Web Application Security Testing - beyond black box testing

In the recent OWASP convention which conducted Israel, I was exposed to an additional approach in Web Application Security testing - Glass Box testing.

Till now I was mostly familiar with black box security testing and white box security testing.

As an example for each, the black box security testing focus on changing values which are known to the browser, or exposed via web service.

e.g. changing URL parameter -

From: http://www.google.com/search?q=text_to_search&ie=utf-8   

To: http://www.google.com/search?q=SOME_HACKED_CODE&ie=utf-8

Obviously this approach is often limited to modification of data which exposed to the client.

 

The white box testing focuses on founding vulnerabilities on code level, sometimes - regardless the fact whether it is reachable by the UI or not (e.g. static code analysis).

This approach often finds vulnerabilities which would be hard to detect in black-box testing, since the entire code flow is exposed and not only the external interface.

The glass testing approach is actually empowerment of black-box testing with white-box testing detection power.

Imaging a black box testing agent that receive hints from internal agent (in the server) about possible parameters and values it should use in order to penetrate the system.

The black-box agent with the internal information then performs those tests and reports for any findings.

Further reading including examples and references could be found in Omri Weisman's (IBM) presentation.

Recommended reading book list

Most of the information I gain is being consumed from the internet.
There is no need to specify why the Internet is one of the best inventions ever, however, there is one drawback for it: It tend to make people less patience (in a sense of time, not tolerance toward each other..). It seems that the Internet reduces the amount of words people are willing to read.
If the article haven't reached its point in less then 2 minutes - than of we go to the next one..

I think it a common fact that all of the popular content platforms (forums, blogs, web sites,...) are not suited for long content. It's just not comfortable to read too much content via these platforms.

Therefore one can rarely see any long blog posts or articles.  If a certain topic requires in-depth content, then the content will often be migrated to other media type such as ppt or pdf files.



Having said that, I enjoy a good technical book where I can expend my knowledge beyond the 5 minute post with example.
Since I don't have much spare time I always consider cost-benefit tradeoff - whether a book will give me the benefits I expect in aspect to the time I will spend reading it.

The following list contains books which successfully pass the cost-benefit tradeoff test... I'll try to update it from time to time.



Burn Your Business Plan!: What Investors Really Want from Entrepreneurs, by David E. Gumpert - This book encourages out-of-the box not conventional thinking.
Highly recommended for new startups who want to focus on getting things done.
(amazon link)


Spring Security 3, by Peter Mularien - Very good step-by-step books regarding Spring Security 3

(amazon link)

Getting Real by 37signals - 16 chapters and 91 essays that highlight the 37Signal's philosophy about the way entrepreneurs, developers & designers should get the work done.


Rework , by Jason Fried & David Heinemeier Hansson - An agile approach for how business should run. Practical and also philosophical.