make my day just run a web scanner
play

Make My Day Just Run A Web Scanner Countering the faults of - PowerPoint PPT Presentation

Oct 22, 2022 •217 likes •761 views

Make My Day Just Run A Web Scanner Countering the faults of typical web scanners through bytecode injection Toshinari Kureha, Fortify Software Agenda Problems With Black Box Testing Approaches To Finding Security Issues 4

  1. Make My Day – Just Run A Web Scanner Countering the faults of typical web scanners through bytecode injection Toshinari Kureha, Fortify Software

  2. Agenda  Problems With Black Box Testing Approaches To Finding Security Issues  4 Problems With Black Box Testing   Solution:WhiteBox Testing With ByteCode Injection The Solution  Demo Of Solution  Building The Solution   Q&A

  3. Current Practice

  4. Current Practice How Do You Find Security Issues?  Looking at architectural / design documents  Looking at the source code  Static Analysis  Looking at a running application  Dynamic Analysis

  5. Current Practice Dynamic Analysis  Testing & Analysis Of Running Application   Find Input   Fuzz Input  Analyze Response Commercial Web Scanners  Cenzic  SPIDynamics  Watchfire 

  6. Current Practice Most People Use Web Scanners Because…  Easy To Run  Fast To Run  “Someone Told Me To”

  7. Dynamic Analysis Demo

  8. Web Scanner Review Good  Found Real Vulnerabilities  Was Easy To Run  “Did I Do A Good Job?” 

  9. Question 1: How Thorough Was My Test?  Do You Know How Much Of Your Application Was Tested?

  10. Question 1: How Thorough Was My Test?  How Much Of The Application Do You Think You Tested?

  11. Truth About Thoroughness  We ran a “Version 7.0 Scanner” on the following: Application EMMA Code Coverage Tool Web Source HacmeBooks 34% classes 30.5% 12% blocks 14% lines JCVS Web 45% classes 31.2% 19% blocks 22% lines Java PetStore 2 70% classes 18% 20% blocks 23% lines

  12. Web Scanner Review Good  Found Real Vulnerabilities  Was Easy To Run  Bad   How Thorough Was My Test?  No Way To Tell, And Actual Coverage Is Often Low     

  13. Question 2: Did I Find All Vulnerabilities? 3 Ways To Fail   Didn’t Test   Tested – But Couldn’t Conclude  Can’t Test

  14. Question 2: Did I Find All Vulnerabilities? 1. Didn’t Test If The Web Scanner Didn’t Even Reach That  Area, It Cannot Test! Tested Untested Vulnerabilities Not Found Application Vulnerabilities Found

  15. Question 2: Did I Find All Vulnerabilities? 2. Tested, But Couldn’t Conclude Certain Classes Of Vulnerabilities Sometimes  Can Be Detected Through HTTP Response SQL Injection  Command Injection  LDAP Injection 

  16. public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { ServletOutputStream out = res.getOutputStream(); String user = req.getParameter("user"); if(user != null ) { try { String [] args = { "/bin/sh", "-c", "finger " + user }; Process p = Runtime .getRuntime().exec(args); BufferedReader fingdata = new BufferedReader ( new InputStreamReader (p.getInputStream())); String line; while((line = fingdata.readLine()) != null ) out.println(line); p.waitFor(); } catch ( Exception e) { throw new ServletException(e); } } else { out.println("specify a user"); } …

  17. public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { ServletOutputStream out = res.getOutputStream(); String user = req.getParameter("user"); if(user != null ) { try { String [] args = { "/bin/sh", "-c", “sendMail.sh " + user }; Process p = Runtime .getRuntime().exec(args); p.waitFor(); } catch ( Exception e) { e.printStackTrace(System.err); } out.println(“Thank you note was sent”); } else { out.println("specify a user"); } …

  18. Question 2: Did I Find All Vulnerabilities? 3. Can’t Test Some Vulnerabilities Have No Manifestation In  Http Response cc num Log I hope they’re not logging my CC# into File plaintext log file cc num Application Client HTTP Response “Your order will be processed in 2 days”

