make my day – just run a web scanner toshinari kureha and erik klein fortify software countering...
TRANSCRIPT
![Page 1: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/1.jpg)
Make My Day – Just Run A Web Scanner
Toshinari Kureha and Erik KleinFortify Software
Countering the faults of typical web scanners through bytecode injection
![Page 2: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/2.jpg)
Agenda Problems With Black Box Testing
Approaches To Finding Security Issues 4 Problems With Black Box Testing
Solution:WhiteBox Testing With ByteCode Injection The Solution Demo Of Solution Building The Solution
Q&A
![Page 3: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/3.jpg)
Current Practice
![Page 4: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/4.jpg)
Current Practice
How Do You Find Security Issues? Looking at architectural / design documents Looking at the source code
Static Analysis
Looking at a running application Dynamic Analysis
![Page 5: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/5.jpg)
Current Practice Static Analysis
Analysis Of Source Code and Configuration Files Manual Source Code Reviews Automated Tools
Commercial Static Analysis Tools Fortify Software Klocwork Ounce Labs
![Page 6: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/6.jpg)
Current Practice Dynamic Analysis
Testing & Analysis Of Running Application Find Input; Fuzz Input Analyze Response
Manual Web Scanning Automated Web Scanning
Cenzic SPIDynamics (HP) Watchfire (IBM) Paros (Open Source)
![Page 7: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/7.jpg)
Current Practice
Some People Use Automated Web Scanners Because They Can Be…
Easy To Run Fast To Run (sometimes) “Someone Told Me To”
![Page 8: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/8.jpg)
Dynamic Analysis Demo
![Page 9: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/9.jpg)
Web Scanner Review Good
Found Real Vulnerabilities Was Easy To Run
“Did I Do A Good Job?”
![Page 10: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/10.jpg)
Question 1: How Thorough Was My Test?
Do You Know How Much Of Your Application Was Tested?
0%
5%
10%
15%
20%
25%
30%
35%
40%
No Idea Veryuncertain
Could guesswithin 30%
Could guesswithin 15%
Extremelyconfident
![Page 11: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/11.jpg)
Question 1: How Thorough Was My Test?
How Much Of The Application Do You Think You Tested?
0%
10%
20%
30%
40%
50%
0-20% of theApplication
21-40 41-60 61-80 81-100
![Page 12: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/12.jpg)
Truth About Thoroughness We ran a Very Well Known Commercial Product
Scanner on the following Open Source Apps:Application EMMA Code Coverage Tool Web Source
HacmeBooks 34% classes
12% blocks
14% lines
30.5%
JCVS Web 45% classes
19% blocks
22% lines
31.2%
Java PetStore 2 70% classes
20% blocks
23% lines
18%
![Page 13: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/13.jpg)
Web Scanner Review Good
Found Real Vulnerabilities Was Easy To Run
Bad1. How Thorough Was My Test?
No Way To Tell, And Actual Coverage Is Often Low
2. 3. 4.
![Page 14: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/14.jpg)
Question 2: Did I Find All Vulnerabilities?
3 Ways To Fail1. Didn’t Test
2. Tested – But Couldn’t Conclude
3. Can’t Test
![Page 15: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/15.jpg)
1. Didn’t Test If The Web Scanner Didn’t Even Reach That
Area, It Cannot Test!
Question 2: Did I Find All Vulnerabilities?
TestedVulnerabilities Not Found
Untested
Vulnerabilities Found
Application
![Page 16: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/16.jpg)
Question 2: Did I Find All Vulnerabilities?
2. Tested, But Couldn’t Conclude Certain Classes Of Vulnerabilities Sometimes
Can Be Detected Through HTTP Response SQL Injection Command Injection LDAP Injection
![Page 17: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/17.jpg)
public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
ServletOutputStream out = res.getOutputStream(); String user = req.getParameter("user"); if(user != null) { try { String[] args = { "/bin/sh", "-c", "finger " + user }; Process p = Runtime.getRuntime().exec(args); BufferedReader fingdata = new BufferedReader(new InputStreamReader(p.getInputStream())); String line; while((line = fingdata.readLine()) != null) out.println(line); p.waitFor(); } catch(Exception e) { throw new ServletException(e); } } else { out.println("specify a user"); } …
![Page 18: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/18.jpg)
public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
ServletOutputStream out = res.getOutputStream(); String user = req.getParameter("user"); if(user != null) { try { String[] args = { "/bin/sh", "-c", “sendMail.sh " + user }; Process p = Runtime.getRuntime().exec(args); p.waitFor(); } catch(Exception e) { e.printStackTrace(System.err); } out.println(“Thank you note was sent”); } else { out.println("specify a user"); } …
![Page 19: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/19.jpg)
Question 2: Did I Find All Vulnerabilities?
