
Improving security scanning with GlassBox via code parts bypass

IP.com Disclosure Number: IPCOM000197672D
Publication Date: 2010-Jul-19
Document File: 4 page(s) / 49K

Publishing Venue

The IP.com Prior Art Database

Abstract

Many web applications use various techniques, such as CAPTCHA, in order to cripple malicious automated clients that aim to degrade the application's quality of service. However, as a by-product, these countermeasures also cripple automated vulnerability scanners, rendering their coverage capabilities ineffective. Our solution identifies crippling code parts and then dynamically bypasses them in a way that does not affect the application's logic. This ultimately allows black-box scanners to scan web applications that contain anti-automation measures fluently.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 35% of the total text.


Oftentimes, applications (e.g. Web Applications) employ code routines that serve a specific purpose that is foreign to the application's usage and behavior.

Mostly used as security mechanisms, these routines can hinder automatic security scanning and in some cases even prevent it.

A prime example of such a code routine would be a CAPTCHA ("Completely Automated Public Turing test to tell Computers and Humans Apart"). A CAPTCHA is a challenge/response test used to determine whether the responder is human. A server issues a CAPTCHA to the responder, which asks it to complete a test. For instance, a common type of CAPTCHA requires that the user type the letters of a distorted image, sometimes with the addition of an obscured sequence of letters or digits that appear on the screen.

When automatically scanning a site (in a security scan context), a CAPTCHA imposes some sort of user input. Since the scanner cannot fill in the CAPTCHA, user intervention is forced in order to complete a successful scan. When dealing with large scans and multiple CAPTCHAs, or when user intervention is not possible, the scan results may be incomplete and lacking compared to a manual audit.

By using runtime-analysis technology, it is possible to bypass specific code routines that may hinder or even prevent automatic scanning. While prompting for user input when scanning an application is possible, in large scans or when user intervention is needed repeatedly this might become tedious or even impossible. Changing the behavior of these routines or circumventing them altogether can produce better scan results by enabling and improving the automatic crawl/explore and testing phases, without any user intervention.

We suggest the following mechanism: when a scan is performed using runtime-analysis technology, the runtime-analysis agent will identify, either heuristically or by a set of rules, certain code parts/routines that should be bypassed. After identifying such code parts/routines, the runtime-analysis agent can then instrument these methods' return value (which is oftentimes a Boolean one) to always return true. This can be accomplished by instrumenting the very first/last instructions of the method.

The following code may be used to protect against automation attacks, using a CAPTCHA:

    if (!CaptchaValidate(request)) {
        return;
    }
    ..rest of code..

After identifying that CaptchaValidate is a CAPTCHA validation method, the runtime-analysis agent modifies the method's body as follows:

    boolean CaptchaValidate(Request request) {
        return true;
        ...
        ..rest of code..
    }

This alteration effectively bypasses the method's validation logic and enables scanning of the application without the need of (reoccurring) user interaction.

Recognizing the relevant code parts that should be disabled in an ideal "black-box" scanning scenario

We suggest the following general approaches for identification of CAPTCHA validation functions.

After the ident...
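As a worked illustration of the mechanism described above (a runtime-analysis agent that identifies a validation routine by a rule set and instruments its return value to always be true for the duration of a scan), here is an added Python example. It is not code from the disclosure or from GlassBox; the toy application, its Request object, the rule patterns and the RuntimeAgent class are all constructed for the example. The agent combines two heuristics the text mentions, a name pattern and a Boolean return type (read here from type annotations), records every check it skipped so the scan report can mark that validation as untested, and restores the original routines when the scan ends.

```python
import inspect
import re
import sys
import types


# --- Constructed toy application: a CAPTCHA gate in front of a handler ---

class Request:
    """Minimal stand-in for an HTTP request (constructed for the example)."""
    def __init__(self, params):
        self.params = params


def captcha_validate(request: Request) -> bool:
    # Constructed check: the request must carry the expected token; a
    # scanner that cannot read the distorted image never supplies it.
    return request.params.get("captcha") == "expected-token"


def captcha_image_render(text: str) -> bytes:
    # Name matches the rule but the return type is not Boolean, so the
    # agent must leave this routine alone (it is not a validation gate).
    return text.encode()


def handle_signup(request: Request) -> str:
    if not captcha_validate(request):
        return "blocked"
    return "signed-up"


# --- Constructed runtime-analysis agent ---

# Rule set (assumption): routine names that suggest an anti-automation check.
BYPASS_RULES = [re.compile(r"captcha", re.I), re.compile(r"is_?human", re.I)]


def _returns_bool(fn) -> bool:
    """Heuristic from the text: only Boolean-returning routines are candidates."""
    return inspect.signature(fn).return_annotation is bool


class RuntimeAgent:
    def __init__(self, module):
        self.module = module
        self.bypassed = {}   # name -> original function, for restore()
        self.skipped = []    # every validation call that was short-circuited

    def identify(self):
        """Apply the rule set to the module's functions."""
        found = []
        for name, obj in vars(self.module).items():
            if not isinstance(obj, types.FunctionType):
                continue
            if any(rule.search(name) for rule in BYPASS_RULES) and _returns_bool(obj):
                found.append(name)
        return found

    def instrument(self):
        """Replace each identified routine so it always returns True."""
        for name in self.identify():
            original = getattr(self.module, name)

            def always_true(*args, _name=name, **kwargs):
                self.skipped.append(_name)   # logged so the report can flag it
                return True

            self.bypassed[name] = original
            setattr(self.module, name, always_true)
        return list(self.bypassed)

    def restore(self):
        """Put the original validation logic back once the scan is over."""
        for name, original in self.bypassed.items():
            setattr(self.module, name, original)
        self.bypassed.clear()


def run_scan_demo():
    """Constructed end-to-end run: scanner request before, during and after instrumentation."""
    app = sys.modules[__name__]
    agent = RuntimeAgent(app)
    scanner_request = Request({"captcha": ""})    # scanner cannot solve the image
    before = handle_signup(scanner_request)        # 'blocked'
    bypassed = agent.instrument()                  # ['captcha_validate'] only
    during = handle_signup(scanner_request)        # 'signed-up'
    agent.restore()
    after = handle_signup(scanner_request)         # 'blocked' again
    return before, bypassed, during, after, list(agent.skipped)


if __name__ == "__main__":
    print(run_scan_demo())
```

The skipped list is the part a practitioner should keep: because the gate was short-circuited rather than exercised, the scan report must state that the CAPTCHA validation itself was not tested, and restore() guarantees the instrumented behaviour does not outlive the scan.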