  20. Web Scanner Review Good  Found Real Vulnerabilities  Was Easy To Run  Bad   How Thorough Was My Test?  No Way To Tell, And Actual Coverage Is Often Low   Did I Find All My Vulnerabilities? Didn’t Test, Tested But Couldn’t Conclude, Can’t Test    

  21. Question 3: Are All The Results Reported True? No Method Is Perfect  Under What Circumstances Do Web  Scanners Report False Positives? Matching Signature On A Valid Page  Matching Behavior On A Valid Page 

  22. Question 3: Are All The Results Reported True? Matching Signature On A Valid Page 

  23. Question 3: Are All The Results Reported True? Matching Behavior On A Valid Page  “To determine if the application is vulnerable to SQL  injection, try injecting an extra true condition into the WHERE clause… and if this query also returns the same …, then the application is susceptible to SQL injection” (from paper on Blind SQL Injection) E.g.  http://www.server.com/getCC.jsp?id=5  select ccnum from table where id=‘5’  http://www.server.com/getCC.jsp?id=5’ AND ‘1’=‘1  select ccnum from table where id=‘5’ AND ‘1’=‘1’ 

  24. Question 3: Are All The Results Reported True? E.g.  http://www.server.com/getCC.jsp?id=5  select ccnum from table where id=‘5’  Response:   “No match found” (No one with id “5”) http://www.server.com/getCC.jsp?id=5’ AND ‘1’=‘1  select ccnum from table where id=‘5\’ AND \‘1\’=\‘1’  Response   “No match found” (No one with id “5’ AND ‘1’=‘1”) All single quotes were escaped.  According To The Algorithm (“inject a true clause and  look for same response”), This Is SQL Injection Vulnerability!

  25. Web Scanner Review Good  Found Real Vulnerabilities  Was Easy To Run  Bad   How Thorough Was My Test?  No Way To Tell, And Actual Coverage Is Often Low   Did I Find All My Vulnerabilities? Didn’t Test, Tested But Couldn’t Conclude, Can’t Test   Are All The Results Reported True? Susceptible To False Signature & Behavior Matching   

  26. Question 4: How Do I Fix The Problem?  Security Issues Must Be Fixed In Source Code  Information Given  URL  Parameter  General Vulnerability Description  HTTP Request/Response  But Where In My Source Code Should I Look At?

  27. Question 4: How Do I Fix The Problem?  Incomplete Vulnerability Report -> Bad Fixes  Report:  Injecting “AAAAA…..AAAAA” Caused Application To Crash  Solution By Developers: …. if (input.equals(“AAAAA…..AAAAA”)) return; …..

  28. Web Scanner Review Good  Found Real Vulnerabilities  Was Easy To Run  Bad   How Thorough Was My Test?  No Way To Tell, And Actual Coverage Is Often Low   Did I Find All My Vulnerabilities? Didn’t Test, Tested But Couldn’t Conclude, Can’t Test   Are All The Results Reported True? Susceptible To Signature & Behavior Matching   How Do I Fix The Problem?  No Source Code / Root Cause Information 

  29. Attacking The Problems White Box Testing With Bytecode Injection

  30. Agenda  Problems With Black Box Testing Approaches To Finding Security Issues  4 Problems With Black Box Testing   Solution:WhiteBox Testing With ByteCode Injection The Solution  Demo Of Solution  Building The Solution   Q&A

  31. and Proposal Review… Application Server Database HTTP Web File Scanne Web System r Application Other Apps Verify Watch Verify Verify Verify Results Results Results Results Result

  32. How Will Monitors Solve The Problems?  How Thorough Was Monitors Inside Will Tell    Which Parts Was Hit My Test? Monitors Inside Detects  Did I Find All My  More Vulnerabilities Vulnerabilities? Very Low False Positive   Are All The Results By Looking At Source Of Reported True? Vulnerabilities  How Do I Fix The  Monitors Inside Can Give   Problem? Root Cause Information

  33. How To Build The Solution  How Do You Inject The Monitors Inside  The Application?  Where Do You Inject The Monitors Inside The Application?  What Should The Monitors Do Inside The Application?

