Leveraging User Interactions for In-Depth Testing of Web Applications. Sean McAllister (Secure Systems Lab, Technical University Vienna, Austria), Engin Kirda.

Leveraging User Interactions for In-Depth Testing of Web Applications. Sean McAllister (Secure Systems Lab, Technical University Vienna, Austria), Engin Kirda (Institute Eurecom, France), Christopher Kruegel (University of California, Santa Barbara)

Presented by: Mahdi Nasrullah Al-Ameen

Research Problem :: Detecting vulnerabilities in web applications using a black-box vulnerability scanner.

Vulnerabilities ::
- Cross-site scripting (XSS) vulnerabilities
- SQL injection

Vulnerabilities :: Cross-site scripting (XSS) vulnerabilities: an XSS flaw allows an attacker to embed malicious JavaScript, VBScript or HTML into a vulnerable dynamic page; the script then executes in the browser of a user who visits the page, for example to gather that user's data.
(Diagram: the attacker injects a script into your web page; the victim visits the page and is infected with the script.)

Black-Box Vulnerability Scanner ::
- Runs the application and monitors its execution.
- Provides a variety of malformed input values, with the goal of finding cases in which the application misbehaves or crashes.

Limitations of the Current Black-Box Vulnerability Scanners :: They often fail to test a substantial fraction of a web application's logic, especially when this logic is invoked from pages that can only be reached after filling out complex forms that check the correctness of the provided values.

Contributions of the Paper :: To address the limitations of existing tools, the paper proposes several techniques that allow the scanner to reach "deeper" into the application, thus detecting more entry points, which can then be tested (fuzzed) using existing databases of malformed input values.

Contributions of the Paper ::
- Guided Fuzzing: leverages previously recorded user input to fill out forms with values that are likely to be valid.
- Extended Guided Fuzzing: extends Guided Fuzzing by using each recorded step as a starting point to explore the program more comprehensively.
- Stateful Fuzzing: mitigates the potentially undesirable side effects that may occur during Extended Guided Fuzzing.

Layout of the Presentation ::
- High-level idea of the proposed fuzzing techniques
- Overview of the experimental results
- Comparison with related work
- Limitations of the paper
- My suggestions

Guided Fuzzing :: Increasing Testing Depth. Phase I: Collecting Input ::
- Use a proxy between the web client and the web server to log the inputs that are sent to the web application.
- Alternatively, record the incoming inputs on the server side by means of the web server log files.

Guided Fuzzing :: Phase II: Replaying Input :: Assume the scanner has reached Step 2 by replaying the inputs previously recorded for Step 1. The fuzzer component is invoked at Step 2 (it uses the database of malformed values). The previously recorded input values stored for Step 2 are then used to advance to Step 3.

Guided Fuzzing :: Terminating Conditions:
- The test case is exhausted.
- The previously recorded input is no longer valid.

Guided Fuzzing :: Limitation: for each step, only a single entry point is analyzed.

Extended Guided Fuzzing :: Increasing Testing Breadth
- For each step, all entry points are explored, i.e., the complete part of the site that is reachable from the current page is fuzzed.
- This increases the number of entry points a scanner can test.

Extended Guided Fuzzing :: Increasing Testing Breadth. Limitation: the inputs sent by the fuzzer may change the state of the application such that the remaining recorded steps can no longer be executed.

Stateful Fuzzing :: A snapshot of the current state of the application is taken. Then the fuzzer is allowed to run, which may cause significant changes to the state of the application. After each fuzzing step, the application is restored to the previously taken snapshot. At this point the application is in the expected state and can advance one step. After that the process is repeated: a snapshot is taken and the fuzzer is invoked again.

Stateful Fuzzing :: To be able to capture the state of an application and subsequently restore it, whenever an object is modified or deleted a copy of the object (as it was before the change) is saved.
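The following is an added, self-contained illustration of the replay and snapshot/restore loop described on the Guided Fuzzing and Stateful Fuzzing slides; it is not code from the paper or from the authors' scanner. The application, the recorded session and the list of malformed values are all constructed here. The store implements the "save a copy of every modified or deleted object" scheme from the slide above as an undo log; the toy application echoes a submitted name unescaped on purpose so the scanner has a reflection to detect. Running it with and without restore shows why Extended Guided Fuzzing alone can get stuck: once the fuzzer has registered the recorded account name, the recorded input is no longer valid and the walk terminates.

```python
import copy

_MISSING = object()  # sentinel: the object did not exist before the change


class Store:
    """In-memory store standing in for the application's database.
    While a snapshot is active, each modification or deletion first saves a
    copy of the object as it was; restore() replays those copies in reverse."""

    def __init__(self):
        self.objects = {}
        self.undo = None  # None means no snapshot is active

    def snapshot(self):
        self.undo = []

    def _remember(self, key):
        if self.undo is None:
            return
        before = copy.deepcopy(self.objects[key]) if key in self.objects else _MISSING
        self.undo.append((key, before))

    def set(self, key, value):
        self._remember(key)
        self.objects[key] = value

    def delete(self, key):
        self._remember(key)
        self.objects.pop(key, None)

    def restore(self):
        for key, before in reversed(self.undo):
            if before is _MISSING:
                self.objects.pop(key, None)
            else:
                self.objects[key] = before
        self.undo = None


class ToyApp:
    """Constructed two-step application (hypothetical, not a real product).
    Step 1 (/register) creates an account and rejects a name already in use;
    step 2 (/checkout) needs the current account to have a well-formed e-mail.
    The /register response echoes the name unescaped: a deliberate toy defect."""

    def __init__(self, store):
        self.db = store

    def handle(self, url, params):
        if url == "/register":
            name, email = params.get("name", ""), params.get("email", "")
            if "account:" + name in self.db.objects:
                return 409, "name taken"
            self.db.set("account:" + name, {"email": email})
            self.db.set("current_user", name)
            return 200, "welcome " + name
        if url == "/checkout":
            account = self.db.objects.get("account:" + self.db.objects.get("current_user", ""))
            if account is None or "@" not in account["email"]:
                return 400, "account incomplete"
            return 200, "order confirmed"
        return 404, "not found"


# Constructed recording of one user session (what the proxy or server log captured).
RECORDED_SESSION = [
    ("/register", {"name": "alice", "email": "alice@example.test"}),
    ("/checkout", {}),
]
# Constructed stand-in for the scanner's database of malformed values.
FUZZ_VALUES = ["<fzz>", '"fzz"', "'fzz'"]


def stateful_fuzz(app, session, fuzz_values, restore=True):
    """Replay the recorded session, fuzzing every parameter of each step.
    restore=True snapshots before and rolls back after every fuzz request;
    restore=False lets the fuzzer's side effects persist (Extended Guided
    Fuzzing without state restoration). Returns (steps advanced with the
    recorded input, set of (url, parameter) pairs reflected unescaped)."""
    findings, steps_reached = set(), 0
    for url, params in session:
        for name in params:
            for value in fuzz_values:
                if restore:
                    app.db.snapshot()
                _, body = app.handle(url, dict(params, **{name: value}))
                if value in body:  # metacharacters came back verbatim
                    findings.add((url, name))
                if restore:
                    app.db.restore()
        status, _ = app.handle(url, params)  # advance one step with recorded input
        if status != 200:
            break  # terminating condition: recorded input is no longer valid
        steps_reached += 1
    return steps_reached, findings


if __name__ == "__main__":
    for mode in (False, True):
        reached, found = stateful_fuzz(ToyApp(Store()), RECORDED_SESSION, FUZZ_VALUES, restore=mode)
        print(f"restore={mode}: reached {reached}/{len(RECORDED_SESSION)} steps, findings={sorted(found)}")
```

Without restore the first fuzz request that keeps the recorded name registers "alice" with a malformed e-mail, so the recorded Step 1 input is rejected and the scanner never reaches /checkout; with restore every fuzz request is rolled back and both steps complete while the same reflection is still found.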

Stateful Fuzzing :: Mapping of URLs to Functions:
- Find the set of URLs that all invoke the same function within the application.
- User input collected for one of these forms can then be reused for the other forms as well (when no user input is recorded for those forms).

Stateful Fuzzing :: Mapping of URLs to Functions:
- Record the name of the function that each requested URL maps to.
- When an unknown URL is found, query which function is invoked by this URL.
- Search whether this function was previously called by another URL.
- If so, examine the name-value pairs associated with that other URL.
- For each of those names, find a form element on the current page that has the same name.
- When a matching name is found, supply the corresponding stored value.
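An added example of the URL-to-function mapping procedure above (my own illustration, not code from the paper). The route table stands in for the framework's URL resolver that the scanner queries; the route patterns, URLs and recorded values are constructed. `InputReuser.fill_form` answers the question "what should I put in this form on a page I have never seen?" by finding another URL that resolves to the same handler and copying the values recorded there for form elements with matching names.

```python
import re

# Constructed route table: which handler function each URL pattern maps to.
# Two different URL shapes deliberately resolve to the same handler.
ROUTES = [
    (re.compile(r"^/products/\d+/comment$"), "add_comment"),
    (re.compile(r"^/blog/\d+/comment$"), "add_comment"),
    (re.compile(r"^/account/address$"), "edit_address"),
]


def resolve(url):
    """Return the handler name for a URL, or None if nothing matches."""
    for pattern, func in ROUTES:
        if pattern.match(url):
            return func
    return None


class InputReuser:
    """Remembers which function each visited URL maps to and which name/value
    pairs the user submitted there, then reuses those values on other forms
    that invoke the same function."""

    def __init__(self):
        self.seen = {}      # url -> function name, recorded while crawling
        self.recorded = {}  # url -> name/value pairs captured from the user

    def record(self, url, params):
        self.seen[url] = resolve(url)
        self.recorded[url] = dict(params)

    def fill_form(self, url, form_fields):
        """Values to pre-fill for the form elements on the page at `url`."""
        if url in self.recorded:  # input for this exact form was recorded
            return {n: v for n, v in self.recorded[url].items() if n in form_fields}
        func = resolve(url)
        if func is None:
            return {}
        self.seen[url] = func
        for other_url, other_func in self.seen.items():
            if other_url != url and other_func == func and other_url in self.recorded:
                stored = self.recorded[other_url]
                # only names that also appear as form elements on this page
                return {name: stored[name] for name in form_fields if name in stored}
        return {}


if __name__ == "__main__":
    reuser = InputReuser()
    reuser.record("/products/7/comment", {"author": "alice", "text": "nice product"})
    print(reuser.fill_form("/blog/3/comment", ["author", "text", "token"]))
    print(reuser.fill_form("/account/address", ["street", "city"]))
```

Fields without a recorded counterpart (such as a per-page token) are left for the scanner to fill from its own value database, which is also what happens when no URL with the same handler has been seen.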

Overview of the Experimental Results :: Application 1: Blogging Application. Detected unique vulnerabilities:
- Guided Fuzzing: 1
- Extended Fuzzing: 1
- Stateful Fuzzing: 1
- Other scanners (Spider, Burp Spider, w3af, Acunetix): 0

Overview of the Experimental Results :: Application 2: Online Shopping Application. Detected unique vulnerabilities:
- Guided Fuzzing: 9
- Extended Fuzzing: 1
- Stateful Fuzzing: 9
- Other scanners (w3af, Acunetix): 1

Overview of the Experimental Results :: Application 2: Online Shopping Application. Locations:
- Guided Fuzzing: 22
- Extended Fuzzing: 25
- Stateful Fuzzing: 32
- Other scanners: Spider 18, Burp Spider 22, w3af 21, Acunetix 22

Discussion of the Experimental Results :: The authors claim:
- All vulnerabilities found in the experiments were previously unknown.
- The fuzzing techniques consistently find more (or at least as many) bugs than the other open source and commercial scanners.

Related Work :: SecuBat: a web vulnerability scanner
- Can detect XSS and SQL injection vulnerabilities.
Limitations:
- Cannot fill out forms.
- Suffers from the problem of test coverage.

Related Work :: WinRunner: a web vulnerability scanner
- Allows a human tester to record user inputs.
- Replays these inputs while testing.
Limitations:
- Not fully automated.

Limitations of the Paper ::
- Experiments are done only for XSS vulnerabilities.
- No experimental comparison is shown with static source code analysis tools.
- No comparison is shown with a tool that uses a human tester.

Scope for Improvement: My Suggestions :: To prove the effectiveness of the proposed scanner:
- Experiments to find SQL injection vulnerabilities should be done.
- Experiments should be done on a social networking web application.
- Experiments should include comparisons with tools that use a human tester.

Questions?

Thank you…