Download presentation: Approaches to Application Security – DSM (Maheshan C N)

File: a6e8d59d5728277a803ce34dd3d0dc4b.ppt

Number of slides: 30

Slide 1: Approaches to Application Security – DSM. Maheshan C N, Maheshan.Chemminiyan@lntinfotech.com. Confidential | Copyright © L & T Infotech Ltd. 1

Slide 2: Agenda
1. Sample illustration of a SQL Injection
2. Different Approaches to Security Testing
3. Dynamic (Black Box) Vs Static (White Box) Vs Manual
4. Summary

Slide 3: Sample illustration of a SQL injection

Slide 4: SQL Injection

Slide 5: Normal login for JSMITH. Username: jsmith, Password: *******

Slide 6: Normal login for JSMITH (result screen)

Slide 7: Username = Apostrophe? The start of a SQL injection attack. Username: ' (a single apostrophe), Password: (empty)

Slide 8: Step 1 – We have an error. The application returns: Syntax error in string query expression 'username = "' and password = "'

Slide 9: Step 2 – Try a more complete SQL statement. Username: ' or username like 's%' or ' --

Slide 10: Now we are Sam! (the login succeeds as the first user whose name starts with "s")

Slide 11: Approaches to Security Testing

Slide 12: Dynamic, Static and Manual (DSM). Diagram of Potential Security Defects covered by three approaches: Manual Analysis; Dynamic Analysis or Black Box Testing (BB); Static Analysis or White Box Testing or Code Review (WB).

Slide 13: Static and Dynamic Analysis
Two types of security analysis: Static and Dynamic
• Dynamic Analysis
  • Analyzes a running application
  • Looks for issues both within the application and around it
  • Web application scanners, run-time analyzers
  • Users: "black-box" penetration testing specialists
• Static Analysis
  • Analyzes source code
  • Looks for security issues within the application source code
  • Users: "white-box" source code auditors, development teams

Slide 14: Dynamic (Black Box) Vs Static (White Box) Vs Manual

Slide 15: How Dynamic (Black Box) Testing Works?

Slide 16: SQL Injection
User input is embedded as-is in predefined SQL statements:

    query = "SELECT * from tUsers where userid='" + iUserID + "' AND password='" + iPassword + "'";

Normal input (jsmith / demo1234) produces

    SELECT * from tUsers where userid='jsmith' AND password='demo1234'

and returns:

| UserID | Username | Password | Name       |
|--------|----------|----------|------------|
| 1824   | jsmith   | demo1234 | John Smith |

A hacker supplies input that modifies the original SQL statement, for example iUserID = ' or 1=1 -- , which produces

    SELECT * from tUsers where userid='' or 1=1 -- ' AND password='bar'

(everything after -- is a comment, so the password check is discarded) and returns:

| UserID | Username | Password    | Name          |
|--------|----------|-------------|---------------|
| 1      | admin    | $#kaoeFor56 | Administrator |
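The concatenation on this slide, run against a constructed in-memory SQLite table with both the `' or 1=1 --` input from this slide and the `like 's%'` input from slide 9, beside a parameterized version of the same login query. This is an added example written for this page, not code from the deck: the table layout and sample rows are constructed, and the slide-9 input is adapted to this slide's `userid` column name.

```python
import sqlite3

# Constructed sample rows in the shape of the slide's tUsers table (not the deck's data).
# The deck stores clear-text passwords; a real system would store only password hashes.
SAMPLE_USERS = [
    (1, "admin", "$#kaoeFor56", "Administrator"),
    (1824, "jsmith", "demo1234", "John Smith"),
    (2001, "sam", "s3cret", "Sam"),  # constructed row for the slide-9 "Now we are Sam!" step
]


def make_db():
    """In-memory SQLite database holding the constructed tUsers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tUsers (id INTEGER, userid TEXT, password TEXT, name TEXT)")
    conn.executemany("INSERT INTO tUsers VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def build_query_vulnerable(user_id, password):
    """The slide's construction: user input spliced straight into the SQL text."""
    return ("SELECT * from tUsers where userid='" + user_id
            + "' AND password='" + password + "'")


def login_vulnerable(conn, user_id, password):
    """Runs the concatenated query; quotes and -- in the input become SQL syntax."""
    return conn.execute(build_query_vulnerable(user_id, password)).fetchall()


def login_safe(conn, user_id, password):
    """Parameterized query: the driver binds the values separately from the SQL text,
    so quotes and comment markers in the input stay inside the bound value."""
    return conn.execute(
        "SELECT * from tUsers where userid=? AND password=?", (user_id, password)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(build_query_vulnerable("' or 1=1 --", "bar"))
    print(login_vulnerable(db, "' or 1=1 --", "bar"))                  # every row, admin first
    print(login_vulnerable(db, "' or userid like 's%' or ' --", ""))   # Sam's row only
    print(login_safe(db, "' or 1=1 --", "bar"))                        # no rows at all
```

The parameterized form is the fix static analysis tools look for at the sink: the query text contains no user data, so the two inputs that log in as admin and as Sam through `login_vulnerable` return nothing through `login_safe`.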

Slide 17: How BB Scanners Work. Stage 1: Crawling as an honest user, discovering pages such as http://mySite/login.jsp, http://mySite/feedback.jsp, http://mySite/editProfile.jsp, http://mySite/logout.jsp

Slide 18: How BB Scanners Work. Stage 1: Crawling as an honest user (same page list as slide 17)

Slide 19: How BB Scanners Work. Stage 1: Crawling as an honest user. Stage 2: Testing by tampering requests

Slide 20: How Static (White Box) Testing Works?

Slide 21: Detecting SQL Injection (White Box)
Source – a method returning a tainted string:

    // ...
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    // ...
    String query = "SELECT * from tUsers where " +
                   "userid='" + username + "' " +
                   "AND password='" + password + "'";
    // ...
    ResultSet rs = stmt.executeQuery(query);

Sink – a potentially dangerous method: the user can change the executed SQL commands.

Slide 22: Detecting SQL Injection (White Box). The same code, with the tainted data flow highlighted from source to sink:

    String username = request.getParameter("username");   // source
    String query = "SELECT …" + username;                  // taint propagates through concatenation
    ResultSet rs = stmt.executeQuery(query);               // sink

Slide 23: How WB Scanners Work. Data is traced from Sources through Sanitizers to Sinks. Many injection problems fit this model: SQLi, XSS, LogForging, PathTraversal, Remote code execution … In general this is an undecidable problem.
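A minimal source/sanitizer/sink taint propagation of the kind slides 21 to 23 describe, as an added example that is neither the deck's code nor any real scanner's logic. It parses a constructed Python rendering of the slide-21 servlet snippet with the standard `ast` module, tracks which variables derive from `request.getParameter` through assignments and string concatenation, clears taint through a hypothetical `escape_sql` sanitizer, and reports any `stmt.executeQuery` call that receives tainted data. The policy names and both snippets are constructed for this example. The analysis is deliberately straight-line (no branches, loops or aliasing), which is the approximation slide 23's "undecidable problem" refers to: real tools trade precision for termination.

```python
import ast

# Constructed taint policy (hypothetical names, not any real scanner's configuration).
SOURCES = {"request.getParameter"}   # calls whose return value is attacker-controlled
SANITIZERS = {"escape_sql"}          # calls assumed to neutralise tainted input
SINKS = {"stmt.executeQuery"}        # calls that must never receive tainted data


def call_name(node):
    """Render a Call's callee as dotted text, e.g. request.getParameter."""
    func, parts = node.func, []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def is_tainted(node, tainted_vars):
    """Conservatively decide whether an expression may carry source data."""
    if isinstance(node, ast.Name):
        return node.id in tainted_vars
    if isinstance(node, ast.Constant):
        return False
    if isinstance(node, ast.Call):
        name = call_name(node)
        if name in SOURCES:
            return True
        if name in SANITIZERS:
            return False            # sanitizer output is treated as clean
        return any(is_tainted(a, tainted_vars) for a in node.args)
    # BinOp (string concatenation), f-strings and anything else: tainted if any child is.
    return any(is_tainted(child, tainted_vars) for child in ast.iter_child_nodes(node))


def analyse(source_code):
    """Straight-line taint analysis. Returns (line, sink, argument) triples where
    source-derived data reaches a sink without passing through a sanitizer."""
    tainted, findings = set(), []

    def check_sinks(expr, lineno):
        for node in ast.walk(expr):
            if isinstance(node, ast.Call) and call_name(node) in SINKS:
                for arg in node.args:
                    if is_tainted(arg, tainted):
                        findings.append((lineno, call_name(node), getattr(arg, "id", type(arg).__name__)))

    def visit_block(stmts):
        for stmt in stmts:
            if isinstance(stmt, (ast.Assign, ast.Expr, ast.Return)) and stmt.value is not None:
                check_sinks(stmt.value, stmt.lineno)
            if isinstance(stmt, ast.Assign):
                names = {t.id for t in stmt.targets if isinstance(t, ast.Name)}
                if is_tainted(stmt.value, tainted):
                    tainted.update(names)             # taint flows into the assigned variable
                else:
                    tainted.difference_update(names)  # overwritten with clean data
            for field in ("body", "orelse", "finalbody"):  # descend into nested blocks in order
                visit_block(getattr(stmt, field, []))

    visit_block(ast.parse(source_code).body)
    return findings


# Constructed Python rendering of the slide-21 servlet snippet (not the deck's Java).
VULNERABLE_SNIPPET = '''
username = request.getParameter("username")
password = request.getParameter("password")
query = "SELECT * from tUsers where " + "userid='" + username + "' " + "AND password='" + password + "'"
rs = stmt.executeQuery(query)
'''

# Same flow with the hypothetical sanitizer applied at the source.
SANITIZED_SNIPPET = '''
username = escape_sql(request.getParameter("username"))
password = escape_sql(request.getParameter("password"))
query = "SELECT * from tUsers where userid='" + username + "' AND password='" + password + "'"
rs = stmt.executeQuery(query)
'''

if __name__ == "__main__":
    print(analyse(VULNERABLE_SNIPPET))   # one finding: the sink on line 5 receives "query"
    print(analyse(SANITIZED_SNIPPET))    # no findings
```

Whether `escape_sql` really neutralises every input is a policy assumption the tool cannot check, which is one reason static findings need manual confirmation; a parameterized query at the sink removes the question altogether.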

Slide 24: Pros and Cons of Black Box and White Box testing

Slide 25: Dynamic (Black) Vs Static (White)

| Feature            | Dynamic (Black)                                                                          | Static (White)                                                                                   |
|--------------------|------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------|
| Paradigm           | Cleverly "guessing" behaviors that may introduce vulnerabilities                          | Examines infinite numbers of behaviors in a finite approach                                      |
| Perspective        | Works as an attacker; HTTP awareness only; works on the big picture                      | Resembles code auditing; inspects the small details; hard to "connect the dots"                  |
| Pre-requisite      | Any deployed application; mainly used during the testing stage                           | Application code; mainly used in the development stage                                           |
| Development effort | Oblivious to different languages; different communication protocols require attention    | Different languages require support, some frameworks too; oblivious to communication protocols   |

Slide 26: Dynamic (Black) Vs Static (White), continued

| Feature                  | Dynamic (Black)                                                                                         | Static (White)                                                                                        |
|--------------------------|---------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------|
| Scope                    | Scans the entire system: servers (application, HTTP, DB, etc.), external interfaces, network, firewalls | Identifies issues regardless of configuration                                                         |
| Time/accuracy trade-offs | Crawling takes time; testing mutations takes (infinite) time                                            | A refined model consumes space and time; analyzes only "important" code and approximates the rest     |
| Accuracy challenges      | Challenge: cover all attack vectors                                                                     | Challenge: eliminate non-exploitable issues                                                           |

Slide 27: Manual Testing Pros and Cons
§ Pros
  – Cheaper than automated solutions
  – Can identify any form of issue (based on skill set!!!)
§ Cons
  – Lack of security knowledge
  – Time consuming
  – Inconsistent

Slide 28: Dynamic, Static and Manual (DSM). The slide-12 diagram again, now populating Potential Security Defects across Manual Analysis, Dynamic Analysis or Black Box Testing (BB), and Static Analysis or White Box Testing or Code Review (WB). Defect types shown: Business Logic Issues, Some Authentication Issues, Patch level issues, Threading Issues, Production Configuration Issues, SQL Injection, Some authorization Issues, Potential NULL Dereferences, Exception Handling, Design Issues, Some Configuration Issues, Cross Site Scripting (XSS).

Slide 29: Summary
§ White Box / static analysis covers 80% of your application-specific vulnerabilities
§ Black box / dynamic testing is really good for dynamic vulnerabilities and infrastructure-based issues
§ Manual testing would still be needed to resolve application logic and authorization-based vulnerabilities

Slide 30: Thank you. Our Business Knowledge, Your Winning Edge.