  34. How Do You Inject The Monitors?  Problem: How Do You Put The Monitors Into The Application?  Assumption: You Do Not Have Source Code, Only Deployed Java / .NET Application  Solution: Bytecode Weaving  AspectJ for Java  AspectDNG for .NET

  35. How Does Bytecode Weaving Work? New Code & Location Spec. Original New AspectJ .class .class Similar process for .NET

  36. How Does Bytecode Weaving Work? List getStuff(String id) { List getStuff(String id) { List list = new ArrayList(); List list = new ArrayList(); try { try { String sql = “select stuff from String sql = “select stuff from mytable where id=‘” + id + “’”; mytable where id=‘” + id + “’”; JDBCstmt.executeQuery(sql); MyLibrary.doCheck(sql); } catch (Exception ex) { JDBCstmt.executeQuery(sql); log.log(ex); } catch (Exception ex) { } log.log(ex); Before return list; } “executeQuery()” } return list; Call “MyLibrary.doCheck()” }

  37. Bytecode Injection Demo

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

2D & 3D Scanner 2D & 3D Scanner 3D & 2D scanner HD The scanner C800 was specially

2D & 3D Scanner 2D & 3D Scanner 3D & 2D scanner HD The scanner C800 was specially

2D & 3D Scanner 2D & 3D Scanner 3D & 2D scanner HD The scanner C800 was specially developed to suit the wallpaper and dcor industry. The high precision table is equipped with linear motors which results in fast and precise scans.

102 views • 7 slides
How to Scan 35mm Slides Make sure the scanner cable is plugged into the iMacs USB port. 1 Tie

How to Scan 35mm Slides Make sure the scanner cable is plugged into the iMacs USB port. 1 Tie

DIGITAL MEDIA LAB at the new lenox public library How to Scan 35mm Slides Make sure the scanner cable is plugged into the iMacs USB port. 1 Tie scanner cable is cream-colored. 2 Turn the scanner on by pressing the power button. Tie power

195 views • 8 slides
2. Lexical Analysis 2.1 Tasks of a Scanner 2.2 Regular Grammars and Finite Automata 2.3 Scanner

2. Lexical Analysis 2.1 Tasks of a Scanner 2.2 Regular Grammars and Finite Automata 2.3 Scanner

2. Lexical Analysis 2.1 Tasks of a Scanner 2.2 Regular Grammars and Finite Automata 2.3 Scanner Implementation 1 Tasks of a Scanner 1. Delivers terminal symbols (tokens) scanner IF, LPAR, IDENT, EQ, NUMBER, RPAR, ..., EOF i f ( x = = 3

252 views • 21 slides
2. Lexical Analysis 2.1 Tasks of a Scanner 2.2 Regular Grammars and Finite Automata 2.3 Scanner

2. Lexical Analysis 2.1 Tasks of a Scanner 2.2 Regular Grammars and Finite Automata 2.3 Scanner

2. Lexical Analysis 2.1 Tasks of a Scanner 2.2 Regular Grammars and Finite Automata 2.3 Scanner Implementation 1 Tasks of a Scanner 1. Recognizes tokens if, lpar, ident, eql, number, rpar, ..., eof scanner i f ( x = = 3 ) character

581 views • 18 slides
HP Presentation Barcode Scanner The HP Presentation Barcode scanner is compatible with CornerStore

HP Presentation Barcode Scanner The HP Presentation Barcode scanner is compatible with CornerStore

International Point of Sale: Corner Store POS HP Presentation Barcode Scanner The HP Presentation Barcode scanner is compatible with CornerStore and any non-wireless computer. This document will show you how to program your scanner to read

411 views • 6 slides
Lexical Analysis The Scanner CSC 4181 Compiler Construction 1 Scanner 1 Introduction A

Lexical Analysis The Scanner CSC 4181 Compiler Construction 1 Scanner 1 Introduction A

