make my day just run a web scanner
play

Make My Day Just Run A Web Scanner Countering the faults of - PowerPoint PPT Presentation

Oct 22, 2022 •217 likes •761 views

Make My Day Just Run A Web Scanner Countering the faults of typical web scanners through bytecode injection Toshinari Kureha, Fortify Software Agenda Problems With Black Box Testing Approaches To Finding Security Issues 4

  1. Make My Day – Just Run A Web Scanner Countering the faults of typical web scanners through bytecode injection Toshinari Kureha, Fortify Software

  2. Agenda  Problems With Black Box Testing Approaches To Finding Security Issues  4 Problems With Black Box Testing   Solution:WhiteBox Testing With ByteCode Injection The Solution  Demo Of Solution  Building The Solution   Q&A

  3. Current Practice

  4. Current Practice How Do You Find Security Issues?  Looking at architectural / design documents  Looking at the source code  Static Analysis  Looking at a running application  Dynamic Analysis

  5. Current Practice Dynamic Analysis  Testing & Analysis Of Running Application   Find Input   Fuzz Input  Analyze Response Commercial Web Scanners  Cenzic  SPIDynamics  Watchfire 

  6. Current Practice Most People Use Web Scanners Because…  Easy To Run  Fast To Run  “Someone Told Me To”

  7. Dynamic Analysis Demo

  8. Web Scanner Review Good  Found Real Vulnerabilities  Was Easy To Run  “Did I Do A Good Job?” 

  9. Question 1: How Thorough Was My Test?  Do You Know How Much Of Your Application Was Tested?

  10. Question 1: How Thorough Was My Test?  How Much Of The Application Do You Think You Tested?

  11. Truth About Thoroughness  We ran a “Version 7.0 Scanner” on the following: Application EMMA Code Coverage Tool Web Source HacmeBooks 34% classes 30.5% 12% blocks 14% lines JCVS Web 45% classes 31.2% 19% blocks 22% lines Java PetStore 2 70% classes 18% 20% blocks 23% lines

  12. Web Scanner Review Good  Found Real Vulnerabilities  Was Easy To Run  Bad   How Thorough Was My Test?  No Way To Tell, And Actual Coverage Is Often Low     

  13. Question 2: Did I Find All Vulnerabilities? 3 Ways To Fail   Didn’t Test   Tested – But Couldn’t Conclude  Can’t Test

  14. Question 2: Did I Find All Vulnerabilities? 1. Didn’t Test If The Web Scanner Didn’t Even Reach That  Area, It Cannot Test! Tested Untested Vulnerabilities Not Found Application Vulnerabilities Found

  15. Question 2: Did I Find All Vulnerabilities? 2. Tested, But Couldn’t Conclude Certain Classes Of Vulnerabilities Sometimes  Can Be Detected Through HTTP Response SQL Injection  Command Injection  LDAP Injection 

  16. public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { ServletOutputStream out = res.getOutputStream(); String user = req.getParameter("user"); if(user != null ) { try { String [] args = { "/bin/sh", "-c", "finger " + user }; Process p = Runtime .getRuntime().exec(args); BufferedReader fingdata = new BufferedReader ( new InputStreamReader (p.getInputStream())); String line; while((line = fingdata.readLine()) != null ) out.println(line); p.waitFor(); } catch ( Exception e) { throw new ServletException(e); } } else { out.println("specify a user"); } …

  17. public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { ServletOutputStream out = res.getOutputStream(); String user = req.getParameter("user"); if(user != null ) { try { String [] args = { "/bin/sh", "-c", “sendMail.sh " + user }; Process p = Runtime .getRuntime().exec(args); p.waitFor(); } catch ( Exception e) { e.printStackTrace(System.err); } out.println(“Thank you note was sent”); } else { out.println("specify a user"); } …

  18. Question 2: Did I Find All Vulnerabilities? 3. Can’t Test Some Vulnerabilities Have No Manifestation In  Http Response cc num Log I hope they’re not logging my CC# into File plaintext log file cc num Application Client HTTP Response “Your order will be processed in 2 days”

