Wednesday, September 21, 2011

Web Application Security Testing - beyond black box testing

At the recent OWASP conference held in Israel, I was introduced to an additional approach to web application security testing: glass box testing.

Until now I was mostly familiar with black box security testing and white box security testing.
As an example of each: black box security testing focuses on changing values that are known to the browser or exposed via a web service,
e.g. changing a URL parameter:
From: http://www.google.com/search?q=text_to_search&ie=utf-8
To: http://www.google.com/search?q=SOME_HACKED_CODE&ie=utf-8

Obviously this approach is often limited to modifying data that is exposed to the client.

White box testing focuses on finding vulnerabilities at the code level, sometimes regardless of whether they are reachable from the UI (e.g. static code analysis).
This approach often finds vulnerabilities that would be hard to detect with black box testing, since the entire code flow is exposed and not only the external interface.

Glass box testing is essentially black box testing augmented with the detection power of white box testing.

Imagine a black box testing agent that receives hints from an internal agent (running inside the server) about the parameters and values it should use in order to penetrate the system.
The black box agent, armed with this internal information, then performs those tests and reports any findings.
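To make the hint loop concrete, here is a toy model I wrote for this post (it is not code from the presentation): a hypothetical request handler with one instrumented SQL sink, an in-server agent that records which parameter reached that sink, and a scanner that either probes every visible parameter (black box) or only the ones the agent reported (glass box). The URL, parameter names and canary string are all constructed.

```python
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# --- Server side: hypothetical app with an instrumented ("glass box") sink ---
class InternalAgent:
    """In-server agent: records which request parameter fed which sink."""
    def __init__(self):
        self.hints = set()          # {(param_name, sink_name)}

AGENT = InternalAgent()

def sql_sink(value, param):
    """Instrumented sink: the agent notes that `param` reached SQL building."""
    AGENT.hints.add((param, "sql"))
    return f"SELECT * FROM docs WHERE name = '{value}'"   # deliberately unescaped

def handle_request(url):
    """Hypothetical handler: 'q' reaches the SQL sink, 'ie' never does."""
    q = parse_qs(urlparse(url).query)
    q.get("ie", ["utf-8"])          # encoding parameter, only read, never used in SQL
    return sql_sink(q.get("q", [""])[0], "q")

# --- Scanner side ------------------------------------------------------------
CANARY = "gb'canary"   # benign marker; surviving unescaped means input reached SQL raw

def with_param(url, param, value):
    """Rebuild `url` with one query parameter replaced."""
    parts = urlparse(url)
    q = parse_qs(parts.query)
    q[param] = [value]
    return urlunparse(parts._replace(query=urlencode(q, doseq=True)))

def black_box_plan(url):
    """Black box: every client-visible parameter is a candidate."""
    return sorted(parse_qs(urlparse(url).query))

def glass_box_plan(url):
    """Glass box: crawl once, then keep only parameters the agent saw reach a sink."""
    AGENT.hints.clear()
    handle_request(url)
    return sorted(p for p, _sink in AGENT.hints)

def probe(url, param):
    """Send the canary in `param`; True if it reached the SQL text unescaped."""
    return CANARY in handle_request(with_param(url, param, CANARY))

def scan(url, plan):
    """Run a plan; return (parameters reaching SQL unescaped, probes sent)."""
    candidates = plan(url)
    return [p for p in candidates if probe(url, p)], len(candidates)
```

Both plans report the same finding, but the glass box plan reaches it with half the probes because the internal agent already ruled out the parameter that never touches the sink.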

Further reading, including examples and references, can be found in Omri Weisman's (IBM) presentation.