Lexical Analysis The Scanner CSC 4181 Compiler Construction 1 Scanner 1 Introduction A scanner, sometimes called a lexical analyzer A scanner : gets a stream of characters (source program) divides it into tokens Tokens are

139 views • 11 slides
Getting Input from a File To open a file for reading: Scanner inFile = new Scanner (file);

Getting Input from a File To open a file for reading: Scanner inFile = new Scanner (file);

Getting Input from a File To open a file for reading: Scanner inFile = new Scanner (file); Scanner constructor - takes a File parameter and provides methods to get individual pieces of data 1 Scanner class Provides methods to get the next

179 views • 4 slides
Introduction to Computer Science I Scanner, Increment/Decrement, Conversion Janyl Jumadinova 5

Introduction to Computer Science I Scanner, Increment/Decrement, Conversion Janyl Jumadinova 5

Introduction to Computer Science I Scanner, Increment/Decrement, Conversion Janyl Jumadinova 5 February, 2018 Review: Scanner The Scanner class in the java.util package is a simple text scanner which can parse primitive types and strings

507 views • 14 slides
Introduction to Computer Science I Scanner, Increment/Decrement, Conversion Janyl Jumadinova

Introduction to Computer Science I Scanner, Increment/Decrement, Conversion Janyl Jumadinova

Introduction to Computer Science I Scanner, Increment/Decrement, Conversion Janyl Jumadinova September 19, 2016 Scanner The Scanner class in the java.util package is a simple text scanner which can parse primitive types and strings We

424 views • 13 slides
Scanning Slides and Negatjves Prepare the scanner #1 1. Open the scanner and remove the document

Scanning Slides and Negatjves Prepare the scanner #1 1. Open the scanner and remove the document

Scanning Slides and Negatjves Prepare the scanner #1 1. Open the scanner and remove the document mat if it is present. Note: You must remove the document mat from the scanner to scan fjlm or slides. This uncovers the transparency unit window beneath

69 views • 6 slides
ScanDIVA Book Scanner Product Sales Presentation February, 2013 Product Overview ScanDIVA

ScanDIVA Book Scanner Product Sales Presentation February, 2013 Product Overview ScanDIVA

ScanDIVA Book Scanner Product Sales Presentation February, 2013 Product Overview ScanDIVA Overview -- What is ScanDIVA? Professional book scanner Designed to make scanning books up to 18 x 24 easy Scans 3-dimensional objects

503 views • 26 slides
HP Fortify Scanner Setup CSIF computer's should have the scanner already installed

HP Fortify Scanner Setup CSIF computer's should have the scanner already installed

HP Fortify Scanner Setup CSIF computer's should have the scanner already installed Command is sourceanalyzer Problems which sourceanalyzer == <path>/HP_Fortify/HP_Fortify_SCA_and_Apps_<ver

358 views • 15 slides
How to use the Scanner For Slides Double click on the HP Precision scan icon You will see

How to use the Scanner For Slides Double click on the HP Precision scan icon You will see

How to use the Scanner For Slides Double click on the HP Precision scan icon You will see this screen: Click on Scan . Click on XPA Sildes . Open Scanner and place Scanner Mask on glass. Ensure that the mask is face up and the rectangular

189 views • 3 slides
Laser Wire Scanner test on CTF2 Laser Wire Scanner test on CTF2 Motivation Experimental

Laser Wire Scanner test on CTF2 Laser Wire Scanner test on CTF2 Motivation Experimental

Laser Wire Scanner test on CTF2 Laser Wire Scanner test on CTF2 Motivation Experimental set-up Time and space overlap X-ray detection Result of the scan Future improvements and perspectives CERN Royal Holloway University

296 views • 16 slides
Retrieving String inputs from the keyboard package PackageName ; // import the Scanner class

Retrieving String inputs from the keyboard package PackageName ; // import the Scanner class

Retrieving String inputs from the keyboard package PackageName ; // import the Scanner class import java.util.Scanner ; public class ClassName { public static void main(String args[]) { // Declare a new input scanner for use in your program

