7.
Review flow
Architecture Review
Scoping
Footprinting
Discovery
Enumeration & Profiling
Security Controls & Cases
Vulnerability Assessment
Threat Modeling
Mitigation strategies
Reporting
Sample Security Control Categories – Authentication,
Access Controls/Authorization, API misuse, Path traversal,
Sensitive information leakage, Error handling, Session management,
Protocol abuse, Input validations, Cross Site Scripting (XSS),
Cross Site Request Forgery (CSRF), Logic bypass, Insecure crypto,
Denial of Services, Malicious Code Injection, SQL injection,
XPATH and LDAP injections, OS command injection,
Parameter manipulations, Bruteforce, Buffer Overflow,
Format string, HTTP response splitting, HTTP replay,
XML injection, Canonicalization, Logging and auditing.
8.
Challenges
• Technology fingerprinting
• Hidden calls
• Framework integration
• Multiple entry points
• Traditional fuzzing will not work
• Automated assessment can be a challenge
• Behavioral assessment with Artificial Intelligence
9.
Whitebox
Identified threats
Identifying configuration and code blocks
Configuration review / Code review
Security control
Vulnerability detection
10.
Review flow
Architecture Review
Scoping
Threat Modeling
Code Enumeration
Security Controls & Cases
Entry Point Discoveries
Class, Function & Variable Tracing
Code Mapping and Functionality
Vulnerability Detection
Mitigation Controls
Reporting
11.
Defense
Vulnerabilities
Identifying configuration and code blocks
Code controls / Configuration locks
Defense strategies and policies
Content filtering
12.
Challenges
• JavaScript code analysis
• Logic on Client
• Reverse engineering on code – Flash, Silverlight or Ajax
• Server side issues and source code analysis
• Web Services are a major concern, and so is the security of their source
13.
Challenges
• Filtering required for different streams
• Code security on client side is needed as well
• Browser and DOM security
• Web application firewall – web 2.0 stream protection
• Overall new approach for entry point analysis
14.
Web 2.0 Challenges
• How to identify possible hosts running the application? – Cross Domain.
• Identifying Ajax and RIA calls
• Dynamic DOM manipulations points
• Identifying XSS and XSRF vulnerabilities for Web 2.0
• Discovering back end Web Services - SOAP, XML-RPC or REST.
• How to fuzz XML and JSON structures?
• Web Services assessment and audit
• Client side code review
• Mashup and networked application points
15.
WhiteBox vs. BlackBox
• Scope of coverage
– The blackbox method uses crawling and spidering to determine all possible resources.
– Application assets reside in JavaScript and various other tags in HTML; this makes asset detection very difficult, and the blackbox approach fails in many cases.
– With a whitebox approach, not a single line of code is missed and the scope can be covered at 100%. Whitebox does a much better job when it comes to covering the scope of the source.
16.
WhiteBox vs. BlackBox
• Discovery and Detection
– Blackbox testing uses signature analysis for vulnerability detection. For example, it looks for ODBC errors to detect SQL injection, and so on.
– If errors are missing …
– Blackbox fails in those cases
– Whitebox is good to go
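The contrast on this slide, as an added example that is not part of the original deck: a signature-based blackbox check only fires when a database error string leaks into the response, while a whitebox check reads the source and flags a query assembled from input no matter what the server returns. The handler source, the error signatures and the two responses are constructed for the demo; the hypothetical handler swallows its database exception, so the blackbox signature never sees an error.

```python
import ast
import re

# Blackbox side: signature matching on the HTTP response body.
# Constructed list of common database error fragments.
ERROR_SIGNATURES = re.compile(
    r"(ODBC|SQL syntax|OLE DB|ORA-\d{5}|Unclosed quotation mark)", re.I)

def blackbox_flags(response_body: str) -> bool:
    """True only if a recognisable database error leaks into the page."""
    return bool(ERROR_SIGNATURES.search(response_body))

# Whitebox side: walk the AST and flag execute() calls whose query text is
# built dynamically (concatenation, %-formatting, str.format, f-string).
class DynamicQueryFinder(ast.NodeVisitor):
    def __init__(self):
        self.findings = []  # (line number, reason)

    def visit_Call(self, node):
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr == "execute" and node.args:
            q = node.args[0]
            if isinstance(q, ast.JoinedStr):
                self.findings.append((node.lineno, "f-string query"))
            elif isinstance(q, ast.BinOp) and isinstance(q.op, (ast.Add, ast.Mod)):
                self.findings.append((node.lineno, "concatenated/formatted query"))
            elif (isinstance(q, ast.Call) and isinstance(q.func, ast.Attribute)
                  and q.func.attr == "format"):
                self.findings.append((node.lineno, "str.format query"))
        self.generic_visit(node)

def whitebox_findings(source: str):
    """Return every execute() call whose query is not a plain literal."""
    finder = DynamicQueryFinder()
    finder.visit(ast.parse(source))
    return finder.findings

# Constructed sample handler: line 4 concatenates input into the query but the
# except block hides the error; line 9 uses a parameterised query and is clean.
SAMPLE_SOURCE = '''
def lookup(cur, user_id):
    try:
        cur.execute("SELECT name FROM users WHERE id = " + user_id)
    except Exception:
        return "Not found"

def lookup_safe(cur, user_id):
    cur.execute("SELECT name FROM users WHERE id = %s", (user_id,))
'''
SILENT_RESPONSE = "<html><body>Not found</body></html>"
NOISY_RESPONSE = "Microsoft OLE DB Provider for ODBC Drivers error '80040e14'"
```

Against SILENT_RESPONSE the blackbox check returns False, yet whitebox_findings(SAMPLE_SOURCE) still reports line 4, which is the "errors are missing" case the slide describes.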
17.
WhiteBox vs. BlackBox
• Accuracy of Vulnerability
– Accuracy of vulnerability detection is very important as well.
– Blackbox is inaccurate in some cases
– It comes up with false positives/negatives
18.
WhiteBox vs. BlackBox
• Cause Identification
– One of the major challenges is to identify the actual cause of the vulnerability.
– Blackbox shows symptoms
– Whitebox can pin point the cause