration testing specialists
Dynamic (Black Box) Vs Static (White Box) Vs Manual
How Does Dynamic (Black Box) Testing Work?
SQL Injection

User input is embedded as-is in predefined SQL statements:

```java
query = "SELECT * from tUsers where userid='" + iUserID + "' AND password='" + iPassword + "'";
```

With iUserID = jsmith and iPassword = demo1234 the executed statement is:

```sql
SELECT * from tUsers where userid='jsmith' AND password='demo1234'
```

Hacker supplies input that modifies the original SQL statement, for example iUserID = ' or 1=1 --, which executes:

```sql
SELECT * from tUsers where userid='' or 1=1 --' AND password='bar'
```

Sample tUsers table:

| UserID | Username | Password    | Name          |
|--------|----------|-------------|---------------|
| 1824   | jsmith   | demo1234    | John Smith    |
| 1      | admin    | $#kaoeFor56 | Administrator |
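The login query from the slides, run end to end as an added example (this is not code from the presentation): the slide's concatenated statement beside its parameterized replacement, against an in-memory sqlite3 table constructed from the two rows above. The column names, the `login_concat`/`login_param` helpers and the use of sqlite3 in place of the deck's unnamed database are assumptions of this example; the slide queries a `userid` column, and here the `Username` column plays that role.

```python
"""Constructed demonstration of the slide's login query: the same inputs run
through string concatenation (the slide's pattern) and through a parameterized
statement. sqlite3 stands in for the presentation's unnamed database."""
import sqlite3


def make_db():
    """In-memory tUsers table with the two rows shown on the slide (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tUsers (UserID INTEGER, Username TEXT, Password TEXT, Name TEXT)")
    db.executemany("INSERT INTO tUsers VALUES (?, ?, ?, ?)", [
        (1824, "jsmith", "demo1234", "John Smith"),
        (1, "admin", "$#kaoeFor56", "Administrator"),
    ])
    return db


def login_concat(db, i_user_id, i_password):
    """Vulnerable: input is embedded as-is in the SQL text, exactly as the slide shows.
    Returns the usernames the statement matches."""
    query = ("SELECT Username FROM tUsers WHERE Username='" + i_user_id +
             "' AND Password='" + i_password + "'")
    return [row[0] for row in db.execute(query)]


def login_param(db, i_user_id, i_password):
    """Fixed: placeholders pass the input as data, so quotes and '--' never reach the SQL parser."""
    return [row[0] for row in db.execute(
        "SELECT Username FROM tUsers WHERE Username=? AND Password=?",
        (i_user_id, i_password))]


def lone_apostrophe_errors(db):
    """Step 1 of the slides: a single apostrophe leaves the concatenated statement unparseable."""
    try:
        login_concat(db, "'", "")
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(login_concat(db, "jsmith", "demo1234"))    # ['jsmith']: normal login
    print(login_concat(db, "' or 1=1 --", "bar"))    # every row of tUsers, password ignored
    print(login_param(db, "' or 1=1 --", "bar"))     # []: the payload is just a string value
    print(lone_apostrophe_errors(db))                # True
```

The parameterized version is the fix a white-box reviewer would ask for: the statement text is fixed at compile time and the driver binds the values separately, so no value can change the statement's structure.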
How BB Scanners Work
Stage 1: Crawling as an honest user
http://mySite/editProfile.jsp
http://mySite/
http://mySite/login.jsp
http://mySite/feedback.jsp
http://mySite/logout.jsp
Stage 2: Testing by tampering requests
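The two scanner stages described above, as an added example that is not part of the presentation: a toy black-box scanner that first crawls an in-memory mock site (constructed here to stand in for `http://mySite`, with the same five pages) as an honest user, collecting links and forms, and then re-submits each discovered form field with the single apostrophe from the earlier slides and reports any response in which a database error leaks back. The mock site, its `fetch` function, the error signature and the vulnerable `/login.jsp` handler are all assumptions of this example.

```python
"""Toy two-stage black-box scanner over a constructed in-memory mock site.
Stage 1 crawls links and forms like an honest user; stage 2 re-sends each
discovered form with a lone apostrophe and looks for a database error that
leaks into the response (the error-disclosure step the slides showed)."""
import re
import sqlite3
from html.parser import HTMLParser

# --- constructed mock site (assumption: stands in for http://mySite) ---
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE tUsers (userid TEXT, password TEXT)")
_db.execute("INSERT INTO tUsers VALUES ('jsmith', 'demo1234')")

PAGES = {
    "/": '<a href="/login.jsp">Login</a> <a href="/feedback.jsp">Feedback</a> '
         '<a href="/editProfile.jsp">Profile</a> <a href="/logout.jsp">Logout</a>',
    "/login.jsp": '<form action="/login.jsp"><input name="username"><input name="password"></form>',
    "/feedback.jsp": '<form action="/feedback.jsp"><input name="comment"></form>',
    "/editProfile.jsp": '<a href="/">Home</a>',
    "/logout.jsp": '<a href="/">Home</a>',
}


def fetch(path, params=None):
    """HTML the mock site returns for a plain GET (params=None) or a form submission."""
    if path == "/login.jsp" and params is not None:
        # Deliberately vulnerable, mirroring the slides: input concatenated into the SQL text.
        query = ("SELECT * from tUsers where userid='" + params.get("username", "") +
                 "' AND password='" + params.get("password", "") + "'")
        try:
            row = _db.execute(query).fetchone()
        except sqlite3.Error as exc:
            return "<p>Syntax error in query expression: %s</p>" % exc  # error leaks to the client
        return "<p>Welcome</p>" if row else "<p>Login failed</p>"
    if path == "/feedback.jsp" and params is not None:
        return "<p>Thanks for your feedback</p>"  # input is stored safely, never reflected
    return PAGES.get(path, "<p>404</p>")


class _LinkFormParser(HTMLParser):
    """Collects <a href> targets and <form> actions with their <input> names."""
    def __init__(self):
        super().__init__()
        self.links, self.forms, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and "href" in a:
            self.links.append(a["href"])
        elif tag == "form":
            self._form = {"action": a.get("action", ""), "fields": []}
        elif tag == "input" and self._form is not None:
            self._form["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def crawl(start="/"):
    """Stage 1: follow links breadth-first as an honest user, recording pages and forms."""
    seen, queue, forms = set(), [start], []
    while queue:
        path = queue.pop(0)
        if path in seen:
            continue
        seen.add(path)
        parser = _LinkFormParser()
        parser.feed(fetch(path))
        forms.extend(parser.forms)
        queue.extend(link for link in parser.links if link not in seen)
    return sorted(seen), forms


# Response fragments that indicate a database error reached the client.
ERROR_SIGNATURE = re.compile(r"syntax error|unrecognized token|sql syntax", re.I)


def scan(start="/"):
    """Stage 2: tamper each form field in turn with a lone apostrophe, keeping the other
    fields benign; a leaked database error in the response is reported as a finding."""
    pages, forms = crawl(start)
    findings = []
    for form in forms:
        baseline = {field: "x" for field in form["fields"]}
        for field in form["fields"]:
            params = dict(baseline, **{field: "'"})
            if ERROR_SIGNATURE.search(fetch(form["action"], params)):
                findings.append((form["action"], field))
    return pages, findings


if __name__ == "__main__":
    pages, findings = scan()
    print("crawled:", pages)
    print("findings:", findings)   # both /login.jsp fields; /feedback.jsp is clean
```

The scan only ever learns what the crawl found, which is the reason the slides put crawling first: a form the honest-user stage never reaches is never tested. On the defensive side, the finding depends entirely on the error text reaching the client; returning a generic error page hides it from this kind of probe but does not remove the underlying concatenation, which is why the white-box view that follows is needed as well.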
How Does Static (White Box) Testing Work?
Detecting SQL Injection (White Box)

```java
// ...
String username = request.getParameter("username");
String password = request.getParameter("password");
// ...
String query = "SELECT * from tUsers where " +
               "userid='" + username + "' " +
               "AND password='" + password + "'";
// ...
ResultSet rs = stmt.executeQuery(query);
```

User can change the executed SQL commands.
- Source: a method returning a tainted string (here request.getParameter)
- Sink: a potentially dangerous method (here stmt.executeQuery)
Detecting SQL Injection (White Box)

The flow a white-box scanner follows through the code above, from source to sink:

```java
String username = request.getParameter("username");   // source: returns a tainted string
String query = "SELECT …" + username;                  // taint propagates through concatenation
ResultSet rs = stmt.executeQuery(query);               // sink: the tainted SQL is executed
```
How WB Scanners Work
Sources:
Sinks:
Sanitizers:
Many injection problems: SQLi, XSS, LogForging, PathTraversal, Remote code execution, …
Undecidable problem
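A minimal source/sink/sanitizer taint analysis, as an added example that is neither the presentation's nor any real scanner's code: it runs over straight-line Java statements such as the login code on the earlier "Detecting SQL Injection (White Box)" slides, propagates taint from `getParameter` forward through assignments and concatenation, and reports when a tainted variable reaches `executeQuery`. The sanitizer name `escapeSql`, the `SOURCES`/`SINKS`/`SANITIZERS` sets and the three constructed Java snippets are assumptions of this example; the page leaves its own lists of sources, sinks and sanitizers unstated.

```python
"""Toy forward taint analysis over straight-line Java: source -> propagation -> sink,
with sanitizer calls cutting the flow. Regex-based on purpose; it is an illustration
of the source/sink/sanitizer model, not a parser for real Java."""
import re

# Method names the toy treats as sources, sinks and sanitizers (assumed for this example).
SOURCES = {"getParameter", "getHeader"}            # return attacker-controlled strings
SINKS = {"executeQuery", "executeUpdate", "execute"}  # run their argument as SQL
SANITIZERS = {"escapeSql"}                         # hypothetical helper, not a real library API

_ASSIGN = re.compile(r"^(?:[A-Za-z_][\w<>]*\s+)?(?:([A-Za-z_]\w*)\s*=\s*)?(.+)$", re.S)
_CALL = re.compile(r"([A-Za-z_][\w.]*)\s*\(")
_IDENT = re.compile(r"\b[A-Za-z_]\w*\b")
_STRING = re.compile(r'"(?:\\.|[^"\\])*"')
_SANITIZED = re.compile(r"\b(?:%s)\s*\([^()]*\)" % "|".join(map(re.escape, SANITIZERS)))


def statements(java_source):
    """Split straight-line Java into statements (// comments dropped; ';' inside literals not handled)."""
    code = re.sub(r"//.*", "", java_source)
    return [s.strip() for s in code.split(";") if s.strip()]


def analyze(java_source):
    """Forward taint propagation. A variable becomes tainted when a source or another
    tainted variable feeds it outside a sanitizer call. Returns findings as
    (sink_method, statement_index, flow) where flow lists the tainted assignments in order."""
    tainted = {}      # variable -> flow (list of strings) explaining how it became tainted
    findings = []
    for i, stmt in enumerate(statements(java_source), 1):
        target, rhs = _ASSIGN.match(stmt).groups()
        code = _STRING.sub('""', rhs)           # words inside string literals are not identifiers
        code = _SANITIZED.sub("CLEAN", code)    # a sanitizer's result is treated as clean data
        methods = {c.rsplit(".", 1)[-1] for c in _CALL.findall(code)}
        deps = [v for v in _IDENT.findall(code) if v in tainted]
        for sink in methods & SINKS:
            if deps:
                findings.append((sink, i, tainted[deps[0]] + ["%s(%s) at stmt %d" % (sink, deps[0], i)]))
        if target is None:
            continue
        if methods & SOURCES:
            tainted[target] = ["%s <- %s at stmt %d" % (target, ", ".join(sorted(methods & SOURCES)), i)]
        elif deps:
            tainted[target] = tainted[deps[0]] + ["%s <- %s at stmt %d" % (target, deps[0], i)]
        else:
            tainted.pop(target, None)           # reassigned from clean data


    return findings


# Constructed Java snippets: the slide's pattern, a sanitized variant, and a prepared statement.
VULNERABLE = """
// ...
String username = request.getParameter("username");
String password = request.getParameter("password");
// ...
String query = "SELECT * from tUsers where " +
               "userid='" + username + "' " +
               "AND password='" + password + "'";
// ...
ResultSet rs = stmt.executeQuery(query);
"""

SANITIZED = """
String username = request.getParameter("username");
String password = request.getParameter("password");
String query = "SELECT * from tUsers where userid='" + escapeSql(username) +
               "' AND password='" + escapeSql(password) + "'";
ResultSet rs = stmt.executeQuery(query);
"""

PREPARED = """
String username = request.getParameter("username");
PreparedStatement ps = conn.prepareStatement("SELECT * from tUsers where userid=? AND password=?");
ps.setString(1, username);
ResultSet rs = ps.executeQuery();
"""

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE), ("sanitized", SANITIZED), ("prepared", PREPARED)):
        print(name, analyze(src))   # only the vulnerable snippet yields a finding
```

The flow attached to each finding is what makes a white-box result actionable: it names the source statement, every assignment the value passed through, and the sink, which is also what a reviewer needs to decide whether the issue is exploitable. The sanitizer rule is deliberately coarse (any wrapped argument is considered clean), which illustrates the "eliminate non-exploitable issues" challenge listed later for static analysis: the precision of real tools depends on how faithfully their sanitizer models match what the code actually does.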
Pros and Cons of Black Box and White Box testing
Dynamic (Black) Vs Static (White)

| Feature | Dynamic (Black) | Static (White) |
|---------|-----------------|----------------|
| Paradigm | Cleverly "guessing" behaviors that may introduce vulnerabilities | Examines infinite numbers of behaviors in a finite approach |
| Perspective | Works as an attacker; HTTP awareness only; works on the big picture | Resembles code auditing; inspects the small details; hard to "connect the dots" |
| Pre-Requisite | Any deployed application; mainly used during testing stage | Application code; mainly used in development stage |
| Development Effort | Oblivious to different languages; different communication protocols require attention | Different languages require support, some frameworks too; oblivious to communication protocols |
Dynamic (Black) Vs Static (White) contd

| Feature | Dynamic (Black) | Static (White) |
|---------|-----------------|----------------|
| Scope | Scans the entire system: servers (Application, Http, DB, etc.), external interfaces, network, firewalls | Identifies issues regardless of configuration |
| Time/Accuracy Tradeoffs | Crawling takes time; testing mutations takes (infinite) time | Refined model consumes space and time…; analyzing only "important" code; approximating the rest |
| Accuracy Challenges | Challenge: cover all attack vectors | Challenge: eliminate non-exploitable issues |
Manual Testing Pros and Cons

Pros
- Cheaper than automated solutions
- Can identify any form of issues (based on skill set!!!)

Cons
- Lack of security knowledge
- Time consuming
- Inconsistent
Potential Security Defects: Dynamic, Static and Manual (DSM) (diagram)

Analysis types shown:
- Dynamic Analysis or Black Box Testing (BB)
- Static Analysis or White Box Testing, or Code Review (WB)
- Manual Analysis

Defect categories the diagram places among them:
- Patch level issues
- Production Configuration Issues
- Exception Handling Design Issues
- Threading Issues
- Potential NULL Dereferences
- Some Authentication Issues
- Business Logic Issues
- Some authorization Issues
- Cross Site Scripting (XSS)
- Some Configuration Issues
- SQL Injection
Summary
- White box / static analysis covers 80% of your application-specific vulnerabilities
- Black box / dynamic testing is really good for dynamic vulnerabilities and infrastructure-based issues
- Manual testing would still be needed to resolve application logic and authorization-based vulnerabilities
Thank you