1 / 30

Approaches to Application Security – DSM

Approaches to Application Security – DSM. Maheshan C N. Maheshan.Chemminiyan@lntinfotech.com. Agenda. Sample illustration of a SQL Injection Different Approaches to Security Testing Dynamic (Black Box) Vs Static (White Box) Vs Manual Summary. Sample illustration of a SQL injection.

bian
Download Presentation

Approaches to Application Security – DSM

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Approaches to Application Security – DSM Maheshan C N Maheshan.Chemminiyan@lntinfotech.com

  2. Agenda • Sample illustration of a SQL Injection • Different Approaches to Security Testing • Dynamic (Black Box) Vs Static (White Box) Vs Manual • Summary

  3. Sample illustration of a SQL injection

  4. SQL Injection

  5. Username: jsmith Password: ******* Normal login for JSMITH

  6. Normal login for JSMITH

  7. Username: ‘ Password: Username = Apostrophe? The start of a SQL injection attack

  8. Syntax error in string query expression ‘username = “’ and password = “’ Step 1 – We have an error

  9. Step 2 – Try a more complete SQL statement Username:’ or username like ‘s%’ or ‘ --

  10. Now we are Sam!

  11. Approaches to Security Testing

  12. Manual Analysis Static Analysis or White Box Testing Or Code Review BB Dynamic Analysis or Black Box Testing WB Dynamic, Static and Manual (DSM) Potential Security Defects

  13. Static and Dynamic Analysis Two types of security analysis: Static and Dynamic • Dynamic Analysis • Analyzes a running application • Looks for issues both within the application and around it • Web application scanners, run-time analyzers • Users: “black-box” penetration testing specialists • Static Analysis • Analyzes source code • Looks for security issues within the application source code • Users: “white-box”, source code auditors, development teams

  14. Dynamic (Black Box) Vs Static (White Box) Vs Manual

  15. How Dynamic (Black Box) Testing Works?

  16. UserID UserID Username Username Password Password Name Name 1 1824 admin jsmith $#kaoeFor56 demo1234 Administrator John Smith SQL Injection User input is embedded as-is in predefined SQL statements: jsmith query = "SELECT * from tUsers where userid='" + + "' AND password='" + + "'"; demo1234 iUserID iPassword SELECT * from tUsers where userid=‘jsmith' AND password=‘demo1234' • Hacker supplies input that modifies the original SQL statement, for example: • iUserID = ' or 1=1 -- SELECT * from tUsers where userid=' ' AND password='bar' ' AND password='bar'

  17. How BB Scanners Work Stage 1: Crawling as an honest user http://mySite/ http://mySite/login.jsp http://mySite/feedback.jsp http://mySite/editProfile.jsp http://mySite/logout.jsp

  18. How BB Scanners Work Stage 1: Crawling as an honest user http://mySite/ http://mySite/login.jsp http://mySite/feedback.jsp http://mySite/editProfile.jsp http://mySite/logout.jsp

  19. How BB Scanners Work Stage 1: Crawling as an honest user Stage 2: Testing by tampering requests

  20. How Static (White Box) Testing Works?

  21. Detecting SQL Injection (White Box) Source – a method returning tainted string // ... Stringusername = request.getParameter("username"); Stringpassword = request.getParameter("password"); // ... Stringquery = "SELECT * from tUsers where " + "userid='" +username + "' " + "AND password='" + password + "'"; // ... ResultSet rs = stmt.executeQuery(query); User can change executed SQL commands Sink - a potentially dangerous method

  22. Detecting SQL Injection (White Box) String username = request.getParameter("username"); // ... Stringpassword = request.getParameter("password"); // ... "userid='" +username + "' " + "AND password='" + password + "'"; // ... Stringusername = request.getParameter("username"); Stringquery = "SELECT * from tUsers where " +' String query = "SELECT …" + username ResultSet rs = stmt.executeQuery(query); ResultSet rs = stmt.executeQuery(query);

  23. How WB Scanners Work Many injection problems: SQLi, XSS, LogForging, PathTraversal, Remote code execution … Sources: Sanitizers: Undecidable problem Sinks:

  24. Pros and Cons of Black Box and White Box testing

  25. Dynamic (Black) Vs Static (White)

  26. Dynamic (Black) Vs Static (White) contd

  27. Manual Testing Pros and Cons • Pros • Cheaper than Automated solutions • Can identify any form of issues (based on skill set!!!) • Cons • Lack of security knowledge • Time consuming • Inconsistent

  28. Business Logic Issues Manual Analysis Some Authentication Issues Some authorization Issues Static Analysis or White Box Testing Or Code Review BB Dynamic Analysis or Black Box Testing Patch level issues Threading Issues Potential NULL Derefrences Production Configuration Issues WB Exception Handling Design Issues SQL Injection Some Configuration Issues Cross Site Scripting (XSS) Dynamic, Static and Manual (DSM) Potential Security Defects

  29. Summary • White Box / static analysis covers 80% of your application specific vulnerabilities • Black box / dynamic testing is really good for dynamic Vulnerabilities and Infrastructure based issues • Manual testing would still be needed to resolve Application logic and authorization based vulnerabilities

  30. Our Business Knowledge Your Winning Edge Thank you

More Related