In the recent OWASP convention which conducted Israel, I was exposed to an additional approach in Web
Application Security testing - Glass Box testing.
Till now I was mostly familiar with black box security
testing and white box security testing.
As an example for each, the black box security testing focus on
changing values which are known to the browser, or exposed via web service.
e.g. changing URL parameter -
From: http://www.google.com/search?q=text_to_search&ie=utf-8
To: http://www.google.com/search?q=SOME_HACKED_CODE&ie=utf-8
Obviously this approach is often limited to modification of data
which exposed to the client.
The white box testing focuses on founding vulnerabilities on code
level, sometimes - regardless the fact whether it is reachable by the UI or not
(e.g. static code analysis).
This approach often finds vulnerabilities which would be hard to
detect in black-box testing, since the entire code flow is exposed and not only
the external interface.
The glass testing approach is actually empowerment of black-box
testing with white-box testing detection power.
Imaging a black box testing agent that receive hints from internal
agent (in the server) about possible parameters and values it should use in
order to penetrate the system.
The black-box agent with the internal information then performs
those tests and reports for any findings.
Further reading including examples and references could be found in Omri
Weisman's (IBM) presentation.
No comments :
Post a Comment