
Use of web-application deployment to install and operate a Glassbox scanning solution

IP.com Disclosure Number: IPCOM000200262D
Publication Date: 2010-Oct-03
Document File: 2 page(s) / 26K

Publishing Venue

The IP.com Prior Art Database

Abstract

Oftentimes, problems arise when a client agent needs to communicate with a server-side agent, due to various security mechanisms that attempt to disrupt or prevent any illegal communication. In this disclosure we detail a new approach for deployment and operation of a Glassbox solution. The disclosure describes the key disadvantages of other approaches, such as the need for highly privileged credentials for deployment and the need for administrative authority intervention to allow outgoing traffic in hardened (security-wise) servers; it then describes an automated procedure for solving the aforementioned problems, in an effective way.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 52% of the total text.

Page 01 of 2


Glassbox testing is a type of application security testing approach in which various agents collect server-side data (from the application runtime itself, server logs, etc.) to improve and guide web-application scanning (e.g., Blackbox scanning). The agents can collect information from a wide variety of sources, such as: source code, program runtime information, log file contents, server trace mechanisms (Directory Services, Databases, etc.), file alteration and creation, registry manipulation, network activity, etc.

    One of the challenges in introducing Glassbox as a main/valid scanning technique is the deployment and reporting-back processes.

    A good solution needs to obey the following guidelines:
* Require minimal permissions from the user. In many cases, the user (e.g., a developer or penetration tester) does not have full administrative permissions on the server.
* The deployed agents should be able to interact with the server side with minimal need for server-side/network configuration changes.

    It is very common to find security appliances (such as firewalls, IDS, IPS) that are set up to protect the server and/or the server's intranet. These tools can drastically limit the ability of server-side agents to interact with the client side via proprietary ports and unknown protocols. Adjustments to the configurations of these tools tend to be cumbersome and unwelcome to many system administrators due to security considerations.

In this disclosure we propose taking advantage of the web server (application server) and its web-application upload capabilities to solve the aforementioned limitations of other approaches.

The idea is to deploy a web-application to the application server we want to analyze using Glassbox testing; this web-application has various functions:
1. Responsible for installing the Glassbox agents onto the server (e.g., instrumentation of the code, inspection of file creation, DB/network activity, etc.).
2. Responsible for reporting the findings of the Glassbox agents back to the client side (Blackbox scanner).
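To make the two functions above concrete, here is an added, self-contained example (not the disclosure's own implementation): a deployable WSGI application that wraps the target application, records what an agent hook observes at a sink, and exposes the findings on an endpoint the scanner pulls from over the existing inbound HTTP channel, so the server never opens an outbound connection. The `X-Scan-Id` and `X-Report-Token` headers, the `/glassbox/findings` path and the token value are assumptions made for this example.

```python
import json
from urllib.parse import parse_qs

# Constructed example, not the disclosure's implementation. Findings live in memory and
# are fetched by the scanner over the app server's own inbound HTTP channel, so the
# agent never needs an outbound port and no firewall/IPS change is required.
FINDINGS = {}                            # scan-id -> list of findings
REPORT_TOKEN = "example-shared-secret"   # assumed; agreed with the scanner out of band

def record_finding(scan_id, sink, detail):
    """Agent hook: called from instrumented code paths when a sink is reached."""
    if scan_id:
        FINDINGS.setdefault(scan_id, []).append({"sink": sink, "detail": detail})

def target_app(environ, start_response):
    """Stand-in for the application under test, with one instrumented SQL sink."""
    scan_id = environ.get("HTTP_X_SCAN_ID")     # correlation id sent by the scanner
    name = parse_qs(environ.get("QUERY_STRING", "")).get("name", [""])[0]
    query = "SELECT * FROM users WHERE name = '%s'" % name
    if name and name in query:                  # request parameter reached the sink unchanged
        record_finding(scan_id, "sql", query)
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]

def glassbox_app(environ, start_response):
    """The deployed web-application: serves the target plus the reporting endpoint."""
    if environ.get("PATH_INFO") == "/glassbox/findings":
        if environ.get("HTTP_X_REPORT_TOKEN") != REPORT_TOKEN:   # endpoint is not public
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"forbidden"]
        scan_id = parse_qs(environ.get("QUERY_STRING", "")).get("id", [""])[0]
        body = json.dumps(FINDINGS.pop(scan_id, [])).encode()   # hand over and clear
        start_response("200 OK", [("Content-Type", "application/json")])
        return [body]
    return target_app(environ, start_response)

def call(app, path, query="", headers=None):
    """Minimal in-process WSGI client so the example runs offline."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query}
    for k, v in (headers or {}).items():
        environ["HTTP_" + k.upper().replace("-", "_")] = v
    status = []
    body = app(environ, lambda s, h: status.append(s))
    return status[0], b"".join(body)

def scan_round_trip():
    """Scanner sends a probe tagged with a scan id, then pulls the findings it caused."""
    call(glassbox_app, "/users", "name=alice", {"X-Scan-Id": "scan-1"})
    status, body = call(glassbox_app, "/glassbox/findings", "id=scan-1",
                        {"X-Report-Token": REPORT_TOKEN})
    return status, json.loads(body)
```

The scanner drives both halves from its side of the firewall: one request triggers the instrumented code, the next collects what the agent recorded, and a request without the shared token gets nothing.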

    In fact, th...