![Page 1: Make My Day – Just Run A Web Scanner · Agenda Problems With Black Box Testing Approaches To Finding Security Issues 4 Problems With Black Box Testing Solution:WhiteBox Testing](https://reader034.vdocuments.us/reader034/viewer/2022050406/5f83b01cf16c6a29cf7238d2/html5/thumbnails/1.jpg)
Make My Day – Just Run A Web Scanner
Toshinari Kureha, Fortify Software
Countering the faults of typical web scanners through bytecode injection
Agenda
- Problems With Black Box Testing
  - Approaches To Finding Security Issues
  - 4 Problems With Black Box Testing
- Solution: White Box Testing With Bytecode Injection
  - The Solution
  - Demo Of Solution
  - Building The Solution
- Q&A
Current Practice
Current Practice: How Do You Find Security Issues?
- Looking at architectural / design documents
- Looking at the source code (Static Analysis)
- Looking at a running application (Dynamic Analysis)
Current Practice: Dynamic Analysis
Testing and analysis of the running application: Find Input -> Fuzz Input -> Analyze Response
Commercial web scanners: Cenzic, SPI Dynamics, Watchfire
Current Practice: Most People Use Web Scanners Because…
- Easy To Run
- Fast To Run
- "Someone Told Me To"
Dynamic Analysis Demo
Web Scanner Review
Good: Found Real Vulnerabilities; Was Easy To Run
"Did I Do A Good Job?"
Question 1: How Thorough Was My Test? Do You Know How Much Of Your Application Was Tested?
Question 1: How Thorough Was My Test? How Much Of The Application Do You Think You Tested?
Truth About Thoroughness
We ran a "Version 7.0 Scanner" on the following applications and measured what it actually exercised with the EMMA code coverage tool:

    Application       Web Source   Classes   Blocks   Lines
    Java PetStore 2   18%          70%       20%      23%
    JCVS Web          31.2%        45%       19%      22%
    HacmeBooks        30.5%        34%       12%      14%
Web Scanner Review
Good: Found Real Vulnerabilities; Was Easy To Run
Bad: How Thorough Was My Test? No Way To Tell, And Actual Coverage Is Often Low
Question 2: Did I Find All Vulnerabilities? 3 Ways To Fail
- Didn't Test
- Tested, But Couldn't Conclude
- Can't Test
Question 2: Did I Find All Vulnerabilities? 1. Didn't Test
If the web scanner didn't even reach that area, it cannot test it!
[Diagram: the Application split into a Tested region (Vulnerabilities Found) and an Untested region (Vulnerabilities Not Found)]
Question 2: Did I Find All Vulnerabilities? 2. Tested, But Couldn't Conclude
Certain classes of vulnerabilities can only sometimes be detected through the HTTP response: SQL Injection, Command Injection, LDAP Injection. The two servlets that follow carry the same command injection flaw; in the first the command's output is returned to the client, in the second it is not.
    import java.io.BufferedReader;
    import java.io.IOException;
    import java.io.InputStreamReader;
    import javax.servlet.ServletException;
    import javax.servlet.ServletOutputStream;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    // Deliberately vulnerable: "user" is concatenated into a shell command line.
    // The command's output is echoed into the HTTP response, so the output of an
    // injected command comes back to the client and a scanner can observe it.
    public void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        ServletOutputStream out = res.getOutputStream();
        String user = req.getParameter("user");
        if (user != null) {
            try {
                String[] args = { "/bin/sh", "-c", "finger " + user };
                Process p = Runtime.getRuntime().exec(args);
                BufferedReader fingdata = new BufferedReader(
                        new InputStreamReader(p.getInputStream()));
                String line;
                while ((line = fingdata.readLine()) != null)
                    out.println(line);
                p.waitFor();
            } catch (Exception e) {
                throw new ServletException(e);
            }
        } else {
            out.println("specify a user");
        }
        …
    }
    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.ServletOutputStream;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    // Same flaw, but the command's output is discarded and errors are only
    // logged to stderr: the response is "Thank you note was sent" for every
    // input, so a scanner has nothing to conclude from. The injected command
    // still runs.
    public void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        ServletOutputStream out = res.getOutputStream();
        String user = req.getParameter("user");
        if (user != null) {
            try {
                String[] args = { "/bin/sh", "-c", "sendMail.sh " + user };
                Process p = Runtime.getRuntime().exec(args);
                p.waitFor();
            } catch (Exception e) {
                e.printStackTrace(System.err);
            }
            out.println("Thank you note was sent");
        } else {
            out.println("specify a user");
        }
        …
    }
Question 2: Did I Find All Vulnerabilities? 3. Can't Test
Some vulnerabilities have no manifestation in the HTTP response.
[Diagram: the Client sends its cc num to the Application; the Application writes the cc num to a plaintext Log File and returns the HTTP Response "Your order will be processed in 2 days". Client: "I hope they're not logging my CC# into a plaintext log file".]
The response is the same whether or not the number was logged, so there is nothing at the HTTP boundary for a scanner to observe.
![Page 20: Make My Day – Just Run A Web Scanner · Agenda Problems With Black Box Testing Approaches To Finding Security Issues 4 Problems With Black Box Testing Solution:WhiteBox Testing](https://reader034.vdocuments.us/reader034/viewer/2022050406/5f83b01cf16c6a29cf7238d2/html5/thumbnails/20.jpg)
Web Scanner Review Good
Found Real Vulnerabilities Was Easy To Run
Bad How Thorough Was My Test?
No Way To Tell, And Actual Coverage Is Often Low Did I Find All My Vulnerabilities?
Didn’t Test, Tested But Couldn’t Conclude, Can’t Test
Question 3: Are All The Results Reported True?
No method is perfect. Under what circumstances do web scanners report false positives?
- Matching Signature On A Valid Page
- Matching Behavior On A Valid Page
Question 3: Are All The Results Reported True? Matching Signature On A Valid Page
[Screenshot: the text pattern the scanner treats as the signature of a vulnerability also occurs on a legitimate page.]
Question 3: Are All The Results Reported True? Matching Behavior On A Valid Page
"To determine if the application is vulnerable to SQL injection, try injecting an extra true condition into the WHERE clause… and if this query also returns the same …, then the application is susceptible to SQL injection" (from a paper on Blind SQL Injection)
E.g.
    http://www.server.com/getCC.jsp?id=5
    select ccnum from table where id='5'
    http://www.server.com/getCC.jsp?id=5' AND '1'='1
    select ccnum from table where id='5' AND '1'='1'
Question 3: Are All The Results Reported True? E.g. (continued)
    http://www.server.com/getCC.jsp?id=5
    select ccnum from table where id='5'
    Response: "No match found" (no one with id "5")
    http://www.server.com/getCC.jsp?id=5' AND '1'='1
    select ccnum from table where id='5\' AND \'1\'=\'1'
    Response: "No match found" (no one with id "5' AND '1'='1"); all single quotes were escaped.
According to the algorithm ("inject a true clause and look for the same response"), this is a SQL injection vulnerability! The heuristic cannot tell "the injected condition was true" apart from "the escaped input matched nothing": both give the same response, so a safely escaped query is reported as injectable.
Web Scanner Review
Good: Found Real Vulnerabilities; Was Easy To Run
Bad:
- How Thorough Was My Test? No Way To Tell, And Actual Coverage Is Often Low
- Did I Find All My Vulnerabilities? Didn't Test, Tested But Couldn't Conclude, Can't Test
- Are All The Results Reported True? Susceptible To False Signature & Behavior Matching
Question 4: How Do I Fix The Problem?
Security issues must be fixed in source code. Information given by the scanner:
- URL
- Parameter
- General Vulnerability Description
- HTTP Request/Response
But where in my source code should I look?
Question 4: How Do I Fix The Problem? Incomplete Vulnerability Report -> Bad Fixes
Report: Injecting "AAAAA…..AAAAA" caused the application to crash
Solution by developers:
    ….
    if (input.equals("AAAAA…..AAAAA")) return;
    …..
The fix rejects the one payload named in the report and leaves the cause of the crash untouched.
Web Scanner Review
Good: Found Real Vulnerabilities; Was Easy To Run
Bad:
- How Thorough Was My Test? No Way To Tell, And Actual Coverage Is Often Low
- Did I Find All My Vulnerabilities? Didn't Test, Tested But Couldn't Conclude, Can't Test
- Are All The Results Reported True? Susceptible To Signature & Behavior Matching
- How Do I Fix The Problem? No Source Code / Root Cause Information
Attacking The Problems: White Box Testing With Bytecode Injection
Review… and Proposal
[Diagram: the Web Scanner reaches the Web Application only over HTTP and can do no more than watch the result there. Inside, the application runs in an Application Server and talks to a Database, the File System and Other Apps. Proposal: verify results at each of those points (Application Server, Database, File System, Other Apps) instead of only watching the HTTP result from outside.]
How Will Monitors Solve The Problems?
- How Thorough Was My Test? Monitors inside will tell which parts were hit.
- Did I Find All My Vulnerabilities? Monitors inside detect more vulnerabilities.
- Are All The Results Reported True? Very low false positives, by looking at the source of the vulnerabilities.
- How Do I Fix The Problem? Monitors inside can give root cause information.
How To Build The Solution
- How do you inject the monitors inside the application?
- Where do you inject the monitors inside the application?
- What should the monitors do inside the application?
How Do You Inject The Monitors?
Problem: How do you put the monitors into the application?
Assumption: You do not have source code, only the deployed Java / .NET application.
Solution: Bytecode weaving: AspectJ for Java, AspectDNG for .NET
How Does Bytecode Weaving Work?
[Diagram: Original.class + New Code & Location Spec. -> AspectJ -> New.class]
Similar process for .NET
How Does Bytecode Weaving Work?

Original (before weaving):

    List getStuff(String id) {
        List list = new ArrayList();
        try {
            String sql = "select stuff from mytable where id='" + id + "'";
            JDBCstmt.executeQuery(sql);
        } catch (Exception ex) {
            log.log(ex);
        }
        return list;
    }

Location spec: before "executeQuery()", call "MyLibrary.doCheck()"

Result (after weaving):

    List getStuff(String id) {
        List list = new ArrayList();
        try {
            String sql = "select stuff from mytable where id='" + id + "'";
            MyLibrary.doCheck(sql);   // inserted by the weaver
            JDBCstmt.executeQuery(sql);
        } catch (Exception ex) {
            log.log(ex);
        }
        return list;
    }
Bytecode Injection Demo
Applying Byte-Code Injection To Enhance Security Testing
- How do you inject the monitors inside the application?
- Where do you inject the monitors inside the application?
- What should the monitors do inside the application?
Where Do You Inject The Monitors?
- All web inputs (my web scan should hit all of them): request.getParameter, form.getBean
- All inputs (not all inputs are web): socket.getInputStream().read
- All "sinks" (all security-critical functions): Statement.executeQuery(String), (FileOutputStream|FileWriter).write(byte[]), …
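The credit-card-in-the-log case under "Can't Test" is the one a scanner cannot reach, and the placement above (monitor the web inputs, monitor the file-write sink) is what catches it. The following is an added example, not code from the talk or from Fortify: the input monitor records every request value, and a hook installed in front of the logging sink reports when one of those values that passes a Luhn check is written to the log file, together with the file and line of the logging call. The handler, the log line and the card number are constructed for the demo, and patching logging.StreamHandler.emit stands in for weaving a "before FileWriter.write" advice into the bytecode.

```python
"""Added example (not from the talk): an order handler that writes the card
number it received to a plaintext log.  The HTTP response is the same whether
the number is logged or masked, so the response tells a scanner nothing; a
monitor on the web inputs plus one hooked before the log-file write sees it.
Handler, log text and card number are constructed for this demo."""
import logging
import os
import tempfile

TAINTED = []    # input monitor: values that crossed the web boundary this request
FINDINGS = []   # sink monitor: (file, line, text written to the log)

def get_parameter(params, name):
    """Analogue of the monitor on request.getParameter(): record the value."""
    value = params.get(name, "")
    TAINTED.append(value)
    return value

def luhn_ok(digits):
    """Luhn checksum, so a 16-digit order id is not reported as a card number."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def looks_like_pan(value):
    digits = value.replace(" ", "").replace("-", "")
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)

# Sink monitor.  Patching StreamHandler.emit (FileHandler inherits it) is the
# Python stand-in for weaving "before FileWriter.write(...)" into the bytecode:
# the application's own logging calls are untouched.
_original_emit = logging.StreamHandler.emit

def monitored_emit(self, record):
    text = self.format(record)
    for value in TAINTED:
        if value and value in text and looks_like_pan(value):
            # record.pathname/lineno is the code-level location a black-box
            # report cannot give (cf. thisJoinPoint.getSourceLocation()).
            FINDINGS.append((os.path.basename(record.pathname), record.lineno, text))
    return _original_emit(self, record)

logging.StreamHandler.emit = monitored_emit

def place_order(logger, params, masked):
    """Toy order handler.  masked=False logs the full number (the privacy
    violation from the slide); masked=True logs only the last four digits."""
    TAINTED.clear()
    cc = get_parameter(params, "ccnum")
    logger.info("order placed, card %s", "****" + cc[-4:] if masked else cc)
    return "Your order will be processed in 2 days"

def compare(masked):
    """What the scanner sees (the response) vs what the monitor sees."""
    path = os.path.join(tempfile.mkdtemp(), "app.log")
    logger = logging.getLogger("orders:" + path)
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.FileHandler(path)
    logger.addHandler(handler)
    FINDINGS.clear()
    response = place_order(logger, {"ccnum": "4111 1111 1111 1111"}, masked)  # constructed test PAN
    handler.close()
    with open(path) as f:
        log_text = f.read()
    return {"response": response, "findings": list(FINDINGS), "log": log_text}

if __name__ == "__main__":
    for masked in (False, True):
        r = compare(masked)
        print("masked=%s response=%r findings=%s" % (masked, r["response"], r["findings"]))
```

Both variants return the identical "Your order will be processed in 2 days"; only the monitor's findings differ, and each finding names the module and line of the logging call, which is the root-cause information Question 4 asks for.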
Applying Byte-Code Injection To Enhance Security Testing
- How do you inject the monitors inside the application?
- Where do you inject the monitors inside the application?
- What should the monitors do inside the application?
What Should The Monitors Do?
- Report whether the monitor was hit
- Analyze the content of the call for security issues
- Report code-level information about where the monitor got triggered
What Should The Monitors Do? An AspectJ monitor in front of Statement.executeQuery:

    import java.sql.ResultSet;
    import java.sql.Statement;
    import org.aspectj.lang.JoinPoint;

    aspect SQLInjection {
        // every call site of Statement.executeQuery(String); bind the SQL text
        pointcut sqlExec(String sql) :
            call(ResultSet Statement.executeQuery(String)) && args(sql);

        before(String sql) : sqlExec(sql) {
            checkInjection(sql, thisJoinPoint);
        }

        void checkInjection(String sql, JoinPoint thisJoinPoint) {
            // 1) the monitor was hit, and 3) where: source file and line of the call
            System.out.println("HIT:" + thisJoinPoint.getSourceLocation().getFileName()
                    + ":" + thisJoinPoint.getSourceLocation().getLine());
            // 2) analyze the call: an odd number of single quotes means a quote
            //    from the input broke out of a string literal
            if (count(sql, '\'') % 2 == 1) {
                System.out.println("*** SQL Injection detected. SQL statement being executed as follows: " + sql);
            }
            …
        }

        static int count(String s, char c) {
            int n = 0;
            for (int i = 0; i < s.length(); i++) if (s.charAt(i) == c) n++;
            return n;
        }
    }

1) Report whether the API was hit or not
2) Analyze the content of the API call
3) Report code-level information
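The escaped-quote false positive under Question 3 and the aspect above come down to what a check can see: the HTTP response, or the SQL string actually handed to the database. The following is an added example, not code from the talk or from Fortify. It runs the scanner's response-comparison rule and an in-app sink monitor against the same toy getCC handler in two variants, with Python's sqlite3 standing in for JDBC, a constructed cards table and constructed payloads. The sink hook is installed through sqlite3's cursor factory (the application code stays unchanged, as with weaving) and records the calling file and line; its analysis step replaces the aspect's odd-quote-count test with a structural check, kept in odd_quote_count for comparison: the tainted input must land inside a single string literal, which also catches the balanced 5' AND '1'='1 payload and numeric-context injection.

```python
"""Added example (not from the talk): the blind-SQL-injection heuristic a
scanner applies from outside versus a monitor hooked in front of the
database sink.  sqlite3 stands in for JDBC; the cards table, the getCC
handlers and the payloads are constructed for this demo."""
import sqlite3
import sys

TAINTED = []    # input monitor: values that came through request.getParameter
HITS = []       # sink monitor: (file, line, sql) for every execute() call
FINDINGS = []   # sink monitor: hits judged to be SQL injection

def get_parameter(params, name):
    """Analogue of the monitor on request.getParameter(): record the value."""
    value = params.get(name, "")
    TAINTED.append(value)
    return value

def literal_spans(sql, escape="''"):
    """(open, close) quote indexes of each single-quoted string literal.
    escape: "''" (SQL standard, sqlite) or "\\'" (backslash, as on the slide)."""
    spans, i = [], 0
    while i < len(sql):
        if sql[i] != "'":
            i += 1
            continue
        start, i = i, i + 1
        while i < len(sql):
            if escape == "\\'" and sql[i] == "\\":
                i += 2
                continue
            if sql[i] == "'":
                if escape == "''" and sql[i + 1:i + 2] == "'":
                    i += 2
                    continue
                break
            i += 1
        spans.append((start, i))
        i += 1
    return spans

def odd_quote_count(sql):
    """The aspect's own test: an odd number of quotes means one broke out."""
    return sql.count("'") % 2 == 1

def is_injection(sql, tainted, escape="''"):
    """Structural test: the input reached the SQL verbatim and no occurrence
    sits wholly inside one string literal (or stands alone as a bare number).
    Catches 5' AND '1'='1 (balanced quotes) and 5 OR 1=1 (numeric context);
    escaped input never matches verbatim, so it is not flagged."""
    if not tainted:
        return False
    spans = literal_spans(sql, escape)
    pos = sql.find(tainted)
    while pos != -1:
        end = pos + len(tainted)
        inside_literal = any(s < pos and end <= e for s, e in spans)
        bare_number = tainted.isdigit() and not (
            sql[pos - 1:pos].isalnum() or sql[end:end + 1].isalnum())
        if inside_literal or bare_number:
            return False
        pos = sql.find(tainted, pos + 1)
    return sql.find(tainted) != -1

class MonitoredCursor(sqlite3.Cursor):
    """Stand-in for weaving 'before executeQuery(): doCheck()' into the bytecode."""
    def execute(self, sql, params=()):
        frame = sys._getframe(1)                        # the application frame
        where = (frame.f_code.co_filename, frame.f_lineno)
        HITS.append(where + (sql,))                     # 1) hit, 3) location
        if any(is_injection(sql, v) for v in TAINTED):  # 2) analyze the call
            FINDINGS.append(where + (sql,))
        return super().execute(sql, params)

def get_cc(conn, params, escape_quotes):
    """Toy getCC.jsp built by concatenation.  escape_quotes=True escapes the
    way the slide's second example does (parameterised SQL is the real fix)."""
    TAINTED.clear()
    value = get_parameter(params, "id")
    if escape_quotes:
        value = value.replace("'", "''")
    sql = "select ccnum from cards where id='" + value + "'"
    try:
        row = conn.cursor(factory=MonitoredCursor).execute(sql).fetchone()
    except sqlite3.Error:
        return "Error"
    return row[0] if row else "No match found"

def blind_scan(handler, ident):
    """The rule quoted on the slide: append a true condition and report
    injection if the response is unchanged."""
    return handler({"id": ident}) == handler({"id": ident + "' AND '1'='1"})

def compare(escape_quotes, ident):
    """Scanner verdict vs monitor verdict for one handler variant and one id."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table cards (id text, ccnum text)")
    conn.execute("insert into cards values ('1', '4111111111111111')")  # constructed row
    FINDINGS.clear()
    scanner = blind_scan(lambda p: get_cc(conn, p, escape_quotes), ident)
    return {"scanner": scanner, "monitor": bool(FINDINGS), "sql": HITS[-1][2]}
```

compare(True, "5") reproduces the slide: id 5 does not exist, the escaping handler answers "No match found" to both probes, so the scanner reports injection while the monitor, looking at the SQL that was really executed, does not. compare(False, "1") is the true positive both agree on, and compare(True, "1") is the case neither flags. Each entry in HITS and FINDINGS carries the file and line of the execute call, which is the root-cause information the report needs.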
Proof Of Concept: Running The Custom Solution
[Screenshot: With Additional Work on UI]
[Screenshot: Coverage]
[Screenshot: With Additional Work on UI]
[Screenshot: Security Issues Detail]
[Screenshot: Security Issues Detail – SQL Injection]
[Screenshot: Security Issue Detail – Privacy Violation]
Conclusions – Web Scanners
Good: Easy To Use; Finding The Smoking Gun
Bad: Lack Of Coverage Information; False Negatives; False Positives; Lack Of Code-Level / Root Cause Information
Conclusions – White Box Testing
Bytecode injection requires access to the running application. In exchange, you:
- Gain coverage information
- Find more vulnerabilities, more accurately
- Determine root cause information
Conclusions – Use Your Advantage
[Diagram comparing Defender and Attacker on four axes: Access To Application, Security Knowledge, Attempts, Time]
Thank You. Questions?
Email: tkureha at fortifysoftware.com