Web Application Scanners - owasp

thickbug · Software & software development

28 Oct 2013 (3 years and 9 months ago)


OWASP

1

Web Application Scanners

Black Box vs. White Box

The OWASP Foundation

OWASP

http://www.owasp.org


Adi Sharabani, Security Research Group Manager
Dr. Yinnon Haviv, Static Analysis Technical Leader
IBM Rational Application Security
{adish, yinnonh}


14/09/2008

BB vs. WB

Outline

- Vulnerability example
- Black Box scanners
- White Box scanners
- Technology comparison
- Technical example (dealing with validation)
  - White Box approach
  - Black Box approach
- Summary

SQL Injection



User input is embedded as-is in predefined SQL statements:

    query = "SELECT * from tUsers where userid='" + iUserID + "' AND password='" + iPassword + "'";

With the honest inputs iUserID = jsmith and iPassword = demo1234 the statement that runs is:

    SELECT * from tUsers where userid='jsmith' AND password='demo1234'

Contents of tUsers on the slide:

    UserID   Username   Password      Name
    1        admin      $#kaoeFor56   Administrator
    1824     jsmith     demo1234      John Smith

Hacker supplies input that modifies the original SQL statement, for example:

    iUserID = ' or 1=1 --

which turns the statement into:

    SELECT * from tUsers where userid='' or 1=1 --' AND password='bar'

Everything after -- is a comment, so the password check is discarded and the condition 1=1 matches every row.


Detecting SQL Injection (Black Box)

The scanner fills in the login form as a user would: a test value in the username field and a password shown as ****** (foobar). On the server the two fields are embedded into the statement:

    SELECT * from tUsers where userid= <username field> AND password= foobar

The scanner never sees this statement; it only sees the HTTP response, and infers the injection from how that response changes when the username field is tampered with.

How BB Scanners Work

Stage 1: Crawling as an honest user. Starting from the home page, the scanner follows links and forms and records every page it finds, e.g.:

    http://mySite/
    http://mySite/login.jsp
    http://mySite/editProfile.jsp
    http://mySite/feedback.jsp
    http://mySite/logout.jsp


Stage 2: Testing by tampering requests. Each request recorded in stage 1 is replayed with modified parameter values, and the responses are compared with the originals to detect vulnerabilities.




Detecting SQL Injection (White Box)

    // ...
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    // ...
    String query = "SELECT * from tUsers where " +
                   "userid='" + username + "' " +
                   "AND password='" + password + "'";
    // ...
    ResultSet rs = stmt.executeQuery(query);

Source: a method returning a tainted string (here request.getParameter).
Sink: a potentially dangerous method (here stmt.executeQuery).

User can change the executed SQL commands: the tainted strings reach the sink unchanged through string concatenation.


Detecting SQL Injection (White Box)

The scanner follows the tainted value along the path from source to sink:

    String username = request.getParameter("username");   // source
    String query = "SELECT …" + username;                  // taint propagates through concatenation
    ResultSet rs = stmt.executeQuery(query);               // sink


A Common Fix (not the best one)

The same servlet with both inputs passed through a sanitizer before concatenation:

    // ...
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    // ...
    String query = "SELECT * from tUsers where " +
                   "userid='" + Encode(username) + "' " +
                   "AND password='" + Encode(password) + "'";
    // ...
    ResultSet rs = stmt.executeQuery(query);

Sanitizer: a method returning a non-tainted string (here Encode).

How WB Scanners Work

The analysis is driven by three sets of methods:

Sources: methods returning tainted strings (e.g. request.getParameter)
Sinks: potentially dangerous methods (e.g. stmt.executeQuery)
Sanitizers: methods returning a non-tainted string (e.g. Encode)

A finding is a path from a source to a sink with no sanitizer on it. The same model covers many injection problems: SQLi, XSS, log forging, path traversal, remote code execution.

Deciding in general whether tainted data can reach a sink is an undecidable problem, so the analysis has to approximate.


BB vs. WB: Paradigm

BB: Cleverly "guessing" behaviors that may introduce vulnerabilities
WB: Examines an infinite number of behaviors in a finite approach

BB vs. WB: Perspective

BB:
- Works as an attacker
- HTTP awareness only
- Works on the big picture

WB:
- Resembles code auditing
- Inspects the small details
- Hard to "connect the dots"

(Callout on the slide: "SQL Injection Found")

BB vs. WB: Prerequisite

BB:
- Any deployed application
- Mainly used during testing stage

WB:
- Application code
- Mainly used in development stage

BB vs. WB: Development Effort

BB:
- Oblivious to different languages
- Different communication protocols require attention

WB:
- Different languages require support
- Some frameworks too
- Oblivious to communication protocols

BB vs. WB: Scope

BB: Scans the entire system
- Servers (Application, Http, DB, etc.)
- External interfaces
- Network, firewalls

WB: Identifies issues regardless of configuration

BB vs. WB: Time/Accuracy Tradeoffs

BB:
- Crawling takes time
- Testing mutations takes (infinite) time

WB:
- Refined model consumes space, and time…
- Analyzing only "important" code
- Approximating the rest



Handling Validation Code in WB

    // ...
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    // ...
    if (username.matches("\\w*")) {
        String query = "SELECT * from tUsers where " +
                       "userid='" + username + "' " +
                       "AND password='" + password + "'";
        // ...
        ResultSet rs = stmt.executeQuery(query);
    }

Along the path from source to sink, username now passes a validation check: matches("\\w*") accepts only word characters, so the value cannot contain a quote and cannot break out of the string literal. A WB scanner has to recognise such a check as a (conditional) sanitizer, otherwise it reports a non-exploitable issue; it also has to notice that the check covers username only, while password is still concatenated unvalidated.
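The source/sink/sanitizer model from "How WB Scanners Work" and the validation handling above, as an added example that is not the deck's code: a toy taint analysis in Python over a constructed mini-IR of the slides' Java snippets. The tuple forms, the reassignment used to model Encode() and the metacharacter heuristic for deciding when a matches() check counts as a sanitizer are assumptions of this example.

```python
import re
# Added example (not the deck's code): a toy taint analysis over a constructed
# mini-IR of the slides' Java snippets (assumption; a real WB scanner works on
# an AST or bytecode). Statement forms:
#   ("assign", dst, [src_vars], call)   dst = call(src_vars), plain concat if call is None
#   ("if_matches", var, regex)          block guarded by var.matches(regex), closed by ("endif",)
SOURCES = {"request.getParameter"}      # methods returning tainted strings
SINKS = {"stmt.executeQuery"}           # potentially dangerous methods
SANITIZERS = {"Encode"}                 # methods returning non-tainted strings
SQL_META = ["'", '"', ";", "--", "/*"]  # what must not reach a SQL sink

def validator_is_safe(regex):
    """Heuristic (assumption): a String.matches() check counts as a sanitizer
    for SQL only if no SQL metacharacter can pass its whole-string match."""
    return not any(re.fullmatch(regex, s) for m in SQL_META for s in (m, "a" + m))

def analyze(program):
    taint = {}        # variable -> set of request parameters it derives from
    guarded = []      # stack of (var, taint removed by an enclosing validation)
    findings = []     # (sink, sorted source parameters) per tainted sink call
    for stmt in program:
        if stmt[0] == "assign":
            _, dst, srcs, call = stmt
            if call in SOURCES:
                taint[dst] = {dst}          # variable is named after its parameter
                continue
            flowing = set().union(*(taint.get(v, set()) for v in srcs))
            if call in SINKS and flowing:
                findings.append((call, sorted(flowing)))
            if call in SANITIZERS or call in SINKS or not flowing:
                taint.pop(dst, None)        # sanitizer output or untainted value
            else:
                taint[dst] = flowing        # taint propagates through concatenation
        elif stmt[0] == "if_matches":
            _, var, regex = stmt
            saved = taint.pop(var, None) if validator_is_safe(regex) else None
            guarded.append((var, saved))
        elif stmt[0] == "endif":
            var, saved = guarded.pop()
            if saved is not None:
                taint[var] = saved          # outside the block the value is tainted again
    return findings
# The three servlet variants on the slides, written in the mini-IR.
VULNERABLE = [("assign", "username", [], "request.getParameter"),
              ("assign", "password", [], "request.getParameter"),
              ("assign", "query", ["username", "password"], None),
              ("assign", "rs", ["query"], "stmt.executeQuery")]
ENCODED = VULNERABLE[:2] + [("assign", "username", ["username"], "Encode"),
                            ("assign", "password", ["password"], "Encode")] + VULNERABLE[2:]
VALIDATED = VULNERABLE[:2] + [("if_matches", "username", r"\w*")] + VULNERABLE[2:] + [("endif",)]
```

analyze(VULNERABLE) reports both parameters at the sink, analyze(ENCODED) reports nothing, and analyze(VALIDATED) reports only password, since the regex check cleans username inside the guarded block.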


Handling Validation Code in BB

The scanner submits the login form (password shown as ******) and gets back:

    Login Failure
    We're sorry but this username is not valid.
    Please insert a valid username and try again.

The server code behind the form:

    // ...
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    // ...
    if (username.length() > 5) {
        String query = "SELECT * from tUsers where " +
                       "userid='" + username + "' " +
                       "AND password='" + password + "'";
        ResultSet rs = stmt.executeQuery(query);
    }

The validation rejects the request before the query is built, so a test value that fails the length check never reaches the vulnerable statement. A BB scanner sees only the error page; it has to learn from it which inputs the application accepts and shape its test inputs so that they pass the validation.
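Stage 2 of a black-box scan ("testing by tampering requests") together with the validation problem above, as an added example that is not the deck's code: a Python probe run against a constructed in-process login handler backed by an in-memory SQLite table, so it runs offline. The tUsers rows and the length() > 5 check come from the slides; the handler names, the use of the Username column, the error-page text and the parameterized variant are assumptions of this example.

```python
import sqlite3

# Added example (not the deck's code): a black-box probe run against a
# constructed in-process login handler so it runs offline. The tUsers rows and
# the length() > 5 check come from the slides; the handler names, the use of
# the Username column, the error text and the parameterized variant are assumptions.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE tUsers (UserID INTEGER, Username TEXT, Password TEXT, Name TEXT)")
db.executemany("INSERT INTO tUsers VALUES (?,?,?,?)",
               [(1, "admin", "$#kaoeFor56", "Administrator"),
                (1824, "jsmith", "demo1234", "John Smith")])
NOT_VALID = "Login Failure: We're sorry but this username is not valid."

def login_concat(username, password):
    """The slide's servlet: a length check, then SQL built by concatenation."""
    if not len(username) > 5:
        return NOT_VALID
    query = ("SELECT * from tUsers where Username='" + username +
             "' AND Password='" + password + "'")
    try:
        rows = db.execute(query).fetchall()
    except sqlite3.Error as e:            # the error page a BB scanner looks for
        return "500 Internal Server Error: " + str(e)
    return "Welcome" if rows else "Login Failure: bad credentials"

def login_param(username, password):
    """Fixed variant (assumption): same check, but a parameterized query."""
    if not len(username) > 5:
        return NOT_VALID
    rows = db.execute("SELECT * from tUsers where Username=? AND Password=?",
                      (username, password)).fetchall()
    return "Welcome" if rows else "Login Failure: bad credentials"

def probe(handler, username="jsmith", password="foobar"):
    """Stage 2 of a BB scan: replay the crawled login request with a tampered
    username and compare the response with the untampered one."""
    baseline = handler(username, password)
    naive = handler("'", password)                 # a bare quote fails validation
    tampered = handler(username + "'", password)   # keeps a valid-looking prefix
    def is_error(r): return r.startswith("500")
    return {"naive_blocked": naive == NOT_VALID,
            "sqli_suspected": is_error(tampered) and not is_error(baseline)}
```

The naive probe is answered by the validation page for both handlers; the prefixed probe reaches the query and triggers the error page only for login_concat, which is what the scanner reports.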

BB vs. WB: Accuracy Challenges

BB challenge: Cover all attack vectors
WB challenge: Eliminate non-exploitable issues

Summary

- Two approaches to web application scanning
- BB (Black Box) automates attacker actions
- WB (White Box) automates code auditing
- Challenges and issue coverage are different