3. Can’t Test Some Vulnerabilities Have No Manifestation In
Http Response
Application
LogFile
Client
I hope they’re not logging my CC# into
plaintext log file
cc num
cc num
“Your order will be processed in 2 days”
HTTP Response
![Page 20: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/20.jpg)
![Page 21: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/21.jpg)
Web Scanner Review Good
Found Real Vulnerabilities Was Easy To Run
Bad1. How Thorough Was My Test?
No Way To Tell, And Actual Coverage Is Often Low2. Did I Find All My Vulnerabilities?
Didn’t Test, Tested But Couldn’t Conclude, Can’t Test3. 4.
![Page 22: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/22.jpg)
Question 3: Are All The Results Reported True?
No Method Is Perfect Under What Circumstances Do Web
Scanners Report False Positives? Matching Signature On A Valid Page Matching Behavior On A Valid Page
![Page 23: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/23.jpg)
Question 3: Are All The Results Reported True? Matching Behavior On A Valid Page
“To determine if the application is vulnerable to SQL injection, try injecting an extra true condition into the WHERE clause… and if this query also returns the same …, then the application is susceptible to SQL injection” (from paper on Blind SQL Injection)
E.g. http://www.server.com/getCC.jsp?id=5
select ccnum from table where id=‘5’ http://www.server.com/getCC.jsp?id=5’ AND ‘1’=‘1
select ccnum from table where id=‘5’ AND ‘1’=‘1’
![Page 24: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/24.jpg)
Question 3: Are All The Results Reported True? E.g.
http://www.server.com/getCC.jsp?id=5 select ccnum from table where id=‘5’ Response:
“No match found” (No one with id “5”) http://www.server.com/getCC.jsp?id=5’ AND ‘1’=‘1
select ccnum from table where id=‘5\’ AND \‘1\’=\‘1’ Response
“No match found” (No one with id “5’ AND ‘1’=‘1”) All single quotes were escaped.
According To The Algorithm (“inject a true clause and look for same response”), This Is SQL Injection Vulnerability!
![Page 25: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/25.jpg)
Web Scanner Review Good
Found Real Vulnerabilities Was Easy To Run
Bad1. How Thorough Was My Test?
No Way To Tell, And Actual Coverage Is Often Low2. Did I Find All My Vulnerabilities?
Didn’t Test, Tested But Couldn’t Conclude, Can’t Test3. Are All The Results Reported True (False Positives)?
Susceptible To False Signature & Behavior Matching4.
![Page 26: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/26.jpg)
Question 4: How Do I Fix The Problem? Security Issues Must Be Fixed In Source Code Information Given By Web Scanners
URL Parameter General Vulnerability Description HTTP Request/Response
Ummm … what line of code?
![Page 27: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/27.jpg)
Question 4: How Do I Fix The Problem? Incomplete Vulnerability Report -> Bad Fixes Report:
Injecting “AAAAA…..AAAAA” Caused Application To Crash
Solution By Developers: ….
if (input.equals(“AAAAA…..AAAAA”))
return;
…..
![Page 28: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/28.jpg)
Web Scanner Review Good
Found Real Vulnerabilities Was Easy To Run
Bad1. How Thorough Was My Test?
No Way To Tell, And Actual Coverage Is Often Low2. Did I Find All My Vulnerabilities?
Didn’t Test, Tested But Couldn’t Conclude, Can’t Test3. Are All The Results Reported True (False Positives)?
Susceptible To Signature & Behavior Matching4. How Do I Fix The Problem?
No Source Code / Root Cause Information
![Page 29: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/29.jpg)
Attacking The ProblemsWhite Box Testing With
Bytecode Injection
![Page 30: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/30.jpg)
Agenda Problems With Black Box Testing
Approaches To Finding Security Issues 4 Problems With Black Box Testing
Solution:WhiteBox Testing With ByteCode Injection The Solution Building The Solution
Q&A
![Page 31: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/31.jpg)
Review…
WebScanner
Web App
Application Server
HTTP
Database
File System
OtherApps
and Proposal
VerifyResults Verify
ResultsVerify
ResultsVerify
ResultsWatch Result
![Page 32: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/32.jpg)
How Will Monitors Solve The Problems?