63 views • 3 slides
TDT4205 Lecture #6 2 Weve recognized the words Regular Scanner expressions Generator

TDT4205 Lecture #6 2 Weve recognized the words Regular Scanner expressions Generator

1 Context-Free Grammars TDT4205 Lecture #6 2 Weve recognized the words Regular Scanner expressions Generator Source Scanner Pairs of code (token, lexeme) Inside of compiler 3 Next comes statements That is, syntactic

513 views • 32 slides
NY State of Health the Official Health Plan Marketplace Inning #2 Hit a Home Run at Your Next

NY State of Health the Official Health Plan Marketplace Inning #2 Hit a Home Run at Your Next

NY State of Health the Official Health Plan Marketplace Inning #2 Hit a Home Run at Your Next Outreach Event Dont Kick Sand at the Umpire June 4, 2014 Presenters Welcome Donna Frescatore Executive Director, NY State of Health

798 views • 62 slides
Taking the difficult out of difficult feedback: understanding generational differences that

Taking the difficult out of difficult feedback: understanding generational differences that

Taking the difficult out of difficult feedback: understanding generational differences that matter Kanade Shinkai, MD PhD Assistant Professor of Clinical Dermatology Associate Residency Program Director Mediator, Office of the Ombuds

677 views • 39 slides
The North Carolina Innocence Inquiry Commission Hearing April 28 th and 29 th , 2011 Welcome

The North Carolina Innocence Inquiry Commission Hearing April 28 th and 29 th , 2011 Welcome

The North Carolina Innocence Inquiry Commission Hearing April 28 th and 29 th , 2011 Welcome Commissioners! State of North Carolina v. Kenneth Kagonyera 00 CRS 65086 and Robert Wilcoxson 00 CRS 65088 Convictions for Second Degree Murder

835 views • 80 slides
Housekeeping Issues Housekeeping Issues Call ll 86 866. 6.493.282 825 5 for technology

Housekeeping Issues Housekeeping Issues Call ll 86 866. 6.493.282 825 5 for technology

Session ssion O One: e: Ov Overcom ercoming Im Implem plemen entation tation Is Issu sues es For audio For audio r audio participation r audio participation participation participation Dial: 866. Dial: 866. 866.793. 866.793.

381 views • 16 slides
CSA Recordkeeping and Other Unique Issues Plaintiff and Defense Strategies for Approaching

CSA Recordkeeping and Other Unique Issues Plaintiff and Defense Strategies for Approaching

Presenting a live 90-minute webinar with interactive Q&A Litigating Trucking Accident Injury Claims: Theories of Liability, Impact of CSA Recordkeeping and Other Unique Issues Plaintiff and Defense Strategies for Approaching Discovery,

1.7k views • 150 slides
Federal Coronavirus Response An Overview of the Families First Coronavirus Response Act March

Federal Coronavirus Response An Overview of the Families First Coronavirus Response Act March

Federal Coronavirus Response An Overview of the Families First Coronavirus Response Act March 24, 2020 Agenda Introduction (Michelle Templin) Big Picture Review of Congress & Coronavirus Summary of Closures and Restrictions

349 views • 22 slides
Wisconsin Digital Government Summit Wisconsin Department of Justice Office of the Attorney

Wisconsin Digital Government Summit Wisconsin Department of Justice Office of the Attorney

Wisconsin Digital Government Summit Wisconsin Department of Justice Office of the Attorney General Office of Open Government Madison, November 30, 2017 The Role of the Wisconsin Department of Justice Openness and transparency in

425 views • 20 slides
Effects of Single Counter Efficiencies on Mu2e Mu2e Sensitivity and Mitigation Strategy

Effects of Single Counter Efficiencies on Mu2e Mu2e Sensitivity and Mitigation Strategy

Jo Lynn Tyner Effects of Single Counter Efficiencies on Mu2e Mu2e Sensitivity and Mitigation Strategy Background Layout CRV for Individual Counter Efficiency Deficits Importance Efficiency Simulation Gap Hits Dead Counters Local Drop

279 views • 15 slides

More recommend