  20. Web Scanner Review Good  Found Real Vulnerabilities  Was Easy To Run  Bad   How Thorough Was My Test?  No Way To Tell, And Actual Coverage Is Often Low   Did I Find All My Vulnerabilities? Didn’t Test, Tested But Couldn’t Conclude, Can’t Test    

  21. Question 3: Are All The Results Reported True? No Method Is Perfect  Under What Circumstances Do Web  Scanners Report False Positives? Matching Signature On A Valid Page  Matching Behavior On A Valid Page 

  22. Question 3: Are All The Results Reported True? Matching Signature On A Valid Page 

  23. Question 3: Are All The Results Reported True? Matching Behavior On A Valid Page  “To determine if the application is vulnerable to SQL  injection, try injecting an extra true condition into the WHERE clause… and if this query also returns the same …, then the application is susceptible to SQL injection” (from paper on Blind SQL Injection) E.g.  http://www.server.com/getCC.jsp?id=5  select ccnum from table where id=‘5’  http://www.server.com/getCC.jsp?id=5’ AND ‘1’=‘1  select ccnum from table where id=‘5’ AND ‘1’=‘1’ 

  24. Question 3: Are All The Results Reported True? E.g.  http://www.server.com/getCC.jsp?id=5  select ccnum from table where id=‘5’  Response:   “No match found” (No one with id “5”) http://www.server.com/getCC.jsp?id=5’ AND ‘1’=‘1  select ccnum from table where id=‘5\’ AND \‘1\’=\‘1’  Response   “No match found” (No one with id “5’ AND ‘1’=‘1”) All single quotes were escaped.  According To The Algorithm (“inject a true clause and  look for same response”), This Is SQL Injection Vulnerability!

  25. Web Scanner Review Good  Found Real Vulnerabilities  Was Easy To Run  Bad   How Thorough Was My Test?  No Way To Tell, And Actual Coverage Is Often Low   Did I Find All My Vulnerabilities? Didn’t Test, Tested But Couldn’t Conclude, Can’t Test   Are All The Results Reported True? Susceptible To False Signature & Behavior Matching   

  26. Question 4: How Do I Fix The Problem?  Security Issues Must Be Fixed In Source Code  Information Given  URL  Parameter  General Vulnerability Description  HTTP Request/Response  But Where In My Source Code Should I Look At?

  27. Question 4: How Do I Fix The Problem?  Incomplete Vulnerability Report -> Bad Fixes  Report:  Injecting “AAAAA…..AAAAA” Caused Application To Crash  Solution By Developers: …. if (input.equals(“AAAAA…..AAAAA”)) return; …..

  28. Web Scanner Review Good  Found Real Vulnerabilities  Was Easy To Run  Bad   How Thorough Was My Test?  No Way To Tell, And Actual Coverage Is Often Low   Did I Find All My Vulnerabilities? Didn’t Test, Tested But Couldn’t Conclude, Can’t Test   Are All The Results Reported True? Susceptible To Signature & Behavior Matching   How Do I Fix The Problem?  No Source Code / Root Cause Information 

  29. Attacking The Problems White Box Testing With Bytecode Injection

  30. Agenda  Problems With Black Box Testing Approaches To Finding Security Issues  4 Problems With Black Box Testing   Solution:WhiteBox Testing With ByteCode Injection The Solution  Demo Of Solution  Building The Solution   Q&A

  31. and Proposal Review… Application Server Database HTTP Web File Scanne Web System r Application Other Apps Verify Watch Verify Verify Verify Results Results Results Results Result

  32. How Will Monitors Solve The Problems?  How Thorough Was Monitors Inside Will Tell    Which Parts Was Hit My Test? Monitors Inside Detects  Did I Find All My  More Vulnerabilities Vulnerabilities? Very Low False Positive   Are All The Results By Looking At Source Of Reported True? Vulnerabilities  How Do I Fix The  Monitors Inside Can Give   Problem? Root Cause Information

  33. How To Build The Solution  How Do You Inject The Monitors Inside  The Application?  Where Do You Inject The Monitors Inside The Application?  What Should The Monitors Do Inside The Application?

