Presentation is loading. Please wait.

Presentation is loading. Please wait.

Presentation by: Naga Sri Charan Pendyala

Published byAudra Rice Modified over 6 years ago

Similar presentations

Presentation on theme: "Presentation by: Naga Sri Charan Pendyala"— Presentation transcript:

1 Presentation by: Naga Sri Charan Pendyala
Evaluation of Web Security Mechanisms using Vulnerability & Attack Injection By José Fonseca, Marco Vieira, Henrique Madeira Presentation by: Naga Sri Charan Pendyala

2 Attack Injection What is attack Injection?
How is it possible in web applications?

3 Overview Abstract – problem statement. Introduction
Background and Related Work Vulnerability & Attack Injection Methodology VAIT Tool Utilization Scenarios Inline Scenario Offline Scenario and Remarks Experimental Evaluation and Results with case studies Proposed approach in solving the problem

4 Introduction Focus on Web Application security. Why?
Factors affecting Web Application security Market growing fast Can be attacked from anywhere in world Lack of knowledge or inexperience of developers in security Access to valuable enterprise assets Types of Injection Attacks SQL Injection (SQLi) Cross Site Scripting (XSS)

5 Introduction Proposed tool : Vulnerability & Attack Injector Tool (VAIT) Dynamic analysis of the web application behavior and their interaction with external resources, such as the back-end database Vulnerability: represents the space of the “faults” injected in a web application Attack: the “intrusion” is the result of the successful “attack” of a “vulnerability” causing the application to enter in an “error” state

6 Introduction VAIT implemented on web applications was tested in two scenarios Generate a large number of realistic vulnerabilities for offline assessment of security tools, in particular web application vulnerability scanners. Show how it can exploit injected vulnerabilities to launch attacks, allowing the online evaluation of the effectiveness of the counter measure mechanisms installed in the target system, in particular an Intrusion Detection System (IDS).

7 Related Work Automated injection of attacks
Increases the rate of occurrence of errors in the system Helps evaluate impacts of faults and error propagation in system Helps in estimating fault tolerant system measures, such as the fault coverage and error latency Software implemented fault injection (SWIFI), in which hardware faults are emulated by software. Xception and NFTAPE are examples of SWIFI tools. The injection of realistic software faults (i.e., software bugs) has been absent from fault injection effort for a long time.

8 Related Work Industry Side: fuzzing and mutation testing
To automate penetration testing of web applications Rely on web application vulnerability scanner tools that also generate reports compliant with security regulations (Sarbanes- Oxley, PCI-DSS, etc.) E.g. HP WebInspect, IBM Watchfire AppScan, Acunetix web application security scanner and WebSphinx.

9 Related Work Types of Vulnerabilities
XSS and SQLi : accounting for 32% of the vulnerabilities observed SQLi Attack: consists of tweaking the input fields of the web page (which can be visible or hidden) in order to alter the query sent to the back-end database. XSS Attack: consists of injecting HTML and/or other scripting code (usually Javascript) in a vulnerable web page E.g. Malicious adds, links that download malware, redirects etc.

10 Related Work - conclusions
Classified 655 XSS and SQLi security patches of six widely used LAMP (Linux, Apache, MySQL and PHP) web applications. Both XSS and SQLi vulnerabilities result from poorly coded applications that do not properly check their inputs.

11 Related Work - Conclusions
Most common type of vulnerabilities in web application code is by far, the “Missing Function Call – extended” (MFCE), with about ¾ of all vulnerabilities found

12 Vulnerability & Attack Injection Methodology
Four Stages of the methodology of the VAIT Preparation Stage Vulnerability Injection Stage Attackload Generation Stage Attack Stage

13 Preparation Stage The web application is interacted (crawled) executing all the functionalities that need to be tested. HTTP and SQL communications are captured by the two probes and processed for later use.

14 Preparation Stage The outcome is the correlation of Input values.
The HTTP variables that carry them Respective source code files Usage in the structure of the database queries sent to the back-end database (for SQLi) or displayed back to the web browser (for XSS).

15 Vulnerability Injection Stage
Uses both dynamic and static analysis to gather data. Gathers Input Variables that chain to output Variables..

