Understanding Technical vs. Logical Vulnerabilities
by Jeremiah Grossman - Founder and CTO of WhiteHat Security - Article originally appeared on SearchAppSecurity.com
Can we guess what the application order.asp combined with the parameters item and price do? Using intelligence unique to humans, we can quickly deduce their purpose with relative certainty. This is a product ordering application. The item parameter is the particular product we are interested in. In our case, let's say an iPod. The price parameter is the amount we are going to pay for our portable music player. What happens if we changed the price of 300.00 to 100.00? Or 1.00? Does the Web site still sell us the iPod? If so, we can easily understand that the Web site should not have allowed the price alteration. As humans, we possess a natural ability to assess context, and we aptly refer to these types of issues as "logical vulnerabilities," issues that only humans can identify.

Now, if an automated scanner attempted the very same attack in a generic fashion, how would it decide if a custom Web site's response was good or bad? How would it know if the attack worked or was adequately defended? Or what the item and price parameters were supposed to do in the first place? The answer is clear: Scanners cannot reliably make these assumptions. The numbers in the URL easily could have meant something else entirely when presented in a different context. The rules for what is supposed to happen on Web sites are not defined as they are in chess. These decisions require contextual knowledge of the system, plus the ability to "logically" understand any number of previously undefined results.

In mathematics, this very large obstacle is commonly referred to as the undecidable problem. An undecidable problem is a problem that cannot be solved for all cases by any algorithm (or computer program). Chess IS NOT an undecidable problem, since it can be accounted for in all instances at all times. Fully analyzing custom Web application software for vulnerabilities IS an undecidable problem. That's why the game of chess can be fully automated by a computer and identifying vulnerabilities in custom Web applications cannot be. There are unique aspects of the human mind that computers have yet to duplicate. WhiteHat's statistics, based on aggregate data from thousands of assessments, indicate that only about half of the possible Web application security issues can be tested for in a completely automated fashion. The remaining tests for logical issues require the involvement of a Web application security Garry Kasparov.

In a thorough Web application security assessment, potentially hundreds of thousands of customized tests must be performed. By hand, even the world's best experts would never be able to complete this much work in a feasible amount of time.

Similar to the work of X3D Fritz, harnessing the power of a truly enterprise class vulnerability scanner greatly deceases the workload by performing the monotonous tasks that can be automated. Scanners are great at tackling technical vulnerabilities such as cross-site scripting and SQL injection, and not effective at identifying price list modification, credential/session prediction, insufficient authorization, and other logical vulnerabilities.

The industry has acknowledged the combination of a comprehensive, consistent, and efficient testing methodology backed by experienced security professionals as a best practice for ensuring complete vulnerability coverage. To build this program, our customers use WhiteHat Sentinel, a turnkey approach to continuous Web site vulnerability assessment and management.

While artificially intelligent computers like HAL 9000 may arrive or someone may achieve the mathematical breakthrough of the century, currently technology alone is no match for the human mind.


Critical bug found in Cisco ASA products, attackers are scanning for affected devices

Several Cisco ASA products - appliances, firewalls, switches, routers, and security modules - have been found sporting a flaw that can ultimately lead to remote code execution by attackers.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Feb 12th