  34. How Do You Inject The Monitors?  Problem: How Do You Put The Monitors Into The Application?  Assumption: You Do Not Have Source Code, Only Deployed Java / .NET Application  Solution: Bytecode Weaving  AspectJ for Java  AspectDNG for .NET

  35. How Does Bytecode Weaving Work? New Code & Location Spec. Original New AspectJ .class .class Similar process for .NET

  36. How Does Bytecode Weaving Work? List getStuff(String id) { List getStuff(String id) { List list = new ArrayList(); List list = new ArrayList(); try { try { String sql = “select stuff from String sql = “select stuff from mytable where id=‘” + id + “’”; mytable where id=‘” + id + “’”; JDBCstmt.executeQuery(sql); MyLibrary.doCheck(sql); } catch (Exception ex) { JDBCstmt.executeQuery(sql); log.log(ex); } catch (Exception ex) { } log.log(ex); Before return list; } “executeQuery()” } return list; Call “MyLibrary.doCheck()” }

  37. Bytecode Injection Demo

Recommend

2D & 3D Scanner 2D & 3D Scanner 3D & 2D scanner HD The scanner C800 was specially

2D & 3D Scanner 2D & 3D Scanner 3D & 2D scanner HD The scanner C800 was specially

2D & 3D Scanner 2D & 3D Scanner 3D & 2D scanner HD The scanner C800 was specially developed to suit the wallpaper and dcor industry. The high precision table is equipped with linear motors which results in fast and precise scans.

102 views • 7 slides
How to Scan 35mm Slides Make sure the scanner cable is plugged into the iMacs USB port. 1 Tie

How to Scan 35mm Slides Make sure the scanner cable is plugged into the iMacs USB port. 1 Tie

DIGITAL MEDIA LAB at the new lenox public library How to Scan 35mm Slides Make sure the scanner cable is plugged into the iMacs USB port. 1 Tie scanner cable is cream-colored. 2 Turn the scanner on by pressing the power button. Tie power

195 views • 8 slides
2. Lexical Analysis 2.1 Tasks of a Scanner 2.2 Regular Grammars and Finite Automata 2.3 Scanner

2. Lexical Analysis 2.1 Tasks of a Scanner 2.2 Regular Grammars and Finite Automata 2.3 Scanner

2. Lexical Analysis 2.1 Tasks of a Scanner 2.2 Regular Grammars and Finite Automata 2.3 Scanner Implementation 1 Tasks of a Scanner 1. Delivers terminal symbols (tokens) scanner IF, LPAR, IDENT, EQ, NUMBER, RPAR, ..., EOF i f ( x = = 3

252 views • 21 slides
2. Lexical Analysis 2.1 Tasks of a Scanner 2.2 Regular Grammars and Finite Automata 2.3 Scanner

2. Lexical Analysis 2.1 Tasks of a Scanner 2.2 Regular Grammars and Finite Automata 2.3 Scanner

2. Lexical Analysis 2.1 Tasks of a Scanner 2.2 Regular Grammars and Finite Automata 2.3 Scanner Implementation 1 Tasks of a Scanner 1. Recognizes tokens if, lpar, ident, eql, number, rpar, ..., eof scanner i f ( x = = 3 ) character

581 views • 18 slides
HP Presentation Barcode Scanner The HP Presentation Barcode scanner is compatible with CornerStore

HP Presentation Barcode Scanner The HP Presentation Barcode scanner is compatible with CornerStore

International Point of Sale: Corner Store POS HP Presentation Barcode Scanner The HP Presentation Barcode scanner is compatible with CornerStore and any non-wireless computer. This document will show you how to program your scanner to read

411 views • 6 slides
Lexical Analysis The Scanner CSC 4181 Compiler Construction 1 Scanner 1 Introduction A

Lexical Analysis The Scanner CSC 4181 Compiler Construction 1 Scanner 1 Introduction A

Lexical Analysis The Scanner CSC 4181 Compiler Construction 1 Scanner 1 Introduction A scanner, sometimes called a lexical analyzer A scanner : gets a stream of characters (source program) divides it into tokens Tokens are

