CRAXweb: Web Testing and Attacks through QEMU in S2E. Shih-Kun Huang National Chiao Tung University Hsinchu, Taiwan
1 CRAXweb: Web Testing and Attacks through QEMU in S2E Shih-Kun Huang National Chiao Tung University Hsinchu, Taiwan
2 Motivation
- Symbolic execution is effective at crashing applications: Catchconv, Bitfuzz, Taintscope, and Ardilla (PHP). It should be effective for web testing.
- Symbolic execution can also automate the exploit generation process: AEG, MAYHEM, CRAX. It should be feasible to automate web attack (exploit) generation.
3 How effective is automatic exploit generation for non-web applications?
- MPlayer (1.5 MLOC) (CVE ): MPlayer 1.0rc2 and SVN before r seconds
- Microsoft Office Word (CVE ): Microsoft Office < seconds
- Nginx (CVE ): nginx 1.3.9/1.4.0 stack buffer overflow, 8 seconds
4 Problems of symbolic web testing and attacks
- Hard to implement a symbolic execution platform for the web: MIT's Ardilla is not public and only supports PHP, and there are many web platforms: PHP, JSP, Python, Perl, Ruby, ASP
- Variety of attack methods: non-web attacks (stack, heap, format string, integer, uninitialized uses, race, ...) and the OWASP top attacks (injection, XSS, CSRF, ...)
5 Web-platform-independent testing
- Which symbolic execution engine covers PHP, JSP, ASP, NodeJS, Python, Ruby, ...? A QEMU-based symbolic execution engine -> S2E
- Issues: performance should be the primary consideration; will symbolic semantics be preserved across web semantics and LLVM semantics?
6 Attack-independent exploit generation
- Taint analysis: input-tainted operations
- Symbolic continuations (what to do next?):
  - Symbolic program counter (symbolic EIP): where the EIP points to
  - Symbolic SQL query: where the SQL commands run
  - Symbolic HTML response: where the JavaScript executes
  - Symbolic command argument: where the shell commands run
7 The power of symbolic computation
- Symbolic execution: generating test input, following all feasible branches
- Concolic execution: generating test input, following a concrete input path and the associated branches
- Exploit generation: generating exploit input, following a concrete crash/anomaly input path and branching to the associated shellcode
  - path constraint generated by the crash input
  - constraints of the symbolic continuations branching to the shellcode
8 Symbolic execution
- Explore every possible path of a program
- Record path information in a path constraint
(Figure: symbolic input fed into a program yields path constraint 1, path constraint 2, path constraint 3)
(Slide footer: Liu Huan 劉歡, A Generic Web Testing and Attack Generation Framework, 2014/2/11)
9 Concolic execution
- Begin with a random input
- Use the negated (false) path constraint to generate another input case
(Figure: input 1 through the program gives output 1 and path constraint 1; input 2 gives output 2 and path constraint 2; input 3 gives output 3 and path constraint 3)
10 Exploit generation
- Record the path constraint of the given crash input
(Figure: crash input x through the program gives output y and a path constraint)
11 Constraint solving
- Given the program output y, constraint solving is the way to generate the input x
- Output y + path constraint -> solve the constraint -> value of input x
(Figure: unknown input x through the program gives output y and a path constraint)
12 Constraint solving
If f(x) = 100, what is the value of x? Known output = 100, unknown input x.
Sample code:
    int f(int x) {
        int y = x + 10;
        if (y > 0) return y;   /* path 1 */
        else return y;         /* path 2 */
    }

13 Constraint solving
If f(x) = 100, what is the value of x? Use symbolic execution on the sample code to get the path constraints:
- PC of path 1: X+10 > 0
- PC of path 2: X+10 <= 0

14 Constraint solving
If f(x) = 100, what is the value of x? Add the constraint from the known information: f(x) = y = X+10 = 100, so X + 10 = 100 is added to each path constraint.
- Path 1: X+10 > 0 and X + 10 = 100
- Path 2: X+10 <= 0 and X + 10 = 100

15 Constraint solving
If f(x) = 100, what is the value of x? Solve the constraints:
- Path 1: X+10 > 0 and X + 10 = 100 -> X = 90 (input: x = 90)
- Path 2: X+10 <= 0 and X + 10 = 100 -> no solution
16 Constraint solving
What is the XSS exploit for the given sample code?
Sample code:
    <?php
    $input = $_GET['id'];
    for ($i = 0; $i < strlen($input); $i++)
        echo chr(ord($input[$i]) + 1);
    ?>

17 Constraint solving
What is the XSS exploit for the given sample code? Symbolic request and response:
- HTTP request, unknown input (the XSS attack):
    GET /index.php?id=[ input ] HTTP/1.1
    Host: example.com
- HTTP response, known output (an alert script):
    HTTP/ OK
    Content-Type: text/html
    <html> some text [ output ] </html>

18 Constraint solving
What is the XSS exploit for the given sample code? Add the JavaScript code as the target output: output = <script>alert(document.cookie)</script>
(Figure: the first solved input bytes, ;rbqhos=, correspond to the first output bytes, <script>)

19 Constraint solving
What is the XSS exploit for the given sample code? Solve the constraint: input = ;rbqhos=`kds cnbtldms-bnnjhd(;,rbqhos=
20 Path constraints
Input      Path constraint    Target output   Solved input
input[0]   chr(input[0]+1)    <               ;
input[1]   chr(input[1]+1)    s               r
input[2]   chr(input[2]+1)    c               b
input[3]   chr(input[3]+1)    r               q
input[4]   chr(input[4]+1)    i               h
input[5]   chr(input[5]+1)    p               o
input[6]   chr(input[6]+1)    t               s
input[7]   chr(input[7]+1)    >               =
input[8]   chr(input[8]+1)    a               `
input[9]   chr(input[9]+1)    l               k
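The constraint-solving procedure of slides 12 to 20 carried through in code, as an added example (it is not CRAXweb's or S2E's code; Sym, solve(), solve_f_equals() and solve_shift_xss() are this example's own names). It models each symbolic value as an affine expression, records the path constraints, adds the known-output equality and solves, returning no solution for the path that cannot produce the output; the same solver then recovers, byte by byte, the input that makes the PHP sample emit the target script.

```python
"""Toy constraint solving in the style of slides 12 to 20.

Added example, not CRAXweb or S2E code.  A symbolic value is an affine
expression a*x + b over one symbolic input x; a path constraint is
(expression, comparison, constant).  Given one path's constraints plus the
equality "output == known value", solve() returns the concrete input, or
None when that path cannot produce the output (the "No solution" case).
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Sym:
    """Affine expression a*x + b over a single symbolic input x."""
    a: int = 1
    b: int = 0

    def __add__(self, k: int) -> "Sym":
        return Sym(self.a, self.b + k)

    def eval(self, x: int) -> int:
        return self.a * x + self.b


Constraint = Tuple[Sym, str, int]          # expr OP const

OPS: Dict[str, Callable[[int, int], bool]] = {
    "==": lambda l, r: l == r,
    "!=": lambda l, r: l != r,
    ">": lambda l, r: l > r,
    ">=": lambda l, r: l >= r,
    "<": lambda l, r: l < r,
    "<=": lambda l, r: l <= r,
}


def solve(path: List[Constraint], target: Constraint) -> Optional[int]:
    """Solve the equality `target` (e.g. f(x) == 100) under the path constraints.

    The equality fixes x directly (a*x + b == v  =>  x = (v - b) / a); the
    candidate is then checked against every path constraint.  This is the
    "add constraint from known information, then solve" step of slide 15.
    """
    expr, op, value = target
    if op != "==" or expr.a == 0:
        raise ValueError("target must be an equality with a non-zero coefficient")
    if (value - expr.b) % expr.a:
        return None                      # no integer input yields this output
    x = (value - expr.b) // expr.a
    for c_expr, c_op, c_val in path:
        if not OPS[c_op](c_expr.eval(x), c_val):
            return None                  # path constraint violated on this path
    return x


# Slides 12-15: int f(int x) { int y = x + 10; if (y > 0) return y; else return y; }
def solve_f_equals(known_output: int) -> List[Optional[int]]:
    """Solved x for path 1 (y > 0) and path 2 (y <= 0), None where unsatisfiable."""
    x = Sym()                            # symbolic input x
    y = x + 10                           # symbolic execution of `int y = x + 10`
    path1 = [(y, ">", 0)]                # PC of path 1
    path2 = [(y, "<=", 0)]               # PC of path 2
    target = (y, "==", known_output)     # f(x) = y = known output
    return [solve(path1, target), solve(path2, target)]


# Slides 16-20: PHP loop `echo chr(ord($input[$i]) + 1)` over each input byte
def solve_shift_xss(target_output: str) -> Optional[str]:
    """Per-byte constraint solving for the PHP sample: output[i] = input[i] + 1.

    Every position is an independent symbolic byte input[i] with the domain
    constraint 0 <= input[i] <= 255, one row of the slide-20 table each.
    Returns None if any target byte is unreachable (e.g. a NUL byte).
    """
    solved = []
    for ch in target_output:
        sym_in = Sym()                   # input[i]
        sym_out = sym_in + 1             # chr(ord(input[i]) + 1)
        domain = [(sym_in, ">=", 0), (sym_in, "<=", 255)]
        x = solve(domain, (sym_out, "==", ord(ch)))
        if x is None:
            return None
        solved.append(chr(x))
    return "".join(solved)


if __name__ == "__main__":
    print(solve_f_equals(100))           # [90, None]
    print(solve_shift_xss("<script>alert(document.cookie)</script>"))
```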
21 Exploit generation for a single URL
This method can check the security risk of a single URL.
- XSS: the HTTP response (HTTP/ OK, Content-Type: text/html, <html> some text [ output ] </html>) is constrained to contain <script>alert(document.cookie)</script>
- SQL injection: the query passed to mysql_query, SELECT * FROM user WHERE user=[symbolic], is constrained to contain admin or 1=1--
22 Exploit generation
Generate an exploit for a web application
23 Single-path concolic execution
To reduce the overhead of symbolic execution:
- Symbolic execution: explore all possible paths (HTTP request: GET index.php?abc=[ input ] HTTP/1.1, Host:)
- Single-path concolic execution: only explore the path of the given input (HTTP request: GET index.php?abc=[aaaaa] HTTP/1.1, Host:)
24 Restriction
25 Outline
- Introduction
- Background
- Method: exploit generation, system architecture
- Related work
- Evaluation
- Conclusion and future work
26 System architecture
- Symbolic environment on S2E
- CRAXweb architecture
- CRAX framework
- Details of CRAXweb: web crawler, symbolic request sender, symbolic data sensor, exploit generator
27 S2E (Selective Symbolic Execution)
(Figure: symbolic data sender and exploit generator on top of S2E)

28 S2E (Selective Symbolic Execution)
(Figure: symbolic data sender, symbolic data sensor for the XSS attack, exploit generator)

29 S2E (Selective Symbolic Execution)
(Figure: symbolic data sender, symbolic data sensor for the SQL injection attack, exploit generator)
30 CRAXweb architecture
(Figure: server side: QEMU, S2E, test unit, web application, web server, symbolic data sensor, s2e_myop, symbolic socket; web crawler; symbolic request sender; exploit generator; report; client side: symbolic data sensor, s2e_myop; STP solver)
31 CRAX framework
32 Web crawler
(Figure: the CRAXweb architecture of slide 30 with the web crawler highlighted)
33 Web crawler (Burp Suite)
The crawler visits the web application and stores the requests in a database, for example:
    GET index.php?abc=xxxxx HTTP/1.1
    Host: example.com

    POST index.php HTTP/1.1
    Host: example.com
    Content-length: 40

    a=xxxx&b=xxx
34 Symbolic request sender
(Figure: the CRAXweb architecture of slide 30 with the symbolic request sender highlighted)
35 Symbolic data sender
(Figure: the web crawler's database feeds a control node; the symbolic data sender issues 1. experiment request to the web application and receives 2. experiment response)
36 Symbolic data sensor
(Figure: the CRAXweb architecture of slide 30 with the server-side and client-side symbolic data sensors highlighted)
37 Symbolic data sensor
- Sensitive data passes through the symbolic data sensor; if it is symbolic data, the sensor calls the exploit generator
- Sensor location per web security issue:
    XSS            HTTP response
    SQL injection  mysql_query()
38 Other web security issues and their sensor locations
Issue                   PHP                               Python
Remote file inclusion   include(), include_once()         include(), require()
Directory traversal     fopen(), file()                   open()
Command injection       system(), file()                  system(), exec()
Code injection          eval()                            eval()
File upload             move_uploaded_file(), rename()    open()
39 Exploit generator
(Figure: the CRAXweb architecture of slide 30 with the exploit generator highlighted)
40 Exploit generator
41 Exploit generator
Sample code:
    <?php
    $input = base64_decode($_GET['user']);
    mysql_query("SELECT * FROM user WHERE user=" . $input);
    ?>
The query passed to mysql_query is symbolic: SELECT * FROM user WHERE user=[symbolic]
Generated request: x.php?user=YWRtaW4gb3Ig...
42 Outline
- Introduction
- Background
- Method
- Related work
- Evaluation
- Conclusion and future work
43 Front end interface

44 Front end interface

45 Experiment monitor
(Figure: CRAXweb guest running in QEMU)

46 Generated exploit

47 Exploit validation

48 Exploit validation
49 Evaluation of web platform independence
Test case ~= echo("A" x 50); OT >= 12 hr

                         | PHP     | JSP      | Rails    | Django    | ASP
OS                       | Linux   | Linux    | Linux    | Linux     | Windows
Server                   | Apache  | Tomcat   | Webrick  | Built-in  | IIS-5.1
Kernel (runtime)         | PHP     | JDK-7u2  | Ruby     | Python    | ASP-3.0
Bind port                |         |          |          |           |
Symbolic response time   | 18.50s  | 6.72min  | 7.45min  | 32.72s    | OT
Without constraints      | 16.42s  | 3.25min  | 5.62min  | 24.02s    | OT
50 Evaluation for XSS (OT >= 15 min)

Comparison with MIT's Ardilla:
Test case          | Line of code | # crawled requests | # XSS (vulnerable) | # XSS by MIT | Time per exploit | Time for all crawled requests
Schoolmate         | ,            |                    |                    |              | min              | min + 30 OT
Webchess-1.0.0rc2  | 6,           |                    | (4)                |              | min              | 94.38 min + 313 OT
Faqforge           | ,            |                    |                    |              | min              | 5.74 min
EVE                |              |                    |                    |              | min              | 4.94 min

Larger applications:
Test case     | Line of code | Platform | # crawled requests | # XSS (vulnerable) | Time per exploit | Time for all crawled requests
SimpGB        | ,296         | PHP      | 1,299              | 33 (57)            | 0.91 min         | 7.67 hr + 334 OT
DedeCms       | ,544         | PHP      | 1,111              | 11 (13)            | 0.48 min         | 8.32 hr + 9 OT
Django-admin  | ,558         | Python   |                    |                    | min              | 5.29 min + 4 OT
Discuz!       | ,088         | PHP      | 613                | 0 (1)              | 0.85 min         | 8.37 hr + 12 OT
Joomla        | ,711         | PHP      | 215                | 0 (7)              | 2.17 min         | 1.26 hr + 117 OT
51 Evaluation for SQL injection (TO: timeout)
Test case            | Line of code | CVE | # crawled requests | # SQLi (vulnerable) | # SQLi by MIT | Time per exploit | Time for all crawled requests | # of all solved constraints
Schoolmate 1.54      |              |     |                    |                     |               | 0.55 min         | min                           |
Webchess 1.0.0rc2    |              |     |                    |                     |               | 0.39 min         | min                           |
Faqforge             |              |     |                    |                     |               | 0.27 min         | 1.88 min                      |
EVE                  |              |     |                    |                     |               | min              | 2.12 min                      |
Testlink             |              |     |                    |                     |               | 4.89 min         | 706.4 min (30 TO)             |
phprecipiebook 2.24  |              |     |                    |                     |               | min              | 315.2 min (32 TO)             |
52 Outline
- Introduction
- Background
- Method
- Related work
- Evaluation
- Conclusion and future work
53 Automatic web attack generators
- Based on symbolic execution (white box): only supports a specific language
- Based on the reply value of the server (black box): hard to handle encrypted data
54 Related work
Approach       | Year | Attacks / Detected       | Generation algorithm                                              | W/B box | Platform
SAFELI         | 2008 | SQLI attack              | Statically inspect the bytecode of the application               | WB      | Java
Apollo         | 2008 | Malformed HTML detection | Concolic execution to find bugs in PHP web applications          | WB      | PHP
Ardilla        | 2009 | XSS, SQLI attack         | Combines concrete and symbolic execution to cover paths          | WB      | PHP
Kudzu          | 2010 | XSS, SQLI attack         | Attack grammar and symbolic execution                            | WB      | JavaScript
PIUIVT         | 2010 | XSS, SQLI attack         | Perturbation-based algorithm                                     | WB      | Java
MySQLInjector  | 2011 | SQLI attack              | Blind SQL injection based on True/False or ORDER BY              | BB      | PHP
NKSI Scan      | 2012 | SQLI attack              | Modularized SQL injection patterns to generate the attack string | BB      | JSP, ASP
CRAXweb        | 2012 | XSS, SQLI attack         | Single-path symbolic execution                                   | WB      | XSS: all, SQLI: PHP
55 Related work
Approach       | Year | Attacks / Detected       | W/B box | Platform
SAFELI         | 2008 | SQLI attack              | W       | Java
Apollo         | 2008 | Malformed HTML detection | W       | PHP
Ardilla        | 2009 | XSS, SQLI attack         | W       | PHP
Kudzu          | 2010 | XSS, SQLI attack         | W       | JavaScript
PIUIVT         | 2010 | XSS, SQLI attack         | W       | Java
MySQLInjector  | 2011 | SQLI attack              | B       | PHP
NKSI Scan      | 2012 | SQLI attack              | B       | JSP, ASP
CRAXweb        | 2012 | XSS, SQLI attack         | W       | XSS: all, SQLI: PHP
56 Conclusion
- A framework to generate exploits for web applications; supports XSS and SQL injection
(Figure: web application -> CRAXweb -> vulnerability report)
- A successful trial of symbolic execution for the web using S2E
57 Future work
- Implement this structure for other kinds of exploit generation
- Other web security issues and their target functions:
    Remote file inclusion / local file inclusion   include(), include_once(), require(), require_once()
    Directory traversal                            fopen(), file(), unlink()
    Command injection                              system(), file()
    Code injection                                 eval()
    File upload                                    move_uploaded_file(), rename(), ...
58 Open doors to more work
- Symbolic execution by S2E for PHP, Python, JSP, Ruby, ASP, Perl, Node JS
More informationWaratek Runtime Protection Platform
Waratek Runtime Protection Platform Cirosec TrendTage - March 2018 Waratek Solves the Application Security Problems That No One Else Can Prateep Bandharangshi Director of Client Security Solutions March,
More informationApplication security : going quicker
Application security : going quicker The web application firewall example Agenda Agenda o Intro o Application security o The dev team approach o The infra team approach o Impact of the agility o The WAF
More informationRuby on Rails Secure Coding Recommendations
Introduction Altius IT s list of Ruby on Rails Secure Coding Recommendations is based upon security best practices. This list may not be complete and Altius IT recommends this list be augmented with additional
More informationCourse 834 EC-Council Certified Secure Programmer Java (ECSP)
Course 834 EC-Council Certified Secure Programmer Java (ECSP) Duration: 3 days You Will Learn How To Apply Java security principles and secure coding practices Java Security Platform, Sandbox, JVM, Class
More informationSecuring Software Applications Using Dynamic Dataflow Analysis. OWASP June 16, The OWASP Foundation
Securing Software Applications Using Dynamic Dataflow Analysis Steve Cook OWASP June 16, 2010 0 Southwest Research Institute scook@swri.org (210) 522-6322 Copyright The OWASP Foundation Permission is granted
More informationEliminating XSS: Context-Sensitive Auto-Sanitization in PHP
Eliminating XSS: Context-Sensitive Auto-Sanitization in PHP Joseph Connor @josconno Jared M. Smith @jaredthecoder Howdy! I am Jared Smith I do R&D at Oak Ridge National Laboratory. You can find me at @jaredthecoder
More informationAttacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14
Attacks Against Websites 3 The OWASP Top 10 Tom Chothia Computer Security, Lecture 14 OWASP top 10. The Open Web Application Security Project Open public effort to improve web security: Many useful documents.
More informationWeb Architecture AN OVERVIEW
Web Architecture AN OVERVIEW General web architecture Historically, the client is a web browser But it can be also A mobile application A desktop application Other server applications Internet Server(s)
More informationHacking by Numbers OWASP. The OWASP Foundation
Hacking by Numbers OWASP Tom Brennan WhiteHat Security Inc. tom.brennan@whitehatsec.com 973-506-9303 skype: jinxpuppy Copyright The OWASP Foundation Permission is granted to copy, distribute and/or modify
More informationSecure Programming and! Common Errors! PART II"
Secure Programming and! Common Errors! PART II" brought to you by Michele AntiSnatchOr Orrù and Integrating Web LTD! Computer System Security course lead by Prof. Ozalp Babaoglu! 9 December 2009! Who am
More informationA1 (Part 1): Injection Command and Code injection
A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application into executing commands or code embedded in data Data and code mixing! Often injected into interpreters SQL, PHP,
More informationHackveda Training - Ethical Hacking, Networking & Security
Hackveda Training - Ethical Hacking, Networking & Security Day1: Hacking windows 7 / 8 system and security Part1 a.) Windows Login Password Bypass manually without CD / DVD b.) Windows Login Password Bypass
More informationVulnerability Signature Update
Vulnerability Signature Update March 2017 - Document WST-0014-015 For Versions 1.12+ OpShieldSignature_0053-R1.12-2017-03.asg MD5 A0A246A65443E542358EE7B24859F90D SHA-1 6E1A9CB01AB043AB81FD4361B580535DF61C5FEA
More informationROSAEC Survey Workshop SELab. Soohyun Baik
ROSAEC Survey Workshop SELab. Soohyun Baik Cross-Site Scripting Prevention with Dynamic Data Tainting and Static Analysis Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel,
More information1. Oracle mod_plsql v in Oracle9i Application Server v1.0.2.x (Oracle9iAS v1.0.2.x)
Oracle Security Alert #28 Dated: 06 Feburary 2002 Updated: 05 July 2002 1. Oracle mod_plsql v3.0.9.8.2 in Oracle9i Application Server (Oracle9iAS ) a) Potential buffer overflow-related security vulnerabilities
More informationIntegrity attacks (from data to code): Malicious File upload, code execution, SQL Injection
Pattern Recognition and Applications Lab Integrity attacks (from data to code): Malicious File upload, code execution, SQL Injection Igino Corona igino.corona _at_ diee.unica.it Computer Security May 2nd,
More informationSQL Injection. EECS Introduction to Database Management Systems
SQL Injection EECS3421 - Introduction to Database Management Systems Credit "Foundations of Security: What Every Programmer Needs To Know" (Chapter 8) by Neil Daswani, Christoph Kern, and Anita Kesavan
More informationAnalysis/Bug-finding/Verification for Security
Analysis/Bug-finding/Verification for Security VIJAY GANESH University of Waterloo Winter 2013 Analysis/Test/Verify for Security Instrument code for testing Heap memory: Purify Perl tainting (information
More informationINF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015
INF3700 Informasjonsteknologi og samfunn Application Security Audun Jøsang University of Oslo Spring 2015 Outline Application Security Malicious Software Attacks on applications 2 Malicious Software 3
More informations642 web security computer security adam everspaugh
adam everspaugh ace@cs.wisc.edu s642 computer security web security today Authentication cookies + session hijacking Browser security model, frame policies Cross-site request forgery Announcement: No class
More informationC and C++ Secure Coding 4-day course. Syllabus
C and C++ Secure Coding 4-day course Syllabus C and C++ Secure Coding 4-Day Course Course description Secure Programming is the last line of defense against attacks targeted toward our systems. This course
More informationUpload to your web space (e.g., UCSC) Due this Thursday 4/8 in class Deliverable: Send me an with the URL Grading:
CS 183 4/6/2010 Build a simple HTML page, topic of your choice Will use this as a basis and gradually and add more features as the class progresses Need to be done with your favorite text editor, no visual
More informationSaving Time and Costs with Virtual Patching and Legacy Application Modernizing
Case Study Virtual Patching/Legacy Applications May 2017 Saving Time and Costs with Virtual Patching and Legacy Application Modernizing Instant security and operations improvement without code changes
More informationA framework to 0wn the Web - part I -
A framework to 0wn the Web - part I - Andrés Riancho andres@bonsai-sec.com SecTor Toronto, Canada - 2009 Copyright 2008 CYBSEC. All rights reserved. andres@bonsai-sec:~$ whoami Web Application Security
More informationOutline STRANGER. Background
Outline Malicious Code Analysis II : An Automata-based String Analysis Tool for PHP 1 Mitchell Adair 2 November 28 th, 2011 Outline 1 2 Credit: [: An Automata-based String Analysis Tool for PHP] Background
More informationLecture Notes: Unleashing MAYHEM on Binary Code
Lecture Notes: Unleashing MAYHEM on Binary Code Rui Zhang February 22, 2017 1 Finding Exploitable Bugs 1.1 Main Challenge in Exploit Generation Exploring enough of the state space of an application to
More informationKruiser: Semi-synchronized Nonblocking Concurrent Kernel Heap Buffer Overflow Monitoring
NDSS 2012 Kruiser: Semi-synchronized Nonblocking Concurrent Kernel Heap Buffer Overflow Monitoring Donghai Tian 1,2, Qiang Zeng 2, Dinghao Wu 2, Peng Liu 2 and Changzhen Hu 1 1 Beijing Institute of Technology
More informationMalicious Code Analysis II
Malicious Code Analysis II STRANGER: An Automata-based String Analysis Tool for PHP Mitchell Adair November 28 th, 2011 Outline 1 STRANGER 2 Outline 1 STRANGER 2 STRANGER Credit: [STRANGER: An Automata-based
More informationPHP CURRICULUM 6 WEEKS
PHP CURRICULUM 6 WEEKS Hands-On Training In this course, you develop PHP scripts to perform a variety to takes, culminating in the development of a full database-driven Web page. Exercises include: Accessing
More informationAdon'tbe an Adobe victim
Adon'tbe an Adobe victim An overview of how recent Adobe-related flaws affect your web application Joshua Stabiner EY Agenda Introductions Background Cross-site scripting (PDF) Overview Exploit Mitigation
More information