Blackbox vs. Whitebox


Published on September 18, 2008

Author: orysegal

Source: authorstream.com

Slide 1: Web Application Scanners, Black Box vs. White Box
The OWASP Foundation, http://www.owasp.org
Adi Sharabani – Security Research Group Manager
Dr. Yinnon Haviv – Static Analysis Technical Leader
IBM Rational Application Security, {adish, yinnonh}
14/09/2008

Slide 2: Outline
- Vulnerability example
- Black Box scanners
- White Box scanners
- Technology comparison
- Technical example (dealing with validation): White Box approach, Black Box approach
- Summary

Slides 3-5: SQL Injection
User input is embedded as-is in predefined SQL statements:

    query = "SELECT * from tUsers where userid='" + iUserID + "' AND password='" + iPassword + "'";

With iUserID = jsmith and iPassword = demo1234 the executed statement is:

    SELECT * from tUsers where userid='jsmith' AND password='demo1234'

The hacker supplies input that modifies the original SQL statement, for example iUserID = ' or 1=1 --, which turns it into:

    SELECT * from tUsers where userid='' or 1=1 --' AND password='bar'

Slide 6: Outline (next section: Black Box scanners)

Slide 7: Detecting SQL Injection (Black Box)
The scanner submits the login form with a single quote (') as the username and a masked password (****** , here foobar). The server builds

    SELECT * from tUsers where userid=''' AND password='foobar'

which is no longer valid SQL.

Slides 8-10: How BB Scanners Work
Stage 1: Crawling as an honest user. The crawl discovers the site's pages, for example http://mySite/, http://mySite/login.jsp, http://mySite/editProfile.jsp, http://mySite/feedback.jsp and http://mySite/logout.jsp.
Stage 2: Testing by tampering requests.

Slide 11: Outline (next section: White Box scanners)

Slides 12-13: Detecting SQL Injection (White Box)

    // ...
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    // ...
    String query = "SELECT * from tUsers where " +
                   "userid='" + username + "' " +
                   "AND password='" + password + "'";
    // ...
    ResultSet rs = stmt.executeQuery(query);

The user can change the executed SQL commands.
- Source – a method returning a tainted string (request.getParameter)
- Sink – a potentially dangerous method (stmt.executeQuery)
Slide 13 highlights the data flow: the tainted username and password strings are concatenated into query, which then reaches the sink.

Slide 14: A Common Fix (not the best one)

    // ...
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    // ...
    String query = "SELECT * from tUsers where " +
                   "userid='" + Encode(username) + "' " +
                   "AND password='" + Encode(password) + "'";
    // ...
    ResultSet rs = stmt.executeQuery(query);

- Sanitizer: a method returning a non-tainted string (Encode)

Slide 15: How WB Scanners Work
- Sources, Sinks, Sanitizers
- Many injection problems: SQLi, XSS, LogForging, PathTraversal, Remote code execution …
- Undecidable problem

Slide 16: Outline (next section: Technology comparison)

Slide 17: BB vs. WB – Paradigm
- Black Box: Cleverly "guessing" behaviors that may introduce vulnerabilities
- White Box: Examines infinite numbers of behaviors in a finite approach

Slide 18: BB vs. WB – Perspective
- Black Box: Works as an attacker; HTTP awareness only; Works on the big picture
- White Box: Resembles code auditing; Inspects the small details; Hard to "connect the dots"

Slide 19: BB vs. WB – Prerequisite
- Black Box: Any deployed application; Mainly used during testing stage
- White Box: Application code; Mainly used in development stage

Slide 20: BB vs. WB – Development Effort
- Black Box: Oblivious to different languages; Different communication protocols require attention
- White Box: Different languages require support, some frameworks too; Oblivious to communication protocols

Slide 21: BB vs. WB – Scope
- Black Box: Scans the entire system: servers (Application, Http, DB, etc.), external interfaces, network, firewalls
- White Box: Identifies issues regardless of configuration

Slide 22: BB vs. WB – Time/Accuracy Tradeoffs
- Black Box: Crawling takes time; Testing mutations takes (infinite) time
- White Box: Refined model consumes space, and time…; Analyzing only "important" code, approximating the rest

Slide 23: Outline (next section: Technical example, dealing with validation, White Box approach)

Slide 24: Handling Validation Code in WB

    // ...
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    if (username.matches("\\w*")) {
        String query = "SELECT * from tUsers where " +
                       "userid='" + username + "' " +
                       "AND password='" + password + "'";
        ResultSet rs = stmt.executeQuery(query);
    }

The regex check validates username only; the flow from the source into query and on to the sink is the same as on slide 12.

Slide 25: Outline (next section: Technical example, dealing with validation, Black Box approach)

Slide 26: Handling Validation Code in BB
The scanner again sends a single quote (') as the username and a masked password (******), but the application only builds the query for sufficiently long usernames:

    // ...
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    if (username.length() > 5) {
        String query = "SELECT * from tUsers where " +
                       "userid='" + username + "' " +
                       "AND password='" + password + "'";
        ResultSet rs = stmt.executeQuery(query);
    }

Slide 27: BB vs. WB – Accuracy Challenges
- Black Box challenge: Cover all attack vectors
- White Box challenge: Eliminate non-exploitable issues

Slide 28: Summary
- Two approaches to web application scanning
- BB automates attacker actions
- WB automates code auditing
- Challenges and issue coverage are different (Black Box vs. White Box)

Slide 29: ?
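The injection on slides 3-5, the black-box probe on slide 7 and the Encode() fix on slide 14 can all be reproduced against a real database engine. The following is an added example, not the presenters' code: it rebuilds the tUsers table in an in-memory SQLite database with one constructed row, runs the slide's concatenated query, a quote-escaping stand-in for the slide's Encode() (assumed here, since the slide does not define it), and a parameterised query that the deck does not show but that removes the string-building problem altogether.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the tUsers table on the slides."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tUsers (userid TEXT, password TEXT)")
    conn.execute("INSERT INTO tUsers VALUES ('jsmith', 'demo1234')")
    conn.commit()
    return conn


def login_concat(conn, userid, password):
    """Slides 5/12: user input embedded as-is in the predefined statement."""
    query = ("SELECT * from tUsers where userid='" + userid +
             "' AND password='" + password + "'")
    return conn.execute(query).fetchall()


def login_encoded(conn, userid, password):
    """Slide 14, the 'common fix (not the best one)': escape quotes, then concatenate."""
    def encode(s):
        return s.replace("'", "''")     # assumed stand-in for the slide's Encode()
    query = ("SELECT * from tUsers where userid='" + encode(userid) +
             "' AND password='" + encode(password) + "'")
    return conn.execute(query).fetchall()


def login_param(conn, userid, password):
    """Bound parameters: the input travels as data and is never parsed as SQL."""
    query = "SELECT * from tUsers where userid=? AND password=?"
    return conn.execute(query, (userid, password)).fetchall()


def sql_error(login, conn, userid, password):
    """True if this login function turns the input into a malformed statement,
    which is the symptom the black-box probe on slide 7 produces."""
    try:
        login(conn, userid, password)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(login_concat(db, "' or 1=1 --", "bar"))      # slide 5: every row comes back
    print(sql_error(login_concat, db, "'", "foobar"))  # slide 7: the probe breaks the statement
    print(login_encoded(db, "' or 1=1 --", "bar"))     # quote escaping stops this payload
    print(login_param(db, "' or 1=1 --", "bar"))       # binding stops it without any escaping
```

The escaping fix only works for as long as every place that concatenates remembers to call it and the escaping matches the database's quoting rules, which is why the slide calls it "not the best one"; the bound-parameter version has no string to get wrong.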
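The source/sink/sanitizer model of slides 12-15 and the validation question of slide 24 can be shown with a toy taint propagator. This is an added example, not the presenters' analysis engine: the four servlet fragments (slides 12, 14, 24 and 26) are hand-translated into a small statement IR assumed here, and the rule that a matches("\w*") guard sanitises the tested variable while a length check does not is a choice made for this example, not something the deck states.

```python
# Toy taint analysis in the source/sink/sanitizer model of slide 15, run over
# hand-translated versions of the servlet fragments on slides 12, 14, 24 and 26.
# Added example; the mini-IR and the sanitising-predicate rule are assumptions.

SOURCES = {"request.getParameter"}      # methods returning a tainted string
SINKS = {"stmt.executeQuery"}           # potentially dangerous methods
SANITIZERS = {"Encode"}                 # methods returning a non-tainted string
# Validation predicates this analyser treats as sanitisers. The length check
# from slide 26 is deliberately absent: it rejects no dangerous character.
SANITIZING_PREDICATES = {r'matches("\w*")'}

# Mini-IR statements:
#   ("call", dst, callee, [args])   dst = callee(args)
#   ("concat", dst, [operands])     dst = "lit" + operands[0] + "lit" + ...
#   ("guard", var, predicate)       the rest of the function sits inside if predicate(var)
#   ("sink", callee, var)           callee(var)


def analyze(program):
    """Return (sink, variable, source) triples for every tainted flow into a sink."""
    taint = {}          # variable -> set of source descriptions it may carry
    findings = []
    for stmt in program:
        kind = stmt[0]
        if kind == "call":
            _, dst, callee, args = stmt
            if callee in SOURCES:
                taint[dst] = {f'{callee}("{args[0]}")'}
            elif callee in SANITIZERS:
                taint[dst] = set()
            else:   # unknown call: conservatively propagate the arguments' taint
                taint[dst] = set().union(*(taint.get(a, set()) for a in args))
        elif kind == "concat":
            _, dst, operands = stmt
            taint[dst] = set().union(*(taint.get(o, set()) for o in operands))
        elif kind == "guard":
            _, var, predicate = stmt
            if predicate in SANITIZING_PREDICATES:
                taint[var] = set()      # the guard proves var is harmless below it
        elif kind == "sink":
            _, callee, var = stmt
            if callee in SINKS:
                for src in sorted(taint.get(var, set())):
                    findings.append((callee, var, src))
    return findings


# Slide 12: both parameters flow unchanged into the query and the sink.
SLIDE_12 = [
    ("call", "username", "request.getParameter", ["username"]),
    ("call", "password", "request.getParameter", ["password"]),
    ("concat", "query", ["username", "password"]),
    ("sink", "stmt.executeQuery", "query"),
]
# Slide 14: both parameters pass through the Encode() sanitizer first.
SLIDE_14 = [
    ("call", "username", "request.getParameter", ["username"]),
    ("call", "password", "request.getParameter", ["password"]),
    ("call", "enc_user", "Encode", ["username"]),
    ("call", "enc_pass", "Encode", ["password"]),
    ("concat", "query", ["enc_user", "enc_pass"]),
    ("sink", "stmt.executeQuery", "query"),
]
# Slide 24: username is guarded by matches("\w*"); password is not checked.
SLIDE_24 = [
    ("call", "username", "request.getParameter", ["username"]),
    ("call", "password", "request.getParameter", ["password"]),
    ("guard", "username", r'matches("\w*")'),
    ("concat", "query", ["username", "password"]),
    ("sink", "stmt.executeQuery", "query"),
]
# Slide 26: the guard is a length check, which sanitises nothing.
SLIDE_26 = [
    ("call", "username", "request.getParameter", ["username"]),
    ("call", "password", "request.getParameter", ["password"]),
    ("guard", "username", "length() > 5"),
    ("concat", "query", ["username", "password"]),
    ("sink", "stmt.executeQuery", "query"),
]

if __name__ == "__main__":
    for name, prog in [("12", SLIDE_12), ("14", SLIDE_14), ("24", SLIDE_24), ("26", SLIDE_26)]:
        print("slide", name, analyze(prog))
```

Two simplifications illustrate the "undecidable problem" line of slide 15: the analyser assumes a guard covers everything after it (it has no control-flow graph), and it decides which predicates count as sanitisers from a fixed list. A regex it does not recognise is reported as a flow even when the check is adequate, which is exactly the non-exploitable-issue noise slide 27 lists as the white-box challenge.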
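Slides 8-10 and 26 describe the black-box side: crawl, then tamper with each request, with validation code deciding whether a probe ever reaches the sink. The following is an added example, not the presenters' scanner: it builds a constructed stand-in for the slide 26 servlet on top of SQLite, feeds it a constructed stage-1 crawl result for http://mySite/login.jsp, and runs the stage-2 mutations of one parameter at a time, flagging a finding when the response carries a database error. The error signatures and the padded-quote payload are assumptions of this example.

```python
import sqlite3

# Response fragments treated as evidence of a broken statement (assumed list).
ERROR_SIGNATURES = ("syntax error", "unrecognized token", "SQLException")


def make_app(min_len):
    """Constructed stand-in for the slide 26 servlet: the query is only built
    and executed when the username is longer than min_len characters."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tUsers (userid TEXT, password TEXT)")
    conn.execute("INSERT INTO tUsers VALUES ('jsmith', 'demo1234')")

    def handle(params):
        username = params.get("username", "")
        password = params.get("password", "")
        if len(username) > min_len:
            query = ("SELECT * from tUsers where userid='" + username +
                     "' AND password='" + password + "'")
            try:
                rows = conn.execute(query).fetchall()
            except sqlite3.OperationalError as exc:
                return 500, "SQLException: " + str(exc)
            return 200, "Welcome" if rows else "Login failed"
        return 200, "Login failed"

    return handle


# Stage 1 result (constructed): the crawl found the login form and its fields.
CRAWLED_FORM = {"url": "http://mySite/login.jsp", "fields": ["username", "password"]}


def mutations(base="aaaaaaaa"):
    """Stage 2 payloads for one parameter: the bare quote from slide 7, then the
    same quote padded so that a length check like slide 26's is still satisfied."""
    return [("bare", "'"), ("padded", base + "'")]


def scan(handle, form, baseline=None):
    """Tamper with one field at a time, keeping the other fields at harmless
    baseline values, and report (field, mutation) pairs that produced an error."""
    baseline = baseline or {f: "foobar" for f in form["fields"]}
    findings = []
    for field in form["fields"]:
        for name, payload in mutations():
            params = dict(baseline)
            params[field] = payload
            status, body = handle(params)
            if status == 500 and any(s in body for s in ERROR_SIGNATURES):
                findings.append((field, name))
    return findings


if __name__ == "__main__":
    print(scan(make_app(5), CRAWLED_FORM))   # slide 26: only the padded probes get through
    print(scan(make_app(0), CRAWLED_FORM))   # no length check: the bare probe also fires
```

Two details of the result are worth noticing. With the length check in place the bare quote never reaches the sink, so a scanner that sends only that payload reports nothing; that is the "cover all attack vectors" challenge of slide 27 in miniature. And a single quote placed in the last parameter produces password='''', which SQLite parses as a valid literal, so the bare probe never fires for that field at all, which is why real scanners send many mutations per parameter rather than one.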