139 views • 11 slides
Getting Input from a File To open a file for reading: Scanner inFile = new Scanner (file);

Getting Input from a File To open a file for reading: Scanner inFile = new Scanner (file);

Getting Input from a File To open a file for reading: Scanner inFile = new Scanner (file); Scanner constructor - takes a File parameter and provides methods to get individual pieces of data 1 Scanner class Provides methods to get the next

179 views • 4 slides
Introduction to Computer Science I Scanner, Increment/Decrement, Conversion Janyl Jumadinova 5

Introduction to Computer Science I Scanner, Increment/Decrement, Conversion Janyl Jumadinova 5

Introduction to Computer Science I Scanner, Increment/Decrement, Conversion Janyl Jumadinova 5 February, 2018 Review: Scanner The Scanner class in the java.util package is a simple text scanner which can parse primitive types and strings

507 views • 14 slides
Introduction to Computer Science I Scanner, Increment/Decrement, Conversion Janyl Jumadinova

Introduction to Computer Science I Scanner, Increment/Decrement, Conversion Janyl Jumadinova

Introduction to Computer Science I Scanner, Increment/Decrement, Conversion Janyl Jumadinova September 19, 2016 Scanner The Scanner class in the java.util package is a simple text scanner which can parse primitive types and strings We

424 views • 13 slides
Scanning Slides and Negatjves Prepare the scanner #1 1. Open the scanner and remove the document

Scanning Slides and Negatjves Prepare the scanner #1 1. Open the scanner and remove the document

Scanning Slides and Negatjves Prepare the scanner #1 1. Open the scanner and remove the document mat if it is present. Note: You must remove the document mat from the scanner to scan fjlm or slides. This uncovers the transparency unit window beneath

69 views • 6 slides
ScanDIVA Book Scanner Product Sales Presentation February, 2013 Product Overview ScanDIVA

ScanDIVA Book Scanner Product Sales Presentation February, 2013 Product Overview ScanDIVA

ScanDIVA Book Scanner Product Sales Presentation February, 2013 Product Overview ScanDIVA Overview -- What is ScanDIVA? Professional book scanner Designed to make scanning books up to 18 x 24 easy Scans 3-dimensional objects

503 views • 26 slides
HP Fortify Scanner Setup CSIF computer's should have the scanner already installed

HP Fortify Scanner Setup CSIF computer's should have the scanner already installed

HP Fortify Scanner Setup CSIF computer's should have the scanner already installed Command is sourceanalyzer Problems which sourceanalyzer == <path>/HP_Fortify/HP_Fortify_SCA_and_Apps_<ver

358 views • 15 slides
How to use the Scanner For Slides Double click on the HP Precision scan icon You will see

How to use the Scanner For Slides Double click on the HP Precision scan icon You will see

How to use the Scanner For Slides Double click on the HP Precision scan icon You will see this screen: Click on Scan . Click on XPA Sildes . Open Scanner and place Scanner Mask on glass. Ensure that the mask is face up and the rectangular

189 views • 3 slides
Laser Wire Scanner test on CTF2 Laser Wire Scanner test on CTF2 Motivation Experimental

Laser Wire Scanner test on CTF2 Laser Wire Scanner test on CTF2 Motivation Experimental

Laser Wire Scanner test on CTF2 Laser Wire Scanner test on CTF2 Motivation Experimental set-up Time and space overlap X-ray detection Result of the scan Future improvements and perspectives CERN Royal Holloway University

296 views • 16 slides
Retrieving String inputs from the keyboard package PackageName ; // import the Scanner class

Retrieving String inputs from the keyboard package PackageName ; // import the Scanner class

Retrieving String inputs from the keyboard package PackageName ; // import the Scanner class import java.util.Scanner ; public class ClassName { public static void main(String args[]) { // Declare a new input scanner for use in your program

63 views • 3 slides
TDT4205 Lecture #6 2 Weve recognized the words Regular Scanner expressions Generator

TDT4205 Lecture #6 2 Weve recognized the words Regular Scanner expressions Generator