1. How Thorough Was My Test?
2. Did I Find All My Vulnerabilities?
3. Are All The Results Reported True?
4. How Do I Fix The Problem?
1. Monitors Inside Will Tell Which Parts Were Hit
2. Monitors Inside Detects More Vulnerabilities
3. Very Low False Positive By Looking At Source Of Vulnerabilities
4. Monitors Inside Can Give Root Cause Information
![Page 33: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/33.jpg)
How To Build The Solution
1. How Do You Inject The Monitors Inside The Application?
2. Where Do You Inject The Monitors Inside The Application?
3. What Should The Monitors Do Inside The Application?
![Page 34: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/34.jpg)
How Do You Inject The Monitors? Problem: How Do You Put The Monitors Into The
Application?
Assumption: You Do Not Have Source Code, Only Deployed Java / .NET Application
Solution: Bytecode Weaving AspectJ for Java AspectDNG for .NET
![Page 35: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/35.jpg)
How Does Bytecode Weaving Work?
Original.class
AspectJ New.class
New Code & Location Spec.
Similar process for .NET
![Page 36: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/36.jpg)
How Does Bytecode Weaving Work?List getStuff(String id) { List list = new ArrayList(); try {
String sql = “select stuff from mytable where id=‘” + id + “’”;JDBCstmt.executeQuery(sql);
} catch (Exception ex) {log.log(ex);
} return list;}
List getStuff(String id) { List list = new ArrayList(); try {
String sql = “select stuff from mytable where id=‘” + id + “’”;MyLibrary.doCheck(sql);JDBCstmt.executeQuery(sql);
} catch (Exception ex) {log.log(ex);
} return list;}
Before “executeQuery()”
Call “MyLibrary.doCheck()”
![Page 37: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/37.jpg)
Applying Byte-Code Injection To Enhance Security Testing
1. How Do You Inject The Monitors Inside The Application?
2. Where Do You Inject The Monitors Inside The Application?
3. What Should The Monitors Do Inside The Application?
![Page 38: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/38.jpg)
Where Do You Inject The Monitors?
1. All Web Inputs (Web Scan Should Hit Them All) request.getParameter, form.getBean
2. All Inputs (Not All Inputs Are Web) socket.getInputStream.read
3. All “Sinks” (All Security Critical Functions) Statement.executeQuery(String) – SQL Injection JNDI.lookup(String) – LDAP Injection (FileOutputStream|FileWriter).write(byte[]) …
![Page 39: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/39.jpg)
Applying Byte-Code Injection To Enhance Security Testing
1. How Do You Inject The Monitors Inside The Application?
2. Where Do You Inject The Monitors Inside The Application?
3. What Should The Monitors Do Inside The Application?
![Page 40: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/40.jpg)
What Should The Monitors Do?
1. Report Whether The Monitor Was Hit
2. Analyze The Content Of the Call For Security Issues
3. Report Code-Level Information About Where The Monitor Got Triggered
![Page 41: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/41.jpg)
aspect SQLInjection { pointcut sqlExec(String sql):call(ResultSet Statement.executeQuery(String)) && args(sql); before(String sql) : sqlExec(sql) { checkInjection(sql, thisJoinPoint); } void checkInjection(String sql, JoinPoint thisJoinPoint){
System.out.println("HIT:" + thisJoinPoint.getSourceLocation().getFileName() + thisJoinPoint.getSourceLocation().getLine());
if (count(sql, '\'')%2 == 1) { System.out.println("*** SQL Injection detected. SQL statement being executed as follows: “ + sql);
}…..
What Should The Monitors Do?
1) Report whether API was hit or not
2) Analyze The Content Of The API Call
3) Report Code-Level Information
![Page 42: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/42.jpg)
Proof Of Concept Running The Custom Solution
![Page 43: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/43.jpg)
With Additional Work on UI
![Page 44: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/44.jpg)
Coverage
![Page 45: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/45.jpg)
With Additional Work on UI
![Page 46: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/46.jpg)
Security Issues Detail
![Page 47: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/47.jpg)
Security Issues Detail – SQL Injection
![Page 48: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/48.jpg)
Security Issue Detail – Privacy Violation
![Page 49: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/49.jpg)
Conclusions – Web Scanners Good
Easy To Use Finding Smoking Gun
Bad Lack Of Coverage Information False Negative False Positive Lack Of Code-Level / Root Cause Information
![Page 50: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/50.jpg)
Conclusions – White Box Testing Bytecode Injection Requires Access To
Running Application In Exchange …
Gain Coverage Information Find More Vulnerabilities, More Accurately Determine Root Cause Information
![Page 51: Make My Day – Just Run A Web Scanner Toshinari Kureha and Erik Klein Fortify Software Countering the faults of typical web scanners through bytecode injection](https://reader036.vdocuments.us/reader036/viewer/2022081519/56649f355503460f94c5284b/html5/thumbnails/51.jpg)
Conclusions – Use Your Advantage
Attacker Defender
Time
Attempts
Security Knowledge
Access To Application