Toshi's Approach to Runtime Analysis

Black Box Scanning Tool + White Box Testing Tool

Toshi's Black Box Scanning Tool
Same approach as:
• Cenzic
• SPI Dynamics
• Watchfire

Toshi's tool is unique because:
• Built on Microsoft Visual Studio 2005 platform
• Reuses Web application testing capabilities
• Builds on existing test scripts (not useful today; we didn't give him any scripts)
Black Box Scanning
1) Traversing the application
   • Manual
   • Automated
2) Testing the application
   o Signature analysis
   o Behavioral analysis
Traversing: Manual Crawl
Manually map the application's interface
Advantages
• Can often achieve higher coverage
Disadvantages
• Time consuming

Traversing: Automated Crawl
Enter a starting URL and map the interface automatically
Advantages
• Easy to use
• Sometimes comprehensive
Disadvantages
• Cannot crawl complex web applications
• May take a long time, looping over redundant pages
Testing: Signature Analysis
Search for specific strings in the HTTP response
Example: SQL injection
• "SQLException"
• "OLE DB Provider"

Testing: Behavioral Analysis
Identify behavior indicative of a vulnerability
Example: Blind SQL Injection
1. Inject original clause: id=3
2. Inject true clause: id=3 AND 1=1
3. Inject false clause: id=3 AND 1=0
4. If (original == true && true != false) then report SQL injection
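The two oracles above, signature analysis and the three-probe behavioral check for blind SQL injection, as an added example that is not part of the deck or of Toshi's tool. The target "application" is a constructed in-process sqlite3 query rather than a network service, so the logic runs offline; `send()` stands in for issuing one HTTP request and returning the body. The signature list is the deck's two strings plus "OperationalError", added only so the sqlite3 mock is covered. A vulnerable endpoint (string-concatenated SQL, as in the deck's getStuff()) is shown beside a parameterized one so the oracle's verdict can be compared on both.

```python
"""Black-box oracles from the deck: signature analysis and behavioral analysis.

Constructed example. The "application" is an in-process sqlite3 query,
not a network service, so both oracles can be exercised offline; send() in
a real scanner would issue the HTTP request and return the response body.
"""
import sqlite3

# Signature analysis: strings whose presence in a response body indicates a
# database error leaked to the client. The first two are the deck's examples;
# "OperationalError" is added so the sqlite3 mock below is covered.
SQL_ERROR_SIGNATURES = ("SQLException", "OLE DB Provider", "OperationalError")


def signature_check(body):
    """Return the signatures found in a response body (empty list = no finding)."""
    return [sig for sig in SQL_ERROR_SIGNATURES if sig in body]


def behavioral_check(original, true_resp, false_resp):
    """Blind SQL injection oracle, step 4 of the deck: the true clause must
    answer exactly like the original and the false clause must differ."""
    return original == true_resp and true_resp != false_resp


def _sample_db():
    """Constructed sample table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table mytable (id integer, stuff text)")
    conn.executemany("insert into mytable values (?, ?)",
                     [(1, "alpha"), (2, "beta"), (3, "gamma")])
    return conn


def vulnerable_endpoint(id_value):
    """Mock of the deck's getStuff(): SQL built by concatenation, verbose errors."""
    try:
        rows = _sample_db().execute(
            f"select stuff from mytable where id={id_value}").fetchall()
        return "<html>" + ",".join(r[0] for r in rows) + "</html>"
    except sqlite3.Error as ex:  # error page that leaks the driver exception
        return f"<html>500 {type(ex).__name__}: {ex}</html>"


def hardened_endpoint(id_value):
    """Same query with a bound parameter: the injected clause is data, not SQL."""
    rows = _sample_db().execute(
        "select stuff from mytable where id=?", (id_value,)).fetchall()
    return "<html>" + ",".join(r[0] for r in rows) + "</html>"


def scan(send, value="3"):
    """Steps 1-3 of the deck against one endpoint, then both oracles."""
    original = send(value)                 # 1. original clause: id=3
    true_resp = send(f"{value} AND 1=1")   # 2. true clause
    false_resp = send(f"{value} AND 1=0")  # 3. false clause
    bodies = (original, true_resp, false_resp)
    return {
        "signatures": sorted({s for b in bodies for s in signature_check(b)}),
        "blind_sqli": behavioral_check(original, true_resp, false_resp),
    }


if __name__ == "__main__":
    print("vulnerable:", scan(vulnerable_endpoint))
    print("hardened:  ", scan(hardened_endpoint))
```

Running the block reports `blind_sqli: True` for the concatenating endpoint and `False` for the parameterized one, with no signature hit on either because neither probe makes the query fail. One caveat the deck's step 4 leaves implicit: the original and true-clause responses must be byte-identical, so a page that embeds a timestamp or request id defeats the comparison; real scanners normalize responses (strip volatile fields) before comparing, and a signature hit on its own is only a hint until the behavioral check confirms it.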
Black Box Scanning: Advantages
• If you have a running application, you can test it
• Bugs are easy to verify (reproduce)

Disadvantage: Low Coverage
• You can't test what you can't reach
[Figure: the application split into a tested part, where vulnerabilities are found, and an untested part, where vulnerabilities are not found]
Disadvantage: Missing Oracles
• Some vulnerabilities are not visible from the Web
• "I hope they're not logging my CC# into a plaintext log file"
[Figure: the client sends a credit card # to the application; the HTTP response says only "Your order will be processed in 2 days", while the application writes the CC # to a log file]
Toshi's Special Sauce: White Box Testing Tool
Insert monitors around security-relevant APIs
• Sources of input
  o Web: ServletRequest.getParameter(String)
• Sinks
  o Database: SQLStatement.executeQuery(String)
  o Process: Runtime.exec(String)
  o File: Log.log(String)
Look for potential problems

Combats Black Box Limitations
• Coverage: percentage of security-relevant APIs exercised
• Code-level details: file name, line number and API details for bugs
• Improved oracles: vulnerabilities not evidenced on the Web
Black Box Scan + White Box Testing Tool (Proposal)
[Diagram: the Web Scanner sends HTTP requests to the Web Application on the Application Server and verifies results from the responses; the white box tool watches the application's calls to the Database, File System and Other Apps and verifies results there as well; both feed into the reported result]
How To Inject Monitors
• Monitor code written as aspects
• Use aspect-oriented technology
  o AspectJ (Java)
  o AspectDNG (.NET)
• Works on bytecode: Java class files & .NET MSIL (no source code required)

Bytecode Injection: Process
[Diagram: Original .class + New Code and Location --> AspectJ --> New .class]
Bytecode Injection: Result
Before "executeQuery()", call "MyLibrary.doCheck()".

Original .class (before injection):

    List getStuff(String id) {
        List list = new ArrayList();
        try {
            String sql = "select stuff from mytable where id='" + id + "'";
            JDBCstmt.executeQuery(sql);
        } catch (Exception ex) {
            log.log(ex);
        }
        return list;
    }

New .class (after injection; the monitor call is the only added line):

    List getStuff(String id) {
        List list = new ArrayList();
        try {
            String sql = "select stuff from mytable where id='" + id + "'";
            MyLibrary.doCheck(sql);   // injected monitor
            JDBCstmt.executeQuery(sql);
        } catch (Exception ex) {
            log.log(ex);
        }
        return list;
    }
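The white box side of the deck, as an added example that is not Toshi's tool: monitors around the source (getParameter) and the three sinks (executeQuery, Runtime.exec, Log.log), producing the three things the "Combats Black Box Limitations" slide promises, coverage of security-relevant APIs, the file name and line number of the offending call, and an oracle for the missing-oracle case (the CC# that reaches the log file while the HTTP response looks fine). The deck injects the monitor into Java bytecode with AspectJ; this Python stand-in wraps the sink functions at runtime instead, which is the same "call the check before the sink" shape as MyLibrary.doCheck(sql) above. Monitor, get_parameter, the three sink wrappers, the two check functions and the request handler are all assumptions made for the example; the SQL check is a plain substring test for a request value appearing verbatim in the query text, not real taint tracking.

```python
"""White-box monitors around security-relevant APIs (constructed example).

The deck injects monitor aspects into Java bytecode with AspectJ; here the
same idea is shown in Python by wrapping the sink functions at runtime.
Nothing here is the deck's tool; Monitor, get_parameter, the sink wrappers
and the check functions are assumptions made for the example.
"""
import inspect
import re
import sqlite3
from functools import wraps

CARD_RE = re.compile(r"\b\d{13,16}\b")  # crude card-number shape, constructed


class Monitor:
    """Records tainted sources, which sinks were exercised, and findings."""

    def __init__(self):
        self.tainted = set()   # values that came from the web request
        self.sinks = {}        # sink name -> number of calls (coverage)
        self.findings = []     # (sink, file:line, message)

    # Source: analogue of ServletRequest.getParameter(String)
    def get_parameter(self, params, name):
        value = params.get(name, "")
        self.tainted.add(value)
        return value

    def _site(self):
        """File name and line number of the application code calling the sink."""
        frame = inspect.stack()[2]          # [0] _site, [1] wrapper, [2] caller
        return f"{frame.filename}:{frame.lineno}"

    def sink(self, name, check):
        """Decorator: wrap a sink, count coverage, run the oracle before the call."""
        self.sinks[name] = 0

        def deco(fn):
            @wraps(fn)
            def wrapper(*args, **kwargs):
                self.sinks[name] += 1
                msg = check(self, args)     # the doCheck() step, before the sink
                if msg:
                    self.findings.append((name, self._site(), msg))
                return fn(*args, **kwargs)
            return wrapper
        return deco

    def coverage(self):
        """Fraction of monitored security-relevant APIs exercised in this run."""
        exercised = sum(1 for n in self.sinks.values() if n)
        return exercised / len(self.sinks) if self.sinks else 0.0


# Oracles run at each sink
def check_sql(mon, args):
    """A request value concatenated verbatim into the SQL text (substring test)."""
    hits = [t for t in mon.tainted if t and t in args[0]]
    return f"request parameter {hits[0]!r} reaches SQL unescaped" if hits else None


def check_log(mon, args):
    """Card-number-shaped data written to the log in plaintext."""
    return "card number written to log" if CARD_RE.search(str(args[0])) else None


monitor = Monitor()


@monitor.sink("Database: executeQuery(String)", check_sql)
def execute_query(sql):
    conn = sqlite3.connect(":memory:")      # constructed stand-in database
    conn.execute("create table mytable (id integer, stuff text)")
    conn.execute("insert into mytable values (3, 'gamma')")
    return conn.execute(sql).fetchall()


@monitor.sink("File: Log.log(String)", check_log)
def log(message):
    return message                          # stand-in for appending to the log file


@monitor.sink("Process: Runtime.exec(String)", lambda m, a: None)
def exec_process(cmd):
    raise NotImplementedError               # never called here: shows as a coverage gap


def handle_order(params):
    """Constructed request handler with the two flaws the deck discusses."""
    order_id = monitor.get_parameter(params, "id")
    card = monitor.get_parameter(params, "cc")
    execute_query(f"select stuff from mytable where id='{order_id}'")
    log(f"order {order_id} paid with card {card}")
    return "Your order will be processed in 2 days"   # response reveals nothing


def run_demo():
    """One request through the monitored handler; returns the Monitor for inspection."""
    monitor.findings.clear()
    handle_order({"id": "3", "cc": "4111111111111111"})
    return monitor


if __name__ == "__main__":
    m = run_demo()
    print(f"coverage: {m.coverage():.0%} of security-relevant sinks exercised")
    for sink, site, msg in m.findings:
        print(f"{sink} at {site}: {msg}")
```

The run reports two findings with file and line of the calling code, one at the database sink and one at the log sink, and 67% coverage because the process sink was never reached; a black box scanner sees neither the log write nor the untouched sink. Wrapping at runtime instead of rewriting bytecode means the application must import the wrapped names, which is exactly the limitation the deck's bytecode approach avoids.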
Summary
Black box scanner
• Smart fuzzer (uses specific attack strings)
• Oracles with signatures and behavioral analysis
White box testing tool
• Inject monitors
• Provide coverage, code details, enhanced oracle