1 Context-Free Grammars TDT4205 Lecture #6 2 Weve recognized the words Regular Scanner expressions Generator Source Scanner Pairs of code (token, lexeme) Inside of compiler 3 Next comes statements That is, syntactic

513 views • 32 slides
Implementation of the treatment of the scanner data in France Guillaume Rateau Head of the CPI

Implementation of the treatment of the scanner data in France Guillaume Rateau Head of the CPI

Implementation of the treatment of the scanner data in France Guillaume Rateau Head of the CPI methodology section May 2017 Introduction : project schedule since 2009 Solution studies, implementation of the IT system to treat scanner data

388 views • 26 slides
Scanner Data in the CPI: The Imputation CCDI Index Revisited Jan de Haan Statistics Netherlands

Scanner Data in the CPI: The Imputation CCDI Index Revisited Jan de Haan Statistics Netherlands

Scanner Data in the CPI: The Imputation CCDI Index Revisited Jan de Haan Statistics Netherlands EMG, chain drift and multilateral methods Lorraine Ivancic (2007) Scanner Data and the Construction of Price Indices PhD thesis, School of

1.14k views • 32 slides
Automatic scanner generation in MiniJava Symbol class We use the jflex tool to automatically

Automatic scanner generation in MiniJava Symbol class We use the jflex tool to automatically

Automatic scanner generation in MiniJava Symbol class We use the jflex tool to automatically create a scanner from a Lexemes are represented as instances of class Symbol specification file, Scanner/minijava.jflex class Symbol { (We use the CUP

458 views • 7 slides
Stellenbosch CT Scanner Facility What is CT scanning? Industrial X-ray Computed Tomography

Stellenbosch CT Scanner Facility What is CT scanning? Industrial X-ray Computed Tomography

Stellenbosch CT Scanner Facility What is CT scanning? Industrial X-ray Computed Tomography (CT) scanner Also known as microCT, X-ray tomography, microtomography, industrial CT, X-ray microscopy What is it? High resolution 3D imaging of

502 views • 19 slides
Uniscan Web Vulnerability Scanner Quem sou Nome: Douglas Poerschke Rocha Idade: 27 anos

Uniscan Web Vulnerability Scanner Quem sou Nome: Douglas Poerschke Rocha Idade: 27 anos

Uniscan Web Vulnerability Scanner Quem sou Nome: Douglas Poerschke Rocha Idade: 27 anos Formao: Graduando em cincia da computao O que o Uniscan Scanner de vulnerabilidades para aplicaes Web. Open source. Presente no

578 views • 30 slides
Scanner: Lexical Analysis Readings: EAC2 Chapter 2 EECS4302 M: Compilers and Interpreters

Scanner: Lexical Analysis Readings: EAC2 Chapter 2 EECS4302 M: Compilers and Interpreters

Scanner: Lexical Analysis Readings: EAC2 Chapter 2 EECS4302 M: Compilers and Interpreters Winter 2020 C HEN -W EI W ANG Scanner in Context Recall: Lexical Analysis Syntactic Analysis Semantic Analysis Source Program pretty printed AST 1

787 views • 68 slides
Nondeterministic Finite Automata (NFA) CS 536 Previous Lecture Scanner: converts a sequence of

Nondeterministic Finite Automata (NFA) CS 536 Previous Lecture Scanner: converts a sequence of

Nondeterministic Finite Automata (NFA) CS 536 Previous Lecture Scanner: converts a sequence of characters to a sequence of tokens Scanner implemented using FSMs FSM: DFA or NFA This Lecture NFAs from a formal perspective Theorem: NFAs and

577 views • 30 slides
Project1: Build A Small Scanner/Parser Introducing Lex, Yacc, and POET cs5363 1 Project1:

Project1: Build A Small Scanner/Parser Introducing Lex, Yacc, and POET cs5363 1 Project1:

Project1: Build A Small Scanner/Parser Introducing Lex, Yacc, and POET cs5363 1 Project1: Building A Scanner/Parser Parse a subset of the C language Support two types of atomic values: int float Support one type of compound

904 views • 30 slides

More recommend