16 Vulnerability Injection Stage
Results provides the best of both worlds to obtain the variables and the location where they are sanitized or filtered and the set of constraints given by the code location required by the Vulnerability Operators

17

18 AttackLoad Generation Stage
Attack Load is the list of malicious interactions particular to the web application based on the crawl and analysis results. The fuzzing process consists of combining the available collection of prefixes

19 Attack Stage Alter the SQL query sent to the database server of the web application (for the case of SQLi attacks) or the HTML data sent back to the user (for the case of XSS attacks) Search for the presence of the payload footprint in the interaction data (HTTP or SQL communications) to check if the attack is successful

20 Vulnerability & Attack Injection Tool
Dependency Builder Variable analyzer Vulnerability Operator Vulnerability Injector Attack Load Generation Attack Success Detector

21 Attack Injection Utilization Scenarios
Inline The VAIT is executed while the security assurance mechanisms under evaluation are also being executed. The VAIT can be used to evaluate tools and security assurance mechanisms, like IDS for databases, Web Application IDS, Web Application Firewalls and Reverse Proxies

22 Attack Injection Utilization Scenarios
Offline The VAIT is executed in advance to provide a set of realistic vulnerabilities for later use. In the offline scenario, the VAIT injects vulnerabilities into the web application and attacks them to check if they can be exploited or not. The offline scenario can also be applied to assess the quality of test cases developed for a given web application.

23 Experimental Evaluation and Results
How many lines of code are necessary to be able to inject a vulnerability on average. How many of those vulnerabilities can be successfully attacked TikiWiki: 1,857 lines of code phpBB: 4,639 lines of code MyReferences: 479 lines of code. On average, the tool injected one vulnerability for every 129 lines of PHP code. A collection of attackloads (see Table 2) was applied to each vulnerability injected and 38% of these attacks were successful

24 Experimental Evaluation and Results
IDS was able to detect 99% of the attacks injected and missed only five of them Developers and security practitioners can improve their security mechanisms and procedures with all the information provided by VAIT above. The VAIT collects the results all the details of the attacks, like the exact HTTP attack code, the target variable, the attackload used, the query sent to the database, etc. Allied to the high detection rate of the IDS, there is also a high false positive rate.

25 Experimental Evaluation and Results
.

26 Conclusion Proposed a novel methodology to automatically inject realistic attacks in web applications. Analyze Web applications and inject set of potential vulnerabilities. Report success of each attack automatically Developed a tool VAIT to realize the methodology focusing on the most important fault type, the MFCE VAIT can be used to evaluate security mechanisms like IDS. VAIT was also used to evaluate two commercial and widely used web application vulnerability scanners, concerning their ability to detect SQLi vulnerabilities in web applications The results show that there is room for improvement in the SQLi

27 Queries and Discussion

Download ppt "Presentation by: Naga Sri Charan Pendyala"

Similar presentations

SecuBat: An Automated Web Vulnerability Detection Framework

SecuBat: An Automated Web Vulnerability Detection Framework
Hossain Shahriar Mohammad Zulkernine. One of the worst vulnerabilities in web applications It involves the generation of dynamic HTML contents with invalidated.

Hossain Shahriar Mohammad Zulkernine. One of the worst vulnerabilities in web applications It involves the generation of dynamic HTML contents with invalidated.
Closing the Gap: Analyzing the Limitations of Web Application Vulnerability Scanners David Shelly Randy Marchany Joseph Tront Virginia Polytechnic Institute.

Closing the Gap: Analyzing the Limitations of Web Application Vulnerability Scanners David Shelly Randy Marchany Joseph Tront Virginia Polytechnic Institute.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Web Trust Boundaries and Security Vulnerabilities Haris Volos and Hidayat Teonadi CS739 – Distributed Systems.

Web Trust Boundaries and Security Vulnerabilities Haris Volos and Hidayat Teonadi CS739 – Distributed Systems.
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.

Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.
Crawler-Based Search Engine By Ryan Caplet, Morris Wright and Bryan Chapman.

Crawler-Based Search Engine By Ryan Caplet, Morris Wright and Bryan Chapman.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
“Today over 70% of attacks against a company’s network come at the ‘Application Layer’ not the Network or System layer.” - Gartner Is Your Web Application.

“Today over 70% of attacks against a company’s network come at the ‘Application Layer’ not the Network or System layer.” - Gartner Is Your Web Application.
Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.

Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.
Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,

Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,
Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.

Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.
Security Scanning OWASP Education Nishi Kumar Computer based training

Security Scanning OWASP Education Nishi Kumar Computer based training
W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.

W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.
Software Faults and Fault Injection Models --Raviteja Varanasi.

Software Faults and Fault Injection Models --Raviteja Varanasi.
Is Your Website Hackable? Check with Acunetix Web Vulnerability Scanner. Acunetix Web Vulnerability Scanner V9.

Is Your Website Hackable? Check with Acunetix Web Vulnerability Scanner. Acunetix Web Vulnerability Scanner V9.
SQL Power Injector Avadanei AlinBalan Robert. What is SQL Power Injector ?  A graphical application created in C#.Net 1.1 that helps the penetration.

SQL Power Injector Avadanei AlinBalan Robert. What is SQL Power Injector ?  A graphical application created in C#.Net 1.1 that helps the penetration.
CSCI 6962: Server-side Design and Programming Secure Web Programming.

CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Similar presentations

Ads by Google